{
	"id": "626d677f-ed59-4fdf-bac5-a62bdb0cd471",
	"created_at": "2026-04-06T00:10:34.681984Z",
	"updated_at": "2026-04-10T13:11:58.083779Z",
	"deleted_at": null,
	"sha1_hash": "38d35a5e43e71499039e0bf9352a678f6a053c0b",
	"title": "Response When Minutes Matter: When Good Tools Are Used for (R)Evil",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3247835,
	"plain_text": "Response When Minutes Matter: When Good Tools Are Used for\r\n(R)Evil\r\nBy Joshua Fraser\r\nArchived: 2026-04-05 22:31:28 UTC\r\nThis Falcon Complete incident response investigation recap was originally published by IT-daily.net on Apr. 13,\r\n2021. It was late on a Saturday afternoon, and the Southern Hemisphere CrowdStrike Falcon® Complete™ team\r\nwas getting ready to clock off and hand over to our Northern Hemisphere colleagues; things were seemingly quiet\r\nand under control. After a long week, we were ready to kick back and enjoy the weekend. However, within\r\nseconds, thousands and thousands of high-severity detections started to roll in for one customer, filling the queues\r\nwith a proverbial flood.\r\nAnd So It Begins\r\nWith our Northern Hemisphere colleagues clocked on, it took just one minute to realize the severity of the\r\nsituation, and together the two teams jumped into action. The detections themselves were not complicated, but it\r\nwas unusual to see them on so many unique hosts in a single victim environment. We were able to quickly\r\nleverage the CrowdStrike Falcon® UI to determine the root of the problem, as the interface clearly displayed the\r\nprocess tree related to the malicious process to illustrate what was happening.\r\nThe detection that had appeared on all managed hosts was an attempt to execute a command via PowerShell. The\r\nprocess tree showed us that a trusted IT management tool was running and had spawned cmd.exe and\r\nhttps://www.crowdstrike.com/blog/how-falcon-complete-thwarted-a-revil-ransomware-attack/\r\nPage 1 of 8\n\nsubsequently attempted to run an encoded PowerShell command. This malicious activity was successfully being\r\nprevented by the Falcon sensor.\r\nInvestigating the Threat\r\nAs the malicious activity was being blocked by the sensor, we had time to take a step back and ask two critical\r\nquestions:\r\n1. How was this legitimate service deploying the malicious code?\r\n2. 
What PowerShell code was the adversary attempting to execute on the host?\r\nIn response to the first question, Falcon Complete analysts reviewed the process tree and identified that within the\r\ncommand-line parameters for the execution of the IT management tool (which has software deployment\r\ncapabilities), we could see the domain name of the cloud management platform for the tool, and this allowed us to\r\nconfirm our suspicion that this was in fact a trusted IT management tool. It is common in these types of intrusions\r\nthat the threat actor takes control of an administrative account either through phishing or brute force techniques.\r\nHowever, these techniques generally also rely on certain weaknesses on cloud platforms (in this case, a cloud-based IT management tool), including a lack of multifactor authentication (MFA) or failure to implement IP\r\naddress restrictions. This intrusion was no exception. With the additional information gathered through our\r\nanalysis, we concluded that the admin account for the application had been compromised and was being used to\r\npush out malicious code. Falcon Complete analysts contacted the customer immediately to share the details\r\ndiscovered so far and advised them to disable the affected account and enable MFA for it before resetting the\r\npassword and re-enabling it.\r\nGetting Clarity Quickly with Falcon\r\nFalcon Complete understands the importance of responding to detections in a timely manner. To ensure that we\r\ncan stay a step ahead of the adversary in protecting the victim environment, a team of analysts coordinates across\r\na multitude of tasks to deliver a seamless managed response. In this case, one analyst was solely focused on\r\ncommunicating with the customer via the bridged phone call, providing clear and accurate information on the\r\ndetection as details emerged, as well as providing timely recommendations. 
