INCIDENT ANALYSIS: HOW A FOG RANSOMWARE AFFILIATE GAINED ACCESS VIA VPN CREDENTIALS, EXPLOITED AD, AND MOVED LATERALLY ACROSS NETWORKS
ℹ️ Researchers provide an in-depth analysis of a ransomware affiliate operation linked to the Fog ransomware group. This operation was uncovered through the discovery of an open directory in December 2024, which contained a comprehensive toolkit used for various stages of the intrusion.
📍 KEY FINDINGS
■ Initial Access: The attackers gained entry using compromised SonicWall VPN credentials.
■ Toolset: The toolkit included tools for reconnaissance, exploitation, credential theft, and C2 activities. Notable tools were SonicWall Scanner, DonPAPI, Certipy, Zer0dump, and Pachine/noPac.
■ Persistence and Lateral Movement: Persistence was maintained through AnyDesk, automated by a PowerShell script that preconfigured remote access credentials. Sliver C2 executables were hosted on the server for C2 operations, alongside Proxychains tunneling.
■ Victim Profile: The victims spanned multiple industries, including technology, education, and logistics, across Europe, North America, and South America, highlighting the affiliate's broad targeting scope.
ℹ️ The report underscores the importance of robust cybersecurity measures, including regular monitoring of VPN access, securing Active Directory configurations, and vigilant network traffic analysis to detect and mitigate such sophisticated threats.
Report: https://lnkd.in/dWVY--su
#threathunting #threatdetection #threatanalysis #threatintelligence #cyberthreatintelligence #cyberintelligence #cybersecurity #cyberprotection #cyberdefense
How Ransomware Groups Target Multiple Organizations
Summary
Ransomware groups are organized cybercriminals who target multiple organizations at once by exploiting security weaknesses, stealing credentials, and using commercial tools to spread malicious software across networks. Their attacks are carefully planned, often using shared databases of compromised devices, automated scripts, and detailed research into company structures and vulnerabilities.
- Patch vulnerabilities: Make sure your organization regularly updates all software and fixes security holes, especially for internet-facing systems, to prevent attackers from gaining access through old flaws.
- Monitor access: Keep a close eye on VPN and remote access activity, and use multi-factor authentication to protect accounts with privileged access.
- Research your exposure: Review what information about your company is publicly available, as ransomware groups use business intelligence tools to shape their ransom demands and target selection.
-
Modus Operandi of a ransomware group that compromised organizations in 70+ countries in the last 4 years:
Every ransomware gang has 2 simple goals: 1) To run commands on a victim's machine 2) To run those commands stealthily
Here's how the Ghost ransomware gang achieves both (based on a recent report by FBI/CISA).
𝗔𝘁𝘁𝗮𝗰𝗸 𝗙𝗹𝗼𝘄:
1) Attacker targets a company > Scans their public-facing assets that have unpatched CVEs > Exploits them > Gains initial access.
2) Attacker uses PowerShell on the compromised asset to install 'Cobalt Strike' beacon malware > Once a beacon is implanted, attackers can run commands, move laterally, and spread rapidly. All without needing fresh exploits.
3) Attacker now leverages Cobalt Strike's in-built feature to display the list of running processes > Identifies anti-virus software > Turns it off.
4) Attacker now runs Cobalt Strike's 'hashdump' to collect passwords from memory > Using those passwords, attacker moves to new systems.
5) Attacker also scans for open network shares and remote systems to move to those as well > On all the newly compromised systems, attacker installs a Cobalt Strike beacon so that they can run further commands easily and repeat the above cycle.
6) Once the attacker has spread across several hundred systems, they finally pull the trigger > Deploy ransomware > Encrypt systems > Clear Windows event logs, delete shadow copies to prevent recovery.
𝗔 𝗙𝗲𝘄 𝗧𝗵𝗼𝘂𝗴𝗵𝘁𝘀:
1) A huge part of this story simply rests on Cobalt Strike. Cobalt Strike is a good example of 'right tool in the wrong hands'. It's a powerful tool intended for pen testers but leveraged by attackers.
2) Cobalt Strike has various capabilities, but the most striking feature is this: planting a 'beacon' that establishes persistent communication between the attacker and the target. Once a beacon is implanted, attackers can run commands, move laterally, and spread rapidly. All without needing fresh exploits.
3) Organizations that have basic hygiene (timely patching, running devices without local admin privilege, monitoring AV disablement, etc.) should be able to repel these. Others may not.
4) How do we detect? Cobalt Strike servers come with a default certificate displaying specific values for the serial number, the issuer, etc. Look for these values. If they have not been modified by the attackers, it's a definite sign.
5) Attackers often use Cobalt Strike's DNS-based communication, which is pretty hard to detect compared to classic HTTP traffic. Look for irregular DNS request patterns (e.g. unusually long domain names, an excessive number of subdomains).
6) Google has open-sourced YARA rules and a collection of IOCs to detect Cobalt Strike (link in comments).
If you enjoyed this or learned something, follow me at Rohit Tamma for more in future!
#ransomware #cybersecurity #malware #infosec #threatdetection #incidentresponse
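The post's detection hint in point 5 (unusually long names, excessive numbers of subdomains) can be turned into a small heuristic pass over a DNS query log. The following is an added example, not code from the post or from any vendor tooling; the log format, the client addresses, the `cdn-updates.example.net` names and the thresholds are all constructed for illustration and would need tuning against a real baseline. It adds one signal the post does not mention, character entropy of the leftmost label, which catches short but random-looking labels that the length rules miss.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (not from any real capture). Each line is
# "<timestamp> <client_ip> <qname> <qtype>". 10.0.0.5 makes ordinary lookups;
# 10.0.0.7 issues names shaped like encoded data under one base domain.
SAMPLE_LOG = """\
2025-01-10T09:00:01Z 10.0.0.5 www.example.com A
2025-01-10T09:00:02Z 10.0.0.5 mail.example.com A
2025-01-10T09:00:03Z 10.0.0.7 3f9a1c77e2b4d0a8c5e6f1029b3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d.cdn-updates.example.net TXT
2025-01-10T09:00:04Z 10.0.0.7 a1.b2.c3.d4.e5.f6.g7.h8.cdn-updates.example.net A
2025-01-10T09:00:05Z 10.0.0.7 0a3f9e2b1c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f.cdn-updates.example.net TXT
2025-01-10T09:00:06Z 10.0.0.5 api.example.com AAAA
"""

# Heuristic thresholds. These are assumed starting values, not published IoCs.
MAX_LABEL_LEN = 40     # a single dot-separated label longer than this
MAX_NAME_LEN = 80      # a whole query name longer than this
MAX_LABELS = 6         # more labels than this ("excessive number of subdomains")
ENTROPY_MIN_LEN = 16   # only score entropy on labels at least this long
MIN_ENTROPY = 3.5      # bits per character; hex/base32 payloads land well above this


def parse_line(line):
    """Split one log line into a record; return None for blank/malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client,
            "qname": qname.rstrip(".").lower(), "qtype": qtype}


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for the empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def score_query(qname):
    """Return the list of heuristic reasons a query name looks like tunnelling."""
    labels = qname.split(".")
    reasons = []
    if max(len(label) for label in labels) > MAX_LABEL_LEN:
        reasons.append("long_label")
    if len(qname) > MAX_NAME_LEN:
        reasons.append("long_name")
    if len(labels) > MAX_LABELS:
        reasons.append("many_labels")
    leftmost = labels[0]
    if len(leftmost) >= ENTROPY_MIN_LEN and shannon_entropy(leftmost) > MIN_ENTROPY:
        reasons.append("high_entropy")
    return reasons


def base_domain(qname):
    """Crude registered-domain guess: the last two labels. A real deployment
    should use the Public Suffix List so that e.g. co.uk is handled."""
    return ".".join(qname.split(".")[-2:])


def analyze(log_text):
    """Scan a log; return (alerts, unique-subdomain counts per client/base domain).

    The per-(client, base_domain) count of distinct names is a second signal:
    a tunnel produces a steady stream of never-repeating names under one domain,
    so a high count over a short window is worth a look even if no single name
    trips the per-query rules.
    """
    alerts = []
    unique_names = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        reasons = score_query(rec["qname"])
        if reasons:
            alerts.append({"ts": rec["ts"], "client": rec["client"],
                           "qname": rec["qname"], "reasons": reasons})
        unique_names[(rec["client"], base_domain(rec["qname"]))].add(rec["qname"])
    counts = {key: len(names) for key, names in unique_names.items()}
    return alerts, counts


if __name__ == "__main__":
    found, per_domain = analyze(SAMPLE_LOG)
    for alert in found:
        print(f"{alert['ts']} {alert['client']} {alert['qname'][:48]}... {alert['reasons']}")
    for (client, base), n in sorted(per_domain.items()):
        print(f"{client} -> {base}: {n} distinct names")
```

Each of the three queries from 10.0.0.7 is caught by a different rule: the first by label and name length, the second by label count, the third only by entropy (its label is exactly 40 characters, so the length rule alone would miss it). Thresholds like these produce false positives on legitimate CDN and anti-spam lookups, so in practice the alerts should be reviewed alongside the per-domain volume counts rather than acted on individually.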
-
Group-IB's latest research traces how a single affiliate cycled through #Qilin's operation, staged a public payment dispute as strategic cover, and launched The #Gentlemen — a fully operational #RaaS — within weeks. The first ransomware sample was uploaded five days before the "grievance" went public. This was not a reaction. It was a plan. What our team uncovered should concern every executive responsible for infrastructure security. The operator maintains a shared database of 14,700 pre-compromised #FortiGate devices — freely accessible to affiliates. 969 validated VPN credentials sit ready for deployment. 94 organisations attacked in months, not years. Targets are selected by revenue, regulatory exposure, and ease of privilege escalation. AI tools — ChatGPT, Gemini, open-source models — are embedded directly in the development pipeline. And the group is actively reverse-engineering #Babuk, #LockBit 5.0, #Qilin, and #Medusa to absorb their best encryption and evasion capabilities. This is industrialised cybercrime with a supply chain, a talent pipeline, and a product roadmap. The numbers tell a structural story: 14,700 compromised devices means initial access is no longer a bottleneck - it is a commodity. When attackers share resources at this scale while many defenders still operate in silos, the asymmetry is not technical. It is organisational. Collective defence and predictive intelligence are no longer aspirational frameworks. They are operational necessities. Full technical research for Threat Intelligence teams is here: https://lnkd.in/eKMzrBy3
-
🚨 The FBI and CISA just issued a critical security advisory about a dangerous ransomware group called "Ghost" that's actively targeting organizations across 70+ countries. Unlike typical ransomware operations that rely on phishing, Ghost exploits unpatched vulnerabilities in internet-facing servers to gain access and deploy their malicious payload.
What makes Ghost particularly concerning is their methodology. Operating out of China, these threat actors (who also go by names like Cring, Phantom, and Strike) target vulnerabilities in common business applications like Fortinet FortiOS, Adobe ColdFusion, and Microsoft SharePoint. Some of the exploited vulnerabilities date back to 2009, highlighting a critical gap in many organizations' security practices.
Once inside a network, Ghost uploads web shells to compromised servers and uses Cobalt Strike (ironically, a legitimate penetration testing tool) to steal credentials, disable antivirus software, and move laterally through systems. Security experts describe this as a "commercial global onslaught" that particularly threatens organizations with poor patch management practices.
The future of ransomware attacks will likely continue this trend of targeting known but unpatched vulnerabilities. As security professionals note, attackers are evolving faster than many organizations can patch their systems. We'll see more sophisticated exploitation of "patch fatigue" – where overwhelmed security teams simply can't keep up with the volume of vulnerabilities. Legacy systems and IoT devices with long lifecycles will become increasingly vulnerable targets.
What should you be thinking about? The FBI recommends four immediate actions:
1. Maintain regular system backups stored separately from source systems
2. Patch known vulnerabilities promptly
3. Segment networks to restrict lateral movement
4. Implement phishing-resistant multi-factor authentication for privileged accounts
Beyond these basics, consider implementing a privileged access management solution with zero-trust principles. Develop a long-term operations and risk mitigation plan for legacy systems. And remember – the FBI strongly discourages paying ransoms, as this only encourages more attacks.
Is your organization prepared for threats that bypass traditional phishing defenses? How current is your patch management strategy? The time to act is now. 🔐
Source: forbes
-
Ransomware crews do their research when setting ransom demands. It's not just about what they steal—they're tapping into the same business intelligence sources your sales team might use. Digging into the leaked Blackbasta chat logs, we counted 787 direct references to zoominfo.com. That means these crews are going far beyond reviewing exfiltrated files. They're pulling up revenue numbers, org charts, and even figuring out which employees have payment authority.
The actual workflow looks like this:
➡️ Start by exfiltrating sensitive data and pulling internal docs
➡️ Then comb through resources like ZoomInfo to map out company structure and revenue
➡️ Use that intelligence to size the ransom demand to what they think you'll pay
Seen from an OffSec angle, it's classic recon—just with a modern twist. Ransomware groups are blending criminal tactics with commercial-grade data mining to shape their approach, not just blasting out random numbers. If you want to see how this plays out in the raw logs, I dropped a link to the leaked chats in the comments.
Curious—are there other business data sources you've seen threat actors abusing for target research? #Cybersecurity #Ransomware #ThreatIntelligence
-
The Scattered Spider 🕷️ threat group is now actively targeting organisations' virtualisation platforms, particularly VMware vSphere, as a launchpad for #ransomware deployment. Here are some interesting insights from Mandiant (part of Google Cloud) (GTIG).
𝗜𝗻𝗶𝘁𝗶𝗮𝗹 𝗔𝗰𝗰𝗲𝘀𝘀
🔸 Social engineering via phone calls to IT help desks
🔸 Impersonation of staff to gain valid credentials
🔸 No software exploits used, pure human manipulation
𝗧𝗿𝗮𝗱𝗲𝗰𝗿𝗮𝗳𝘁𝘀
🔺 Living off the land (LotL) techniques, pretty much using legitimate admin tools
🔺 Compromise of Active Directory (AD) as central pivot point
🔺 Pivot into VMware vSphere environments
🔺 Exfiltrate data and deploy ransomware directly from ESXi hypervisors
𝗪𝗵𝘆 𝗵𝘆𝗽𝗲𝗿𝘃𝗶𝘀𝗼𝗿𝘀?
👉 EDR tools are often blind to ESXi and vCenter activity
👉 Minimal traditional IoCs
𝗡𝗼𝘄 𝘄𝗵𝗮𝘁?
✅ Validate that your SIEM sees the right signals
✅ Test #incidentresponse plans for a hypervisor-level breach
✅ Conduct purple team exercises simulating Scattered Spider's known TTPs
Read on https://lnkd.in/g2Q_PcX9
📌 Validate detections for how attackers really move. Don't wait for the ransomware splash screen.
-
Ransomware groups aren't targeting MSP clients anymore. They're targeting the MSPs themselves. RMM gives you privileged access to hundreds or thousands of endpoints. One login, manage everything. That's the value proposition. It's also why MSPs are the highest-value target for ransomware operations. Compromise one MSP, get hundreds of victims. It's multiplication. It's efficient. Attacks targeting MSP infrastructure increased 70% in 2025 according to CrowdStrike. Here's how it actually plays out: DragonForce exploited SimpleHelp RMM in May. Compromised one MSP. Used their legitimate RMM access to deploy ransomware across multiple customer endpoints simultaneously. Qilin hit ScreenConnect in January. Bypassed MFA with phishing. Gained super admin access. Pushed malicious instances to multiple customers. Different ransomware password for each client. SafePay attacked Ingram Micro in July. Six-day global supply chain disruption. Thousands of MSPs affected worldwide. The pattern is clear. RMM tools are designed for remote access and control. That makes them perfect attack vectors. And when vulnerabilities get discovered, you're dependent on vendor patching timelines. SimpleHelp had three critical CVEs in May. MSPs running it had to wait. No control over the schedule. Verizon's 2025 report confirms it: 44% of breaches involve ransomware (up from 32%), 30% involve third parties (doubled from 15%). You're not just a service provider. You're an attack vector. Security isn't just about endpoint protection. It's about your infrastructure. Your tools. Your access. Your dependencies. You can't stop using RMM. But you can control what you use, how it's secured, and whether you're sitting around waiting for vendors to patch critical vulnerabilities. Because ransomware groups already figured out the math. One MSP breach equals hundreds of victims. They're coming for your tools.
-
The U.S. Department of Justice recently indicted Aleksey Olegovich Volkov, an "Initial Access Broker" (IAB). See https://lnkd.in/etanPbys. An IAB obtains access to victim networks and provides such access to ransomware groups or other threat actors, in exchange for a percentage of the ransom proceeds. When organizations make big announcements, such as corporate transactions, ransomware groups and other threat actors commonly reach out to IABs on the dark web or criminal forums to see who ALREADY has access to the organization. See https://lnkd.in/eFmW5XC3. If an IAB already has access, they use the opportunity for a ransomware attack. What is the upshot? Before your organization makes a big announcement, make sure your security team is aware so that they can help batten down the hatches. The security team may want to conduct a compromise assessment or other testing to help confirm that the organization is not already compromised and there is not an IAB hiding under a desk somewhere. The security team may want to increase monitoring or other defenses. It may not always work, but better to give them a fighting chance!
-
The group that operates under the motto "Adversaries Don't Break In, They Log In": For about 3 years now Scattered Spider has been using the same social engineering modus operandi to breach companies in various industries:
🔹 They run basic OSINT research, sometimes just limited to LinkedIn & some Google searches, and get an idea of the company personnel and their partners. They pick some.
🔹 They (typically) call the organization's IT help desk, or any IT personnel that may be available, and pretend to be someone internal (often a new hire) or an external business partner, needing a password reset. OR they impersonate someone from their target organization's IT department, and send a text or call others within the target organization claiming that their password has expired and that they need to reset it.
🔸 Insufficient training and the lack of a social engineering defense protocol (which includes an identity verification procedure) make the next steps of this attack possible, and successful.
🔹 While on the phone, they will convince their targets to help them bypass multi-factor authentication procedures and/or disable other security measures and ignore alerts.
🔹 Eventually, they obtain login credentials and the rest, as they say, is history.
This is the general blueprint. Millions of dollars are lost starting from a simple phone call. While many news reports have been calling this type of social engineering "sophisticated", it has existed long before Scattered Spider. It is a popular approach and in fact, it is one of the attacks discussed as "classic & frequently used" in our social engineering defense classes.
In our work with clients and during trainings we see many and diverse reasons why this is working. Sometimes it is the company culture, sometimes the lack of training, sometimes the management that does not take the threat too seriously (or is entirely ignorant of it). Ignorance or the uncertainty of how to respond in a situation like this play a big role. The results remain the same, and they benefit the adversaries.
Take a moment to reflect on whether this type of attack would work in your organization. Consider setting up social engineering defense protocols. Train employees & help desks on a caller identification protocol and on how to recognize & respond to social engineering. Reach out if you need help with it 🎯 Every security strategy needs to be tailored to the organization, practical, and realistic. https://lnkd.in/eG8F4itb
-
Recent Disruption in Small Cooperative Banks in India due to Security Breach: Learnings
A ransomware attack on a prominent joint venture, C Edge Technologies, targeting its supplier Brontoo Technology, had led to the shutdown of payment systems in nearly 300 small Indian local banks. The attack by the RansomEXX group disrupted ATM operations and online payments in India, originating from a misconfigured Jenkins server exploited by the attackers. Although the impact on the payment ecosystem was minimal, it has learnings for all.
Key Learnings for Enterprises:
- The vulnerability of service providers is highlighted, emphasizing the critical role they play in the banking ecosystem.
- The sophistication of RansomEXX v2.0 is evident through advanced techniques like strong encryption algorithms, evasion tactics, and diverse infection vectors such as phishing emails and exploiting remote desktop protocol vulnerabilities.
- Supply chain attacks pose a significant threat as attackers target third-party service providers to compromise larger organizations.
- Robust security measures, including properly configured servers and regular security audits, are essential to prevent such attacks.
Organizations can take several measures to prevent supply chain attacks:
1. Establish clear and comprehensive security requirements for vendors and ensure they provide proof of their security controls.
2. Adopt a zero-trust approach, which assumes that threats could be both external and internal, and verifies every request as though it originates from an open network.
3. Keep all software up-to-date.
4. Implement PAM solutions to control and monitor access to critical systems and data.
5. Prepare and regularly update an incident response plan.
6. Enhance visibility into the supply chain to identify and address potential vulnerabilities, by creating a Software Bill of Materials.
7. Develop strong, trusted relationships with suppliers to ensure they adhere to security best practices.
8. Deploy honeytokens, which act as decoys to alert organizations.
9. Conduct regular security audits of both internal systems and those of third-party vendors.
10. Employee training on recognizing phishing attempts and other common attack vectors.
Be #digitallysafe #informationsecurity