jaetrak.blogg.se

How to destroy crypto locker

Ransomware is growing exponentially, across geographies and industries. Being targeted by ransomware is becoming a "when" and not an "if" threat for most organizations. We have detected many known variants including CryptoLocker, WannaCry, Petya, Locky, and more with industry-leading accuracy. Our research team, ProLion Labs, is continuously studying new attacks and testing them against our detection methodologies to keep our customers always-on. For example, take into consideration our understanding of the Petya attack, a highly effective malware that affected many central file servers and critical data.

Petya: multiple lateral movement techniques

The Petya attack leverages lateral movement capabilities and only takes a single infected machine to affect a network. The ransomware spreading functionality is composed of multiple methods responsible for:

- stealing credentials or re-using existing active sessions
- using file shares to transfer the malicious file across machines on the same network
- using existing legitimate functionalities to execute the payload, or abusing SMB vulnerabilities on unpatched machines

Because users frequently log in using accounts with local admin privileges and have active sessions open across multiple machines, stolen credentials are likely to provide the same level of access the user has on other machines.

In addition to credential dumping, the malware also tries to steal credentials by using the CredEnumerateW function to get all the other user credentials potentially stored in the credential store. Once the ransomware has valid credentials, it scans the local network to establish valid connections on ports tcp/139 and tcp/445. A special behavior is reserved for Domain Controllers or servers: there the ransomware attempts to call DhcpEnumSubnets() to enumerate DHCP subnets and, for each subnet, gathers all hosts/clients (using DhcpEnumSubnetClients()) to scan them for tcp/139 and tcp/445 services. If it gets a response, the malware attempts to copy a binary to the remote machine using regular file-transfer functionality with the stolen credentials. It then scans the local network for admin$ shares, copies itself across the network, and executes the newly copied malware binary remotely using PSEXEC.
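The scanning step described above (one freshly compromised host reaching many neighbours on tcp/139 and tcp/445 in a few seconds) leaves a distinctive fan-out pattern in network flow records. As an added example, not code from the original post or from ProLion's products, the following Python sliding-window detector flags any source that touches many distinct SMB/NetBIOS destinations within a short window; all addresses, timestamps and thresholds are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not from the original post): "<ISO time> <src> <dst> <dport>".
SAMPLE_FLOWS = """\
2017-06-27T10:00:01 10.0.1.20 10.0.1.5 445
2017-06-27T10:00:05 10.0.1.21 10.0.1.5 445
2017-06-27T10:00:09 10.0.1.20 10.0.1.6 139
2017-06-27T10:01:00 10.0.1.50 10.0.1.1 445
2017-06-27T10:01:01 10.0.1.50 10.0.1.2 445
2017-06-27T10:01:01 10.0.1.50 10.0.1.3 139
2017-06-27T10:01:02 10.0.1.50 10.0.1.4 445
2017-06-27T10:01:02 10.0.1.50 10.0.1.5 80
2017-06-27T10:01:03 10.0.1.50 10.0.1.6 445
2017-06-27T10:01:03 10.0.1.50 10.0.1.7 139
2017-06-27T10:05:00 10.0.1.22 10.0.1.5 445
"""

SMB_PORTS = {139, 445}  # NetBIOS session service and SMB over TCP

def parse_flows(text):
    """Yield (time, src, dst) for flows to tcp/139 or tcp/445; other ports are ignored."""
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        if int(port) in SMB_PORTS:
            yield datetime.fromisoformat(ts), src, dst

def find_smb_fanout(text, min_hosts=5, window=timedelta(seconds=60)):
    """Return {src: max distinct SMB destinations seen within `window`} for every
    source that touched at least `min_hosts` distinct hosts in one window."""
    per_src = defaultdict(list)
    for ts, src, dst in parse_flows(text):
        per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in events[start:end + 1]}))
        if best >= min_hosts:
            alerts[src] = best
    return alerts

if __name__ == "__main__":
    print(find_smb_fanout(SAMPLE_FLOWS))  # {'10.0.1.50': 6}
```

Ordinary clients that open one or two file-server connections (10.0.1.20 to 10.0.1.22 in the sample) stay below the threshold, while the worm-like host 10.0.1.50 reaching six distinct hosts in three seconds is reported; tune `min_hosts` and `window` to the normal SMB fan-out of the environment.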
