printer friendly version

Ransomware impersonates employees and self-spreads

Following a recent incident, the Kaspersky Global Emergency Response team is shedding light on an attack where adversaries crafted their own variant of encryption malware equipped with self-propagation capabilities. Exploiting stolen privileged administrator credentials, the cybercriminals breached infrastructure. This incident took place in West Africa, but other regions are also experiencing attacks with builder-based ransomware, albeit lacking the sophisticated features observed in this case.

The latest incident occurred in Guinea-Bissau, revealing that custom ransomware employs unseen techniques. It can create an uncontrolled avalanche effect, with infected hosts attempting to spread the malware further within the victim’s network. After the recent occurrence, Kaspersky is providing a detailed analysis.

Impersonation. The threat actor impersonates the system administrator with privileged rights by leveraging illicitly acquired credentials. This scenario is critical, as privileged accounts provide extensive opportunities to execute the attack and gain access to the most critical areas of the corporate infrastructure.

Self-spreading. The customised ransomware can also spread autonomously across the network using highly privileged domain credentials and conduct malicious activities, such as disabling Windows Defender, encrypting network shares, and erasing Windows Event Logs to encrypt data and conceal its actions. The malware’s behaviour results in a scenario where each infected host attempts to infect other hosts within the network.

Adaptive features. The customised configuration files and the aforementioned features enable the malware to tailor itself to the specific configurations of the victimised company’s architecture. For example, the attacker can configure the ransomware to infect only specific files, such as all .xlsx and .docx files, or only a set of specific systems.

When executing this custom build in a virtual machine, Kaspersky observed it performing malicious activities and generating a custom ransom note on the desktop. In real scenarios, this note includes details on how the victim should contact the attackers to obtain the decryptor.

“The LockBit 3.0 builder was leaked in 2022, but attackers still actively use it to create customised versions – and it does not even require advanced programming skills. This flexibility gives adversaries many opportunities to enhance the effectiveness of their attacks, as the recent case shows. It makes these kinds of attacks even more dangerous, considering the escalating frequency of corporate credential leaks,” says Cristian Souza, Incident Response Specialist at Kaspersky Global Emergency Response Team.

Kaspersky also found that attackers used the SessionGopher script to locate and extract saved passwords for remote connections in the affected systems.

LockBit is a cybercriminal group offering ransomware as a service (RaaS). In February 2024, an international law-enforcement operation seized control of the group. A few days after the operation, the ransomware group defiantly announced that it was back in action.

Measures to mitigate ransomware attacks

• Implement a frequent backup schedule and conduct regular testing.

• Deploy robust security solutions.

• Reduce your attack surface by disabling unused services and ports.

• Maintain up-to-date systems and software to patch vulnerabilities promptly.

• Regularly perform penetration tests and vulnerability scanning to detect weaknesses and implement appropriate countermeasures.

• Provide regular cybersecurity training to employees to increase awareness of cyber threats and mitigation strategies.

Share this article:

Further reading: