
Malicious Actors Exploit Velociraptor DFIR Tool in Ransomware Attacks
Malicious actors, likely associated with the threat group Storm-2603 (also tracked as CL-CRI-1040 and Gold Salem), have been abusing Velociraptor, an open-source digital forensics and incident response (DFIR) tool, in ransomware attacks. The group is known for deploying ransomware strains such as Warlock and LockBit. The attackers' use of Velociraptor was documented by Sophos last month.

Velociraptor is designed to collect and analyze data from endpoints, which makes it as useful to an intruder as to a defender. By running it inside a victim network, attackers can perform reconnaissance, lateral movement, and data exfiltration while blending in with legitimate administrative activity, which makes detection and response harder. This "living off the land" tactic means security teams need to monitor and control the use of DFIR tooling within their own networks: an endpoint detection and response (EDR) solution must be able to distinguish a sanctioned Velociraptor deployment from one an attacker has brought in.

The abuse of Velociraptor therefore reinforces the case for continuous monitoring, threat hunting, and controls that restrict such tools to authorized personnel. As attackers keep turning legitimate tools against their targets, detection strategies have to adapt to catch the unauthorized use rather than the tool itself.
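The control the article calls for, telling a sanctioned Velociraptor deployment apart from an unsanctioned one, can be expressed as a simple policy check over process-creation telemetry. The script below is an added example and is not code from the article, from Sophos, or from the Velociraptor project. It assumes (hypothetically) that endpoint logs are available as pipe-separated `timestamp|host|user|image|command_line` lines, that the organization installs its Velociraptor client under a single known directory, and that only a dedicated service account is meant to launch it; the log lines, hostnames, accounts and paths are all constructed. It matches on the client command-line shape (`--config <file> client` or `service install`) as well as on the binary name, so the check does not depend on the executable keeping its original filename.

```python
"""Added example: flag Velociraptor executions that fall outside an approved deployment.

Assumptions (hypothetical, not from the article): process-creation telemetry
arrives as 'timestamp|host|user|image|command_line' lines, the sanctioned
client lives under one directory, and one service account is allowed to run it.
"""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    timestamp: str
    host: str
    user: str
    image: str
    command_line: str


@dataclass
class Policy:
    approved_dir: str          # directory of the sanctioned client (no trailing separator)
    approved_users: frozenset  # accounts allowed to launch it


# Constructed sample telemetry; hosts, users and paths are invented for the example.
SAMPLE_LOG = r"""
2025-10-14T09:12:03Z|WS-017|CORP\svc-dfir|C:\Program Files\Velociraptor\Velociraptor.exe|"C:\Program Files\Velociraptor\Velociraptor.exe" --config client.config.yaml client
2025-10-14T09:15:00Z|WS-017|CORP\jdoe|C:\Windows\System32\notepad.exe|notepad.exe report.txt
2025-10-14T09:40:51Z|WS-042|CORP\jdoe|C:\Users\jdoe\AppData\Local\Temp\v.exe|v.exe --config C:\Users\jdoe\AppData\Local\Temp\c.yaml client
2025-10-14T10:02:17Z|SRV-DB01|CORP\admin2|C:\Windows\Temp\velociraptor.exe|velociraptor.exe service install --config client.yaml
2025-10-14T10:05:00Z|WS-018|CORP\svc-dfir|C:\Program Files\Velociraptor\Velociraptor.exe|"C:\Program Files\Velociraptor\Velociraptor.exe" --config client.config.yaml client
"""

# Placeholder policy for the constructed environment above.
POLICY = Policy(
    approved_dir=r"C:\Program Files\Velociraptor",
    approved_users=frozenset({r"CORP\svc-dfir"}),
)


def parse_line(line: str) -> ProcessEvent:
    """Split one telemetry line into its five fields (command line may contain '|' safely)."""
    ts, host, user, image, cmd = line.split("|", 4)
    return ProcessEvent(ts, host, user, image, cmd)


def looks_like_velociraptor(ev: ProcessEvent) -> bool:
    """Match on the binary name or on the client start-up command shape."""
    if "velociraptor" in ev.image.lower():
        return True
    tokens = [t.lower() for t in ev.command_line.split()]
    has_config = "--config" in tokens
    client_mode = "client" in tokens or ("service" in tokens and "install" in tokens)
    return has_config and client_mode


def violations(ev: ProcessEvent, policy: Policy) -> list[str]:
    """Return the ways this execution deviates from the sanctioned deployment."""
    reasons = []
    expected_prefix = policy.approved_dir.lower() + "\\"
    if not ev.image.lower().startswith(expected_prefix):
        reasons.append(f"image outside approved directory: {ev.image}")
    if ev.user not in policy.approved_users:
        reasons.append(f"launched by unapproved account: {ev.user}")
    return reasons


def scan(log_text: str, policy: Policy) -> list[tuple[str, str, list[str]]]:
    """Return (timestamp, host, reasons) for every Velociraptor run that breaks policy."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if not looks_like_velociraptor(ev):
            continue
        reasons = violations(ev, policy)
        if reasons:
            findings.append((ev.timestamp, ev.host, reasons))
    return findings


if __name__ == "__main__":
    for ts, host, reasons in scan(SAMPLE_LOG, POLICY):
        print(f"{ts} {host}: " + "; ".join(reasons))
```

On the constructed input the two sanctioned runs on WS-017 and WS-018 pass, while the renamed binary in a user's Temp directory and the `service install` from `C:\Windows\Temp` by an account outside the allowlist are both reported with two reasons each. In a real deployment the allowlist would also carry the hash of the approved binary and the expected server URL from the client configuration, so that a client pointed at an attacker-controlled server is caught even when it runs from the right path.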