Introduction
Security researchers have issued a critical warning regarding a dangerous new development in the ransomware landscape: a major encryption-based cyber incident gang has partnered with TeamPCP, a known threat actor group. This collaboration threatens to accelerate "industrialized" cyber-attacks, potentially leading to unprecedented scale and efficiency in ransomware operations. The FBI has also issued an advisory highlighting the severity of this threat alliance.
What makes this partnership particularly concerning is the potential for combining sophisticated encryption techniques with streamlined attack infrastructure. For defenders, this means we must prepare for faster, more widespread encryption events that can devastate organizations before detection mechanisms trigger. The time from initial compromise to full system encryption may shrink dramatically, reducing our already narrow incident response windows.
This blog post provides actionable detection strategies and remediation guidance to help security teams defend against this emerging industrialized threat.
Technical Analysis
Threat Overview
The collaboration between a prominent ransomware operation and TeamPCP represents a shift toward more industrialized attack methodologies. Rather than manual, targeted operations, this partnership aims to automate and scale encryption-based attacks, potentially affecting multiple organizations simultaneously through pre-established infrastructure.
Attack Chain Analysis
Based on available intelligence, the attack chain follows a sophisticated multi-stage approach:
- Initial Access: Through exposed Remote Desktop Protocol (RDP), VPN vulnerabilities, or phishing campaigns delivering malicious attachments
- Credential Harvesting: Using tools like Mimikatz or specialized utilities to dump credentials for lateral movement
- Lateral Movement: Leveraging stolen credentials and PsExec, WMI, or SMB for network propagation
- Privilege Escalation: Exploiting misconfigurations or known vulnerabilities to gain domain admin privileges
- Data Exfiltration: Before encryption, sensitive data is exfiltrated to cloud storage for double-extortion leverage
- System Encryption: Deploying industrialized encryption tools capable of encrypting hundreds of systems in parallel
Affected Platforms
- Windows Server 2019/2022
- Windows 10/11 Enterprise editions
- Virtualized environments (VMware, Hyper-V)
- Network-attached storage (NAS) devices
- Backup systems (Veeam, Commvault, and similar platforms)
Exploitation Status
Active exploitation has been confirmed in the wild, with multiple incident response firms reporting cases involving this collaboration. The attack infrastructure is operational and actively targeting organizations across multiple sectors, including critical infrastructure, healthcare, and financial services.
Detection & Response
The following detection rules and hunt queries are designed to identify behaviors associated with this specific ransomware partnership and industrialized encryption attacks.
SIGMA Rules
---
title: Suspicious Mass File Encryption Activity
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects patterns consistent with industrialized mass file encryption operations, including rapid file modifications across multiple directories.
references:
- https://www.infosecurity-magazine.com/news/industrialized-cyberattacks/
author: Security Arsenal
date: 2026/05/15
tags:
- attack.impact
- attack.t1486
logsource:
category: file_change
product: windows
detection:
selection:
TargetFilename|endswith:
- '.locked'
- '.encrypted'
- '.teamPCP'
condition: selection
falsepositives:
- Legitimate encryption tools
- File system utilities
level: high
---
title: Ransomware Lateral Movement via PsExec
id: b2c3d4e5-6789-01bc-def2-345678901234
status: experimental
description: Detects potential ransomware lateral movement using PsExec with suspicious parameters consistent with TeamPCP-affiliated operations.
references:
- https://www.infosecurity-magazine.com/news/industrialized-cyberattacks/
author: Security Arsenal
date: 2026/05/15
tags:
- attack.lateral_movement
- attack.t1021.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\psexec.exe'
- '\psexec64.exe'
CommandLine|contains:
- '-accepteula'
- '\\*'
filter:
User|contains:
- 'ADMIN'
- 'svc_'
condition: selection and not filter
falsepositives:
- System administration activities
- Legitimate software deployment
level: medium
---
title: Suspicious Shadow Copy Deletion
id: c3d4e5f6-7890-12cd-ef34-567890123456
status: experimental
description: Detects commands attempting to delete shadow copies, a common ransomware tactic to prevent recovery, particularly associated with TeamPCP operations.
