Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware

NetmanageIT OpenCTI - opencti.netmanageit.com

Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware



SUMMARY :

A BlackCat ransomware intrusion began with a Nitrogen malware campaign impersonating Advanced IP Scanner. The attackers used Sliver and Cobalt Strike beacons for post-exploitation, leveraging Python scripts for memory loading. They performed network enumeration using various tools and moved laterally with Impacket after credential harvesting. Data exfiltration was conducted using the Restic backup tool. Eight days after initial access, the attackers modified a privileged user's password and deployed BlackCat ransomware across the domain using PsExec to execute a batch script. The intrusion lasted 156 hours over 8 days, ending with file encryption and ransom notes left on affected systems.

OPENCTI LABELS :

cobalt strike,ransomware,data exfiltration,lateral movement,blackcat,alphv,noberus,sliver,nitrogen,credential harvesting


Open in NetmanageIT OpenCTI Public Instance with below link!


Use public read only username and password on login page.

NOTE : Use Public READ only user credentials on login page banner.


Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware