We Incident Responders from CERT Orange CyberDefense often face the same proven TTPs over and over by threat actors. Similar initial entry, privilege escalation, lateral movements, exfiltration, etc. techniques are seen in the numerous forensics cases we handled per year. Known ransomware gangs in particular follow scripted playbooks, as training documents from the Conti leaks and abundant public incident response reports already showed.
So when a victim came to us for help last November, our analysts expected to run into “Yet Another Ransomware” case. But it turned out way more interesting than initially thought. We’ll walk you into this case, that surprised in some ways even our most experienced analysts and reversers.