SophosLabs analysts investigated WantToCry ransomware attacks that involved the threat actors abusing the Server Message Block (SMB) service for initial access and then exfiltrating files to attacker-controlled infrastructure for remote encryption. The detection surface is significantly reduced because WantToCry operates without local malware execution, and there is no post-compromise activity beyond exfiltrating files and rewriting them to disk.
Read more…
Source: SophosLabs
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Exposed Docker Server Abused to Drop Cryptominer, DDoS Bot
September 8, 2020
Malicious actors continue to target environments running Docker containers. We recently encountered an attack that drops both a malicious cryptocurrency miner and a distributed denial-of-service (DDoS) bot on a Docker container built using Alpine Linux as its base image. A similar attack was also reported by Trend Micro in May; in that previous attack, threat ...
- Chilean bank shuts down all branches following ransomware attack
September 7, 2020
BancoEstado, one of Chile’s three biggest banks, was forced to shut down all branches on Monday following a ransomware attack that took place over the weekend. “Our branches will not be operational and will remain closed today,” the bank said in a statement published on its Twitter account on Monday. Details about the attack have not been ...
- France warns of Emotet attacking companies, administration
September 7, 2020
The French national cyber-security agency today published an alert warning of a surge in Emotet attacks targeting the private sector and public administration entities throughout the country. French public administration has three sub-sectors: central public administrations (APUC), local government (LUFA), and social security administrations (ASSO). Emotet, originally a run-of-the-mill banking Trojan first spotted in 2014, is now ...
- Ransomware attack halts Argentinian border crossing for four hours
September 6, 2020
Argentina’s official immigration agency, Dirección Nacional de Migraciones, suffered a Netwalker ransomware attack that temporarily halted border crossing into and out of the country. While ransomware attacks against cities and local agencies have become all too common, this may be a first known attack against a federal agency that has interrupted a country’s operations. According to a ...
- FBI issues second alert about ProLock ransomware stealing data
September 4, 2020
The FBI issued a second warning this week to alert US companies of ProLock ransomware operators stealing data from compromised networks before encrypting their victims’ systems. The 20200901-001 Private Industry Notification seen by BleepingComputer on September 1st comes after the MI-000125-MW Flash Alert on the same subject issued by the FBI four months ago, on May ...
- Thanos Ransomware: Destructive Variant Targeting State-Run Organizations in the Middle East and North Africa
September 4, 2020
On July 6 and July 9, 2020, we observed files associated with an attack on two state-run organizations in the Middle East and North Africa that ultimately installed and ran a variant of the Thanos ransomware. The Thanos variant created a text file that displayed a ransom message requesting the victim transfer “20,000$” into a ...