this post was submitted on 26 Nov 2024
5 points (85.7% liked)

cybersecurity

3299 readers
74 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Enjoy!

founded 1 year ago
MODERATORS
 

Introduction

In a recent incident response case, we dealt with a variant of the Mimic ransomware with some interesting customization features. The attackers were able to connect via RDP to the victim’s server after a successful brute force attack and then launch the ransomware. After that, the adversary was able to elevate their privileges by exploiting the CVE-2020-1472 vulnerability (Zerologon).

The identified variant abuses the Everything library and provides an easy-to-use GUI for the attacker to customize the operations performed by the malware. It also has features for disabling security mechanisms and running system commands.

This ransomware variant is named “Elpaco” and contains files with extensions under the same name. In this post, we provide details about Elpaco, besides already shared, as well the tactics, techniques and procedures (TTPs) employed by the attackers.

no comments (yet)
sorted by: hot top controversial new old
there doesn't seem to be anything here