Tracking An Effective Ransomware Campaign – Part 3

Posted on November 29th, 2021

The more things change, the more they stay the same. Ransomware attacks continue to disrupt organizations across all sectors, while the results of recent law enforcement actions remain to be seen. We continue to monitor an effective threat group that shows no signs of slowing down.

The following 22 domains were identified and attributed to this threat group (one per line; treat any subdomain of these as equally suspect):

azuregroupusa.com
chipfirmware.com
databasegroupinc.com
dmaorlando.com
easyupdatepro.com
esc-ok.com
eztechnet.com
gdbcrew.com
getprintservices.com
itacrobat.com
mikrotikinside.com
release-app.net
slim-well.com
softlinesys.com
sonyblueprint.com
spdevhost.com
twebhost.com
vip-source.com
webnofy.com
webonlinecompany.com
windows-upd.com
wmsmicro.com
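To make the list above directly usable, here is an added example (written for this page, not code from the original post or from Breakpoint Labs) that matches DNS query logs against these domains. It normalises each queried name (case, trailing dot) and matches label-wise, so update.windows-upd.com hits windows-upd.com while nottwebhost.com does not. The log lines are constructed for the example in an assumed tab-separated layout of timestamp, source IP and query, loosely modelled on Zeek's dns.log; adapt the field positions to whatever resolver or proxy log you actually have.

```python
"""IOC matcher for the domains attributed to the ransomware group above.

Added example, not part of the original post. The sample log below is
constructed; the column layout (ts, source IP, query) is an assumption.
"""
from typing import Iterable, List, NamedTuple, Optional

# The 22 domains the post attributes to the group.
IOC_DOMAINS = {
    "azuregroupusa.com", "chipfirmware.com", "databasegroupinc.com",
    "dmaorlando.com", "easyupdatepro.com", "esc-ok.com", "eztechnet.com",
    "gdbcrew.com", "getprintservices.com", "itacrobat.com",
    "mikrotikinside.com", "release-app.net", "slim-well.com",
    "softlinesys.com", "sonyblueprint.com", "spdevhost.com",
    "twebhost.com", "vip-source.com", "webnofy.com",
    "webonlinecompany.com", "windows-upd.com", "wmsmicro.com",
}


def normalise(name: str) -> str:
    """Lower-case the name and strip whitespace and a trailing FQDN dot."""
    return name.strip().lower().rstrip(".")


def matching_ioc(name: str, iocs: Iterable[str] = IOC_DOMAINS) -> Optional[str]:
    """Return the IOC that `name` equals or is a subdomain of, else None.

    Matching is label-wise: 'cdn.twebhost.com' matches 'twebhost.com',
    but 'nottwebhost.com' does not (no dot before the IOC suffix).
    """
    n = normalise(name)
    for ioc in iocs:
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None


class Hit(NamedTuple):
    ts: str
    src: str
    query: str
    ioc: str


def scan_dns_log(lines: Iterable[str]) -> List[Hit]:
    """Scan 'ts<TAB>src_ip<TAB>query' lines and collect every IOC hit.

    Comment lines (starting with '#') and short/malformed lines are skipped.
    """
    hits: List[Hit] = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        parts = line.rstrip("\n").split("\t")
        if len(parts) < 3:
            continue
        ts, src, query = parts[0], parts[1], parts[2]
        ioc = matching_ioc(query)
        if ioc:
            hits.append(Hit(ts, src, query, ioc))
    return hits


# Constructed sample log for this example (not real traffic).
SAMPLE_LOG = """\
#fields\tts\tid.orig_h\tquery
1638144000.1\t10.0.0.15\tupdate.windows-upd.com.
1638144001.4\t10.0.0.15\twww.microsoft.com
1638144002.9\t10.0.0.22\tRELEASE-APP.NET
1638144003.3\t10.0.0.31\tnottwebhost.com
1638144004.7\t10.0.0.31\tcdn.twebhost.com
""".splitlines()

if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_LOG):
        print(f"{h.ts} {h.src} queried {h.query} -> IOC {h.ioc}")
```

Run against the constructed log this reports three hits (windows-upd.com, release-app.net and twebhost.com) and correctly ignores the look-alike nottwebhost.com. Feed it your own resolver or proxy export by replacing SAMPLE_LOG with the file's lines and adjusting the column indices in scan_dns_log.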

On a positive note, we observed a distinct change in this group's TTPs over the past month: the threat actors have moved away from their preferred domain registrar, NameCheap, to other providers such as NetEarth One and Hosting Concepts B.V. d/b/a Registrar.eu.

The best defense against ransomware continues to be centered on reliable, regularly tested backups, active monitoring of networks and systems for vulnerabilities and weaknesses, and an active patch management program. An ounce of prevention is worth a pound of cure. If your enterprise is missing one or more of these best practices, please contact us to help get you on the right track before it is too late.

If you are in need of incident response support or ways to defend against this and other threats, please contact us at https://breakpoint-labs.com/.