Back to Intelligence

Ransomware Partnership Alert: Detecting and Defending Against Industrialized Encryption-Based Attacks from TeamPCP Collaboration

SA
Security Arsenal Team
July 5, 2026
10 min read

Introduction

Security researchers have issued a critical warning regarding a dangerous new development in the ransomware landscape: a major encryption-based cyber incident gang has partnered with TeamPCP, a known threat actor group. This collaboration threatens to accelerate "industrialized" cyber-attacks, potentially leading to unprecedented scale and efficiency in ransomware operations. The FBI has also issued an advisory highlighting the severity of this threat alliance.

What makes this partnership particularly concerning is the potential for combining sophisticated encryption techniques with streamlined attack infrastructure. For defenders, this means we must prepare for faster, more widespread encryption events that can devastate organizations before detection mechanisms trigger. The time from initial compromise to full system encryption may shrink dramatically, reducing our already narrow incident response windows.

This blog post provides actionable detection strategies and remediation guidance to help security teams defend against this emerging industrialized threat.

Technical Analysis

Threat Overview

The collaboration between a prominent ransomware operation and TeamPCP represents a shift toward more industrialized attack methodologies. Rather than manual, targeted operations, this partnership aims to automate and scale encryption-based attacks, potentially affecting multiple organizations simultaneously through pre-established infrastructure.

Attack Chain Analysis

Based on available intelligence, the attack chain follows a sophisticated multi-stage approach:

  1. Initial Access: Through exposed Remote Desktop Protocol (RDP), VPN vulnerabilities, or phishing campaigns delivering malicious attachments
  2. Credential Harvesting: Using tools like Mimikatz or specialized utilities to dump credentials for lateral movement
  3. Lateral Movement: Leveraging stolen credentials and PsExec, WMI, or SMB for network propagation
  4. Privilege Escalation: Exploiting misconfigurations or known vulnerabilities to gain domain admin privileges
  5. Data Exfiltration: Before encryption, sensitive data is exfiltrated to cloud storage for double-extortion leverage
  6. System Encryption: Deploying industrialized encryption tools capable of encrypting hundreds of systems in parallel

Affected Platforms

  • Windows Server 2019/2022
  • Windows 10/11 Enterprise editions
  • Virtualized environments (VMware, Hyper-V)
  • Network-attached storage (NAS) devices
  • Backup systems (Veeam, Commvault, and similar platforms)

Exploitation Status

Active exploitation has been confirmed in the wild, with multiple incident response firms reporting cases involving this collaboration. The attack infrastructure is operational and actively targeting organizations across multiple sectors, including critical infrastructure, healthcare, and financial services.

Detection & Response

The following detection rules and hunt queries are designed to identify behaviors associated with this specific ransomware partnership and industrialized encryption attacks.

SIGMA Rules

YAML
---
title: Suspicious Mass File Encryption Activity
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects patterns consistent with industrialized mass file encryption operations, including rapid file modifications across multiple directories.
references:
  - https://www.infosecurity-magazine.com/news/industrialized-cyberattacks/
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.impact
  - attack.t1486
logsource:
  category: file_change
  product: windows
detection:
  selection:
    TargetFilename|endswith:
      - '.locked'
      - '.encrypted'
      - '.teamPCP'
  condition: selection
falsepositives:
  - Legitimate encryption tools
  - File system utilities
level: high
---
title: Ransomware Lateral Movement via PsExec
id: b2c3d4e5-6789-01bc-def2-345678901234
status: experimental
description: Detects potential ransomware lateral movement using PsExec with suspicious parameters consistent with TeamPCP-affiliated operations.
references:
  - https://www.infosecurity-magazine.com/news/industrialized-cyberattacks/
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.lateral_movement
  - attack.t1021.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\psexec.exe'
      - '\psexec64.exe'
    CommandLine|contains:
      - '-accepteula'
      - '\\*'
  filter:
    User|contains:
      - 'ADMIN'
      - 'svc_'
  condition: selection and not filter
falsepositives:
  - System administration activities
  - Legitimate software deployment
level: medium
---
title: Suspicious Shadow Copy Deletion
id: c3d4e5f6-7890-12cd-ef34-567890123456
status: experimental
description: Detects commands attempting to delete shadow copies, a common ransomware tactic to prevent recovery, particularly associated with TeamPCP operations.
references:
  - https://www.infosecurity-magazine.com/news/industrialized-cyberattacks/
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.impact
  - attack.t1490
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\vssadmin.exe'
      - '\wmic.exe'
    CommandLine|contains:
      - 'delete shadows'
      - 'shadowstorage delete'
  condition: selection
falsepositives:
  - System maintenance activities
  - Legitimate backup management
level: high

