A ransomware attack was observed in September 2024, targeting an endpoint with limited visibility. The threat actor used stolen Administrator credentials to enable RDP and deploy malicious executables. They installed a vulnerable driver, TrueSight RogueKiller Antirootkit, to disable security applications. The ransomware, named ReadText34, used several techniques to disable system recovery and encrypt files. The BianLian Go Trojan was used for command and control. File encryption was performed using the native Windows utility cipher.exe. A ransom note was left, threatening to release stolen data if the victim did not make contact within 72 hours. The incident highlights the importance of comprehensive endpoint monitoring, incident response planning, and attack surface reduction efforts.

Author: AlienVault
Related Tags:
ReadText34
T1036.004
T1573.002
T1070.004
T1543.003
bianlian
T1562.001
T1021.001
T1059.003
Associated Indicators:
SHA-256: AC66828FBDF661D67562DA5AFB7CC8F55D9A8739AB1524E775D5DCEBFC4DE069
SHA-256: 90DAAC69DA7201E4E081B59B61CA2A2116772318621C430F75C91A65E56EA085
SHA-1: F7042CD7C363EB85FBB9D4B42B667DE4ACBFF24E
MD5: 891202963430A4B1DEA2DC5B9AF01DC5
IPv4: 94.198.50.195