Disable symantec endpoint protection command line
Symantec’s Threat Hunter Team has additional technical information to share on the new ALPHV/BlackCat ransomware that was first published about last week, and which we have been tracking for several weeks. Symantec, a division of Broadcom Software, tracks this ransomware as Ransom.Noberus and our researchers first spotted it on a victim organization on November 18, 2021, with three variants of Noberus deployed by the attackers over the course of that attack. This would appear to show that this ransomware was active earlier than was previously reported, with MalwareHunterTeam having told BleepingComputer they first saw this ransomware on November 21.

Noberus is an interesting ransomware because it is coded in Rust; this is the first time we have seen a professional ransomware strain used in real-world attacks written in this programming language. Noberus appears to carry out the now-typical double extortion ransomware attacks, where the attackers first steal information from victim networks before encrypting files. This blog contains information about the attack chain we observed in one victim organization, as well as technical details about the operation of this ransomware.

The first suspicious activity observed by Symantec occurred on a victim’s network on November 3, approximately two weeks before Noberus was deployed. On November 3, suspicious Server Message Block (SMB) requests occurred on the earliest machine to get infected on the victim network. This was followed by remote Local Security Authority (LSA) registry dump attempts from a remote machine on the network. While it is a legitimate tool, ConnectWise has frequently been exploited by ransomware attackers in recent times to gain access to victim networks. During this time, suspicious network activity was observed. Later, on November 18, shortly before Noberus was deployed, ConnectWise was also executed. A few hours later, Noberus was deployed, indicating that the attackers may have leveraged access to ConnectWise to deploy their payload.