references:
- https://www.infosecurity-magazine.com/news/industrialized-cyberattacks/
author: Security Arsenal
date: 2026/05/15
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\vssadmin.exe'
- '\wmic.exe'
CommandLine|contains:
- 'delete shadows'
- 'shadowstorage delete'
condition: selection
falsepositives:
- System maintenance activities
- Legitimate backup management
level: high
KQL (Microsoft Sentinel / Defender)
// Hunt for suspicious mass file encryption patterns
let FileEncryptionThreshold = 100;
DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".locked"
or FileName endswith ".encrypted"
or FileName endswith ".teamPCP"
| summarize EncryptedFileCount = count(),
UniqueDirectories = dcount(FolderPath),
FirstSeen = min(Timestamp),
LastSeen = max(Timestamp)
by DeviceName, InitiatingProcessAccountName, InitiatingProcessFolderPath
| where EncryptedFileCount > FileEncryptionThreshold
| extend TimeDelta = datetime_diff('minute', LastSeen, FirstSeen)
| where TimeDelta < 30 // More than 100 encrypted files in 30 minutes
| project DeviceName,
InitiatingProcessAccountName,
EncryptedFileCount,
UniqueDirectories,
TimeDelta,
FirstSeen,
LastSeen,
RiskScore = EncryptedFileCount * UniqueDirectories / (TimeDelta + 1)
| order by RiskScore desc
// Detect potential ransomware lateral movement
DeviceProcessEvents
| where FileName in~ ("psexec.exe", "psexec64.exe")
| where ProcessCommandLine has_any ("-accepteula", "-d", "-s")
| summarize Count = count(),
TargetHosts = dcount(ProcessCommandLine),
Processes = make_set(ProcessCommandLine)
by DeviceName, AccountName, Timestamp
| where Count > 5
| project DeviceName, AccountName, Count, TargetHosts, Processes, Timestamp
| order by Count desc
// Identify shadow copy deletion attempts
DeviceProcessEvents
| where FileName in~ ("vssadmin.exe", "wmic.exe")
| where ProcessCommandLine has_any ("delete shadows", "shadowstorage delete")
| project Timestamp,
DeviceName,
AccountName,
FileName,
ProcessCommandLine,
InitiatingProcessFileName
| order by Timestamp desc
Velociraptor VQL
-- Hunt for ransomware encryption processes and suspicious mass file operations
SELECT * FROM foreach(
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ '(?i)(encrypt|lock|crypto|teamPCP)'
OR CommandLine =~ '(?i)-encrypt|-lock|-crypto|teamPCP'
OR Exe =~ '(?i)(temp|appdata|public).*\\.*\.exe$'
) {
SELECT Pid,
Name,
CommandLine,
Exe,
Username,
CreateTime,
count(item=FullPaths) AS FileCount,
group_by=Pid
FROM glob(globs='**/*', root=Exe)
WHERE FileCount > 50
}
-- Detect network connections associated with TeamPCP infrastructure
SELECT Connection.Pid,
Connection.RemoteAddr,
Connection.RemotePort,
Process.Name,
Process.CommandLine,
Connection.State
FROM netstat()
LEFT JOIN Process ON Connection.Pid = Process.Pid
WHERE Connection.RemotePort IN (443, 80, 445, 3389, 22)
AND Connection.State = 'ESTABLISHED'
AND (Process.Name =~ '(?i)(powershell|cmd|wmi|psexec)'
OR Process.CommandLine =~ '(?i)(download|invoke|request|curl|wget)')
-- Identify recent creation of suspicious encrypted files
SELECT FullPath,
Size,
Mode,
Mtime,
Btime,
Now() - Mtime AS AgeMinutes
FROM glob(globs=['C:/Users/**/*.locked', 'C:/Users/**/*.encrypted', 'C:/Users/**/*.teamPCP'])
WHERE AgeMinutes < 1440 // Files created in last 24 hours
ORDER BY Mtime DESC
LIMIT 500
Remediation Script (PowerShell)
# Ransomware Detection and Initial Response Script
# Version: 1.0
# Purpose: Detect indicators of industrialized ransomware activity and initiate containment
# Import required modules
Import-Module ActiveDirectory
# Configuration parameters
$LogPath = "C:\Windows\Temp\RansomwareDetection_$(Get-Date -Format 'yyyyMMdd_HHmmss').log"
$EncryptionExtensions = @('.locked', '.encrypted', '.teamPCP', '.crypt', '.enc')
$SuspiciousProcesses = @('teamPCP*', 'encrypt*', 'lock*', 'crypto*')
$CriticalServices = @('TermService', 'LanmanServer', 'W3SVC')
function Write-Log {
param([string]$Message)
$timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
"[$timestamp] $Message" | Out-File -FilePath $LogPath -Append
Write-Host $Message
}
function Test-MassEncryption {
Write-Log "Checking for mass file encryption activity..."