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious mass file encryption patterns
let FileEncryptionThreshold = 100;
DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".locked" 
    or FileName endswith ".encrypted" 
    or FileName endswith ".teamPCP"
| summarize EncryptedFileCount = count(), 
    UniqueDirectories = dcount(FolderPath),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFolderPath
| where EncryptedFileCount > FileEncryptionThreshold
| extend TimeDelta = datetime_diff('minute', LastSeen, FirstSeen)
| where TimeDelta < 30  // More than 100 encrypted files in 30 minutes
| project DeviceName, 
    InitiatingProcessAccountName, 
    EncryptedFileCount, 
    UniqueDirectories,
    TimeDelta,
    FirstSeen,
    LastSeen,
    RiskScore = EncryptedFileCount * UniqueDirectories / (TimeDelta + 1)
| order by RiskScore desc

// Detect potential ransomware lateral movement
DeviceProcessEvents
| where FileName in~ ("psexec.exe", "psexec64.exe")
| where ProcessCommandLine has_any ("-accepteula", "-d", "-s")
| summarize Count = count(), 
    TargetHosts = dcount(ProcessCommandLine), 
    Processes = make_set(ProcessCommandLine)
    by DeviceName, AccountName, Timestamp
| where Count > 5
| project DeviceName, AccountName, Count, TargetHosts, Processes, Timestamp
| order by Count desc

// Identify shadow copy deletion attempts
DeviceProcessEvents
| where FileName in~ ("vssadmin.exe", "wmic.exe")
| where ProcessCommandLine has_any ("delete shadows", "shadowstorage delete")
| project Timestamp, 
    DeviceName, 
    AccountName, 
    FileName, 
    ProcessCommandLine, 
    InitiatingProcessFileName
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for ransomware encryption processes and suspicious mass file operations
SELECT * FROM foreach(
    SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
    FROM pslist()
    WHERE Name =~ '(?i)(encrypt|lock|crypto|teamPCP)'
      OR CommandLine =~ '(?i)-encrypt|-lock|-crypto|teamPCP'
      OR Exe =~ '(?i)(temp|appdata|public).*\\.*\.exe$'
) {
    SELECT Pid, 
           Name, 
           CommandLine, 
           Exe, 
           Username, 
           CreateTime,
           count(item=FullPaths) AS FileCount,
           group_by=Pid
    FROM glob(globs='**/*', root=Exe)
    WHERE FileCount > 50
}

-- Detect network connections associated with TeamPCP infrastructure
SELECT Connection.Pid, 
       Connection.RemoteAddr, 
       Connection.RemotePort, 
       Process.Name,
       Process.CommandLine,
       Connection.State
FROM netstat()
LEFT JOIN Process ON Connection.Pid = Process.Pid
WHERE Connection.RemotePort IN (443, 80, 445, 3389, 22)
  AND Connection.State = 'ESTABLISHED'
  AND (Process.Name =~ '(?i)(powershell|cmd|wmi|psexec)' 
       OR Process.CommandLine =~ '(?i)(download|invoke|request|curl|wget)')

-- Identify recent creation of suspicious encrypted files
SELECT FullPath, 
       Size, 
       Mode, 
       Mtime,
       Btime,
       Now() - Mtime AS AgeMinutes
FROM glob(globs=['C:/Users/**/*.locked', 'C:/Users/**/*.encrypted', 'C:/Users/**/*.teamPCP'])
WHERE AgeMinutes < 1440  // Files created in last 24 hours
ORDER BY Mtime DESC
LIMIT 500

Remediation Script (PowerShell)

PowerShell
# Ransomware Detection and Initial Response Script
# Version: 1.0
# Purpose: Detect indicators of industrialized ransomware activity and initiate containment

