Home Science & Technology Ransomware companies linked to Iranian government hackers DEV-0270

Ransomware companies linked to Iranian government hackers DEV-0270


Security researchers have linked several ransomware companies to DEV–0270 (also known as Nemesis Kitten).

A menacing actor widely considered a subset of Iranian actors PHOSPHORUSconducts various malicious network operations on behalf of the Iranian government, according to a new Microsoft filing.

However, judging by the threat actor’s geographic and sectoral focus (which often lacks strategic importance for the regime), Microsoft also suggested that some DEV-0270 attacks could be a form of part-time work for personal or company-specific income.

From a technical perspective, the tech giant said that DEV-0270 uses exploits, especially for recently discovered high-severity vulnerabilities, to gain access to devices.

“DEV–0270 also makes extensive use of out-of-country binaries (LOLBins) throughout the attack chain to detect and access credentials. This extends to abuse of built-in BitLocker a tool to encrypt files on compromised devices,” Microsoft’s advisory explains.

A threat actor typically gains initial access with administrative or system-level privileges by injecting its web shell into a privileged process on a vulnerable web server. Then he uses ImpactWMIExec to switch to other systems on the network laterally and add or create a new user account to maintain security.

DEV-0270 has also been observed to use several defensive evasion techniques to avoid detection, including disabling Microsoft Defender Antivirus.

In some cases where encryption was successful, Microsoft said the time to ransom (TTR) between initial access and the ransom notification was reportedly around two days.

“The group has been observed demanding US$8,000 for decryption keys,” the company wrote. “Furthermore, it has been observed that the actor is looking for other ways to generate income through his activities.”

For example, in one attack observed by Microsoft, the victim organization refused to pay the ransom, so the actor put the data stolen from the organization up for sale in a SQL database dump.

“We hope that this analysis, which Microsoft uses to protect customers from related attacks, will further expose and disrupt the expansion of DEV–0270’s operations,” the tech giant wrote.

A full list of DEV–0270 tactics and techniques, as well as some steps to mitigate the threat, are available in the original Microsoft text advisory.

The blog post comes days after Iranian threat actor MuddyWater was spotted exploiting Log4j 2 vulnerabilities in SysAid applications to target organizations in Israel.

Previous articleRenewable energy projects win $16.6 million in awards to provide New York with stored energy
Next articleArcBest’s update shows signs of moderation; Saia EPS estimates cut