Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label RaaS. Show all posts
Sophos
Cyber Attacks Junk-Gun RaaS Ransomware Sophos

Junk Ransomware: Getting the Job Done For Hackers


Sophos detects ransomware

In an April 17 analysis from its Sophos X-Ops research team, cybersecurity firm Sophos observed an increase in low-cost, primitive ransomware—a boon for aspiring threat actors and a headache for defenders.

It's far more difficult to find something that there are only twenty copies of in the world, said Christopher Budd, director of threat research at Sophos X-Ops.

The group linked the choices to the cheap handguns that flooded the US firearms market in the 1960s and 1970s, known as junk guns.

Between June 2023 and February 2024, the Sophos team spotted 19 different types of "independently produced, inexpensive, and crudely constructed ransomware." Some missed clean graphics, while others used programming languages like C# and.NET, which "have a shallower learning curve," noted the paper.

It seems to be a fairly recent thing,"  noting that poor-quality malware has existed for decades.

Varying costs

Sophos discovered one with no price indicated, two open-source models, one for $20 (later reduced to free), and one for 0.5 BTC (about $13K).

According to a 2023 research by cybersecurity firm CrowdStrike, the cost of a Ransomware as a Service (RaaS) kit "ranges from $40 per month to several thousand dollars." RaaS models depend on affiliates purchasing ransomware and consenting to a subscription fee based on the victim's payment.

Junk-gun ransomware

Junk-gun ransomware destroys that commission: capitalism in action, in a sense.

In most instances, you don't have any kind of partner fees to pay, Budd stated.

Only three of the "junk" kinds paid a subscription fee

Ransomware groups such as LockBit have become large enough to be tracked and halted by government agencies. Junky ransomware has the potential to fly under the radar and bypass detection technology.

There is no single source of knowledge for investigators and researchers to track, the Sophos report stated.

Budd and his crew saw users asking basic inquiries in forums praising the cheap items. What is the best language for creating ransomware? Is writing in C# worthwhile? How should malware be priced and sold?

Budd describes a forum featuring inexpensive ransomware and beginner queries as a welcome place for young hackers waiting for their chance in the big leagues.

Step forward

Junk-gun ransomware presents specific problems for small enterprises, the general public, and the security industry. We saw threat actors expressly refer to assaults against smaller companies and individuals, even as they tried to figure out which types of companies to target and how much ransom to demand because such targets are often less well-defended, knowledgeable, and prepared.

At this point, junk-gun ransomware causes several challenges for the security industry. It is difficult to get samples of junk-gun ransomware, assess how widely it has been deployed in the wild, and monitor new variants. 

Threat actors may also adopt the 'brand names' of well-known ransomware families, presumably to capitalize on their reputations, which can lead to misunderstanding among experts.
Read more »
threat report
malware Malware Strains RaaS Ransomware threat report

Malware-as-a-Service The Biggest Risk to Organizations Right Now

Malware-as-a-Service

A recent Darktrace analysis states that the largest threat to enterprises in the second half of 2023 was malware-as-a-service (MaaS) infections.

Many malware strains have become cross-functionally adaptive, as noted in the 2023 End of Year Threat Report. This comprises the combination of information-stealing malware with malware loaders like remote access trojans (RATs).

The menace of malware-as-a-service 

Researchers at Darktrace discovered that "malware strains are progressively developed with a minimum of two functions and are interoperable with a greater number of existing tools" through reverse engineering and detection analysis.

Because these malicious tools may gather passwords and data without compromising files, which makes detection more difficult, they pose a special risk to enterprises.

One well-known instance of this was the information-stealing and remote access Trojan (RAT) called ViperSoftX, which was designed to obtain sensitive data such as Bitcoin wallet addresses and passwords kept in password managers or browsers.

2020 saw the first recorded sighting of ViperSoftX in the wild, however, strains discovered in 2022 and 2023 have more advanced detection evasion strategies and capabilities.

Another instance is the ransomware known as Black Basta, which spreads the Qbot banking virus to steal credentials.

Additional Transition to Ransomware-as-a-Service (RaaS)

The research also noted a move away from traditional ransomware in 2023 with an increase in RaaS assaults.

It was reported that the ransomware market expanded after law enforcement dismantled the Hive ransomware gang in January 2023. Among these was the emergence of ScamClub, a malvertising actor that sends false virus alerts to well-known news websites, and AsyncRAT, which has been targeting US infrastructure workers lately.

According to Darktrace's prediction, an increasing number of ransomware attackers are expected to utilize multi-functional malware and double and triple extortion tactics in the upcoming year.

According to the company, in 2024 the MaaS and RaaS ecosystems should continue to flourish, hence reducing the entry barrier for cybercriminals.

Attackers Incorporating AI into Phishing Schemes

According to Darktrace, last year it saw threat actors use additional creative strategies to get beyond an organization's security measures.

This includes phishing and other increasingly successful email attacks that try to trick users into downloading dangerous payloads or divulging private information.

For instance, 58% of phishing emails that Darktrace saw last year were able to get past all security measures in place, while 65% of the emails were able to effectively evade Domain-based Message Authentication (DMARC) verification checks.

According to the researchers, a lot of attackers are using generative AI technologies to automate the creation of more realistic phishing operations.



Read more »
ransomware-as-a-service (RaaS)
Cyber Attacks RaaS Ransomware ransomware-as-a-service (RaaS)

Rise in RaaS Operations and Implications for Business Security


Recently, there had been news regarding the cyber-attack in a Japanese port, that blocked the smooth transfer of goods – a hack in a Las Vegas resort which led to malfunction in slot machines and guest check-ins and a whopping $100 million loss, and loss of more than 2.5 million medical records, that were stolen by hackers.

These instances have one thing in common: they were all caused by ransomware-as-a-service (RaaS) operations. 

The emergence of RaaS signifies a significant advancement in the field of cybercrime, with global corporations and public infrastructure bearing the consequences.

Here, we will discuss what RaaS is, how it operates and why it poses such dangers.

The Origin Of RaaS

RaaS initially came to light in 2009, following the invention of cryptocurrency. In the first place, cryptocurrency made it simpler for hackers to demand ransoms in an anonymous manner, which contributed to the spread of ransomware. Second, it allowed hackers to transact with one another for software and services without having to reveal who they were or run the danger of having their accounts frozen by banks.

Reveton became the first ransomware gang to adopt the RaaS model. The group created malware that, after infecting a victim's computer, claimed the victim had committed an online federal felony. Then, if the victim didn't pay the ransom, it threatened to put them in jail. Later, for a price, this software was made available to hackers with lower technical proficiency.

