Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Conti. Show all posts

U.S. Government Escalates Sanctions to Combat Rising Cybersecurity Threats

 

In a significant move to combat rising cyber threats, the U.S. government has intensified its use of sanctions against cybercriminals. This escalation comes in response to an increasing number of ransomware attacks and other cybercrimes targeting American infrastructure, businesses, and individuals. The latest sanctions target hackers and cyber groups responsible for some of the most severe breaches in recent history. 

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has spearheaded these efforts. By freezing assets and prohibiting transactions with designated individuals and entities, OFAC aims to disrupt the financial networks that support these cybercriminal operations. This strategy seeks not only to punish those directly involved in cyber attacks but also to deter future incidents by raising the financial and operational costs for would-be hackers. 

One of the key targets of these sanctions is the notorious ransomware group, Conti. This group has been linked to numerous high-profile attacks, including the devastating breach of Ireland’s Health Service Executive in 2021, which disrupted healthcare services nationwide. By imposing sanctions on Conti and associated individuals, the U.S. government aims to dismantle the group’s operational capabilities and limit its reach. 

In addition to Conti, the sanctions list includes individuals connected to Evil Corp, a cybercrime syndicate known for deploying Dridex malware. This malware has been used to steal financial information and execute large-scale ransomware attacks. The sanctions against Evil Corp reflect a broader strategy to target the infrastructure and personnel behind such sophisticated cyber threats. The increase in sanctions also aligns with international efforts to tackle cybercrime. The U.S. has collaborated with allies to coordinate sanctions and share intelligence, creating a united front against global cyber threats. 

This cooperation underscores the recognition that cybercrime is a transnational issue requiring a collective response. Despite these aggressive measures, the fight against cybercrime is far from over. Cybercriminals continually evolve their tactics, finding new ways to bypass security measures and exploit vulnerabilities. The U.S. government’s approach highlights the need for ongoing vigilance, robust cybersecurity practices, and international collaboration to effectively combat these threats. 

In addition to sanctions, the U.S. government is investing in enhancing its cyber defenses. This includes increasing funding for cybersecurity initiatives, promoting public-private partnerships, and encouraging the adoption of best practices across critical sectors. These efforts aim to build resilience against cyber attacks and ensure that the country can swiftly respond to and recover from incidents when they occur. The impact of these sanctions is already being felt within the cybercriminal community. Reports indicate that some groups are experiencing difficulties in accessing funds and recruiting new members due to the increased scrutiny and financial restrictions. 

While it is too early to declare victory, these sanctions represent a significant step in disrupting the operations of major cyber threats. In conclusion, the U.S. government’s use of sanctions against cybercriminals marks a critical development in the fight against cyber threats. By targeting the financial networks that sustain these operations, the government aims to weaken and deter cybercriminals. However, the dynamic nature of cybercrime necessitates continuous adaptation and international cooperation to protect against evolving threats. 

Security Researchers Establish Connections Between 3AM Ransomware and Conti, Royal Cybercriminal Groups

 

Security researchers examining the operations of the recently surfaced 3AM ransomware group have unveiled strong connections with notorious entities like the Conti syndicate and the Royal ransomware gang.

The 3AM ransomware, also known as ThreeAM, has adopted a novel extortion strategy: publicly revealing data leaks to victims' social media followers and utilizing bots to respond to influential accounts on X (formerly Twitter), directing them to the compromised data.

Initially observed by Symantec's Threat Hunter Team in mid-September, 3AM gained attention after threat actors shifted from deploying LockBit malware. According to French cybersecurity firm Intrinsec, ThreeAM is likely affiliated with the Royal ransomware group, now rebranded as Blacksuit, consisting of former members of Team 2 within the Conti syndicate.

As Intrinsec delved into their investigation, they found substantial overlap in communication channels, infrastructure, and tactics between 3AM and the Conti syndicate. Notably, an IP address listed by Symantec as a network indicator of compromise led researchers to a PowerShell script for dropping Cobalt Strike on VirusTotal.

Further investigation uncovered a SOCKS4 proxy on TCP port 8000, a TLS certificate associated with an RDP service, and HTML content from 3AM's data leak site indexed by the Shodan platform. The servers involved were traced back to the Lithuanian hosting company, Cherry Servers, known for hosting malware despite having a low fraud risk.

