Quote:Low-skilled hackers likely from Iran have joined the ransomware business targeting companies in Russia, India, China, and Japan. They are going after easy hits, using publicly available tools in their activity.
The new group is deploying Dharma ransomware. Based on forensic artifacts, this is a non-sophisticated, financially-motivated gang that is new to cybercrime.
The threat actor is not greedy. Their demand is between 1-5 Bitcoin (currently $11,700 - $59,000), which is on the lower range of ransom demand compared to other ransomware operations.
They find victims by scanning IP address ranges on the internet for exposed remote desktop connections (RDP); their tool of choice for this stage is Masscan, an open-source port scanner.
Next, they launch a brute-force with NLBrute, a utility that tries a list of RDP passwords in an attempt to find a combo that works. Once in, they sometimes try to elevate privileges by exploiting an old vulnerability (CVE-2017-0213) in Windows 7 through 10.
Researchers at cybersecurity company Group-IB learned about this new group in June during an incident response engagement at a company in Russia. Based on forensic artifacts, they determined the attacker to be “Persian-speaking newbie hackers.”
Supporting this conclusion are clues from the next steps of the attack, which seem to lack the confidence of an actor that knows what to do once after breaching a network.
“Interestingly, the threat actors likely didn’t have a clear plan on what to do with the compromised networks. Once they established the RDP connection, they decide on which tools to deploy to move laterally,” Group-IB
Read more: https://www.bleepingcomputer.com/news/se...ansomware/
![[-]](https://www.geeks.fyi/images/collapse.png)
