Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs
Sept. 9, 2025, 10:10 p.m.
Description
This intelligence report details a sophisticated cyber intrusion with links to three major ransomware groups: Play, RansomHub, and DragonForce. The attack began with a malicious file impersonating DeskSoft's EarthTime application, which deployed the SectopRAT malware. The threat actors used a range of tools for reconnaissance, lateral movement, and data exfiltration, including SystemBC, the Betruger backdoor, AdFind, SharpHound, and Grixba. They relied on RDP and Impacket's wmiexec for lateral movement, and on WinRAR and WinSCP for data collection and exfiltration. The intrusion lasted six days before the threat actors were evicted. The overlap in tooling with Play, RansomHub, and DragonForce illustrates how blurred the lines between different ransomware operations have become.
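As an added example (not part of the original report), the following Python checks process-creation events for the command-line artefact Impacket's wmiexec leaves when it runs a command through WMI: a cmd.exe child of WmiPrvSE.exe whose output is redirected to \\127.0.0.1\ADMIN$\__<timestamp> so the tool can read the result back over SMB. The pipe-delimited event format and the sample lines are constructed for this example; the field names are assumptions meant to resemble Sysmon Event ID 1 or Windows 4688 data, not a real log source.

```python
"""Flag wmiexec-style lateral movement in process-creation events.

Added example, not code from the report or from Impacket. The events below are
constructed; the detection keys on the public behaviour of wmiexec.py, which
wraps every command as:
    cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<unix time> 2>&1
Both the 127.0.0.1 target and the ADMIN$ share are defaults an operator can
change, so the pattern below tolerates other hosts and share names.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Output redirection that wmiexec.py appends to each command it executes.
WMIEXEC_OUTPUT = re.compile(
    r"1>\s*\\\\(?:127\.0\.0\.1|[\w.-]+)\\[\w$]+\\__\d+(?:\.\d+)?\s+2>&1",
    re.IGNORECASE,
)

# Interpreters that WmiPrvSE.exe spawning is worth a second look on its own
# (wmiexec with -silentcommand, or other WMI remote-execution tooling, leaves
# no redirect to match on).
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class ProcEvent:
    host: str
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'host|parent_image|image|command_line' line.

    maxsplit=3 keeps any '|' that appears inside the command line intact.
    """
    host, parent, image, cmd = line.split("|", 3)
    return ProcEvent(host, parent, image, cmd)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[str]:
    """Return 'high', 'medium' or None for a single process-creation event."""
    # The ADMIN$\__<timestamp> redirect is abnormal regardless of parent.
    if WMIEXEC_OUTPUT.search(ev.command_line):
        return "high"
    # A shell spawned directly by the WMI provider host is a weaker signal.
    if _basename(ev.parent_image) == "wmiprvse.exe" and _basename(ev.image) in SHELLS:
        return "medium"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run classify() over raw lines; return (host, severity, command_line) hits."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        sev = classify(ev)
        if sev is not None:
            hits.append((ev.host, sev, ev.command_line))
    return hits


# Constructed sample events (not from the report): one wmiexec command with
# its redirect, one WMI-spawned shell without it, and two benign events.
SAMPLE_EVENTS = [
    r"DC01|C:\Windows\System32\wbem\WmiPrvSE.exe|C:\Windows\System32\cmd.exe|"
    r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1736000000.123 2>&1",
    r"FS02|C:\Windows\System32\wbem\WmiPrvSE.exe|C:\Windows\System32\cmd.exe|"
    r'cmd.exe /c net group "Domain Admins" /domain',
    r"WS07|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir",
    r"SRV03|C:\Windows\System32\wbem\WmiPrvSE.exe|C:\Windows\System32\conhost.exe|"
    r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
]

if __name__ == "__main__":
    for host, sev, cmd in scan(SAMPLE_EVENTS):
        print(f"{sev:6} {host}: {cmd}")
```

The regex match is the high-confidence signal; the WmiPrvSE.exe-to-shell heuristic is intentionally rated lower because legitimate management agents also execute commands through WMI, so it should be tuned against a baseline of the environment's own WMI-spawned processes before it is used for alerting.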
Tags
Date
- Created: Sept. 8, 2025, 9:36 p.m.
- Published: Sept. 8, 2025, 9:36 p.m.
- Modified: Sept. 9, 2025, 10:10 p.m.
Additional Information
- Government