Abstract: Since the outbreak of WannaCry Ransomware virus in 2017, The number of ransomware attacks targeting government agencies, large enterprises, medical institutions to increase globally. Ransomware attack presents the characteristics of a high ransom rate, an increasingly complete industry chain for ransomware attacks, and a more largescale and professional commercial operation. Therefore, it is urgent to conduct research on ransomware organizations. Traditional attack detection technology based on big data analysis cannot effectively describe the attack chain of ransomware organizations. Attack methods described in the cyber kill chain model exists high abstraction and lack of a unified description mechanism problems. This leads to differences in the descriptions of the same ransomware organizations by different security researchers. In order to unify the description mechanism, describes the attack chain completely. This paper proposed adopted ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) model, analyzes the common methods of 9 recently active ransomware organizations like Conti. And analyze the attack techniques commonly used by ransomware organizations. This paper shared a ransomware attack case of Conti organization depicted using the ATT&CK model in the end.

Key words: WannaCry ransomware virus, ransomware organizations, attack detection technology based on network data analysis, kill chain model, ATT&, CK model

摘要： 自2017年WannaCry勒索病毒爆发以来，全球范围内针对政府机构、大型企业、医疗机构等的勒索软件攻击持续增加，并呈现出勒索赎金高涨，勒索软件攻击产业链愈发完善，商业化运作更加规模化、职业化等特点.因此，亟需开展针对勒索软件组织的研究.而传统的基于网络大数据分析的攻击检测技术无法有效还原和刻画勒索软件组织的攻击链条，基于网络杀伤链模型描述勒索软件组织的攻击方法存在抽象度高、缺乏统一描述机制等问题，导致不同安全研究人员对同一勒索软件组织的描述存在差异.为了统一描述机制，完整刻画攻击链条，采用了统一原语的ATT&CK模型，针对性选取分析了Conti等9个近年异常活跃的勒索软件组织，使用ATT&CK模型描述其攻击方法，然后使用ATT&CK模型聚类了勒索软件组织在各个攻击阶段常用的技战术，最后使用ATT&CK模型针对Conti组织的勒索攻击案例进行刻画.

关键词: WannaCry勒索病毒, 勒索软件组织, 基于网络大数据分析的攻击检测技术, 网络杀伤链模型, ATT&, CK模型