{"id":46233,"date":"2022-04-13T11:17:00","date_gmt":"2022-04-13T11:17:00","guid":{"rendered":"http:\/\/e8c57cb8-537a-4697-b1bd-1cbdbdab2244"},"modified":"2022-04-13T11:17:00","modified_gmt":"2022-04-13T11:17:00","slug":"clueless-hackers-spent-months-inside-a-network-and-nobody-noticed-but-then-a-ransomware-gang-turned-up","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/clueless-hackers-spent-months-inside-a-network-and-nobody-noticed-but-then-a-ransomware-gang-turned-up\/","title":{"rendered":"Clueless hackers spent months inside a network and nobody noticed. But then a ransomware gang turned up"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/www.zdnet.com\/a\/img\/resize\/d8a4561bd603e904bb24700fb3fb97cb37cc5f4e\/2021\/08\/25\/99bd596a-6b7d-47a5-9d50-5726551168c3\/getty-hands-typing-on-a-laptop-keyboard.jpg?width=770&amp;height=578&amp;fit=crop&amp;auto=webp\" class=\"ff-og-image-inserted\"><\/div>\n<p>Novice hackers who didn&#8217;t know what they were doing spent months inside a government agency network without being detected \u2013 before higher-skilled attackers came in after them and launched a ransomware attack.&nbsp;<\/p>\n<p>Analysis of the incident at an unspecified US regional government agency <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/04\/12\/attackers-linger-on-government-agency-computers-before-deploying-lockbit-ransomware\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\">by cybersecurity researchers at Sophos<\/a> found that the amateur intruders left plenty of indicators they were in the network. 
Yet despite a lack of subtlety and leaving a trail behind, they weren&#8217;t detected because of what Sophos researchers describe as &#8220;strategic choices&#8221; made by the IT team that made life easy for them.&nbsp;<\/p>\n<p>The attackers initially broke into the network using <a href=\"https:\/\/www.zdnet.com\/article\/big-jump-in-rdp-attacks-as-hackers-target-staff-working-from-home\/\" target=\"_blank\" rel=\"noopener\">one of the most popular techniques deployed by cyber criminals<\/a> \u2013 breaching the password of internet-facing Windows Remote Desktop Protocol (RDP) on a firewall. It&#8217;s uncertain how the password itself was breached, but <a href=\"https:\/\/www.zdnet.com\/article\/ransomware-these-are-the-two-most-common-ways-hackers-get-inside-your-network\/\" target=\"_blank\" rel=\"noopener\">common methods include brute-force attacks and phishing emails.<\/a>&nbsp;<\/p>\n<p>They also got lucky, because the compromised RDP account wasn&#8217;t only a local admin on the server, but also had domain administrator permissions, allowing the account to be exploited to create admin accounts on other servers and desktops.&nbsp;<\/p>\n<p>But despite all this power, the intruders didn&#8217;t seem to know what to do once they had access to the network. Analysis of activity logs suggested they used the servers they controlled inside the network to run Google searches to look for hacking tools, then followed pop-up ads to pirated software downloads.&nbsp;<\/p>\n<p>Researchers say this left the server riddled with <a href=\"https:\/\/www.zdnet.com\/article\/this-data-stealing-malware-has-returned-with-new-attacks-and-nasty-upgraded-features\/\" target=\"_blank\" rel=\"noopener\">adware<\/a> and the hackers unintentionally infecting the servers they controlled with <a href=\"https:\/\/www.zdnet.com\/article\/what-is-malware-everything-you-need-to-know-about-viruses-trojans-and-malicious-software\/\" target=\"_blank\" rel=\"noopener\">malware<\/a>. 
The victim organisation didn&#8217;t notice any of this was happening. &nbsp;<\/p>\n<p>Log data suggests that the attackers were regularly disappearing for days at a time before returning to look around the network, occasionally creating new accounts to gain access to other machines. This continued for months, with the attackers seemingly learning how to hack networks as they went along, as well as installing <a href=\"https:\/\/www.zdnet.com\/article\/free-money-cyber-criminals-are-installing-cryptojacking-malware-on-unpatched-microsoft-exchange-servers\/\" target=\"_blank\" rel=\"noopener\">cryptomining malware<\/a> on the compromised servers.&nbsp;<\/p>\n<p>&#8220;This was a very messy attack,&#8221; says Andrew Brandt, principal security researcher at Sophos. &#8220;They then seemed unsure of what to do next&#8221;.&nbsp;<\/p>\n<p>But after four months, the attacks suddenly became more focused and more sophisticated. Following a three-week hiatus with no activity, attackers remotely connected and installed the password-sniffing tool Mimikatz in order to gain access to additional usernames and passwords, storing them all in a text file on the desktop of admin-level accounts they created. &nbsp;<\/p>\n<p>These attackers also looked to remove the coinminer which had previously been installed and attempted to uninstall antivirus software on endpoints. 
