December 8, 2022

Volume XII, Number 342


December 08, 2022

Subscribe to Latest Legal News and Analysis

December 07, 2022

Subscribe to Latest Legal News and Analysis

December 06, 2022

Subscribe to Latest Legal News and Analysis

Relic Project: A New Threat Group or Rebranded Ransomware?

A ransom note, UNLOCK_FILES.793DF82AFCB81B75.txt, appeared on computers throughout a company and when triaging what happened, encrypted files were observed. The ransom note (shown below) gave specific instructions as to what was happening, details on how to resolve the problem and a link where to contact them.

A typical ransomware response was initiated, and forensic analysis was completed. An unpatched FortiGate appliance, which controlled Remote Desktop Protocol (RDP) access for users, was found to be the likely entry point into the environment. 

This vulnerability allows any user to connect without having to authenticate, allowing access and granting administrator privileges. This access was leveraged and a user account was created that had a similar name to that of a legitimate administrator account. PSEXESVC was executed which let users execute processes on remote systems without the need to have any kind of client software present on the remote computers. The threat actors used RDP to find the domain controller which became the hub of their activity. 

Cobalt Strike was executed which has the ability to create connections (using Cobalt Strike servers) to compromise networks and create persistent channels between the target and the attackers. In this instance "Cobalt Strike” was renamed “rsmvc.dll” which was run from the domain controller. Also, “klink.exe” was executed on the domain controller which is a free telnet/ssh client for Windows. Connections to most systems in the environment was done via RDP.

The threat actor was in the environment for five days before an attempt to launch the ransomware payload. File 793DF82AFCB81B75.64.exe was executed but only ran for 30 seconds before terminating. The threat actor downloaded an .exe to .msi program and ran 793DF82AFCB81B75.64.msi but it also terminated after 30 seconds. The threat actor created a batch file named “start.bat” which appeared to copy “793DF82AFCB81B75.64” to every server. Also, a batch file named “rmd.bat” was run. This allowed the threat actor to update the configuration for the endpoint software.

Scheduled tasks were created to automate the ransomware deployment but that too was unsuccessful. As the ransom note and encrypted files were discovered, the threat actor was blocked. Some files were encrypted but a large majority were not.

Key Takeaways

  1. It is believed that there was no C2 beaconing due to the direct connection via telnet and RDP.

  2. There was no forensic evidence that indicated what data was exfiltrated from the environment.

  3. Unpacking and analyzing the malware did not reveal anything with a unique signature.

  4. The ransomware appeared to be generic, possibly an edited version of a previous variant.

  5. Initial negotiations with this group indicated they may be new due to not having an active “shame” site and trouble with them configuring their direct chat channel.

After a few weeks, they had their “shame” active and had posted victim data. All victim data that was posted appeared to be from current victims. There was no historical data as is observed with other sites.

793DF82AFCB81B75.64.exe (MD5 1f61c4e1e363f44094432045b2251497)

793DF82AFCB81B75.64.msi (MD5 19d7382e3e9069b1fc6e9629f2ccf0b4)

Jeffrey Wappelhorst also contributed to this article.

Copyright © 2022 Ankura Consulting Group, LLC. All rights reserved.National Law Review, Volume XII, Number 327

About this Author

Christopher Todd Doss Senior Managing Director Ankura
Senior Managing Director

Christopher “Todd” Doss is a Senior Managing Director at Ankura with more than 35 years of experience in law enforcement. Todd is a senior executive with proven ability to lead global security, criminal, counterterrorism, counterintelligence, cyber, and intelligence operations in high-risk, complex environments. He links results-oriented solutions to critical incidents worldwide by partnering and collaborating and building global teams to effectively address complex and politically challenging investigations. He also develops and presents strategies for effective...

Brent Riley Managing Director Ankura
Managing Director

Brent Riley is a Managing Director at Ankura and is based in New York. Brent specializes in cybersecurity, incident response, digital forensics, and expert witness testimony. He has 12 years of law enforcement and over eight years of digital forensics and cybercrime investigatory experience.


Brent’s professional experience includes:

  • Brent currently investigates cybersecurity related incidents and conducts digital forensics as part of the cybersecurity and incident response...