A RomCom Targeting Ukraine

About

RomCom is an active threat actor group that was discovered in mid-2022. Since the outbreak of the war between Russia and Ukraine, the group has been targeting Ukraine and the Western countries aiding it. It deploys a trojanized version of Devolutions Remote Desktop Manager: victims are lured to a clone of the vendor's website via phishing and encouraged to download the installer from there.

RomCom relies on carefully curated information about its victims. It makes use of typosquatting, a technique in which the actor registers a fake domain that matches the real one except for its suffix. Once the malware is installed, it systematically collects essential host and user metadata from the infected system and transfers it to its command-and-control server.
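The suffix-swap typosquatting described above can be hunted for in resolver logs. The following is an added example, not code from the original post: it scans constructed DNS log lines for names that reuse a trusted domain's label under a different suffix. The trusted domain and log entries are placeholders, not the real vendor's domains.

```python
"""Flag DNS queries for lookalike domains that reuse a trusted name under a
different suffix, the typosquatting pattern described above."""
from collections import namedtuple

# Constructed sample values (placeholders, not the real vendor domains).
TRUSTED_DOMAINS = {"vendor-rdm.com"}
SAMPLE_DNS_LOG = """\
2023-01-10T09:12:01Z 10.0.0.15 vendor-rdm.com
2023-01-10T09:12:04Z 10.0.0.15 download.vendor-rdm.net
2023-01-10T09:13:22Z 10.0.0.21 mail.corp.internal
2023-01-10T09:15:09Z 10.0.0.33 vendor-rdm.org
2023-01-10T09:16:40Z 10.0.0.33 cdn.vendor-rdm.com
"""

Finding = namedtuple("Finding", "client queried trusted")

def registrable_parts(name):
    """Split a hostname into (second-level label, suffix).
    Simplification: the last label is taken as the suffix, so multi-part
    public suffixes such as co.uk need the Public Suffix List instead."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None, None
    return labels[-2], labels[-1]

def is_suffix_variant(queried, trusted):
    """True when the queried name shares the trusted label but not its suffix."""
    q_label, q_suffix = registrable_parts(queried)
    t_label, t_suffix = registrable_parts(trusted)
    return q_label is not None and q_label == t_label and q_suffix != t_suffix

def find_suffix_variants(log_text, trusted_domains=TRUSTED_DOMAINS):
    """Scan '<timestamp> <client_ip> <queried_name>' log lines and return a
    Finding per suffix variant; the trusted domain and its subdomains pass."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than abort the scan
        _, client, queried = fields
        for trusted in trusted_domains:
            if is_suffix_variant(queried, trusted):
                findings.append(Finding(client, queried, trusted))
    return findings

if __name__ == "__main__":
    for f in find_suffix_variants(SAMPLE_DNS_LOG):
        print(f"{f.client} queried {f.queried}: suffix variant of {f.trusted}")
```

The same check works on proxy or firewall logs once the queried hostname field is extracted; pair it with an allowlist of the vendor's genuine suffixes to keep legitimate regional domains from being flagged.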

Geopolitical Motivations

Evidently, RomCom is not financially motivated but follows a geopolitical agenda. However, who is behind the group remains unclear, with no firm link to an existing nation-state. It targets sensitive information such as military secrets and military training programs.

Prevention

General methods to combat a ransomware attack are as follows:
  • Mandatory strong password policies and multi-factor authentication for all critical services.
  • Use updated or modern Identity and Access Management (IAM) tools.
  • Employ advanced endpoint security products on all endpoints.
  • Regularly update all the software and operating systems. 
  • Adopt a least-privilege approach to security, including the removal of all unnecessary access to administrative shares and other services.
  • Maintain a solid backup strategy, including offline, encrypted, and immutable backups of data.
