FBI Warns Against Fake Online Document Converters Spreading Malware

 

The FBI Denver field office has issued a warning about cybercriminals using fake online document converters to steal sensitive data and deploy ransomware on victims' devices. Reports of these scams have been increasing, prompting authorities to urge users to be cautious and report incidents.

"The FBI Denver Field Office is warning that agents are increasingly seeing a scam involving free online document converter tools, and we want to encourage victims to report instances of this scam," the agency stated.

Cybercriminals create fraudulent websites that offer free document conversion, file merging, or media download services. While these sites may function as expected, they secretly inject malware into downloaded files, enabling hackers to gain remote access to infected devices.

"To conduct this scheme, cybercriminals across the globe are using any type of free document converter or downloader tool," the FBI added.

These sites may claim to:

  • Convert .DOC to .PDF or other file formats.
  • Merge multiple .JPG files into a single .PDF.
  • Offer MP3 or MP4 downloads.

Once users upload their files, hackers can extract sensitive information, including:

  • Names and Social Security Numbers
  • Cryptocurrency wallet addresses and passphrases
  • Banking credentials and passwords
  • Email addresses

Scammers also use phishing tactics, such as mimicking legitimate URLs by making slight alterations (e.g., changing one letter or replacing "CO" with "INC") to appear trustworthy.

“Users who in the past would type ‘free online file converter’ into a search engine are vulnerable, as the algorithms used for results now often include paid results, which might be scams,” said Vikki Migoya, Public Affairs Officer for FBI Denver.

Cybersecurity experts have confirmed that these fraudulent websites are linked to malware campaigns. Researcher Will Thomas recently identified fake converter sites, such as docu-flex[.]com, distributing malicious executables like Pdfixers.exe and DocuFlex.exe, both flagged as malware.

Additionally, a Google ad campaign in November was found promoting fake converters that installed Gootloader malware, a malware loader known for:

  1. Stealing banking credentials
  2. Installing trojans and infostealers
  3. Deploying Cobalt Strike beacons for ransomware attacks

"Visiting this WordPress site (surprise!), I found a form for uploading a PDF to convert it to a .DOCX file inside a .zip," explained a cybersecurity researcher.

Instead of receiving a legitimate document, users were given a JavaScript file that delivered Gootloader, which is often used in ransomware attacks by groups like REvil and BlackSuit.

To stay safe:

  • Avoid unknown document conversion sites. Stick to well-known, reputable services.
  • Verify file types before opening. If a downloaded file is an .exe or .JS instead of the expected document format, it is likely malware.
  • Check reviews before using any online converter. If a site has no reviews or looks suspicious, steer clear.
  • Report suspicious sites to authorities. Victims can file reports at IC3.gov.

While not all file converters are malicious, thorough research and caution are crucial to staying safe online.
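
The file-type check from the advice above, as an added example (not code from the FBI advisory or the researchers quoted): it classifies a download by its leading bytes rather than its name and looks inside .zip wrappers, which is how the Gootloader .js file described above was delivered. The function names, the extension list and the sample files are constructed for illustration.

```python
import io
import os
import zipfile

# Extensions a document converter has no reason to hand back (assumed list).
RISKY_EXT = {".exe", ".scr", ".dll", ".msi", ".js", ".jse", ".vbs",
             ".wsf", ".hta", ".bat", ".cmd", ".ps1", ".lnk"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # do not unpack oversized archive members
MAX_DEPTH = 2                         # how many archive layers to open


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the filename."""
    if data[:2] == b"MZ":
        return "exe"                  # DOS/PE executable header
    if data[:5] == b"%PDF-":
        return "pdf"
    if data[:4] == b"PK\x03\x04":     # ZIP local file header
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        # A .docx is a ZIP container holding these two parts.
        if {"[Content_Types].xml", "word/document.xml"} <= names:
            return "docx"
        return "zip"
    return "unknown"


def inspect_download(filename: str, data: bytes, expected: str, depth: int = 0) -> list:
    """Return findings; an empty list means the content matches `expected`."""
    findings = []
    suffix = os.path.splitext(filename)[1].lower()
    kind = sniff(data)
    if suffix in RISKY_EXT:
        findings.append(f"{filename}: script/executable extension {suffix}")
    if kind == "exe":
        findings.append(f"{filename}: content is a Windows executable (MZ header)")
    elif kind == "zip":
        if depth >= MAX_DEPTH:
            findings.append(f"{filename}: nested archive not inspected")
            return findings
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if member.is_dir():
                    continue
                inner = f"{filename}!{member.filename}"
                if member.file_size > MAX_MEMBER_BYTES:
                    findings.append(f"{inner}: too large to inspect")
                    continue
                findings += inspect_download(inner, zf.read(member), expected, depth + 1)
    elif kind != expected:
        findings.append(f"{filename}: content looks like {kind}, expected {expected}")
    return findings


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (used only for the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a minimal .docx container, the same file wrapped in a
# .zip, a .zip that holds a script instead, and an executable named like a PDF.
DOCX = make_zip({"[Content_Types].xml": b"<Types/>",
                 "word/document.xml": b"<w:document/>"})
WRAPPED_DOCX = make_zip({"report.docx": DOCX})
WRAPPED_JS = make_zip({"report_converted.js": b"// constructed placeholder text\n"})
FAKE_EXE = b"MZ" + b"\x00" * 62

if __name__ == "__main__":
    for name, blob, want in [("report.docx", DOCX, "docx"),
                             ("report.zip", WRAPPED_DOCX, "docx"),
                             ("report.zip", WRAPPED_JS, "docx"),
                             ("report.pdf", FAKE_EXE, "pdf")]:
        print(name, inspect_download(name, blob, want) or "OK")
```

An empty result only means the container and extension match what was requested; it says nothing about macros or other content inside a genuine document.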

Betruger Backdoor Linked to RansomHub Ransomware Attacks on Critical Infrastructure

 

A newly discovered backdoor malware, dubbed Betruger, has been identified in multiple recent ransomware attacks. Researchers at Symantec believe at least one affiliate of the RansomHub ransomware-as-a-service (RaaS) operation is using this sophisticated tool to facilitate cyber intrusions. 

Unlike many conventional malware strains, Betruger functions as a multi-purpose backdoor designed to prepare networks for ransomware deployment while minimizing the need for additional malicious software. Betruger comes equipped with several advanced features commonly associated with pre-ransomware attack stages. These include keylogging, network scanning, privilege escalation, credential theft, screenshot capture, and the ability to upload files to a command-and-control (C2) server. 

Its design suggests that attackers are looking to streamline their intrusion process, reducing reliance on multiple external tools and instead using a single, custom-built malware to execute various attack functions. This approach is relatively rare, as ransomware operators typically rely on widely available tools such as Mimikatz and Cobalt Strike to conduct their attacks. To avoid detection, cybercriminals are disguising Betruger under the filenames ‘mailer.exe’ and ‘turbomailer.exe,’ making it appear like a legitimate email-related application. 

While other ransomware groups have developed proprietary tools for data exfiltration, such as BlackMatter’s Exmatter and BlackByte’s Exbyte, Betruger appears to have a broader range of capabilities beyond just stealing data. The emergence of Betruger coincides with ongoing attacks by RansomHub, a ransomware operation that has been active since February 2024. Previously known as Cyclops and Knight, RansomHub has gained a reputation for focusing on extortion through data theft rather than encrypting victim files. 

Over the past year, the group has targeted several major organizations, including Halliburton, Christie’s, Frontier Communications, Rite Aid, and Kawasaki’s EU division. It was also responsible for leaking Change Healthcare’s stolen data after the BlackCat/ALPHV group’s $22 million exit scam. More recently, RansomHub claimed responsibility for breaching BayMark Health Services, a leading addiction treatment provider in North America. 

BayMark operates over 400 treatment centers across the U.S. and Canada, serving approximately 75,000 patients daily. The FBI has linked RansomHub affiliates to more than 200 ransomware attacks affecting various critical infrastructure sectors in the U.S., including government agencies, healthcare institutions, and other essential services. With the deployment of Betruger, the group’s operations appear to be evolving, indicating a continued threat to businesses and organizations worldwide.

Medusa Ransomware Attacks: CISA, FBI, and MS-ISAC Issue #StopRansomware Advisory

 

The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has issued a #StopRansomware advisory, warning organizations about the increasing threat of Medusa ransomware. 

Medusa, a ransomware-as-a-service (RaaS) variant, was first detected in 2021 and has since targeted over 300 victims across multiple critical infrastructure sectors. Industries such as healthcare, law, education, insurance, technology, and manufacturing have been particularly affected, highlighting the wide reach and severity of the ransomware’s impact. Medusa initially operated as a closed ransomware variant, meaning its developers had full control over its deployment and operations. 

Over time, it transitioned to an affiliate-based model, allowing external cybercriminals to use the ransomware while keeping certain aspects, such as ransom negotiations, under the control of the original developers. This shift has allowed Medusa to expand its reach, increasing its effectiveness as a cyber threat. Medusa demands ransoms ranging from $100,000 to as much as $15 million. 

Like many modern ransomware variants, it employs double extortion tactics—stealing sensitive data before encrypting victim networks. This strategy puts additional pressure on victims, as attackers can threaten to leak or sell stolen data if the ransom is not paid. Cybersecurity researchers from Symantec’s Threat Hunter team recently reported a rise in Medusa-related attacks over the past year. 

Medusa’s developers use initial access brokers (IABs) to gain entry into victim networks. These brokers operate within cybercriminal forums and marketplaces, selling access to compromised systems for amounts ranging from $100 to $1 million. Medusa affiliates rely on phishing campaigns and vulnerability exploitation to gain initial access, making it crucial for organizations to bolster their email security and patch known vulnerabilities. Once inside a system, Medusa operators use “living-off-the-land” (LotL) techniques, leveraging legitimate system tools to evade detection while conducting reconnaissance, data theft, and lateral movement.

Given Medusa’s evolving tactics, cybersecurity experts stress the importance of proactive defense measures. Organizations should deploy security patches, implement network segmentation, and restrict access to critical services from untrusted sources. Dan Lattimer, area vice president for Semperis in the UK and Ireland, emphasized the need for an “assumed breach” mindset, urging companies to shift from a prevention-focused approach to rapid detection, response, and recovery. 

As ransomware attacks grow more sophisticated, organizations must remain vigilant, continuously updating their cybersecurity strategies to mitigate risks and strengthen their defenses against threats like Medusa.

Turning The Screws: Pressure Techniques Used by Ransomware Outfits

 

Over the past ten years, ransomware attacks have increased in frequency and sophistication. While exploits like social engineering and unpatched software may help with an initial breach, it's the coercive tactics that force victims to make rash and emotionally charged decisions, like paying the ransom. 

Below are three of the most common tactics used by ransomware perpetrators to persuade victims into complying with their extortion demands.

1. Fear and humiliation 

Fear is a potent emotion that threat actors use. When a victim's documents are encrypted, the message is usually clear: pay the ransom or lose your data forever. In addition to the fear of data loss, cybercriminals use the threat of humiliation to demand ransom in order to prevent the disclosure of sensitive information such as company files, financial data, or personal images. 

Cybercriminals sometimes go one step further by threatening legal action, especially in highly regulated sectors like healthcare or finance: Pay the ransom, or we'll denounce you to the authorities. Due to the increased pressure, victims are compelled to take action out of fear about possible legal action. 

2. Deadlines and ultimatums

Most ransomware demands include a tight deadline to intensify the pressure. Attackers usually give victims a deadline, like 48 hours, to comply, frequently along with a clear warning of the repercussions. Some ransomware programs show a countdown meter, which acts as a continual reminder that time is running out, to further exacerbate panic. Attackers may raise the stakes, such as making some of the stolen material publicly available, or double the ransom if the deadline is missed.

3. False hope and fake assurances 

False promises are another tactic used by ransomware operators to trick victims into believing there is a possible solution. This hope, however, merely coerces victims into complying. Attackers may offer a trial decryption tool to "prove" their solution works, a discount for speedy payment, or an extension on the payment deadline, all tactics intended to strengthen the notion that paying the ransom would result in a complete recovery.

In reality, just 4% of individuals who pay are able to restore all their data. Furthermore, criminals frequently say that if the ransom is paid, the stolen data will be completely destroyed and the victim will be left alone. However, 78% of victims who pay report recurring attacks, proving that these assurances are nothing more than intentional deception. 

Mitigation tips 

The following are some best practices that can help organisations in handling these pressure tactics: 

Preparedness: Ransomware attacks can happen to anyone. Employers must provide clear instructions and techniques for their employees to follow, as well as teach them how to respond and report in stressful situations while remaining calm and composed.

Avoiding impulsiveness: Avoid making decisions primarily based on emotional factors such as anxiousness or desperation. Evaluate all available information and investigate possible solutions and alternatives.

Not making a payment right away: Don't ever give in to the urge to pay. Speak with law enforcement, cybersecurity experts, and skilled ransomware negotiators, or get advice from cyber insurance companies. Investigate backups and other recovery options. Online decryptors may even be accessible for some ransomware strains.

Cyberattacks on Single Points of Failure Are Driving Major Industry Disruptions


Cybercriminals are increasingly targeting single points of failure within companies, causing widespread disruptions across industries. According to cybersecurity firm Resilience, attackers have shifted their focus toward exploiting key vulnerabilities in highly interconnected organizations, triggering a “cascading effect of disruption and chaos downstream.” This strategy allows cybercriminals to maximize the impact of their attacks, affecting not just the initial target but also its partners, clients, and entire industries. 


The financial consequences of these attacks have been severe. According to IBM research, the global average cost of a data breach in 2024 was nearly $4.9 million. However, some breaches were far more expensive. One of the most significant incidents involved a ransomware attack on Change Healthcare, a subsidiary of UnitedHealth that processes billions of medical claims annually. UnitedHealth reported that the attack cost the company $3.1 billion in response efforts, making it one of the most financially damaging cyber incidents in recent history. 

The attack caused major disruptions across the healthcare sector, impacting hospitals, insurance providers, and pharmacies. John Riggi, national cybersecurity advisor for the American Hospital Association, described the incident as “the most significant and consequential cyberattack in the history of U.S. health care.” Another major ransomware attack targeted CDK Global, a software provider for car dealerships across the U.S. The breach resulted in over $1 billion in collective losses for affected dealerships, according to estimates from Anderson Economic Group. 

This attack further demonstrated how cybercriminals can cripple entire industries by targeting critical service providers that businesses rely on for daily operations. Resilience’s analysis indicates that third-party risk has become a dominant driver of cyber insurance claims. In 2024, third-party breaches accounted for 31% of all claims filed by its clients. While the number was slightly higher in 2023 at 37%, none of those incidents resulted in material financial losses. The report also found that ransomware targeting vendors has become a significant concern, contributing to 18% of all incurred claims.  

Ransomware remained the top cause of financial loss in cyber incidents last year, responsible for 62% of claims involving monetary damages. However, Resilience’s research suggests that while ransomware remains a major threat, its frequency may be declining in broader markets. This trend is attributed to cybercriminals shifting their focus from random, large-scale attacks to more strategic operations against high-value targets that offer larger payouts. 

The evolving threat landscape underscores the need for organizations to strengthen cybersecurity measures, particularly in highly interconnected industries. With cyberattacks becoming more sophisticated and financially motivated, businesses must prioritize risk management, enhance third-party security assessments, and invest in cyber resilience to prevent large-scale disruptions.

Ransomware Payments Plummet in 2024 Despite Surge in Cyberattacks

 

The past year witnessed a series of devastating ransomware attacks that disrupted critical sectors. Cyber extortion groups targeted Change Healthcare, crippling hundreds of US pharmacies and clinics, exploited security loopholes in Snowflake's customer accounts to infiltrate high-profile targets, and secured a record-breaking $75 million from a single victim.

Despite these high-profile incidents, data reveals an unexpected trend: overall ransomware payments declined in 2024, with the second half of the year experiencing the steepest drop ever recorded. A report by cryptocurrency analytics firm Chainalysis shows that ransomware payments totaled $814 million in 2024, marking a 35% decrease from the record $1.25 billion paid in 2023. The decline became more pronounced between July and December, when hackers collected only $321 million, compared to $492 million in the first half of the year—representing the largest six-month reduction in ransomware payments observed by Chainalysis.

“The drastic reversal of the trends we were seeing in the first half of the year to the second was quite surprising,” says Jackie Burns Koven, head of cyber threat intelligence at Chainalysis. She attributes this shift to law enforcement takedowns and disruptions, some of which had delayed effects as organizations grappled with major breaches.

Significant law enforcement actions in late 2023 and early 2024 targeted major ransomware groups. Just before Christmas in 2023, the FBI exploited vulnerabilities in BlackCat (AlphV)'s encryption software, distributed decryption keys to victims, and dismantled the group’s dark-web infrastructure. In February 2024, the UK's National Crime Agency (NCA) struck a major blow against Lockbit, seizing its cryptocurrency wallets and exposing its cybercriminal network.

Initially, both groups appeared to recover. AlphV orchestrated a major attack on Change Healthcare, disrupting payments at US pharmacies and extorting $22 million. Lockbit quickly reestablished its operations through a new dark-web platform. However, law enforcement actions had deeper consequences than initially apparent. AlphV executed an “exit scam,” disappearing with the ransom and leaving its hacker affiliates empty-handed. Lockbit’s operations also diminished following the NCA’s crackdown, with distrust growing in cybercriminal circles after authorities identified its alleged leader, Dmitry Khoroshev. In May 2024, the US Treasury imposed sanctions on Khoroshev, complicating ransom payments to the group.

New Ransomware Gangs Struggle to Match Predecessors

While emerging ransomware groups attempted to fill the void left by these takedowns, many lacked the sophistication to target high-value victims. “Their talent is not quite as robust as their predecessors,” notes Burns Koven. As a result, ransom demands shrank, often amounting to tens of thousands rather than millions of dollars.

Although 2024 saw an increase in ransomware attacks—4,634 incidents compared to 4,400 in 2023—lower ransom payouts suggest that newer cybercriminals prioritized volume over impact. “What we're seeing in terms of payments is a reflection of newer threat actors being attracted by the amount of money that they see you can make in ransomware, trying to get into the game and not being very good at it,” says Allan Liska, a threat intelligence analyst at Recorded Future.

Stronger Cyber Defenses and Cryptocurrency Regulations

Beyond law enforcement interventions, the decline in payments is also linked to heightened awareness and improved cybersecurity measures. Governments and institutions have implemented stronger ransomware response strategies, while increased cryptocurrency regulation and crackdowns on illicit financial channels have complicated ransomware payments. Authorities have particularly targeted crypto mixers, tools used by cybercriminals to anonymize transactions.

Despite the downward trend in payments, historical data suggests that ransomware remains cyclical. In 2022, total payments fell to $655 million, down from $1.07 billion in 2021, only to surge again in 2023 to $1.25 billion. Experts caution against interpreting short-term declines as long-term victories. “If the baddies had a couple of brilliant quarters, a dip will follow, same as if the goodies had some good quarters,” says Brett Callow, managing director at FTI Consulting. “That’s why we really need to analyze trends over a longer period.”

Additionally, the true scale of ransomware payments remains difficult to quantify, as cybercriminals often inflate their success and many victims choose not to report attacks due to stigma or regulatory concerns.

Chainalysis researchers emphasize that the decline in ransomware payments should not be mistaken for a lasting solution. “We're still standing in the rubble, right? We can't go tell everyone, everything's great, we solved ransomware—they’re continuing to go after schools, after hospitals and critical infrastructure,” says Burns Koven. However, the data does serve as an important indicator that sustained investment in ransomware defense is yielding results.

Ransomware Payments Drop 35% in 2024 Amid Increased Resistance and Law Enforcement Crackdowns

 

Ransomware payments saw a significant decline in 2024, dropping 35% year-over-year to $813.55 million from the $1.25 billion recorded in 2023. Additionally, only about 30% of victims engaged in ransom negotiations proceeded with payments.

These insights, reported by blockchain intelligence firm Chainalysis, highlight a downward trend despite 2024 being a record-breaking year for ransomware attacks. A notable incident involved a Fortune 50 company paying $75 million to the Dark Angels ransomware group—the largest known payout of the year. Meanwhile, cybersecurity firm NCC Group recorded 5,263 successful ransomware breaches in 2024, marking the highest-ever attack volume.

Despite the increase in attacks, ransomware actors are facing difficulties in extorting payments. Chainalysis noted a surge in disclosures on data leak sites, indicating that cybercriminals are resorting to increased exposure tactics to pressure victims. However, a growing number of organizations are resisting ransom demands.

This shift is driven by heightened cybersecurity awareness, improved protective measures, and a realization that attackers’ promises to delete stolen data are often unreliable. Legal scrutiny has also played a role, pushing companies to forgo negotiations, instead opting to restore systems from backups while mitigating reputational risks.

Another critical factor behind the payment decline is the impact of law enforcement operations. In 2024, global agencies targeted ransomware groups, with ‘Operation Cronos’ taking down LockBit, one of the most prolific gangs. Additionally, the collapse of ALPHV/BlackCat created instability, leaving smaller groups unable to dominate the space, despite RansomHub’s attempts.

Chainalysis data indicates that even when ransoms were paid, they were often significantly reduced through negotiations. Cybercriminals are also facing increasing difficulties laundering their illicit earnings. Crackdowns on cryptocurrency mixers and non-compliant exchanges have forced ransomware actors to shift to alternative methods, such as cross-chain bridges, to obscure transactions.

Centralized exchanges remained the primary cash-out method in 2024, handling 39% of all ransomware proceeds. However, an increasing number of affiliates are now opting to hold funds in personal wallets, wary of law enforcement tracking and potential arrests.

Despite the surge in ransomware activity, victims are becoming more resistant, and law enforcement is tightening its grip, signaling a potential long-term shift in the cybersecurity landscape.

Fake IT Support Used by Ransomware Gangs in Microsoft Teams Breaches

 


The Sophos security team has identified two ransomware campaigns that are using Microsoft Teams to steal data from organizations, and the crooks may be allied with Black Basta and FIN7. Through its Managed Detection and Response (MDR) service, Sophos X-Ops is responding to incidents related to two different groups of threat actors. In each case, the attackers gained access to targeted organizations through the Microsoft Office 365 platform in order to steal data and deploy ransomware.

Sophos MDR investigated these two separate clusters of activity in November and December 2024 following customer reports, and tracks them as STAC5143 and STAC5777. Both groups are using Microsoft Office 365 services, including Teams and Outlook, to gain access to victim organizations, according to Sophos, which has observed over 15 incidents in just the past two weeks, the majority of which took place between November and December 2024.

According to Sophos, the attackers took advantage of a default Microsoft Teams configuration that allows users from external domains to initiate chats or meetings with internal users. The threat actors use Microsoft Teams to pose as tech support personnel and gain initial access to victim organizations, with the goal of stealing data and deploying ransomware, according to a report released on Tuesday by Sophos that examined the ongoing campaigns tied to these two threats.

STAC5143 first came to the attention of the Sophos team in November of last year, when a customer received over 3,000 spam emails in 45 minutes. Shortly thereafter, the customer received a Microsoft Teams call from outside the organization, from a bogus "Help Desk Manager" account, and was instructed to allow a remote screen control session through Microsoft Teams to resolve the issue.

As it turned out, the attacker used this access to open a command shell, drop files on the victim's computer and infect it with malware. The attacker downloaded a Java archive (JAR) file (MailQueue-Handler.jar), as well as Python scripts (RPivot backdoor). Once the attackers have established a command-and-control channel with their target, they use the target's credentials to disable multifactor authentication and antivirus protections.

They then connect to other computers in the network and move laterally to compromise additional computers and systems. The Java code also performed some reconnaissance, mostly scoping out the user's account name and local network, before extracting and running the payload from the snow.zip archive, which contained a Python-based backdoor that could be used to control the Windows computer remotely.

The Python code included a lambda function to obfuscate the malware, which matched Python malware loaders previously spotted as part of the FIN7 malware campaign. Two other Python pieces were extracted as part of the malware, including copies of the publicly available reverse SOCKS proxy RPivot, which FIN7 had used in its earlier attacks.

The STAC5777 attacks likewise started with large volumes of spam email sent to targeted organizations, followed by Teams messages claiming to be from the organization's IT department and asking to be contacted to stop the spam. CyberScoop spoke to Sean Gallagher, Sophos's principal threat researcher and the study's lead author.

Gallagher explained that his team had observed these tactics used against multiple individuals and at least 15 organizations, and that most of the attempts were blocked before the targeted device was compromised. Posing as a technical support representative is a well-known social engineering method used by malicious hackers to compromise large, multinational companies.

Cybercriminal groups such as Lapsus$ have used this scheme for several years to compromise large, multinational corporations. In these campaigns, however, it is mainly smaller organizations that have been targeted through Office 365 and Teams, which illustrates how threat groups have increasingly capitalized on the rush by small and mid-sized businesses to adopt cloud computing and digitization, especially after the COVID-19 pandemic.

A significant portion of these small organizations were left vulnerable because they were using unfamiliar software like Microsoft Office 365, Teams, and Azure for the first time. The malware, winhttp.dll, is sideloaded into a legitimate OneDriveStandaloneUpdater.exe process, which is then relaunched by a PowerShell command when Windows starts up. Through the Windows API, the malicious DLL logs the user's keystrokes, gathers credential information from files and the registry, and scans the network for potential pivot points via SMB, RDP, and WinRM.
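
One way to hunt for the sideloading described above, as an added example (not Sophos's detection logic): it scans Sysmon-style image-load records (Event ID 7) for a winhttp.dll loaded from outside the Windows system directories. The event records, host names and paths are constructed, and the trusted-directory list assumes Windows is installed in C:\Windows.

```python
import ntpath  # Windows path rules, usable on any analysis host

WATCHED_DLLS = {"winhttp.dll"}                      # DLL name given in the report
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
TRUSTED_PREFIX = "c:\\windows\\winsxs\\"            # side-by-side component store
HOST_FROM_REPORT = "onedrivestandaloneupdater.exe"  # process named in the report


def is_trusted_location(dll_path: str) -> bool:
    """True when the DLL sits in a Windows system directory (assumes C:\\Windows)."""
    folder = ntpath.normcase(ntpath.dirname(ntpath.normpath(dll_path)))
    return folder in TRUSTED_DIRS or (folder + "\\").startswith(TRUSTED_PREFIX)


def find_sideloads(events: list) -> list:
    """Return image-load events where a watched system DLL name was loaded
    from a directory that Windows does not own."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:                  # 7 = Sysmon "Image loaded"
            continue
        loaded = ev.get("ImageLoaded", "")
        if ntpath.basename(loaded).lower() not in WATCHED_DLLS:
            continue
        if is_trusted_location(loaded):
            continue
        process = ntpath.basename(ev.get("Image", "")).lower()
        hits.append({
            "computer": ev.get("Computer"),
            "process": ev.get("Image"),
            "dll": loaded,
            "signed": ev.get("Signed") == "true",   # Sysmon logs this as a string
            "matches_report": process == HOST_FROM_REPORT,
        })
    return hits


# Constructed sample events (field names follow Sysmon Event ID 7).
ONEDRIVE_DIR = r"C:\Users\alice\AppData\Local\Microsoft\OneDrive"
SAMPLE_EVENTS = [
    {"EventID": 7, "Computer": "WS-014",
     "Image": ONEDRIVE_DIR + r"\OneDriveStandaloneUpdater.exe",
     "ImageLoaded": r"C:\Windows\System32\winhttp.dll", "Signed": "true"},
    {"EventID": 7, "Computer": "WS-022",
     "Image": ONEDRIVE_DIR + r"\OneDriveStandaloneUpdater.exe",
     "ImageLoaded": ONEDRIVE_DIR + r"\winhttp.dll", "Signed": "false"},
    {"EventID": 7, "Computer": "WS-022",
     "Image": r"C:\Program Files\Example\app.exe",
     "ImageLoaded": r"C:\Program Files\Example\helper.dll", "Signed": "true"},
    {"EventID": 1, "Computer": "WS-022",            # process creation, ignored
     "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(hit)
```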

Once a C2 connection has been established, the OneDriveStandaloneUpdater.exe process is started and a check is performed to see if there are any Remote Desktop Protocol hosts or Windows Remote Management hosts that can be accessed with stolen credentials. It appears that the attackers then attempted to move laterally to other hosts to continue their attack. 

In one case, the attackers used the backdoor to uninstall local multifactor authentication integration on a compromised device, and Sophos also found that the attackers had been hoovering up local files whose names contained the word "password". In one instance, STAC5777 tried to infect the machine with the Black Basta ransomware, although Sophos said its security protections blocked it from infecting the machine.

According to the researchers, the threat actor accessed Notepad and Word files that have the word "password" in them. The attackers also accessed two Remote Desktop Protocol files, likely searching for credentials. As these tactics become more prevalent in the ransomware space, organizations should consider preventing external domains from initiating messages and calls on Microsoft Teams and disabling Quick Assist in critical environments.