Threat Intel
Last update we had was when LockBit released a transcript of a chat alleged to be between LockBit and the RoyalMail ransomware negotiator.
Thanks to Domonic far tagging me, we can see an update has occurred on the LB site:
Read more “The RoyalMail Ransomware Saga”
Threat Intel
Ransomware this, ransomware that! The problem is, you can be tired of the subject but that doesn’t mean the threat has gone away! So what are the currently active ransomware groups posting victims?
Well here’s a list of currently active group (Both Ransomware and Marketplaces) names who have ONLINE “DARK WEB” (TOR) hidden services online and who are posting victims or are markets:
Read more “Active Cybercrime Groups”
Education
The loss of availability Ransomware causes is enough to make your day/week/s bad, the loss of data, bad month/quarter or longer.
Lockbit posted “Royal Mail need new negotiator.” Followed by “ALL AVAILABLE DATA PUBLISHED !”
What we actually found is that they published the chat history:
Read more “Lockbit 3.0 and Royal Mail – Chats Published”
Vulnerabilities
I knocked this up quickly but I “think” it’s accurate. Use at own risk etc.
Let me know if you find any errors/changes required etc.
Guides
Did you ever read about ransomware actors? They often use mega upload to exfiltrate data! So I figured, why would we not detect this with MDE?
I mean sure we should probably block this with a custom indicator using Web Content Filtering and sure it would probably get blocked by Protective DNS but let’s say for whatever reason you don’t have those in place, let’s look at a really simple query to find mega connections in MDE:
Read more “Ransomware + Mega = Mega Cyber Pain”
Uncategorized
A common way to deploy an encryption routine used in Ransomware scenarios is to create a scheduled task to launch a cyptor exe. This is commonly deployed via a Group Policy Object (GPO).
So I wanted to look at how with Microsoft Defender for Endpoint (MDE) we could detect this both on domain controllers but also on CLIENT devices (MEMBER SERVERS/PCs)
Read more “Hunting for New Group Policies Where Scheduled Tasks are used”
Uncategorized
A very common technique in ransomware scenarios is the deployment of Scheduled Tasks via Group Policy object.
So I thought I’d start to post some content around this. To start with I was looking locally to enable the following:
“Show me all the command lines used in scheduled tasks on Windows with PowerShell”
So I knocked up this really simple proof of concept (there are other ways to write this obvs)
Read more “Malicious Scheduled Tasks”
Threat Intel
breaking news: Royal mails international tracking services are down and have been for > 24 hours:
The ICO have been contacted! The NCSC and NCA have been contacted! What should you do?
Read more “Royal Mail Cyber Attack! What should you do?”
Threat Intel
We’ve all been there haven’t we! We’ve pwn3d a network, pivoted and moved around for months and then accidentally got the wrong company name… oh wait.
Well, this story isn’t fiction, CLOP ransomware group have breached a water company and then written it up as the wrong organisation. Read more “CLOP Ransomware Group Breaches Water Company and then misattributes to THAMES WATER”
Defense
“Ransomware is a major issue!”
Hang on maybe we need to re-phrase that:
“Weak security postures are a major issue!”
or perhaps.. why not both!
I’ve been working with digital technology management for over 20 years, I started out when I was a kid (literally) fixing people’s PCs in their offices, removing malware, improving configurations, writing batch file menus, and playing games. As time has gone on technology has shrunk and continually become more and more of our everyday lives.
Back in 2003 I responded internally to MSBlaster, an SMB worm that had a devastating effect for the time, by today’s standards it was child play, however I remember saying “it’s a good job it didn’t delete everything whilst it was here.” (Or something very similar. Post NACHI/Blaster my friends and I were talking about how worse it could get. Fast forward in time and it’s much worse. Yet when I look at networks, they don’t look very different to how they did back in the 2000s.
Despite a multi-billion-dollar cyber security industry, it seems daily that organisations are succumbing to “cyber-attacks” which commonly include ransomware. Why are they successful and why are they so impactful? Well, let’s take a look! Read more “Why are ransomware attacks so devastating? – Part 1”