Ransomware attackers are exploiting TeamViewer, a popular remote access tool, to infiltrate organizations and deploy ransomware. This method, first noticed in 2016, involves using leaked user credentials rather than exploiting software vulnerabilities.
The recent attacks, analyzed by cybersecurity firm Huntress, pointed to a common attacker in multiple cases. On the affected endpoints, TeamViewer was either used for legitimate administrative tasks or installed on machines that were less frequently monitored. The attackers attempted to deploy ransomware using a batch file and a DLL file, with varied success due to antivirus interventions.
These attacks resemble LockBit ransomware attacks, particularly those seen since the 2022 leak of its builder, LockBit 3.0. The leaked builder, used by various gangs, facilitates the creation of different ransomware versions. The recent attacks specifically utilized a password-protected LockBit 3 DLL.
TeamViewer emphasized the importance of strong security practices, including complex passwords, two-factor authentication, allow-lists, and regular software updates to prevent unauthorized access. The company has published best practices for secure unattended access, stressing that most unauthorized accesses involve weakened default security settings, often due to the use of outdated software versions.