Weekly Intelligence Report – 04 Aug 2023

Published On : 2023-08-04
Share :
Weekly Intelligence Report – 04 Aug 2023

Ransomware of the Week

Ransomware of the Week
CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization.

Type: Ransomware.
Target Technologies: Linux OS, VMware ESXi servers.
Target Geographies: Canada, Sweden, Switzerland, United Kingdom, United States of America.
Target Industries: Chemicals, Delivery Services, Food & Beverage, Health Care Providers, Heavy Construction, Industrial Engineering, Industrial goods and services, Oil & Gas, Retail, and Software.

CYFIRMA Research and Advisory Team has found ransomware known as Abyss Locker while monitoring various underground forums as part of our Threat Discovery Process.

Relevancy: From the onset of its operation, the ransomware has targeted various industries, recent victims include:

  • Food & Beverage industry in Canada
  • Industrial Engineering industry in the United Kingdom

Abyss Locker:
Abyss Locker, a ransomware operation that emerged in March 2023, has significantly increased its activity in recent days, targeting companies with more sophisticated attacks. Abyss Locker is the latest ransomware operation to develop a Linux encryptor specifically targeting VMware’s ESXi virtual machines platform.

The ransomware operators will breach corporate networks, steal data for double extortion, and encrypt devices on the network.

The ransomware has 17 known victims at the beginning of August 2023.

As can be observed from the commands below, the ‘esxcli’ command-line VMware ESXi management tool is utilized by the encryptor to first list all available virtual machines and then proceed to terminate them:

  • esxcli vm process list
  • esxcli vm process kill -t=soft -w=%d
  • esxcli vm process kill -t=hard -w=%d
  • esxcli vm process kill -t=force -w=%d

During the shutdown process, Abyss Locker employs the ‘vm process kill’ command with one of the available options: soft, hard, or forced.

The soft option facilitates a graceful shutdown, while the hard option terminates the virtual machine immediately. In cases where necessary, the force option is used as a last resort.

By terminating all virtual machines, the encryptor ensures that associated virtual disks, snapshots, and metadata can be encrypted effectively. Specifically, files with the extensions .vmdk (virtual disks), .vmsd (metadata), and .vmsn (snapshots) are encrypted for this purpose.
The ransomware encrypts all other files on the device, adding the .crypt extension to their filenames.

Screenshot of files encrypted by Abyss ransomware. (Source: Surface Web)

For each file, the encryptor generates a corresponding file with a .README_TO_RESTORE extension, serving as the ransom note. The ransom note provides details about the file’s situation and includes a unique link to the threat actor’s Tor negotiation site. The negotiation site is minimalistic, featuring a chat panel that allows communication with the ransomware gang for potential negotiations.

Abyss Locker Ransomware Note (source: Surface Web)

Researchers believe that the Abyss Locker Linux encryptor is derived from the Hello Kitty ransomware. It employs ChaCha encryption instead, signifying potential modifications and enhancements to the original codebase.

HelloKitty generally uses a combination of AES-256 and RSA-2048 or even NTRU+AES- 128.

Countries targeted by Abyss Locker ransomware.


  • Ransomware gangs are leveraging the growing adoption of virtualization in enterprises, with VMware ESXi being a popular platform. As a result, they have developed Linux encryptors specifically targeting virtual servers, causing a significant threat to businesses relying on virtualized environments.
  • The higher number of victims in the United States indicates that it is likely the primary target for the Abyss ransomware, suggesting a significant focus on targeting entities within the USA.
  • Below is the chart representing the top 5 targeted industries from this ransomware.
  • The ransomware employs ChaCha encryption, indicating the use of a strong encryption algorithm to secure the files it encrypts. ChaCha encryption is known for its efficiency and security, making it challenging for victims to decrypt their files without the ransomware’s decryption key.

Following are the TTPs based on MITRE Attack Framework.

Sr. No Tactics Techniques/Sub-Techniques
1 TA0002: Execution T1059: Command and Scripting
2 TA0005: Defense
T1036: Masquerading
3 TA0007: Discovery T1082: System Information Discovery
T1083: File and Directory Discovery
4 TA0009: Collection T1005: Data from Local System
5 TA0040: Impact T1486: Data Encrypted for Impact
T1490: Inhibit System Recovery


  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.


  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.


  • Update all applications/software regularly with the latest versions and security patches alike.

Trending Malware of the Week

Type: Downloader
Objective: Malware Implant
Threat Actor: TA544 Target
Geography: Italy
Active Malware of the Week
This week “WikiLoader” is trending.

Researchers discovered a new malware called WikiLoader, which is an advanced downloader designed to install a second malware payload. It employs sophisticated evasion techniques and custom-coded implementations to make detection and analysis challenging. It is believed that WikiLoader was created with the intention of being rented out to specific cybercriminal threat actors. As multiple threat actors have been observed using WikiLoader, researchers predict that it will likely be adopted by other threat actors, particularly those operating as initial access brokers (IABs).

Attack Method
WikiLoader uses packed downloaders, a common technique employed by threat actors to avoid detection and analysis. This technique makes the delivered executable smaller as it only serves to download the actual payload instead of embedding it in the file. It grants threat actors control over payload delivery, allowing them to implement IP filtering or limit downloads to a specific timeframe (first 24 hours of the campaign). The technical analysis of WikiLoader revealed a multi-stage execution chain, including the following stages:

  • First Stage: Packed Loader
  • Second Stage: Shellcode
  • Third Stage: Shellcode (part of the Packed Loader)
  • Fourth Stage: Shellcode (part of the Packed Loader)
  • Fifth Stage: Encoded PE

These stages demonstrate the progression from the initial loader to the final payload of WikiLoader.

First Stage: Packed Loader
The first stage of WikiLoader is highly obfuscated, with call instructions replaced by push/jmp instructions to simulate a return without using the return instruction explicitly. This obfuscation poses challenges for analysis tools like IDA Pro and Ghidra. Additionally, WikiLoader employs indirect syscalls to evade endpoint detection and response (EDR) solutions and sandbox hooks.

In its initial stage, WikiLoader finds the address of NtCreateThreadEx, which allows it to create a thread pointing to GetModuleFileNameA. During this process, the malware ensures no trampolines or hooks have been placed within the NT function. These are techniques commonly used by sandboxes and EDR systems to intercept function calls. By checking the initial bytes of a given function, this behavior can be detected. Once the thread is created, WikiLoader starts it in a suspended state and hides it from debuggers using a flag. The malware further modifies the instruction pointer (RIP) using a combination of NtGetContextThread and NtSetContextThread, directing it to the decrypted shellcode.

With the modified RIP, the malware resumes the thread with NtResumeThread, initiating the next stage of the attack.

Second Stage: Shellcode
In the second stage of WikiLoader, its main objective is to decrypt the next stage of shellcode. Stage 3 is encrypted using a single-byte XOR key and is appended to the end of the stage 2 shellcode. Stage 2 locates the reference to the beginning of stage 3, decrypts it using the XOR key, and then transfers execution to stage 3. The start of the next stage of the shellcode is positioned at the end of the last function in stage 2.

Third Stage: Shellcode (part of the Packed Loader)
The third stage of WikiLoader is the primary stage where most of the loader’s functionality is implemented. It uses a decoding technique for strings, skipping over every even character to decode specific strings. The loader makes an HTTPS request to Wikipedia.com and verifies that the response contains the string “The Free.” This tactic likely serves as an evasion technique to avoid triggering automated analysis environments, ensuring the device is connected to the internet and not in a simulated environment that blocks external connections.

The loader then deliberately sends a request to an unregistered domain, and if a valid response is received, the malware terminates. This is done to evade certain automated analysis environments that return valid responses to all DNS queries by default, encouraging malware execution to continue. Organizations with DNS logs or EDR systems can identify infected systems by looking for DNS lookups related to the unique domains used by WikiLoader.

The loader checks the GetTickCount64 value, and based on whether it’s less than 125 or more, it makes requests to different hardcoded URLs. The reason for this switch based on the tick count is unclear. Later versions of the loader iterate over a set of URLs until a valid response is received. The response page contains a comment with the string “gmail” followed by base64 encoded text. The loader uses “gmail” as an anchor to retrieve the base64 text, decodes it, replaces any “+” characters with “/”, and appends the resulting string to a hardcoded Discord URL. This base64 text serves as the file path to retrieve the next stage hosted on Discord’s CDN.It is important to note that although the threat actors utilize Discord resources, this does not indicate that Discord itself has been compromised. Instead, the actors uploaded the sample to any Discord chat and copied the link to the attachment.

Fourth Stage: Shellcode (part of the Packed Loader)
In the next stage of WikiLoader, the shellcode downloaded and executed from Discord follows a similar process as the previous stage. It checks for kernel32.dll and GetProcAddress, uses string decoding, and relies on GetTickCount64 to choose the next hardcoded URL string. The URLs in this stage are the same as the previous one, except they contain “id=2” instead of “id=1”. The loader follows the same process of locating the “gmail” string, using it as an anchor to decode and modify characters in the URI to determine the location of the next file hosted on Discord. However, this time, the retrieved file is XOR encoded with a hardcoded, single byte. After decoding the file, it is executed.

Fifth Stage: Encoded PE
The fifth stage of WikiLoader downloads a PE file containing 16 encoded bytes. To create a valid PE file, the loader drops every other byte of the first 16 bytes. The final payload in this stage is the Ursnif banking trojan with GroupID “5050”.
WikiLoader Malware Evolution

Researchers have identified multiple versions of the malware, indicating ongoing development and updates. The following is a timeline with the relevant differences and updates observed in each version.

First version | 27 December 2022:

  • No string encoding within the shellcode layers
  • Structures used for indirect syscalls were simpler.
  • Shellcode layers didn’t contain as much obfuscation.
  • Fewer APIs were used within the shellcode layer.
  • Potentially one less stage of shellcode
  • The fake domain was manually created rather than via automation.

Second version | 8 February 2023

  • Added complexity to the syscall structure.
  • Implemented more busy loops
  • Began using encoded strings.
  • Started deleting artifacts from file download.

Third version | 11 July 2023

  • Strings still encoded via skip encoding.
  • New technique for implementing indirect syscalls
  • The second filename is pulled via the MQTT protocol rather than reaching the compromised webhosts.
  • Cookies are exfiltrated from the loader which contain basic host information.
  • Full execution of the loader takes almost an hour given the abundance of busy loops.
  • Shellcode stages are written byte by byte via NtWriteVirtualMemory rather than a single pass.


  • WikiLoader is a sophisticated and constantly evolving malware threat observed by researchers. It functions as a downloader for subsequent malware payloads and employs multi-stage execution with obfuscation and encryption to avoid detection. The malware is actively developed, and its authors make regular changes to remain undetected and evade security measures.
  • So far, researchers have only observed WikiLoader deliver Ursnif as a second-stage payload. However, given its use by multiple threat actors, it is possible more crime actors, especially those operating as IABs, will use WikiLoader in the future as a mechanism to deliver additional malware payloads.
  • Since December 2022, researchers have found eight campaigns distributing WikiLoader through emails containing Microsoft Excel, Microsoft OneNote, or PDF attachments. WikiLoader has been observed being distributed by two threat actors, TA544 and TA551, both of which targeted Italy. Despite many cybercriminal threat actors moving away from using macro enabled documents for malware delivery, TA544 has persisted in using them, including delivering WikiLoader.

