www.malwarebytes.com Open in urlscan Pro
2600:9000:223c:da00:16:26c7:ff80:93a1  Public Scan

Form analysis
2 forms found in the DOM

GET

<form id="search-form" onsubmit="submitSearchBlog(event)" method="get">
  <div class="searchbar-wrap-rightrail">
    <label for="cta-labs-rightrail-search-submit-en" aria-label="cta-labs-rightrail-search-submit-en" aria-labelledby="cta-labs-rightrail-search-submit-en">
      <input type="text" id="st-search-input-rightrail" class="st-search-input-rightrail" placeholder="Search Labs">
    </label>
    <button type="submit" id="cta-labs-rightrail-search-submit-en" aria-label="Submit your search query">
      <svg class="svg-icon svg-stroke-mwb-blue svg-search">
        <use href="/images/component-project/templates/blog/blog-svg.svg#svg-search"></use>
      </svg>
    </button>
  </div>
</form>

/newsletter/

<form class="newsletter-form form-inline" action="/newsletter/">
  <div class="email-input">
    <label for="cta-footer-newsletter-input-email-en" aria-label="cta-footer-newsletter-input-email-en" aria-labelledby="cta-footer-newsletter-input-email-en">
      <input type="text" class="email-input-field" id="cta-footer-newsletter-input-email-en" name="email" placeholder="Email Address">
    </label>
    <input name="source" type="hidden" value="">
    <input type="submit" class="submit-bttn" id="cta-footer-newsletter-subscribe-email-en" value="">
  </div>
</form>

Text Content

       
Personal
Personal
 * Security & Antivirus
 * Free Antivirus >
 * Malwarebytes Premium for Windows >
 * Malwarebytes Premium for Mac >
 * Malwarebytes for Chromebook >
 * Malwarebytes Premium for Android >
 * Malwarebytes Premium for iOS >
 * Malwarebytes Premium for Teams >
 * Malwarebytes Premium + Privacy VPN >
 * AdwCleaner for Windows >
 *  
   Online Privacy
 * Malwarebytes Privacy VPN >
 * Malwarebytes Browser Guard >

 * How can we help?

 * Have a current computer infection?
   
   CLEAN YOUR DEVICE NOW 

 *  

 * Try out Malwarebytes Premium, with a full-featured trial
   
   DOWNLOAD NOW  

 *  

 * Find the right solution for you
   
   SEE PERSONAL PRICING 

 *  

 * Activate, upgrade and manage your subscription in MyAccount
   
   SIGN IN TO YOUR ACCOUNT 

 *  

 * Get answers to frequently asked questions and troubleshooting tips
   
   VISIT OUR SUPPORT PAGE 


Business
Business
 * Solutions
 * BY COMPANY SIZE
 * Small Businesses
 *  1-99 Employees 
 * Mid-size Businesses
 *  100-999 Employees
 * Large Enterprise
 *  1000+ Employees
 * BY INDUSTRY
 * Education
 * Finance
 * Healthcare
 * Government

 * Products
 * CLOUD-BASED SECURITY MANAGEMENT
 * Endpoint Protection
 * Endpoint Protection for Servers
 * Endpoint Detection & Response
 * Endpoint Detection & Response for Servers
 * Incident Response
 * Nebula Platform Architecture
 * Mobile Security
 * CLOUD-BASED SECURITY MODULES
 * DNS Filtering
 * Vulnerability & Patch Management
 * Remediation Connector Solution
 * Application Block
 * SECURITY SERVICES
 * Managed Detection and Response 
 * Cloud Storage Scanning Service 
 * Malware Removal Service
 * NEXT-GEN ANTIVIRUS FOR SMALL BUSINESS
 * For Teams

 * Get Started
 *  * Find the right solution for your business
    * See business pricing
   
   --------------------------------------------------------------------------------
   
    * Don't know where to start?
    * Help me choose a product
   
   --------------------------------------------------------------------------------
   
    * See what Malwarebytes can do for you
    * Get a free trial
   
   --------------------------------------------------------------------------------
   
    * Our sales team is ready to help. Call us now
    * +49 (800) 723-4800

Pricing
Partners
Partners
 * Explore Partnerships

 * Partner Solutions
 * Resellers
 * Managed Service Providers
 * Computer Repair
 * Technology Partners
 * Affiliate Partners
 * Contact Us

 * Partner Success Story
 * Marek Drummond
   Managing Director at Optimus Systems
   
   "Thanks to the Malwarebytes MSP program, we have this high-quality product in
   our stack. It’s a great addition, and I have confidence that customers’
   systems are protected."

