Mark Loman (@markloman) / Twitter

body { -ms-overflow-style: scrollbar; overflow-y: scroll; overscroll-behavior-y: none; } .errorContainer { background-color: #FFF; color: #0F1419; max-width: 600px; margin: 0 auto; padding: 10%; font-family: Helvetica, sans-serif; font-size: 16px; } .errorButton { margin: 3em 0; } .errorButton a { background: #1DA1F2; border-radius: 2.5em; color: white; padding: 1em 2em; text-decoration: none; } .errorButton a:hover, .errorButton a:focus { background: rgb(26, 145, 218); } .errorFooter { color: #657786; font-size: 80%; line-height: 1.5; padding: 1em 0; } .errorFooter a, .errorFooter a:visited { color: #657786; text-decoration: none; padding-right: 1em; } .errorFooter a:hover, .errorFooter a:active { text-decoration: underline; } #placeholder, #react-root { display: none !important; } body { background-color: #FFF !important; }

JavaScript is not available.

We’ve detected that JavaScript is disabled in this browser. Please enable JavaScript or switch to a supported browser to continue using twitter.com. You can see a list of supported browsers in our Help Center.

Terms of Service Privacy Policy Cookie Policy Imprint Ads info © 2023 Twitter, Inc.

Follow

Click to Follow markloman

Mark Loman

@markloman

Computer Doctor | We stop ransomware, exploits, hacker techniques on-device (low carbon footprint) | Sophos HitmanPro & Intercept X dev | Tweets are my own

Hengelo, The Netherlandshitmanpro.comJoined July 2010

4,533 Followers

Mark Loman’s Tweets

Pinned Tweet

LockFile ransomware attempts to evade protection with 'intermittent encryption' and making Windows write the encrypted documents for them, throwing off statistical content analysis and runtime behavior detection. Get the lowdown in our dissection 101: news.sophos.com/en-us/2021/08/

Embedded video

GIF

63

177

Ferrari wordt afgeperst met gestolen klantgegevens buitgemaakt bij ransomware aanval

Quote Tweet

Ferrari said it was hit by a ransomware attack that exposed information on the Italian sports car maker’s customers trib.al/zWraKU0

1

1

Sophos CryptoGuard - our zero-trust architecture against ransomware - thwarts unknown data exfiltration via legitimate but vulnerable Avast executable, leading to side-loaded PlugX USB worm touching ten timezones. More here:

news.sophos.com

A border-hopping PlugX USB worm takes its act on the road

Borne aloft by DLL sideloading, a far-flung infection touches ten time zones

3

3

Mark Loman Retweeted

@CountryBoy7333

Don't miss your chance to win a free license key for HitmanPro Alert! Enter the

Christmas Giveaway at

@MalwareTipscom

now:

malwaretips.com

HitmanPro Alert Christmas Giveaway: Advanced Malware and...

2

Mark Loman Retweeted

OpenSSL has pre-announced the release of OpenSSL version 3.0.7 to be made available on Tuesday 1st November 2022 between 1300-1700 UTC. This version is a security-fix release rated CRITICAL. 1/2

1

14

19

Show this thread

Mark Loman Retweeted

Landelijke Eenheid

@POL_Lnd_Eenheid

In een brief waarschuwt Team High Tech Crime van de politie de hostingsector voor de gevaren & risico’s van het in zee gaan met bepaalde hosting resellers. Het gaat om een specifieke groep hosting resellers die aangeven bulletproof diensten te leveren.

Politie waarschuwt hostingsector voor hosting resellers

Een schoner internet en een veiliger digitaal Nederland. Dat is het doel van een waarschuwing van de politie gericht aan internet- en hostingbedrijven die bepaalde hosting resellers mogelijk als...

1

19

26

Mark Loman Retweeted

After nine months of killing and in many cases torturing civilians; after razing whole towns; the Russians call blowing up a bridge "terrorism." That takes the fucking cake.

3,436

34.1K

170.8K

Mark Loman Retweeted

This is how a very good and decent human being - a real American leader - behaves. To anyone who isn’t moved by this, I feel truly sorry for your broken soul. I am so proud to support

Embedded video

0:24

18.4M views

From

4,628

20.2K

125.7K

Mark Loman Retweeted

Lindsey O'Donnell Welch

I talked to

@chetwisniewski

and

@AltShiftPrtScn

with

yesterday about organizations being hit by multiple #ransomware groups at the same time, IABs, average attacker dwell time and much, much more. Take a listen:

Decipher Podcast: Chester Wisniewski and Peter Mackenzie

Peter Mackenzie, director of incident response at Sophos, and Chester Wisniewski, principal research scientist at Sophos, talk about why more ransomware attackers are clustering onto vulnerable...

