Type: Incident
Actors:
Pub. date: September 13, 2023
Initial access: Unknown
Impact: RansomOp
Observed techniques:
References:
Status: Stub
Last edited: Jun 2, 2024 8:02 AM
The threat actors gained access to the customer's Azure portal, where they obtained the Azure key required to access the storage account programmatically. The adversary encoded the keys using Base64 and inserted them into the ransomware binary with execution command lines below. The “-o” argument targets an Azure Storage account name and access key, and the same binary was executed multiple times to target 39 unique Azure Storage Accounts, resulting in successful encryption.
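A defender-side check for the key-harvesting step described above, as an added example that is not part of the original entry: it flags any caller that successfully lists access keys for many distinct storage accounts within a short window. The record fields (`caller`, `operationName`, `status`, `eventTimestamp`, `resourceId`) are an assumed, simplified shape of Azure Activity Log entries, the threshold and window are illustrative, and all sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Real Azure operation logged when storage account access keys are listed.
LIST_KEYS_OP = "Microsoft.Storage/storageAccounts/listKeys/action"
BASE = datetime.fromisoformat("2023-07-01T10:00:00+00:00")  # constructed
RID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
       "rg-demo/providers/Microsoft.Storage/storageAccounts/")  # placeholder

def make_event(caller, account, minute, op=LIST_KEYS_OP, status="Succeeded"):
    """Build one constructed record in the assumed, simplified log shape."""
    return {"caller": caller, "operationName": op, "status": status,
            "eventTimestamp": (BASE + timedelta(minutes=minute)).isoformat(),
            "resourceId": RID + account}

def flag_bulk_key_listing(events, threshold=5, window=timedelta(hours=1)):
    """Map each caller that listed keys on >= threshold distinct storage
    accounts inside one sliding window to every account it touched."""
    per_caller = defaultdict(list)
    for ev in events:
        if ev["operationName"].lower() != LIST_KEYS_OP.lower():
            continue  # not a key-listing call
        if ev["status"].lower() != "succeeded":
            continue  # denied attempts did not expose a key
        ts = datetime.fromisoformat(ev["eventTimestamp"])
        per_caller[ev["caller"]].append((ts, ev["resourceId"].lower()))
    flagged = {}
    for caller, hits in per_caller.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            if len({rid for _, rid in hits[start:end + 1]}) >= threshold:
                # Report every account, so responders can scope key rotation.
                flagged[caller] = sorted({rid for _, rid in hits})
                break
    return flagged

# Constructed sample: one identity sweeps six accounts in six minutes, another
# re-reads a single account's keys, and one event is an unrelated read.
SAMPLE_EVENTS = (
    [make_event("admin@example.com", f"stacct{i:02d}", i) for i in range(6)]
    + [make_event("ops@example.com", "stacct00", 0),
       make_event("ops@example.com", "stacct00", 30),
       make_event("ops@example.com", "stacct01", 10,
                  op="Microsoft.Storage/storageAccounts/read")]
)

if __name__ == "__main__":
    for who, accounts in flag_bulk_key_listing(SAMPLE_EVENTS).items():
        print(who, len(accounts), "storage accounts")
```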