 * See full story

Resources
Resources
 * Learn About Cybersecurity
 * Antivirus
 * Malware
 * Ransomware
 * Malwarebytes Labs – Blog
 * Glossary
 * Threat Center

 * Business Resources
 * Reviews
 * Analyst Reports
 * Case Studies
 * Press & News

 * Reports
 * 
   
   
   
   The State of Malware 2023 Report
   

 * See Report

Support
Support
 * Technical Support
 * Personal Support
 * Business Support
 * Premium Services
 * Forums
 * Vulnerability Disclosure
 * Report a False Positive

 *  Product Videos
 * 

 * Featured Content
 * 
   
   
   
   Activate Malwarebytes Privacy on Windows device.

 * See Content

FREE DOWNLOAD
CONTACT US
CONTACT US
 * Personal Support
 * Business Support
 * Talk to Sales
 * Contact Press
 * Partner Programs
 * Submit Vulnerability

COMPANY
COMPANY
 * About Malwarebytes
 * Careers
 * News & Press

SIGN IN
SIGN IN
 * MyAccount: manage your personal/Teams subscription >
 * Cloud Console: manage your cloud business products >
 * Partner Portal: management for Resellers and MSPs >

SUBSCRIBE


Business


UNDERSTANDING RANSOMWARE REINFECTION: AN MDR CASE STUDY

Posted: June 27, 2023 by Bill Cozens

Ransomware is like that stubborn cold that you thought you kicked, but creeps
back up determined to run amok again.

Ransomware is like that stubborn cold that you thought you kicked, but creeps
back up determined to run amok again. The question is what medicine is available
to kick this nasty infection for good.

In this post, we'll break down the idea of ransomware reinfection and share a
real-life episode where Malwarebytes Managed Detection and Response (MDR)
mitigated a resilient ransomware reinfection from the Royal ransomware gang.


WHAT IS RANSOMWARE REINFECTION?

Imagine this scenario: You've recently battled a vicious ransomware attack,
finally restoring your systems to their normal functionality. You breathe a sigh
of relief, secure in the knowledge that your data is safe and operations are
running smoothly.

Alas, it's not the end of the story.

The ransomware attack you just countered was actually just the final act of a
long-drawn series of malicious activities. In other words, many ransomware
attacks aren't the start of the problem; they're often the result of an
unresolved network compromise.

The true culprit is how the threat actor is gaining access to begin with. Once
inside, they steal login credentials, deploy malware, or establish a backdoor—a
secret gateway into the network that can be exploited later. This is like them
leaving a hidden door unlocked for future visits.

Even after successfully mitigating the immediate ransomware attack, these hidden
doors may remain unnoticed, enabling the attackers to infiltrate your network
stealthily once more. This is the essence of ransomware reinfection.

Having clarified the terminology, let's delve into a real-world instance of a
ransomware reinfection in action.


INITIAL RANSOMWARE ATTACK – NOVEMBER 23, 2022

Prior to their engagement with Malwarebytes, our customer experienced a
ransomware attack on their AWS environment. They chose not to pay the ransom.

The subsequent countermeasure involved a complete system rebuild from backup to
recover their operations.


ONBOARDING WITH MALWAREBYTES MDR AND DETECTION OF REINFECTION – DECEMBER 9, 2022

In response to the initial compromise, the customer onboarded with our Managed
Detection and Response (MDR) service and Endpoint Detection and Response (EDR)
product. Immediately after installing the EDR on the endpoint, detections for
additional ransomware were identified.

