Cybersecurity researchers at Sophos were brought in to investigate after Cobalt Strike was detected on a company's network.
ZDNet reported in May that Cobalt Strike is being weaponized in malware campaigns: the cybersecurity tool is now being used by threat actors as well.
In May the Ransomware Task Force issued a report with recommendations on the increasing number of ransomware attacks in the U.S.
Cobalt Strike used in attempted malware infection
The company that experienced the threat has chosen to remain anonymous, but it has allowed the details of the investigation to be released in the hope that other businesses and organizations can learn how to avoid similar attacks.
Cobalt Strike is primarily used by cybercriminals because it partially runs in memory, which makes it hard to detect on a network, and that was the case here. What appeared to be legitimate remote access software was being remotely installed on 130 endpoints of the business network.
The ransomware gang was behind that remote desktop software, and it was the foundation for the attack. Their next step would have been to encrypt the entire network with REvil ransomware.