February 01, 2022

Midas Ransomware

Industry: Technology | Level: Tactical | Source: Sophos

Sophos reported the deployment of Midas ransomware against a technology vendor in December 2021. A review of the threat indicators showed that the attackers were active on the network for at least two months, with the earliest indicator of compromise found on October 13th, 2021. The organization's network was, unfortunately, uncomplicated: a flat topology with no network segmentation. The attackers also took advantage of the commercial remote access tools AnyDesk and TeamViewer to move laterally in the network; the organization had previously used the software for tests but had not uninstalled it from the servers. Sophos identified one unique aspect of the compromise: the attackers crafted and installed PowerShell scripts as services prior to deploying the ransomware. The activity was carefully engineered during the two months they were on the network. Due to a visibility gap, it is unknown how the attackers accessed the domain controller or obtained Admin permissions. Threat activity progressed slowly from October 13th to November 2nd and picked up again on November 25th, with ransomware deployment on December 7th. Observed threat activity on the network included using Process Hacker to identify processes, Mimikatz for credential harvesting, execution of scripts from TEMP and AppData directories, and exfiltration of data to a cloud service.

  • Anvilogic Use Cases:
    • Windows Service Created
    • Obfuscated Powershell Techniques
    • RDP Hijacking
    • Mimikatz
    • Executable Process from Suspicious Folder
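
A defender-side triage sketch for the PowerShell-as-a-service and TEMP/AppData execution activity described above, added here as an example and not taken from Sophos or Anvilogic. It assumes service installs are collected as System-log Event ID 7045 records with `ServiceName` and `ImagePath` fields; the sample events, service names and rule names are constructed.

```python
import re

# Rule names are hypothetical labels for this example, not Anvilogic use-case IDs.
RULES = {
    # Service binary path that launches a PowerShell interpreter.
    "powershell_as_service": re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I),
    # Service binary or script located in a TEMP or AppData directory.
    "runs_from_temp_or_appdata": re.compile(
        r"\\(?:temp|appdata)\\|%(?:temp|tmp|appdata|localappdata)%", re.I),
}

# Constructed sample records shaped like Event ID 7045
# ("A service was installed in the system"); not from the Sophos report.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Print Helper",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 7045, "ServiceName": "svc-example-1",
     "ImagePath": r"%COMSPEC% /c powershell.exe -NoProfile -File "
                  r"C:\Users\admin\AppData\Local\Temp\job.ps1"},
    {"EventID": 7045, "ServiceName": "svc-example-2",
     "ImagePath": r'"C:\Windows\Temp\updater.exe" -k run'},
    {"EventID": 7045, "ServiceName": "Vendor Agent",
     "ImagePath": r"C:\Program Files\Vendor\agent.exe"},
    # Not a service-install event, so it is skipped even though the path matches.
    {"EventID": 4624, "ServiceName": "n/a",
     "ImagePath": r"C:\Temp\powershell.exe"},
]

def triage_service_installs(events):
    """Return (service name, matched rule names) for suspicious 7045 events."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue
        path = ev.get("ImagePath", "")
        reasons = [name for name, rx in RULES.items() if rx.search(path)]
        if reasons:
            findings.append((ev.get("ServiceName", "?"), reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in triage_service_installs(SAMPLE_EVENTS):
        print(f"{name}: {', '.join(reasons)}")
```

Legitimate management software also installs services that call PowerShell, so matches are leads to review against a known-good service baseline, not verdicts.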