How Does RaaS Work?

The operation of RaaS is similar to software as a service (SaaS). To put it briefly, the program is created and maintained by a committed group of programmers, who then charge a fee to allow others to use it. Like any other SaaS business, the RaaS developers might even provide committed tech support and customer service.

This fee provided to the RaaS providers is a part of the ransom paid to the gang, indicating that the RaaS users are responsible for infiltrating the network, however, the ransom money goes to the RaaS provider.

The ransomware can evade detection and the most recent antivirus software by using updates like patches from the RaaS provider. This allows the malware to infiltrate a network, encrypt data, and take it.

What Does RaaS Mean For Business Security?

The emerging threat of ransomware attacks signifies that it is now important for organizations to garner an understanding of ransomwares and take measures accordingly. 

Certain areas require close attention:

  • Ransomware preparedness: A good ransomware response plan could make a huge difference when it comes to tackling a ransomware incident. This can further reduce the damage done by the ransomware and speed up response time.
  • Internal network security: It is also important to prevent hackers from moving within the accessed networks. Installing safeguards, according to the principle of least privilege (PoLP), is a good way to prevent hackers from accessing further in the networks. 
  • Encrypting sensitive data: Attackers using ransomware depend more on extortion as backup processes improve. To prevent hackers from utilizing sensitive information against you, it is advisable to encrypt sensitive data such as bank records, proprietary data, and customer personal information.

Unfortunately, boosting levels of cybersecurity is now a part of the “new normal.” There is nothing more the companies can do. It is necessary to consider increased security as standard operating procedure.  

Read more »
Ransomware
Cyberattacks CyberCrime Cybersecurity Dark Web Group-IB malware Nokayawa Group RaaS Ransomware

From Concealed to Revealed: Dark Web Slip-Up Exposes Ransomware Mastermind





A group of researchers responded to an ad offering the opportunity to join up with a RaaS operation and found themselves attending a cybercriminal job interview held by an organization that is one of the most active threat actors in the affiliate market today. At least five strains of ransomware have been created by the same individual known as "farnetwork". 

A Group-IB threat researcher posing as a member of the Nokoyawa ransomware group eventually became able to unmask the criminal after giving too many specifics to a Person-IB threat researcher pretending to be one of its affiliates.

Aside from being known by the alias of jingo, it has also been identified as jsworm and farnetwork, along with razvrat, piparuka, and piparuka. Upon learning that the undercover researcher had demonstrated they could not only escalate their privileges but also use ransomware to encrypt files and finally demand hard cash to get an encryption key, farnetwork was ready to reveal more details. 

The researcher at Group-IB, during his correspondence with the researcher from Farnetwork, discovered that Farnetwork already had a foothold in various enterprise networks, and was just looking for someone to help them take the next step - namely, deploying the ransomware and collect the money collected. 

There is a deal that would allow Group IB's team to make money by extorting money from victims and then giving 65% of the money to the Nokoyawa affiliate as well as 20% to the botnet owner and 15% to the ransomware owner. 

According to Group-IB's latest report, Nokayawa was only the latest ransomware operation farnetwork had been executing, and it was only the most recent of several, it explained. After a lengthy discussion with the threat actor, the team was able to assemble enough information about farnetwork's ransomware activities for the entire year of 2019. 

During their meeting with Farnetwork, the researchers were told that the company had been the recipient of ransomware payments totalling as much as $1 million in the past, as it has previously operated with Nefilim and Karma ransomware. 

There is also evidence that the crook has experience working with NEMTY and Hive. Group-IB has reported that it was behind JSWORM, Karma, Nemty, and Nefilim ransomware strains between 2019 and 2021 according to its Report on Ransomware Group. 

In addition, the report states that the RaaS program offered by Nefilim is responsible for over 40 victims alone. Farnetwork, which had been a part of the Nokoyawa operation since 2022, had found a new home with the company by last February and was actively recruiting affiliates for the program. 

In terms of the timeline of operations and the factors that have had an impact on this market, there is no doubt that farnetwork has made a significant contribution to the RDaaS market across the globe over the past couple of years. 

The RaaS operation at Nokoyawa has since been shuttered, and Farnetwork has announced it will retire soon. However, Group-IB researchers believe that he is going to appear again with another strain of ransomware shortly.
Read more »
ransomware attacks
Crypto Extortion Threats cryptocurrency Cyber Attacks Double extortion RaaS Ransomware ransomware attacks

Ransomware Gangs are Evolving: Cryptocurrency Flaws Could be Their Next Target


Dallas City Government, in May 2023, faced a ransomware attack which resulted in the temporary halt in their operations which included hearings, trial and jury duty and the closure of the Dallas Municipal Court Building. 

The attack further impacted police activities, as overstretched resources made it more difficult to implement initiatives like summer youth programs. Threats to publish private information, court cases, prisoner identities, and official papers were made by the criminals.

One may think that cyberattack on city government would be a headline news, however, this year has seen a number of such instances that any mere attack is just another common topic of discussion. A notable exception was the vulnerability exploitation of a Moveit file transfer app in May and June 2023 that led to data theft from hundreds of organizations across the world, including British Airways, the BBC and the chemist chain Boots. 

Apparently, over the past years the ransom payments have doubled to US$1.5 million, with the big-profit organizations paying the highest price. A British cybersecurity company called Sophos discovered that the average ransomware payment increased from US$812,000 the year before. At US$2.1 million, the average payment made by UK organizations in 2023 was considerably greater than the global average.

While ten years ago this was no more than a theoretical possibility and niche threat, but ransomware has now gained a wide acknowledgment as a major threat and challenge to modern society. Its rapid evolution, which has fueled crime and done enormous harm has raised serious concerns. 

The "business model" for ransomware has evolved as, for example, malware attack vectors, negotiation tactics, and criminal enterprise structure have all advanced.

Criminals are now expected to adapt to their strategies and cause digital catastrophe for years to come. In order to combat the long-term threat, it is crucial to examine the ransomware threat and anticipate these strategies.

What is Ransomware?

In various settings, the term "ransomware" can refer to a variety of concepts. At Columbia University, Adam Young and Mordechai "Moti" Yung revealed the fundamental structure of a ransomware assault in 1996, which is as follows: 

Criminals get past the victim's cybersecurity defenses (either by using strategies like phishing emails or an insider/rogue employee). Once the victim's defenses have been breached, the thieves release the ransomware. Which has as its primary purpose locking the victim out of their data by encrypting their files with a private key, which is conceptualized as a lengthy string of characters. The perpetrator now starts the third stage of an attack by requesting a ransom for the private key.

