
In-Depth Look at Ragnar Locker Ransomware Targeting Vital Industries

 

The Ragnar group, responsible for the Ragnar Locker ransomware, has been active since 2019, targeting critical industries and using double extortion. The FBI warned in March 2022 that at least 52 entities from ten critical industry sectors had been affected. 

In August 2022, the group launched an attack on Greek gas supplier Desfa, claiming to have stolen sensitive data. Cybereason researchers examined Ragnar Locker's encryption process. Ragnar Locker performs a location check during execution. Execution is stopped if the location is any country in the Commonwealth of Independent States (CIS).

It then gathers host information, such as the computer and user names, as well as the machine GUID and Windows version. A custom hashing function concatenates and conceals this data. The combined hashes are used to name a new event. Ragnar Locker then attempts to locate existing file volumes using the Windows API CreateFileW.

The encrypted list of services contained within the Ragnar Locker code is decrypted. VSS, sql, memtas, mepocs, sophos, veeam, backup, pulseway, logme, logmein, connectwise, splashtop, kaseya, vmcompute, Hyper-v, vmms, Dfs are all included. If any of these are discovered to be running services, the malware terminates them.

The malware then decrypts and prepares an embedded RSA public key for use. It decrypts the ransom note and then proceeds to delete any shadow copies of the host via vssadmin.exe and Wmic.exe.
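A defender's view of the service-termination and shadow-copy steps above, as an added example that is not from the original post or the analysis it summarises: it triages process and service-stop events per host. The event format, the command-line patterns and the three-service threshold are assumptions, and the sample events are constructed.

```python
import re

# Service-name fragments from the decrypted list described in the post.
SERVICE_FRAGMENTS = ["vss", "sql", "memtas", "mepocs", "sophos", "veeam", "backup",
                     "pulseway", "logme", "logmein", "connectwise", "splashtop",
                     "kaseya", "vmcompute", "hyper-v", "vmms", "dfs"]

# Assumed command-line shapes for shadow-copy deletion (not quoted from the post).
SHADOW_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
]

# Constructed sample events in a hypothetical normalised format.
SAMPLE_EVENTS = [
    {"host": "WS-01", "type": "service_stop", "value": "MSSQLSERVER"},
    {"host": "WS-01", "type": "service_stop", "value": "VeeamBackupSvc"},
    {"host": "WS-01", "type": "service_stop", "value": "Sophos Agent"},
    {"host": "WS-01", "type": "process", "value": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-01", "type": "process", "value": "wmic.exe shadowcopy delete"},
    {"host": "WS-02", "type": "process", "value": "vssadmin list shadows"},
    {"host": "WS-02", "type": "service_stop", "value": "Spooler"},
    {"host": "WS-03", "type": "service_stop", "value": "SQLWriter"},
    {"host": "WS-03", "type": "service_stop", "value": "vmms"},
    {"host": "WS-03", "type": "service_stop", "value": "vmcompute"},
]

def matched_fragment(service_name):
    """Return the first listed fragment contained in the service name, or None."""
    name = service_name.lower()
    return next((f for f in SERVICE_FRAGMENTS if f in name), None)

def is_shadow_delete(cmdline):
    return any(p.search(cmdline) for p in SHADOW_PATTERNS)

def triage(events, min_services=3):
    """Rate each host: 'high' needs shadow-copy deletion AND a burst of listed stops."""
    hosts = {}
    for ev in events:
        h = hosts.setdefault(ev["host"], {"shadow": False, "services": set()})
        if ev["type"] == "process" and is_shadow_delete(ev["value"]):
            h["shadow"] = True
        elif ev["type"] == "service_stop" and matched_fragment(ev["value"]):
            h["services"].add(ev["value"])
    def rate(h):
        burst = len(h["services"]) >= min_services
        return "high" if h["shadow"] and burst else "review" if h["shadow"] or burst else "none"
    return {host: rate(h) for host, h in hosts.items()}
```

Substring matching on short fragments such as `sql` or `dfs` is broad by design, which is why a burst of stops alone only rates `review` (WS-03 could be a patching window) and the `high` rating requires the shadow-copy deletion as well.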

The ransom note in the analysed sample also states, "Also, all of your sensitive and private information was gathered, and if you decide NOT to pay, we will upload it for public view!" Ragnar Locker's data leak site on Tor (http [://] rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd [.] onion/) currently lists approximately 70 claimed victims.

The note demands a ransom of 25 bitcoins, but suggests that if contact is made within two days, this can be negotiated. However, it warns that if no contact is made within 14 days, the ransom will double, and the decryption key will be destroyed if no payment agreement is reached within 21 days. It also states that the attackers customised the ransom amount based on the victim's "network size, number of employees, annual revenue."

Ragnar Locker begins the encryption process once the ransom note is complete. Several items are excluded from encryption: files such as autoruns.inf, boot.ini, bootfront.bin, bootsect.bak, bootmgr, bootmgr.efi, bootmgfw.efi, desktop.ini, iconcache.db, ntldr, ntuser.dat, ntuser.dat.log, ntuser.ini, thumbs.db; specific processes and objects such as Windows.old, Tor Browser, Internet Explorer, Google, Opera, Opera Software, Mozilla, Mozilla Firefox, $Recycle.bin, ProgramData, All Users; and files with the extensions .db, .sys, .dll, .lnk, .msi, .drv, .exe.

Other files' filenames are sent to the encryption function, which encrypts them and appends the suffix '.ragnar [hashed computer name]'. Ragnar Locker creates a notepad.exe process after encryption and displays the ransom note on the user's screen.

The stolen data used in the double extortion process is continuously exfiltrated until it reaches the point of encryption. According to Loic Castel, a principal security analyst at Cybereason's Global SOC, “In general, ransomware operatives doing double extortion always require full privileges on the network they are looking to encrypt. Between the initial access phase (when they take control of an asset, for instance through spearphishing) and the encryption phase, they have access to many machines, which they can extract data from and send through exfiltration services / external domains.”

As per the FBI alert, data exfiltration occurred nearly six weeks after the initial access and continued for about ten days before the encryption process began. Ragnar Locker primarily targets critical industry companies. 

“Ragnar Locker ransomware actors work as part of a ransomware family, frequently changing obfuscation techniques to avoid detection and prevention,” warned the FBI in its March 2022 alert.

Massive China-Linked Disinformation Campaign Taps PR Firm for Help

 

Security experts have discovered another Chinese information operation that is attempting to improve the country's image overseas by utilising a large number of fake news sites and social media assets. 

The content, which is available in 11 languages, tries to win hearts and minds over to Beijing's way of thinking by undermining criticism of the Xinjiang genocide and the deterioration of democracy in Hong Kong. 

According to Mandiant, among the Communist Party opponents targeted in the campaign are Chinese billionaire Guo Wengui and German anthropologist Adrian Zenz, who is known for his study on Uyghur oppression. The campaign's most striking feature is that it appears to leverage infrastructure owned by local public relations business Shanghai Haixun Technology, a company that promotes "positive thinking." 

According to a Mandiant blog post, the phrase "positive energy" is particularly loaded in China since it is frequently used by the Xi Jinping government to refer to communications that reflect Beijing positively. As a result, Mandiant dubbed the information operations effort "HaiEnergy."

“While we do not currently have sufficient evidence to determine the extent to which Haixun is involved in, or even aware of HaiEnergy, our analysis indicates that the campaign has at least leveraged services and infrastructure belonging to Haixun to host and distribute content,” the firm explained. 

“In total, we identified 72 websites (59 domains and 14 subdomains) hosted by Haixun, which were used to target audiences in North America, Europe, the Middle East and Asia.” 

The campaign has solely relied on Haixun's internet infrastructure to post information and host websites. In reality, those sites share significant commonalities, indicating a coordinated strategy, including: 
  • Nearly all the English language sites are built with a Chinese-language HTML template
  • Several of the sites that include a domain and subdomain are disguised to appear as different, independent sites
  • Many of the sites link directly to other sites in the network
  • The same articles are often published across multiple sites

If Haixun is actively involved in this effort, it would be a continuation of a pattern in which threat actors utilise "info ops for hire" organisations to perform their dirty work, according to Mandiant. The one advantage is that it does not appear to have paid off on this occasion.

“We note that despite the capabilities and global reach advertised by Haixun, there is at least some evidence to suggest HaiEnergy failed to generate substantial engagement,” the report concluded.

“Most notably, despite a significantly large number of followers, the political posts promoted by inauthentic accounts we attribute to this campaign failed to gain much traction outside of the campaign itself.”

Hackers Target National Portal of India Via ‘Unprecedented’ Phishing Method

 

On Thursday, cyber-security experts announced the discovery of an "unprecedented, sophisticated" phishing method that has been used to extort people by impersonating official websites worldwide, including the Indian government's portal https://india.gov.in.

According to AI-driven cyber-security startup CloudSEK, threat actors have been targeting the Indian government's webpage by using a fake URL to deceive users into entering sensitive information such as credit card numbers, expiration months, and CVV codes. 

In an advanced phishing technique known as a Browser-in-the-Browser (BitB) attack, hackers imitate the browser window of the Indian government website, most typically SSO (single sign-on) pages, with a unique login. BitB attacks impersonate reputable websites in order to steal user passwords and other sensitive data such as personally identifying information (PII). The new URL that emerges as a result of the BitB attack looks to be legitimate.

"The bad actors have also replicated the original page's user interface. Once their victims click into the phishing page, a pop-up appears on the phoney window claiming that their systems have been blocked, posing as a notification from the Home Affairs Enforcement and Police," the researchers asserted. 

The users are then alerted that their excessive usage of pornographic websites is banned under Indian law, and they are asked to pay a Rs 30,000 fee in order to unlock their computers.

"They are given a form to fill out in order to pay the fine, which asks them to divulge personal information, including their credit card information. The victims become panicked because the warning has a sense of urgency and appears to be time-bound," the researchers stated. 

The information entered by the victims into the form is sent to the attacker's server. Once the attackers have obtained the card information, it may be sold to other purchasers in a bigger network of cyber criminals, or the victim may be extorted for more funds. 

When users attempt to connect to a website, they may click on a malicious link that appears as an SSO login pop-up window. Users are requested to sign in to the website using their SSO credentials when they visit the provided URL. The victims are then sent to a fraudulent webpage that appears just like the SSO page. The attack often triggers single sign-on windows and presents bogus web pages that are identical to the legitimate page.

"Combine SSO with MFA (multi-factor authentication) for secure login across accounts, check for suspicious logins and account takeovers and avoid clicking on email links from unknown sources," the researchers suggested.

Japanese City Worker Loses USB Containing Resident's Personal Data

 

A Japanese city has been compelled to apologise after a contractor admitted to losing a USB memory stick holding the personal data of over 500,000 inhabitants following an alcohol-fueled night out. 

Officials in Amagasaki, western Japan, claimed the man – an unidentified employee of a private contractor hired to administer Covid-19 compensation payments to local homes – had taken the flash drive from the city's offices to transfer the data to a contact centre in neighbouring Osaka.

After spending Tuesday evening drinking at a restaurant, he realised on his way home that the bag holding the drive, as well as the personal information of all 460,000 Amagasaki residents, had gone missing. The next morning, he reported the loss to the police. 

According to the Asahi Shimbun, the information contained the residents' names, residences, and dates of birth, as well as data on their residence tax payments and the bank account numbers of those receiving child benefits and other welfare payments. There have been no complaints of data leaks because all of the information is encrypted and password secured. 

“We deeply regret that we have profoundly harmed the public’s trust in the administration of the city,” an Amagasaki official told reporters. The city said in a statement that it would “ensure security management when handling electronic data. We will work to regain our residents’ trust by heightening awareness of the importance of protecting personal information.”

Not a new affair 

Last month, a man in Abu was handed £279,000/US$343,000 in Covid-19 relief payments meant for 463 low-income people. Local officials said this week that they had recovered all of the money via internet payment services after the individual claimed he had gambled it all away. 

The Amagasaki event highlights worries about some Japanese organisations' ongoing usage of obsolete technologies. According to media reports last week, dozens of businesses and government agencies were rushing to transition away from Internet Explorer before Microsoft retired the browser at midnight on Wednesday. 

According to Nikkei Asia, a sense of "panic" seized businesses and government organisations who were slow to abandon their dependency on IE before Microsoft formally ceased support services, leaving surviving users susceptible to flaws and hacks.