Ransomware attackers exploit year-old backup vulnerability


Security intelligence firm Group-IB reports that attackers from a recently created ransomware group, EstateRansomware, exploited a year-old vulnerability (CVE-2023-27532) in backup software from Veeam as part of a complex attack chain.

Anatomy of an attack

EstateRansomware exploited a dormant account in Fortinet FortiGate firewall SSL VPN appliances to gain initial access.

After access was achieved, the group deployed a persistent backdoor, conducted network discovery, and harvested credentials.

Exploitation attempts against CVE-2023-27532 in Veeam Backup & Replication were followed by activation of a shell and the creation of rogue user accounts, Group-IB reports. CVE-2023-27532, patched by Veeam in March 2023, lets an unauthenticated attacker who can reach the backup service on the network obtain encrypted credentials stored in its configuration database, which is why a reachable, unpatched backup server is such a valuable foothold. The rogue accounts facilitated lateral movement.
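Two of the early-stage signals in the chain above, a long-dormant VPN account suddenly logging in and a new account appearing on a backup server, are cheap to check for in authentication and Windows Security logs. The following Python is an added example written for this page, not Group-IB's, Veeam's or Fortinet's tooling; the flat log format, the host and account names, the source IPs and the 90-day dormancy threshold are all constructed assumptions.

```python
"""Added example: two detections for the early EstateRansomware stages.

Assumptions (not from the report): a flat text log with one event per line,
    "<ISO timestamp> <host> <event> <user> <detail>"
where event is "vpn_login" (an SSL VPN tunnel-up) or "4720" (Windows
Security event 4720, "A user account was created").  Host, user and IP
values below are constructed for the example.
"""
from datetime import datetime

DORMANT_DAYS = 90                 # assumption: unused this long == dormant
BACKUP_HOSTS = {"VEEAM-BKP01"}    # assumption: hostnames of backup servers

# Constructed sample log, not real telemetry.
LOG = """\
2024-01-10T08:02:11 FGT-EDGE vpn_login jsmith 203.0.113.5
2024-01-12T07:55:40 FGT-EDGE vpn_login acc1 203.0.113.9
2024-02-15T08:10:03 FGT-EDGE vpn_login jsmith 203.0.113.5
2024-03-20T08:04:27 FGT-EDGE vpn_login jsmith 203.0.113.5
2024-04-20T18:31:09 FGT-EDGE vpn_login acc1 198.51.100.77
2024-04-20T19:02:00 VEEAM-BKP01 4720 bkpadmin subject=svc_veeam
2024-04-21T09:15:44 WS-HR07 4720 newhire subject=hr_admin
"""


def parse_log(text):
    """Parse the constructed format into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event, user, detail = line.split(maxsplit=4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event": event, "user": user, "detail": detail})
    return events


def dormant_account_logins(events, dormant_days=DORMANT_DAYS):
    """Flag VPN logins by accounts whose previous login was >= dormant_days ago.

    Returns (user, login_time, gap_in_days). A first-ever login has no
    baseline in the log and is not flagged; pair this rule with the
    directory's lastLogon data to catch accounts that were never used.
    """
    last_seen = {}
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "vpn_login":
            continue
        prev = last_seen.get(ev["user"])
        if prev is not None:
            gap = (ev["ts"] - prev).days
            if gap >= dormant_days:
                hits.append((ev["user"], ev["ts"].isoformat(), gap))
        last_seen[ev["user"]] = ev["ts"]
    return hits


def rogue_account_creations(events, backup_hosts=BACKUP_HOSTS):
    """Flag event 4720 (account created) on any backup server.

    Returns (host, created_user, time, detail). Account creation on a
    backup server is rare enough in most estates to alert on directly.
    """
    return [(ev["host"], ev["user"], ev["ts"].isoformat(), ev["detail"])
            for ev in sorted(events, key=lambda e: e["ts"])
            if ev["event"] == "4720" and ev["host"] in backup_hosts]


if __name__ == "__main__":
    evs = parse_log(LOG)
    for hit in dormant_account_logins(evs):
        print("dormant account login:", hit)
    for hit in rogue_account_creations(evs):
        print("account created on backup host:", hit)
```

On the constructed sample the first rule flags only acc1 (99 days between logins) and the second flags only the account created on VEEAM-BKP01; the new-hire account created on a workstation is ignored. The gap-based rule deliberately has no opinion about an account's first appearance, so it should be run alongside a periodic review of accounts with no recent lastLogon, which is the cheaper fix for the dormant-account problem in the first place.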

The attackers made extensive use of NetScan, AdFind, and various NirSoft tools to conduct network discovery, enumeration, and credential harvesting.

EstateRansomware ultimately deployed its ransomware payload after disabling Windows Defender.

A variant of the LockBit 3.0 ransomware was used to encrypt files and clear logs.

LockBit 3.0 shares similarities with other ransomware variants like BlackMatter and Alphv (also known as BlackCat), suggesting possible connections or inspirations between these groups.

EstateRansomware

The EstateRansomware group first surfaced in April 2024 and is active in attacks in UAE, France, Hong Kong, Malaysia, and the US, according to Group-IB.

The group is one of several currently active ransomware groups, many of which take advantage of affiliates to carry out attacks as part of a ransomware-as-a-service business model.

“The EstateRansomware group demonstrates a methodical and well-resourced approach to ransomware attacks, especially the amount of pre-exploitation activity involved,” Fearghal Hughes, cyber threat intelligence analyst at ReliaQuest told CSOonline. “This showcases the need for a comprehensive and proactive cybersecurity strategy.”

EstateRansomware's methodology relies in large part on exploiting unpatched network security vulnerabilities.

Martin Greenfield, CEO of continuous controls monitoring firm Quod Orbis, commented, “EstateRansomware is likely to target those organisations that are simply not getting the basics right, like patching, back-ups or ensuring access control is tightened.”

He added, “Not doing the basics correctly is the exact reason why so many breaches occur. Organisations must ensure that there are regular and secure backups, your controls should be applied consistently and your whole architecture should be built for failure to make your environment resilient.”

Action plan

ReliaQuest provided a five-point action plan to deal with EstateRansomware and similar threats:

  • Prioritize timely patching of known vulnerabilities, especially those disclosed in widely used software.
  • Adopt a zero-trust approach to network security.
  • Deploy multi-factor authentication for all remote access points and critical systems.
  • Implement network segmentation to limit the spread of ransomware.
  • Ensure that backup systems are secure, regularly tested, and segmented from the main network.


