Money Message: A hidden guest in corporate networks in Australia

Financial and accounting records and reports are sent to the hackers and then securely encrypted.

In August 2023, Sophos was brought in to support an organization in Australia infected with the Money Message ransomware. This ransomware, known for its stealth, does not append any extension to encrypted files, making it difficult for victims to identify encrypted files by searching for such an extension.

The attack reviewed by Sophos experts began with the compromise of a corporate VPN account protected only by single-factor authentication. The attackers then disabled Microsoft Defender protection using Group Policy.

Next, they used the PsExec utility to run a script that enabled RDP and gave them remote access across the company's network. After that, the attackers managed to steal the SAM registry hive, which stores local account credentials, using a custom Python script.

The attackers gained access to the company's financial data, accounting records, sales reports, and personnel information. The data was then exfiltrated via the MEGAsync cloud service. For the subsequent encryption, two builds of the ransomware were used, one for Windows and one for Linux.

To protect against such attacks, organizations need to implement MFA for VPNs, monitor for security protection being disabled, restrict access via RDP, and strengthen control over confidential data. It is also vital to use EDR solutions.
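To show what "monitor whether protection is disabled" can look like in practice, here is an added detection example (not from the Sophos report or this post) that flags the three steps described above on one host: Defender protection disabled, a PsExec service install, and RDP enabled via the registry. The event records are constructed and simplified; the Windows event IDs and registry names are real.

```python
# Added detection example, not from the Sophos report or this post. Flags the
# tradecraft sequence described above in simplified, constructed Windows event
# records: Defender disabled, PsExec service installed, RDP enabled via registry.
import json

# Constructed sample events (not real telemetry). Event IDs are real Windows ones:
# 5001 = Defender real-time protection disabled, 7045 = new service installed,
# 4657 = registry value modified (requires object-access auditing to be enabled).
SAMPLE_EVENTS = [
    {"host": "fs01", "id": 5001, "provider": "Microsoft-Windows-Windows Defender"},
    {"host": "fs01", "id": 7045, "service": "PSEXESVC", "path": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "fs01", "id": 4657, "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server",
     "value": "fDenyTSConnections", "new": "0"},
    {"host": "db02", "id": 7045, "service": "Spooler", "path": "C:\\Windows\\System32\\spoolsv.exe"},
]

def classify(ev):
    """Map one event to a detection name, or None if it looks benign."""
    if ev["id"] == 5001:
        return "defender_realtime_disabled"
    if ev["id"] == 7045 and ev.get("service", "").upper() == "PSEXESVC":
        return "psexec_service_installed"
    if (ev["id"] == 4657 and ev.get("value") == "fDenyTSConnections"
            and ev.get("new") == "0"):
        return "rdp_enabled_via_registry"
    return None

def detect(events):
    """Group findings per host; escalate when the whole chain appears on one host."""
    per_host = {}
    for ev in events:
        name = classify(ev)
        if name:
            per_host.setdefault(ev["host"], set()).add(name)
    chain = {"defender_realtime_disabled", "psexec_service_installed", "rdp_enabled_via_registry"}
    return {h: {"findings": sorted(f), "escalate": chain <= f} for h, f in per_host.items()}

if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_EVENTS), indent=2))
```

Any single finding is worth a look on its own; the escalate flag only marks the host where all three appear together, as in the incident above.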
