Researchers spot a popular remote access tool being used to deploy ransomware.
Security researchers from Huntress have observed a pair of ransomware attempts that appear to have used TeamViewer to gain initial access to targeted systems.
Huntress staff spotted the activity after a small number of ransomware canary files – files deployed to alert security systems to encryption attempts – on the impacted systems were encrypted by ransomware that appears to be similar to that used by the LockBit gang in the past.
In both instances, Huntress was able to use TeamViewer log files to measure the time the bad guys spent on each system. One session lasted just seven and a half minutes, while the second – which was stopped by security software installed on the system – lasted a bit over 10 minutes.
Both access attempts came from the same specific endpoint, and both began initial deployment from a DOS batch file on the affected system’s desktop. In the second instance, where the deployment was stopped, the threat actor tried multiple times to get around the security software and launch an executable called LB3.exe – likely standing for LockBit 3.0, the gang’s full name.
The file and another file curiously called ZZZZZZZ were both eventually quarantined by the security software, after which the threat actor appears to have given up.
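The log review described above can be scripted. The following is an added example, not code from Huntress or from the original article: it computes session durations from TeamViewer incoming-connection logs and groups them by connecting ID. The tab-separated column layout, the timestamp format, the host names, the IDs and the approved-ID list are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

TS = "%d-%m-%Y %H:%M:%S"  # assumed timestamp layout

# Constructed sample logs, one per host. Assumed tab-separated columns:
# source ID, source name, start, end, local user, connection type, session id
LOGS = {
    "HOST-A": (
        "900000001\tHELPDESK-01\t08-01-2024 14:00:00\t08-01-2024 14:25:10\talice\tRemoteControl\t{s1}\n"
        "555000111\tUNKNOWN-PC\t10-01-2024 02:11:00\t10-01-2024 02:18:30\talice\tRemoteControl\t{s2}\n"
    ),
    "HOST-B": (
        "555000111\tUNKNOWN-PC\t10-01-2024 03:40:00\t10-01-2024 03:50:12\tbob\tRemoteControl\t{s3}\n"
        "555000111\tUNKNOWN-PC\t10-01-2024 04:00:00\t\tbob\tRemoteControl\t{s4}\n"  # no end time
    ),
}


def parse_log(text):
    """Yield (source_id, duration_seconds) for each complete session line."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6:
            continue  # not a session record
        try:
            start = datetime.strptime(fields[2].strip(), TS)
            end = datetime.strptime(fields[3].strip(), TS)
        except ValueError:
            continue  # damaged line or session without a recorded end
        yield fields[0].strip(), int((end - start).total_seconds())


def sessions_by_source(logs, approved_ids):
    """Map each unapproved connecting ID to its (host, seconds) sessions."""
    hits = defaultdict(list)
    for host, text in logs.items():
        for source_id, seconds in parse_log(text):
            if source_id not in approved_ids:
                hits[source_id].append((host, seconds))
    return dict(hits)


if __name__ == "__main__":
    for source_id, seen in sessions_by_source(LOGS, {"900000001"}).items():
        hosts = sorted({host for host, _ in seen})
        print(f"unapproved ID {source_id} connected to {len(hosts)} host(s)")
        for host, seconds in seen:
            print(f"  {host}: {seconds // 60}m {seconds % 60}s")
```

An ID that is absent from the approved list and appears on more than one host is the pattern worth escalating first.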
According to Huntress, keeping track of what software is installed on your machines is just as important as any physical inventory.
“Basic security measures are predicated on an asset inventory, of not just physical and virtual endpoints, but also of installed applications,” said Huntress researcher Harlan Carvey in a blog post.
“This – and previous incidents observed by Huntress SOC analysts – clearly demonstrate that threat actors look for any available means of access to individual endpoints to wreak havoc and possibly extend their reach further into the infrastructure.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.