The FBI issued an alert to private industry on the threat of infection by both LockerGoga and MegaCortex. According to the FBI report, both ransomware families have been seen gaining their initial foothold on target networks through phishing attacks, SQL injection, stolen login credentials, and exploits. Before deploying either LockerGoga or MegaCortex, the group installs Cobalt Strike, a common security tool used by penetration testers, and then waits quietly inside the victims' network for months before deploying either ransomware. According to the FBI report, once the attackers deploy either ransomware, they execute a kill.bat or stop.bat batch file that terminates processes and services related to security programs, disables Windows Defender scanning features, and disables security-related services. The threat actors also use a variety of LOLBins and legitimate software such as 7-Zip, PowerShell scripts, wmic, nslookup, adfind.exe, mstds.exe, Mimikatz, Ntsdutil.exe, and massscan.exe.
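As an added defender-side example (not code from the FBI alert or this article), the following Python correlates constructed Sysmon-style process-creation events for the sequence described above: a kill.bat or stop.bat execution, service stops and Defender tampering, and use of the LOLBins the alert lists. The specific service name, PowerShell switch, registry value and flagging thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not real telemetry); one host shows the
# kill-script -> service stop -> Defender-off -> recon pattern, two hosts are benign.
EVENTS = [
    {"host": "WS01", "image": "cmd.exe", "cmdline": "cmd.exe /c C:\\Windows\\Temp\\kill.bat"},
    {"host": "WS01", "image": "net.exe", "cmdline": "net stop WinDefend /y"},
    {"host": "WS01", "image": "powershell.exe",
     "cmdline": "powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "WS01", "image": "adfind.exe", "cmdline": "adfind.exe -f objectcategory=computer -csv"},
    {"host": "WS02", "image": "nslookup.exe", "cmdline": "nslookup intranet.example.local"},
    {"host": "WS03", "image": "7z.exe", "cmdline": "7z.exe a backup.7z C:\\Users\\alice\\Documents"},
]

# (tag, regex over the command line). Service name, PowerShell switch and registry
# value are assumed examples of the "disables security services" behaviour.
RULES = [
    ("kill_script",  re.compile(r"(^|[\\\s])(kill|stop)\.bat\b", re.I)),
    ("service_stop", re.compile(r"\b(net\s+stop|sc\s+(stop|config|delete)|taskkill\s+/f)\b", re.I)),
    ("defender_off", re.compile(r"Set-MpPreference\s+-Disable|DisableAntiSpyware", re.I)),
    ("recon_tool",   re.compile(r"\b(adfind|wmic|nslookup|mimikatz|ntdsutil)\b", re.I)),
    ("archiver",     re.compile(r"\b7z[ar]?\.exe\b", re.I)),
]

EVASION = frozenset({"kill_script", "service_stop", "defender_off"})


def tag_event(event):
    """Return the set of rule tags whose regex matches this event's command line."""
    return {tag for tag, rx in RULES if rx.search(event["cmdline"])}


def correlate(events):
    """Aggregate tags per host. A host is flagged when it shows two or more
    defence-evasion tags, or one evasion tag together with recon/archiving tooling;
    a lone nslookup or 7-Zip run is treated as normal admin/user activity."""
    per_host = defaultdict(set)
    for e in events:
        per_host[e["host"]] |= tag_event(e)
    flagged = {}
    for host, tags in per_host.items():
        evasion = tags & EVASION
        if len(evasion) >= 2 or (evasion and tags & {"recon_tool", "archiver"}):
            flagged[host] = sorted(tags)
    return flagged


if __name__ == "__main__":
    for host, tags in correlate(EVENTS).items():
        print(f"ALERT {host}: {', '.join(tags)}")
```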
By: Dan McNemar

It is not a new concept that criminals use the Darknet to