Case study 2: Access through compromised credentials

Collection and exfiltration

On some of the devices the attackers signed into, they made efforts to collect and exfiltrate large amounts of data from the organization, including domain settings and information as well as intellectual property. To do this, the attackers used both MEGAsync and Rclone, which they renamed to legitimate Windows process names (for example, winlogon.exe and mstsc.exe).
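The renaming described above leaves a detectable inconsistency: a file called winlogon.exe that runs from a user-writable directory, or whose PE version metadata names a different binary. The following added example (not code from the original case study) checks constructed Sysmon-style process-creation records for that inconsistency; the SYSTEM_DIR path and the OriginalFileName values in the sample records are assumptions for illustration.

```python
"""Flag process-creation events where a renamed tool masquerades as a
Windows system binary (e.g. Rclone or MEGAsync dropped as winlogon.exe).
Field names mirror Sysmon Event ID 1; the records below are constructed."""
import ntpath

# Names the case study reports the attackers reused. Assumption for this
# example: the genuine binaries only run from System32.
SYSTEM_BINARIES = {"winlogon.exe", "mstsc.exe"}
SYSTEM_DIR = r"c:\windows\system32"

# PE OriginalFileName values of the exfiltration tools named in the text
# (assumed values; real binaries may carry different or no version info).
EXFIL_TOOLS = {"rclone.exe", "megasync.exe"}


def flag_event(ev):
    """Return the reasons this event looks like a masquerading tool ([] if none)."""
    image = ev["Image"].lower()
    name = ntpath.basename(image)
    folder = ntpath.dirname(image)
    orig = ev.get("OriginalFileName", "").lower()
    reasons = []
    if name in SYSTEM_BINARIES and folder != SYSTEM_DIR:
        reasons.append(f"{name} launched from non-system path {folder}")
    if orig and orig != name:
        reasons.append(f"on-disk name {name} differs from PE OriginalFileName {orig}")
    if orig in EXFIL_TOOLS:
        reasons.append(f"known exfiltration tool {orig}")
    return reasons


def scan(events):
    """Map each suspicious Image path to its list of reasons."""
    hits = {}
    for ev in events:
        reasons = flag_event(ev)
        if reasons:
            hits[ev["Image"]] = reasons
    return hits


EVENTS = [  # constructed sample records, not real telemetry
    {"Image": r"C:\Windows\System32\winlogon.exe", "OriginalFileName": "winlogon.exe"},
    {"Image": r"C:\Users\Public\winlogon.exe", "OriginalFileName": "rclone.exe"},
    {"Image": r"C:\ProgramData\mstsc.exe", "OriginalFileName": "MEGAsync.exe"},
]

if __name__ == "__main__":
    for image, reasons in scan(EVENTS).items():
        print(image, "->", "; ".join(reasons))
```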

Collecting domain information let the attackers progress further in the attack, because that information could identify candidate targets for lateral movement or devices that would help them distribute the ransomware payload. To do this, the attackers once again used ADRecon.ps1 with numerous PowerShell cmdlets, such as the following:

  • Get-ADRGPO – gets the group policy objects (GPOs) in a domain
  • Get-ADRDNSZone – gets all DNS zones and records in a domain
  • Get-ADRGPLink – gets all group policy links applied to a scope of management in a domain

In addition, the attackers dropped and ran ADFind.exe commands to gather information on users, computers, organizational units, and trusts, and pinged dozens of devices to check connectivity.

Intellectual property theft likely allowed the attackers to threaten to release the data if the subsequent ransom was not paid, a practice known as "double extortion." To steal intellectual property, the attackers targeted and collected data from SQL databases. They also browsed directories and project folders, among others, on every device they could access, then exfiltrated the data they found there.

The exfiltration took place over multiple days on multiple devices, which allowed the attackers to gather large volumes of data that they could then use for double extortion.
