Skip to content
  • Reports
  • Analysts
  • Services
    • Threat Intelligence
    • Detection Rules
    • DFIR Labs
      • Capture The Flag (CTF)
      • Leaderboard
      • CTF Winners
      • Testimonials
    • Case Artifacts
    • Mentoring & Coaching Program
      • Book A Session
      • Meet The Team
  • Access DFIR Labs
  • Subscribe
  • Contact Us
  • Threat Intelligence
  • Detection Rules
  • DFIR Labs
    • Capture The Flag (CTF)
    • Leaderboard
    • CTF Winners
    • Testimonials
  • Mentoring & Coaching Program
    • Book A Session
    • Meet The Team
  • Case Artifacts

The DFIR Report

Real Intrusions by Real Attackers, The Truth Behind the Intrusion

  • Reports
  • Analysts
  • Services
    • Threat Intelligence
    • Detection Rules
    • DFIR Labs
      • Capture The Flag (CTF)
      • Leaderboard
      • CTF Winners
      • Testimonials
    • Case Artifacts
    • Mentoring & Coaching Program
      • Book A Session
      • Meet The Team
  • Access DFIR Labs
  • Subscribe
  • Contact Us
Sunday, May 25, 2025
  • Threat Intelligence
  • Detection Rules
  • DFIR Labs
    • Capture The Flag (CTF)
    • Leaderboard
    • CTF Winners
    • Testimonials
  • Mentoring & Coaching Program
    • Book A Session
    • Meet The Team
  • Case Artifacts

Category: ransomware

BazarCall to Conti Ransomware via Trickbot and Cobalt Strike
adfind BazarCall cobaltstrike conti ransomware trickbot

BazarCall to Conti Ransomware via Trickbot and Cobalt Strike

August 1, 2021

Intro This report will go through an intrusion that went from an Excel file to domain wide ransomware. The threat actors used BazarCall to install Trickbot in the environment which … Read More

Conti Ransomware
cobaltstrike conti icedid ransomware

Conti Ransomware

May 12, 2021

Introduction First seen in May 2020, Conti ransomware has quickly become one of the most common ransomware variants, according to Coveware. As per Coveware’s Quarterly Ransomware Report (Q1 2021), Conti … Read More

Sodinokibi (aka REvil) Ransomware
adfind cobaltstrike icedid ransomware revil Sodinokibi

Sodinokibi (aka REvil) Ransomware

March 29, 2021

Intro Sodinokibi (aka REvil) has been one of the most prolific ransomware as a service (RaaS) groups over the last couple years. The ransomware family was purported to be behind … Read More

PYSA/Mespinoza Ransomware
empire koadic mespinoza psexec ransomware rdp

PYSA/Mespinoza Ransomware

November 23, 2020

Intro Over the course of 8 hours the PYSA/Mespinoza threat actors used Empire and Koadic as well as RDP to move laterally throughout the environment, grabbing credentials from as many … Read More

empirekoadicmespinozaransomwarerdp
Ryuk Speed Run, 2 Hours to Ransom
adfind bazar cobaltstrike ransomware ryuk

Ryuk Speed Run, 2 Hours to Ransom

November 5, 2020

Intro Since the end of September Ryuk has been screaming back into the news. We’ve already covered 2 cases in that timeframe. We’ve seen major healthcare providers, managed service providers, … Read More

bazarcobalt strikekegtapransomwareryuk
Ryuk in 5 Hours
adfind bazar cobaltstrike ransomware rdp ryuk yara

Ryuk in 5 Hours

October 18, 2020

Intro The Ryuk threat actors went from a phishing email to domain wide ransomware in 5 hours. They escalated privileges using Zerologon (CVE-2020-1472), less than 2 hours after the initial … Read More

adfindbazarcobalt strikekegtapmalspamryuk
Ryuk’s Return
adfind bazar cobaltstrike ransomware ryuk

Ryuk’s Return

October 8, 2020

Intro The Ryuk group went from an email to domain wide ransomware in 29 hours and asked for over $6 million to unlock our systems. They used tools such as … Read More

adfindbazarcobalt strikekegtapryuk
NetWalker Ransomware in 1 Hour
adfind cobaltstrike psexec ransomware rdp

NetWalker Ransomware in 1 Hour

August 31, 2020

The threat actor logged in through RDP, attempted to run a Cobalt Strike Beacon, and then dumped memory using ProcDump and Mimikatz. Next, they RDPed into a Domain Controller, minutes … Read More

Ransomware Again…But We Changed the RDP Port!?!?!
ransomware rdp

Ransomware Again…But We Changed the RDP Port!?!?!

July 13, 2020

Here’s another example of threat actors brute forcing RDP to install ransomware, this time the brute forced system was not using the default RDP port. The threat actors installed ransomware … Read More

Snatch Ransomware
Meterpreter ransomware rdp yara

Snatch Ransomware

June 21, 2020

Another RDP brute force ransomware strikes again, this time, Snatch Team! Snatch Team was able to go from brute forcing a Domain Administrator (DA) account via RDP, to running a … Read More

The Little Ransomware That Couldn’t (Dharma)
ransomware rdp yara

The Little Ransomware That Couldn’t (Dharma)

June 16, 2020

Ransomware continues unabated in the year of continually mounting pressure. But for every big game actor out there compromising Fortune listed companies there are the little guys that maybe just … Read More

Lockbit Ransomware, Why You No Spread?
ransomware rdp yara

Lockbit Ransomware, Why You No Spread?

June 10, 2020

RDP brute forcing continues to be a favorite entry point for ransomware actors. In this past month we saw activity from the Lockbit ransomware family. Initial Access: RDP login from … Read More

Dharma Ransomware
ransomware rdp

Dharma Ransomware

April 14, 2020

An attacker logged into the honeypot via RDP from 178.239.173[.]172. Within 10 minutes the attacker went from local admin, to domain admin to installing ransomware on multiple machines. The attacker … Read More

GoGoogle Ransomware
ransomware rdp

GoGoogle Ransomware

April 4, 2020

An attacker logged into the honeypot from 93.174.95[.]73, disabled security tools, dropped their toolkit and started recon. Recon was quickly followed by an onslaught of password dumping tools such as … Read More

Comment on GoGoogle Ransomware

Posts pagination

Previous 1 2

Register For Our Next CTF

Reports

Threat Intelligence

Detection Rules

DFIR Labs

Mentoring and Coaching

Proudly powered by WordPress | Copyright 2023 | The DFIR Report | All Rights Reserved