lockbit2 attacks cyberapex
Incident Date: April 14, 2022
Overview
Title: lockbit2 attacks cyberapex
Victim: cyberapex
Attacker: Lockbit2
Location:
First Reported: April 14, 2022
CyberApex Technology Limited Targeted by Play Ransomware Group
Overview of the Attack
CyberApex Technology Limited, a Hong Kong-based company within the Business Services sector, has recently fallen victim to the Play Ransomware group. This incident was disclosed on a dark web leak site, highlighting the company's vulnerability. The Play Ransomware group, also identified as Playcrypt, has been operational since June 2022, targeting around 300 entities across various continents including North America, South America, and Europe.
Company Profile and Vulnerabilities
Although CyberApex Technology Limited is a relatively small entity, its insufficient cybersecurity measures made it a prime target for the Play Ransomware group. The lack of detailed information on the company's website about its size or the services it offers suggests a potential underestimation of cybersecurity threats. The breach could have been facilitated by exploiting known vulnerabilities or through inadequate security practices such as unpatched systems or the use of weak passwords.
Play Ransomware Group Tactics
The Play Ransomware group employs sophisticated evasion techniques to circumvent detection by conventional security tools. This underscores the necessity for organizations to integrate Comprehensive Threat Intelligence (CTI) platforms for early detection of emerging threats from the dark web. The group's modus operandi includes leveraging valid accounts, exploiting exposed Remote Desktop Protocol (RDP) servers, and utilizing FortiOS vulnerabilities for initial access. After gaining entry, they deploy tools like AdFind to extract information from Active Directory and distribute malicious executables across the network through Group Policy Objects, scheduled tasks, or PsExec.
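The post-access tooling named above (AdFind, PsExec, scheduled tasks) leaves process-creation telemetry that a defender can match on. The following is an added detection example, not code from this page or the RRA site; it assumes a simplified key=value rendering of Sysmon Event ID 1 (process creation) with CommandLine as the last field, and the log lines, hosts and paths are constructed samples.

```python
"""Flag process-creation events that match the AdFind / PsExec / schtasks
tooling described above. Input format is a constructed key=value rendering
of Sysmon Event ID 1; CommandLine is always the last field so it may
contain spaces. Hosts, users and paths below are invented sample data."""
from typing import Dict, List, Tuple

SAMPLE_EVENTS = [
    r"EventID=1 Host=WS01 User=CORP\jdoe Image=C:\Windows\System32\notepad.exe OriginalFileName=NOTEPAD.EXE CommandLine=notepad.exe",
    # Renamed AdFind binary: the file name changed, OriginalFileName (PE metadata) did not.
    r"EventID=1 Host=WS01 User=CORP\jdoe Image=C:\Users\Public\af.exe OriginalFileName=AdFind.exe CommandLine=af.exe",
    # PsExec's PE metadata carries OriginalFileName 'psexec.c', which survives renaming.
    r"EventID=1 Host=WS01 User=CORP\jdoe Image=C:\Tools\PsExec64.exe OriginalFileName=psexec.c CommandLine=PsExec64.exe",
    r"EventID=1 Host=SRV02 User=CORP\svc_backup Image=C:\Windows\System32\schtasks.exe OriginalFileName=schtasks.exe CommandLine=schtasks.exe /create /tn SysUpdate /tr C:\Users\Public\upd.exe",
    r"EventID=1 Host=SRV02 User=CORP\admin Image=C:\Windows\System32\schtasks.exe OriginalFileName=schtasks.exe CommandLine=schtasks.exe /query",
]

PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
PSEXEC_ORIGINAL_NAMES = {"psexec.c", "psexesvc.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed key=value line into a field dict."""
    head, _, cmd = line.partition(" CommandLine=")
    fields = dict(tok.split("=", 1) for tok in head.split())
    fields["CommandLine"] = cmd
    return fields


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (possibly none)."""
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    original = ev.get("OriginalFileName", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    hits = []
    # Match on both the on-disk name and PE OriginalFileName so renaming alone does not evade the rule.
    if image == "adfind.exe" or original == "adfind.exe":
        hits.append("adfind_ad_enumeration")
    if image in PSEXEC_IMAGES or original in PSEXEC_ORIGINAL_NAMES:
        hits.append("psexec_lateral_execution")
    # Only task creation is interesting; /query and /delete are routine admin activity.
    if image == "schtasks.exe" and "/create" in cmd:
        hits.append("scheduled_task_creation")
    return hits


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, rule, image) for every matching event, in log order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule in classify(ev):
            findings.append((ev["Host"], rule, ev["Image"]))
    return findings


if __name__ == "__main__":
    for host, rule, image in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule} <- {image}")
```

These are alerting signals, not verdicts: AdFind and PsExec also appear in legitimate administration, so the hits should be triaged against the executing account and the parent process.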
Recommended Mitigation Strategies
To counter the threat of ransomware attacks, it is imperative for organizations to implement multifactor authentication, adhere to the principle of least privilege, and ensure both logical and physical network segmentation. Additional measures include attack surface management, securing domain controllers, maintaining offline and encrypted backups, and diligently tracking security patches along with software and operating system updates. Leveraging Dark Web News modules for the latest intelligence can also equip organizations with the knowledge to preempt potential cyber threats.
Sources
- "Understanding Ransomware and Strategies for Defense" - https://www.cisa.gov/uscert/ncas/tips/ST19-001
- "AdFind Command Reference" - https://joeware.net/freetools/tools/adfind/index.htm
- "FortiOS Vulnerability Analysis" - https://www.fortiguard.com/encyclopedia/ips