SophosLabs analysts investigated WantToCry ransomware attacks that involved the threat actors abusing the Server Message Block (SMB) service for initial access and then exfiltrating files to attacker-controlled infrastructure for remote encryption. The detection surface is significantly reduced because WantToCry operates without local malware execution, and there is no post-compromise activity beyond exfiltrating files and rewriting them to disk.
Read more…
Source: SophosLabs
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Hackers abuse Windows error reporting tool to deploy malware
January 4, 2023
Hackers are abusing the Windows Problem Reporting (WerFault.exe) error reporting tool for Windows to load malware into a compromised system’s memory using a DLL sideloading technique. The use of this Windows executable is to stealthy infect devices without raising any alarms on the breached system by launching the malware through a legitimate Windows executable. The new campaign ...
- Rackspace confirms Play ransomware was behind recent cyberattack
January 4, 2023
Texas-based cloud computing provider Rackspace has confirmed that the Play ransomware operation was behind a recent cyberattack that took down the company’s hosted Microsoft Exchange environments. This follows a report last month by cybersecurity firm Crowdstrike, which detailed a new exploit used by the ransomware group to compromise Microsoft Exchange servers and gain access to a ...
- Cyber attack leaves six North Carolina counties locked out of their online records
December 30, 2022
They’re responsible for keeping and protecting your most important records, but Thursday, a company that works with local governments across North Carolina has been paralyzed by a cyber attack with no end in sight. Cott Systems said they work with 300 local offices in 21 states, but right now that work is on hold and local ...
- LockBit ransomware claims attack on Port of Lisbon in Portugal
December 30, 2022
A cyberattack hitting the Port of Lisbon Administration (APL), the third-largest port in Portugal, on Christmas day, has been claimed by the LockBit ransomware gang. The Port of Lisbon is part of the critical infrastructure in Portugal’s capital city, being one of the most accessed ports in Europe, due to its strategic location, and serving container ...
- Canadian mining firm shuts down mill after ransomware attack
December 30, 2022
The Canadian Copper Mountain Mining Corporation (CMMC) in British Columbia has announced that it was the target of a ransomware attack that impacted its operations. CMMC, partly owned by Mitsubishi Materials Corporation, is an 18,000-acre claim that produces an average of 100 million pounds of copper per year and has an estimated mineral reserve capacity for ...
- CISA Adds Two Known Exploited Vulnerabilities to Catalog
December 29, 2022
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view the newly added vulnerabilities in the catalog, click on the arrow in the “Date Added ...