Here, we are discussing some of the most popular developments of ransomware attacks one may want stay cautious about: 

Off-the-shelf and Double Extortion 

Ransomware-as-a-service's advent was a significant development. This phrase refers to markets on the dark web where criminals can buy and utilize "off-the-shelf" ransomware without the need for sophisticated computer knowledge, and the ransomware providers get a part of the profits.

According to research, the dark web serves as the "unregulated Wild West of the internet" and provides criminals with a secure environment in which to exchange unlawful goods and services. It is freely accessible, and there is a thriving worldwide underground economy there thanks to anonymization technologies and digital currencies. The European Union Agency for Law Enforcement estimates that just in the first nine months of 2019, there was spending of US$1 billion.

With ransomware as a service (RaaS), the entry hurdle for would-be cybercriminals was decreased in terms of both cost and expertise. In the RaaS model, vendors that create the malware provide competence, although the attackers themselves may be only moderately experienced.

Crypto Extortion Threats 

In the newer developments in ransomware attacks, attackers are now progressively finding new tactics for extortion. One of the highly discussed techniques include the cryptocurrency-specific variations, and the “consensus mechanisms” used within them.

Consensus mechanism refers to a technique used to achieve consensus, trust, and security across a decentralized computer network.

In particular, cryptocurrencies are progressively validating transactions through a so-called "proof-of-stake" consensus method, in which investors stake substantial amounts of money. These stakes are open to ransomware extortion by criminals.

Until now, crypto has relied on a so-called “proof-of-work” consensus mechanism where the authorization of transactions include solving a complicated math problem (the work) to authorize transactions. This strategy is not long-term viable since it leads to unnecessary large-scale energy use and duplication of effort.

A "proof-of-stake" consensus method is the alternative, which is increasingly becoming a reality. In this case, validators who have staked money and receive compensation for validating transactions approve transactions. A financial stake takes the place of the role played by ineffective work. While this solves the energy issue, it also means that substantial sums of staked money are required to validate crypto-transactions.

Read more »
Ransomware Attacks.
Backups Crypto Cyber Security Malicious actor RaaS Ransomware Attacks.

Ransomware Trends: RaaS and Cryptocurrency Impacts

Ransomware attacks have become a pressing concern for individuals, businesses, and governments worldwide. Cybercriminals are constantly evolving their tactics, and two significant trends that demand close monitoring are the rise of Ransomware-as-a-Service (RaaS) and the growing reliance on cryptocurrencies for ransom payments.

According to recent reports, ransomware attacks have become increasingly sophisticated due to the emergence of Ransomware-as-a-Service. This model allows even less experienced hackers to launch ransomware campaigns with ease. By using RaaS, malicious actors can purchase ready-to-use ransomware kits from more skilled developers, giving them access to advanced tools without the need for extensive technical knowledge. This trend has dramatically widened the scope of potential attackers, leading to a surge in ransomware incidents across the digital landscape.

The impact of Ransomware-as-a-Service is not limited to smaller-scale operations. It has enabled the creation of formidable cybercrime syndicates capable of orchestrating large-scale attacks on critical infrastructures and major corporations. As a result, businesses of all sizes must be vigilant in bolstering their cybersecurity measures to fend off these increasingly prevalent threats.

Furthermore, ransomware attackers are exploiting cryptocurrencies to anonymize their transactions and evade law enforcement. Cryptocurrencies, such as Bitcoin, have emerged as the preferred method of payment for ransoms due to their decentralized nature and pseudo-anonymous properties. Transactions carried out using cryptocurrencies are challenging to trace, making it difficult for authorities to identify and apprehend the criminals behind these attacks.

The use of cryptocurrencies in ransom payments also creates an additional layer of complexity for victims and law enforcement agencies. As transactions are conducted peer-to-peer, there is no central authority that can freeze or retrieve funds. Once the ransom is paid, it is often impossible to recover the funds, leaving victims with limited options for recourse.

One of the key aspects of tackling ransomware effectively is understanding the motivations and techniques employed by attackers. As cyber criminals adapt their strategies, organizations, and individuals must remain informed about the latest trends and statistics surrounding ransomware. By staying up-to-date, they can implement proactive measures to mitigate the risks associated with these evolving threats.

As an industry expert highlights, "The increase in Ransomware-as-a-Service offerings has democratized cybercrime, allowing more threat actors to participate and launch attacks. At the same time, the adoption of cryptocurrencies as the preferred payment method makes it imperative for organizations to invest in robust cybersecurity measures and maintain data backups to protect against potential ransomware attacks."

Collaboration between private businesses and law enforcement authorities is now essential in the face of the escalating ransomware threat. Sharing threat intelligence and best practices can be crucial to effectively battling ransomware and reducing its effects on both organizations and people.

Read more »
RaaS
Cyber Attacks CyberCrime CyberCriminal Malware Attack RaaS

Rise of Cybercrime as a Service Will be Worse

 

The proliferation of cybercrime-as-a-service has created an expansive digital gateway for individuals seeking fast and unlawful gains on the internet. Alongside attacks-as-a-service, malware-as-a-service, and fraud-as-a-service, this phenomenon has granted easy access to various illicit opportunities in the online realm. 
The evolution of cybercrime as a service aligns with the prevalent model of other as-a-service business offerings. Skilled criminals, who have developed effective malicious code, now offer their cybercrime "solutions" for rent to less sophisticated criminals lacking the means or expertise to create and carry out cyberattacks independently. 

In exchange for their services, these criminals receive a percentage of the profits generated from attacks utilizing their code. This share is on the rise, with some criminals earning between 10% and 20% of the ill-gotten gains obtained through the utilization of their malicious software. 

If you're interested in acquiring a DDoS booter rental from Russia, you can obtain one for a daily cost of $60 or lease it for a week at $400. Additionally, orders exceeding $500 are eligible for a 10 percent discount, which increases to 15 percent for orders surpassing $1,000. 

Alternatively, if you're considering a ransomware kit, you have the option of renting it for one month at a price of $1,000. While this may appear expensive to some, it's important to consider the potential return on investment. Moreover, prospective customers have the opportunity to test the product for 48 hours before making a final decision. 

This trend carries significant implications. The accessibility of these cybercrime offerings has eliminated the need for customers to possess advanced technical skills. In fact, even novices can now actively engage in cybercriminal activities and, remarkably, are being actively courted. 

Numerous online marketplaces on the dark web proudly advertise their provision of technical support, catering to individuals who require additional guidance and assistance. The cybercrime-for-hire industry has reached such a level of vitality that hacker groups are reportedly struggling to meet the growing demand. 