Intrinsec's findings aligned with a report from Bridewell, connecting the IP subnet to the ALPHV/BlackCat ransomware operation. This group, not part of the Conti syndicate but allied, was identified as having ties to IcedID malware used in Conti attacks.

In addition to technical details, Intrinsec uncovered 3AM's experiment with a new extortion technique. The gang set up a Twitter account in August, using it to reply to tweets from victims and high-profile accounts, linking to the data leak site on the Tor network. Intrinsec suspected the use of a Twitter bot for a name-and-shame campaign, noting an unusually high volume of automated replies.

Despite 3AM's perceived lack of sophistication compared to Royal, the researchers cautioned against underestimating its potential for deploying numerous attacks. The article concludes with a broader context on the Conti syndicate, its dissolution, and the emergence of affiliated groups like Royal ransomware.

Researchers: 'Black Basta' Group Rakes in Over $100 Million

 

A cyber extortion group believed to be an offshoot of the infamous Russian Conti hacker organization has reportedly amassed over $100 million since its emergence last year, according to a report published on Wednesday by digital currency tracking service Elliptic and Corvus Insurance.

The group, known as "Black Basta," has allegedly extorted at least $107 million in bitcoin, with a significant portion of the laundered ransom payments flowing to the sanctioned Russian cryptocurrency exchange Garantex, as revealed in the joint report. Attempts to contact Black Basta through its dark web site were unsuccessful. Garantex, which faced U.S. Treasury sanctions in April of the previous year, expressed support for global initiatives combatting cybercrime and urged information-sharing regarding the hackers' finances, pledging to block suspicious funds.

Elliptic co-founder Tom Robinson characterized Black Basta's substantial earnings as making it "one of the most profitable ransomware strains of all time." The researchers arrived at this figure by identifying known ransom payments linked to the group, tracing the laundering of digital currency, and discovering additional payments.

Robert McArdle, a cybercrime expert from security firm TrendMicro not involved in the report, deemed the reported Black Basta figure "certainly in a believable range for their operations."

The Elliptic-Corvus report also presented evidence linking Black Basta to the now-defunct Russian group "Canti." Conti, formerly a prominent ransomware gang, gained notoriety for coercing victims through data encryption, ransom demands, and threats to publish stolen information. 

The report suggests that individuals from Conti, following the dismantling of its leak site after Russia's invasion of Ukraine and the subsequent posting of U.S. bounties on its leadership, may have reorganized and rebranded, with Black Basta potentially being a manifestation of this restructuring.

"Conti was perhaps the most successful ransomware gang we've seen," remarked Robinson. The recent findings indicate that some individuals responsible for Conti's success might be replicating it with the Black Basta ransomware, he added.

LockBit 3.0: Launch of Ransomware Bug Bounty Program

 

The "LockBit 3.0" ransomware update from the LockBit ransomware organization features the first spyware bug bounty program, new extortion methods, and Zcash cryptocurrency payment choices. After two months of beta testing, the notorious gang's ransomware-as-a-service (RaaS) operation, which has been operational since 2019, recently underwent an alteration. It appears that hackers have already employed LockBit 3.0.

Bug bounty plan for LockBit 3.0 

With the launch of LockBit 3.0, the organization launched the first bug bounty program provided by a ransomware gang, which asks security researchers to disclose bugs in exchange for incentives that can go as high as $1 million. In addition to providing bounties for vulnerabilities, LockBit also pays rewards for "great ideas" to enhance the ransomware activity and for doxing the operator of the affiliate program, identified as LockBitSupp, which had previously posted a bounty plan in April on the XSS hacking site.

"We open our bug bounty program to any security researchers, ethical and unethical hackers worldwide. The compensation ranges from $1,000 to $1,000,000," reads the page for the LockBit 3.0 bug reward. The notion of initiating the criminal operation would be against the law in many nations, however, makes this bug reward scheme a little different from those frequently utilized by respectable businesses.

LeMagIT claims that version 3.0 of LockBit includes several other improvements, such as new methods for data recovery and monetization, as well as the option for victims to choose to have their data destroyed, and the ability for victims to make payments using the Zcash cryptocurrency in addition to Bitcoin and Monero. 