$encryptionEvents = @()
foreach ($extension in $EncryptionExtensions) {
$files = Get-ChildItem -Path "C:\Users" -Filter "*$extension" -Recurse -ErrorAction SilentlyContinue -File |
Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-2) }
if ($files) {
$encryptionEvents += $files
}
}
if ($encryptionEvents.Count -gt 50) {
Write-Log "CRITICAL: Detected $($encryptionEvents.Count) recently encrypted files. Potential ransomware activity."
return $true
}
return $false
}
function Test-SuspiciousProcesses {
Write-Log "Scanning for suspicious encryption processes..."
$suspiciousFound = @()
foreach ($pattern in $SuspiciousProcesses) {
$processes = Get-Process | Where-Object { $_.ProcessName -like $pattern -or $_.Path -like "*$pattern*" }
if ($processes) {
foreach ($proc in $processes) {
Write-Log "ALERT: Found suspicious process: $($proc.ProcessName) (PID: $($proc.Id), Path: $($proc.Path))"
$suspiciousFound += $proc
}
}
}
return $suspiciousFound
}
function Test-ShadowCopyStatus {
Write-Log "Checking shadow copy availability..."
$shadowCopies = Get-CimInstance -ClassName Win32_ShadowCopy
if ($shadowCopies.Count -eq 0) {
Write-Log "WARNING: No shadow copies found. Potential indicator of ransomware activity."
return $false
}
$recentShadows = $shadowCopies | Where-Object { $_.InstallDate -gt (Get-Date).AddDays(-1) }
if ($recentShadows.Count -eq 0) {
Write-Log "WARNING: No recent shadow copies found."
}
return $true
}
function Invoke-Containment {
Write-Log " initiating emergency containment procedures..."
# Disable inbound RDP
Write-Log "Disabling RDP..."
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 1
# Disable SMBv1
Write-Log "Disabling SMBv1..."
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Stop critical non-essential services
Write-Log "Stopping critical services..."
foreach ($service in $CriticalServices) {
if (Get-Service -Name $service -ErrorAction SilentlyContinue) {
Stop-Service -Name $service -Force -ErrorAction SilentlyContinue
Set-Service -Name $service -StartupType Disabled -ErrorAction SilentlyContinue
Write-Log "Stopped and disabled service: $service"
}
}
# Block suspicious processes
Write-Log "Creating firewall rules to block ransomware processes..."
foreach ($pattern in $SuspiciousProcesses) {
New-NetFirewallRule -DisplayName "Block Ransomware Process $pattern" -Direction Outbound -Program "*$pattern*" -Action Block -ErrorAction SilentlyContinue
}
}
function Get-RansomwareIndicators {
Write-Log "Collecting ransomware indicators for IR..."
$indicators = @{
Timestamp = Get-Date
Hostname = $env:COMPUTERNAME
SuspiciousProcesses = @()
EncryptedFiles = 0
NetworkConnections = @()
RecentEvents = @()
}
# Get suspicious processes
$indicators.SuspiciousProcesses = Get-Process |
Where-Object { $_.ProcessName -match 'encrypt|lock|crypto|teamPCP' -or $_.CommandLine -match 'encrypt|lock|crypto|teamPCP' } |
Select-Object Id, ProcessName, Path, CommandLine, StartTime
# Count encrypted files
foreach ($extension in $EncryptionExtensions) {
$count = (Get-ChildItem -Path "C:\Users" -Filter "*$extension" -Recurse -ErrorAction SilentlyContinue -File |
Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-24) }).Count
$indicators.EncryptedFiles += $count
}
# Get recent suspicious event logs
$indicators.RecentEvents = Get-WinEvent -FilterHashtable @{
LogName = 'Security', 'System', 'Application'
StartTime = (Get-Date).AddHours(-2)
} -MaxEvents 100 -ErrorAction SilentlyContinue |
Where-Object { $_.Message -match 'shadow copy|vssadmin|encryption|teamPCP' }
return $indicators
}
# Main execution
Write-Log "Starting ransomware detection and initial response..."
