Ransomware 1 March 2022
Ransomware – Lifa
- Company: Lifa
- Sector: Land Surveying / Engineering
- Actor: Conti
## Description
Lifa's website and IT systems were compromised. Director Thomas Boding refused to pay the ransom. The entry point was a vulnerability missed by an external vulnerability scanner, according to a Truesec investigation.
Six related IP addresses were identified, used for cryptomining (Chimaera malware), C2 operations, and remote access (Atera RAT).
## Security Advisory
Truesec
## Indicators of Compromise (IOC)
- 150.129.234[.]203:82
- 51.222.121[.]180:82
- 103.142.218[.]18:18
- 45.32.120[.]201
- 176.113.115[.]107
- 193.27.228[.]127
## References
- Truesec — TeamTNT gang is part of FIN12/Conti syndicate
- Computerworld — Den danske million-virksomhed Lifa ramt af russisk hackerangreb
- Computerworld — Sådan kan russiske hackere være kommet ind i Lifas IT-systemer
- TV2 — Dansk firma lagt ned af russiske hackere
- Finans.dk — Det ville være en meget søgt forklaring