In this article we examine the ransomware used in the recent Kaseya attack.
"We will see what happens when a machine is infected by this ransomware by looking at some of the visible Indicators of Compromise, such as a modified wallpaper, several '<random string>-readme.txt' files in different folders, and changes in filenames with <random string> extensions. We will also discuss in more detail how DLL side-loading was implemented, along with other malware tricks that the ransomware used.
Fortunately, FortiEDR detects and blocks the DLL side-loading event when the ransomware executes a legitimate application, such as MsMpEng.exe, while it loads the malicious payload, mpsvc.dll. As a result, customers will not see all of the related IOCs because the malware is prevented from running..."
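The two behaviours the excerpt names, a legitimate MsMpEng.exe loading a malicious mpsvc.dll and the '<random string>-readme.txt' notes beside renamed files, can be checked for with a small amount of detection logic. The following is an added example, not code from the original article or from FortiEDR. It assumes the legitimate Defender engine lives under the two directories listed in TRUSTED_DEFENDER_DIRS, that the random string in the readme name is the same one used as the file extension (the excerpt does not state this explicitly), and uses constructed image-load events and a constructed directory tree as input.

```python
"""Added example: detection helpers for the IoCs described in the excerpt.

1. DLL side-loading: flag image-load events where MsMpEng.exe loads mpsvc.dll
   from outside the Defender install directories (assumed locations below).
2. File-system IoCs: find '<random>-readme.txt' notes and files whose extension
   equals that random string (an assumption for this example).
All events and files below are constructed sample data.
"""
import ntpath
import os
import re
import tempfile
from dataclasses import dataclass

# Assumed legitimate locations of the Defender engine; adjust to your estate.
TRUSTED_DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)


@dataclass
class ImageLoadEvent:
    process_image: str  # full path of the process that loaded the module
    module_path: str    # full path of the DLL that was loaded


def is_sideload(ev: ImageLoadEvent) -> bool:
    """True when MsMpEng.exe loads mpsvc.dll from a non-Defender directory."""
    proc = ntpath.basename(ev.process_image).lower()
    mod_name = ntpath.basename(ev.module_path).lower()
    if proc != "msmpeng.exe" or mod_name != "mpsvc.dll":
        return False
    mod_dir = ntpath.dirname(ev.module_path).lower()
    trusted = any(mod_dir == t or mod_dir.startswith(t + "\\")
                  for t in TRUSTED_DEFENDER_DIRS)
    return not trusted


def find_sideload_events(events):
    return [ev for ev in events if is_sideload(ev)]


# Constructed sample events: a normal Defender load, a side-load from a copied
# MsMpEng.exe in a temp directory, and an unrelated load.
SAMPLE_EVENTS = [
    ImageLoadEvent(r"C:\Program Files\Windows Defender\MsMpEng.exe",
                   r"C:\Program Files\Windows Defender\mpsvc.dll"),
    ImageLoadEvent(r"C:\Users\victim\AppData\Local\Temp\MsMpEng.exe",
                   r"C:\Users\victim\AppData\Local\Temp\mpsvc.dll"),
    ImageLoadEvent(r"C:\Windows\System32\svchost.exe",
                   r"C:\Windows\System32\ntdll.dll"),
]

README_RE = re.compile(r"^([0-9a-z]+)-readme\.txt$", re.IGNORECASE)


def find_ransom_iocs(root: str) -> dict:
    """Collect ransom notes, the random strings they carry, and files renamed
    with one of those strings as their extension."""
    notes, prefixes = [], set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = README_RE.match(name)
            if m:
                notes.append(os.path.join(dirpath, name))
                prefixes.add(m.group(1).lower())
    renamed = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lstrip(".").lower()
            if ext in prefixes:
                renamed.append(os.path.join(dirpath, name))
    return {"notes": sorted(notes), "prefixes": prefixes,
            "renamed": sorted(renamed)}


def build_sample_tree(root: str) -> None:
    """Constructed directory layout resembling a post-encryption folder."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("a1b2c3-readme.txt", "budget.xlsx.a1b2c3",
                 "notes.txt.a1b2c3", "untouched.txt"):
        with open(os.path.join(docs, name), "w") as fh:
            fh.write("constructed sample\n")


def demo() -> dict:
    """Run the file-system check against the constructed tree."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_ransom_iocs(root)


if __name__ == "__main__":
    for ev in find_sideload_events(SAMPLE_EVENTS):
        print("side-load suspect:", ev.process_image, "->", ev.module_path)
    result = demo()
    print("ransom notes:", len(result["notes"]),
          "renamed files:", len(result["renamed"]), "prefixes:", result["prefixes"])
```

The side-load check keys on the directory of the loaded DLL rather than on the process name alone, because the process name is exactly what the technique relies on looking legitimate; in a real deployment the image-load events would come from an EDR or Sysmon event 7 feed rather than the constructed list.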