Vice Society: A Tale of Victim Data Exfiltration via PowerShell, aka Stealing off the Land
https://unit42.paloaltonetworks.com/vice-society-ransomware-powershell/ — April 13, 2023 Unit 42 Blog
During a recent incident response (IR) engagement, the Unit 42 team identified that the Vice Society ransomware gang exfiltrated data from a victim network using a custom-built Microsoft PowerShell (PS) script. We’ll break down the script used, explaining how each function works in order to shed light on this method of data exfiltration.
Ransomware gangs use a plethora of methods to steal data from their victims’ networks. Some gangs bring in outside tools, including tools such as FileZilla, WinSCP and rclone. Other gangs use living off the land binaries and scripts (LOLBAS) methods, such as PS scripts, copy/paste via Remote Desktop Protocol (RDP) and Microsoft’s Win32 API (e.g., Wininet.dll calls). Let’s examine what happens when a PS script is used to automate the data exfiltration stage of a ransomware attack.
The Curious Case of “Monti” Ransomware: A Real-World Doppelganger
https://for528.com/monti — September 7, 2022 BlackBerry Blog
A ransomware victim called in the BlackBerry Incident Response (IR) team during this year’s 4th of July holiday weekend. We quickly realized we were investigating an attack by a previously unknown group, calling themselves “MONTI.” They encrypted nearly 20 user hosts along with a multi-host VMware ESXi cluster that brought down over 20 servers.
Threat research shows that the only credible reference of the “Monti” ransomware group prior to today was a tweet from security researchers at MalwareHunterTeam, posted on June 30, 2022. The Twitter post mentioned the possibility that Monti ransomware may have had “5-10 victims in the past months,” though no data is publicly available on these victims.
Most Indicators of Compromise (IOCs) identified by the BlackBerry IR team in the Monti attack were also seen in previous Conti ransomware cases — except one: Monti threat actors leveraged the Action1 Remote Monitoring and Maintenance (RMM) agent.
This article provides a general overview of the incident, denotes the unique characteristics of this “new” threat actor group, and includes malware analysis of the payload used. We also include a breakdown of “Veeamp,” a password stealer malware targeting the Veeam data backup application, which was identified during the incident.
REvil Under the Microscope
https://blogs.blackberry.com/en/2021/11/revil-under-the-microscope — September 10, 2021 SC Media
Recommended Sources for Ransomware Information
https://www.sans.org/blog/recommended-sources-for-ransomware-information/ — July 2, 2021 SANS Blog
Incident Response: Details in the Data
https://www.pluralsight.com/blog/security-professional/incident-response-prep — June 2017, Pluralsight Security Professional Blog
Landing a Hands-On Security Gig – Part 1
https://www.tripwire.com/state-of-security/risk-based-security-for-executives/connecting-security-to-the-business/landing-a-hands-on-security-gig-part-1/ — July 2015, Tripwire State of Security Blog
Landing a Hands-On Security Gig – Part 2
https://www.tripwire.com/state-of-security/risk-based-security-for-executives/connecting-security-to-the-business/landing-a-hands-on-security-gig-part-2/ — July 2015, Tripwire State of Security Blog
Testing Network Forensics Skills: Challenge Accepted!
https://www.tripwire.com/state-of-security/security-data-protection/security-controls/testing-network-forensics-skills-challenge-accepted/ — April 2015, Tripwire State of Security Blog
Quoted / Interviewed
Oakland got hacked — and so could you. Here’s what to do if it happens
https://www.sfchronicle.com/bayarea/article/oakland-hacked-what-to-do-17823478.php — March 7, 2023 San Francisco Chronicle
What is a ransomware attack? An expert explains.
https://oaklandside.org/2023/03/01/what-is-a-ransomware-attack-an-expert-explains/ — March 1, 2023 The Oaklandside
So, you need to reset thousands of passwords…
https://www.itbrew.com/stories/2022/10/13/so-you-need-to-reset-thousands-of-passwords — October 13, 2022 IT Brew
LAUSD not out of woods with cyberattack, security experts say
https://www.dailynews.com/2022/09/08/lausd-not-out-of-woods-with-cyberattack-security-experts-say — September 8, 2022 Los Angeles Daily News
Rethinking the approach to health care’s reliance on IT as security leaders
How to Prepare Your Windows Network for a Ransomware Attack
https://www.csoonline.com/article/3627390/how-to-prepare-your-windows-network-for-a-ransomware-attack.html — August 4, 2021 CSO Online
Ryan Chapman, SANS Certified Instructor Candidate: The Implications of the Kaseya Ransomware Attack
https://www.enterprisesecuritytech.com/post/ryan-chapman-sans-certified-instructor-the-implications-of-the-kaseya-ransomware-attack — July 9, 2021 Enterprise Security Tech
Executives and Ransomware: Stop, Collaborate, and Listen! Webcast Q&A
https://www.sans.org/blog/executives-and-ransomware-stop-collaborate-and-listen/ — July 6, 2021 SANS Webcast Q&A
Sitdown with a SOC Star: 11 Questions with SANS Instructor Ryan Chapman
https://www.siemplify.co/blog/sitdown-with-a-soc-star-11-questions-with-sans-instructor-ryan-chapman/ — November 2020, Siemplify Blog
Kaseya attack reminds companies to protect themselves against ransomware from all directions
https://www.infopoint-security.de/kaseya-angriff-erinnert-unternehmen-sich-vor-ransomware-aus-allen-richtungen-zu-schuetzen/a28094/ — July 7, 2021 InfoPoint Security (Germany)
Supply chain attack at Kaseya: a warning for companies about ransomware from all directions
https://www.datensicherheit.de/kaseya-supply-chain-warnung-ransomware — July 7, 2021 datensicherheit.de (Germany)