The New Zealand Computer Emergency Response Team (CERT NZ) has released an advisory on a ransomware campaign leveraging remote access technologies. Malicious cyber actors are targeting organizations’ networks through remote access tools, such as Remote Desktop Protocol and virtual private networks, to exploit unpatched vulnerabilities and weak authentication.
After gaining access, cyber actors use various tools—including mimikatz, PsExec, Cobalt Strike, and Nefilim ransomware—for privilege escalation, lateral movement, persistence, and data exfiltration and encryption. Due to the level of access gained before deploying ransomware, the issue cannot be resolved by simply restoring data from backup.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the CERT NZ Advisory, Active Ransomware Campaign Leveraging Remote Access Technologies, for more information and mitigations as well as indicators of compromise associated with Nefilim ransomware. CISA also encourages organizations to review the following resources for more information on protecting against and responding to ransomware.