A recent report by security intelligence firm Group-IB reveals that a new ransomware group called EstateRansomware has exploited a year-old vulnerability in Veeam backup software, identified as CVE-2023-27532, as part of a sophisticated attack chain.
The attack started with the exploitation of a dormant account in Fortinet FortiGate firewall SSL VPN appliances to gain initial access. Once inside the network, the attackers deployed a persistent backdoor, conducted network discovery, and harvested credentials. Subsequently, they exploited the Veeam vulnerability to activate a shell and create rogue user accounts for lateral movement within the network.
To carry out these activities, the attackers utilized tools like NetScan, AdFind, and various NirSoft tools for network discovery, enumeration, and credential harvesting. After disabling Windows Defender, EstateRansomware deployed the LockBit 3.0 ransomware variant to encrypt files and clear logs. This ransomware variant has similarities to other known ransomware variants like BlackMatter and Alphv, implying potential connections or inspirations between these groups.
EstateRansomware first emerged in April 2024 and has been targeting organizations in the UAE, France, Hong Kong, Malaysia, and the US, according to Group-IB. The group operates alongside several other active ransomware groups, often using affiliates to carry out attacks as part of a ransomware-as-a-service model.
Cyber threat intelligence analyst Fearghal Hughes from ReliaQuest highlighted EstateRansomware’s methodical and well-resourced approach to attacks, emphasizing the importance of a comprehensive cybersecurity strategy. The group primarily relies on exploiting unpatched network security vulnerabilities, as noted by Martin Greenfield, CEO of Quod Orbis, who stressed the necessity for organizations to prioritize basics like patching, backups, and access control.
In response to the threat posed by EstateRansomware and similar groups, ReliaQuest proposed a five-point action plan:
1. Prioritize timely patching of known vulnerabilities, especially those in widely used software.
2. Adopt a zero-trust approach to network security.
3. Implement multi-factor authentication for all remote access points and critical systems.
4. Deploy network segmentation to contain the spread of ransomware.
5. Ensure secure, regularly tested backup systems that are segmented from the main network.
By following these recommendations and strengthening cybersecurity measures, organizations can enhance their resilience against ransomware attacks like EstateRansomware. As cyber threats continue to evolve, proactive security strategies and adherence to best practices are crucial to safeguarding sensitive data and critical systems.