Phishing remained the top initial access method in Q2 2025, while ransomware incidents see the emergence of new Qilin tactics.
Analysis Summary
# Incident Report: Ransomware Attacks Leveraging Compromised Credentials and Novel TTPs
## Executive Summary
This reporting period saw phishing remain the dominant initial access vector, frequently utilizing compromised trusted partner email accounts for credential harvesting, often as a precursor to ransomware deployment. Half of all engagements involved ransomware or pre-ransomware activity, including a first-time response to Qilin ransomware, which displayed novel exfiltration techniques. Response focused on immediate containment, eradication of ransomware elements, and rebuilding affected systems, highlighting the need to monitor credential brokering trends and rapidly evolving ransomware tactics.
## Incident Details
- **Discovery Date:** Not specified (Report covers activities over a quarter)
- **Incident Date:** Not specified (Report covers activities over a quarter)
- **Affected Organization:** Multiple organizations (General industry review)
- **Sector:** Various (Based on IR engagements)
- **Geography:** Not specified
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing throughout the quarter
- **Vector:** Phishing (33% of engagements), leveraging compromised internal or trusted business partner email accounts (75% of phishing engagements).
- **Details:** Malicious emails directed victims to fake O365 login pages to steal credentials and MFA session tokens.
### Lateral Movement
- **Date/Time:** Post-initial access (Specific Qilin example)
- **Vector:** Commercial Remote Monitoring and Management (RMM) solutions, including TeamViewer, VNC, AnyDesk, Chrome Remote Desktop, Distant Desktop, QuickAssist, and ToDesk.
- **Details:** Used RMM tools for staging data and moving across the network after initial access via stolen credentials.
### Data Exfiltration/Impact
- **Date/Time:** Pre-encryption
- **Vector:** Qilin actors used CyberDuck (file transfer tool) hosted on Backblaze infrastructure—a previously unreported exfiltration method for this group.
- **Details:** Ransomware (Qilin, Medusa, Chaos) and pre-ransomware incidents comprised 50% of engagements. Qilin utilized a suspected custom-compiled encryptor.
### Detection & Response
- **Date/Time:** Post-compromise
- **Vector:** Incident Response engagement by Cisco Talos IR.
- **Details:** Response to Qilin identified new TTPs. The prevalence of ransomware led to widespread infections requiring system rebuilds.
## Attack Methodology
- **Initial Access:** Phishing links sent from compromised trusted accounts (T1078 Valid Accounts).
- **Persistence:** Qilin actors established an **AutoRun entry in the Software registry Hive** and a **scheduled task** to relaunch the ransomware upon system reboot or new logon (T1053 Scheduled Task/Job).
- **Privilege Escalation:** Potential use of **Process Injection** (T1055) and modification of domain or tenant policy (T1484) is suggested by the general tactics observed.
- **Defense Evasion:** Ransomware actors leveraged a **dated version of PowerShell (1.0)** in one-third of engagements, likely for evasion flexibility (T1562.001 Impair Defenses). Evidence deletion/modification (T1070) is implied for ransomware activity.
- **Credential Access:** Direct credential harvesting via convincing MFA prompts (T1558.003 implied for token theft).
- **Discovery:** Not explicitly detailed, but RMM usage implies reconnaissance/discovery occurred.
- **Lateral Movement:** RMM solutions used extensively (TeamViewer, AnyDesk, etc.). **WMI execution** (T1569) may have been used.
- **Collection:** Data staging observed prior to exfiltration.
- **Exfiltration:** Qilin actors used **CyberDuck hosted on Backblaze C2 infrastructure**.
- **Impact:** System encryption via ransomware.
## Impact Assessment
- **Financial:** Not quantifiable, but significant rebuild costs implied for widespread ransomware infections.
- **Data Breach:** Credential theft was the primary goal of most phishing attacks; proprietary data exfiltration observed in some ransomware cases (Qilin).
- **Operational:** Widespread infection requiring complete system rebuilds.
- **Reputational:** Not detailed, but typical of high-impact ransomware events.
## Indicators of Compromise
- **Network indicators (Defanged):** Backblaze-hosted C2 infrastructure (specific URLs obfuscated).
- **File indicators:** Suspected custom-compiled Qilin encryptor.
- **Behavioral indicators:** Use of PowerShell 1.0, creation of AutoRun registry entries (Software Hive), and scheduled tasks for persistence.
## Response Actions
- **Containment:** Not explicitly detailed, but implied containment of active ransomware spread (likely network segmentation and disabling RMM tool traffic).
- **Eradication:** Removal of custom encryptors, RMM agents, and persistence mechanisms (registry entries, scheduled tasks).
- **Recovery:** Widespread rebuild of infected systems.
## Lessons Learned
- **Credential brokering appears to be a highly profitable and low-suspicion avenue for cybercriminals**, leading to prioritized credential harvesting via phishing.
- **Leveraging trusted business partner accounts is highly effective** for initial access, bypassing common security controls.
- **Ransomware actors (specifically Qilin) are incorporating commercially available, legitimate tools (CyberDuck, RMMs)** and novel persistence/exfiltration methods rapidly.
- The use of **dated components like PowerShell 1.0** is a deliberate tactic to avoid modern EDR/scanning signatures.
## Recommendations
- **Enhance Phishing Mitigation:** Implement stronger controls/warnings for links originating from known third-party domains or those mimicking O365 authentication pages.
- **Restrict RMM Usage:** Audit and tightly control the use of commercial RMM tools internally, ensuring they are not exploitable for wide-scale lateral movement or staging.
- **Monitor Low-Level System Artifacts:** Improve detection capabilities to flag anomalous AutoRun registry modifications and newly created scheduled tasks, particularly those associated with execution during peak hours.
- **Threat Intelligence Focus:** Prioritize tracking new ransomware variants like Qilin for newly observed TTPs before they are widely adopted.
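As an added illustration of the artifact monitoring recommended above (example code written for this summary, not part of the original report or any Talos tooling), the following flags the two Qilin persistence patterns described earlier: a Run/RunOnce value pointing at an untrusted location, and a new scheduled task with a boot or logon trigger. The event shape, field names and sample values are constructed assumptions modelled loosely on Sysmon Event ID 13 and Security Event ID 4698.

```python
"""Flag AutoRun registry entries and scheduled tasks that relaunch a binary at
boot or logon. Events are constructed dicts modelled on Sysmon Event ID 13
(registry value set) and Security Event ID 4698 (task created); field names are assumptions."""
import re

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Locations a legitimate installer normally uses; anything else launching at logon is worth review
TRUSTED_DIRS = re.compile(r'^"?(C:\\Program Files( \(x86\))?|C:\\Windows\\System32)\\', re.I)
LOGON_OR_BOOT = re.compile(r"<(LogonTrigger|BootTrigger)\b", re.I)
COMMAND = re.compile(r"<Command>(.*?)</Command>", re.S)

def _untrusted(command: str) -> bool:
    """True when the launched executable lives outside the trusted directories."""
    return not TRUSTED_DIRS.match(command.strip())

def find_persistence(events):
    """Return one finding per suspicious boot/logon persistence artifact."""
    findings = []
    for ev in events:
        if ev["event_id"] == 13 and RUN_KEY.search(ev["target_object"]):
            # Run/RunOnce value written: 'details' holds the command executed at logon
            if _untrusted(ev["details"]):
                findings.append({"host": ev["host"], "kind": "autorun",
                                 "artifact": ev["target_object"], "command": ev["details"]})
        elif ev["event_id"] == 4698 and LOGON_OR_BOOT.search(ev["task_content"]):
            # New task with a logon/boot trigger: inspect what it executes
            m = COMMAND.search(ev["task_content"])
            if m and _untrusted(m.group(1)):
                findings.append({"host": ev["host"], "kind": "scheduled_task",
                                 "artifact": ev["task_name"], "command": m.group(1)})
    return findings

# Constructed sample events: one benign OneDrive entry, two suspicious artifacts,
# and one task with only a calendar trigger that should not be flagged.
SAMPLE_EVENTS = [
    {"event_id": 13, "host": "WS01", "details": '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background',
     "target_object": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"},
    {"event_id": 13, "host": "WS01", "details": "C:\\ProgramData\\svc\\locker.exe",
     "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\svchelper"},
    {"event_id": 4698, "host": "WS01", "task_name": "\\Update",
     "task_content": "<Task><Triggers><LogonTrigger/></Triggers><Actions><Exec>"
                     "<Command>C:\\Users\\Public\\locker.exe</Command></Exec></Actions></Task>"},
    {"event_id": 4698, "host": "WS01", "task_name": "\\Backup",
     "task_content": "<Task><Triggers><CalendarTrigger/></Triggers><Actions><Exec>"
                     '<Command>"C:\\Program Files\\Backup\\bk.exe"</Command></Exec></Actions></Task>'},
]

if __name__ == "__main__":
    for f in find_persistence(SAMPLE_EVENTS):
        print(f"{f['host']} {f['kind']}: {f['artifact']} -> {f['command']}")
```

The trusted-directory allowlist is deliberately narrow; tune it to the estate's software baseline so that the Run key and task triggers themselves, not the path alone, drive the alert.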