Vendetta Ransomware Campaign
Ransomware campaign attributed to Vendetta.
Campaign Summary
Predatory ransomware attack against a retail chain in the US. The attackers used advanced persistence techniques and data exfiltration to maximize damage before deleting the victim's files.
Objectives
- Ransom payment acquisition
- Data extraction and exfiltration
- Persistence establishment for future attacks
Tactics
Vendetta employed a multi-stage attack with the following tactics:
- Malicious Attachment: Attacker deployed RSTV exploit and malicious JAR file to access internal services.
- Credential Theft: Exfiltration of database credentials including API keys, service tokens, and user passwords via HTTP requests.
- Persistence Mechanism: Installation of a hidden backdoor (vuln-13904.exe) to maintain access after the file deletion.
Indicators of Compromise (IOCs)
| Type | Value |
|---|---|
| PID | 4567 |
| HMAC-SHA-256 (RSTV) | a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0 |
| Malicious Signature | 7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8 |
| Trojan File Name | vul-13904.exe |
| Persistence Path | C:\Program Files\VendorBackdoor\vendor_backdoor.exe |
| Exfiltration Method | HTTP POST to exfil.service:8080 |
| Target IP | |
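A defender's first use of the table above is to sweep existing telemetry for the indicators. The following script is an added example, not part of the original report: it takes the exfiltration host, the trojan file name (the report lists both spellings, vul-13904.exe and vuln-13904.exe, so both are matched) and the persistence path from the IOC table, and checks them against a handful of constructed log lines. The log format is an assumption; real proxy and endpoint telemetry will need its own parsing. The two hash-like values are left out because neither is a valid 64-character hex digest as printed.

```python
"""IOC sweep over constructed log lines for the Vendetta campaign indicators.

Added example, not part of the original report. The log lines below are
constructed for illustration; the indicator values come from the report's
IOC table, except where labelled as an assumption.
"""
from typing import Dict, List

# Indicators taken from the report's IOC table and tactics section.
EXFIL_HOST = "exfil.service:8080"
TROJAN_NAMES = ("vul-13904.exe", "vuln-13904.exe")  # report lists both spellings
PERSISTENCE_PATH = r"C:\Program Files\VendorBackdoor\vendor_backdoor.exe"

# Constructed sample lines in a generic "timestamp source message" shape.
# Assumption: real telemetry will look different; adapt the matching to it.
SAMPLE_LOGS = [
    "2024-01-01T10:00:01Z proxy POST http://exfil.service:8080/upload 200 483210 bytes",
    "2024-01-01T10:00:02Z proxy GET http://intranet.local/ 200 1200 bytes",
    r"2024-01-01T10:00:05Z sysmon ProcessCreate Image=C:\Users\svc\Downloads\vul-13904.exe",
    r"2024-01-01T10:01:00Z sysmon FileCreate Target=C:\Program Files\VendorBackdoor\vendor_backdoor.exe",
    "2024-01-01T10:02:00Z proxy POST http://crm.local/api 200 300 bytes",
]


def match_line(line: str) -> List[str]:
    """Return the labels of every indicator the given log line matches.

    Matching is case-insensitive because Windows paths and hostnames are
    case-insensitive in practice and log sources normalise them differently.
    """
    hits: List[str] = []
    low = line.lower()
    if EXFIL_HOST in low:
        hits.append("exfil_host")
    if any(name in low for name in TROJAN_NAMES):
        hits.append("trojan_file")
    if PERSISTENCE_PATH.lower() in low:
        hits.append("persistence_path")
    return hits


def sweep(lines: List[str]) -> Dict[str, List[str]]:
    """Map each log line that triggered at least one indicator to its hits."""
    results: Dict[str, List[str]] = {}
    for line in lines:
        hits = match_line(line)
        if hits:
            results[line] = hits
    return results


def summarize(results: Dict[str, List[str]]) -> Dict[str, int]:
    """Count how many lines hit each indicator so an analyst can triage quickly."""
    counts: Dict[str, int] = {}
    for hits in results.values():
        for label in hits:
            counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    found = sweep(SAMPLE_LOGS)
    for line, hits in found.items():
        print(hits, line)
    print(summarize(found))
```

Any hit on the persistence path or the trojan file name on a host is worth treating as a confirmed compromise indicator for that host, while a hit on the exfiltration host in proxy logs gives the time window and byte counts needed to scope what left the network.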
Impact
The predatory ransomware attack against the US retail chain resulted in:
- Data exfiltration valued at $30 million
- Critical system compromise of 45 systems
- Complete operational disruption for 72 hours
- Possible loss of customer trust and brand reputation
After the initial ransom demand, the attackers deleted all critical files, including the database, source code, and configuration. They also used the stolen API keys to access cloud storage buckets containing sensitive data.