Vice Society: A Tale of Victim Data Exfiltration via PowerShell, aka Stealing off the Land — April 13, 2023 Unit 42 Blog

Click to view a description of the article

During a recent incident response (IR) engagement, the Unit 42 team identified that the Vice Society ransomware gang exfiltrated data from a victim network using a custom built Microsoft PowerShell (PS) script. We’ll break down the script used, explaining how each function works in order to shed light on this method of data exfiltration.

Ransomware gangs use a plethora of methods to steal data from their victims’ networks. Some gangs bring in outside tools, including tools such as FileZilla, WinSCP and rclone. Other gangs use living off the land binaries and scripts (LOLBAS) methods, such as PS scripts, copy/paste via Remote Desktop Protocol (RDP) and Microsoft’s Win32 API (e.g., Wininet.dll calls). Let’s examine what happens when a PS script is used to automate the data exfiltration stage of a ransomware attack.

The Curious Case of “Monti” Ransomware: A Real-World Doppelganger — September 7, 2022 BlackBerry Blog

Click to view a description of the Monti article

A ransomware victim called in the BlackBerry Incident Response (IR) team during this year’s 4th of July holiday weekend. We quickly realized we were investigating an attack by a previously unknown group, calling themselves “MONTI.” They encrypted nearly 20 user hosts along with a multi-host VMware ESXi cluster that brought down over 20 servers.

Threat research shows that the only credible reference of the “Monti” ransomware group prior to today was a tweet from security researchers at MalwareHunterTeam, posted on June 30, 2022. The Twitter post mentioned the possibility that Monti ransomware may have had “5-10 victims in the past months,” though no data is publicly available on these victims.

Most Indicators of Compromise (IOCs) identified by the BlackBerry IR team in the Monti attack were also seen in previous Conti ransomware cases — except one: Monti threat actors leveraged the Action1 Remote Monitoring and Maintenance (RMM) agent.

This article provides a general overview of the incident, denotes the unique characteristics of this “new” threat actor group, and includes malware analysis of the payload used. We also include a breakdown of “Veeamp,” a password stealer malware targeting the Veeam data backup application, which was identified during the incident.

REvil Under the Microscope — September 10, 2021 SC Media

Recommended Sources for Ransomware Information — July 2, 2021 SANS Blog

Incident Response: Details in the Data — June 2017, Pluralsight Security Professional Blog

Landing a Hands-On Security Gig – Part 1 — July 2015, Tripwire State of Security Blog

Landing a Hands-On Security Gig – Part 2 — July 2015, Tripwire State of Security Blog

Testing Network Forensics Skills: Challenge Accepted! — April 2015, Tripwire State of Security Blog

Quoted / Interviewed

Oakland got hacked — and so could you. Here’s what to do if it happens — March 7, 2023 San Francisco Chronicle

What is a ransomware attack? An expert explains. — March 1, 2023 The Oaklandside

So, you need to reset thousands of passwords… — October 13, 2022 IT Brew

LAUSD not out of woods with cyberattack, security experts say — September 8, 2022 Los Angeles Daily News

Rethinking the approach to health care’s reliance on IT as security leaders — September 3, 2021 SC Media

How to Prepare Your Windows Network for a Ransomware Attack — August 4, 2021 CSO Online

Ryan Chapman, SANS Certified Instructor Candidate: The Implications of the Kaseya Ransomware Attack — July 9, 2021 Enterprise Security Tech

Executives and Ransomware: Stop, Collaborate, and Listen! Webcast Q&A — July 6, 2021 SANS Webcast Q&A

Sitdown with a SOC Star: 11 Questions with SANS Instructor Ryan Chapman — November 2020, Siemplify Blog

International Articles

Kaseya-Angriff erinnert Unternehmen, sich vor Ransomware aus allen Richtungen zu schützen — July 7, 2021 InfoPoint Security (Germany)

Supply-Chain-Angriff bei Kaseya: Warnung für Unternehmen vor Ransomware aus allen Richtungen — July 7, 2021 (Germany)