Attackers also Deploy a Cryptominer and Lockbit Ransomware

OXFORD, U.K.  — avril 12, 2022 —

Sophos, a global leader in next-generation cybersecurity, today released findings on how attackers breached and spent five months inside a regional government server in the U.S., using it to browse online for a mix of hacker and IT administration tools that could help them carry out the attack. The attackers also installed a cryptominer before exfiltrating data and deploying Lockbit ransomware. The findings are detailed in a new article, “Attackers Linger on Government Agency Computers Before Deploying Lockbit Ransomware,” and suggest that multiple attackers infiltrated the vulnerable server. The attack was contained and investigated by Sophos’ incident response team.

“This was a very messy attack. Working together with the target, Sophos researchers were able to build a picture that started with what appears to be novice attackers breaking into the server, poking around the network and using the compromised server to Google a combination of pirated and free versions of hacker and legitimate admin tools to use in their attack. They then seemed unsure of what to do next,” said Andrew Brandt, principal security researcher at Sophos. “About four months after the initial breach, the nature of the attack activity changed, in some cases so drastically that it suggests attackers with very different skills had joined the fray. These attackers went on to attempt to uninstall security software. They eventually stole data and encrypted files on several machines by deploying Lockbit ransomware.”

The Sequence of Attack

Sophos researchers found that the initial point of access for the attack was an open remote desktop protocol (RDP) port on a firewall that was configured to provide public access to a server. The attackers breached the server in September 2021. They then used a browser on the breached server to search online for the tools to use for hacking and attempted to install them. In some cases, the search for tools led the attackers to shady download sites that delivered adware to the hacked server, instead of the tools they were looking for.

The research shows that attackers’ behaviors changed significantly in mid-January, with signs of more skilled and focused activity. These attackers attempted to remove the malicious cryptominer and uninstall security software, taking advantage of the fact that the target had inadvertently left a protective feature disabled after completing maintenance. The attackers then collected and exfiltrated data and deployed the Lockbit ransomware. The ransomware attack had limited success and the attackers failed to encrypt data on some machines.

Staying Protected

The tools the attackers tried to install for malicious purposes included Advanced Port Scanner, FileZilla, LaZagne, mimikatz, NLBrute, Process Hacker, PuTTY, Remote Desktop Passview, RDP Brute Forcer, SniffPass, and WinSCP. The attackers also installed commercial remote access tools, including ScreenConnect and AnyDesk.

“If a member of the IT team hasn’t downloaded them for a specific purpose, the presence of such tools on machines on your network is a red flag for an ongoing or imminent attack,” said Brandt. “Unexpected or unusual network activity, such as a machine scanning the network is another such indicator. Repeated RDP login failures on a machine only accessible inside the network is a sign someone might be using a brute-force tool to try to move laterally. As are active connections from commercial remote access tools the IT team has not installed or may have used in the past but have not used for a while.

“A robust, proactive, 24/7 defense-in-depth approach will help to prevent such an attack from taking hold and unfolding. The most important first step is to try to prevent attackers from gaining access to a network in the first place, for example by implementing multi-factor authentication and setting firewall rules to block remote access to RDP ports in the absence of a VPN connection.”

For further information read the article, “Attackers Linger on Government Agency Computers Before Deploying Lockbit Ransomware” on Sophos News.

À propos de Sophos

Sophos est un leader mondial innovant dans le domaine des solutions de sécurité avancées qui neutralisent les cyberattaques. La Société a fait l’acquisition de Secureworks en février 2025, réunissant ainsi deux pionniers qui ont redéfini l’industrie de la cybersécurité grâce à leurs services, technologies et produits innovants, optimisés par l’intelligence artificielle native. 
Sophos est désormais le plus grand fournisseur spécialisé de services de détection et réponse managées (MDR) protégeant plus de 28,000 organisations à travers et d’autres services, son portefeuille complet comprend les solutions de sécurité de pointe pour les endpoints, les réseaux, les emails et le cloud, qui interagissent et s’adaptent dynamiquement pour assurer une défense efficace via la plateforme Sophos Central.  
Secureworks apporte à cette alliance ses technologies innovantes et leaders sur le marché, notamment Taegis XDR/MDR, la détection et réponse aux menaces sur l’identité (ITDR), des capacités SIEM nouvelle génération, la gestion des risques ainsi qu’un ensemble complet de services de conseil en cybersécurité.  
Sophos commercialise l’ensemble de ces solutions à travers un réseau mondial de revendeurs, de fournisseurs de services managés (MSP) et de fournisseurs de services de sécurité managés (MSSP), protégeant plus de 600 000 entreprises contre le phishing, les ransomwares, le vol de données et d’autres cybermenaces, qu’elles soient quotidiennes ou menées par des Etats-nations.  
Toutes les solutions sont alimentées par des renseignements sur les menaces en temps réel et historiques issus de Sophos X-Ops et de la Counter Threat Unit (CTU) récemment intégrée.  
Le siège social de Sophos est situé à Oxford, au Royaume-Uni. Pour plus d’informations, consultez le site sophos.fr.