Microsoft has detailed the activities of six Iranian hacker groups that are behind waves of ransomware attacks that have arrived every six to eight weeks since September 2020.
Russia is often seen as the home of the biggest cyber-criminal ransomware threats, but state-sponsored attackers from North Korea and Iran have also shown a growing interest in ransomware.
Microsoft said Iranian hacking groups are using ransomware to either collect funds or disrupt their targets, and are “patient and persistent” while engaging with their targets – although they will use aggressive brute-force attacks.
SEE: A winning strategy for cybersecurity (ZDNet special report)
The most consistent of the six Iranian threat groups is one Microsoft tracks as Phosphorus (others call it APT35). Microsoft has been playing cat and mouse with the group for the past two years. While initially known for cyber espionage, Microsoft details the group’s strategies for deploying ransomware on targeted networks, often using Microsoft’s Windows disk-encryption tool BitLocker to encrypt victim files.
Other cybersecurity firms last year detected a rise in ransomware from Iranian state-backed hackers using known Microsoft Exchange vulnerabilities to install persistent web shells on email servers and Thanos ransomware.
According to Microsoft, Phosphorus was