Indicators of Compromise
Kindly refer to the IOCs Section to exercise controls on your security systems.


  • Deploy an Extended Detection and Response (XDR) solution as part of the organization’s layered security strategy that provides detection/prevention for malware and malicious activities that do not rely on signature-based detection methods.
  • Block exploit-like behaviour. Monitor endpoints memory to find behavioural patterns that are typically exploited, including unusual process handle requests. These patterns are features of most exploits, whether known or new. This will be able to provide effective protection against zero-day/critical exploits and more, by identifying such patterns.
  • Assess and deploy alternatives for an advanced endpoint protection solution that provides detection/prevention for malware and malicious activities that do not rely on signature-based detection methods.


  • Strengthen boundary defence such as network segmentation and have a strong access management capability in line with the Principle of Least Privilege (POLP) that can assist in mitigating cyberattacks.
  • Implement real-time website monitoring to analyse network traffic going in and out of the website to detect malicious behaviours.
  • Develop, maintain, and use approved supplier lists for the products and services.
  • Security Awareness training should be mandated for all company employees. The training should ensure that employees:
    • Avoid downloading and executing files from unverified sources. For example, be wary of Word and Excel documents sent from an unknown source or acquired from the Internet that prompts you to ‘Enable Macros’.
    • Always inspect the full URL before downloading files to ensure it matches the source (e.g., Microsoft Team should come from a Microsoft domain).
  • Inspect file extensions. Do not trust the filetype logo alone. An executable file can be disguised as a PDF or office document.


  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  • Place all websites behind web application firewall.
  • Enable Network traffic/security monitoring, security incident detection, notification, and alerting by leveraging SIEM solutions.

Weekly Intelligence Trends/Advisory

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implants, Ransomware Attacks, Vulnerabilities & Exploits, DDoS, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gain. Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware –8Base Ransomware | Malware – WikiLoader
  • 8Base Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – WikiLoader
  • Behavior –Most of this malware uses phishing and social engineering techniques as its initial attack vector. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

Lancefly APT Noticed Operating Cyber Espionage Campaigns with Merdoor Backdoor

  • Threat Actors: Lancefly
  • Attack Type: Vulnerability Exploitation and Phishing emails
  • Objective: Espionage
  • Target Technology: Windows
  • Target Geographies: Unknown
  • Target Industries: Government, Telecommunication, Aviation
  • Business Impact: Operational Disruption


  • In a recent observation, researchers observed APT Lancefly using advanced malware. The APT Lancefly has been active since 2018 and known for its espionage activity. The threat actor employed ZXShell rootkit and Merdoor backdoor in its recent campaign. The improved ZXShell rootkit is smaller and uses sophisticated detection evasion tactics. Both the Merdoor loader and the rootkit share an installation and update application, indicating a single codebase for Lancefly’s products. While Lancefly shows tangential connections to Chinese APT organizations APT17 and APT41, using the ZXShell rootkit, the readily accessible rootkit source code weakens this link.
  • The Merdoor backdoor infection involves establishing a connection to the command and control (C2) server and injecting the backdoor into legitimate processes like perfhost.exe or svchost.exe. This allows attackers to execute commands, extract data from LSASS memory, and steal user passwords. Lancefly actors also use Black loader and Prcloader, associated with the PlugX RAT, in their campaigns.
  • Detecting Merdoor activity requires monitoring for suspicious behaviours, such as unusual network traffic connecting to known malicious IP addresses or domains, associated with the C2 server. Additionally, watching for the injection of the backdoor into legitimate processes, detecting keylogging functionality, and identifying the use of tools related to Merdoor, like Black loader and Prcloader, can help in detection.

Lancefly’s custom malware, named Merdoor, is a robust backdoor that seems to have been in operation since 2018. Researchers have detected its usage in various instances throughout 2020, 2021, and even in the recent campaign that persisted into the first quarter of 2023. It employs a dropper technique to inject itself into legitimate processes. Notably, the dropper has been observed abusing older versions of legitimate applications from well-known companies such as McAfee, Sophos, Google, Avast, and Norton for DLL sideloading.

