Wine Tempest (formerly PARINACOTA) typically uses human-operated ransomware in its attacks, mostly deploying the Wadhrama ransomware. The group is resourceful, changing tactics to match its needs, and has used compromised machines for various purposes, including cryptocurrency mining, sending spam email, or proxying other attacks. It most often employs a smash-and-grab method, attempting to infiltrate a machine in a network and proceed to ransom in less than an hour. Wine Tempest typically gains initial access by brute forcing servers that have Remote Desktop Protocol (RDP) exposed to the internet, with the goal of moving laterally inside the network or performing further brute-force activity against targets outside it. Frequently, the group targets built-in local administrator accounts or a list of common account names. In other instances, it targets Active Directory accounts that it has already compromised or has prior knowledge of, such as service accounts of known vendors.
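The RDP brute-force pattern described above is visible in the Windows Security log as bursts of event 4625 (failed logon) with logon type 10 (RemoteInteractive) or type 3 (Network, which is how failures behind Network Level Authentication are commonly recorded) from a single source address, often against the built-in Administrator account or a short list of common names, and, when the attacker succeeds, followed by a 4624 from the same address. The detector below is an added example, not Microsoft's detection logic or anything from the page; it runs over constructed JSON-lines events (not real telemetry; the 203.0.113.0/24 and 198.51.100.0/24 sources are documentation ranges), and the thresholds, the five-minute window, and the COMMON_ACCOUNTS list are assumptions chosen for illustration. It distinguishes a brute force (many failures against one account from one source) from a password spray (one source cycling through many account names), and flags a source whose failures are followed by a successful RDP logon, which is the case worth treating as an intrusion rather than noise.

```python
"""Flag RDP brute force / password spray from Windows Security 4625/4624 events.

Added example; not Microsoft's detection logic. The events below are
constructed, not captured from a real host. Field names follow the
Windows Security event schema (TargetUserName, IpAddress, LogonType);
the thresholds and COMMON_ACCOUNTS are assumptions for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Logon type 10 = RemoteInteractive (RDP); type 3 = Network, which is how
# NLA-protected RDP failures are frequently recorded.
RDP_LOGON_TYPES = {"10", "3"}

# Built-in local admin and common names the group is described as trying (assumed list).
COMMON_ACCOUNTS = {"administrator", "admin", "guest", "user", "test", "backup", "sql", "scanner"}

FAIL_THRESHOLD = 5          # failures from one source inside WINDOW -> brute force (assumed)
SPRAY_USER_THRESHOLD = 4    # distinct usernames from one source inside WINDOW -> spray (assumed)
WINDOW = timedelta(minutes=5)

# Constructed sample events (JSON lines), not real telemetry.
SAMPLE_EVENTS = """\
{"EventID":4625,"TimeCreated":"2024-10-01T02:00:05","TargetUserName":"Administrator","IpAddress":"203.0.113.45","LogonType":"10"}
{"EventID":4625,"TimeCreated":"2024-10-01T02:00:09","TargetUserName":"Administrator","IpAddress":"203.0.113.45","LogonType":"10"}
{"EventID":4625,"TimeCreated":"2024-10-01T02:00:14","TargetUserName":"Administrator","IpAddress":"203.0.113.45","LogonType":"10"}
{"EventID":4625,"TimeCreated":"2024-10-01T02:00:20","TargetUserName":"Administrator","IpAddress":"203.0.113.45","LogonType":"10"}
{"EventID":4625,"TimeCreated":"2024-10-01T02:00:27","TargetUserName":"Administrator","IpAddress":"203.0.113.45","LogonType":"10"}
{"EventID":4624,"TimeCreated":"2024-10-01T02:00:33","TargetUserName":"Administrator","IpAddress":"203.0.113.45","LogonType":"10"}
{"EventID":4625,"TimeCreated":"2024-10-01T02:10:00","TargetUserName":"admin","IpAddress":"198.51.100.7","LogonType":"3"}
{"EventID":4625,"TimeCreated":"2024-10-01T02:10:02","TargetUserName":"backup","IpAddress":"198.51.100.7","LogonType":"3"}
{"EventID":4625,"TimeCreated":"2024-10-01T02:10:04","TargetUserName":"scanner","IpAddress":"198.51.100.7","LogonType":"3"}
{"EventID":4625,"TimeCreated":"2024-10-01T02:10:06","TargetUserName":"svc_vendor","IpAddress":"198.51.100.7","LogonType":"3"}
{"EventID":4625,"TimeCreated":"2024-10-01T02:30:00","TargetUserName":"jdoe","IpAddress":"10.0.0.12","LogonType":"2"}
"""


def parse_events(text):
    """Parse JSON-lines events into dicts with a datetime TimeCreated, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["TimeCreated"] = datetime.fromisoformat(event["TimeCreated"])
        events.append(event)
    events.sort(key=lambda e: e["TimeCreated"])
    return events


def detect_rdp_bruteforce(events):
    """Return one alert per source IP that shows brute-force or spray behaviour over RDP."""
    failures = defaultdict(list)   # ip -> [(time, user)]
    successes = defaultdict(list)  # ip -> [time]
    for e in events:
        if e["LogonType"] not in RDP_LOGON_TYPES:
            continue  # console/service logons are out of scope for this detector
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append((e["TimeCreated"], e["TargetUserName"].lower()))
        elif e["EventID"] == 4624:
            successes[e["IpAddress"]].append(e["TimeCreated"])

    alerts = []
    for ip, fails in failures.items():
        max_in_window, max_distinct = 0, 0
        # Sliding window: for each failure, count the failures (and distinct
        # usernames) that fall within WINDOW after it.
        for i, (t0, _) in enumerate(fails):
            window = [f for f in fails[i:] if f[0] - t0 <= WINDOW]
            max_in_window = max(max_in_window, len(window))
            max_distinct = max(max_distinct, len({u for _, u in window}))

        kinds = []
        if max_in_window >= FAIL_THRESHOLD:
            kinds.append("brute_force")
        if max_distinct >= SPRAY_USER_THRESHOLD:
            kinds.append("password_spray")
        if not kinds:
            continue

        first_failure = fails[0][0]
        alerts.append({
            "source_ip": ip,
            "kinds": kinds,
            "failures": len(fails),
            "max_in_window": max_in_window,
            "distinct_users": max_distinct,
            "common_accounts_targeted": sorted({u for _, u in fails} & COMMON_ACCOUNTS),
            # A success from the same source after the failures began is the
            # strongest signal that the brute force worked.
            "success_after_failures": any(t >= first_failure for t in successes[ip]),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

In production the same logic would read event 4625/4624 from the Security channel (or a SIEM) rather than a string, and the window and thresholds should be tuned to the environment; the more important check, regardless of thresholds, is whether an RDP listener reachable from the internet exists at all, since the group's access depends on it.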