Back in April of this year, a new ransomware group called “Money Message” became active. The cybercriminals had previously flown under the radar, but Sophos X-Ops was able to take a closer look at their activities while investigating an attack on an Australian organization.
The group is a prime example of what has become a very widespread attack pattern: moving through compromised company networks by a variety of routes in order to avoid detection and removal. For example, in 78 percent of the cases analyzed by the Sophos Incident Response Team in the first half of 2023, cybercriminals abused internal RDP services for their own purposes.
Vulnerable VPN connections attacked
In this particular case, Money Message used a vulnerable VPN connection to gain access to the network. The attackers then moved laterally using the Remote Desktop Protocol (RDP) already deployed by the company. They were also able to disable Windows Defender and obtain various organizational credentials before they began to harvest sensitive data.
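The attack path just described (a VPN foothold, RDP hopping between internal hosts, Windows Defender switched off) leaves a recognisable trail in Windows event logs. The script below is an added illustration of how a defender might correlate that trail; it is not Sophos' tooling and not taken from the investigation report. It relies on two well-documented event IDs, Security 4624 with LogonType 10 (RemoteInteractive, i.e. RDP) and Microsoft-Windows-Windows Defender/Operational 5001 (real-time protection disabled). The host names, account names, addresses, the assumed VPN address pool and the event records themselves are constructed sample data.

```python
"""Correlate RDP lateral-movement chains with Windows Defender tampering.

Added example, not part of the original article or of any Sophos tool.
Event IDs used:
  4624 / LogonType 10 : successful RemoteInteractive (RDP) logon (Security log)
  5001               : Defender real-time protection disabled (Defender Operational log)
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed address pool handed out by the VPN concentrator (hypothetical value).
VPN_POOL = "10.99.0."

# Constructed sample records mimicking the fields a SIEM keeps per Windows event.
SAMPLE_EVENTS = [
    {"time": "2023-04-12T01:02:10", "host": "FS01",  "event_id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "10.99.0.15"},
    {"time": "2023-04-12T01:09:44", "host": "APP02", "event_id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "10.10.1.21"},
    {"time": "2023-04-12T01:17:03", "host": "DC01",  "event_id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "10.10.1.34"},
    {"time": "2023-04-12T01:18:30", "host": "DC01",  "event_id": 5001, "logon_type": None, "user": "SYSTEM", "src_ip": None},
    {"time": "2023-04-12T09:00:00", "host": "WS117", "event_id": 4624, "logon_type": 10, "user": "j.doe", "src_ip": "10.10.5.40"},
    {"time": "2023-04-12T09:05:00", "host": "WS117", "event_id": 4624, "logon_type": 2,  "user": "j.doe", "src_ip": None},
]


def parse_time(stamp):
    """Parse the ISO-8601 timestamp used in the sample records."""
    return datetime.fromisoformat(stamp)


def rdp_chains(events, min_hosts=3, window=timedelta(hours=1)):
    """Find accounts that logged on via RDP to >= min_hosts distinct hosts within `window`.

    Returns {user: {"hosts": [...], "via_vpn": bool}}. A single RDP logon is
    normal; a short burst across several hosts is the lateral-movement pattern.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 10:
            by_user[e["user"]].append((parse_time(e["time"]), e["host"], e["src_ip"]))

    findings = {}
    for user, logons in by_user.items():
        logons.sort()
        # Slide a time window over the sorted logons and count distinct hosts.
        for i, (t0, _, _) in enumerate(logons):
            hosts = {host for t, host, _ in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                via_vpn = any((ip or "").startswith(VPN_POOL) for _, _, ip in logons)
                findings[user] = {"hosts": sorted(hosts), "via_vpn": via_vpn}
                break
    return findings


def defender_disabled(events):
    """Hosts on which Defender real-time protection was turned off (event 5001)."""
    return sorted({e["host"] for e in events if e["event_id"] == 5001})


def correlate(events):
    """Join RDP chains with Defender tampering; raise severity when both hit one host."""
    tampered = set(defender_disabled(events))
    alerts = []
    for user, info in rdp_chains(events).items():
        overlap = sorted(set(info["hosts"]) & tampered)
        alerts.append({
            "user": user,
            "hosts": info["hosts"],
            "via_vpn": info["via_vpn"],
            "defender_disabled_on": overlap,
            "severity": "high" if overlap else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the script flags `svc_backup` only: three RDP logons to three hosts inside an hour, the first from the VPN pool, with Defender disabled on the last host, so the alert is rated high. The interactive user `j.doe` stays below the threshold. In production the thresholds and the VPN pool would come from the environment, and the 5001 event should be joined with the 4624 logon that preceded it on the same host to name the account responsible.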
The freely available English investigation report “Step by step through the money message ransomware” gives full details of the attack and tips for preventing such stealthy attacks.
More at Sophos.com
About Sophos
More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage, and they offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions and security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of in-house analysis centers. Sophos is headquartered in Boston, USA and Oxford, UK.