Cobalt Strike used in ransomware attack prevented by cybersecurity researchers


Cybersecurity researchers at Sophos were brought in to investigate after Cobalt Strike was detected on a company's network.

ZDNet reported in May that Cobalt Strike is being weaponized in malware campaigns. The tool was built for legitimate penetration testing and red teaming, but threat actors now use it as well.

In May the Ransomware Task Force issued a report with recommendations on the increasing number of ransomware attacks in the U.S.


Cobalt Strike used in attempted malware infection

The company that experienced the attack chose to remain anonymous, but it allowed the details of the investigation to be released in the hope that other businesses and organizations can learn how to avoid similar attacks.

Cybercriminals favor Cobalt Strike because its payload runs largely in memory, which makes it hard to detect on a network. And that was the case here. What looked like legitimate remote access software was being remotely installed on 130 endpoints of the business network.

It was the ransomware gang that had installed the remote desktop software, as the foothold for the rest of the attack. Their next step would have been to encrypt the entire network with REvil ransomware.

REvil ransomware was used in another incident investigated by Sophos. It was successfully deployed against JBS, which paid $11 million for the decryption key.

The ransomware gang did manage to encrypt data on some of the unprotected devices. They also deleted online backups once they noticed that investigators were working on the case.

A REvil ransom note was left on one of the few encrypted devices. The cybercriminals demanded $2.5 million in bitcoin for a decryption key.

In this case, no ransom was paid. The company had already discovered the planted software, and the cybercriminals were stopped in their tracks when cybersecurity experts were called in.

Issues with Remote Access

The fact remains that the attackers gained enough control of the network to install software on over 100 machines. The company discovered the attack just in time, but it was close.

Paul Jacobs, the incident response lead at Sophos, explains why the targeted company didn't notice what was happening on its network sooner.

“As a result of the pandemic, it’s not unusual to find remote access applications installed on employee devices,” Jacobs explains.

“When we saw ScreenConnect on 130 endpoints, we assumed it was there intentionally, to support people working from home. It turned out the company knew nothing about it – the attackers had installed the software to ensure they could maintain access to the network and compromised devices.”

Once on the network, the gang set up remote access accounts and obtained admin privileges, which is what allowed them to deploy Cobalt Strike.

“From what we have seen in our investigations, there is a variety of methods used, most commonly it is users being phished often weeks or months earlier, then there is the exploitation over firewall and VPN vulnerabilities or brute-forcing RDP if it is exposed to the internet,” Sophos Rapid Response manager Peter Mackenzie told ZDNet.

Closely monitor your network

Sophos says there are steps every business needs to take to protect its network. The key is to close off the initial access paths into your systems.

“Firstly, ensure every single computer on your network has security software installed and managed centrally. Attackers love unprotected machines. Next, make sure they are getting patches regularly and remember if a computer hasn’t rebooted for a year, then it likely hasn’t applied any patches either,” said Mackenzie.
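The two warning signs described in this article, a remote-access tool present on 130 endpoints that nobody in IT had deployed, and machines with no managed security agent or no reboot (and so likely no patches) in a year, are all things a routine inventory sweep can surface before an attacker gets to the encryption stage. The Python script below is an added example written for this article, not Sophos's tooling or anything the anonymous company used. It triages a constructed CSV inventory export; the hostnames, software lists, agent states and boot dates are made up, and the column names are assumptions rather than any vendor's schema.

```python
"""
Triage an endpoint inventory for the warning signs discussed above:
  1. remote-access tools that IT never approved,
  2. hosts with no centrally managed security agent,
  3. hosts that have not rebooted (and so probably not patched) in a long time.
The CSV layout and column names are assumptions for this example only.
"""
import csv
import io
from datetime import datetime

# Remote-access products that are fine when IT rolls them out, but are a
# classic persistence layer when an attacker does. ScreenConnect is the one
# found on 130 endpoints in the case described in the article.
REMOTE_ACCESS_TOOLS = {"screenconnect", "anydesk", "teamviewer", "atera", "splashtop"}

# Constructed sample export (not real hosts). Columns are an assumption.
SAMPLE_INVENTORY = """hostname,installed_software,edr_agent,last_boot
ws-001,Microsoft Office;ScreenConnect;Chrome,Sophos Intercept X,2021-06-01
ws-002,Microsoft Office;ScreenConnect,Sophos Intercept X,2021-05-28
ws-003,Chrome;ScreenConnect,,2020-03-15
srv-fs01,SQL Server;TeamViewer,Sophos Intercept X,2020-04-02
srv-db01,SQL Server,Sophos Intercept X,2021-06-10
ws-004,Microsoft Office;AnyDesk,none,2021-06-05
"""
APPROVED = {"TeamViewer"}          # what IT says it actually deployed
NOW = datetime(2021, 6, 20)        # fixed "today" so the example is reproducible


def parse_inventory(text):
    """Parse the CSV export into a list of dicts, one per host."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows, approved_remote_tools, now, max_uptime_days=365):
    """Return (hostname, finding_kind, detail) tuples for every host that
    trips one of the three checks. A host can produce several findings."""
    approved = {t.lower() for t in approved_remote_tools}
    findings = []
    for row in rows:
        host = row["hostname"]
        installed = {s.strip().lower()
                     for s in row["installed_software"].split(";") if s.strip()}

        # 1. Remote-access software that IT did not sign off on.
        for tool in sorted((installed & REMOTE_ACCESS_TOOLS) - approved):
            findings.append((host, "unapproved_remote_access", tool))

        # 2. No security agent reporting in ("attackers love unprotected machines").
        if row["edr_agent"].strip().lower() in ("", "none", "no"):
            findings.append((host, "no_security_agent", ""))

        # 3. Long uptime: a box that has not rebooted has not applied patches.
        uptime_days = (now - datetime.fromisoformat(row["last_boot"])).days
        if uptime_days > max_uptime_days:
            findings.append((host, "stale_reboot", f"{uptime_days}d"))
    return findings


def widespread_tools(findings, threshold=10):
    """Count hosts per unapproved remote-access tool. The same tool on many
    hosts at once is either an undocumented IT rollout or an attacker's
    persistence layer; the only way to tell is to ask IT, not to assume."""
    hosts_by_tool = {}
    for host, kind, detail in findings:
        if kind == "unapproved_remote_access":
            hosts_by_tool.setdefault(detail, set()).add(host)
    return {tool: len(hosts) for tool, hosts in hosts_by_tool.items()
            if len(hosts) >= threshold}


if __name__ == "__main__":
    results = triage(parse_inventory(SAMPLE_INVENTORY), APPROVED, NOW)
    for host, kind, detail in results:
        print(f"{host:10} {kind:26} {detail}")
    print("widespread:", widespread_tools(results, threshold=3))
```

The threshold in `widespread_tools` is the point of the exercise: in the real incident the tool was on 130 endpoints, which looked like a deliberate deployment precisely because it was so widespread. Treating "many hosts" as a reason to escalate rather than a reason to relax is what turns this from an inventory report into a detection.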

It’s important to check constantly for suspicious activity on any network. A good cybersecurity team can detect and react quickly to any threat. In this ransomware attempt, the team spotted the use of Cobalt Strike before much damage was done.