Write-Log "Hostname: $env:COMPUTERNAME"
Write-Log "User: $env:USERNAME"
$massEncryptionDetected = Test-MassEncryption
$suspiciousProcesses = Test-SuspiciousProcesses
$shadowCopyStatus = Test-ShadowCopyStatus
if ($massEncryptionDetected -or $suspiciousProcesses.Count -gt 0) {
Write-Log "CRITICAL: Ransomware indicators detected. Initiating containment."
# Collect indicators before containment
$indicators = Get-RansomwareIndicators
$indicators | ConvertTo-Json | Out-File -FilePath "$LogPath.indicators."
# Initiate containment
Invoke-Containment
Write-Log "CRITICAL: IMMEDIATE INCIDENT RESPONSE REQUIRED. Contact security team."
Write-Log "Indicators saved to: $LogPath.indicators."
} else {
Write-Log "No critical ransomware indicators detected at this time."
}
Write-Log "Script execution completed. Log saved to: $LogPath"
Remediation
Immediate Response Actions
-
Isolate Affected Systems:
- Disconnect infected systems from the network immediately
- Disable all network interfaces including wireless adapters
- Power off virtual machines if infrastructure is compromised
- Do NOT reboot systems until forensic image is acquired
-
Preserve Evidence:
- Acquire forensic images of affected systems using write-blocking hardware
- Capture volatile memory first (RAM) using appropriate tools
- Document system state, running processes, network connections, and open files
- Preserve Windows Event Logs, IIS logs, and application logs
-
Password Reset:
- Force password reset for all accounts, especially privileged ones
- Revoke all existing Kerberos tickets
- Reset service account credentials used by affected systems
- Implement MFA where not already deployed
System Recovery Steps
-
Identify Patient Zero:
- Review logs to determine initial infection vector
- Analyze firewall and proxy logs for suspicious ingress connections
- Check VPN/RDP logs for unauthorized access
- Review email logs for potential phishing delivery
-
Rebuild from Known Good:
- Do NOT trust backups from infected systems—verify integrity before restoration
- Rebuild systems from clean media (gold images)
- Apply all security patches before reconnecting to network
- Restore data from offline, immutable backups only
-
Vulnerability Remediation:
- Patch all systems with the latest security updates
- Disable unused services and protocols (RDP, SMBv1)
- Implement network segmentation to limit lateral movement
- Configure aggressive account lockout policies
-
Monitoring Enhancements:
- Deploy EDR/XDR solutions across all endpoints
- Implement behavioral analytics for anomaly detection
- Configure SIEM alerts for ransomware indicators
- Establish 24/7 monitoring during recovery period
Long-Term Security Improvements
-
Backup Strategy:
- Implement 3-2-1 backup rule (3 copies, 2 media types, 1 offsite)
- Ensure backups are immutable and air-gapped where possible
- Test restoration procedures quarterly
- Encrypt backups both in transit and at rest
-
Access Controls:
- Implement just-in-time (JIT) access for administrative privileges
- Enforce least privilege across all systems
- Deploy Privileged Access Management (PAM) solution
- Regular access reviews and recertification
-
Security Architecture:
- Implement zero trust network architecture principles
- Deploy network micro-segmentation
- Configure application allow-listing
- Implement secure remote access with MFA
Official Resources
- CISA Ransomware Guide: https://www.cisa.gov/stopransomware
- FBI Flash Alerts: https://www.ic3.gov/Media/Y2022/PSA221221
- NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
- No More Ransom Project: https://www.nomoreransom.org/
Related Resources
Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.