Indicators of Compromise
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

Major Geopolitical Developments in Cybersecurity

Russian hackers targeting foreign diplomats
Researchers are tracking a cyberespionage campaign against diplomatic services that Russia’s foreign intelligence known as SVR ran between February and June of this year. According to the researchers, the targeting reflected Russia’s continuing interest in European governments, especially their diplomats. The attack starts with spearphishing, as is typical, with the baits imitating the ambassador’s itinerary like invitations to an embassy function or ads for used cars of a particular preference. The message then redirects to a compromised domain from which the hackers deploy malware that gives them access to their target’s network.

Cyberattacks in support of influence operations hit Kenya
Anonymous Sudan (a front for Russian intelligence services on which Cyfirma will issue a standalone report this Friday) has claimed responsibility for a cyberattack against Kenya’s eCitizen portal. The government in Nairobi acknowledged the attack, which temporarily disabled the service but said that no data had been lost. As is traditional with the group, it has used large-scale distributed denial-of-service (DDoS) attacks and claimed disproportionate impact, while pushing pro-Russian narratives at the same time. The claimed rationale Anonymous Sudan offered for the campaign was supposed to hide the more likely reason, which was a diplomatic snub of Kenya’s President William Ruto towards Russia, when the leader of Kenya declined to attend the Russo-African summit and gave as his reason the impropriety of appearing to support one side in Russia’s war on Ukraine, which has a crushing impact on the price of imported grain, which is a major concern in many African nations.

Rise in Malware/Ransomware and Phishing

Exbon Development, Inc is Impacted by 8Base Ransomware

  • Attack Type: Ransomware
  • Target Industry: Construction
  • Target Geography: The United States of America
  • Ransomware: 8Base Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in the dark forum that a company from the United States of America, (www[.]exbon[.]com), was compromised by 8Base Ransomware. Exbon Development, Inc. provides construction services. The Company offers general contracting services for highway and street construction. The compromised data comprises Receipts, Designs, Internal documents, Personal documents, Accounting documents, SSNs, Driver’s licenses, Various certificates, Forms containing personal information, a vast collection of personal files, Passports, and other sensitive information.

The following screenshot was observed published on the dark web:

Source: Dark Web


  • The 8Base group’s identity, methods, and motivations largely remain a mystery. However, based on its leak site and public accounts, along with the group’s communications, researchers think the group’s verbal style is quite similar to that of RansomHouse; a group that typically purchases already compromised data or works with data leak sites to extort victims. This has led to speculation that 8Base may be an offshoot of RansomHouse.
  • 8Base uses a variety of ransomware strains, including a variant known as Phobos. The group has customized Phobos by appending ‘.8base’ to their encrypted files, but the format of the entire appended portion remains the same as Phobos, which includes an ID section, an email address, and then the file extension. This suggests that 8Base is leveraging Ransomware-as-a-Service (RaaS) offerings, a common practice among ransomware groups.

Vulnerabilities and Exploits Vulnerability in Splunk SOAR

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Server applications / IDS/IPS systems, Firewalls, and proxy servers
  • Vulnerability: CVE-2023-3997 (CVSS Base Score 8.6)
  • Vulnerability Type: OS Command Injection

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation.

A remote unauthenticated attacker can send a maliciously crafted web request containing special ANSI characters and inject arbitrary entries into the log file, which can lead to remote OS command execution when the log file is viewed via the terminal.

