Analysts recently notified customers about two separate endpoints that were found to be weakly impacted by ransomware, meaning that only a small number of ransomware canary files were encrypted. In neither case was there evidence of the threat actor conducting reconnaissance beyond the impacted endpoint or attempting to move laterally to other endpoints within the infrastructure.
In one of the two cases, the threat actor’s efforts were thwarted by the security software. Based on the file names observed, the incidents appear comparable to those described in the VMware blog post of October 15, 2022, titled “LockBit 3.0 Ransomware Unlocked”.
The initial ransomware propagation began with a DOS batch file executed from the user’s desktop:
C:\Users\user\Desktop\PP.bat
This batch file in turn executed the following rundll32.exe command:
rundll32 C:\Users\user\Desktop\LB3_Rundll32_pass.dll, gdll -pass <32-character password>
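As an added example (not part of the original write-up), the following Python detection logic flags process-creation events that match the chain above: rundll32 loading a DLL from a user-profile path, a -pass argument, and a batch-file parent. The sample events are constructed to mirror the observed command lines and are not taken from the incident logs.

```python
import re

# Constructed process-creation events (not from the incident logs); the fields
# mirror what Sysmon Event ID 1 or EDR telemetry would carry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\cmd.exe /c C:\Users\user\Desktop\PP.bat",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32 C:\Users\user\Desktop\LB3_Rundll32_pass.dll, gdll -pass 0123456789abcdef0123456789abcdef"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32 C:\Users\user\Desktop\LB3_Rundll32_pass.dll, gdll"},
]

# A DLL loaded from a user-profile path (Desktop, Downloads, AppData, ...).
USER_PROFILE_DLL = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.IGNORECASE)
# LockBit 3.0 builds can require a runtime key supplied as "-pass <value>".
PASS_ARG = re.compile(r"(?:^|\s)-pass(?:\s|$)", re.IGNORECASE)


def rundll32_findings(event):
    """Return the indicators present in one rundll32 process-creation event."""
    reasons = []
    if not event["image"].lower().endswith("\\rundll32.exe"):
        return reasons
    parts = event["cmdline"].split(None, 1)
    if len(parts) < 2:
        return reasons
    # rundll32 syntax is "<dll>,<export> [args]": the DLL path ends at the first comma.
    dll = parts[1].split(",", 1)[0].strip()
    if USER_PROFILE_DLL.match(dll):
        reasons.append("dll_in_user_profile")
    if PASS_ARG.search(parts[1]):
        reasons.append("pass_argument")
    if ".bat" in event["parent"].lower():
        reasons.append("launched_by_batch")
    return reasons


def scan(events, min_indicators=2):
    """Return (index, reasons) for events carrying at least min_indicators indicators."""
    hits = []
    for i, event in enumerate(events):
        reasons = rundll32_findings(event)
        if len(reasons) >= min_indicators:
            hits.append((i, reasons))
    return hits
```

Requiring two indicators keeps legitimate rundll32 use (such as the Control Panel applet in the second sample) from alerting while still catching the observed chain.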
The ransomware’s impact on endpoint A was confined to that endpoint.
On endpoint B, however, the installed protection measures slowed the threat actor’s progress and forced repeated attempts to encrypt files on the endpoint. After log messages showed that the aforementioned DLL had been quarantined, the threat actor attempted to launch the following file numerous times before it, too, was quarantined by the security software:
C:\Users\user\Desktop\LB3.exe
Installed security software quarantined the following file prior to any apparent attempt to execute it:
C:\Users\user\Desktop\ZZZZZZZ
After this point in the logs, no further threat actor activity was detected for the remainder of the login session.