Sophos, a global leader in next-generation cybersecurity, recently discovered a collection of third-party programs used to quietly carry out attacks while investigating the Netwalker ransomeware. This includes legitimate, publicly-available software (like TeamViewer), files cribbed from public code repositories (such as Github), and scripts (PowerShell) that were created by the attackers as well.
“Ransomware attacks nowadays are not single-shot events like WannaCry was in 2017. Cybercriminals now have well-established procedures and toolsets that they routinely use. The attacks are usually longer and multi-faceted, meaning attackers spend days or even weeks within targeted organizations, carefully mapping internal networks while gathering credentials and other useful information. In this process, they use legitimate third-party tools that may not be detected by the defenses. However, if defenders know and understand the processes and the tools the attackers using, they can better prepare against these attacks and detect them in the early stages before the actual ransomware payload is delivered,” said Gabor Szappanos, senior director, threat research at SophosLabs.
The Netwalker threat actor has struck a diverse set of targets based in the US, Australia, and Western Europe, and recent reports indicate that the attackers have decided to concentrate their efforts targeting large organizations, rather than individuals. The tooling uncovered supports this hypothesis as it includes programs intended to capture Domain Administration credentials from an enterprise network, combined with orchestration tools that employ software distribution served from a Domain Controller, common in enterprise networks but rare among home users.
For more information about the toolbox used by the cybercriminals related to Netwalker ransomware, you can visit SophosLabs Uncut article here.