Conti Ransomware
Introduction First seen in May 2020, Conti ransomware has quickly become one of the most common ransomware variants, according to Coveware. As per Coveware’s Quarterly Ransomware Report (Q1 2021), Conti … Read More
Trickbot Brief: Creds and Beacons
Intro “TrickBot malware—first identified in 2016—is a Trojan developed and operated by a sophisticated group of cybercrime actors. The cybercrime group initially designed TrickBot as a banking trojan to steal … Read More
Sodinokibi (aka REvil) Ransomware
Intro Sodinokibi (aka REvil) has been one of the most prolific ransomware as a service (RaaS) groups over the last couple years. The ransomware family was purported to be behind … Read More
Bazar Drops the Anchor
Intro The malware identified as Anchor first entered the scene in late 2018 and has been linked to the same group as Trickbot, due to similarities in code and usage … Read More
Laravel Apps Leaking Secrets
An threat actor logged in through RDP a few days ago to run a “smtp cracker” that scans a list of IP addresses or URLs looking for misconfigured Laravel systems. … Read More
Bazar, No Ryuk?
Intro In the fall of 2020, Bazar came to prominence when several campaigns delivered Ryuk ransomware. While Bazar appeared to drop-off in December, new campaigns have sprung up recently, using … Read More
All That for a Coinminer?
A threat actor recently brute forced a local administrator password using RDP and then dumped credentials using Mimikatz. They not only dumped LogonPasswords but they also exported all Kerberos tickets. … Read More
Trickbot Still Alive and Well
In October of 2020, the group behind the infamous botnet known as Trickbot had a bad few days. The group was under concerted pressure applied by US Cyber Command infiltrating … Read More
Defender Control
Defender Control is a free software utility we’ve come across in various intrusions. The creators describe it by saying the following: What is certain however is that it [Windows Defender] … Read More
PYSA/Mespinoza Ransomware
Intro Over the course of 8 hours the PYSA/Mespinoza threat actors used Empire and Koadic as well as RDP to move laterally throughout the environment, grabbing credentials from as many … Read More
Cryptominers Exploiting WebLogic RCE CVE-2020-14882
Intro Towards the end of October, we started seeing attackers take advantage of a WebLogic RCE vulnerability (CVE-2020-14882). Recently, SANS ISC talked about this vulnerability being exploited in the wild, … Read More
Ryuk Speed Run, 2 Hours to Ransom
Intro Since the end of September Ryuk has been screaming back into the news. We’ve already covered 2 cases in that timeframe. We’ve seen major healthcare providers, managed service providers, … Read More
Ryuk in 5 Hours
Intro The Ryuk threat actors went from a phishing email to domain wide ransomware in 5 hours. They escalated privileges using Zerologon (CVE-2020-1472), less than 2 hours after the initial … Read More
Ryuk’s Return
Intro The Ryuk group went from an email to domain wide ransomware in 29 hours and asked for over $6 million to unlock our systems. They used tools such as … Read More
NetWalker Ransomware in 1 Hour
The threat actor logged in through RDP, attempted to run a Cobalt Strike Beacon, and then dumped memory using ProcDump and Mimikatz. Next, they RDPed into a Domain Controller, minutes … Read More
Ransomware Again…But We Changed the RDP Port!?!?!
Here’s another example of threat actors brute forcing RDP to install ransomware, this time the brute forced system was not using the default RDP port. The threat actors installed ransomware … Read More
Snatch Ransomware
Another RDP brute force ransomware strikes again, this time, Snatch Team! Snatch Team was able to go from brute forcing a Domain Administrator (DA) account via RDP, to running a … Read More
The Little Ransomware That Couldn’t (Dharma)
Ransomware continues unabated in the year of continually mounting pressure. But for every big game actor out there compromising Fortune listed companies there are the little guys that maybe just … Read More
Lockbit Ransomware, Why You No Spread?
RDP brute forcing continues to be a favorite entry point for ransomware actors. In this past month we saw activity from the Lockbit ransomware family. Initial Access: RDP login from … Read More
AdFind Recon
A threat actor logged into the RDP honeypot from 217[.]182[.]242[.]13 (OVH) with a hostname of WORK9F3B. Within 20 seconds they opened a command prompt and issued the following commands They … Read More