10

13

Mark Loman Retweeted

3 attackers, 2 weeks – 1 entry point... Lockbit, Hive, and BlackCat attack an automotive supplier in this triple #ransomware attack. After gaining access via RDP, all three threat actors encrypted files, in an investigation complicated by event log clearing and backups. 1/17

3

91

163

Show this thread

Mark Loman Retweeted

@AltShiftPrtScn

My summary of investigating hundreds of ransomware attacks: Users are sensors that need monitoring, not blaming. It wasn't them that gave everyone domain admin, built a flat network, didn't patch Exchange, forgot to enforce MFA, or decided to open RDP to the world.

6

133

562

Onderwerp is "Mijn Overheid" en is afkomstig van: OM <noreply@gent.nl>

Show this thread

Pas op! Er gaat een valse e-mail uit naam van de Berichtenbox-app van MijnOverheid rond. Klik niet op de link en vul geen gegevens in op de phishingpagina. De mail is niet van MijnOverheid en de valse link komt uit op hxxps://20711-3425.s1.webspace.re/

1

3

1

Show this thread

Mark Loman Retweeted

Update (2022-05-31) SophosLabs has updated endpoint protection signatures for static, dynamic, and behavioral detection of CVE-2022-30190 maldocs and payloads; Microsoft guidance to disable MSDT is linked in the article.

Embedded video

GIF

Quote Tweet

NEW: Malicious Word doc taps previously unknown #Microsoft Office #vulnerability MSDT.exe misuse in May makes for Memorial Day Monday mayhem... 1/13

Show this thread

5

9

Out now! New version of Sophos HitmanPro.Alert! With a new direct syscall mitigation (Hell's Gate), LSASS cloning protection, NVMe/GPT support against wiper malware, lots of other improvements + BSOD fix for Windows 11 users running KB5013943. More: wilderssecurity.com/threads/hitman

3

30

85

Mark Loman Retweeted

Ruben Korthorst

Interessante draad over nepnieuws:

Quote Tweet

Weer bijzonder dit. @Sara40597412 die volgens hem/haar eigen profiel niet tegen onrecht kan, post een foto dat hij/zij het boek van Baudet zou lezen.

Show this thread

4

1

Mark Loman Retweeted

NEW: Countermeasures and observability key to defending against attackers trying to buy security products The leak of #Conti #ransomware's internal chat logs revealed the attackers tried to buy security software so they could figure out how to bypass it and avoid detection… 1/7

3

39

81

Show this thread

Mark Loman Retweeted

Strong

product endorsement from Conti crew: "софос жрёт всё че роняется" ("Sophos eats everything that drops")

5

21

97

Show this thread

Mark Loman Retweeted

Ruben Korthorst

Heeft Willem Engel al getweet dat al die dode Russische militairen waarschijnlijk gevaccineerd zijn? #dtv

36

46

737

Mark Loman Retweeted

Two ransomware gangs entered a healthcare org through the same vulnerability. One “just” stole data and dropped a note. The other…encrypted everything, including the first gang’s note.

news.sophos.com

Conti and Karma actors attack healthcare provider at same time through ProxyShell exploits

An unpatched Microsoft Exchange Server let both ransomware actors in; Karma just stole data, while Conti encrypted.

11

211

418

Show this thread

Mark Loman Retweeted

📺 NEW VIDEO The world stands with Ukraine against Putin’s unlawful invasion. #DefeatPutin

Embedded video

2:58

3.5M views

922

12K

21.6K

Show this thread

Question: when the latest update of a popular wallpaper app starts descrambling your Chrome/Edge browser secrets, like MFA session cookies and web credentials, what would you want us do?

2

Wat is 'ranDsomEware'?