The thriving "as-a-service" market in cybercrime has not only captivated the attention of cybercriminals but has also piqued the interest of traditional criminals. These individuals and groups recognize the service-oriented nature of the cybercrime market and are increasingly leveraging it to their advantage. 

According to a study conducted by researchers at Cambridge, over half of the cybercriminals convicted in the UK had prior criminal records related to conventional offenses like burglary. Additionally, hackers are actively exploring avenues to introduce subscription-based offerings on the dark web.
Read more »
ransomware attacks
CISA Kaspersky LockBit 2.0 ransomware LockBit 3.0 malware MS-ISAC RaaS Ransomware ransomware attacks

LockBit 3.0 Ransomware: Inside the Million Dollar Cyberthreat


US government organizations have recently published a joint cybersecurity advisory stating the indicators of compromise (IoCs) and tactics, techniques and procedures (TTPs) linked with the malicious LockBit 3.0 ransomware. 

The alert comes through the FBI, the CISA, and the Multi-State Information Sharing & Analysis Center (MS-ISAC). 

"The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit," the authorities said. Since the emergence of LockBit ransomware in 2019, the threat actors have invested in particular technical aids in order to develop and finely enhance its malware, issuing two significant updates, ie. Launching LockBit 2.0 in mid-2021, and LockBit 3.0, released in June 2022. The two versions are also termed LockBit Red and LockBit Black, respectively. 

"LockBit 3.0 accepts additional arguments for specific operations in lateral movement and rebooting into Safe Mode[…]If a LockBit affiliate does not have access to passwordless LockBit 3.0 ransomware, then a password argument is mandatory during the execution of the ransomware," according to the alert. 

 Additionally, the ransomware is made to only infect computers whose language preferences do not match those on an exclusion list, which includes Tatar, Arabic, and Romanian (all of which are spoken in Syria) and Moldova) (Russia). 

The ransomware is also designed to only infect devices whose language choices do not match those on an exclusion list, which includes Tatar, Arabic, and Romanian (all of which are spoken in Syria) and Moldova) (Russia). The victim’s network is being accessed through remote protocol (RDP) exploitation, drive-by compromise, phishing campaigns, exploiting valid accounts, and weaponizing of public-facing applications. 

Before starting the encryption procedure, the malware first attempts to create persistence, increase privileges, perform lateral movement, and purge log files, files in the Windows Recycle Bin folder, and shadow copies. 

"LockBit affiliates have been observed using various freeware and open source tools during their intrusions[…]These tools are used for a range of activities such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration," the agencies said. 

One of the prime attributes of the attacks is the use of custom exfiltration tool, known as StealBit, authorized by the LockBit group to affiliates for double extortion reasons. 

The LockBit ransomware strain has been employed against at least 1,000 victims globally, according to a November report from the US Department of Justice, earning the organization over $100 million in illegal revenues. 

The Upsurge in LokBit Incidents 

Dragons, an industrial cybersecurity reported earlier this year that LockBit ransomware was the one responsible for 21% of the 189 ransomware attacks detected against critical infrastructure in Q4 2022m in an account of 40 such incidents. For a fact, a majority of food and beverage and manufacturing sectors were impacted due to these attacks. 

In its recent report, the FBI’s Internet Crime Complaint Center (IC3) ranked LockBit (149), BlackCat (114), and Hive (87) as the top three ransomware variants targeting the infrastructure sector in 2022. 

Despite LockBit's prolific attack campaign, the ransomware gang was suffered a severe setback in late September 2022 when a dissatisfied developer of LockBit revealed the building code for LockBit 3.0, sparking concerns that other criminal actors would use the situation and produce their own variations. 

The advisory comes months after antivirus company Avast offered a free decryptor in January 2023, at a time when the BianLian ransomware organization has switched its emphasis from encrypting its victims' files to straightforward data-theft extortion attempts. 

In a similar development, Kaspersky has released a free decryptor to assist victims whose data has been encrypted by a ransomware variant based on the Conti source code that emerged after Russia's incursion of Ukraine last year caused internal strife among the core members. 

"Given the sophistication of the LockBit 3.0 and Conti ransomware variants, it is easy to forget that people are running these criminal enterprises," Intel 471 noted last year. "And, as with legitimate organizations, it only takes one malcontent to unravel or disrupt a complex operation."

Read more »
Security Strategy
Cyber Security RaaS Ransomware ransomware attacks Security Strategy

Why Must Businesses be Equipped With Modern Ransomware Capabilities?


The most contemporary threat to the survival of businesses may be the "if, not when" approach surrounding ransomware. Ransomware attacks are increasingly prevalent targets for businesses of all sizes and in all sectors, and we know that 94% of enterprises had a cybersecurity issue just last year.

However, several companies still operate with archaic security measures that are incompetent in combating modern ransomware. 

It has been falsely believed that ransomware attacks are declining. In reality, Q1 of 2022 reported a 200% YoY hike in ransomware activities. Moreover, the increase in Ransomware as a Service (RaaS) offerings indicates that ransomware attacks have in fact turned into a commodity for threat actors. 

Ransomware as a Service 

The RaaS market opens a new and challenging trend for organizations and IT experts. 

With RaaS – a subscription ransomware model that charges affiliates for setting up malware – the access barriers for hackers are lower than ever. 

The unsophisticated nature of RaaS hackers is the reason why the average downtime has decreased to just 3.85 days (as compared to the average attack duration of two months in the year 2019). 

While the decrease in attack downtime sounds promising, the emergence of RaaS still indicates a fact for the business leaders, i.e. all organizations are vulnerable. Consequently, demanding the role of IT and business experts to combat the risk by implementing robust cybersecurity protocols. 

The need for the aforementioned action could be estimated by reviewing the ransomware attack cases that organizations have witnessed in recent times. 

Bernalillo County’s Ransomware Breach 

In January 2022, threat actors breached data centers in Bernalillo County, New Mexico. The largest detention facility in the county's automatic locking systems and security cameras were among the critical infrastructure disruptions that continued for several days. 

Months after subverting the ransomware agents, Bernalillo County officials finally implemented a stronger cybersecurity strategy that included endpoint detection and response (EDR) systems, multi-factor authentication (MFA) on all employee accounts, 24/7 security monitoring, and new virus-scanning software. 

Bernalillo County’s Ransomware Breach has taught security experts several lessons. The incident highlights how ransomware can cause non-financial harm to persons and businesses. Since, residents of Bernalillo County suffered severe service interruptions during the incident, while county convicts were confined to their cells for several days. 

