
Threat Alert: Multi Stage Ransomware


Threat Overview

Threat Type: RANSOMWARE
Target Industries: CRITICAL INFRASTRUCTURE
Attack Goal: STEAL SENSITIVE DATA & SPREAD RANSOMWARE
Impacted GEO: NORTH AMERICA, SUSPECTED GLOBAL

What's Happening?

Over the past few months, the Cybereason team has been investigating multiple instances of ransomware attacks against large critical infrastructure providers. This attack highlights an ongoing trend where ransomware attacks are no longer just deploying and detonating; they are taking their time to maximize their profit per targeted organization by impacting the availability of multiple machines and the confidentiality of proprietary data.


KEY OBSERVATIONS & TTPS


  • This attack exfiltrates victim’s data and credentials and uses stolen credentials to spread across the network before detonating ransomware.
  • Following initial access, this attack immediately establishes persistence and starts to move laterally across the network.
  • The malware establishes itself on multiple machines and scans the network. It deploys the ransomware early in the operation, exfiltrates data and credentials, and once that is completed, it detonates the ransomware.
  • Ransomware attacks are no longer limited to requesting a ransom; they are now being used for more damaging hacking operations that can lead to data breaches, brand degradation, and ultimately, ransomware attacks.

Remediation Steps

  • Reimage any affected machines because of the different persistence mechanisms used.
  • Change all passwords related to affected services, both browser-based and local applications.
  • Harden remote access interfaces (RDP, SSH).
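Hardening SSH against the stolen-credential lateral movement this alert describes, as an added example that is not Cybereason's code: a small Python audit of an OpenSSH sshd_config that flags settings which let a reused password succeed, run over a constructed weak configuration and its hardened counterpart. The directive thresholds and both sample files are this example's assumptions.

```python
# Added example (not from the Cybereason alert): audit an OpenSSH server
# configuration for settings that let stolen passwords be reused over SSH.
import re

# Accepted values per directive and the risk when the value is weaker.
# These thresholds are this example's assumptions, not a cited standard.
HARDENING_RULES = {
    "passwordauthentication": ({"no"}, "stolen passwords reusable over SSH"),
    "permitrootlogin": ({"no", "prohibit-password"}, "root login with a password"),
    "permitemptypasswords": ({"no"}, "blank passwords accepted"),
    "pubkeyauthentication": ({"yes"}, "key-based authentication disabled"),
}
# OpenSSH defaults that apply when a directive is absent from the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
}

def parse_sshd_config(text):
    """Return {directive_lower: value} using sshd's first-value-wins rule.
    Directives inside a Match block are skipped because they are conditional."""
    settings, in_match = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if not in_match:
            settings.setdefault(key, value)
    return settings

def audit_sshd_config(text):
    """Return (directive, effective_value, problem) for each weak setting."""
    settings = parse_sshd_config(text)
    return [(d, settings.get(d, DEFAULTS[d]), problem)
            for d, (accepted, problem) in HARDENING_RULES.items()
            if settings.get(d, DEFAULTS[d]) not in accepted]

# Constructed samples: a weak out-of-the-box file and a hardened one.
WEAK_CONFIG = "Port 22\nPasswordAuthentication yes\nPermitRootLogin yes\n" \
    "# second value is ignored: sshd keeps the first\nPasswordAuthentication no\n" \
    "Match User backup\n    PasswordAuthentication no\n"
HARDENED_CONFIG = "PasswordAuthentication no\nPermitRootLogin no\n" \
    "PermitEmptyPasswords no\nPubkeyAuthentication yes\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg))  # weak -> 2 findings, hardened -> []
```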

Prevented & Detected by the Cybereason Defense Platform

CYBEREASON CUSTOMERS

We highly recommend every customer enable the following features:

  • The Cybereason Defense Platform was able to detect the preliminary stages of the attack and analyze and prevent the execution of the malicious ransomware payload.
  • If you do not have Cybereason NGAV activated, consider doing so to protect against threats like these.
  • For Cybereason MDR customers, the Cybereason team will monitor and triage as well as assist in the mitigation of potential infections.
