Snatch ransomware pwns security using sneaky ‘safe mode’ reboot | #CyberSecurity  | ICT Security-Sécurité PC et Internet | Scoop.it

Sophos’s Managed Threat Response (MTR) team has warned the industry of a dangerous new ransomware trick – encrypting data only after rebooting Windows PCs into ‘safe mode’.

Used recently by the Russian-developed ‘Snatch’ ransomware (named after the 2000 film of the same name), the trick works because much endpoint security software does not start in safe mode, so the encryption runs with nothing watching it.
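As an added illustration, not code from the Sophos MTR write-up or this post, the PowerShell below checks a Windows host for the two artefacts a "reboot into safe mode, then encrypt" payload has to leave behind: a boot entry forced into safe mode (visible in `bcdedit`), and a service that has been granted permission to start in safe mode via a subkey under `HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot`. The "trusted roots" heuristic used to flag services is an assumption for illustration, not something the article specifies.

```powershell
# Added example, not code from the Sophos MTR write-up: inventory the two things a
# "reboot into safe mode, then encrypt" payload has to leave on a Windows host.
#   1. A boot entry forced into safe mode (bcdedit ... safeboot Minimal|Network).
#   2. A service allowed to start in safe mode, i.e. a subkey under
#      HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\{Minimal,Network}.
# Run from an elevated PowerShell. The 'trusted roots' heuristic is an assumption
# for illustration, not something the article specifies; tune it to your estate.

function Get-SafeBootConfig {
    # bcdedit only prints a 'safeboot' line when the flag is present on the entry.
    $findings = @()
    foreach ($entry in '{current}', '{default}') {
        $out = & bcdedit.exe /enum $entry 2>$null
        if ($LASTEXITCODE -ne 0) { continue }
        foreach ($line in $out) {
            if ($line -match '^\s*safeboot\s+(\S+)') {
                $findings += [pscustomobject]@{ Entry = $entry; SafeBoot = $Matches[1] }
            }
        }
    }
    return $findings
}

function Get-SafeModeServices {
    # Each SafeBoot subkey's (default) value is 'Driver', 'Driver Group',
    # 'File system' or 'Service'. Only 'Service' entries are Windows services that
    # the service controller will start in safe mode, which is exactly the
    # permission a ransomware service needs to run while the EDR agent is absent.
    $results = @()
    foreach ($mode in 'Minimal', 'Network') {
        $base = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        if (-not (Test-Path $base)) { continue }
        foreach ($key in Get-ChildItem -Path $base) {
            if ($key.GetValue('') -ne 'Service') { continue }
            $name = $key.PSChildName
            $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
            $startMode = if ($svc) { $svc.StartMode } else { '' }
            $pathName  = if ($svc) { $svc.PathName }  else { '<no such service>' }
            $results += [pscustomobject]@{
                Mode      = $mode
                Name      = $name
                Exists    = [bool]$svc
                StartMode = $startMode
                PathName  = $pathName
            }
        }
    }
    return $results
}

function Find-SuspiciousSafeModeServices {
    # Heuristic (assumption): a safe-mode-permitted service whose binary sits
    # outside Windows or Program Files, or that has no matching service object,
    # is worth a look. Vendors legitimately register here too, so expect to
    # whitelist; the point is that the list should be short and explainable.
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    Get-SafeModeServices | Where-Object {
        $path = $_.PathName.TrimStart('"')
        $inTrusted = $false
        foreach ($root in $trusted) {
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
        }
        (-not $_.Exists) -or (-not $inTrusted)
    }
}

$boot = Get-SafeBootConfig
if ($boot) {
    Write-Warning "Boot configuration is forcing safe mode:`n$($boot | Out-String)"
} else {
    'Boot configuration is not forcing safe mode.'
}
Find-SuspiciousSafeModeServices | Format-Table Mode, Name, Exists, StartMode, PathName -AutoSize
```

Run it before rebooting a host you suspect, because in this technique the reboot is what hands control to the payload. If the script reports a `safeboot` flag, `bcdedit /deletevalue {default} safeboot` (or `{current}`) clears it, but record and investigate the permitted service first rather than simply removing the evidence. The script only inspects the `{current}` and `{default}` entries; a boot entry set up under its own GUID would need `bcdedit /enum all`.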

Beyond that trick, the real-world attacks analysed by MTR show Snatch starting out like many other ransomware campaigns currently targeting business networks.

The attackers look for weakly secured Remote Desktop (RDP) ports and force their way into Azure servers, then use that foothold to move laterally to Windows domain controllers, often spending weeks on reconnaissance.

In one network attack, the attackers then installed the ransomware on around 200 machines via their command and control (C2) channel, after using a grab-bag of legitimate tools (Process Hacker, IObit Uninstaller, PowerTool, PsExec, Advanced Port Scanner) plus some of their own.

The same software profile was seen in other attacks in the US, Canada and several European countries, all of which also came in through exposed RDP.
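The RDP entry point these attacks share lends itself to a simple detection. The PowerShell below is added here as an example and is not from the Sophos write-up: it reads failed logon events (ID 4625) from the local Security log, groups them by source address and reports the addresses guessing passwords. The sixty-minute window and the threshold of twenty failures are assumptions to tune against your own baseline; the script needs logon failure auditing enabled and an elevated shell.

```powershell
# Added example, not code from the Sophos MTR write-up: find the password guessing
# that precedes an RDP foothold by counting failed logons per source address in
# the Security log. Needs 'Audit Logon' failure auditing enabled and an elevated
# shell. The window and threshold are assumptions; tune them to your baseline.
#
# Caveat worth knowing: with Network Level Authentication enabled, failed RDP
# logons are recorded with LogonType 3 (network, via CredSSP/NTLM) rather than
# 10 (RemoteInteractive), so both types are kept and the type is reported
# rather than used to exclude events.

function Get-FailedLogons {
    param([int]$LookbackMinutes = 60)
    $since  = (Get-Date).AddMinutes(-$LookbackMinutes)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = $since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read the named EventData fields from the event XML instead of scraping
        # the rendered message, which is locale dependent.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['LogonType'] -notin '3', '10') { continue }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Source    = $d['IpAddress']
            LogonType = $d['LogonType']
            User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Process   = $d['LogonProcessName']
        }
    }
}

function Get-RdpBruteForceSources {
    param([int]$LookbackMinutes = 60, [int]$Threshold = 20)
    Get-FailedLogons -LookbackMinutes $LookbackMinutes |
        Group-Object Source |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $times = @($_.Group.Time | Sort-Object)
            [pscustomobject]@{
                Source        = $_.Name
                Failures      = $_.Count
                DistinctUsers = @($_.Group.User | Sort-Object -Unique).Count
                LogonTypes    = ($_.Group.LogonType | Sort-Object -Unique) -join ','
                First         = $times[0]
                Last          = $times[-1]
            }
        } |
        Sort-Object Failures -Descending
}

Get-RdpBruteForceSources -LookbackMinutes 60 -Threshold 20 | Format-Table -AutoSize
```

A source with many failures spread across many distinct usernames is the signature of spraying rather than a user mistyping a password, and a source address of `-` usually means a local or NLA-proxied attempt whose origin has to be recovered from elsewhere. The same grouping is more useful run centrally against forwarded logs than on one host, since the attackers in these cases pivoted from a single foothold to the domain controllers.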

Learn more:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=RANSOMWARE