Ransomware impersonates employees and self-spreads

April 2024 News & Events

Following a recent incident, the Kaspersky Global Emergency Response team is shedding light on an attack where adversaries crafted their own variant of encryption malware equipped with self-propagation capabilities. Exploiting stolen privileged administrator credentials, the cybercriminals breached infrastructure. This incident took place in West Africa, but other regions are also experiencing attacks with builder-based ransomware, albeit lacking the sophisticated features observed in this case.

The latest incident occurred in Guinea-Bissau, revealing that custom ransomware employs unseen techniques. It can create an uncontrolled avalanche effect, with infected hosts attempting to spread the malware further within the victim’s network. After the recent occurrence, Kaspersky is providing a detailed analysis.

Impersonation. The threat actor impersonates the system administrator with privileged rights by leveraging illicitly acquired credentials. This scenario is critical, as privileged accounts provide extensive opportunities to execute the attack and gain access to the most critical areas of the corporate infrastructure.

Self-spreading. The customised ransomware can also spread autonomously across the network using highly privileged domain credentials and conduct malicious activities, such as disabling Windows Defender, encrypting network shares, and erasing Windows Event Logs to encrypt data and conceal its actions. The malware’s behaviour results in a scenario where each infected host attempts to infect other hosts within the network.

Adaptive features. The customised configuration files and the aforementioned features enable the malware to tailor itself to the specific configurations of the victimised company’s architecture. For example, the attacker can configure the ransomware to infect only specific files, such as all .xlsx and .docx files, or only a set of specific systems.

When executing this custom build in a virtual machine, Kaspersky observed it performing malicious activities and generating a custom ransom note on the desktop. In real scenarios, this note includes details on how the victim should contact the attackers to obtain the decryptor.

“The LockBit 3.0 builder was leaked in 2022, but attackers still actively use it to create customised versions – and it does not even require advanced programming skills. This flexibility gives adversaries many opportunities to enhance the effectiveness of their attacks, as the recent case shows. It makes these kinds of attacks even more dangerous, considering the escalating frequency of corporate credential leaks,” says Cristian Souza, Incident Response Specialist at Kaspersky Global Emergency Response Team.

Kaspersky also found that attackers used the SessionGopher script to locate and extract saved passwords for remote connections in the affected systems.

LockBit is a cybercriminal group offering ransomware as a service (RaaS). In February 2024, an international law-enforcement operation seized control of the group. A few days after the operation, the ransomware group defiantly announced that it was back in action.

Measures to mitigate ransomware attacks

• Implement a frequent backup schedule and conduct regular testing.

• Deploy robust security solutions.

• Reduce your attack surface by disabling unused services and ports.

• Maintain up-to-date systems and software to patch vulnerabilities promptly.

• Regularly perform penetration tests and vulnerability scanning to detect weaknesses and implement appropriate countermeasures.

• Provide regular cybersecurity training to employees to increase awareness of cyber threats and mitigation strategies.

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Pentagon appointed as Milestone distributor
Elvey Security Technologies News & Events Surveillance
Milestone Systems appointed Pentagon Distribution (an Elvey Group company within the Hudaco Group of Companies) as a distributor. XProtect’s open architecture means no lock-in and the ability to customise the connected video solution that will accomplish the job.

From the editor's desk: AI and events
Technews Publishing News & Events
      Welcome to the 2024 edition of the SMART Surveillance Handbook. Reading through this issue will demonstrate that AI has undoubtedly made its mark on the surveillance industry. Like ‘traditional’ video ...

Forbatt SA to distribute and support Tiandy in South Africa
Forbatt SA News & Events
The big news in this year’s SMART Surveillance Handbook is that Forbatt SA has signed a new distribution agreement with Tiandy Technologies. This brand has had limited exposure and support in South Africa in the past, but has posted significant growth internationally.

Introducing the SecuShot Bullseye Robotic Guard MK2
Secutel Technologies News & Events Surveillance
The SecuShot Bullseye Robotic Guard MK2 is a marvel of modern engineering. It integrates CCTV monitoring, remote-controlled PTZ capabilities, and a gas-powered marker into a single, compact unit.

Gallagher Security’s Integrate Roadshow
Gallagher News & Events
Gallagher Security recently teamed up with nine technology partners to showcase the latest integrated security capabilities at the Integrate Roadshow in Durban, bringing together about 60 attendees, including end users, channel partners, consultants, and other industry professionals.

Level of RDP abuse unprecedented
Sophos News & Events
Cybercriminals abused Remote Desktop Protocol (RDP) in 90% of attacks handled by Sophos Incident Response in 2023, Sophos’ newest Active Adversary Report finds. External remote services were the number-one way attackers’ initially breached networks.

Hexagon rebrands Qognify
News & Events
Hexagon’s Safety, Infrastructure & Geospatial division announced that Qognify has officially adopted the Hexagon corporate identity and fully integrated into the division as the physical security business unit.

Five efficiency strategies for your security installation business
Securex South Africa News & Events
A recent conversation with one Securex South Africa 2024 exhibitor, led to the event organisers being able to share some advice on helping security installers make their businesses more efficient.

Sophos celebrates partners and cybersecurity innovation at annual conference
News & Events Information Security
[Sponsored] Sun City hosted Sophos' annual partner event this year, which took place from 12 to 14 March. Sophos’ South African cybersecurity distributors and resellers gathered for an engaging two-day conference.

Sales basics for security installers
News & Events
Being the best security business in South Africa means little if no one uses your services. Your business success is only partly linked to how good you are at security installations.