McAfee recently released research on the Cuba ransomware. These attackers have pivoted to leaking data to extort funds from the firms they are attacking. As is typical these days, the attackers had access to the network before they activated the ransomware. This allowed them to examine the network and decide how best to attack it.
The attackers used PowerShell commands to move laterally in the network. PowerShell was called from the SysWOW64 folder using the command Powershell -windowstyle hidden to hide it from the user. The ransomware looked for specific languages, for example Russian, to provide flexibility for the attacker. The attackers then reviewed what each workstation had access to and the last connection to each workstation to find more targets. The attackers also abused SeDebugPrivilege to elevate privileges. The attack sequence disabled certain services, including ones related to SQL, email and other communication processes.
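The two behaviours described above (a hidden-window PowerShell launched from SysWOW64, and stops of SQL or email services) are easy to pick out of process-creation telemetry. The following is an added detection example written for this article, not code from McAfee's report; the log lines are constructed in a flattened Sysmon Event ID 1 style, and the field names, rule names and service-name hints are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of process-creation events (Sysmon Event ID 1 style, one per
# line). Illustrative only; not telemetry from the McAfee report.
SAMPLE_LOG = r"""
EventID=1 Image=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe CommandLine="Powershell -windowstyle hidden -File C:\Users\Public\update.ps1" User=CORP\svc01
EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -File C:\scripts\nightly.ps1" User=CORP\backupsvc
EventID=1 Image=C:\Windows\System32\net.exe CommandLine="net stop MSSQLSERVER" User=CORP\svc01
EventID=1 Image=C:\Windows\System32\sc.exe CommandLine="sc stop MSExchangeIS" User=CORP\svc01
EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe" User=CORP\alice
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# PowerShell accepts abbreviated parameter names, so -w, -win, -windowstyle all count.
HIDDEN_RE = re.compile(r'-w[a-z]*\s+hidden', re.IGNORECASE)
STOP_RE = re.compile(r'\bstop\s+"?([\w.$-]+)', re.IGNORECASE)
# Service families the article says the attack sequence disabled (assumed hint list).
SENSITIVE_SERVICE_HINTS = ("sql", "exchange", "mail", "smtp", "imap")

def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened 'key=value key="quoted value"' event into a dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def classify(ev: Dict[str, str]) -> Dict[str, str]:
    """Return a finding for one event, or {} if nothing matches."""
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "")
    exe = image.rsplit("\\", 1)[-1].lower()
    if exe == "powershell.exe" and HIDDEN_RE.search(cmd):
        # 32-bit PowerShell from SysWOW64 on a 64-bit host is rare for admin
        # scripting, so it raises the severity of the hidden-window finding.
        sev = "high" if "\\syswow64\\" in image.lower() else "medium"
        return {"rule": "hidden_powershell", "severity": sev, "user": ev.get("User", ""), "cmd": cmd}
    if exe in ("net.exe", "net1.exe", "sc.exe"):
        m = STOP_RE.search(cmd)
        if m and any(h in m.group(1).lower() for h in SENSITIVE_SERVICE_HINTS):
            return {"rule": "sensitive_service_stop", "severity": "high", "user": ev.get("User", ""), "cmd": cmd}
    return {}

def analyze(log_text: str) -> List[Dict[str, str]]:
    """Run classify() over every non-empty line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            f = classify(parse_event(line))
            if f:
                findings.append(f)
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['rule']} user={f['user']} cmd={f['cmd']}")
```

Correlating the two rules on the same account within a short window (here CORP\svc01 triggers both) is what turns individual hits into a credible intrusion signal.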
Attackers’ favorite Windows privileges
Windows privileges are often used and abused in other attacks: