New Qilin Ransomware Attack Uses VPN Credentials, Steals Chrome Data

August 23, 2024 at 06:36AM

Summary:

A recent Qilin ransomware attack began with compromised VPN portal credentials. Once inside, the attackers edited the default domain policy so that every logon ran credential-harvesting scripts, collected the passwords saved in Google Chrome on the affected endpoints, exfiltrated them, and then erased the evidence before encrypting files. Ransomware groups continue to evolve their tactics: Russian-speaking groups have earned over $500 million from ransomware proceeds, and attacks against industrial organizations are increasing.

Key Takeaways:

1. The Qilin ransomware attack stole credentials saved in Google Chrome on compromised endpoints and used them to gain further unauthorized access to the network.
2. The attack chain was: abuse of compromised VPN credentials for initial access, a change to the default domain policy that pushed PowerShell and batch scripts to endpoints at logon to harvest credentials, exfiltration of the stolen data, and deletion of the evidence, followed by file encryption and the dropping of ransom notes.
3. Other groups use different initial-access tactics: Mad Liberator has been observed sending unsolicited AnyDesk connection requests, and Mimic has been observed exploiting internet-exposed Microsoft SQL servers.
4. Ransomware attacks continue to be profitable, with increasing ransom payments and a surge in Russian-speaking threat groups accounting for a majority of cryptocurrency proceeds linked to ransomware.
5. Specific sectors, especially industrial organizations, are prime targets due to the mission-critical nature of their operations and the potential for high ransom payments.
6. There has been a significant increase in ransomware attacks targeting small and medium-sized businesses, with a noticeable shift towards targeting edge services.
7. Ongoing law enforcement actions, takedowns of cybercriminal forums, and leak of ransomware source codes have led to the fragmentation of active ransomware groups and available variants.
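
The GPO logon-script technique in takeaway 2 leaves a footprint in SYSVOL that defenders can inventory. The following hunting script is an added example, not code from the article or from any vendor's tooling. It assumes the RSAT GroupPolicy module, a domain-joined host with read access to SYSVOL, and a function name (Find-GpoScript) chosen for this example; the Default Domain Policy GUID is a well-known constant present in every Active Directory domain.

```powershell
# Added hunting script (not from the article): inventory every logon/logoff/startup/
# shutdown script attached to a GPO, flag script-type payloads, and call out anything
# attached to the Default Domain Policy, the object the Qilin intrusion modified.
# Assumptions: RSAT GroupPolicy module installed; run from a domain-joined host with
# read access to SYSVOL. Find-GpoScript is a name chosen here, not a built-in cmdlet.
Import-Module GroupPolicy

# Well-known, domain-independent GUID of the Default Domain Policy.
$DefaultDomainPolicyGuid = '31B2F340-016D-11D2-945F-00C04FB984F9'
# Extensions that mean "this GPO runs code at logon", which is what the attack relied on.
$ScriptExtensions = @('.ps1', '.bat', '.cmd', '.vbs', '.js')

function Find-GpoScript {
    param(
        # GPOs modified more recently than this are flagged; adding a script bumps ModificationTime.
        [int]$ModifiedWithinDays = 30
    )
    $since = (Get-Date).AddDays(-$ModifiedWithinDays)

    foreach ($gpo in Get-GPO -All) {
        $isDefault = $gpo.Id.ToString() -ieq $DefaultDomainPolicyGuid
        # $gpo.Path is the GPO's SYSVOL folder: \\<domain>\SysVol\<domain>\Policies\{<GUID>}
        foreach ($scope in 'User', 'Machine') {
            $scriptRoot = Join-Path $gpo.Path "$scope\Scripts"
            if (-not (Test-Path -LiteralPath $scriptRoot)) { continue }

            # 1) Files staged in the Scripts folder (the usual place for logon.bat / *.ps1 payloads).
            Get-ChildItem -LiteralPath $scriptRoot -Recurse -File |
                Where-Object { $_.Name -notin 'scripts.ini', 'psscripts.ini' } |
                ForEach-Object {
                    [pscustomobject]@{
                        GpoName               = $gpo.DisplayName
                        IsDefaultDomainPolicy = $isDefault
                        Scope                 = $scope
                        Source                = 'file'
                        Script                = $_.FullName
                        ScriptModified        = $_.LastWriteTime
                        GpoModified           = $gpo.ModificationTime
                        RecentlyChanged       = $gpo.ModificationTime -gt $since
                        Suspicious            = $_.Extension -in $ScriptExtensions
                    }
                }

            # 2) Command lines registered in scripts.ini / psscripts.ini ("0CmdLine=\\host\share\x.ps1").
            #    These can point at a script outside SYSVOL that step (1) would never see.
            Get-ChildItem -LiteralPath $scriptRoot -Recurse -File |
                Where-Object { $_.Name -in 'scripts.ini', 'psscripts.ini' } |
                ForEach-Object {
                    $ini = $_
                    foreach ($line in Get-Content -LiteralPath $ini.FullName) {
                        if ($line -match '^\d+CmdLine=(.+)$') {
                            $cmd = $Matches[1].Trim()
                            [pscustomobject]@{
                                GpoName               = $gpo.DisplayName
                                IsDefaultDomainPolicy = $isDefault
                                Scope                 = $scope
                                Source                = $ini.Name
                                Script                = $cmd
                                ScriptModified        = $ini.LastWriteTime
                                GpoModified           = $gpo.ModificationTime
                                RecentlyChanged       = $gpo.ModificationTime -gt $since
                                Suspicious            = [IO.Path]::GetExtension($cmd) -in $ScriptExtensions
                            }
                        }
                    }
                }
        }
    }
}

# The Default Domain Policy normally carries no scripts at all; anything listed under it is a finding.
Find-GpoScript |
    Sort-Object IsDefaultDomainPolicy, Suspicious, RecentlyChanged -Descending |
    Format-Table -AutoSize
```

Run it from a workstation with the GroupPolicy module rather than on a domain controller. Any row with IsDefaultDomainPolicy set to True deserves immediate investigation, and a RecentlyChanged GPO that has gained a .ps1 or .bat script should be correlated with the change history of the groupPolicyContainer object (Security event 5136 on the domain controllers) to identify the account that made the edit.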

Overall, the article highlights the evolving and sophisticated nature of ransomware attacks, the rising ransom payments, and the need for organizations to strengthen their security controls (multi-factor authentication on VPN portals and monitoring of Group Policy changes in particular) to mitigate the risk of such attacks.