This quarter, phishing attacks surged as the primary method for initial access. Learn how you can detect and prevent pre-ransomware attacks.
# Incident Report: Phishing Surge Leading to Pre-Ransomware Attacks Leveraging Valid Accounts
## Executive Summary
This report summarizes trends from Q1 2025, when phishing surged to become the initial access vector in 50% of engagements, displacing the compromised valid accounts that dominated in 2024. A major multi-stage campaign, using Tactics, Techniques, and Procedures (TTPs) associated with BlackBasta and Cactus ransomware, targeted manufacturing and construction organizations, relying on vishing to establish remote access and deploy pre-ransomware tooling. Successful defensive outcomes in pre-ransomware scenarios highlight the value of early IR engagement and robust TTP monitoring.
## Incident Details
- **Discovery Date:** Q1 2025 Reporting Period (Reported April 28, 2025)
- **Incident Date:** Occurred throughout Q1 2025
- **Affected Organization:** Multiple organizations, with the manufacturing and construction sectors specifically highlighted.
- **Sector:** Manufacturing and Construction (Primary focus for major campaign)
- **Geography:** Not explicitly specified; a global enterprise scope is implied.
## Timeline of Events
### Initial Access
- **Date/Time:** Throughout Q1 2025
- **Vector:** Phishing (50% of engagements), predominantly vishing (over 60% of phishing cases).
- **Details:** Threat actors initiated contact, often via phone (vishing), guiding victims to establish Microsoft Quick Assist remote access sessions, or delivering emails with malicious links to steal credentials and MFA tokens.
### Lateral Movement
- **Date/Time:** Following credential/token theft.
- **Vector:** Leveraging stolen valid accounts.
- **Details:** Actors used stolen access to pivot deeper, deploy enterprise applications (in O365 environments), clone active access tokens, and gather system information via command execution. Escalation and movement were observed subsequent to establishing persistence.
### Data Exfiltration/Impact
- **Date/Time:** Pre-ransomware deployment stage.
- **Impact:** Ultimate goal appeared to be the deployment of ransomware (BlackBasta or Cactus). Pre-ransomware activity involved disabling endpoint protections and preparing systems for encryption.
### Detection & Response
- **How it was discovered:** Through Cisco Talos Incident Response (Talos IR) engagements across various client environments.
- **Response actions taken:** In pre-ransomware scenarios, early engagement with IR teams and robust monitoring of actor TTPs successfully halted the deployment of ransomware executables, despite initial system compromise.
## Attack Methodology
- **Initial Access:** Phishing (Vishing, malicious links, malicious attachments, BEC).
- **Persistence:** Establishing persistence mechanisms; creating a scheduled task to execute malicious JavaScript upon user login; creating the `TitanPlus` registry key.
- **Privilege Escalation:** Observed following control establishment, often preceding lateral movement.
- **Defense Evasion:** Disabling endpoint protections during remote access sessions.
- **Credential Access:** Stealing credentials via phishing and stealing active access tokens/MFA session tokens.
- **Discovery:** Running commands to gather system information.
- **Lateral Movement:** Expanding foothold after initial access via valid accounts, moving through the network to prepare for payload deployment.
- **Collection:** Gathering system information.
- **Exfiltration:** Not explicitly detailed as primary objective for *this* stage, but established access was used to pivot deeper.
- **Impact:** Preparation for destruction/extortion via ransomware deployment (BlackBasta/Cactus variants).
## Impact Assessment
- **Financial:** Major costs from ransomware remediation and business disruption are implied, though not quantified in the source.
- **Data Breach:** Theft of user access tokens and credentials, leading to unauthorized access to M365 environments and potential downstream data exposure.
- **Operational:** Significant risk of operational halt due to impending ransomware deployment. Some pre-ransomware incidents were successfully stopped before this stage.
- **Reputational:** Potential damage from public disclosure of ransomware infections.
## Indicators of Compromise
*Note: Indicators are derived from the TTP summaries and tooling mentioned; the source text provides no specific IPs or URLs.*
- **Network indicators:** Command and Control (C2) communication obfuscated using character substitution targeting the `TitanPlus` registry key.
- **File indicators:** Malicious JavaScript file deployed via scheduled task. BlackBasta and Cactus ransomware executables (including an undocumented Cactus variant).
- **Behavioral indicators:** User deception via phone call leading to establishment of Microsoft Quick Assist remote sessions; cloning of active access tokens; creation of new credentials for outbound connections; use of post-exploitation tools such as PsExec, LaZagne, Impacket, Mimikatz, AdFind, Rubeus, and Tasklist (where deployed).
## Response Actions
- **Containment measures:** Not specified directly, but the interception of pre-ransomware activity implies that timely network isolation or account disabling achieved containment.
- **Eradication steps:** Not specified, but eradication would necessarily involve removing persistence mechanisms (`TitanPlus` key, scheduled tasks) and disabling compromised accounts.
- **Recovery actions:** Rebuilding systems or restoring from backups if ransomware was deployed. Validation of full scope of access theft.
## Lessons Learned
- Phishing, particularly vishing, has returned as the overwhelmingly dominant initial access vector, displacing valid account compromise as the primary entry point.
- Adversaries prioritize using compromised valid accounts for persistence and deeper network access rather than simple data/monetary theft via initial phishing.
- Robust monitoring of the TTPs associated with threat actors (e.g., the BlackBasta/Cactus campaign) allows for successful intervention *before* full ransomware execution.
- Threat actors demonstrated high agility, modifying TTPs (like switching ransomware families) in response to public reporting.
## Recommendations
- **Strong MFA Enforcement:** Implement phishing-resistant MFA solutions to prevent token/session theft following credential compromise.
- **Advanced Phishing Defense:** Enhance detection and blocking capabilities specifically targeting vishing attempts and social engineering tactics leveraging Quick Assist.
- **Implement Proactive Monitoring:** Deploy robust EDR/XDR solutions specifically monitoring for TTPs mentioned (registry key modifications, scheduled task creation, unauthorized remote session initiation, and known post-exploitation tool usage).
- **Zero Trust Principles:** Limit the scope of access granted by valid accounts immediately post-authentication to restrict lateral movement capabilities.
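The monitoring recommendation above names four observable TTPs from the campaign (Quick Assist session start, a logon-triggered scheduled task running JavaScript, the `TitanPlus` registry key, and known post-exploitation tools). The following is an added example, not code from the Talos report, of how a detection pipeline could correlate those signals per host; the event field names and all sample values are constructed and assumed, not real indicators.

```python
"""Added example: correlate the pre-ransomware TTPs from the report per host.
Event field names mirror typical Sysmon/Windows telemetry but are assumptions."""
import re

# Constructed sample telemetry (not real IoCs). Keys are assumed field names.
SAMPLE_EVENTS = [
    {"event": "process_create", "host": "ws01", "user": "jdoe",
     "image": r"C:\Windows\System32\quickassist.exe", "cmdline": "quickassist.exe"},
    {"event": "scheduled_task_create", "host": "ws01", "user": "jdoe",
     "task": r"\Updater", "trigger": "logon",
     "action": r"wscript.exe C:\Users\jdoe\AppData\Roaming\upd.js"},
    {"event": "registry_set", "host": "ws01", "user": "jdoe",
     "key": r"HKCU\Software\TitanPlus", "value": "config"},
    {"event": "process_create", "host": "srv02", "user": "svc_backup",
     "image": r"C:\Temp\PsExec.exe", "cmdline": r"PsExec.exe \\srv03 -s cmd"},
    {"event": "process_create", "host": "ws07", "user": "asmith",
     "image": r"C:\Program Files\Notepad++\notepad++.exe", "cmdline": "notepad++.exe"},
]

# Tool names from the report's behavioral indicators (plus Impacket script names).
POST_EX_TOOLS = re.compile(
    r"(psexec|lazagne|mimikatz|adfind|rubeus|impacket|secretsdump|wmiexec)", re.I)

def classify(ev):
    """Return a list of (technique, detail) findings for a single event."""
    findings = []
    if ev["event"] == "process_create":
        if "quickassist" in ev["image"].lower():
            findings.append(("remote_access_session", ev["image"]))
        if POST_EX_TOOLS.search(ev["image"] + " " + ev["cmdline"]):
            findings.append(("post_exploitation_tool", ev["image"]))
    elif ev["event"] == "scheduled_task_create":
        # Logon-triggered task that launches a script host or a .js file.
        if ev.get("trigger") == "logon" and re.search(
                r"\.js\b|wscript|cscript", ev["action"], re.I):
            findings.append(("logon_task_javascript", ev["task"]))
    elif ev["event"] == "registry_set" and "titanplus" in ev["key"].lower():
        findings.append(("titanplus_registry_key", ev["key"]))
    return findings

def hosts_at_risk(events, min_distinct=2):
    """Hosts showing at least min_distinct distinct TTPs from the campaign chain."""
    per_host = {}
    for ev in events:
        for technique, _ in classify(ev):
            per_host.setdefault(ev["host"], set()).add(technique)
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= min_distinct}

if __name__ == "__main__":
    print(hosts_at_risk(SAMPLE_EVENTS))
```

Requiring two or more distinct techniques on one host keeps a lone Quick Assist launch (a legitimate helpdesk tool) from paging an analyst, while the full chain on `ws01` is flagged.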