According to the latest reports, LostTrust is thought to be the rebranding of MetaEncryptor, which is using almost identical data leak sites and encryption methods as MetaEncryptor had used in the past. There was a cyber attack by the LostTrust group in March 2023, however, the site was not widely known until September, when the group began employing a data leak site to inform people about their attacks.
Several suspicious sites listed at metaencryptor.com have been identified as being related to LostTrust ransomware due to the similarity of the data leak websites and Windows encryption programs. The cybersecurity researcher Stefano Favarato has discovered that two ransomware gangs are using the same template and bios on their websites, with the gangs touting the experience of their members having worked in network security for 15 years or more, and each trio promoting itself as network security specialists as well.
MalwareHunterTeam points out that both LostTrust and MetaEncryptor were using the SFile2 ransomware encryptor as the basis to encrypt their files, and only slight differences were found between their ransom notes, notes names, embedded public keys, and stored encrypted file extensions.
MetaEncryptor has Been Rebranded
In August 2022, MetaEncryptor was launched, and through July 2023, twelve victims were added to the data leak website as a result of this ransomware infection. After this point, no new victims were added to the site.
According to cybersecurity researcher Stefano Favarato, the 'LostTrust' gang has released a new data leak website this month, which uses the same template and bio as the one used by MetaEncryptor's data leak site created earlier this year.
The researchers were also able to find that LostTrust and MetaEncryptor are virtually identical encryptors, with some minor differences due to the ransom notes, embedded public keys, the names of the ransom notes, and the encrypted file extensions that are used.
According to MalwareHunterTeam, a cybersecurity researcher from BleepingComputer, the SFile2 ransomware encryptor is also the basis of the LostTrust and MetaEncryptor ransomware encryptors.
A scan conducted by Intezer of the LostTrust and SFile encryptors shows a significant amount of code overlap between them, which further supports this relationship between them.
There is a consensus among industry experts that LostTrust is a rebranding of MetaEncryptor, which can be attributed to the significant overlap between the two operators.
It has been revealed that further analysis of the LostTrust encryption tool has revealed that during execution, several Windows services have been disabled, and several Microsoft Exchange services have been deactivated before encryption in order to prevent any additional attacks.
Based on the ransom notes provided by the operation, members of the organization were once ethical hackers who became involved with cybercrime after being underpaid for their work.
An Encryption Algorithm Known as LostTrust
Using onlypath and enable-shares as command line arguments, you can install the encryptor without encrypting any network drives, and onlypath can also encrypt specific paths.
A console window will open when you launch the encryptor, explaining what is going on with the encryption process at the moment.
It is worth noting that the string 'METAENCRYPTING' is present in the encryptor, which indicates that it is a modified MetaEncryptor encryptor.
The LostTrust application performs several pre-defined actions to ensure all files are encrypted upon execution. This includes disabling and stopping Windows services which contain the Firebird, MSSQL, SQL, Exchange, WSBEX, PostgreSQL, BACKP, tomcat, SBS, and SharePoint strings.
As part of the encryption process, other Microsoft Exchange-related services will also be disabled and stopped by the encryptor.
There will be an impending influx of ransom notes named !LostTrustEncoded.txt that will appear in every folder on the device and contain the threat actors introducing themselves as former white hat hackers who decided to switch to crime after being extremely low-paid.
There is a unique link to the ransomware gang's Tor negotiation site within these ransom notes that provides information about what happened to the company's files and the ransomware gang's activities. There is no built-in feature on the negotiation site that allows company representatives to communicate with threat actors other than using a chat facility.
It appears that the LostTrust ransomware resurfaced recently, a suspected rebrand of the MetaEncryptor gang. Both the ransomware's tactics and encryption methods are strikingly similar. Despite remaining relatively unknown until September, it appears as though this enigmatic group developed as ethical hackers who turned into cybercriminals for financial gain. Through the ransom notes, victims can communicate with the group through a Tor negotiation site, offering a unique link to connect with them.
