analyzed the activities of six Iranian hacker groups behind waves of ransomware attacks that have been occurring every six to eight weeks since September 2020. Russia is often viewed as the home of the biggest cybercriminal ransomware threats, but state-sponsored attackers from North Korea and Iran have also shown growing interest in ransomware.
Iranian hacking groups use ransomware either to collect money or to disrupt their targets, according to Microsoft. They are “patient and persistent” in pursuing their goals, although they also use aggressive brute-force attacks, according to Microsoft.
The most consistent of the six Iranian threat groups is one that Microsoft calls Phosphorus (APT35). Microsoft has played cat and mouse with this group for the past two years. The group was originally known for cyber espionage. It is now believed to smuggle ransomware into its targets’ networks and to use BitLocker drive encryption to encrypt its victims’ files.
According to Microsoft, Phosphorus recently targeted unpatched Exchange servers and Fortinet’s FortiOS SSL VPN to install ransomware. “After the original server was compromised (via a vulnerable VPN or Exchange Server), the attackers switched to another system on the victim’s network to gain access to higher-value resources,” wrote the Microsoft Threat Intelligence Center (MSTIC) in a blog post. “From there, they used a script to encrypt the drives on multiple systems. The victims were instructed to contact a specific Telegram site to pay for the decryption key.”
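Because the technique described above turns a legitimate Windows feature (BitLocker) against its owner, one check a defender can run on a host is to compare the key protectors actually attached to each encrypted volume with the protector types the organization deploys. The following PowerShell audit is an added example, not code from the article, from Microsoft, or from MSTIC; it assumes the built-in BitLocker module (`Get-BitLockerVolume`), local administrator rights, and an organizational policy (the `$ExpectedProtectorTypes` default is an assumption) under which every volume carries an escrowed RecoveryPassword protector and no plain Password protector.

```powershell
# Added example (not from the article): audit BitLocker key protectors on a Windows host.
# Assumes the built-in BitLocker PowerShell module and administrator rights.
# A volume whose encryption was switched on by an intruder rather than by IT policy
# typically has a key protector type the organization never deploys (e.g. a plain
# Password) and no RecoveryPassword that the organization has escrowed.
Import-Module BitLocker -ErrorAction Stop

function Get-SuspiciousBitLockerVolumes {
    [CmdletBinding()]
    param(
        # Protector types the organization expects on its own volumes (assumed policy).
        [string[]]$ExpectedProtectorTypes = @('Tpm', 'TpmPin', 'RecoveryPassword')
    )

    foreach ($vol in Get-BitLockerVolume) {
        # Collect the protector types present on this volume as plain strings.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # Any protector type outside policy is a finding on its own.
        $unexpected = @($types | Where-Object { $ExpectedProtectorTypes -notcontains $_ })

        # Encryption without an escrowable recovery password is the other red flag.
        $noRecovery = -not ($types -contains 'RecoveryPassword')

        # Only volumes that are encrypted, or currently being encrypted, matter here;
        # a fully decrypted volume cannot be holding files hostage.
        if ($vol.VolumeStatus -ne 'FullyDecrypted' -and ($unexpected.Count -gt 0 -or $noRecovery)) {
            [pscustomobject]@{
                MountPoint              = $vol.MountPoint
                VolumeStatus            = $vol.VolumeStatus
                ProtectionStatus        = $vol.ProtectionStatus
                EncryptionPercentage    = $vol.EncryptionPercentage
                KeyProtectorTypes       = ($types -join ',')
                UnexpectedProtectors    = ($unexpected -join ',')
                MissingRecoveryPassword = $noRecovery
            }
        }
    }
}

# Usage: run in an elevated session; an empty result means every encrypted volume
# matches the expected protector policy on this host.
Get-SuspiciousBitLockerVolumes | Format-Table -AutoSize
```

The check is deliberately local and read-only: it does not alter any protector, so it is safe to schedule across a fleet (for example through a configuration-management job) and forward the results to a SIEM, where a volume that suddenly reports `EncryptionInProgress` with a `Password` protector and no `RecoveryPassword` is the kind of event that warrants an immediate look.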