Attackers linger on government agency computers before deploying Lockbit ransomware

Threat actors spent more than five months remotely googling for tools from the target's machines

Written by Andrew Brandt, Angela Gunn

April 12, 2022

In an attack where unknown threat actor groups spent at least five months poking around inside the network of a regional US government agency, behavioral log data suggests that two or more such groups were active before the final group deployed a Lockbit ransomware payload earlier this year.

Throughout the period the attackers were active on the target’s network, they installed, then used, the Chrome browser to search for (and download) hacking tools on the “patient zero” computer, a server where they made their initial access. Though the attackers deleted many Event Logs from machines they controlled, they didn’t remove them all.

Reconstructing events from the surviving logs, analysts found evidence that the threat actors searched for (then downloaded) tools using a Chrome browser they had installed on the compromised server.

Sophos was able to piece together the narrative of the attack from those unmolested logs, which provide an intimate look into the actions of a not particularly sophisticated, but still successful, attacker.

For instance, the logs recorded that the attackers installed various commercial remote-access tools on accessible servers and desktops. They appeared to prefer the IT management tool ScreenConnect, but later switched to AnyDesk in an attempt to evade our countermeasures. We also found download logs of various RDP scanning, exploit, and brute-force password tools, and records of successful uses of those tools, so Windows remote desktop was on the menu, too.

In addition to various custom scripts and configuration files used by hacking tools the attackers installed, we found a wide variety of other malicious software, from password brute-forcers, to cryptominers, to pirated versions of commercial VPN client software. There was also evidence the attackers used freeware tools like PsExec, FileZilla, Process Explorer, or GMER to execute commands, move data from one machine to another, and kill or subvert the processes that impeded their efforts.
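The behaviours described above (event logs being cleared, commercial remote-access clients such as ScreenConnect and AnyDesk being installed as services, and RDP password brute-forcing) all leave traces in Windows event logs that a defender can hunt for. The following is an added example, not code from Sophos or from the original article, that triages a small set of constructed event records for exactly those three signals. The records, host names, IP addresses and timestamps are made up for the example; the event IDs are real Windows identifiers (1102 audit log cleared, 104 event log file cleared, 7045 new service installed, 4625 failed logon with LogonType 10 meaning RemoteInteractive/RDP), and the field names assume a typical EVTX-to-JSON export.

```python
"""Triage Windows event records for log clearing, remote-access tool installs
and RDP brute-force attempts. Added example; input below is constructed."""
from collections import Counter

# Real Windows event IDs (channel, id). LogonType 10 = RemoteInteractive (RDP).
LOG_CLEARED = {("Security", 1102), ("System", 104)}
SERVICE_INSTALLED = ("System", 7045)
LOGON_FAILED = ("Security", 4625)
RDP_LOGON_TYPE = 10

# Remote-access products named in the write-up; matched case-insensitively
# against the new service's name and image path.
REMOTE_ACCESS_TOOLS = ("screenconnect", "anydesk")


def is_remote_access_service(event):
    """True when a 7045 record describes one of the watched remote-access clients."""
    haystack = (event.get("service_name", "") + " " + event.get("image_path", "")).lower()
    return any(tool in haystack for tool in REMOTE_ACCESS_TOOLS)


def triage(events, rdp_threshold=5):
    """Return a list of findings; each is {"host", "type", "detail"}.

    rdp_threshold is the number of failed RDP logons from one source IP to one
    host that we treat as brute forcing (an assumption for this example).
    """
    findings = []
    rdp_failures = Counter()
    for ev in events:
        key = (ev["channel"], ev["event_id"])
        if key in LOG_CLEARED:
            findings.append({"host": ev["host"], "type": "log_cleared",
                             "detail": f"{ev['channel']} log cleared at {ev['time']} by {ev.get('user', '?')}"})
        elif key == SERVICE_INSTALLED and is_remote_access_service(ev):
            findings.append({"host": ev["host"], "type": "remote_access_tool_installed",
                             "detail": f"service '{ev['service_name']}' -> {ev.get('image_path', '?')}"})
        elif key == LOGON_FAILED and ev.get("logon_type") == RDP_LOGON_TYPE:
            rdp_failures[(ev["host"], ev.get("src_ip", "?"))] += 1
    for (host, src), n in rdp_failures.items():
        if n >= rdp_threshold:
            findings.append({"host": host, "type": "rdp_brute_force",
                             "detail": f"{n} failed RDP logons from {src}"})
    return findings


def _failed_rdp(host, src_ip, count, logon_type=RDP_LOGON_TYPE):
    """Build `count` constructed 4625 records from one source (test data helper)."""
    return [{"host": host, "channel": "Security", "event_id": 4625,
             "time": f"2021-10-02T03:{i:02d}:00Z", "logon_type": logon_type, "src_ip": src_ip}
            for i in range(count)]


# Constructed sample export: hosts, paths, IPs and times are invented.
SAMPLE_EVENTS = [
    {"host": "srv-01", "channel": "System", "event_id": 7045, "time": "2021-09-20T21:03:11Z",
     "service_name": "ScreenConnect Client (constructed)",
     "image_path": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"host": "ws-07", "channel": "System", "event_id": 7045, "time": "2021-12-01T18:40:52Z",
     "service_name": "AnyDesk Service", "image_path": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    {"host": "ws-07", "channel": "System", "event_id": 7045, "time": "2021-12-01T18:41:10Z",
     "service_name": "Spooler", "image_path": r"C:\Windows\System32\spoolsv.exe"},  # benign
    {"host": "srv-01", "channel": "Security", "event_id": 1102, "time": "2022-01-03T02:14:00Z",
     "user": "svc-backup"},
    {"host": "srv-01", "channel": "System", "event_id": 104, "time": "2022-01-03T02:14:05Z",
     "user": "svc-backup"},
    {"host": "ws-07", "channel": "Security", "event_id": 4624, "time": "2021-12-01T18:39:00Z"},  # ignored
] + _failed_rdp("srv-01", "10.20.30.40", 6) \
  + _failed_rdp("srv-01", "10.20.30.41", 2) \
  + _failed_rdp("srv-01", "10.20.30.42", 3, logon_type=2)   # console logons, not RDP


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding['type']}] {finding['host']}: {finding['detail']}")
```

On real data the interesting part is correlating the findings in time: a 1102 or 104 record is itself evidence of tampering, but a log-clear that follows a remote-access service install on the same host, as in the sample above, is the sequence the article describes and deserves a higher priority than either signal alone.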