Report Walkthrough: Russian Ransomware C2 Network Discovered In Censys Data
Join Matt Lembright, Director of Federal Applications, as he does a deep dive into our findings.
All registrants will also receive a copy of our report that covers an overview and explanation of our findings, a link analysis diagram, and a proactive hunt playbook.
Around June 24, 2022, out of the more than 4.7 million hosts Censys observed in Russia, Censys discovered two Russian hosts running an exploitation tool, Metasploit, and a Command and Control (C2) tool, Deimos C2. Historical analysis indicated that one of these Russian hosts had also used the tool PoshC2. These tools allow penetration testers and hackers to gain access to and manage target hosts.
Censys then used details from the PoshC2 certificate to locate, among hosts elsewhere in the world including the U.S., two additional Russian hosts also using the PoshC2 certificate. Censys data showed these two Russian hosts hosting confirmed malware packages, one of which included a ransomware kit and a file that pointed to two additional Russian Bitcoin hosts.
Censys continuously scans all publicly reachable IPv4 hosts in the world. In this investigation, Censys used its own data, in the form of software enumeration, certificate details, historical evidence, HTTP body responses, and geolocation data, to identify and pivot through this network. Censys confirmed the offensive exploit, C2, and malware tools through third-party sources referenced in this report.
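The certificate pivot described above, as an added Python example that is not part of the Censys report or its tooling: it seeds on hosts running a given tool combination, then finds every other host presenting the same TLS certificate fingerprint, currently or historically, and groups the results by country. The record layout (`ip`, `country`, `software`, `cert_sha256`, `historical_cert_sha256`) and all sample values are constructed for this example and are not Censys's schema or real observations.

```python
"""Certificate-pivot hunt over host-scan records (added example, not Censys code)."""
from collections import defaultdict

# Constructed sample records; field names are an assumption for this example,
# not the schema of any real scan dataset. IPs are documentation ranges.
SAMPLE_HOSTS = [
    {"ip": "192.0.2.10", "country": "RU",
     "software": {"metasploit", "deimos-c2"},
     "cert_sha256": "cert-A", "historical_cert_sha256": {"cert-POSH"}},
    {"ip": "192.0.2.11", "country": "RU",
     "software": {"metasploit", "deimos-c2"},
     "cert_sha256": "cert-B", "historical_cert_sha256": set()},
    {"ip": "192.0.2.20", "country": "RU",
     "software": {"poshc2"},
     "cert_sha256": "cert-POSH", "historical_cert_sha256": set()},
    {"ip": "192.0.2.21", "country": "RU",
     "software": {"poshc2"},
     "cert_sha256": "cert-POSH", "historical_cert_sha256": set()},
    {"ip": "198.51.100.5", "country": "US",
     "software": {"poshc2"},
     "cert_sha256": "cert-POSH", "historical_cert_sha256": set()},
    {"ip": "203.0.113.7", "country": "RU",
     "software": {"nginx"},
     "cert_sha256": "cert-C", "historical_cert_sha256": set()},
]


def find_seed_hosts(hosts, required_software, country=None):
    """Hosts running every name in required_software, optionally in one country."""
    required = {s.lower() for s in required_software}
    return [h for h in hosts
            if required <= {s.lower() for s in h["software"]}
            and (country is None or h["country"] == country)]


def certificate_fingerprints(host):
    """Current plus historical leaf-certificate fingerprints seen on a host."""
    fps = set(host.get("historical_cert_sha256", ()))
    if host.get("cert_sha256"):
        fps.add(host["cert_sha256"])
    return fps


def pivot_on_certificate(hosts, fingerprint, exclude_ips=()):
    """All hosts that present, or once presented, the given certificate."""
    return [h for h in hosts
            if fingerprint in certificate_fingerprints(h)
            and h["ip"] not in exclude_ips]


def hunt(hosts, seed_software, country="RU"):
    """Seed on a tool combination, then pivot on every certificate the seeds used.

    Returns (seeds, related) where related maps a certificate fingerprint to
    {country: [ips]} for hosts reached only through the pivot.
    """
    seeds = find_seed_hosts(hosts, seed_software, country)
    seed_ips = {h["ip"] for h in seeds}
    related = {}
    for seed in seeds:
        for fp in certificate_fingerprints(seed):
            matches = pivot_on_certificate(hosts, fp, exclude_ips=seed_ips)
            if not matches:
                continue  # a certificate unique to the seed gives no pivot
            by_country = defaultdict(list)
            for m in matches:
                by_country[m["country"]].append(m["ip"])
            related[fp] = {c: sorted(ips) for c, ips in by_country.items()}
    return seeds, related


if __name__ == "__main__":
    seeds, related = hunt(SAMPLE_HOSTS, ["metasploit", "deimos-c2"])
    print("seed hosts:", [h["ip"] for h in seeds])
    for fp, countries in related.items():
        print(fp, countries)
```

Run against the sample data, the two seeds are the Metasploit + Deimos C2 hosts; the historical PoshC2 certificate on the first seed is the only shared fingerprint, and it surfaces two further Russian hosts plus one U.S. host, mirroring the shape of the pivot the report describes. A certificate that appears on a single host is skipped, since it offers nothing to pivot on.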
Director of Federal Applications, Censys
Matt Lembright is the Director of Federal Applications at Censys. Matt has worked in cybersecurity for over 11 years, starting in the Army as an intelligence officer, where he helped build the Army Cyber Opposing Forces and USCYBERCOM's Cyber Mission Forces.