Here's a thread that explains their TTPs (tactics, techniques & procedures):
![](https://pbs.twimg.com/media/DtHa1yqWsAAe6YK.jpg)
sophos.com/en-us/medialib…
What follows is a summary of some of what we covered in the report.
![](https://pbs.twimg.com/media/DtHcZZ7WkAEs5Rz.jpg)
![](https://pbs.twimg.com/media/DtHdNY8XoAE4RLu.jpg)
If you have RDP open, please close it now.
![](https://pbs.twimg.com/media/DtHhHOLWkAAqFoN.jpg)
![](https://pbs.twimg.com/media/DtHhr-EWwAA4kOA.jpg)
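As an added example (not part of the thread or the report it summarizes), here is how a Windows administrator can audit whether a host is exposing RDP and then close it. It assumes an elevated PowerShell session on Windows 8/Server 2012 or later (for the `NetSecurity` and `NetTCPIP` cmdlets) and uses the built-in "Remote Desktop" firewall rule group; the management subnet in the scoped-access variant is a placeholder.

```powershell
# Added example, not from the original thread: audit and close inbound RDP on a Windows host.
# Run elevated. Assumes the built-in "Remote Desktop" firewall rule group is present.

# 1. Audit: is anything listening on TCP/3389, and are RDP connections allowed by policy?
$rdpListener = Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue
$tsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled  = (Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0
"RDP listening on 3389: $([bool]$rdpListener); RDP connections allowed: $rdpEnabled"

# 2. Deny Remote Desktop connections entirely (fDenyTSConnections = 1).
Set-ItemProperty -Path $tsKey -Name 'fDenyTSConnections' -Value 1

# 3. Disable the firewall rules that admit RDP, so nothing reaches 3389 even if it is re-enabled later.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 4. Alternative if internal admins still need RDP: keep the rules enabled but restrict them
#    to a management subnet (placeholder address) and require Network Level Authentication.
# Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress '10.0.100.0/24'
# Set-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name 'UserAuthentication' -Value 1

# 5. Re-check: the listener should be gone or unreachable from outside the allowed subnet.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Select-Object DisplayName, Enabled, Direction
```

Step 4 is the usual compromise when RDP cannot simply be turned off: the exposure the thread warns about is RDP reachable from the internet, and scoping the firewall rule to an internal address range plus a VPN or jump host removes that exposure without removing the service.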
You couldn't just restore from backups. You needed to reimage the disk first. Pure evil.
![](https://pbs.twimg.com/media/DtHmhfhWoAAL9vm.jpg)
![](https://pbs.twimg.com/media/DtHlGhuWwAAGqOP.jpg)
These disappeared as soon as the victim paid. Only a few screenshots exist. Here's one:
![](https://pbs.twimg.com/media/DtHlz54XQAIVFyj.jpg)
All these "silent victims" were large businesses.
![](https://pbs.twimg.com/media/DtHoHBkX4AIP-sw.jpg)
Now that we know who the attackers were, the motivation seems kind of obvious.
![](https://pbs.twimg.com/media/DtHocnkXoAcKtOL.jpg)
Nobody's been arrested, and there is still a lot of low-hanging fruit out there.
news.sophos.com/en-us/2018/07/…