LockBit is producing outcomes. In May, LockBit 2.0 succeeded Conti as the leading provider of ransomware as a service. The gang's previous ransomware, LockBit 2.0, was to be blamed for 40% of the attacks that NCC Group observed in the preceding month. Moreover, according to Matt Hull, worldwide lead for strategic threat intelligence at NCC, The most prolific threat actor of 2022 is Lockbit 2.0,  In times like these, it's imperative that businesses become familiar with their strategies, methods, and processes.

It is unclear how this new extortion technique will operate or even whether it is activated because the LockBit 3.0 data leak site currently does not have any victims. With its public-facing manager actively interacting with other malicious actors and the cybersecurity community, LockBit is one of the most prolific ransomware campaigns.

New Emotet Variant Capturing Users' Credit Card Data from Google Chrome

 

The Emotet botnet is now attempting to infect potential victims with a credit card stealer module designed to capture credit card information from Google Chrome user accounts. 

After obtaining credit card information (such as name, expiration month and year, and card numbers), the malware will transfer it to command-and-control (C2) servers that are not the same as those used by the Emotet card stealer module. 

The Proofpoint Threat Insights team said, "On June 6th, Proofpoint observed a new Emotet module being dropped by the E4 botnet. To our surprise, it was a credit card stealer that was solely targeting the Chrome browser. Once card details were collected they were exfiltrated to different C2 servers than the module loader." 

This shift in behaviour follows an increase in activity in April and a move to 64-bit modules, as discovered by the Cryptolaemus security research group. One week later, Emotet began using Windows shortcut files (.LNK) to run PowerShell instructions on victims' devices, abandoning Microsoft Office macros, which were disabled by default beginning in early April 2022. 

The re-emergence of Emotet malware:

In 2014, the Emotet malware was created and used in assaults as a banking trojan. It has developed into a botnet used by the TA542 threat group (also known as Mummy Spider) to deliver second-stage payloads. 

It also enables its operators to steal user data, conduct reconnaissance on compromised networks, and migrate laterally to susceptible devices. Emotet is renowned for deploying Qbot and Trickbot malware trojan payloads on infected PCs, which are then used to spread more malware, such as Cobalt Strike beacons and ransomware like Ryuk and Conti. Emotet's infrastructure was destroyed in early 2021 as part of an international law enforcement operation that also resulted in the arrest of two people.

When Emotet research organisation Cryptolaemus, computer security firm GData, and cybersecurity firm Advanced Intel all spotted the TrickBot malware being used to deliver an Emotet loader in November 2021, the botnet returned utilising TrickBot's previously established infrastructure.

According to ESET, Emotet's activity has increased more than 100-fold since the beginning of the year, with its activity rising more than 100-fold against T3 2021.

Conti Ransomware Shuts Down and Rebrands Itself

 

The Conti ransomware group has effectively put a stop to their operation by shutting down its infrastructure and informing its team leaders that the brand no longer exists. Advanced Intel's Yelisey Boguslavskiy tweeted that the gang's internal infrastructure had been shut down.

The Tor admin panels that members used to conduct negotiations and post "news" on their data leak site are currently down, according to BleepingComputer. Despite the fact that the public-facing 'Conti News' data dump and the ransom negotiation website are still available. 

As per Bleeping Computer, "The agenda to conduct the attack on Costa Rica for the purpose of publicity instead of ransom was declared internally by the Conti leadership. Internal communications between group members suggested that the requested ransom payment was far below $1 million USD (despite unverified claims of the ransom being $10 million USD, followed by Conti’s own claims that the sum was $20 million USD)". 

Despite the fact that the Conti ransomware brand has been retired, the cybercrime organisation will continue to play a significant role in the ransomware industry for some time. Rather than rebranding as another large ransomware organisation, Conti leadership has collaborated with other minor ransomware gangs to carry out attacks. 

Smaller ransomware gangs profit from this alliance because they have access to professional Conti pentesters, negotiators, and operators. The Conti cybercrime syndicate is able to expand its mobility and ability to dodge law enforcement more effectively by subdividing into smaller "cells" that are all monitored by the central leadership.

