Case of Ransomware Infection in a Company Using Local Administrator Accounts Set with Same Password

After analyzing the infected systems of the company that suffered damage from the recent Lockis ransomware infection, the ASEC analysis team discovered that the attacker executed the ransomware after accessing the infected systems over RDP with local Administrator accounts. An investigation of the local Administrator account information on the infected systems showed that the passwords had not been changed for 1-2 years and that every system was set to the same password. Furthermore, upon decrypting the NTLM hash, the team discovered that the …