PARINACOTA group

2020-03-12 13:11:46 +01:00 · 2020-03-12 13:11:46 +01:00 · a706b8ef2e
parent b007d5d3ce
commit a706b8ef2e
2 changed files with 40 additions and 2 deletions
--- a/clusters/microsoft-activity-group.json
+++ b/clusters/microsoft-activity-group.json
@ -258,7 +258,26 @@
      ],
      "uuid": "6085aad0-1d95-11ea-a140-078d42aced40",
      "value": "GALLIUM"
+    },
+    {
+      "description": "One actor that has emerged in this trend of human-operated attacks is an active, highly adaptive group that frequently drops Wadhrama as payload.\n PARINACOTA impacts three to four organizations every week and appears quite resourceful: during the 18 months that we have been monitoring it, we have observed the group change tactics to match its needs and use compromised machines for various purposes, including cryptocurrency mining, sending spam emails, or proxying for other attacks. The group’s goals and payloads have shifted over time, influenced by the type of compromised infrastructure, but in recent months, they have mostly deployed the Wadhrama ransomware.\nThe group most often employs a smash-and-grab method, whereby they attempt to infiltrate a machine in a network and proceed with subsequent ransom in less than an hour. There are outlier campaigns in which they attempt reconnaissance and lateral movement, typically when they land on a machine and network that allows them to quickly and easily move throughout the environment.\nPARINACOTA’s attacks typically brute forces their way into servers that have Remote Desktop Protocol (RDP) exposed to the internet, with the goal of moving laterally inside a network or performing further brute-force activities against targets outside the network. This allows the group to expand compromised infrastructure under their control. Frequently, the group targets built-in local administrator accounts or a list of common account names. In other instances, the group targets Active Directory (AD) accounts that they compromised or have prior knowledge of, such as service accounts of known vendors.\nThe group adopted the RDP brute force technique that the older ransomware called Samas (also known as SamSam) infamously used. Other malware families like GandCrab, MegaCortext, LockerGoga, Hermes, and RobbinHood have also used this method in targeted ransomware attacks. PARINACOTA, however, has also been observed to adapt to any path of least resistance they can utilize. For instance, they sometimes discover unpatched systems and use disclosed vulnerabilities to gain initial access or elevate privileges.",
+      "meta": {
+        "refs": [
+          "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "42148074-196b-4f8c-b149-12163fc385fa",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "uses"
+        }
+      ],
+      "uuid": "00edb40d-2fed-4d36-98b1-c85fc2bb1168",
+      "value": "PARINACOTA"
    }
  ],
-  "version": 7
+  "version": 8
 }
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@ -13733,7 +13733,26 @@
      },
      "uuid": "ea35282c-0686-4115-a001-bc4203549418",
      "value": "Razor"
+    },
+    {
+      "meta": {
+        "refs": [
+          "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+          "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=ransom:win32/wadhrama.c&ThreatID=2147730655"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "00edb40d-2fed-4d36-98b1-c85fc2bb1168",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "used-by"
+        }
+      ],
+      "uuid": "42148074-196b-4f8c-b149-12163fc385fa",
+      "value": "Wadhrama"
    }
  ],
-  "version": 82
+  "version": 83
 }