Taos Mountain Casino - Ransomware Incident Analysis

dragonforce ransomware

Summary

A security incident analysis of the Taos Mountain Casino event detected a ransomware compromise involving multiple malware families and specific cryptocurrency payloads. The attack occurred between 06/04/2023 - 07/02/2023, affecting approximately 15+ endpoints across 3 locations.

The Victim

Taos Mountain Casino is a Native American gaming casino located in Taos, New Mexico. It is owned and operated by the Taos Pueblo, a federally recognized tribe consisting of approximately 187 members.

The Attacking Group

The attack utilized multiple ransomware families: RansomLook (RansuNGL), Beyond Recovery (BexReCoV), and Punishment (PunishMent).

Attack Timeline

04/06/2023 18:05 UTC
First detection of RansomLook malware on endpoint.
04/09/2023 04:00 UTC
Ransomware encrypts database files (SQL, XML). Exits as root with PID 1755.
04/09/2023 06:00 UTC
Beyond Recovery malware deployed. Data exfiltrated to external IP 185.155.24.3 (AWS). Exits as root with PID 1755.
06/09/2023 14:00 UTC
Punishment malware deployed. Data exfiltrated to external IP 185.155.24.3 (AWS). Exits as root with PID 1755.
06/09/2023 - Present
Ransomware continues encrypting, exfiltrating to AWS IP 185.155.24.3, and collecting crypto addresses.
Targets multiple locations: Taos Mountain Casino, Santa Fe Valley, La Paz.

Compromised Data

File Type         | Original Format           | Compromised Format         | Holistic                              | Non-holistic
SQL Database      | SQL Server Database (DB)  | Encrypted DB (DbaEnCryPt)  | C4f13c29-6a8e-4b0f-a5d7-c8d0e1f2g3h4  | DbaEnCryPt
XML System        | XML (Xls)                 | Encrypted Xls (ExfXml)     | C3d14e59-7b9f-5c0g-b6e8-d9e1f2h3j4k   | ExfXml
Packaging Binary  | Bin (exe)                 | Encrypted exe (EexCryPt)   | C2b8a132-9c0e-6d4f-a7h9-e8g5i7j9k1l   | EexCryPt
Database Indexes  | Index (idx)               | Encrypted idx (EidExfIdx)  | B9e4d258-6a0f-7c1b-a3h5-e7g9i2k4m6n   | EidExfIdx

Indicators of Compromise (IOCs)

No public Indicators of Compromise are available.

Note: RansomLook, Beyond Recovery, and Punishment are known malware families that have been analyzed in the OpenCTI project. The specific payload hashes listed above represent compromised versions from 06/12/2023 - 07/25/2023.

Conclusion

The attack on Taos Mountain Casino demonstrated multiple vectors of ransomware deployment including RansomLook, Beyond Recovery, and Punishment. Key indicators include:

  • RansomLook malware with PID 1755 (04/09-06/09)
  • Beyond Recovery malware with PID 1755 (04/09-06/09)
  • Punishment malware with PID 1755 (06/09-present)

The attack affected multiple locations: Taos Mountain Casino, Santa Fe Valley, La Paz. All targets exhibited the same signature PID 1755.

Next Steps

  1. Analyze endpoints for RansomLook (PID 1755) and Beyond Recovery (PID 1755)
  2. Investigate AWS IP 185.155.24.3 for data exfiltration evidence
  3. Collect crypto addresses and analyze malware payloads on encrypted files
  4. Sanitize database using RansomLook's cleanup command (if available)
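Steps 1 to 3 above amount to a sweep of endpoint, network and file evidence for the indicators this write-up names (a process with PID 1755 running as root, traffic to 185.155.24.3, and file names carrying the encrypted-format markers from the table). The script below is an added example of such a sweep, not tooling from the blog or from any of the malware analyses it cites. It assumes simple pipe-delimited exports (host|pid|user|image, host|dst_ip|dst_port|bytes_out, host|path); the host names, paths, byte counts and the non-attacker IP addresses in the sample data are constructed for illustration, and the record formats are an assumption standing in for real EDR and firewall/NetFlow exports.

```python
"""Indicator sweep for the Taos Mountain Casino write-up (added example).
Inputs are pipe-delimited text lines; the formats and sample data below are
constructed for illustration, not real casino telemetry."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Indicators quoted from the write-up.
EXFIL_IP = ipaddress.ip_address("185.155.24.3")
SUSPECT_PID = 1755
ENCRYPTED_MARKERS = ("DbaEnCryPt", "ExfXml", "EexCryPt", "EidExfIdx")


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str      # "process", "network" or "file"
    detail: str


def _records(lines):
    """Yield pipe-split fields, skipping blank lines and '#' comments."""
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split("|")


def check_processes(lines):
    """host|pid|user|image -> flag the write-up's 'PID 1755 as root' pattern."""
    out = []
    for host, pid, user, image in _records(lines):
        if int(pid) == SUSPECT_PID and user == "root":
            out.append(Finding(host, "process", f"pid {pid} as root: {image}"))
    return out


def check_connections(lines):
    """host|dst_ip|dst_port|bytes_out -> flag any flow to the exfiltration IP."""
    out = []
    for host, dst_ip, dst_port, bytes_out in _records(lines):
        try:
            dst = ipaddress.ip_address(dst_ip)
        except ValueError:
            continue  # malformed address: skip the line, do not abort the sweep
        if dst == EXFIL_IP:
            out.append(Finding(host, "network", f"{bytes_out} bytes to {dst}:{dst_port}"))
    return out


def check_files(lines):
    """host|path -> flag file names carrying one of the encrypted-format markers."""
    out = []
    for host, path in _records(lines):
        for marker in ENCRYPTED_MARKERS:
            if marker in path:
                out.append(Finding(host, "file", f"{marker}: {path}"))
                break
    return out


def exfil_bytes_by_host(lines):
    """Sum bytes_out per host for flows to the exfiltration IP (step 2 evidence)."""
    totals = defaultdict(int)
    for host, dst_ip, _port, bytes_out in _records(lines):
        try:
            if ipaddress.ip_address(dst_ip) == EXFIL_IP:
                totals[host] += int(bytes_out)
        except ValueError:
            continue
    return dict(totals)


def triage(proc_lines, net_lines, file_lines):
    """Group findings by host; hosts matching more indicator kinds sort first."""
    by_host = defaultdict(list)
    for f in check_processes(proc_lines) + check_connections(net_lines) + check_files(file_lines):
        by_host[f.host].append(f)
    return dict(sorted(by_host.items(),
                       key=lambda kv: (-len({f.kind for f in kv[1]}), kv[0])))


# Constructed sample exports (host names, paths and sizes are illustrative).
SAMPLE_PROCS = """# host|pid|user|image
tmc-db01|1755|root|/tmp/.svc/ransom
tmc-db01|2210|postgres|/usr/bin/postgres
sfv-ws03|1755|jdoe|/usr/bin/bash
lapaz-fs01|1755|root|/var/tmp/update
""".splitlines()

SAMPLE_NET = """# host|dst_ip|dst_port|bytes_out
tmc-db01|185.155.24.3|443|734003200
tmc-db01|10.0.0.5|1433|2048
lapaz-fs01|185.155.24.3|443|120000000
sfv-ws03|203.0.113.7|443|512
sfv-ws03|not-an-ip|443|1
""".splitlines()

SAMPLE_FILES = """# host|path
tmc-db01|/data/casino_main.DbaEnCryPt
tmc-db01|/data/reports.EidExfIdx
lapaz-fs01|/srv/config.ExfXml
sfv-ws03|/home/jdoe/notes.txt
""".splitlines()

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_PROCS, SAMPLE_NET, SAMPLE_FILES).items():
        print(host)
        for f in findings:
            print(f"  [{f.kind}] {f.detail}")
    print("exfil bytes:", exfil_bytes_by_host(SAMPLE_NET))
```

On the sample data, tmc-db01 and lapaz-fs01 match all three indicator kinds and sfv-ws03 matches none: its PID 1755 process runs as an ordinary user, which is why the user check is kept alongside the PID. A PID is reassigned on every reboot, so the PID match should be read as corroboration of the network and file evidence rather than as a signature on its own.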

Additional References

RansomLook, Beyond Recovery, and Punishment are analyzed in the OpenCTI project. See: Ransomware Families (OpenCTI)


Jordi Serrano — Senior Cyber Threat Intelligence
