LockBit may be using TeamViewer in its ransomware attacks

Researchers detect popular remote access tool used to deploy ransomware.

Security researchers at Huntress have observed a couple of ransomware attempts that appear to have used TeamViewer to gain initial access to targeted systems.

The folks at Huntress detected the activity after a small number of ransomware canary files (files deployed to alert security systems about encryption attempts) on affected systems were encrypted by ransomware, which appears to be similar to that used by the LockBit gang in the past.
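Canary files work because a ransomware payload cannot tell a decoy from a real document: it encrypts or renames the decoy along with everything else, and that change is the alert. The following is an added illustration of the idea, not Huntress's tooling or the code of any product; it deploys a canary per directory, records a SHA-256 baseline, and reports any canary that is overwritten or has vanished (the file name, payload and `.locked` rename used in the demo are constructed assumptions).

```python
"""Deploy ransomware canary files and report any that were overwritten or renamed."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Assumed naming convention: a leading "00_" sorts first in most directory
# listings, so a payload that walks a directory tends to hit the canary early.
CANARY_NAME = "00_do_not_delete.docx"
CANARY_PAYLOAD = b"canary file: not a real document, do not edit\n"


def deploy_canaries(directories: list[str], payload: bytes = CANARY_PAYLOAD) -> dict[str, str]:
    """Write one canary into each directory; return {path: sha256} as the baseline."""
    baseline: dict[str, str] = {}
    for d in directories:
        p = Path(d) / CANARY_NAME
        p.write_bytes(payload)
        baseline[str(p)] = hashlib.sha256(payload).hexdigest()
    return baseline


def check_canaries(baseline: dict[str, str]) -> list[tuple[str, str]]:
    """Return (path, reason) for every canary that is missing or no longer matches the baseline."""
    alerts: list[tuple[str, str]] = []
    for path, expected in baseline.items():
        p = Path(path)
        if not p.exists():
            # Many families rename on encryption (name.docx -> name.docx.<ext>),
            # so list any sibling that starts with the canary's name as a hint.
            siblings = sorted(c.name for c in p.parent.iterdir() if c.name.startswith(p.name))
            alerts.append((path, f"missing (found: {siblings})" if siblings else "missing"))
            continue
        actual = hashlib.sha256(p.read_bytes()).hexdigest()
        if actual != expected:
            alerts.append((path, "content changed"))
    return alerts


def demo() -> tuple[list, list, list]:
    """Exercise the canary in a scratch directory.

    Returns the alert lists for three states: untouched, overwritten with
    junk (simulated in-place encryption), and renamed with a ".locked" suffix
    (simulated rename-on-encrypt). The suffix is a constructed example.
    """
    with tempfile.TemporaryDirectory() as d:
        baseline = deploy_canaries([d])
        clean = check_canaries(baseline)

        p = Path(d) / CANARY_NAME
        p.write_bytes(b"\x00ENCRYPTED\xff" * 8)       # simulated in-place encryption
        overwritten = check_canaries(baseline)

        p.rename(p.with_name(p.name + ".locked"))     # simulated rename-on-encrypt
        renamed = check_canaries(baseline)
    return clean, overwritten, renamed


if __name__ == "__main__":
    for label, alerts in zip(("clean", "overwritten", "renamed"), demo()):
        print(f"{label:12s} -> {alerts}")
```

In production the check would run from a scheduled task or a file-system watcher and page the SOC on the first alert; the point of the baseline hash is that a canary which merely changes mtime (backup agents, indexing) does not fire, while any content change or rename does.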

In both cases, Huntress was able to use TeamViewer log files to measure the time the criminals spent on each system. One session lasted just seven and a half minutes, while the second, which was stopped by security software installed on the system, lasted just over 10 minutes.

Both access attempts came from the same specific endpoint, and both began the initial deployment from a DOS batch file on the desktop of the affected system. In the second case, when the deployment was stopped, the threat actor attempted several times to bypass the security software and launch an executable called LB3.exe, which likely stands for LockBit 3.0, the gang's full name.
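The two observations above, session length taken from TeamViewer's own logs and both sessions tracing back to the same remote endpoint, are exactly what a defender can reconstruct from the connection log without any other telemetry. The script below is an added example, not Huntress's code: it parses incoming-connection records, computes each session's duration, groups sessions by remote TeamViewer ID, and flags sessions from an ID not on an allow-list or outside business hours. It assumes the tab-separated layout of TeamViewer's `Connections_incoming.txt` (remote ID, display name, start, end, local user, connection type, connection GUID); the sample lines, IDs, host names and the `111111111` allow-list entry are constructed, and the two short sessions mirror the durations reported in the article.

```python
"""Reconstruct remote-access sessions from TeamViewer incoming-connection log lines."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample in the assumed Connections_incoming.txt layout:
# remote ID, display name, start, end, local user, connection type, GUID (tab-separated).
SAMPLE_LOG = (
    "111111111\tHELPDESK-PC\t15-01-2024 09:02:11\t15-01-2024 09:41:50\tjdoe\tRemoteControl\t{aaaa-1}\n"
    "555555555\tWIN-UNKNOWN\t17-01-2024 02:13:05\t17-01-2024 02:20:35\tjdoe\tRemoteControl\t{bbbb-2}\n"
    "555555555\tWIN-UNKNOWN\t17-01-2024 02:31:40\t17-01-2024 02:41:48\tjdoe\tRemoteControl\t{cccc-3}\n"
)
TS_FMT = "%d-%m-%Y %H:%M:%S"   # assumed timestamp format of the log


@dataclass
class Session:
    remote_id: str
    display_name: str
    start: datetime
    end: datetime
    local_user: str
    conn_type: str
    conn_guid: str

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


def parse_sessions(text: str) -> list[Session]:
    """Parse log text into Session records; malformed lines are skipped, not fatal."""
    sessions: list[Session] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 7:
            continue   # partially written or truncated record
        rid, name, start, end, user, ctype, guid = fields
        sessions.append(Session(rid, name, datetime.strptime(start, TS_FMT),
                                datetime.strptime(end, TS_FMT), user, ctype, guid))
    return sessions


def group_by_remote_id(sessions: list[Session]) -> dict[str, list[Session]]:
    """Group sessions by the remote TeamViewer ID, so repeat visits from one endpoint stand out."""
    groups: dict[str, list[Session]] = defaultdict(list)
    for s in sessions:
        groups[s.remote_id].append(s)
    return dict(groups)


def flag_sessions(sessions: list[Session], allowed_remote_ids: set[str],
                  business_hours: tuple[int, int] = (8, 18)) -> list[tuple[str, str, int, list[str]]]:
    """Return (remote_id, guid, duration_seconds, reasons) for every session worth a look."""
    findings = []
    for s in sessions:
        reasons = []
        if s.remote_id not in allowed_remote_ids:
            reasons.append("unknown remote ID")
        if not (business_hours[0] <= s.start.hour < business_hours[1]):
            reasons.append("outside business hours")
        if reasons:
            findings.append((s.remote_id, s.conn_guid, int(s.duration.total_seconds()), reasons))
    return findings


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for rid, group in group_by_remote_id(sessions).items():
        print(rid, [int(s.duration.total_seconds()) for s in group], "seconds")
    for finding in flag_sessions(sessions, allowed_remote_ids={"111111111"}):
        print("FLAG", finding)
```

The allow-list is the important control: a help-desk TeamViewer ID seen every day is noise, while a never-seen ID connecting twice at two in the morning for under ten minutes each time is the pattern described above, and it is visible in the log whether or not the payload was stopped.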

The file and another file curiously named ZZZZZZZ were eventually quarantined by security software, after which the threat actor seems to have given up.

According to Huntress, keeping track of the software installed on your machines is as important as any physical inventory.

“Basic security measures are based on an inventory of assets, not only of physical and virtual endpoints, but also of installed applications,” Huntress researcher Harlan Carvey said in a blog post.

“This, and previous incidents observed by Huntress SOC analysts, clearly demonstrate that threat actors seek any available means of access to individual endpoints to wreak havoc and possibly extend their reach even further into the infrastructure.”
