In a recent article by “The DFIR Report”, the company outlined a timeline in which it took a mere 2 hours for ransomware operators to take over an entire enterprise and encrypt all its assets.
Like many successful breaches, this one began with a phishing email containing a link to a Google Drive hosted file, which executed the “Bazaar” malware. From there the attackers used conventional discovery and C2 tools like Cobalt Strike and AdFind, which eventually led to successful exploitation of the ZeroLogon vulnerability in the Microsoft domain controllers. From this point forward, it was a speedy deployment of the Ryuk ransomware across the entire network and the successful encryption of all assets within less than an hour.
Once again, this proves the immense importance of security awareness training to prevent phishing, and of swift security patching of critical vulnerabilities like ZeroLogon.
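As an added example (not code from the article or from The DFIR Report), a defender-side check for the ZeroLogon step of this timeline: it assumes Windows events have already been parsed into a small record type, and flags the Netlogon events that Microsoft's patch emits for vulnerable secure-channel connections as well as the anonymous computer-account change that exploitation produces.

```python
# Added example: scan parsed Windows events for ZeroLogon indicators.
# The Event type and the sample events below are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int
    subject: str   # account that performed the action
    target: str    # account acted upon; computer accounts end with "$"


# Netlogon events introduced by the August 2020 patch:
# 5827/5828 = vulnerable secure channel denied (enforcement active),
# 5829      = vulnerable secure channel allowed (enforcement not yet active).
NETLOGON_VULN_EVENTS = {5827: "denied", 5828: "denied", 5829: "allowed"}


def zerologon_indicators(events):
    """Return (event_id, reason) tuples that merit investigation."""
    hits = []
    for e in events:
        if e.event_id in NETLOGON_VULN_EVENTS:
            outcome = NETLOGON_VULN_EVENTS[e.event_id]
            hits.append((e.event_id,
                         f"vulnerable Netlogon secure channel {outcome} for {e.target}"))
        # Exploitation resets the DC machine-account password without credentials,
        # which shows up as 4742 (computer account changed) by ANONYMOUS LOGON.
        elif (e.event_id == 4742
              and e.subject.upper() == "ANONYMOUS LOGON"
              and e.target.endswith("$")):
            hits.append((4742, f"computer account {e.target} changed by anonymous logon"))
    return hits


# Constructed sample: one benign logon, one allowed vulnerable channel,
# one anonymous DC account change, one legitimate admin-driven change.
SAMPLE_EVENTS = [
    Event(4624, "jdoe", "jdoe"),
    Event(5829, "N/A", "DC01$"),
    Event(4742, "ANONYMOUS LOGON", "DC01$"),
    Event(4742, "admin", "WS07$"),
]

if __name__ == "__main__":
    for event_id, reason in zerologon_indicators(SAMPLE_EVENTS):
        print(event_id, reason)
```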
News Site: thedfirreport.com