Conti has worked with a wide range of well-known ransomware operations, according to a study published by Advanced Intel. Conti's current members, which include negotiators, intelligence analysts, pentesters, and coders, are scattered throughout several ransomware operations. Despite the fact that they will now employ the same encryptors and negotiation sites as the other ransomware operation, they remain part of the larger Conti criminal group.

Karakurt Hacking Group Linked to Conti and Diavol Ransomware Crew

 

Cybersecurity researchers from Arctic Wolf Networks published a blog post on Friday claiming that the cyber extortion group Karakurt is operationally associated with both the Conti and Diavol ransomware groups, operating as an exfiltration arm of the ransomware organizations. 

In a blog post, researchers said since its first attacks in August 2021, Karakurt hacking group has targeted more than 40 organizations in a number of industries in at least eight nations.

In conducting the in-depth research Tetra Defense, an Arctic Wolf firm, collaborated with Chainalysis and Northwave to examine the cryptocurrency wallets tied to the Karakurt hacker group, combined with their specific technique for data theft. The analysis confirmed that the group's membership overlaps with the Conti and Diavol ransomware crews. 

Tetra's report reveals the experience of a client firm that was targeted by the Conti group, and subsequently targeted again by a data theft perpetrated by the Karakurt hacking group. The analysis confirmed that the Karakurt attack employed an identical backdoor to exploit the client's systems as the earlier Conti assault. These associations debunk the Conti group’s assurance to victims that paying the ransom will shield them from future assaults.

"Such access could only be obtained through some sort of purchase, relationship, or surreptitiously gaining access to Conti group infrastructure," Tetra explained in its report. 

It is essential to distinguish the several types of cyber assault described right here, according to Tetra. In a ransomware attack, critical information is encrypted and the ransom is paid in exchange for a decryption key so that the victim can recover its data and resume operating. In a data theft, which has been the sole type of attack orchestrated by the Karakurt group, threat actors steal sensitive corporate data and demand money in exchange for not releasing it. 

The Karakurt attacks of this type — there have been more than a dozen to date, according to Tetra — also employed cryptocurrency wallets associated with Conti victim payment addresses, further strengthening the argument that the two groups' membership may overlap significantly. 

“Traditionally, we have seen the criminals honor their offers,” Nathan Little, senior vice chairman of digital forensics and incident response at Tetra stated. “Early on, when these [data theft attacks] began in 2019, it was widespread that corporations had been frightened sufficient that they’d pay, to not cover the incident, however to keep away from the results.”

Emotet Malware Campaign Masquerades the IRS for 2022 Tax Season

 

The Emotet malware botnet is taking advantage of the 2022 tax season in the United States by mailing out fraudulent emails posing as the Internal Revenue Service, which is supposed to be issuing tax forms or federal returns. 

Emotet is a malware infection spread via phishing emails with malicious macros attached to Word or Excel documents. When the user opens these documents, they will be misled into allowing macros that will install the Emotet malware on the device. Emotet will capture victims' emails to use in future reply-chain attacks, send more spam emails, and eventually install other malware that could lead to a Conti ransomware assault on the targeted network once it is implemented. 

Researchers have discovered various phishing attempts masquerading the Internet Revenue Service (IRS.gov) that use lures relevant to the 2022 US tax season, according to a recent analysis by email security firm Cofense. These emails ostensibly come from the IRS, and they claim to be sending the recipient their 2021 Tax Return, W-9 forms, and other tax documents that are often needed during tax season. 

While the subject lines and content of IRS-themed emails vary, the fundamental notion is that the IRS is contacting the company with either finished tax forms or ones that one must fill out and return. Zip files or HTML pages that lead to zip files are attached to the emails and are password-protected to avoid detection by secure email gateways. Third-party archive programs like 7-Zip, on the other hand, have no trouble extracting the files. 

A 'W-9 form.xslm' Excel file is included in the zip files, and when viewed, it prompts the user to click the "Enable Editing" and "Enable Content" buttons to see the document correctly. When a user clicks one of these buttons, malicious macros are launched, downloading and installing the Emotet virus from hacked WordPress sites. Once Emotet is loaded, it will download further payloads, which in recent campaigns have mostly been Cobalt Strike. 

