VERY IMPORTANT

In this intrusion from December 2021, the threat actors utilized IcedID as the initial access vector. IcedID is a banking trojan that first appeared in 2017, usually, it is delivered via malspam campaigns and has been widely used as an initial access vector in multiple ransomware intrusions. Upon execution of the IcedID DLL, discovery activity was performed which was followed by the dropping of a Cobalt Strike beacon on the infected host. Along the way, the threat actors installed remote management tools such as Atera and Splashtop for persisting in the environment. While remaining dormant most of the time, the adversary deployed Conti ransomware on the 19th day (shortly after Christmas), resulting in domain wide encryption.