INC ransomware opsec fail allowed data recovery for 12 US orgs - DataBreaches.Net
Briefly

"An operational security failure allowed researchers to recover data that the INC ransomware gang stole from a dozen U.S. organizations. A deep forensic examination of the artifacts left behind uncovered tooling that had not been used in the investigated attack, but exposed attacker infrastructure that stored data exfiltrated from multiple victims."
"The operation was conducted by Cyber Centaurs, a digital forensics and incident response company that disclosed its success last November and now shared the full details with BleepingComputer. The Cyber Centaurs investigation began after a client U.S. organization detected ransomware encryption activity on a production SQL Server. The payload, a RainINC ransomware variant, was executed from the PerfLogs directory, which is typically created by Windows. However, ransomware actors have begun to use it more frequently for staging."
An operational security failure allowed recovery of data stolen by the INC ransomware gang from a dozen U.S. organizations. Cyber Centaurs performed a deep forensic examination of the artifacts left behind and found tooling that had not been used in the investigated attack; that tooling exposed attacker infrastructure storing data exfiltrated from multiple victims. The investigation started after a client detected ransomware encryption activity on a production SQL Server. The executed payload was a RainINC ransomware variant launched from the PerfLogs directory, which Windows itself creates. Ransomware operators have increasingly used this directory for staging.
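The detail that the payload ran from PerfLogs is the kind of thing a defender can turn into a detection: a Windows-created directory that rarely hosts executables is a cheap place to watch. The following is an added example, not code from the article or from Cyber Centaurs. It parses constructed Sysmon-style key=value event lines (all paths, names and the IP address are hypothetical placeholders, not indicators from the incident) and flags process-creation and network events whose image lives directly under `<drive>:\PerfLogs\`, while ignoring same-named folders elsewhere in the tree.

```python
import re
from typing import Dict, List, Optional

# Added example, not code from the article or from Cyber Centaurs.
# Constructed Sysmon-style event lines (key=value pairs); every path, file name
# and address here is a hypothetical placeholder, not an indicator from the case.
SAMPLE_EVENTS = [
    r"EventID=1 Image=C:\Windows\System32\svchost.exe ParentImage=C:\Windows\System32\services.exe",
    r"EventID=1 Image=C:\PerfLogs\update.exe ParentImage=C:\Windows\System32\cmd.exe",
    r"EventID=1 Image=C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe ParentImage=C:\Windows\System32\services.exe",
    r"EventID=1 Image=c:\perflogs\Admin\run.bat ParentImage=C:\Windows\explorer.exe",
    r"EventID=3 Image=C:\PerfLogs\tool.exe DestinationIp=203.0.113.10 DestinationPort=443",
    r"EventID=1 Image=C:\Users\alice\PerfLogs\notes.exe ParentImage=C:\Windows\explorer.exe",
]

# Directory that Windows creates legitimately but that rarely hosts executables.
STAGING_DIR = "perflogs"

# key=value pairs; a value runs until the next " key=" token or end of line,
# so values containing spaces (e.g. "Program Files") are kept intact.
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value event line into a dict."""
    return {k: v for k, v in KV_RE.findall(line.strip())}


def under_root_dir(path: str, dirname: str) -> bool:
    """True if path sits directly under <drive>:\\<dirname>\\ (case-insensitive).

    Only the root-level directory is matched, so C:\\Users\\x\\PerfLogs\\... is
    not a hit; that keeps the rule narrow and reduces noise.
    """
    norm = path.replace("/", "\\").lower()
    return re.match(r"^[a-z]:\\" + re.escape(dirname) + r"\\", norm) is not None


def classify(event: Dict[str, str]) -> Optional[str]:
    """Label events whose Image lives in the staging directory; None otherwise."""
    if not under_root_dir(event.get("Image", ""), STAGING_DIR):
        return None
    if event.get("EventID") == "1":      # Sysmon process creation
        return "process-create-from-staging-dir"
    if event.get("EventID") == "3":      # Sysmon network connection
        return "network-from-staging-dir"
    return "other-from-staging-dir"


def find_staging_activity(lines: List[str]) -> List[Dict[str, str]]:
    """Run the rule over raw event lines and return the matching events."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        label = classify(ev)
        if label:
            hits.append({
                "label": label,
                "image": ev.get("Image", ""),
                "parent": ev.get("ParentImage", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in find_staging_activity(SAMPLE_EVENTS):
        print(hit)
```

In a real deployment the same predicate would be expressed in the SIEM's query language against process-creation telemetry; the point of the example is the shape of the rule (root-level directory match, case-insensitive, split by event type) rather than the Python itself.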
Read at DataBreaches.Net