ReadText34 Ransomware Incident
Sept. 24, 2024, 2:38 p.m.
Description
A ransomware attack was observed in September 2024, targeting an endpoint with limited monitoring visibility. The threat actor used stolen Administrator credentials to enable RDP and deploy malicious executables. They installed a vulnerable driver, TrueSight RogueKiller Antirootkit, to disable security applications. The ransomware, named ReadText34, used several techniques to disable system recovery and encrypt files. The BianLian Go Trojan was used for command and control. File encryption was performed with the native Windows utility cipher.exe. A ransom note was left, threatening to release stolen data if the victim did not make contact within 72 hours. The incident highlights the importance of comprehensive endpoint monitoring, incident response planning, and attack surface reduction.
Date
Published: Sept. 24, 2024, 2:22 p.m.
Created: Sept. 24, 2024, 2:22 p.m.
Modified: Sept. 24, 2024, 2:38 p.m.
Indicators
Attack Patterns
BianLian Go Trojan
ReadText34
T1021.001 (Remote Services: Remote Desktop Protocol)
T1543.003 (Create or Modify System Process: Windows Service)
T1036.004 (Masquerading: Masquerade Task or Service)
T1490 (Inhibit System Recovery)
T1573.002 (Encrypted Channel: Asymmetric Cryptography)
T1059.003 (Command and Scripting Interpreter: Windows Command Shell)
T1071.001 (Application Layer Protocol: Web Protocols)
T1070.004 (Indicator Removal: File Deletion)
T1562.001 (Impair Defenses: Disable or Modify Tools)
T1486 (Data Encrypted for Impact)
T1055 (Process Injection)
T1027 (Obfuscated Files or Information)
T1112 (Modify Registry)
T1078 (Valid Accounts)