Emotet has also dropped the SystemBC remote access Trojan, according to Cryptolaemus, an Emotet research organisation. With the Conti Ransomware gang now developing Emotet, all businesses, large and small, should be on the watch for these phishing tactics, which can escalate to ransomware assaults and data theft. It's important to remember that the IRS never sends unsolicited emails and only communicates via postal mail. As a result, if anyone receives an email from the IRS purporting to be from the IRS, flag it as spam and delete it.

A Worldwide Fraud Campaign Used Targeted Links to Rob Millions of Dollars

 

Infrastructure overlaps tied to the TrickBot botnet can be seen in large-scale phishing activity employing hundreds of domains to steal information for Naver, a Google-like web platform in South Korea. The resources employed in this assault demonstrate the magnitude of the cybercriminal effort to gather login data to carry out attacks. 

Naver, like Google, offers a wide range of services, including web search, email, news, and the NAVER Knowledge iN online Q&A platform. Its credentials, in addition to granting access to regular user accounts, can also grant access to enterprise environments due to password reuse. 

Earlier this year, security researchers from cyber intelligence firm Prevailion began its inquiry using a domain name shared by Joe Sowik, mailmangecorp[.]us, which led to a "vast network of targeted phishing infrastructure designed to gather valid login credentials for Naver." Additionally, PACT analysts discovered similarities with the WIZARD SPIDER [a.k.a. TrickBot] network while researching the hosting infrastructure utilized to serve the Naver-themed phishing pages. 

The fraudsters enticed victims with phoney surveys and incentives purporting to be from well-known brands, the lure was meant to help the criminals steal victims' personal information and credit card information. Tens of millions of people in 91 countries, including the United States, Canada, South Korea, and Italy, were shown to have been targeted by the scammers.

To entice potential victims, the cybercriminals sent out invitations to participate in a survey, along with the promise of a prize if they completed it. Advertising on both legitimate and illegitimate websites, contextual advertising, SMS and email messages, and pop-up notifications were all used in the campaign. To develop trust with the victims, lookalike domains modeled after authentic ones were registered. 542 unique domains were linked to the operation, 532 of which were utilized for Naver-themed phishing. Authorities found the operator would register a group of web addresses linked to a single IP address using an email address.

According to the researchers, two Cobalt Strike beacon variants on Virus Total were linked to 23.81.246[.]131 as part of a campaign that used CVE-2021-40444 to spread Conti ransomware, a typical TrickBot payload. The end page's content is as personalized as possible to the victim's interests, with the customized link only accessible once, making detection significantly more difficult and enabling the scheme to last longer. 

The victim is also informed to be eligible for a prize and one must supply personal information such as one's complete name, email and physical addresses, phone number, and credit card information, including expiration date and CVV for the same. Prevalion believes one explanation that justifies the conclusions is cybercriminals should use an "infrastructure-as-a-service" model for their operations.

CISA Updates Conti Ransomware Alert with Around 100 Domain Names

 

The US Cybersecurity and Infrastructure Security Agency (CISA) has upgraded the Conti ransomware advisory to include indications of compromise (IoCs) that comprise almost 100 domain names utilized in criminal operations. 

The advisory, which was first issued on September 22, 2021, contains facts about Conti ransomware assaults that attacked organizations in the United States, as observed by CISA and the Federal Bureau of Investigation (FBI). It's worth noting that the US Secret Service's data is included in the latest cybersecurity advisory. Internal data from the Conti ransomware operation began to surface at the end of February after the group publicly declared their support for Russia in the Ukraine invasion. 

The leak came from a Ukrainian researcher, who originally issued private messages exchanged by the members of the group and then released the source code for the ransomware, administrative panels, and other tools. Domains used in compromises with BazarBackdoor, the malware used to gain initial access to networks of high-value targets, were also found in the cache of data. Conti, according to CISA, has infiltrated over 1,000 businesses around the world, with TrickBot malware and Cobalt Strike beacons being the most common attack vectors. 

The agency has published a list of 98 domain names that have "registration and naming characteristics identical" to those used in Conti ransomware attacks. While some of the domains were used in malicious operations, the agency warns that others of them may be abandoned or may share similar features coincidentally. The list of domains linked to Conti ransomware assaults does not appear to be the same as the hundreds of domains released from BazarBackdoor infections by the Ukrainian researcher. 

