
"The ransomware gang caught exploiting Microsoft SharePoint zero-days over the summer has added a new tool to its arsenal: Velociraptor, an open-source digital forensics and incident response app not previously tied to ransomware incidents. In August, Cisco's Talos incident response team dealt with a ransomware attack in which the criminals deployed Warlock, LockBit, and Babuk ransomware to encrypt VMware ESXi virtual machines and Windows servers, and used Velociraptor to maintain stealthy access while they encrypted the victim organization's files. "Talos assesses with moderate confidence that this activity can be attributed to the group Storm-2603," Talos' researchers Michael Szeliga, Aliza Johnson, and Jaeson Schultz said in a Thursday threat report."
"Storm-2603 is a newish crew that first emerged in July after Microsoft caught the criminals abusing vulnerable on-premises SharePoint servers to deploy ransomware. At the time, Redmond said it suspected the criminals were based in China, although they were not necessarily a government-backed group. However, in a separate report published this month, anti-ransomware firm Halcyon said Storm-2603 has "some ties to Chinese nation-state actors," and is the same group also tracked as Warlock and CL-CRI-1040, as well as being a LockBit affiliate."
Storm-2603 exploited Microsoft SharePoint zero-days to deploy ransomware and has now added Velociraptor, an open-source DFIR tool not previously tied to ransomware incidents, to keep quiet access to victim networks while encryption ran. In the August incident handled by Cisco Talos, the group deployed Warlock, LockBit, and Babuk to encrypt VMware ESXi virtual machines and Windows servers; this was the first observed use of Babuk by the crew, and running several ransomware families at once is a noted hallmark of the group. Talos attributed the activity to Storm-2603 with moderate confidence. Anti-ransomware firm Halcyon reported that Storm-2603 has some ties to Chinese nation-state actors. Velociraptor itself is a legitimate DFIR tool whose server tasks agents installed on Windows, Linux, and macOS endpoints, which is exactly why a rogue deployment is easy to mistake for a sanctioned one.
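The practical lesson of the summary above is that Velociraptor has to be hunted like any other dual-use agent: an allowlist of where it is permitted to run and which frontend it is permitted to talk to, checked against service-install telemetry and the client configuration. The following is an added example written for this page; it is not code from the Register article, Cisco Talos, or the Velociraptor project. It assumes an organisation that runs Velociraptor only from one approved install path and one approved frontend hostname, and it treats the "service run" launch arguments as a signal for a renamed binary, which is an assumption about the tool's command line rather than something the article states. Every host, path, URL, and log record below is constructed.

```python
"""Hunt for unsanctioned Velociraptor agents in service-install telemetry.

Added example, not code from the Register article, Cisco Talos, or the
Velociraptor project. It assumes an organisation that runs Velociraptor
only from one approved install path, pointed at one approved frontend.
All hosts, paths, URLs and log records below are constructed.
"""
import re
from urllib.parse import urlparse

# Assumed organisational baseline (constructed).
APPROVED_IMAGE = r"c:\program files\velociraptor\velociraptor.exe"
APPROVED_FRONTENDS = {"velociraptor.corp.example"}

VELO_NAME = re.compile(r"velociraptor", re.I)
# Once installed as a Windows service the Velociraptor client is launched
# with "service run" arguments; using that as a signal for a renamed binary
# is an assumption about the tool's command line, not a fact from the article.
VELO_ARGS = re.compile(r"\bservice\s+run\b", re.I)

# Constructed records in the shape of Windows "new service installed" events
# (System log event 7045 / Security log event 4697 carry these fields).
SAMPLE_EVENTS = [
    {"host": "FS01", "service": "Velociraptor",
     "image": r'"C:\Program Files\Velociraptor\Velociraptor.exe" service run',
     "user": r"CORP\svc-dfir-deploy"},
    {"host": "DC02", "service": "Velociraptor",
     "image": r"C:\Users\Public\velociraptor.exe service run",
     "user": r"CORP\Administrator"},
    {"host": "APP07", "service": "WinSysHelper",
     "image": r"C:\Windows\Temp\vr.exe --config C:\Windows\Temp\c.yaml service run",
     "user": r"NT AUTHORITY\SYSTEM"},
    {"host": "WEB03", "service": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe",
     "user": r"NT AUTHORITY\SYSTEM"},
]


def image_path(image):
    """Extract the executable from a service ImagePath: a quoted path runs to
    the closing quote, an unquoted one ends at the first '.exe'."""
    s = image.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    m = re.match(r"(.+?\.exe)", s, re.I)
    return m.group(1) if m else s.split()[0]


def classify_service_event(ev):
    """Return None for unrelated services, otherwise a finding dict with a
    'sanctioned' or 'rogue' verdict and the reasons for a rogue verdict."""
    exe = image_path(ev["image"])
    named = bool(VELO_NAME.search(ev["service"]) or VELO_NAME.search(exe))
    launched = bool(VELO_ARGS.search(ev["image"]))
    if not (named or launched):
        return None
    finding = {"host": ev["host"], "service": ev["service"],
               "exe": exe, "user": ev["user"]}
    if exe.lower() == APPROVED_IMAGE:
        finding.update(verdict="sanctioned", reasons=[])
        return finding
    reasons = ["binary outside the approved install path"]
    if launched and not named:
        reasons.append("Velociraptor-style launch arguments under a renamed binary/service")
    finding.update(verdict="rogue", reasons=reasons)
    return finding


def hunt(events):
    """One finding per Velociraptor-looking service install, in input order."""
    return [f for f in (classify_service_event(e) for e in events) if f]


# Constructed client configs in the shape of Velociraptor's client.config.yaml,
# where Client.server_urls names the frontend the agent reports to.
APPROVED_CONFIG = """\
Client:
  server_urls:
    - https://velociraptor.corp.example:8000/
  ca_certificate: |
    -----BEGIN CERTIFICATE-----
"""

ROGUE_CONFIG = """\
Client:
  server_urls:
    - https://203.0.113.45:8000/
    - https://203.0.113.46:8000/
  nonce: constructed
"""

URL_ITEM = re.compile(r"\s*-\s*(https?://\S+)")


def frontend_hosts(config_text):
    """Hostnames listed under Client.server_urls (line-based, no YAML library)."""
    hosts, in_block = [], False
    for line in config_text.splitlines():
        if re.match(r"\s*server_urls:", line):
            in_block = True
            continue
        if in_block:
            m = URL_ITEM.match(line)
            if not m:
                in_block = False
                continue
            hosts.append(urlparse(m.group(1)).hostname)
    return hosts


def unapproved_frontends(config_text, approved=APPROVED_FRONTENDS):
    """Frontends an agent is configured to report to that are not ours."""
    return [h for h in frontend_hosts(config_text) if h not in approved]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']:6} {f['verdict']:10} {f['exe']}  {'; '.join(f['reasons'])}")
    print("rogue frontends:", unapproved_frontends(ROGUE_CONFIG))
```

The two checks are deliberately independent: a renamed binary dropped in a temp directory defeats the name match but not the launch-argument match, and an agent copied to the approved path would still be caught by the frontend check if its config points anywhere but the organisation's own server. In a real deployment the approved path and frontend set come from the DFIR team's change record, and the config check runs against the client.config.yaml found next to each flagged binary.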
Read at The Register