Our MDR analyst spotted file detections linked to the previous ransomware
attack, attempted outbound communications to a known malicious site (a Cobalt
Strike C2 server), and remote inbound RDP connection attempts. The MDR analyst
promptly contacted the customer, recommending to block the C2 server and the
source of the RDP connections, which the customer promptly implemented.


NEW THREAT EMERGES – DECEMBER 11, 2022

Only two days later, a new set of remote host RDP connection attempts were
detected. Again, the MDR team advised the customer to block the connection
source to prevent further infiltration.


CRITICAL INCIDENT AND RESPONSE – DECEMBER 13, 2022

A new wave of local host file detections indicated a return of the previously
encountered ransomware. An unencountered persistent mechanism was also
identified, suggesting that the threat was not completely eliminated. As part of
our response, we raised a critical incident to the customer, carried out an
extensive threat hunt, and identified two compromised domain admin accounts, a
domain controller (DC), and an SQL server.

A Potentially Unwanted Modification (PUM) detection of a disabled Windows system
restore setting.

The customers’ C:Program Files directory showed peculiar files like
'desktop.ici.royal.w', 'PackageManagement', 'README.TXT', and 'Uninstall
Information'.



This new detection, "Ransomware.Royal", suggests that the attackers were either
still present in the network or had gained access again.

Our MDR team promptly reached out to the customer's Security team and initiated
a strategic consultation via a Zoom call. Detailed insights were shared on the
Indicators of Compromise (IoCs) encountered, and we advised the customer to
change the passwords of the affected domain admin accounts.

In response, the customer implemented an enterprise-wide password change and
blocked the newly identified C2 server. Additionally, the decision was made to
rebuild the compromised DC.


LESSONS FROM THE INCIDENT

This episode underscores the relentless threat of ransomware reinfection in
today's threat landscape, as well as the critical role that 24x7x365 diligence
of trained cybersecurity experts, swift responses, and collaborative
efforts play in cyber defense.

Without having a similar level of expertise in-house, the reality is that many
organizations will see reinfections that could lead to catastrophic results.

In this case, our customer had assumed full recovery from the initial ransomware
attack, and if not for the MDR service, they may never had realized that the
attack was still ongoing. Fortunately, the collaborative efforts of Malwarebytes
MDR, EDR, and the customer successfully mitigated the threat and safeguarded the
customer’s digital space.

For more information of our EDR and MDR products and services, please visit
https://try.malwarebytes.com/mdr-consultation-new/

Read more:

 * HOW TO CHOOSE AN MDR VENDOR: 6 QUESTIONS TO ASK

 * Is an outsourced SOC worth it? Looking at the ROI of MDR

 * 3 WAYS MDR CAN DRIVE BUSINESS GROWTH FOR MSPS

 * Cyber threat hunting for SMBs: How MDR can help



SHARE THIS ARTICLE

--------------------------------------------------------------------------------

COMMENTS



--------------------------------------------------------------------------------

RELATED ARTICLES

Business


COMPANY FINDS LOST SSD—AND CONFIDENTIAL DATA—FOR SALE ON EBAY

June 27, 2023 - Major software company SAP is putting the pieces of a story
involving missing SSD disks back together.

CONTINUE READING 0 Comments

News | Personal | Privacy


SOFTWARE COMPANY ACCUSED OF ILLEGALLY PROFILING MILLIONS OF MOBILE PHONE USERS

June 27, 2023 - A digital rights and privacy organization has filed a complaint
against software company TeleSign for gathering and selling information on
millions of mobile phone users.

CONTINUE READING 0 Comments

News


81% CONCERNED ABOUT CHATGPT SECURITY AND SAFETY RISKS, MALWAREBYTES SURVEY SHOWS

June 27, 2023 - ChatGPT may have already hit its public perception wall,
according to a Malwarebytes survey that showed high levels of distrust and
concern in the tool's trustworthiness and safety.

CONTINUE READING 0 Comments

News


SUPREMEBOT AND MARIO CROSS THE FINISH LINE TOGETHER

June 27, 2023 - Download your games from trusted sources or you may get more
than you bargained for...

