0mega

T1078Valid Accounts

Access was obtained through the compromise of global Microsoft SaaS administrator accounts that were weakly protected.

T1136Create Account: Cloud Account

After gaining initial access, the group created a new user in Active Directory (AD) named "0mega" with multiple administrator roles (e.g., Global Administrator, SharePoint Administrator) to maintain maximum control.

T1531Account Access Removal

The group systematically deleted over 220 corporate administrator accounts within a two-hour period, impairing the victim's ability to respond and recover.

T1119Automated Collection

The group collected sensitive data using the obtained permissions.

T1041Exfiltration Over C2 Channel

Data was exfiltrated from environments such as the victim's SharePoint, consistent with a double extortion tactic.

T1486Data Encrypted for Impact

The attack used AES-256 or RSA encryption on critical files after network mapping, blocking legitimate access. In some cases, the focus was solely on exfiltration and extortion without encryption.

T1490Inhibit System Recovery

The ransomware searched for and disabled connected or online backups to prevent quick data recovery without paying the ransom.