This intelligence report describes a sophisticated cyber intrusion linked to three prominent ransomware groups: Play, RansomHub, and DragonForce. The attack commenced with a malicious file masquerading as DeskSoft's EarthTime application, which deployed the SectopRAT malware. SectopRAT is known for its capabilities in reconnaissance and persistence. The threat actors employed a suite of tools to facilitate various stages of the attack lifecycle: SystemBC and Betruger backdoor for maintaining access and command and control; AdFind and SharpHound for network reconnaissance and enumeration; and Grixba for additional post-exploitation activities. Lateral movement was achieved using Remote Desktop Protocol (RDP) and Impacket's wmiexec utility, enabling the attackers to execute commands remotely and move across the network stealthily. For data collection and exfiltration, the attackers used legitimate tools such as WinRAR for archiving data and WinSCP for secure file transfer, which helps evade detection by blending malicious activity with normal administrative operations. The intrusion persisted for six days before the attackers were removed, demonstrating advanced persistent threat (APT) tactics and operational security. The involvement of multiple ransomware gangs indicates a possible collaboration or shared infrastructure, blurring traditional lines between distinct ransomware operations. The attack leveraged numerous MITRE ATT&CK techniques, including T1053.005 (Scheduled Task/Job: Scheduled Task), T1560.001 (Archive Collected Data: Archive via Utility), T1087.002 (Account Discovery: Domain Account), T1204.002 (User Execution: Malicious File), T1566.002 and T1566.001 (Phishing), T1036 (Masquerading), T1136.001 (Create Account: Local Account), T1090 (Proxy), T1072 (Software Deployment Tools), T1059.001 (Command and Scripting Interpreter: PowerShell), T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder), T1048 (Exfiltration Over Alternative Protocol), T1562.001 (Impair Defenses: Disable or Modify Tools), T1027 (Obfuscated Files or Information), T1570 (Lateral Tool Transfer), T1046 (Network Service Scanning), T1021.001 (Remote Services: Remote Desktop Protocol), T1003.006 (OS Credential Dumping: Security Account Manager), and T1078.003 (Valid Accounts: Local Accounts). This complex attack chain underscores the high level of coordination and technical expertise involved, posing significant challenges for detection and response.

For European organizations, this threat poses substantial risks to confidentiality, integrity, and availability of critical systems and data. The use of legitimate administrative tools for lateral movement and data exfiltration complicates detection, increasing the likelihood of prolonged undetected presence within networks. Data exfiltration can lead to exposure of sensitive personal data, intellectual property, and strategic business information, potentially resulting in regulatory penalties under GDPR and reputational damage. The collaboration among multiple ransomware gangs suggests a higher probability of follow-up ransomware deployment, which could disrupt business operations, cause financial losses, and impact supply chains. Given the advanced persistent nature of the intrusion, recovery efforts may be prolonged and costly. The threat actors’ ability to create local accounts and disable defenses further exacerbates the risk by enabling sustained access and evasion of security controls. European sectors with critical infrastructure, finance, healthcare, and manufacturing are particularly vulnerable due to their reliance on interconnected systems and the value of their data to ransomware operators.

European organizations should implement a multi-layered defense strategy tailored to the tactics observed in this intrusion. Specific recommendations include: 1) Enforce strict application whitelisting and verify digital signatures to prevent execution of masqueraded files like the fake EarthTime application. 2) Harden RDP access by disabling it where unnecessary, enforcing multi-factor authentication (MFA), and restricting access via VPN or jump hosts with strict logging. 3) Monitor and restrict the use of administrative tools such as Impacket utilities, PowerShell, WinRAR, and WinSCP, employing application control and behavioral analytics to detect anomalous usage. 4) Deploy advanced endpoint detection and response (EDR) solutions capable of identifying lateral movement techniques and credential dumping activities. 5) Conduct regular network segmentation to limit lateral movement opportunities and isolate critical assets. 6) Implement continuous monitoring for creation of new local accounts and changes to autostart registry keys. 7) Establish robust data loss prevention (DLP) controls to detect and block unauthorized data archiving and exfiltration attempts. 8) Conduct frequent threat hunting exercises focusing on indicators of compromise related to SectopRAT, SystemBC, Betruger, and Grixba malware. 9) Maintain up-to-date incident response plans that include procedures for rapid eviction of persistent threat actors. 10) Educate users on phishing risks and enforce strict email filtering to reduce initial infection vectors. These targeted measures go beyond generic advice by addressing the specific tools and techniques employed in this multi-gang intrusion.