MEGAsync Forensics and Intrusion Attribution
ID: 7268959a-407a-5068-b615-a95a4a13e716
STIX ID: report--7268959a-407a-5068-b615-a95a4a13e716
Feed Name: NVISO Labs
This blog post describes how forensic analysis of MEGAsync's Statecache SQLite database can reveal locally synced and remotely available files used for exfiltration. The investigators used a custom tool (mega-statecache.py) to enumerate nodes, recover evidence of past exfiltrations, identify additional victims, and attribute the activity to a LockBit affiliate. The case demonstrates that ransomware actors continue to use legitimate cloud services for data theft.