Affected Products: https[:]//advisory[.]splunk[.]com/advisories/SVD-2023-0702

Latest Cyber-Attacks, Incidents, and Breaches

The biggest oil refinery in Israel experiences website downtime due to a DDoS attack

  • Threat Actors: Cyber Avengers aka CyberAv3ngers
  • Objective: Operational Disruption
  • Target Technology: DDoS
  • Target Geographies: Israel
  • Target Industries: Energy
  • Business Impact: Operational Disruption

The cyber systems of BAZAN Group, the largest oil refinery operator in Israel, have been compromised, and as a result, the company’s website is currently inaccessible from many parts of the world. BAZAN Group’s websites, bazan.co.il and eng.bazan.co.il, are experiencing issues with incoming traffic, resulting in HTTP 502 errors or complete refusals by the company’s servers. The threat actors have claimed responsibility for the hack. The oil refinery’s website has been made inaccessible to most visitors from around the world. However, it is accessible from within Israel, possibly after the imposition of a geo-block by BAZAN in an attempt to thwart an ongoing cyber-attack. Over the weekend, the Iranian hacktivist group known as ‘Cyber Avengers,’ also referred to as ‘CyberAv3ngers,’ asserted that they successfully infiltrated BAZAN’s network in a Telegram channel. Furthermore, the group released what seemed to be screenshots of BAZAN’s SCADA systems, which are software applications employed for monitoring and managing industrial control systems. A representative from BAZAN has refuted the authenticity of the leaked materials, stating that they are “completely fabricated.” The hackers disclosed their method of breaching the company, stating that they exploited a vulnerability in a Check Point firewall. The IP address associated with the firewall device is confirmed to be assigned to Oil Refineries Ltd. The Check Point representative clarified that there have been no previous vulnerabilities that could have facilitated such an attack.

The threat actor conveyed a message on Telegram, stating, “We have caused significant disruptions since 2020, but be prepared for even more severe actions in the future.” Apart from the website breach, CyberAvengers have taken credit for the 2021 fires at petrochemical plants in Haifa Bay, which were caused by a pipeline malfunction. They have also claimed responsibility for targeting industrial servers, resulting in attacks on 28 Israeli railway stations in 2020.

Data Leaks

Masterdiskon’s Data Advertised in Leak Site

  • Attack Type: Data Leaks
  • Target Industry: Hospitality and Tourism
  • Target Geography: Indonesia
  • Target Technology: SQL Database
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

CYFIRMA Research team observed a potential data leak related to Masterdiskon, {www[.]masterdiskon[.]com}. Masterdiskon is a company that has been in the tour and travel sector since 2019 in Jakarta, which provides you with various travel and adventure needs. It provides easy access to a wide selection of flight, train, bus, and hotel bookings on just one platform. The leaked data consists of various sensitive details, including user IDs, user codes, titles, first and last names, usernames, email addresses, password hashes with salt, referral codes, birthdates, genders, nationalities, unique national identifiers, province IDs, province names, city IDs, city names, addresses, postal codes, and other confidential information. The data is in SQL format and has a total size of 1.7 GB.

Source: Underground forums

There are constantly vigilant cybercriminals driven by financial motives, who actively seek out exposed and vulnerable systems and applications. Most of these attackers operate in clandestine online communities, engaging in discussions and trading stolen digital assets. Unlike ransomware or extortion groups that often publicize their attacks, these attackers prefer to work discreetly. They exploit unpatched systems or vulnerabilities in applications to gain unauthorized access and pilfer valuable data. The stolen information is subsequently advertised, sold, and repurposed by other attackers for their own malicious purposes.

Other Observations

CYFIRMA Research team observed a potential data leak related to Qraved, {www[.]qraved[.]com}. Qraved is a one-stop dining solution. The Jakarta-based online company is a vast dining aggregation platform that facilitates unforgettable dining experiences. The data made available to the public consists of a customer database that includes unique identifiers, first names, last names, dates of birth, email addresses, phone numbers, password hashes (md5), relevance scores, and other confidential information.

Source: Underground forums


  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.


  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised, and, are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.


  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and rapid execution of security checklists.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.
This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.