McAfee researchers wanted to study the tools and tactics used by the hackers behind the Sodinokibi ransomware to infect their victims' systems. For this purpose they set up a network of honeypots.
The hackers behind the ransomware are divided into groups with different names. This makes it clear who compromised the victim's system and who should be paid.
This separation into groups helped the researchers monitor their behavior and understand how they attacked victims and spread across the network.
McAfee's research team used a worldwide network of Remote Desktop Protocol (RDP) honeypots to monitor the activities of the three groups.
The teams behind the Sodinokibi ransomware are named Group 1, affiliate #34, and affiliate #19. All three groups first breached the systems via RDP and then tried to break into the rest of the network.
Researchers noted that all three groups tried to gain access to the rest of the network, using port scanning tools to detect accessible RDP servers. They then used the brute-forcing tool NLBrute RDP to gain access to the servers.
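As an added illustration of the RDP brute-force stage described above (example code written for this article, not McAfee's honeypot tooling), the following Python flags source addresses with repeated failed RDP logons and notes whether a successful logon from the same address followed. The log lines are constructed and simplified, not real Windows Security events.

```python
import re
from collections import defaultdict

# Constructed, simplified sample log lines (not from the McAfee report).
# Event 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
SAMPLE_LOG = """\
2020-03-02T10:00:01 EventID=4625 LogonType=10 User=administrator Source=203.0.113.7
2020-03-02T10:00:02 EventID=4625 LogonType=10 User=admin Source=203.0.113.7
2020-03-02T10:00:03 EventID=4625 LogonType=10 User=backup Source=203.0.113.7
2020-03-02T10:00:04 EventID=4625 LogonType=10 User=scanner Source=203.0.113.7
2020-03-02T10:00:05 EventID=4625 LogonType=10 User=test Source=203.0.113.7
2020-03-02T10:00:06 EventID=4624 LogonType=10 User=backup Source=203.0.113.7
2020-03-02T10:05:00 EventID=4625 LogonType=10 User=jsmith Source=198.51.100.4
2020-03-02T10:06:00 EventID=4624 LogonType=10 User=jsmith Source=198.51.100.4
2020-03-02T10:07:00 EventID=4625 LogonType=3 User=svc Source=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"User=(?P<user>\S+) Source=(?P<src>\S+)$"
)

# Caveat: on hosts with Network Level Authentication enabled, failed RDP
# logons are usually recorded with LogonType 3, so widen this set there.
RDP_LOGON_TYPES = {"10"}


def detect_rdp_bruteforce(log_text, threshold=5):
    """Return {source_ip: {"failures": n, "users": [...], "success_after": bool}}
    for every source with at least `threshold` failed RDP logons. A success
    from the same source after its failures is the signal worth escalating."""
    failures = defaultdict(list)   # source ip -> usernames tried
    success_after = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["lt"] not in RDP_LOGON_TYPES:
            continue
        if m["eid"] == "4625":
            failures[m["src"]].append(m["user"])
        elif m["eid"] == "4624" and failures.get(m["src"]):
            success_after.add(m["src"])
    return {
        src: {"failures": len(users), "users": sorted(set(users)),
              "success_after": src in success_after}
        for src, users in failures.items() if len(users) >= threshold
    }
```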
The #34 and #19 groups used more specialized techniques to carry out their attacks. For example, they used Mimikatz batch files to steal credentials and for other illegal activities.
The hackers in team #19 seem to be the most capable. They tried to use local exploits to gain administrator access on the compromised computers. Access to an administrator account is very important for hackers, as it allows them to affect systems across the network more easily.
Researchers also noticed that team #34 tried to install cryptomining payloads (MinerGate and XMRig) in addition to the Sodinokibi ransomware.
McAfee was able to locate the e-mail address of one of the hackers.
"Based on our analysis, this person is probably a member of a team stealing credentials and other types of data." This data is used for brute-force attacks.
Using the Everything software to locate documents
Team #34 took advantage of the file locator software Everything.
Everything helps you find files and folders on your computer quickly and easily by simply using a keyword. Content within the files can also be searched.
McAfee investigators were unable to see the exact searches made by the hackers. However, they realized that the hackers had searched the files on the victims' computers.
Researchers believe that the hackers installed the Everything software to easily search for sensitive files.
The hackers thus found the important files, stole them, and then demanded money from the victims.
Using the Everything software in ransomware attacks is a very interesting tactic. Businesses have to be alert, as data theft is one of the most common attacks nowadays.