‘Textbook identity attack’ dropped ransomware via fake KeePass site

A February call from a European IT services provider that experienced a ransomware attack led researchers at WithSecure to what security pros are calling a "textbook identity attack."

Threat actors advertised a malicious look-alike KeePass download site on Bing and waited for victims who believed it was the legitimate open-source password manager.

Once a victim installed the malicious password manager, the malware downloaded and deployed a Cobalt Strike tool for command-and-control (C2) and exported the existing KeePass password database in clear text. This let the attackers gain access to networks, VPNs and cloud services.

Using the same Black Basta-linked watermark as seen in past ransomware incidents, the operators executed a ransomware payload that encrypted VMware ESXi datastores, taking down the VMs in one action.

“The breach is a textbook identity attack,” said Jason Soroko, senior fellow at Sectigo. “By turning a trusted password safe into a credential harvesting mechanism, the adversary harvested domain admin passwords, vSphere root keys, and service-account secrets that function as the organization’s digital identities. Those stolen identities negated perimeter controls, neutralized the company’s Veeam backups and enabled hypervisor-level ransomware deployment.”

Boris Cipot, senior security engineer at Black Duck, added that this case presents a cybersecurity issue that’s problematic from several sides: It touches on open-source usage and development, it shows how users can trust false advertising, and it showcases the vast capabilities cybercriminals have by exploiting the two.

“The attackers focused on VMware ESXi servers where they deployed their ransomware payloads,” said Cipot. “By gathering the passwords stored in KeePass, the attackers had access to the hosts running on those ESXi servers and with this they could start a highly disruptive and efficient attack on hundreds of targets without needing to attack individual virtual machines.”

The most important lesson learned here: never blindly trust advertisements. Cipot said it’s also important not to assume that OSS — even if it’s available to the public — is safe.

“It’s essential to ensure uncompromised trust in software and to know … where it comes from and make sure that it’s legit before you apply it to your own development or to your computer,” said Cipot.
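The advice above amounts to a provenance gate: accept an installer only if it came from a host you pinned in advance, never from an ad or search result, and only if its hash matches the value published on the vendor's own page. The following is an added example, not code from the article or from the KeePass project; the allowlisted host `keepass.info` and the installer bytes are assumptions and constructed sample data, and the expected hash is derived from those bytes here in place of a value an operator would copy from the vendor's site. The host check goes beyond the case in the text by also rejecting the common look-alike shapes (extra labels, userinfo tricks, punycode/IDN hosts, plain HTTP).

```python
"""Download-provenance gate for a third-party installer.

Added example (not the article's or KeePass's own code). Assumptions:
the official host and the installer bytes below are placeholders; in
practice the expected SHA-256 is copied from the vendor's own page.
"""
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumption: the pinned official download host, recorded by the operator
# from the vendor's site, never from an advertisement or a search result.
OFFICIAL_HOSTS = frozenset({"keepass.info"})

# Constructed sample installer bytes standing in for a real setup file.
SAMPLE_INSTALLER = b"constructed sample installer bytes, not a real binary"

# Pinned expected digest per file name. Here it is derived from the sample
# bytes so the example is self-contained; an operator would paste the
# vendor-published value instead.
EXPECTED_SHA256 = {
    "KeePass-2.x-Setup.exe": hashlib.sha256(SAMPLE_INSTALLER).hexdigest(),
}


def host_is_official(url: str, official=OFFICIAL_HOSTS) -> bool:
    """Exact, case-insensitive hostname match over HTTPS only.

    Rejects look-alikes rather than trying to enumerate them:
    - extra labels (official.host.evil.example), since the match is exact
    - userinfo tricks (https://official.host@evil.example/), since
      urlsplit().hostname returns the real host after the '@'
    - punycode / non-ASCII hosts, which can carry homoglyph domains
    - plain HTTP, which an on-path party could rewrite
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname  # lowercased; userinfo and port stripped
    if not host or not host.isascii():
        return False
    if host.startswith("xn--") or ".xn--" in host:
        return False  # IDN-encoded label: treat as untrusted
    return host in official


def file_hash_matches(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the download's SHA-256 to the pinned value."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def vet_download(url: str, filename: str, data: bytes) -> dict:
    """Return both checks plus the combined verdict; both must pass."""
    host_ok = host_is_official(url)
    expected = EXPECTED_SHA256.get(filename)
    hash_ok = expected is not None and file_hash_matches(data, expected)
    return {"host_ok": host_ok, "hash_ok": hash_ok, "accept": host_ok and hash_ok}


if __name__ == "__main__":
    good = vet_download("https://keepass.info/download",
                        "KeePass-2.x-Setup.exe", SAMPLE_INSTALLER)
    lookalike = vet_download("https://keepass-setup.example/download",
                             "KeePass-2.x-Setup.exe", SAMPLE_INSTALLER)
    tampered = vet_download("https://keepass.info/download",
                            "KeePass-2.x-Setup.exe", SAMPLE_INSTALLER + b"x")
    print("official host, pinned hash:", good)
    print("look-alike host:", lookalike)
    print("tampered file:", tampered)
```

The two checks are deliberately independent: a look-alike site can serve a file whose hash matches (a repackaged genuine installer), and a genuine site can serve a tampered file if its CDN or mirror is compromised, so neither check alone is sufficient and the verdict requires both. Comparing the hex digest with `hmac.compare_digest` avoids leaking comparison timing when the check runs in an automated pipeline.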

Rom Carmel, co-founder and CEO at Apono, added that this case is a powerful example of how identity misuse, not just malware, is at the core of modern ransomware attacks. Carmel said the attack hinged on identity and credential compromise: By trojanizing KeePass, attackers gained access to a trove of stored credentials, including admin accounts, service accounts, and API keys, giving them the ability to move laterally and escalate privileges.

“These credentials, often lacking MFA or proper access controls, let attackers access and encrypt critical infrastructure like ESXi servers,” said Carmel. “This breach highlights how unmanaged credentials and overprivileged identities — both human and non-human — are prime targets and key enablers in modern ransomware campaigns.”
