Many victims mistakenly assume that criminals immediately leave a compromised network.
When a company is attacked using ransomware, many victims believe that attackers quickly install malware and leave the network to avoid detection. But in reality, criminals do not so quickly give up a compromised resource, the BleepingComputer reported.
Instead, cyber attacks can occur several days and weeks after hacking a vulnerable network. Hacking can be carried out using a vulnerable remote desktop service, vulnerabilities in VPN software, or by remote access provided by malicious programs such as TrickBot, Dridex and QakBot.
Criminals use tools like Mimikatz, PowerShell Empire and PSExec to steal credentials and move around the network. By gaining access to computers on the network, attackers use stolen credentials to steal sensitive data from backup devices and servers before deploying ransomware. Many victims mistakenly assume that at this stage the criminals leave the compromised network, but this belief is far from the truth.
For example, Maze ransomware operators reported on their website about hacking a network of a subsidiary of ST Engineering called VT San Antonio Aerospace (VT SAA). The criminals published a document containing the victim’s IT department report on their attack. As the stolen document shows, Maze operators were still hiding on the victim’s network and continued to steal files while investigating the incident.
__________________
When a company is attacked using ransomware, many victims believe that attackers quickly install malware and leave the network to avoid detection. But in reality, criminals do not so quickly give up a compromised resource, the BleepingComputer reported.
Instead, cyber attacks can occur several days and weeks after hacking a vulnerable network. Hacking can be carried out using a vulnerable remote desktop service, vulnerabilities in VPN software, or by remote access provided by malicious programs such as TrickBot, Dridex and QakBot.
Criminals use tools like Mimikatz, PowerShell Empire and PSExec to steal credentials and move around the network. By gaining access to computers on the network, attackers use stolen credentials to steal sensitive data from backup devices and servers before deploying ransomware. Many victims mistakenly assume that at this stage the criminals leave the compromised network, but this belief is far from the truth.
For example, Maze ransomware operators reported on their website about hacking a network of a subsidiary of ST Engineering called VT San Antonio Aerospace (VT SAA). The criminals published a document containing the victim’s IT department report on their attack. As the stolen document shows, Maze operators were still hiding on the victim’s network and continued to steal files while investigating the incident.
__________________