How the INC Ransomware Gang Hit a Young Victim | Informational guidance


According to Huntress researchers, it took the new INC Ransomware gang no more than a week – possibly less – to infiltrate and encrypt an organization’s computer systems.

Although they were able to see what happened on three infected servers of an unidentified organization, the researchers were unable to determine how the attackers gained access — more specifically, how the gang obtained the employee’s credentials. They were, however, able to build an informative profile that gives defenders a sense of how this particular gang operated.

On the first day, the attackers briefly connected to server 1 with valid credentials. After about four and a half hours, valid account credentials were used to access the same system via Windows Remote Desktop Protocol (RDP). For about 30 minutes, the attackers collected information about the system.

On the second day, there was only a short connection to server 2. The next day, server 2 was accessed again, but this time several 7-Zip archiver commands were run to collect and organize the data for exfiltration. The attacker also used native tools such as WordPad, Notepad and Microsoft Paint to view the contents of documents and JPEG image files.

On the fourth day, the cybercriminal again accessed server 2 via RDP and continued issuing commands to collect and transmit data, as he had done the day before.

On the fifth day, the attacker reached server 3 via RDP for only six minutes, with little activity seen in endpoint telemetry. Nothing happened on the sixth day.

But on the seventh day, instead of resting, the cybercriminal struck. The attacker got into server 3 via RDP and installed a free network scanner called Advanced IP Scanner and a free SSH and telnet client called PuTTY, which could be used to transfer files. About three hours after the initial connection to server 3, the attacker executed credential access commands on all three servers, all of which point to the use of lsassy.py, a Python tool for remote credential extraction across a set of hosts.


Approximately four hours after the initial connection to server 3, the cybercriminal issued a number of copy commands in rapid succession, possibly by running a batch file or script, to push the file-encrypting executable to multiple endpoints within the IT infrastructure. These copy commands were followed in quick succession by a similar series of commands using the Windows utilities wmic.exe and PsExec (the latter renamed) to run the file-encryption executable on each of these endpoints.
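As an added, defender-side illustration (this is not code from the Huntress report or the original article), the following Python runs three checks over constructed Sysmon-style process-creation records that mirror the sequence described above: a burst of copies to administrative shares on several hosts, wmic or PsExec execution from the same source shortly afterwards, and a PsExec binary whose on-disk name no longer matches its embedded OriginalFileName. The host names, timestamps and the file name upd.exe are constructed sample values.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation records (hypothetical sample data, not the
# telemetry from the Huntress report). 'orig' stands for Sysmon's OriginalFileName field,
# which comes from the binary's version resource and therefore survives a rename on disk.
EVENTS = [
    {"ts": 0,  "host": "SRV3", "image": "cmd.exe", "orig": "Cmd.Exe", "cmd": r"cmd /c copy C:\tmp\upd.exe \\WS01\C$\upd.exe"},
    {"ts": 4,  "host": "SRV3", "image": "cmd.exe", "orig": "Cmd.Exe", "cmd": r"cmd /c copy C:\tmp\upd.exe \\WS02\C$\upd.exe"},
    {"ts": 9,  "host": "SRV3", "image": "cmd.exe", "orig": "Cmd.Exe", "cmd": r"cmd /c copy C:\tmp\upd.exe \\SRV1\C$\upd.exe"},
    {"ts": 40, "host": "SRV3", "image": "wmic.exe", "orig": "wmic.exe", "cmd": r"wmic /node:WS01 process call create C:\upd.exe"},
    {"ts": 46, "host": "SRV3", "image": "svchost1.exe", "orig": "psexec.c", "cmd": r"svchost1.exe \\WS02 -s C:\upd.exe"},
    {"ts": 900, "host": "SRV2", "image": "cmd.exe", "orig": "Cmd.Exe", "cmd": r"cmd /c copy C:\rep\q3.docx \\SRV2\C$\bak\q3.docx"},
]

# Destination host of a copy into an administrative share (\\HOST\C$\...).
COPY_RE = re.compile(r"\bcopy\b.*?\\\\([^\\\s]+)\\[A-Za-z]\$\\", re.I)
WMIC_RE = re.compile(r"\bprocess\s+call\s+create\b", re.I)

def is_psexec(e):
    # Sysinternals PsExec carries OriginalFileName 'psexec.c'; renaming changes only 'image'.
    return e["orig"].lower().startswith("psexec")

def renamed_psexec(events):
    """PsExec events whose image name no longer matches the embedded original file name."""
    return [e for e in events if is_psexec(e) and not e["image"].lower().startswith("psexec")]

def copy_bursts(events, window=120, min_hosts=3):
    """Copies to >= min_hosts distinct admin shares from one source host within `window` seconds."""
    per_src = defaultdict(list)
    for e in events:
        if m := COPY_RE.search(e["cmd"]):
            per_src[e["host"]].append((e["ts"], m.group(1).upper()))
    alerts = []
    for src, copies in per_src.items():
        copies.sort()
        for i, (t0, _) in enumerate(copies):
            targets = {dst for t, dst in copies[i:] if t - t0 <= window}
            if len(targets) >= min_hosts:
                alerts.append((src, t0, sorted(targets)))
                break
    return alerts

def remote_exec_after_burst(events, window=600):
    """wmic 'process call create' or PsExec from the burst's source host within `window` seconds."""
    hits = []
    for src, t0, _ in copy_bursts(events):
        hits += [(e["ts"], e["image"]) for e in events
                 if e["host"] == src and t0 <= e["ts"] <= t0 + window
                 and (WMIC_RE.search(e["cmd"]) or is_psexec(e))]
    return hits
```

The single copy from SRV2 to its own backup share at ts=900 is deliberately benign and produces no alert, which is the false-positive case a burst threshold is meant to filter out.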

What can we conclude from this? The researchers note that “there is often significant activity that triggers the deployment of an encrypted executable file, such as initial access, credential access and privilege elevation, repository infrastructure and mapping. In the case of data theft (in stages and theft), this can often be noticed long before the file encryption executable is published.”

The full Huntress report can be downloaded here.

The original article is available at IT World Canada, a sister publication of Informational guidance.

French adaptation and translation by Renaud Larue-Langlois.


About the Author: Octávio Florencio
