maioetc.blogg.se

Filezilla malware 2019

The report did not name the agency, nor what state or local government said agency is connected to. Instead, Sophos researchers Andrew Brandt and Angela Gunn provided a picture of the attack and used event logs the hackers hadn't deleted to piece together a timeline of events. LockBit is a prominent ransomware-as-a-service gang that has been active since at least mid-2019. As is standard practice now, LockBit uses a double-extortion method with which it both encrypts data and threatens to leak a victim's data if the victim doesn't pay. The ransomware, offered primarily to Russian-speaking users, has been used in a number of notable attacks, including last year's breach against consulting giant Accenture.

The researchers wrote that attackers spent five months remotely Googling for - and downloading - hacking tools from the agency's own machines before successfully deploying LockBit ransomware. The tools included ScreenConnect, now called ConnectWise Control, and later AnyDesk for remote access; attackers also used remote desktop protocol (RDP) scanning, exploits and brute-force password tools, as well as cryptocurrency miners and pirated VPN software. Moreover, the actors "used freeware tools like PsExec, FileZilla, Process Explorer, or GMER to execute commands, move data from one machine to another, and kill or subvert the processes that impeded their efforts."

Brandt and Gunn argued based on behavioral data that two or more groups were "poking around" in this five-month period. This is based on data suggesting attackers got more "focused" four months into the breach, as well as new IP addresses that were traced to a wide variety of nations - though Sophos concedes the addresses may have just been Tor exit nodes. Sophos became involved a few days before the attackers deployed the ransomware.