CONTINUE READING 0 Comments

News | Personal


9 BASIC SECURITY TIPS FOR SENIORS

June 26, 2023 - Help the people around you that are less computer literate with
some basic security tips and settings.

CONTINUE READING 0 Comments

--------------------------------------------------------------------------------

ABOUT THE AUTHOR

Bill Cozens
Content Writer

Bill Cozens is content writer for the Malwarebytes business blog, where he
writes about industry challenges and how best to address them.


Contributors


Threat Center


Podcast


Glossary


Scams


Write for Labs

Cyberprotection for every one.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our
newsletter and learn how to protect your computer from threats.



Cyberprotection for every one.

FOR PERSONAL

Windows Antivirus

Mac Antivirus

iPhone Antivirus

Android Antivirus

Free Antivirus

VPN App (All Devices)

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle
12th Floor
Santa Clara, CA 95054

ADDRESS

One Albert Quay
2nd Floor
Cork T12 X8N6
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus


What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor
Cork T12 X8N6
Ireland

   English
Legal
Privacy
Accessibility
Vulnerability Disclosure
Terms of Service


© 2023 All Rights Reserved

Select your language

 * English
 * Deutsch
 * Español
 * Français
 * Italiano
 * Português (Portugal)
 * Português (Brasil)
 * Nederlands
 * Polski
 * Pусский
 * 日本語
 * Svenska

New Buy Online Partner Icon Warning Icon Edge icon

This site uses cookies in order to enhance site navigation, analyze site usage
and marketing efforts. Please see our privacy policy for more information.
Privacy Policy

Cookies Settings Decline All Accept All Cookies



PRIVACY PREFERENCE CENTER

When you visit any website, it may store or retrieve information on your
browser, mostly in the form of cookies. This information might be about you,
your preferences or your device and is mostly used to make the site work as you
expect it to. The information does not usually directly identify you, but it can
give you a more personalized web experience. Because we respect your right to
privacy, you can choose not to allow some types of cookies. Click on the
different category headings to find out more and change our default settings.
However, blocking some types of cookies may impact your experience of the site
and the services we are able to offer.
Privacy Policy
Allow All


MANAGE CONSENT PREFERENCES

STRICTLY NECESSARY

Always Active

These cookies are necessary for the website to function and cannot be switched
off in our systems. They are usually only set in response to actions made by you
which amount to a request for services, such as setting your privacy
preferences, logging in or filling in forms.    You can set your browser to
block or alert you about these cookies, but some parts of the site will not then
work. These cookies do not store any personally identifiable information.

Cookies Details‎

PERFORMANCE AND FUNCTIONALITY

Performance and Functionality

These cookies enable the website to provide enhanced functionality and
personalisation. They may be set by us or by third party providers whose
services we have added to our pages.    If you do not allow these cookies then
some or all of these services may not function properly.

Cookies Details‎

SOCIAL MEDIA

Social Media

These cookies are set by a range of social media services that we have added to
the site to enable you to share our content with your friends and networks. They
are capable of tracking your browser across other sites and building up a
profile of your interests. This may impact the content and messages you see on
other websites you visit.    If you do not allow these cookies you may not be
able to use or see these sharing tools.

Cookies Details‎

ANALYTICS

Analytics

These cookies allow us to count visits and traffic sources so we can measure and
improve the performance of our site. They help us to know which pages are the
most and least popular and see how visitors move around the site.    All
information these cookies collect is aggregated and therefore anonymous. If you
do not allow these cookies we will not know when you have visited our site, and
will not be able to monitor its performance.

Cookies Details‎

ADVERTISING

Advertising

These cookies may be set through our site by our advertising partners. They may
be used by those companies to build a profile of your interests and show you
relevant adverts on other sites.    They do not store directly personal
information, but are based on uniquely identifying your browser and internet
device. If you do not allow these cookies, you will experience less targeted
advertising.

Cookies Details‎
Back Button


BACK



Search Icon
Filter Icon

Clear
checkbox label label
Apply Cancel
Consent Leg.Interest
checkbox label label
checkbox label label
checkbox label label

 * 
   
   View Cookies
   
    * Name
      cookie name

Decline All Confirm My Choices