
Don't let ransomware crooks spend months in your network – like this govt agency did
2022-04-14 00:12

Lockbit ransomware operators spent nearly six months in a government agency's network, deleting logs and using Chrome to download hacking tools, before eventually deploying extortionware, according to Sophos threat researchers.

As Sophos researchers noted, the point of entry is "nothing spectacular." It's not said exactly how the miscreants got in - via brute-forcing a weak password, using a stolen credential, tapping up a rogue insider, or exploiting a security bug, for example - but we're told the intruders managed to hijack a local administrator account on the server that also had Windows domain admin privileges, which would make exploring and compromising the network simple.

"Unusual remote access connections, even from legitimate accounts, can be a sign of possible intrusion," Sophos Director of Threat Research Christopher Budd noted in an email to The Register.

"With no protection in place, the attackers installed ScreenConnect to give themselves a backup method of remote access, then moved quickly to exfiltrate files from file servers on the network to cloud storage provider Mega," Brandt and Gunn wrote.

After five months of Googling malware and poking around on the agency's network, the criminals' behavior changed "dramatically," Sophos noted.

Sophos' write-up includes a series of indicators-of-compromise gathered from this infection for you to scan for on your network.
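The three behaviours this report describes (remote logons from legitimate accounts at unusual sources, installation of a remote-access tool such as ScreenConnect, and clearing of audit logs) are all visible in standard Windows event logs. The following is an added illustration, not code from Sophos or The Register, of a small detector run over constructed event records; the account names, addresses and baseline are assumed sample values.

```python
# Added example: flag the behaviours described in the report from Windows event
# records. Event IDs are standard: 4624 logon (type 10 = RDP/RemoteInteractive),
# 7045 new service installed (System log), 1102 audit log cleared (Security log).

# Constructed sample events; not real telemetry from the incident.
SAMPLE_EVENTS = [
    {"id": 4624, "user": "svc_backup", "type": 10, "src": "10.0.5.20"},
    {"id": 4624, "user": "svc_backup", "type": 10, "src": "10.0.5.20"},
    {"id": 4624, "user": "localadmin", "type": 10, "src": "203.0.113.77"},
    {"id": 7045, "service": "ScreenConnect Client (sample)",
     "path": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"id": 1102, "user": "localadmin"},
]

# Assumed baseline: source addresses each account normally uses for remote
# logons. In practice this is built from historical 4624 data per account.
BASELINE = {"svc_backup": {"10.0.5.20"}}

# Service names/paths that indicate a remote-access tool the admins did not
# deploy; extend with whatever is not sanctioned in your environment.
REMOTE_TOOL_MARKERS = ("screenconnect",)


def detect(events, baseline):
    """Return (rule, detail) alerts for the three behaviours above."""
    alerts = []
    for e in events:
        if e["id"] == 4624 and e.get("type") == 10:
            # Legitimate account, but a source it has never logged on from.
            if e["src"] not in baseline.get(e["user"], set()):
                alerts.append(("unusual_remote_logon", f"{e['user']} from {e['src']}"))
        elif e["id"] == 7045:
            name = f"{e.get('service', '')} {e.get('path', '')}".lower()
            if any(m in name for m in REMOTE_TOOL_MARKERS):
                alerts.append(("remote_access_tool_installed", e["service"]))
        elif e["id"] == 1102:
            # Log clearing is itself logged; treat it as high priority.
            alerts.append(("audit_log_cleared", f"by {e.get('user', '?')}"))
    return alerts


def likely_intrusion(alerts):
    """Two or more distinct rules firing on one host is worth an incident ticket."""
    return len({rule for rule, _ in alerts}) >= 2


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS, BASELINE)
    for rule, detail in found:
        print(f"{rule}: {detail}")
    print("escalate:", likely_intrusion(found))
```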


News URL

https://go.theregister.com/feed/www.theregister.com/2022/04/14/ransomware_gang_network/