ReadText34 Ransomware Incident

Sept. 24, 2024, 2:38 p.m.

Description

A ransomware attack was observed in September 2024, targeting an endpoint with limited visibility. The threat actor used stolen Administrator credentials to enable RDP and deploy malicious executables. They installed a vulnerable driver, TrueSight RogueKiller Antirootkit, to disable security applications. The ransomware, named ReadText34, utilized various techniques to disable system recovery and encrypt files. The attack involved the use of BianLian Go Trojan for command and control. File encryption was performed using the native Windows utility cipher.exe. A ransom note was left, threatening to release stolen data if not contacted within 72 hours. The incident highlights the importance of comprehensive endpoint monitoring, incident response planning, and attack surface reduction efforts.

Date

Published: Sept. 24, 2024, 2:22 p.m.
Created: Sept. 24, 2024, 2:22 p.m.
Modified: Sept. 24, 2024, 2:38 p.m.

Indicators

File hashes (SHA-256):
ac66828fbdf661d67562da5afb7cc8f55d9a8739ab1524e775d5dcebfc4de069
90daac69da7201e4e081b59b61ca2a2116772318621c430f75c91a65e56ea085
8368925651fefcd85e0e73790082b9a69237fa66225f932c2a44014cc356acdc

IP address:
94.198.50.195

Email addresses:
ithelp15@yousheltered.com
ithelp15@securitymy.name

Attack Patterns

Malware and tooling:
BianLian Go Trojan
ReadText34

MITRE ATT&CK techniques:
T1021.001
T1543.003
T1036.004
T1490
T1573.002
T1059.003
T1071.001
T1070.004
T1562.001
T1486
T1055
T1027
T1112
T1078