# Import required modules
Import-Module ActiveDirectory

# Configuration parameters
$LogPath = "C:\Windows\Temp\RansomwareDetection_$(Get-Date -Format 'yyyyMMdd_HHmmss').log"
$EncryptionExtensions = @('.locked', '.encrypted', '.teamPCP', '.crypt', '.enc')
$SuspiciousProcesses = @('teamPCP*', 'encrypt*', 'lock*', 'crypto*')
$CriticalServices = @('TermService', 'LanmanServer', 'W3SVC')

function Write-Log {
    param([string]$Message)
    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    "[$timestamp] $Message" | Out-File -FilePath $LogPath -Append
    Write-Host $Message
}

function Test-MassEncryption {
    Write-Log "Checking for mass file encryption activity..."
    
    $encryptionEvents = @()
    foreach ($extension in $EncryptionExtensions) {
        $files = Get-ChildItem -Path "C:\Users" -Filter "*$extension" -Recurse -ErrorAction SilentlyContinue -File | 
                 Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-2) }
        if ($files) {
            $encryptionEvents += $files
        }
    }
    
    if ($encryptionEvents.Count -gt 50) {
        Write-Log "CRITICAL: Detected $($encryptionEvents.Count) recently encrypted files. Potential ransomware activity."
        return $true
    }
    return $false
}

function Test-SuspiciousProcesses {
    Write-Log "Scanning for suspicious encryption processes..."
    
    $suspiciousFound = @()
    foreach ($pattern in $SuspiciousProcesses) {
        $processes = Get-Process | Where-Object { $_.ProcessName -like $pattern -or $_.Path -like "*$pattern*" }
        if ($processes) {
            foreach ($proc in $processes) {
                Write-Log "ALERT: Found suspicious process: $($proc.ProcessName) (PID: $($proc.Id), Path: $($proc.Path))"
                $suspiciousFound += $proc
            }
        }
    }
    return $suspiciousFound
}

function Test-ShadowCopyStatus {
    Write-Log "Checking shadow copy availability..."
    
    $shadowCopies = Get-CimInstance -ClassName Win32_ShadowCopy
    if ($shadowCopies.Count -eq 0) {
        Write-Log "WARNING: No shadow copies found. Potential indicator of ransomware activity."
        return $false
    }
    
    $recentShadows = $shadowCopies | Where-Object { $_.InstallDate -gt (Get-Date).AddDays(-1) }
    if ($recentShadows.Count -eq 0) {
        Write-Log "WARNING: No recent shadow copies found."
    }
    
    return $true
}

function Invoke-Containment {
    Write-Log " initiating emergency containment procedures..."
    
    # Disable inbound RDP
    Write-Log "Disabling RDP..."
    Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 1
    
    # Disable SMBv1
    Write-Log "Disabling SMBv1..."
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    
    # Stop critical non-essential services
    Write-Log "Stopping critical services..."
    foreach ($service in $CriticalServices) {
        if (Get-Service -Name $service -ErrorAction SilentlyContinue) {
            Stop-Service -Name $service -Force -ErrorAction SilentlyContinue
            Set-Service -Name $service -StartupType Disabled -ErrorAction SilentlyContinue
            Write-Log "Stopped and disabled service: $service"
        }
    }
    
    # Block suspicious processes
    Write-Log "Creating firewall rules to block ransomware processes..."
    foreach ($pattern in $SuspiciousProcesses) {
        New-NetFirewallRule -DisplayName "Block Ransomware Process $pattern" -Direction Outbound -Program "*$pattern*" -Action Block -ErrorAction SilentlyContinue
    }
}

function Get-RansomwareIndicators {
    Write-Log "Collecting ransomware indicators for IR..."
    
