Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
This intelligence report details a sophisticated cyber intrusion with links to three major ransomware groups: Play, RansomHub, and DragonForce. The attack began with a malicious file impersonating DeskSoft's EarthTime application, which deployed SectopRAT malware. The threat actors used various tools for reconnaissance, lateral movement, and data exfiltration, including SystemBC, Betruger backdoor, AdFind, SharpHound, and Grixba. They leveraged RDP and Impacket's wmiexec for lateral movement, and used WinRAR and WinSCP for data collection and exfiltration. The intrusion lasted six days before the threat actors were evicted, showcasing a range of advanced persistent threat techniques and highlighting the blurred lines between different ransomware operations.
OPENCTI LABELS :
ransomware,data exfiltration,lateral movement,systembc,sectoprat,grixba,betruger,multi-group operation
AI COMMENTARY :
1. Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs
In a recent intelligence report, analysts uncovered a deeply sophisticated attack that intertwines the efforts of three notorious ransomware groups, known as Play, RansomHub, and DragonForce. This multi-group operation challenges conventional attribution models and highlights how threat actors share tools, techniques, and infrastructure to amplify their impact. The blurred lines between these gangs underscore an alarming trend in the ransomware ecosystem, where collaboration and tool reuse make it harder for defenders to predict and mitigate attacks.

2. The Initial Intrusion and SectopRAT Deployment
The operation commenced when victims received a malicious file masquerading as EarthTime, an otherwise legitimate application by DeskSoft. Once executed, this trojanized installer deployed SectopRAT, a stealthy remote access tool designed to maintain persistent control. SectopRAT’s modular architecture allowed the intruders to install additional payloads and evade detection, setting the stage for a prolonged six-day intrusion before ejection by incident responders.

3. Reconnaissance and Lateral Movement
Following SectopRAT installation, the attackers performed extensive reconnaissance using AdFind and SharpHound to map Active Directory objects and domain relationships. They then leveraged remote desktop protocol channels alongside Impacket’s wmiexec module for lateral movement, hopping between systems without triggering conventional security alerts. SystemBC provided a reliable SOCKS5 proxy, enabling covert command and control communications that bypassed network monitoring tools.

4. Advanced Backdoors and Credential Harvesting
To maintain their foothold, the threat actors deployed the Betruger backdoor on high-value targets. This custom implant allowed them to execute arbitrary commands, exfiltrate credentials, and escalate privileges at will. Meanwhile, Grixba—a lightweight .NET-based tool—was used to harvest stored credentials and tokens from memory. The combination of Betruger and Grixba ensured that even if one implant was detected, the adversaries could fall back on alternative means to preserve access.

5. Data Collection and Exfiltration Tactics
With credentials in hand, the intruders pivoted to data collection, compressing critical files using WinRAR for efficient packaging. They then staged these archives for exfiltration through WinSCP, transferring stolen data to remote servers under their control. This methodical approach to data exfiltration underscores the group’s focus on maximizing impact while minimizing detection by traditional network defenses.

6. Attribution Challenges and Multi-Group Collaboration
Traditional attribution models typically assign attacks to a single group, but this incident defies that paradigm. Forensic evidence reveals shared code fragments and overlapping infrastructure among Play, RansomHub, and DragonForce. Such co-operation illustrates a shift toward a mercenary model in ransomware operations, where affiliates and core developers collaborate across gang boundaries, each contributing specialized skills to a single campaign.

7. Lessons Learned and Defensive Recommendations
This intrusion offers several critical lessons for defenders. First, robust application whitelisting can prevent trojanized installers from executing in the first place. Second, continuous monitoring of Active Directory queries and unusual RDP or wmiexec traffic can expose lateral movement early. Third, implementing network segmentation and strict egress filtering can disrupt SystemBC-based command and control channels. Finally, comprehensive incident response playbooks must account for the possibility of multiple ransomware groups operating in concert.

8. Conclusion
The convergence of Play, RansomHub, and DragonForce in this intrusion underscores an emerging reality in the threat landscape: ransomware groups no longer operate in silos. The sharing of sophisticated tools such as SectopRAT, Betruger, and Grixba demonstrates that collaboration amplifies both the scale and the stealth of attacks. Organizations must adapt their defenses accordingly, embracing layered security controls and threat-centric visibility to stay ahead of these increasingly unified adversaries.
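The monitoring recommended above (Active Directory enumeration and unusual wmiexec activity) can be expressed as a small rule set over endpoint process-creation telemetry. The following is an added example written for this page; it is not code from the report or from any tool it names. The Sysmon-style field names and every sample event are constructed, and the wmiexec indicators it keys on (a cmd.exe child of WmiPrvSE.exe whose output is redirected to \\127.0.0.1\ADMIN$\__<timestamp>) reflect Impacket wmiexec's default execution mode, not details taken from this report.

```python
"""Toy detector for two signals named in the report's recommendations:
Impacket wmiexec-style remote shells and AdFind/SharpHound AD reconnaissance.

Added example, not part of the original report. Events are constructed,
Sysmon-style (Event ID 1) process-creation records; field names are assumed.
"""
import re
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


# wmiexec runs commands through the WMI provider host, so the shell it spawns
# has WmiPrvSE.exe as parent and (by default) redirects stdout/stderr into the
# ADMIN$ share via a loopback UNC path with a timestamp-named file.
WMIEXEC_PARENT = re.compile(r"\\wmiprvse\.exe$", re.IGNORECASE)
WMIEXEC_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(\.\d+)?", re.IGNORECASE)

# Recon tooling named in the report, matched on binary name or typical argument shapes.
RECON_IMAGES = {"adfind.exe", "sharphound.exe"}
RECON_ARGS = re.compile(r"(-f\s+objectcategory=|--collectionmethods?\b|-c\s+all\b)", re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-cased file name component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the detection labels that apply to one process-creation event."""
    labels: list[str] = []
    child = image_name(ev.image)
    if WMIEXEC_PARENT.search(ev.parent_image) and child == "cmd.exe":
        labels.append("wmiexec_child_shell")
        if WMIEXEC_REDIRECT.search(ev.command_line):
            labels.append("wmiexec_admin_share_redirect")
    if child in RECON_IMAGES or RECON_ARGS.search(ev.command_line):
        labels.append("ad_recon_tool")
    return labels


def scan(events: Iterable[ProcEvent]) -> list[tuple[str, str, list[str]]]:
    """Return (host, image, labels) for every event matching at least one rule."""
    return [(ev.host, ev.image, hits) for ev in events if (hits := classify(ev))]


# Constructed sample telemetry: two are malicious patterns, two are benign noise.
SAMPLE_EVENTS = [
    ProcEvent("FS01", "CORP\\svc_backup",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1718000000.123 2>&1"),
    ProcEvent("WS17", "CORP\\jdoe",
              r"C:\Windows\System32\cmd.exe",
              r"C:\Users\Public\AdFind.exe",
              r"adfind.exe -f objectcategory=computer -csv name operatingsystem"),
    ProcEvent("WS17", "CORP\\jdoe",
              r"C:\Windows\explorer.exe",
              r"C:\Temp\SharpHound.exe",
              r"SharpHound.exe -c All"),
    ProcEvent("WS02", "CORP\\asmith",
              r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c dir C:\Users\asmith\Documents"),
]


if __name__ == "__main__":
    for host, image, labels in scan(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {', '.join(labels)}")
```

The wmiexec rule is deliberately narrow (cmd.exe under WmiPrvSE.exe plus the loopback ADMIN$ redirect) to keep false positives from legitimate WMI-driven management low; in a real deployment the parent/child pairing alone should still be reviewed, since operators can change the redirect target.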