Last updated J

The Varonis Forensics Team recently investigated and remediated a ransomware event that resulted in large-scale encryption and exfiltration across multiple file servers.

The threat actor obtained long-term persistence, escalated privileges to domain administrator, executed command and control of multiple hosts, achieved mass data exfiltration, and ultimately destroyed data.

Overnight, the victim company received an alert that appeared to show ransomware propagating on multiple file shares. These events originated from a single user, and patterns detected within the events resembled those often generated by ransomware.

In the early morning, the company took immediate action to disable the compromised domain Administrator account and engaged Varonis to assist in the incident response and recovery process.

Using the Varonis platform, the forensics team immediately identified the ransomware strain as "LockBit" and determined the full scope of impact.

The Varonis team also observed PSExec used to perform lateral movement and remote execution within the environment.

First steps

An initial forensic review of the host generating PSExec activity revealed a few key findings:

The threat actor had live remote sessions on the compromised device via the legitimate remote administration tool, TightVNC.

Multiple local administrator accounts had been created for additional persistence (across multiple devices). This included usernames such as: DomainAdmin, Support1, Support2, WDAGUtilityAccount and clienttest.
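The two findings above (new local administrator accounts for persistence, PsExec for lateral movement) can be surfaced by correlating Windows event records per host. The script below is an added example, not Varonis code or data from the investigation; the event records are constructed, and it assumes events have already been exported from the Security log (IDs 4720 and 4732) and the System log (ID 7045, where the PsExec service installs as PSEXESVC) into simple dictionaries.

```python
"""Correlate per-host Windows events to flag the persistence pattern from the
write-up: an account is created (4720) and added to Administrators (4732),
optionally alongside a PsExec service install (7045, service name PSEXESVC)."""
from collections import defaultdict

# Constructed sample events (not real logs). Hostnames and times are made up;
# in a real 4732 the member is a SID, resolved here to a name for readability.
SAMPLE_EVENTS = [
    {"host": "FS01", "id": 4720, "target": "Support1", "time": "02:11"},
    {"host": "FS01", "id": 4732, "target": "Support1", "group": "Administrators", "time": "02:12"},
    {"host": "FS01", "id": 7045, "service": "PSEXESVC", "time": "02:30"},
    {"host": "FS02", "id": 4720, "target": "clienttest", "time": "02:40"},
    {"host": "FS02", "id": 4732, "target": "clienttest", "group": "Administrators", "time": "02:41"},
    {"host": "WS17", "id": 4720, "target": "jsmith", "time": "09:05"},    # routine account creation
    {"host": "WS17", "id": 7045, "service": "Dnscache", "time": "09:10"},  # benign service name
]


def new_local_admins(events):
    """Map host -> accounts that were both created and added to Administrators."""
    created, admins = defaultdict(set), defaultdict(set)
    for e in events:
        if e["id"] == 4720:
            created[e["host"]].add(e["target"])
        elif e["id"] == 4732 and e.get("group") == "Administrators":
            admins[e["host"]].add(e["target"])
    return {h: sorted(created[h] & admins[h]) for h in created if created[h] & admins[h]}


def psexec_hosts(events):
    """Hosts where a service named PSEXESVC was installed (PsExec's service name)."""
    return {e["host"] for e in events
            if e["id"] == 7045 and e.get("service", "").upper() == "PSEXESVC"}


def triage(events):
    """Return host -> {'new_admins': [...], 'psexec': bool} for hosts with
    at least one new local admin; hosts with only routine activity are omitted."""
    admins = new_local_admins(events)
    psexec = psexec_hosts(events)
    return {h: {"new_admins": accts, "psexec": h in psexec} for h, accts in admins.items()}


if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS).items():
        print(host, finding)
```

Hosts that combine both indicators (FS01 in the sample) are the ones to image and review first, since they match the write-up's foothold profile most closely.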