- From ScreenConnect to Hive Ransomware in 61 hours https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/ 4 comments netsec
- HTML Smuggling Leads to Domain Wide Ransomware by the Nokoyawa ransomware group. The time to ransomware (TTR) was just over 12 hours from the initial infection. https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/ 2 comments programming
- HTML Smuggling Leads to Domain Wide Ransomware https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/ 5 comments computerforensics
- Malicious ISO File Leads to Domain Wide Ransomware https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/ 6 comments netsec
- Unwrapping Ursnifs Gifts https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/ 2 comments computerforensics
- 2021 Year In Review - Tools, TTPs, and more! https://thedfirreport.com/2022/03/07/2021-year-in-review/ 4 comments netsec
- CONTInuing the Bazar Ransomware Story https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/ 2 comments netsec
- Exchange Exploit Leads to Domain Wide Ransomware https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/ 21 comments netsec
- From Zero to Domain Admin https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/ 50 comments netsec
- BazarLoader to Conti Ransomware in 32 Hours - In July we witnessed a BazarLoader campaign that deployed Cobalt Strike and ended with domain wide encryption using Conti ransomware. https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/ 7 comments netsec
- Trickbot Deploys a Fake 1Password Installer - In this intrusion, we will take a look at a Trickbot infection, where soon after gaining access, the threat actor started to enumerate the target network and dump credential information. https://thedfirreport.com/2021/08/16/trickbot-deploys-a-fake-1password-installer/ 14 comments netsec
- PYSA/Mespinoza Ransomware - Over the course of 8 hours the PYSA/Mespinoza threat actors used Empire and Koadic as well as RDP to move laterally throughout the environment, grabbing credentials from as many systems as possible on the way to their objective. https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware 5 comments netsec
- Ryuk Speed Run, 2 Hours to Ransom https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/ 8 comments netsec
- Ryuk in 5 Hours - The Ryuk threat actors went from a phishing email to domain wide ransomware in 5 hours. https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/ 9 comments netsec
- Ryuk’s Return - The Ryuk group went from an email to domain wide ransomware in 29 hours and asked for over $6 million USD to unlock our systems. https://thedfirreport.com/2020/10/08/ryuks-return/ 9 comments netsec
- Another RDP brute force ransomware strikes again, this time, Snatch Team! Snatch Team was able to go from brute forcing a Domain Administrator (DA) account via RDP, to encrypting all Domain joined systems in less than 5 hours. https://thedfirreport.com/2020/06/21/snatch-ransomware/ 30 comments netsec
- An actor logged into the honeypot via RDP and installed XMRig with multiple persistence mechanisms. The actor used icacls and attrib to lock down directories and files to make detection and eradication difficult. https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ 3 comments netsec