Conti did not halt its activities despite the negative attention it earned recently as a result of the exposure of its internal discussions and tools. Conti has listed more than two dozen victims on its website since the beginning of March in the United States, Canada, Germany, Switzerland, the United Kingdom, Italy, Serbia, and Saudi Arabia.

The Emotet Malware is Alive and Using TrickBot to Rebuild its Botnet

 

The malicious Emotet botnet, which made a comeback in November 2021 after a 10-month break, is showing indications of steady expansion once again, collecting a colony of over 100,000 infected hosts to carry out its destructive actions. 

In a new round of attacks, Emotet, a Banking Trojan which has evolved into a formidable modular threat, has reappeared with improved features. It has infected devices to carry out additional spam campaigns and install various payloads like the QakBot (Qbot) and Trickbot malware. These payloads would subsequently be utilized to give threat actors, such as Ryuk, Conti, ProLock, Egregor, and others, early access to deploy ransomware. 

"While Emotet has not yet reached the same magnitude as before, the botnet is displaying a strong resurrection with a total of around 130,000 unique bots scattered over 179 countries since November 2021," Lumen's Black Lotus Labs researchers wrote in a report. On April 25th, 2021, German law enforcement used the network to send an Emotet module that removed the malware from afflicted devices. 

The TrickBot malware has begun to dump an Emotet loader on affected devices, according to Emotet research group Cryptolaemus, GData, and Advanced Intel. While Emotet used to deploy TrickBot, the threat actors now use a mechanism called "Operation Reacharound" by the Cryptolaemus group, which rebuilds the botnet utilizing TrickBot's current infrastructure. 

Apart from command-and-control (C2) lists and RSA keys, which change from version to version, Emotet's main payload hasn't changed much, but the list of phrases used to establish a process name for its bot has been renewed. Along with new binaries, words like engine, finish, magnify, resapi, query, skip, and many more are utilized and modified. Researchers may be able to construct signatures to detect Emotet infections on machines once these lists have been secured, but signature-based detection is more challenging if the list changes. 

Abuse.ch has published a list of the new Emotet botnet's command and control servers and strongly advises network administrators to ban the linked IP addresses. Another new feature is the ability to collect extra system information from compromised workstations in addition to a list of running processes. The number of bots and associated dispersion are crucial indicators of Emotet's success in reconstructing its once-vast infrastructure.

TrickBot Group Likely Moving Operations to Switch to New Malware

 

TrickBot, the notorious Windows crimeware-as-a-service (CaaS) solution used by several threat actors to distribute next-stage payloads like ransomware, looks to be in the midst of a transition, with no new activity since the beginning of the year. 

Researchers at Intel 471 stated in a study provided with The Hacker News that the slowdown in malware activities is partially due to a huge shift by Trickbot's operators, including working with the operators of Emotet. Even as the malware's command-and-control (C2) infrastructure continued to serve additional plugins and web injects to infected nodes in the botnet, the last round of TrickBot attacks was recorded on December 28, 2021. 

Surprisingly, the drop in campaign volume has coincided with the TrickBot gang collaborating closely with the operators of Emotet, which resurfaced late last year after a 10-month break due to law enforcement efforts to combat the malware. The attacks, which began in November 2021, comprised an infection sequence that utilized TrickBot to download and execute Emotet binaries, whereas Emotet binaries were frequently used to drop TrickBot samples previous to the shutdown. 

The researchers stated, "It's likely that the TrickBot operators have phased TrickBot malware out of their operations in favour of other platforms, such as Emotet. TrickBot, after all, is relatively old malware that hasn't been updated in a major way." 

Additionally, immediately after Emotet's comeback in November 2021, Intel 471 discovered instances of TrickBot sending Qbot installs to the infected systems, highlighting the possibility of a behind-the-scenes shake-up to relocate to other platforms. With TrickBot becoming more visible to law enforcement in 2021, it's not unexpected that the threat actor behind it is actively working to change tactics and modify their protective mechanisms. 

"Perhaps a combination of unwanted attention to TrickBot and the availability of newer, improved malware platforms has convinced the operators of TrickBot to abandon it. We suspect that the malware control infrastructure (C2) is being maintained because there is still some monetization value in the remaining bots," the researchers added.