8

5

11

Mark Loman Retweeted

NEW ransomware actor uses password-protected archives to bypass encryption protection Calling themselves "Memento team", actors use Python-based ransomware that they reconfigured after setbacks... 1/13

2

60

121

Show this thread

Mark Loman Retweeted

Replying to

and

Would you be able to validate the policy being applied? With "Prevent credential theft" enabled, I'm observing LSASS access being blocked as expected. There is not an alert that will pop-up, but no file will be written. Full Disclosure: I work at Sophos

3

6

42

Mark Loman Retweeted

2021-11-01: 👁️🔥#Conti #Ransomware | Peculiar File & Folder Whitelist 🆕File “CONTI_LOG.txt” & Folder Avoid “…HitmanPro” 1⃣File/Extension {readme.txt, CONTI_LOG.txt} 2⃣Folder {Trend Micro,Sophos, HitmanPro} 3⃣Usual Mutex "kasKDJSAFJauisiudUASIIQWUA82" 🛡️

2

33

67

Mark Loman Retweeted

How do you differentiate between IP addresses that are up to no good versus IP addresses that are harmless? Madeline Schiappa explains everything you need to know: news.sophos.com/en-us/2021/05/

4

9

Mark Loman Retweeted

@AltShiftPrtScn

We looked into the most common ways #ransomware gangs put pressure on their victims. Including calling them on the phone. We include a voicemail from SunCrypt in this article.

news.sophos.com

The Top 10 Ways Ransomware Operators Ramp Up the Pressure to Pay

Ransomware operators don’t just target systems and data, they target people in their ever-increasing efforts to get the victim to pay

1

52

69

Mark Loman Retweeted

Windows 11 Requirements Check Tool 1.3.1 is out! Added French language. Download here: bytejams.com

Screenshot version 1.3.1

read image description

ALT

9

10

Mark Loman Retweeted

Here's what we can tell you about that Linux & Windows Monero Miner / Windows credential stealer spread through a hijacked NPM repo:

news.sophos.com

Node poisoning: hijacked package delivers coin miner and credential-stealing backdoor

A hacked NPM account was used to deliver Linux and Windows Monero miners and Windows credential-stealing malware along with a popular node.js library.

6

11

Mark Loman Retweeted

PSA: If you or someone you know got hit by BlackMatter in the past couple of months, please reach out. More details can be found here:

Hitting the BlackMatter gang where it hurts: In the wallet

A bug in BlackMatter's encryption enabled us to help victims recover their data and avoiding tens of millions of dollars in ransom demands.

4

78

127

Mark Loman Retweeted

New Blog - #Ransomware Decryption Intelligence blog.bushidotoken.net/2021/10/ransom

3

78

136

Mark Loman Retweeted

Spijker en kop

"Zijn we nu helemaal gek en murw geworden?" #1115

10

120

301

Mark Loman Retweeted

Python ransomware script targets ESXi server for encryption 🐍🐍🐍 Configuration errors rapidly escalated to a ransomware attack inside a virtual machine hypervisor... 1/12

2

76

173

Show this thread

Mark Loman Retweeted

If I looked like David Beckham or had a voice like Beyoncé, I'd endorse HitmanPro.Alert for FREE. Pretty robust detection of [safe] mfeann.exe trying to execute mfc.ini (bad beacon) via LockDown.dll in-memory. No statics, no generics, wins at what it does.

4

9

Show this thread

Mark Loman Retweeted

I was having

streaming issues for months 🤬. Annoying hiccups and sometimes unable to stream songs at all. I finally figured out that

DNS is the issue. Turns out I am not the only one

community.spotify.com

Random Stopping with CloudFlare DNS (1.1.1.1) - The Spoti…

Country UK Device Device Agnostic Operating System Windows, Linux My Question or Issue When using cloudflare DNS (1.1.1.1) playback stop…

1

3

4

Show this thread

Mark Loman Retweeted

Looks like during the takedown of parts of the REvil infrastructure several months ago LEA got their hands on the secret key required to decrypt the ransom note key blobs which include the secret key for the system. Great news for older victims who can decrypt their files now. :)

2

57

159

Mark Loman Retweeted

Windows 11 Requirements Check Tool 1.0 is out! Now with code signing certificate: bytejams.com

6

4

Mark Loman Retweeted

Windows 11 Requirements Check Tool 0.9.3 is out! Updated to support the additional processors Microsoft recently announced on Friday 27th August. Information + Download: bytejams.com

Screenshot 0.9.3 RC

read image description

ALT

5

7

LockFile ransomware’s box of tricks: intermittent encryption and evasion news.sophos.com/en-us/2021/08/ #proxyshell #petitpotam #lockfile

news.sophos.com

LockFile ransomware’s box of tricks: intermittent encryption and evasion

A new ransomware family leveraging the ProxyShell attack uses intermittent encryption of files in an attempt to defeat detection by anti-ransomware tools.

5

7