Temp directory, and execute it. However, this particular ransomware did not drop a ransom note and did not identify itself as any known variant. Figure 4: This root-cause analysis (RCA) graph highlights the execution of another ransomware strain that did not leave a ransom note Sophos has observed all ScreenConnect-associated ransomware malware identified by our investigation. For instance, the ransomware payload from the same location appended “.locked” to encrypted files and dropped a ransom note instructing the victim to contact a protonmail.com domain to arrange ransom payment. Figure 5: The graphical goods on the encrypted files figure prominently in the buhtiRansom ransom note The “buhtiRansom” LockBit variant and the other, more generic ransomware both exploited vulnerabilities in the same way to deploy their payloads, and the mitigation advice remains the same for both: upgrade to ScreenConnect version 23.9.8, verify your servers were not already compromised, and carefully scan and observe your network for signs of exploitation. Decrypt the following string into good English: tRm6N`FC6G~~9XroDNYou cant decrypt me
ConnectWise ScreenConnect attacks spread malware – Sophos News
