Severity
Medium
Analysis Summary
A GlobeImposter ransomware outbreak took place at a financial services subsidiary company, resulting in encryption of a server and the NAS storage which hosted the virtual machines connected to them. Initially, a brute-force RDP attack was launched against an admin account on the first compromised server, resulting in 1800 failed login attempts within 5 hours before access was gained. Once access was gained, the attackers deployed an advanced port scanner, the credential-stealing malware Mimikatz, and crypto-mining malware. The attackers then proceeded to deploy the ransomware, which the researchers reported to be GlobeImposter. However, no evidence of data exfiltration has been found.
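The logon pattern described above (a long run of failed logons against one account, followed by a success) can be detected from Windows Security events 4625 (failed logon) and 4624 (successful logon). The following is an added example, not part of the original advisory; the tuple layout, the threshold of 100 and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624      # Windows Security log event IDs
WINDOW = timedelta(hours=5)       # window length taken from the incident timeline
THRESHOLD = 100                   # assumed alert threshold, tune per environment


def detect_bruteforce_success(events, window=WINDOW, threshold=THRESHOLD):
    """Return alerts where a successful logon follows >= threshold failures
    for the same account inside the window. events: iterable of
    (timestamp, event_id, account, source_ip), sorted by timestamp."""
    failures = defaultdict(deque)   # account -> deque of (timestamp, source_ip)
    alerts = []
    for ts, event_id, account, src in events:
        q = failures[account]
        while q and ts - q[0][0] > window:   # expire failures outside the window
            q.popleft()
        if event_id == FAILED:
            q.append((ts, src))
        elif event_id == SUCCESS and len(q) >= threshold:
            # Keyed by account, so attempts spread over many source IPs still count.
            alerts.append({
                "account": account,
                "success_time": ts,
                "success_source": src,
                "failed_attempts": len(q),
                "failure_sources": sorted({s for _, s in q}),
            })
            q.clear()   # one alert per burst
    return alerts


def constructed_sample():
    """Constructed events: 1800 failures over 5 hours, then a success,
    plus a normal user who mistypes a password twice."""
    start = datetime(2020, 1, 1, 0, 0, 0)
    events = [(start + timedelta(seconds=10 * i), FAILED, "admin", "203.0.113.7")
              for i in range(1800)]
    events.append((start + timedelta(hours=5), SUCCESS, "admin", "203.0.113.7"))
    events += [(start + timedelta(minutes=m), FAILED, "jsmith", "10.0.0.5") for m in (1, 2)]
    events.append((start + timedelta(minutes=3), SUCCESS, "jsmith", "10.0.0.5"))
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    for alert in detect_bruteforce_success(constructed_sample()):
        print(alert)
```

An alert here means the guessed credential worked, so the account and host should be treated as compromised rather than merely targeted.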
Impact
Indicators of Compromise
IP(s) / Hostname(s)
185.220.101[.]32
Malware Hash (MD5/SHA1/SHA256)
Remediation