The incident also emphasized the importance of rapid response to such situations. Cybersecurity measures such as MFA, remote monitoring, and EDR work wonders in preventing ransomware attacks, but only if implemented before the cyberattack. 

Unfortunately, a lot of business executives still hold off on putting strong cybersecurity policies in place. As a result, ultimately and inevitably, their organizations end up suffering like the residents of Bernalillo County. 

Prioritizing a Robust Security Strategy is Crucial 

Organizations must not compromise in implementing security protocols and services. In order to boost the effectiveness of cybersecurity, business and IT leaders are suggested to have access to the same evolving AI and machine learning capabilities that are utilized by modern hackers. 

An adequate tactile protection plan usually requires a third-party vendor in order to provide security insights or monitoring capabilities. However, business and IT leaders only consider Ransomware Protection as a Service (RPaaS) solutions that provide adaptive tactics for cloud-based, on-premises, and hybrid data centers. Doing so will eventually ensure the organization’s cybersecurity package scales as it grows—or, in some instances, shrink —without the need for extra software. 

Preparing For “When,” And Not “If” 

The first step to combat a ransomware threat is by accepting that any organization, big or small, could be a target sooner or later. This realization will eventually become more crucial in combatting the attacks, as one witnesses a constant rise in casual ransomware attacks via RaaS, and as international conflicts have further increased the chances of large-scale breaches and ransomware attacks. 

Although one cannot entirely evade ransomware attacks, breaches could still be dodged by taking cybersecurity measures such as a robust cyber defense, that will consequently secure an organization from any financial loss or a mission-critical service outage.  

Read more »
RaaS
APT actors Chinese Hackers Command and Control(C2) Data Breach Encryption Log4Shell PowerShell RaaS

Cheerscrypt Spyware Attributed to Chinese APT Entity

The Emperor Dragonfly Chinese hacker group, notorious for frequently switching between several ransomware families to avoid detection, has been connected to the Cheerscrypt virus. 

The attacks were linked by the cybersecurity company Sygnia to a threat actor also dubbed Bronze Starlight and DEV-0401. The hacking gang seems to be a ransomware operation, but past research suggests that the Chinese government is interested in many of its victims.

Cheerscrypt is the most recent addition to a long range of ransomware families that the gang has previously used, including LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0 in a little over a year.

Recently, Sygnia researched a Cheerscrypt ransomware operation that utilized Night Sky ransomware TTPs. The attackers then dropped a Cobalt Strike beacon linked to a C2 address formerly tied to Night Sky operations. 

The code for the Babuk ransomware, which was exposed online in June 2021, was used to develop the Cheerscrypt ransomware family, which Trend Micro first analyzed in May 2022. Cheerscrypt is one of several ransomware families used by the APT organization. The DEV-0401 group, unlike other ransomware gangs, oversees every stage of the assault chain directly, from the first access to the data theft. It does not rely on a system of affiliates.

A significant Log4Shell vulnerability in Apache Log4j was utilized by hackers in January 2022 assaults to acquire initial access to VMware Horizon servers. They subsequently dropped a PowerShell payload that was used to send an encrypted Cobalt Strike beacon. Apart from the beacon, the hackers also sent three Go-based tools: a keylogger that sent keystrokes to Alibaba Cloud, a customized version of the internet proxy tool iox, and the tunneling program NPS.

Trend Micro initially identified Cheerscrypt in May 2022, highlighting its capacity to target VMware ESXi servers as a component of a tried-and-true strategy known as double extortion to force its victims into paying the ransom or risk having their data exposed.

The hackers break into networks, take information, and encrypt devices just like other ransomware groups that target businesses. The victim is then coerced into paying a ransom through double-extortion methods using the data. The stolen data is posted on a data leak website when a ransom is not paid.

A PowerShell payload that can deliver an encrypted Cobalt Strike beacon has been dropped on VMware Horizon servers by infection chains that have exploited the major Log4Shell vulnerability in the Apache Log4j library.

Cheerscrypt and Emperor Dragonfly share initial access vectors, and lateral movement strategies, including the use of DLL side-loading to distribute the encrypted Cobalt Strike beacon. Notably, the ransomware gang is acting as a 'lone wolf' separated from the rest of the cybercrime community rather than as a RaaS (Ransomware-as-a-Service) platform for affiliates.






Read more »
User Privacy
BlackCat Cyber Attacks My SQL RaaS Ransomware Attacks. TTPs User Privacy

Noberus Ransomware Has Updated Its Methods

Recently there has been an increase in the use of different techniques, tools, and procedures (TTPs) by attackers using the Noberus aka BlackCat ransomware, making the threat more serious than ever. On Thursday, Symantec provided new techniques, tools, and procedures (TTPs) that Noberus ransomware attackers have employed recently.

Noberus is believed to be the sequel payload to the Darkside and BlackMatter ransomware family, according to a blog post by Symantec's Threat Hunter Team. The company said that Darkside is the same virus that was used in the May 2021 ransomware assault on Colonial Pipeline.

About  Coreid 

Coreid operates a ransomware-as-a-service (RaaS) business, which implies it creates the malware but licenses it to affiliates in exchange for a share of the earnings. 

Since Noberus was the first genuine ransomware strain to be deployed in real-world attacks and it was written in the computer language Rust, it piqued interest when it was discovered in November 2021; as a cross-platform language, Rust is notable. In accordance with Coreid, Noberus can encrypt files on the Windows, EXSI, Debian, ReadyNAS, and Synology operating systems.

The organization has chosen to utilize the ransomware known as Noberus, which is short for the BlackCat ALPHV ransomware that has been used in attacks on multiple American colleges, to escape law enforcement by using fresh ransomware strains, according to Symantec researchers.

The researchers claim that the criminal organization first started stealing money from businesses in the banking, hospitality, and retail industries using the Carbanak malware. Before the group's transition towards ransomware-as-a-service (RaaS) operation in the early 2020s, three of its members were arrested in 2018.

Noberus is a destructive ransomware

Coreid emphasized Noberus' various improvements over other ransomware, such as encrypted negotiation conversations that can only be seen by the intended victim. Cybercriminals have access to two different encryption methods and four different ways to encrypt computers, depending on their needs for speed and the size of their data heaps, thanks to Noberus.

Noberus employs a program called Exmatter to recover the stolen data. According to Symantec, Exmatter is made to take particular kinds of files from particular directories and upload them to the attacker's site even before the ransomware is activated. Exmatter, which is constantly modified and updated to exfiltrate files through FTP, SFTP, or WebDav, can produce a report of all the processed exfiltrated files and if used in a non-corporate setting, it has the potential to self-destruct.

