FOLLOW US

Cybersecurity researchers at Sophos were brought in to investigate after Cobalt Strike was detected on its network.

It was reported in ZDNet in May that Cobalt Strike is being weaponized in malware campaigns. The cybersecurity tool is now being used by threat actors, as well.

In May the Ransomware Task Force issued a report with recommendations on the increasing number of ransomware attacks in the U.S.

Cobalt strike used in attempted malware infection 

The company that experienced the threat chooses to remain anonymous. But they have allowed the release of details of the investigation. They hope that other businesses and organizations can learn how to avoid similar attacks.

Cobalt Strike is primarily used by cybercriminals because it partially runs in-memory, which makes it hard to detect on a network. And that was the case here. It looked like legitimate access software was being remotely installed on 130 endpoints of the business network. 

The ransomware gang was responsible for the remote desktop software. This was the foundation for the ransomware attack. Their next step would have been to encrypt the entire network with REvil ransomware.

REvil ransomware that was used in another incident investigated by Sophos. It was successfully deployed against JBS who paid $11 million for the decryption key.

The ransomware gang managed to encrypt data on some of the unprotected devices. They also deleted online backups when they noticed the investigators were working on the case. 

A ransom note was left by REvil on one of the few encrypted devices. The cybercriminals wanted $2.5 million in bitcoin for a decryption key.  

Naturally, in this case, no ransom was paid. The company had already discovered the planted software. And the cybercriminals were stopped in their tracks when cybersecurity experts were called in. 

Issues with Remote Access

The fact remains that attackers managed to gain enough control of the network to install software on over 100 machines. The company did discover the attack just in time. But it was close.

Paul Jacobs, the incident response lead at Sophos explains why the targeted company didn't notice what was happening on their network sooner.

"As a result of the pandemic, it's not unusual to find remote access applications installed on employee devices," Jacobs explains.

"When we saw Screen Connect on 130 endpoints, we assumed it was there intentionally, to support people working from home. It turned out the company knew nothing about it – the attackers had installed the software to ensure they could maintain access to the network and compromised devices."