Rustam Mirkasymov and Oleg Skulkin of Group-IB write:
The email raised no suspicions. An employee of a Russian medical company boldly clicked on the link and downloaded the attached ZIP archive. The message with the subject “Bill due” looked like it had been sent by the Finance Department of a large Russian media holding, the RBC Group. After the executable file was run for just twenty seconds, Windows Defender detected and deleted the malware. Yet these twenty seconds were enough for the Trojan to achieve persistence in the infected system. The victim failed to notice anything. Three weeks later, the company’s employees arrived at work and were greeted by an alarming message on their computer screens: “Your files have been encrypted”.
Read more on Group-IB.
h/t, Catalin Cimpanu, ZDNet
Russian threat actors attacking Russian entities? Well, that’s new and different — if they really are Russian threat actors and not just posing as Russians.