Noberus is also capable of collecting credentials from Veeam backup software, a data protection and recovery product that many organizations use to store login information for domain controllers and cloud services, utilizing information-stealing malware called Infostealer. By using a specific SQL query, the malware known as Eamfo can connect to the SQL database containing the credentials and steal them.

Symantec reported that in December the gang introduced a 'Plus' category for allies who had extorted at least $1.5 million in attacks. The group has demonstrated that it will cut off allies who don't earn enough in ransoms, according to Symantec.

A potent data exfiltration tool for the most common file types, including.pdf,.doc,.docx,.xls,.xlsx,.png,.jpg,.jpeg,.txt, and more, was added to Coreid last month.

Similar to some other organizations, Coreid has outlined four primary entities that affiliates are not permitted to attack: the Commonwealth of Independent States, nations with ties to Russia, healthcare providers, and nonprofits.

According to Symantec, the affiliates are 'directed to avoid assaulting the education and government sectors,' but given the numerous attacks on universities around the world, they seem to be lax about this directive.




Read more »
TrickBot
BlackBerry Conti Ransomware Cyber Crime Encryption Intel 471 RaaS Russian Hackers TrickBot

Conti Gang Doppelganger Adopts Recycled Code 

A ransomware attack from a brand-new gang dubbed 'Monti,' which primarily exploits Conti code has come to the surface. 

The Monti ransomware was found and revealed by MalwareHunterTeam on Twitter on June 30, but Intel471 and BlackBerry independently announced their study into Monti on September 7th.

The malware's developers constitute a well-known ransomware group that has launched numerous attacks. They operate under "Wizard Spider" and could be linked with the global Trickbot cybercrime ring. 

Reportedly, the cybercrime group that has a base in Russia, supports the Russian government's goals, particularly the Ukraine conflict. 

In return for a portion of the ransom money collected, the Conti gang offers 'its members' access to its software. The group's ability to scale operations is a direct result of the aforementioned. The group resorts to the ransomware as a service (RaaS) approach to disseminate the infection.

According to Intel471, "Monti might be a rebranded version of Conti or even a new ransomware version that has been developed utilizing the disclosed source code," it was published on February. It really doesn't appear like Monti has been involved in enough activities for the security company to establish a connection to Conti." 

Since the Conti disclosures in February effectively handed Monti malicious actors a step-by-step roadmap to mimicking Conti's notoriously successful actions, BlackBerry appears to be more certain that Monti is a copycat than a legitimate successor to its namesake.

Apart from one, Monti threat actors used the Action1 Remote Monitoring and Maintenance (RMM) agent, and the majority of Indicators of Compromise (IOCs) discovered by the BlackBerry IR team in the Monti attack were also detected in prior Conti ransomware attacks. 

Experts want to highlight a useful technique that was made feasible by our awareness of the code repetition before  Monti's reuse of Conti's encryptor code. 

The BlackBerry IR team was aware that Conti encryptor payloads do not always completely encrypt each file because we were familiar with Conti v2 and v3 encryptor payloads. Source code research reveals that Conti payloads combine a file's location, type, and size to decide which encryption techniques to employ. 

The BlackBerry IR team was able to recover completely, unencrypted strings from encrypted log files because of this information.

Conti's activities have slowed down recently, some experts have proposed that Conti's reduced activity is the consequence of a rebranding effort similar to those undertaken by various ransomware strains in the past, perhaps involving several members of the Conti gang. Other sources claim that other RaaS firms, like Karakurt and BlackByte, have engaged former Conti operators.

Whether Conti is being dubbed Monti to spoof the earlier strain or it is simply another new ransomware variety remains unclear, we will probably continue to see this new version have an impact on organizations all around the world. However, utilizing publicly accessible binaries to develop fresh ransomware or relaunch an old one would potentially offer defenders a head start as Monti develops.





Read more »
Vulnerabilities and Exploits.
Crypto Linux LockBit RaaS Ransomware Attacks. Trend Micro Vulnerabilities and Exploits.

Hackers are Actively Targeting Linux-Based Devices

Ransomware attacks against Linux have accelerated as cybercriminals try to increase their options and take advantage of an operating system that is sometimes neglected when organizations think about security. 

According to Trend Micro, hackers prefer using ransomware-as-a-service (RaaS) techniques because they enable quicker deployment and higher rewards. Additionally, they increasingly focused their attacks on Linux-based computers and employed relatively new ransomware families in high-profile strikes. Operators of ransomware also used both cutting-edge and time-tested strategies to attack cloud environments.

Linux powers significant enterprise IT infrastructure, including servers, making it a target for ransomware gangs. This is especially true when cybersecurity teams may decide to concentrate on protecting Windows networks against cybercrime due to a believed lack of threat to Linux systems compared to Windows.

For instance, LockBit, one of the most widespread and effective ransomware operations in recent memory, now provides the choice of a Linux-based variant that is made to target Linux systems and has been used to carry out assaults in the field.

Hackers are regularly extending the scope of their exploits by focusing on Linux, one of the most potent operating systems utilized in cloud platforms and servers around the world, in addition to upping the ante by utilizing MaaS methods in their attacks.

The RaaS architecture makes it simpler and quicker for cyber criminals to deploy ransomware attacks than traditional ransomware models, even those with limited technical knowledge. According to SPN data, three ransomware families—the infamous LockBit, Conti, and BlackCat families—dominated the RaaS space in terms of detections. BlackCat is a family of ransomware that was developed in the Rust programming language at the end of 2021.

Attackers using ransomware are motivated by money and would jump at new possibilities if they believe they can increase their earnings; it would seem that encrypting Linux systems and demanding payment for the key to open servers and files are becoming more and more common.

According to researchers, as ransomware perpetrators strive to maximize their profits, this strategy will only grow in popularity.

It's not only ransomware entities that are focusing more on Linux, according to Trend Micro, but there has also been a 145% increase in Linux-based cryptocurrency-mining malware attacks, wherein online criminals covertly use the processing power of infected computers and servers to mine for cryptocurrency for their own gain.
Read more »
REvil
Bitcoin Canada Crypto heist Cyber Security Double extortion FBI NetWalker RaaS REvil

Netwalker: Ex Canadian Government Employee Pleads Guilty to Cybercrimes 

 

An ex-government of Canada official pleaded guilty in a US court to crimes related to data theft stemming from his involvement with the NetWalker ransomware group. 

Sebastien Vachon-Desjardins admitted on Tuesday that he had planned to commit bank fraud and phishing scams, intentionally damaged a protected computer, and also sent another demand regarding that illegally damaged computer. 