    $indicators = @{
        Timestamp = Get-Date
        Hostname = $env:COMPUTERNAME
        SuspiciousProcesses = @()
        EncryptedFiles = 0
        NetworkConnections = @()
        RecentEvents = @()
    }
    
    # Get suspicious processes
    $indicators.SuspiciousProcesses = Get-Process | 
        Where-Object { $_.ProcessName -match 'encrypt|lock|crypto|teamPCP' -or $_.CommandLine -match 'encrypt|lock|crypto|teamPCP' } | 
        Select-Object Id, ProcessName, Path, CommandLine, StartTime
    
    # Count encrypted files
    foreach ($extension in $EncryptionExtensions) {
        $count = (Get-ChildItem -Path "C:\Users" -Filter "*$extension" -Recurse -ErrorAction SilentlyContinue -File | 
                 Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-24) }).Count
        $indicators.EncryptedFiles += $count
    }
    
    # Get recent suspicious event logs
    $indicators.RecentEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Security', 'System', 'Application'
        StartTime = (Get-Date).AddHours(-2)
    } -MaxEvents 100 -ErrorAction SilentlyContinue | 
        Where-Object { $_.Message -match 'shadow copy|vssadmin|encryption|teamPCP' }
    
    return $indicators
}

# Main execution
Write-Log "Starting ransomware detection and initial response..."
Write-Log "Hostname: $env:COMPUTERNAME"
Write-Log "User: $env:USERNAME"

$massEncryptionDetected = Test-MassEncryption
$suspiciousProcesses = Test-SuspiciousProcesses
$shadowCopyStatus = Test-ShadowCopyStatus

if ($massEncryptionDetected -or $suspiciousProcesses.Count -gt 0) {
    Write-Log "CRITICAL: Ransomware indicators detected. Initiating containment."
    
    # Collect indicators before containment
    $indicators = Get-RansomwareIndicators
    $indicators | ConvertTo-Json | Out-File -FilePath "$LogPath.indicators."
    
    # Initiate containment
    Invoke-Containment
    
    Write-Log "CRITICAL: IMMEDIATE INCIDENT RESPONSE REQUIRED. Contact security team."
    Write-Log "Indicators saved to: $LogPath.indicators."
} else {
    Write-Log "No critical ransomware indicators detected at this time."
}

Write-Log "Script execution completed. Log saved to: $LogPath"

Remediation

Immediate Response Actions

  1. Isolate Affected Systems:

    • Disconnect infected systems from the network immediately
    • Disable all network interfaces including wireless adapters
    • Power off virtual machines if infrastructure is compromised
    • Do NOT reboot systems until forensic image is acquired
  2. Preserve Evidence:

    • Acquire forensic images of affected systems using write-blocking hardware
    • Capture volatile memory first (RAM) using appropriate tools
    • Document system state, running processes, network connections, and open files
    • Preserve Windows Event Logs, IIS logs, and application logs
  3. Password Reset:

    • Force password reset for all accounts, especially privileged ones
    • Revoke all existing Kerberos tickets
    • Reset service account credentials used by affected systems
    • Implement MFA where not already deployed

System Recovery Steps

  1. Identify Patient Zero:

    • Review logs to determine initial infection vector
    • Analyze firewall and proxy logs for suspicious ingress connections
    • Check VPN/RDP logs for unauthorized access
    • Review email logs for potential phishing delivery
  2. Rebuild from Known Good:

    • Do NOT trust backups from infected systems—verify integrity before restoration
    • Rebuild systems from clean media (gold images)
    • Apply all security patches before reconnecting to network
    • Restore data from offline, immutable backups only
  3. Vulnerability Remediation:

    • Patch all systems with the latest security updates
    • Disable unused services and protocols (RDP, SMBv1)
    • Implement network segmentation to limit lateral movement
    • Configure aggressive account lockout policies
  4. Monitoring Enhancements:

    • Deploy EDR/XDR solutions across all endpoints
    • Implement behavioral analytics for anomaly detection
    • Configure SIEM alerts for ransomware indicators
    • Establish 24/7 monitoring during recovery period

Long-Term Security Improvements

  1. Backup Strategy:

    • Implement 3-2-1 backup rule (3 copies, 2 media types, 1 offsite)
    • Ensure backups are immutable and air-gapped where possible
    • Test restoration procedures quarterly
    • Encrypt backups both in transit and at rest
  2. Access Controls:

    • Implement just-in-time (JIT) access for administrative privileges
    • Enforce least privilege across all systems
    • Deploy Privileged Access Management (PAM) solution
    • Regular access reviews and recertification
  3. Security Architecture:

    • Implement zero trust network architecture principles
    • Deploy network micro-segmentation
    • Configure application allow-listing
    • Implement secure remote access with MFA

Official Resources

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwarebreach-responseforensicsdfirteampcpencryption-attacksindustrialized-threatsdetection-response

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.