Ransomware has traditionally revolved around the encryption of victims’ files. But even if encryption remains ransomware groups’ most common approach, it isn’t really their priority–extortion is. Financially-motivated cybercriminals care more about extracting payment from their victims than they do about the particular methods used to achieve that goal.

Ransomware is the fast-growing category of cybercrime. It’s estimated that over 4,000 ransomware attacks occur daily. Given the sheer volume of these attacks and the deep attack surface connections between organizations and their vendors, there’s a high likelihood that some of your employee credentials have already been compromised in a ransomware attack, which means the keys to your corporate network could currently be published on a ransomware gang’s data leak site.

Security practitioners may know about common command-and-control (C2) frameworks, such as Cobalt Strike and Sliver, but fewer have likely heard of the so-called Chinese sibling framework “Manjusaka” (described by Talos in an excellent writeup). Like other C2 frameworks, we studied the Manjusaka implant/server network communications in our lab environment, and here we document some of the detection methods available. We have also open-sourced the content we describe.

In today’s business environment, the risk of a ransomware attack is high and continues to grow. Threat actors are well financed, motivated, and very organized. While securing your environment and infrastructure is critically important, preparation to respond to an actual ransomware attack is essential. With an incalculable number of potential vulnerabilities and attack vectors, you have to be prepared to effectively respond to and recover from an attack.

Over the past few months, a new info stealer has emerged. Erbium Stealer is developed by an underground Russian-based group that has been operating since July. The group seems to work very professionally, creating proper documentation and keeping their clients in the loop regarding new features on an almost weekly basis, via their Telegram channel.

The Mirai botnet is infamous for the impact and the everlasting effect it has had on the world. Since the inception and discovery of this malware in 2016, to present day and all the permutations that have spawned as a result, cybersecurity professionals have been keeping a keen eye on this form of Command and Control (C2 or CnC) malware and associated addresses.

Using the ChangeNTLM and SetNTLM commands in Mimikatz, attackers can manipulate user passwords and escalate their privileges in Active Directory. Let’s take a look at these commands and what they do.

2022 began with successful ransomware attacks against global IT and digital transformation providers, no thanks to the notorious LAPSUS$ ransomware gang. Often, any discussion about ransomware impact has mostly centered on affected organizations. Rightly so, as victimized organizations usually suffer significant disruption to their operations. In 2021, the US Federal Bureau of Investigation received 3,729 complaints identified as ransomware.

LockBit (a.k.a. ABCD) emerged in September 2019 and became one of the most relevant RaaS (Ransomware-as-a-Service) groups among others like REvil, BlackMatter, Night Sky, Maze, Conti and Netwalker. The group targets many organizations around the world with a double-extortion scheme, where the attackers steal sensitive data and threaten to leak everything if the ransom is not paid.