 Plea agreement filled 

Vachon-Desjardins, 34, who had previously been sentenced to six years and eight months in prison after entering a guilty plea to five criminal offenses in Canada, was deported to the United States in March. 
Vachon-Desjardins is "one of the most prolific NetWalker Ransomware affiliates," as per his plea agreement, and was in charge of extorting millions of dollars from several businesses all over the world. Along with 21 laptops, smartphones, game consoles, and other technological devices, he will also forfeit $21.5 million. 

He has pleaded guilty to conspiracy to commit computer fraud, conspiracy to commit wire fraud, intentionally harming a protected computer, and conveying a demand related to intentionally damaging a protected computer, according to a court filing submitted this weekThe accusations carry a maximum punishment of 40 years in jail combined. The attorneys did not identify the targeted business, but they did indicate that it is based in Tampa and was assaulted on May 1, 2020. 

 NetWalker gang's collapse

In 2019, a ransomware-as-a-service operation called NetWalker first surfaced. It is thought that the malware's creators are based in Russia. Its standard procedure – a profitable strategy also known as double extortion, includes acquiring sensitive personal data, encrypting it, and then holding it hostage in exchange for cryptocurrencies, or risk having the material exposed online.

According to reports, the NetWalker gang intentionally targeted the healthcare industry during the COVID-19 pandemic to take advantage of the global disaster. To work for other RaaS groups like Sodinokibi (REvil), Suncrypt, and Ragnarlocker, Vachon-Desjardins is suspected of being connected to at least 91 attacks since April 2020 in his capacity as one of the 100 affiliates for the NetWalker gang. 

The Feds dismantled the crime gangs' servers and the dark website is used to contact ransomware victims as part of the takedown of the NetWalker gang. Then they took down Vachons-Desjardins, who, according to the FBI, made $27 million for the NetWalker gang. 

His role in cybercrime is said to have included gathering information on victims, managing the servers hosting tools for reconnaissance, privilege escalation, data theft, as well as running accounts that posted the stolen data on the data leak site and collecting payments following a successful attack. 

However, some victims did pay fees, and the plea deal connected Vachons-Desjardins to the successful extortion of roughly 1,864 Bitcoin in ransom payments, or about $21.5 million, from multiple businesses around the world.
Read more »
RaaS
Bug Bounty Conti Crypto Currency LockBit 2.0 ransomware malware NCC Group RaaS

LockBit 3.0: Launch of Ransomware Bug Bounty Program

 

The "LockBit 3.0" ransomware update from the LockBit ransomware organization features the first spyware bug bounty program, new extortion methods, and Zcash cryptocurrency payment choices. After two months of beta testing, the notorious gang's ransomware-as-a-service (RaaS) operation, which has been operational since 2019, recently underwent an alteration. It appears that hackers have already employed LockBit 3.0.

Bug bounty plan for LockBit 3.0 

With the launch of LockBit 3.0, the organization launched the first bug bounty program provided by a ransomware gang, which asks security researchers to disclose bugs in exchange for incentives that can go as high as $1 million. In addition to providing bounties for vulnerabilities, LockBit also pays rewards for "great ideas" to enhance the ransomware activity and for doxing the operator of the affiliate program, identified as LockBitSupp, which had previously posted a bounty plan in April on the XSS hacking site.

"We open our bug bounty program to any security researchers, ethical and unethical hackers worldwide. The compensation ranges from $1,000 to $1,000,000," reads the page for the LockBit 3.0 bug reward. The notion of initiating the criminal operation would be against the law in many nations, however, makes this bug reward scheme a little different from those frequently utilized by respectable businesses.

LeMagIT claims that version 3.0 of LockBit includes several other improvements, such as new methods for data recovery and monetization, as well as the option for victims to choose to have their data destroyed, and the ability for victims to make payments using the Zcash cryptocurrency in addition to Bitcoin and Monero. 

LockBit is producing outcomes. In May, LockBit 2.0 succeeded Conti as the leading provider of ransomware as a service. The gang's previous ransomware, LockBit 2.0, was to be blamed for 40% of the attacks that NCC Group observed in the preceding month. Moreover, according to Matt Hull, worldwide lead for strategic threat intelligence at NCC, The most prolific threat actor of 2022 is Lockbit 2.0,  In times like these, it's imperative that businesses become familiar with their strategies, methods, and processes.

It is unclear how this new extortion technique will operate or even whether it is activated because the LockBit 3.0 data leak site currently does not have any victims. With its public-facing manager actively interacting with other malicious actors and the cybersecurity community, LockBit is one of the most prolific ransomware campaigns.
Read more »
RATs
APT Group Chinese Actors Cobalt Strike Command and Control(C2) Cyber Attacks LockBit 2.0 ransomware Microsoft Night Sky RaaS RATs

Chinese APT Utilizes Ransomware to Cover Cyberespionage

 

A China-based advanced persistent threat (APT) group called Bronze Starlight has been active since the start of 2021. It appears to be using double-extortion attacks and ransomware as cover for routine, state-sponsored cyberespionage and intellectual property theft. 

The distribution of post-intrusion ransomware, including LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0, is a feature of Bronze Starlight. Microsoft also labeled it as part of the DEV-0401 emerging threat cluster, highlighting its involvement in all phases of the ransomware attack cycle, from initial access to the payload dissemination.

China's Correlation

The threat actor has always loaded Cobalt Strike Beacon and then released ransomware on compromised computers using a malware loader known as the HUI Loader, which is solely utilized by  Chinese-based organizations. This method has not been noticed by other threat actors, according to Secureworks researchers.

Researchers from Secureworks believe that Bronze Starlight is more likely motivated by cyberespionage and intellectual property (IP) theft than financial gain due to the short lifespan of each ransomware family, victimology, and access to tools used by Chinese state hacktivists (including known vulnerabilities and the HUI Loader). HUI Loader has been used to distribute malware such as Cobalt Strike, QuasarRAT, PlugX, and SodaMaster as well as remote access trojans (RATs) at least since 2015.

Attacks carried out by the actor are distinguished by the use of vulnerabilities influencing Exchange Server, Zoho ManageEngine ADSelfService Plus, Atlassian Confluence, and Apache Log4j. This contrasts with other RaaS groups that obtain access from initial access brokers (IABs) to enter a network. 

The similarity between Ransomware 

Additionally, a familiar actor is apparent from the similarities found between LockFile, Atom Silo, Rook, Night Sky, and Pandora, the latter three of which were developed from the Babuk ransomware, the source code of which was leaked in September 2021. 

The researchers write that the use of HUI Loader to load Cobalt Strike Beacon, the configuration data for Cobalt Strike Beacon, the C2 network, and the code overlap "indicate that the same threat group is linked with these 5 ransomware families."

