Recently, an organization that wishes to remain anonymous contacted a ransomware removal service for help understanding a ransomware infection on its systems. The service's analysts began working with the organization, and their early findings showed that the ransomware had been present since October of the previous year. This came as a shock to the organization, which had assumed the ransomware was a recent threat. The ransomware is believed to be a variant of either Dharma or CrySis.
The ransomware removal analysts found that the attackers had used Remote Desktop Protocol (RDP) to carry out the intrusion. RDP is a Microsoft protocol normally used by network engineers and system administrators for remote administration. A Russian IP address was at the center of the attack: the attackers used RDP to connect the organization's systems to their remote servers. The RDP activity continued for at least seven days.
Most of the activity initiated by the attack took place before the ransomware itself was deployed, and a second system belonging to the organization was also targeted. On the day the ransomware was deployed, the last RDP connection originated from Russia; within the next hour another connection was seen originating from Sweden. Once these connections were established, it took the attackers less than a minute to place malicious files on the organization's system.
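A defender-side detection sketch for the pattern described above, added here as an example (it is not code from the write-up or from the removal service): it scans constructed Windows Security 4624 logon events (LogonType 10 = RDP) and a constructed Sysmon file-creation event, flags RDP logons from outside the organization's assumed internal ranges, flags the same account arriving from two countries inside an hour, and flags a file written within a minute of such a logon. The country lookup is a placeholder standing in for a GeoIP database.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample telemetry, not data from the incident described above.
# Event ID 4624 with LogonType 10 is a RemoteInteractive (RDP) logon;
# Sysmon Event ID 11 is a file-creation event.
EVENTS = [
    {"ts": "2019-10-14T02:11:05", "id": 4624, "type": 10, "src": "10.0.0.21", "user": "helpdesk"},
    {"ts": "2019-10-21T03:40:12", "id": 4624, "type": 10, "src": "203.0.113.45", "user": "admin"},
    {"ts": "2019-10-21T04:31:50", "id": 4624, "type": 10, "src": "198.51.100.9", "user": "admin"},
    {"ts": "2019-10-21T04:32:30", "id": 11, "path": "C:\\Users\\admin\\Desktop\\update.exe"},
]
# Placeholder for a GeoIP lookup; the source addresses and country codes are constructed.
GEO = {"203.0.113.45": "RU", "198.51.100.9": "SE"}
# Assumed internal address space of the organization.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

TRAVEL_WINDOW = timedelta(hours=1)   # two countries inside an hour, as in the incident
DROP_WINDOW = timedelta(seconds=60)  # file landed under a minute after the logon


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)


def analyze(events, geo):
    """Return (rule, timestamp) alerts for RDP-driven intrusion patterns."""
    alerts = []
    external = []  # external RDP logons seen so far: (time, user, country)
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 4624 and ev["type"] == 10:
            if is_internal(ev["src"]):
                continue  # RDP from the internal network is routine administration
            country = geo.get(ev["src"], "??")
            alerts.append(("external_rdp_logon", ev["ts"]))
            # Same account from a different country within the travel window
            if any(u == ev["user"] and c != country and t - pt <= TRAVEL_WINDOW
                   for pt, u, c in external):
                alerts.append(("rdp_country_change_within_hour", ev["ts"]))
            external.append((t, ev["user"], country))
        elif ev["id"] == 11:
            # A file written shortly after an external RDP logon matches the tool-drop step
            if any(timedelta(0) <= t - pt <= DROP_WINDOW for pt, _, _ in external):
                alerts.append(("file_created_after_rdp_logon", ev["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, ts in analyze(EVENTS, GEO):
        print(ts, rule)
```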
Ransomware removal experts have observed similar tactics over the past year: organizations are compromised and the criminals profit from their data, either by demanding a ransom or by selling it to third parties on the dark web. The targeted companies range from small to large, and the private and government sectors have been hit equally hard.