According to a separate investigation published last week by Advanced Intelligence (AdvIntel), the Conti ransomware group is thought to have acqui-hired several elite TrickBot developers to deactivate the malware and replace it with improved variations like BazarBackdoor.

SFile (Escal) Ransomware Modified for Linux Attacks

 

The SFile ransomware, also known as Escal, has been ported to work and encrypt data on Linux-based operating systems by its developers. 

Attacks with this new Linux edition were discovered late last year, according to a report published last week by Chinese security firm Rising, which was substantiated by The Record with MalwareHunterTeam, one of the developers of the ID-Ransomware project. 

In February 2020, the SFile (Escal) ransomware was first observed in assaults. The first versions were exclusively designed to encrypt Windows systems. The ransomware has been deployed in targeted assaults against corporate and government networks for the previous two years. 

SFile is typically used in these attacks to encrypt data and leave a ransom note instructing victims to contact the attackers via one of three emails and negotiate a ransom for the decryption key. 

A SFile Linux variation was discovered late last year, following a typical trend in the ransomware ecosystem where groups have developed Linux versions of their payloads, with an encryption strategy identical to its original Windows variant but with a few modifications. 

The option to encrypt data depending on a time range, according to MalwareHunterTeam, was the most intriguing of these—as a way to encrypt current files, which may be more important for some victims and are often not included in recent backups. However, the SFile ransomware is one of the few instances where the victim's name appears in the extension appended to each encrypted file. 

Several Chinese firms were among the most recent victims of SFile assaults. According to the Rising report, one of these victims was Chinese IT business Nuctech, which was sanctioned by the US in late 2020 for giving air travel passenger information to the Chinese government—the company's name was identified in encrypted files in a sample discovered by Rising researchers. 

Despite the presence of a Linux variant, the number of SFile attacks is still limited in comparison to the operation of more well-known ransomware families like Conti, LockBit, Grief, and STOP.

Report: PYSA Emerges as Top Ransomware Actor in November

 

As per NCC Group, a UK-based risk mitigation organisation, PYSA and Lockbit were the most significant ransomware attacks in November 2021.

Lockbit has been a leading ransomware threat since August of this year, with Conti dominating the landscape as well. Conti's popularity began to fade in November, and PYSA took its place. The total number of organisations infected with PYSA climbed by 50% last month. 

The number of hacked governmental institutions has also increased by 400 per cent, according to the NCC Group. PYSA is for 'Protect Your System Amigo,' and it has been active since late 2019, mostly targeting the education, healthcare, and government sectors.

In March 2021, the FBI issued a warning about PYSA. PYSA was thought to only target Windows systems until September 2021, but the evidence was discovered that the ransomware was getting prepared to target Linux PCs as well. 

NCC Group noted, “PYSA is a malware capable of exfiltrating data and encrypting users’ critical files and data, which typically targets large or high-value finance, government and healthcare organizations.” 

In November, the total number of ransomware assaults was 1.9 per cent higher than in October, with firms in North America and Europe being hit the hardest. According to the NCC Group, ransomware affected 154 companies in North America last month (140 in the United States and 14 in Canada). A total of 96 European victims have been identified, the majority of whom are from the United Kingdom (32), France (14), Italy, and Germany (11 each). 

“The industrial sector continued to be the most targeted sector in November. Meanwhile, automotive, housing, entertainment, and retail businesses overtook technology this month, with attacks targeting the sector decreasing by 38.1%,” NCC Group stated. 

The cybersecurity firm also saw the Everest ransomware group providing paid access to their victims' infrastructure in November. Other groups are also anticipated to forego a ransom demand in the future and instead grant access to the compromised infrastructure.

Conti Ransomware Exploits Log4j Flaw to Hack VMware vCenter Servers

 

The critical Log4Shell exploit is being used by the Conti ransomware operation to obtain quick access to internal VMware vCenter Server instances and encrypt virtual machines. The group wasted no time in adopting the new attack vector, becoming the first "top-tier" operation to exploit the Log4j flaw. 

On December 9, a proof-of-concept (PoC) exploit for CVE-2021-44228, also known as Log4Shell, was made public. A day later, numerous actors began scanning the internet in search of vulnerable systems. Cryptocurrency miners, botnets, and a new ransomware strain called Khonsari were among the first to leverage the flaw. 

