From Word to Lateral Movement in 1 Hour
Introduction In May 2021, we observed a threat actor conducting an intrusion utilizing the IcedID payloads for initial access. They later performed a number of techniques from host discovery to … Read More
Category: cobaltstrike
Conti Ransomware
Introduction First seen in May 2020, Conti ransomware has quickly become one of the most common ransomware variants, according to Coveware. As per Coveware’s Quarterly Ransomware Report (Q1 2021), Conti … Read More
Sodinokibi (aka REvil) Ransomware
Intro Sodinokibi (aka REvil) has been one of the most prolific ransomware as a service (RaaS) groups over the last couple years. The ransomware family was purported to be behind … Read More
Bazar Drops the Anchor
Intro The malware identified as Anchor first entered the scene in late 2018 and has been linked to the same group as Trickbot, due to similarities in code and usage … Read More
Bazar, No Ryuk?
Intro In the fall of 2020, Bazar came to prominence when several campaigns delivered Ryuk ransomware. While Bazar appeared to drop-off in December, new campaigns have sprung up recently, using … Read More
Trickbot Still Alive and Well
In October of 2020, the group behind the infamous botnet known as Trickbot had a bad few days. The group was under concerted pressure applied by US Cyber Command infiltrating … Read More
Ryuk Speed Run, 2 Hours to Ransom
Intro Since the end of September Ryuk has been screaming back into the news. We’ve already covered 2 cases in that timeframe. We’ve seen major healthcare providers, managed service providers, … Read More
Ryuk in 5 Hours
Intro The Ryuk threat actors went from a phishing email to domain wide ransomware in 5 hours. They escalated privileges using Zerologon (CVE-2020-1472), less than 2 hours after the initial … Read More
Ryuk’s Return
Intro The Ryuk group went from an email to domain wide ransomware in 29 hours and asked for over $6 million to unlock our systems. They used tools such as … Read More
NetWalker Ransomware in 1 Hour
The threat actor logged in through RDP, attempted to run a Cobalt Strike Beacon, and then dumped memory using ProcDump and Mimikatz. Next, they RDPed into a Domain Controller, minutes … Read More