It&#8217;s likely that the higher sophistication of the attacks means new intruders had gained access to the network.&nbsp;<\/p>\n<p>&#8220;When you see an abrupt change in both goals and skill level in an attack like this, in which the original ingress point is at that point still open as it was in this case, the safe bet is that another attacker has entered the space,&#8221; says Brandt.<\/p>\n<p>It was at this point the IT department noticed something strange was happening, taking servers offline to investigate \u2013 but in order to do this, they also disabled some cybersecurity protections \u2013 and the attackers took advantage. &nbsp;<\/p>\n<p>The intruders repeatedly dumped new account credentials and created new accounts in order to continue their attacks. The logs were also wiped repeatedly, in what could have been an attempt to cover their tracks.&nbsp;<\/p>\n<p>The new, much more sophisticated attackers also stole a set of sensitive files as they worked 
towards the apparent end goal of a <a href=\"https:\/\/www.zdnet.com\/article\/ransomware-an-executive-guide-to-one-of-the-biggest-menaces-on-the-web\/\" target=\"_blank\" rel=\"noopener\">ransomware attack<\/a>, which fully encrypted some of the machines on the network with <a href=\"https:\/\/www.zdnet.com\/article\/fbi-watch-out-for-lockbit-2-0-ransomware-heres-how-to-reduce-the-risk-to-your-network\/\" target=\"_blank\" rel=\"noopener\">LockBit ransomware<\/a>. But the attack didn&#8217;t affect all the machines and the IT department, with the aid of Sophos analysts, were able to clean up and restore services.&nbsp;<\/p>\n<p>However, the whole attack could&#8217;ve been prevented if better cybersecurity strategies were in place, as attackers were able to freely enter and move around the network without being detected &#8211; particularly as measures were implemented to improve efficiency rather than improving cybersecurity, even when it was clear the organisation was under attack.&nbsp;<\/p>\n<p>&#8220;Disabling features like tamper protection on endpoint security software seemed to be the critical lever the attackers needed to completely remove protection and complete their jobs without hindrance,&#8221; researchers said in the blog post.&nbsp;<\/p>\n<p>Applying <a href=\"https:\/\/www.zdnet.com\/article\/better-than-the-best-password-how-to-use-2fa-to-improve-your-security\/\" target=\"_blank\" rel=\"noopener\">multi-factor authentication<\/a> to user accounts would have helped prevent them from being exploited and login notifications would&#8217;ve provided a warning that something suspicious was under way. 
&nbsp;<\/p>\n<p>Meanwhile, <a href=\"https:\/\/www.zdnet.com\/article\/the-key-to-stopping-cyberattacks-understanding-your-own-systems-before-the-hackers-strike\/\" target=\"_blank\" rel=\"noopener\">properly monitoring the network<\/a> would&#8217;ve indicated something was wrong when the attackers were snooping around, and certainly before another set of hackers broke in and <a href=\"https:\/\/www.zdnet.com\/article\/ransomware-even-when-the-attackers-are-in-your-network-its-not-too-late-to-fight-back\/\" target=\"_blank\" rel=\"noopener\">laid the foundation for a ransomware attack<\/a>. &nbsp;<\/p>\n<p>&#8220;Defenders have to keep watch on their network, whether in-house or through a managed-services partner. Keeping an eye out for smaller oddities or incidents \u2013 even something as simple as someone logging into a system at odd hours or from an unusual location \u2013 can make the difference,&#8221; said Brandt.&nbsp;<\/p>\n<p> READ MORE <a href=\"https:\/\/www.zdnet.com\/article\/clueless-hackers-spent-months-inside-a-network-and-nobody-noticed-then-a-ransomware-gang-took-over\/#ftag=RSSbaffb68\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A series of poor cybersecurity decisions meant the victim didn&#8217;t notice intruders on their network &#8211; until more sophisticated attackers arrived.<br \/>\nREAD MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[62],"tags":[],"class_list":["post-46233","post","type-post","status-publish","format-standard","hentry","category-zdnet-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Clueless hackers spent months inside a network and nobody noticed. 
But then a ransomware gang turned up 2026 | ThreatsHub Cybersecurity News<\/title>\n"}