| Category | Details |
|---|---|
| Threat Actors | ELPACO-team ransomware, identified as part of the Mimic ransomware family and potentially linked to sophisticated cybercriminal syndicates. |
| Campaign Overview | Deployment of ELPACO-team ransomware via a dropper binary, targeting both individuals and enterprises; the malware encrypts critical files and establishes persistence mechanisms to pressure victims into paying the ransom. |
| Target Regions/Victims | Likely targets include organizations and individuals in Russia and South Korea based on telemetry data. |
| Methodology | Multi-stage deployment involving brute-force attacks on exposed services, exploitation of vulnerabilities, and credential-dumping tools such as Mimikatz. Legitimate utilities are used to disable defenses before encryption begins. |
| Product Targeted | Windows systems; local and network drives. |
| Malware Reference | ELPACO-team.exe, a 32-bit Windows executable delivered as a self-extracting archive (7zSFX), which uses tools such as xdel.exe, bcdedit.exe, and wevtutil.exe to manipulate and disable security settings. |
| Tools Used | Embedded utilities (Everything.exe, xdel.exe), Windows tools (e.g., bcdedit.exe, wevtutil.exe), PowerShell scripts, and command-line operations. |
| Vulnerabilities Exploited | Exploits insecure services (e.g., MSSQL) and misconfigurations to gain access; disables Windows Defender, telemetry, and recovery mechanisms. |
| TTPs | Disables security features and system recovery; uses legitimate utilities for malicious purposes; encrypts files with prioritized extensions; gains persistence via registry and startup configurations. |
| Attribution | Part of the Mimic ransomware family, which shares code with the leaked Conti ransomware builder. |
| Recommendations | Strengthen endpoint defenses, implement advanced behavioral monitoring, conduct regular backups, and provide user awareness training. Employ multi-layered defenses and patch systems to avoid exploitation. |
| Source | CYFIRMA |
Disclaimer: The above summary has been generated by an AI language model.