Another analyst was working on\r\nunderstanding the malware samples identified and ensuring Falcon would block them, and others had a more general\r\nfocus of investigating the detections. Splitting the functions like this enables Falcon Complete to perform at high\r\nspeed and with high accuracy. The Falcon UI proved to be an invaluable asset in the speed of this response, as a\r\nsimple toggle in the UI enabled analysts to quickly decode the encoded PowerShell, which saved a few extra\r\nseconds for each detection handled. The toggle and its resulting decoded output can be seen in the image below:\r\nThe PowerShell code first checks which version of Windows is running on the hosts by reviewing the Processor\r\nArchitecture variable to check whether the host is 32-bit or 64-bit. This is because the payload didn't support 64-bit\r\nexecution, and therefore the script needed to use a 32-bit version of PowerShell to execute the malicious payload.\r\nThe more important component of this script is its calls to a pastebin URL — this reveals the main malicious\r\nscript that is trying to be pulled down to the host.\r\nOn reviewing the script, copied from the pastebin URL, it was identified to be an Invoke-ReflectivePEInjection\r\nfunction from the well-known PowerSploit tool. Interestingly, though, the Portable Executable (PE) file that was\r\nembedded in the script was identified as Sodinokibi/REvil ransomware. 
This malware is commonly associated\r\nwith the threat actor PINCHY SPIDER and its affiliates operating under a ransomware-as-a-service (RaaS) model.\r\nRead more about PINCHY SPIDER and other ransomware adversaries in this blog, “Double Trouble:\r\nRansomware with Data Leak Extortion, Part 1.”\r\nShifting Gears and Neutralizing the Threat\r\nAs we were communicating with the customer about this matter, thousands more detections started to come in, but\r\nthe encoded commands had changed. This ransomware actor was not going to give up on their payday — they\r\nwere working on their weekend and didn’t want to miss out. Aware that their initial malicious script execution\r\nattempts had failed, and suspecting that pastebin was blocked on the customer’s network, they shifted to hastebin.\r\nThese changes continued roughly every 30 minutes, when new tickets for detections would start to roll in.\r\nUnfortunately, remediation of this intrusion was delayed as the customer was unable to regain control of the\r\ncompromised account. We realized that the threat actor would continue to change their code until they\r\nsuccessfully deployed ransomware to those hosts. We pivoted and quickly developed a new solution to the\r\nproblem by leveraging internal tools to temporarily kill the running application until the customer could regain\r\ncontrol of that admin account. With approval from the customer, we used a Custom IOA Rule Group to prevent\r\nthe threat actor from leveraging the IT management tool to deploy their malicious code. Once the rule was set up,\r\nthe detections stopped — crisis averted.\r\nResponse Summary and Lessons Learned\r\nSpeed was a critical element to stopping this intrusion. 
The malicious activity was blocked by the Falcon sensor,\r\nand within the first 15 minutes, we had investigated, started remediation and gained a deep understanding of the\r\nevent: A remote management application was compromised by a threat actor that was trying to deploy REvil\r\nransomware. Within 25 minutes, we were able to establish a bridge call with the customer, clearly communicate\r\nthe issue, and advise that the threat originated from compromised admin accounts for remote control software.\r\nWithin 40 minutes, we observed that the threat actor had shifted techniques and made a new attempt to deploy\r\nREvil. Approximately two hours into the response, we were given approval to disable the IT management tool\r\nusing Falcon.\r\nKey lessons learned from this intrusion include:\r\n1. IT administration tools continue to be used by threat actors to achieve their actions on objectives, which in\r\nthis example included attempted ransomware deployment. The move to cloud-based services can\r\nsignificantly increase the risk of compromise, unless appropriate security controls are implemented. The\r\nFalcon Complete team sees this recurring pattern, where trusted — but improperly hardened —\r\napplications are misused by threat actors. As the example shows, once a threat actor gains control of one of\r\nthese cloud-based administration tools, they can easily deploy whatever software they desire. The below\r\npicture shows one of these cloud-based management tools — it’s user-friendly and has a button that allows\r\nthe user to easily run commands across all managed devices. MFA is essential for protecting cloud services\r\nlike this, and additional controls like IP restrictions and geolocation blocking would be ideal.\r\n2. 
