In a recent incident response case, Kaspersky dealt with a variant of the Mimic ransomware with some interesting customization features.
The attackers were able to connect via RDP to the victim’s server after a successful brute force attack and then launch the ransomware. After that, the adversary was able to elevate their privileges by exploiting the CVE-2020-1472 vulnerability (Zerologon). The identified variant abuses the Everything library and provides an easy-to-use GUI for the attacker to customize the operations performed by the malware. It also has features for disabling security mechanisms and running system commands. This ransomware variant is named “Elpaco” and contains files with extensions under the same name. In this post, Kaspersky researchers provide details about Elpaco, besides already shared, as well the tactics, techniques and procedures (TTPs) employed by the attackers.
Read more…
Source: Kaspersky
Related:
- NSA Advocates Data Sharing Framework
June 23, 2017
The economics of cybersecurity are skewed in favor of attackers, who invest once and can launch thousands of attacks with a piece of malware or exploit kit. That’s why Neal Ziring, technical director for the NSA’s Capabilities Directorate, wants to flip the financial equation on bad guys. “We need to conduct defenses in a way that ...

