2023-08-15 17:13:20
According to Huntress researchers, the new INC ransomware gang took no more than a week – and possibly less – to penetrate and encrypt an organization’s computer systems.
Although they were able to see what happened on three infected servers of the unidentified organization, the researchers were unable to determine how the attackers gained access, and more specifically how the gang obtained employee credentials. They were nevertheless able to build a useful picture of how this particular gang operates, one that defenders can learn from.
On day one, the attackers briefly connected to Server 1 with valid credentials. Approximately four and a half hours later, valid account credentials were used to access the same system via Windows Remote Desktop Protocol (RDP). For about 30 minutes, the attackers gathered information about the system.
On the second day, there was only a brief connection to Server 2. The next day, Server 2 was accessed once more. This time, many 7-Zip archive commands were run to collect and organize the data for exfiltration. The attacker also used native tools such as WordPad, Notepad and Microsoft Paint to view the contents of documents and image/JPEG files.
On the fourth day, the cybercriminal once more accessed Server 2 via RDP and continued issuing commands to collect and transfer data, as he had done the day before.
On day five, he accessed Server 3 via RDP for only six minutes, with little activity seen in endpoint telemetry. Nothing happened on the sixth day.
But on the seventh day, instead of resting, the cybercriminal struck. He accessed Server 3 via RDP and installed a free network scanner called Advanced IP Scanner, as well as a free SSH and telnet client called PuTTY that can also be used for file transfers. Approximately three hours after the initial connection to Server 3, the attacker executed credential access commands on all three servers, all of which indicated the use of lsassy.py, a Python tool for remotely extracting credentials from a set of hosts.
Approximately four hours after the initial connection to Server 3, the cybercriminal issued a number of copy commands in quick succession, perhaps by running a batch file or script, to push the file-encrypting executable to multiple endpoints within the IT infrastructure. These copy commands were followed in rapid succession by a similar series of commands issued through Windows' wmic.exe and PsExec utilities (the latter renamed) to launch the file encryption executable on each of these endpoints.
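The deployment burst described above (a run of copies to admin shares, then wmic.exe and a renamed PsExec launching the payload) is something endpoint telemetry can flag. The following is an added example, not code from Huntress or the original article: a small detector over constructed process-creation records modelled on Sysmon Event ID 1 fields (Image, OriginalFileName, CommandLine); the host names, timestamps and command lines are made up for illustration.

```python
import re
from datetime import datetime, timedelta

def ev(ts, host, image, orig, cmd):
    """One process-creation record: timestamp, source host, Image, OriginalFileName, CommandLine."""
    return {"ts": ts, "host": host, "image": image, "orig": orig, "cmd": cmd}

# Constructed sample telemetry (Sysmon Event ID 1 style), not from the Huntress report.
EVENTS = [
    ev("2023-08-07T14:02:01", "SRV3", r"C:\Windows\System32\cmd.exe", "Cmd.Exe", r"copy C:\Temp\enc.exe \\WS01\C$\Windows\Temp\enc.exe"),
    ev("2023-08-07T14:02:03", "SRV3", r"C:\Windows\System32\cmd.exe", "Cmd.Exe", r"copy C:\Temp\enc.exe \\WS02\C$\Windows\Temp\enc.exe"),
    ev("2023-08-07T14:02:04", "SRV3", r"C:\Windows\System32\cmd.exe", "Cmd.Exe", r"copy C:\Temp\enc.exe \\WS03\ADMIN$\Temp\enc.exe"),
    ev("2023-08-07T14:05:10", "SRV3", r"C:\Windows\System32\wbem\wmic.exe", "wmic.exe", r"wmic /node:WS01 process call create C:\Windows\Temp\enc.exe"),
    ev("2023-08-07T14:05:12", "SRV3", r"C:\Temp\svc.exe", "psexec.c", r"svc.exe \\WS02 -s C:\Windows\Temp\enc.exe"),
    ev("2023-08-07T09:00:00", "SRV1", r"C:\Windows\System32\cmd.exe", "Cmd.Exe", r"copy report.docx \\FS01\share\report.docx"),  # benign: ordinary share
]
ADMIN_SHARE = re.compile(r"\\\\[\w.-]+\\(?:c\$|admin\$)", re.I)
PSEXEC_ORIG = {"psexec.c", "psexec.exe", "psexec64.exe"}  # Sysmon records PsExec's OriginalFileName as psexec.c

def is_renamed_psexec(e):
    """PsExec by OriginalFileName, but running under a different file name on disk."""
    return e["orig"].lower() in PSEXEC_ORIG and not e["image"].lower().rsplit("\\", 1)[-1].startswith("psexec")

def is_remote_exec(e):
    """wmic remote process creation, or any PsExec launch regardless of its file name."""
    cmd = e["cmd"].lower()
    wmic = e["image"].lower().endswith("wmic.exe") and "/node:" in cmd and "process call create" in cmd
    return wmic or e["orig"].lower() in PSEXEC_ORIG

def admin_share_copy_bursts(events, window=timedelta(seconds=120), threshold=3):
    """Per source host, the largest run of copies to C$/ADMIN$ shares that fits inside one window."""
    per_host = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["cmd"].lower().startswith("copy ") and ADMIN_SHARE.search(e["cmd"]):
            per_host.setdefault(e["host"], []).append(datetime.fromisoformat(e["ts"]))
    bursts = {}
    for host, times in per_host.items():
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                bursts[host] = max(n, bursts.get(host, 0))
    return bursts

def detect(events):
    """Return (rule, host, detail) findings for the three behaviours above."""
    findings = [("renamed_psexec", e["host"], e["image"]) for e in events if is_renamed_psexec(e)]
    findings += [("remote_exec", e["host"], e["cmd"]) for e in events if is_remote_exec(e)]
    findings += [("staging_burst", h, f"{n} admin-share copies") for h, n in admin_share_copy_bursts(events).items()]
    return findings
```

On the constructed events, `detect(EVENTS)` reports a three-copy staging burst, two remote executions and one renamed PsExec on SRV3, and nothing for the benign copy on SRV1.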
What can we conclude from this? “There is often considerable activity that leads to deployment of the file encryption executable, such as initial access, credential access and elevation of privileges, and inventory and mapping infrastructure,” the researchers note. “In the event of data theft (staged and exfiltrated), this can very often be observed long before the deployment of the file encryption executable.”
The full Huntress report can be downloaded here.
The original article is available at IT World Canada, a sister publication of Informatic direction.
French adaptation and translation by Renaud Larue-Langlois.