Security Articles

Malspam Campaign Drops IcedID and Leads to REvil Ransomware

released on 2021-03-29 @ 04:53:39 PM
In March, The DFIR Report observed an intrusion that started with malicious spam dropping IcedID (Bokbot) into the environment, which subsequently allowed access to a group distributing Sodinokibi ransomware. During the intrusion, the threat actors escalated privileges to Domain Administrator, exfiltrated data, and used Sodinokibi to ransom all domain-joined systems.