LASER_oneXM

Level 36
Verified
The Maze Ransomware gang breached and successfully encrypted the systems of VT San Antonio Aerospace, as well as stole and leaked unencrypted files from the company's compromised devices in April 2020.

VT San Antonio Aerospace (VT SAA) is a leading North American aircraft MRO (maintenance, repair, and overhaul) service provider specialized in airframe maintenance repair and overhaul, line maintenance, aircraft modifications, and aircraft engineering services.

VT SAA is a subsidiary of ST Engineering (part of ST Aerospace, its aerospace arm), one of the largest firms listed on the Singapore Exchange and an engineering group with customers in the defense, government, and commercial segments in over 100 countries, and roughly 23,000 people across Asia, Europe, Middle East, and the United States.

ST Aerospace provides repair and overhaul services for more than 25,000 mechanical and avionics component types fitted on various Airbus and Boeing aircraft and helicopters.

cruelsister

Level 37
Verified
Trusted
Content Creator
The ransomware is fine, but this particular instance must be used quickly (preferably targeted), as the decision to use the artifact kit of Cobalt Strike to build the malware is questionable: most security products will now seek anything (DLLs and EXEs) that used it and then flag the entire file as malware. In this way pretty code can be wasted with a bad obfuscation routine.

Also, once again the authors were nice enough to add a rule to WF (netsh advfirewall firewall set rule group="remote desktop" new enable=Y) to allow a connection to our friends (Hi Katya!) in Moscow.
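A defender-side detection for the firewall change described above, as an added example that is not from the thread or from any of its posters: it normalizes Windows process-creation command lines (constructed sample data, assumed to be what a Sysmon or EDR feed provides) and flags netsh commands that enable the built-in "Remote Desktop" firewall rule group.

```python
import re

RDP_GROUP = "remote desktop"

# Constructed sample command lines, in the shape a Sysmon Event ID 1 / EDR feed
# would carry them. These are assumptions for the demo, not data from the post.
SAMPLE_EVENTS = [
    'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes',
    'C:\\Windows\\System32\\netsh.exe  ADVFIREWALL firewall set rule group="Remote Desktop" new enable=YES',
    'netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes',
    'netsh advfirewall firewall set rule group="remote desktop" new enable=No',
    'netsh advfirewall show allprofiles',
    'powershell.exe -nop -w hidden -c "Get-Process"',
]

# Matches netsh by bare name or full path, case-insensitively after normalization.
NETSH_SET_RULE = re.compile(r"(?:^|[\\/ ])netsh(?:\.exe)? advfirewall firewall set rule (?P<args>.+)$")
KEY_VALUE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def normalize(cmdline):
    """Lowercase, drop quotes and collapse whitespace so case and quoting variants match."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "").replace("'", "")).strip().lower()


def parse_netsh_set_rule(cmdline):
    """Return (selector, changes) dicts for a 'netsh advfirewall firewall set rule' command, else None.

    netsh syntax is 'set rule <selector> new <changes>', so the arguments are split on ' new '.
    """
    m = NETSH_SET_RULE.search(normalize(cmdline))
    if not m:
        return None
    selector, _, changes = m.group("args").partition(" new ")
    return dict(KEY_VALUE.findall(selector)), dict(KEY_VALUE.findall(changes))


def enables_rdp_group(cmdline):
    """True if the command turns on the 'Remote Desktop' rule group (enable=yes; the post writes 'Y')."""
    parsed = parse_netsh_set_rule(cmdline)
    if parsed is None:
        return False
    selector, changes = parsed
    return selector.get("group") == RDP_GROUP and changes.get("enable", "").startswith("y")


def find_rdp_firewall_enables(events):
    """Filter a list of command lines down to those that enable the RDP firewall group."""
    return [event for event in events if enables_rdp_group(event)]


if __name__ == "__main__":
    for hit in find_rdp_firewall_enables(SAMPLE_EVENTS):
        print("ALERT: RDP firewall group enabled via netsh:", hit)
```

Rules enabled by name (name="...") rather than by group are not covered; a production rule would also watch the equivalent PowerShell and registry paths.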
 

Vitali Ortzi

Level 20
Verified
The ransomware is fine, but this particular instance must be used quickly (preferably targeted), as the decision to use the artifact kit of Cobalt Strike to build the malware is questionable: most security products will now seek anything (DLLs and EXEs) that used it and then flag the entire file as malware. In this way pretty code can be wasted with a bad obfuscation routine.

Also, once again the authors were nice enough to add a rule to WF (netsh advfirewall firewall set rule group="remote desktop" new enable=Y) to allow a connection to our friends (Hi Katya!) in Moscow.
If you have time, can you test Maze samples in your videos now?
And raise security awareness.
And what is the hash of this sample?
 

avstor

Level 1
the decision to use the artifact kit of Cobalt Strike to build the malware is questionable

The malicious actors more than likely were fully aware of this, and yet they still managed to get what they wanted.
Or they could have just paid someone to do their dirty coding, and whoever did it did not do anything about it, if they were aware of it at all.
Point is, there are a billion roads to pwn; even the slow and sloppy ones work.
Being high and tight with your operation is wasted effort and money when it is so easy to pwn your adversary or target.

The real issue in this entire case, like the never-ending stream of others, is that enterprise/institutional security on the whole is atrociously bad.
That fact can be attributed to one single factor in the vast majority of cases:
they refuse to change for the sake of security.