The New Zealand Computer Emergency Response Team (CERT NZ) has released an advisory on a ransomware campaign leveraging remote access technologies. Malicious cyber actors are targeting organizations’ networks through remote access tools, such as Remote Desktop Protocol and virtual private networks, to exploit unpatched vulnerabilities and weak authentication.

After gaining access, cyber actors use various tools—including mimikatz, PsExec, Cobalt Strike, and Nefilim ransomware—for privilege escalation, lateral movement, persistence, and data exfiltration and encryption. Due to the level of access gained before deploying ransomware, the issue cannot be resolved by simply restoring data from backup.

Users and administrators to review the CERT NZ Advisory, Active Ransomware Campaign Leveraging Remote Access Technologies, for more information and mitigations as well as indicators of compromise associated with Nefilim ransomware.

For more information, please see the certnz Active ransomware campaign leveraging remote access technologies webpage.