By December 15, state-backed hackers and initial access brokers, who sell network access to ransomware gangs, had joined the list of threat actors using Log4Shell. Conti, one of today's largest and most prolific ransomware groups with tens of full-time members, seems to have developed an early interest in Log4Shell, viewing it as a potential attack channel on Sunday, December 12. 

The group began seeking fresh victims the next day, with the intention of lateral migration to VMware vCenter networks, as per Advanced Intelligence (AdvIntel), a cybercrime and hostile disruption firm. Log4Shell has impacted dozens of vendors, who have rushed to patch their products or provide workarounds and mitigations for customers. VMware is one among them, with 40 products listed as vulnerable. 

While the firm has suggested mitigations or fixes, a patch for the affected vCenter versions has yet to be released. Although vCenter servers are not generally accessible to the internet, there are a few scenarios in which an attacker may exploit the flaw.

“A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system and/or perform a denial of service attack” – Vmware 

Log4Shell to move laterally 

"This is the first time this vulnerability entered the radar of a major ransomware group," according to a report shared with BleepingComputer. 

“The current exploitation led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4J exploit” - AdvIntel 

While most defenders are aimed at stopping Log4Shell attacks on Internet-connected devices, the Conti ransomware operation demonstrates how the vulnerability can be leveraged to attack internal systems that aren't as well-protected. 

Conti ransomware affiliates had already invaded the target networks and exploited vulnerable Log4j machines to obtain access to vCenter servers, according to the researchers. This indicates that Conti ransomware members used a different initial access vector to infect a network (RDP, VPN, email phishing) and are now utilising Log4Shell to move laterally on the network. 

Conti, the successor to the notorious Ryuk ransomware, is a Russian-speaking group that has been in the ransomware business for a long time. Hundreds of attacks have been carried out by the group, with its data leak site alone reporting over 600 victim firms who did not pay a ransom. Other firms who paid the actor to have their data decrypted are also included. The group has extorted more than $150 million from its victims in the last six months, according to AdvIntel.

LockFile Ransomware Circumvents Protection Using Intermittent File Encryption

 

A new ransomware threat known as LockFile has been affecting organizations all around the world since July. It surfaced with its own set of tactics for getting beyond ransomware security by using a sophisticated approach known as "intermittent encryption." 

The operators of ransomware, called LockFile, have been found exploiting recently disclosed vulnerabilities like ProxyShell and PetitPotam to attack Windows servers and install file-encrypting malware that scrambles just every alternate 16 bytes of a file, allowing it to circumvent ransomware defenses. 

Mark Loman, Sophos director of engineering, said in a statement, "Partial encryption is generally used by ransomware operators to speed up the encryption process, and we've seen it implemented by BlackMatter, DarkSide, and LockBit 2.0 ransomware.” 

"What sets LockFile apart is that, unlike the others, it doesn't encrypt the first few blocks. Instead, LockFile encrypts every other 16 bytes of a document." 

"This means that a file such as a text document remains partially readable and looks statistically like the original. This trick can be successful against ransomware protection software that relies on inspecting content using statistical analysis to detect encryption," Loman added. 

Sophos' LockFile analysis is based on evidence published to VirusTotal on August 22, 2021. Once installed, the virus uses the Windows Management Interface (WMI) to terminate important services linked with virtualization software and databases before encrypting critical files and objects and displaying a ransomware message that looks similar to LockBit 2.0's. 

The ransom message further asks the victim to contact "contact@contipauper.com," which Sophos believes they are referencing a rival ransomware organization named Conti. 
 
Furthermore, after successfully encrypting all of the documents on the laptop, the ransomware erases itself from the system, indicating "there is no ransomware binary for incident responders or antivirus software to identify or clear up." 

Loman warned that the takeaway for defenders is that the cyberthreat landscape never sits still, and adversaries will rapidly grasp any chance or weapon available to conduct a successful attack. 

The disclosures come as the U.S FBI published a Flash report outlining the tactics of a new Ransomware-as-a-Service (RaaS) group known as Hive, which consists of many actors who use multiple mechanisms to attack business networks, steal data, encrypt data on the networks, and attempt to collect a ransom in exchange for access to the decryption keys.