Legitimate IT administration tools will often require exclusions and allowlisting from security\r\ntechnologies. For example, network connections to trusted sites will often be excluded from SSL\r\ninspection, and folder directories for execution will often be excluded or allowlisted in legacy endpoint\r\nsecurity tools. Because the Falcon platform takes a different and more holistic approach to protecting the\r\nendpoint, it does not suffer from these same weaknesses. Without the right tooling, these attacks can easily\r\nbe missed until it’s too late.\r\n3. Sophisticated and motivated adversaries will always try to circumvent security prevention capabilities —\r\nthat's why you need a dedicated and elite 24/7/365 threat hunting and managed service team to\r\ncontinuously hunt for new intrusions on security data streamed in real time into our cloud from Falcon\r\nagents. This allows us to stop the threats for you, so you can focus on what is important to your business.\r\nThe Falcon Complete service provides a unique managed security service that really is an industry leader. We\r\nmonitor and respond to all detections 24/7, usually within minutes, and we have the expert OverWatch team\r\nhunting 24/7 for undiscovered and previously unknown threats. 
If you are worried about the threat of ransomware,\r\nreach out to us and we can chat about how we can help.\r\nAdditional Resources\r\nRead more about ransomware adversaries tracked by CrowdStrike Intelligence in the new CrowdStrike\r\n2021 Global Threat Report.\r\nVisit the Falcon Complete webpage to learn more about endpoint protection delivered as a service.\r\nLearn more about the powerful, cloud-native CrowdStrike Falcon® platform by visiting the product\r\nwebpage.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ and learn how true next-gen AV performs\r\nagainst today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/how-falcon-complete-thwarted-a-revil-ransomware-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/how-falcon-complete-thwarted-a-revil-ransomware-attack/"
	],
	"report_names": [
		"how-falcon-complete-thwarted-a-revil-ransomware-attack"
	],
	"threat_actors": [
		{
			"id": "8610b0d9-a6af-4010-818f-28671efc5d5e",
			"created_at": "2023-01-06T13:46:38.897477Z",
			"updated_at": "2026-04-10T02:00:03.138459Z",
			"deleted_at": null,
			"main_name": "PINCHY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:PINCHY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c84bbd2e-003d-4c43-8a46-d777455db2c7",
			"created_at": "2022-10-25T15:50:23.701006Z",
			"updated_at": "2026-04-10T02:00:05.378962Z",
			"deleted_at": null,
			"main_name": "GOLD SOUTHFIELD",
			"aliases": [
				"GOLD SOUTHFIELD",
				"Pinchy Spider"
			],
			"source_name": "MITRE:GOLD SOUTHFIELD",
			"tools": [
				"ConnectWise",
				"REvil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9df68733-9bcd-43b1-88f1-24b110fa3d56",
			"created_at": "2022-10-25T16:07:24.051993Z",
			"updated_at": "2026-04-10T02:00:04.851037Z",
			"deleted_at": null,
			"main_name": "Pinchy Spider",
			"aliases": [
				"G0115",
				"Gold Garden",
				"Gold Southfield",
				"Pinchy Spider"
			],
			"source_name": "ETDA:Pinchy Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"GandCrab",
				"GrandCrab",
				"REvil",
				"Sodin",
				"Sodinokibi",
				"VIDAR",
				"Vidar Stealer",
				"certutil",
				"certutil.exe",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434234,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/38d35a5e43e71499039e0bf9352a678f6a053c0b.pdf",
		"text": "https://archive.orkl.eu/38d35a5e43e71499039e0bf9352a678f6a053c0b.txt",
		"img": "https://archive.orkl.eu/38d35a5e43e71499039e0bf9352a678f6a053c0b.jpg"
	}
}