The use of the HUI Loader to launch next-stage encrypted payloads like PlugX and Cobalt Strike Beacons, which are used to disseminate the ransomware, is another instance of detected tradecraft. However, this technique requires first getting privileged Domain Administrator credentials. 

The main victims are American and Brazilian pharmaceutical firms, a U.S. media outlet with branches in China and Hong Kong, Lithuanian and Japanese electronic component designers and manufacturers, a U.S. legal company, and the aerospace & defense unit of an Indian conglomerate. 

To achieve this, ransomware operations not only give the threat actor a way to phish data as a result of the double extortion, but they also give them a chance to erase forensic proof of its destructive actions and distract them from data theft.
Read more »
RaaS
Conti Ransomware Cyber Attacks Dark Web Emotet Encrypted Files Microsoft Qakbot RaaS

Costa Rica's New Government is Under Attack by a Conti Ransomware Gang

 

The Conti ransomware organization, which has hacked some Costa Rican government computer systems, has increased its threat, claiming that its ultimate goal is to overthrow the government. The Russian-speaking Conti gang tried to intensify the pressure to pay a ransom by boosting its demand to $20 million, perhaps capitalizing on the fact that President Rodrigo Chaves had just been in office for a week. 

"We are aiming to overthrow the government by a cyber attack, and we have already demonstrated all of our strength and power," the group stated on its official website. "In your government, we have insiders. We're also attempting to obtain access to your other systems, and you have no choice but to pay us." Chaves said the organization had infiltrated up to 27 institutions at various levels of government, declaring that the country was "at war" with the Conti ransomware gang but giving no indication that the ransom would be paid. 

"I appeal to every Costa Rican to go to your government and organize rallies to demand that they pay us as soon as possible if your existing government is unable to fix the situation?" A different statement on Conti's dark web page stated, "Perhaps it's worth replacing." Over the weekend, the ransomware issued a warning that it will remove the decryption keys in a week, making it impossible for Costa Rica to restore access to the ransomware-encrypted files. 

The lethal April 19 attack prompted the new administration to proclaim a state of emergency, and the gang has exposed troves of data acquired from infected systems before encryption. Conti linked the attack to an affiliate actor nicknamed "UNC1756," a play on the name given to uncategorized threat groups by threat intelligence firm Mandiant. 

If it was any other ransomware gang, according to Aaron Turner, vice president of SaaS posture at Vectra, an AI cybersecurity firm, the threat would be unnoticeable. "However, because it's Conti, and Conti has publicly connected themselves with Putin's Russia's military activities, this threat should demand a second look," he said. 

He believes that if the US supports 'enemy' troops in Russia's neighborhood, there is a strong urge for retaliation. "Fortunately for Costa Rica, Conti isn't the most sophisticated gang of ransomware operators," he said. "Costa Rica is also lucky in that Russia's invasion of Ukraine went so badly that there are likely inadequate military forces on the other side of the planet to launch a combined cyberattack and conventional strike." While the prospect of overthrow is intriguing from an academic standpoint, Turner believes the chances of Conti orchestrating a coup are extremely remote. 

Affiliates are hacker organizations that rent access to pre-developed ransomware tools to coordinate assaults on corporate networks as part of the so-called ransomware-as-a-service (RaaS) gig economy, and then share the profits with the operators. Conti has continued to target companies all over the world after suffering a large data breach of its own earlier this year amid its public support for Russia in its current war against Ukraine. 

Conti is the "most prolific ransomware-associated cybercriminal activity organization operational today," according to Microsoft's security team, which records the cybercriminal gang under the cluster DEV-0193. "DEV-0193 has hired developers from other malware operations that have shut down for varied reasons, including legal actions. The addition of developers from Emotet, Qakbot, and IcedID to the DEV-0193 umbrella is very noteworthy." 

Conti is one of the most wanted cybercriminal gangs in the world, with the US State Department offering up to $10 million in incentives for any information leading to the identity of its senior members.
Read more »
VMware
Cyberattack data wipers Google Honeypot Installation IBM Malicious actor malware python RaaS Ransomware Attacks. VMware

JupyterLab Web Notebooks Targeted by Unique Python-Based Ransomware

 

The first-ever Python-based ransomware virus specifically tailored to target vulnerable Jupyter notebooks has been revealed by researchers. It is a web-based immersive computing platform which allows editing and running programs via a browser. Python isn't widely used for malware development, instead, notably, thieves prefer languages like Go, DLang, Nim, and Rust. Nonetheless, this isn't the first time Python has been used in a ransomware attack. Sophos disclosed Python ransomware, particularly targeting VMware ESXi systems in October 2021. 

Jupyter Notebook is a web-based data visualization platform that is open source. In data science, computers, machine learning, and modular software are used to model data. Over 40 programming languages are supported by the project, which is used by Microsoft, IBM, and Google, as well as other universities. According to Assaf Morag, a data analyst at Aqua Security, "the attackers got early access via misconfigured environments, then executed a ransomware script it encrypts every file on a particular path on the server and eliminates itself after execution to disguise the operation." 

The Python ransomware is aimed at those who have unintentionally made one's systems susceptible. To watch the malware's activities, the researchers set up a honeypot with an exposed Jupyter notebook application. The ransomware operator logged in to the server, opened a terminal, downloaded a set of malicious tools, including encryptors, and then manually generated a Python script. While the assault came to a halt before completing the mission, Team Nautilus was able to gather enough data to mimic the remainder of the attack in a lab setting. The encryptor would replicate and encrypt files, then remove any unencrypted data before deleting itself. 

"There are over 11,000 servers with Jupyter Notebooks which are internet-facing," Aqua researcher Assaf Morag stated. "Users can execute a brute force attack and perhaps obtain access to some of them — one would be amazed how easy it can be to predict these passwords." We believe the attack either timed out on the honeypot or the ransomware is still being evaluated before being used in real-world attacks." Unlike other conventional ransomware-as-a-service (RaaS) schemes, Aqua Security described the attack as "simple and straightforward," adding since no ransom note was displayed on the process, raising the possibility the threat actor was experimenting with the modus operandi or the honeypot scheduled out before it could be completed. 

Regardless, the researchers believe it is ransomware rather than a wiper weapon based on what they have. "Wipers typically exfiltrate data and delete it or simply wipe it," Morag continued. "We haven't observed any attempts to move the data outside the server, and the data wasn't just erased, it was encrypted with a password," says the researcher. This is even additional evidence this is a ransomware attack instead of a wiper."

Although evidence discovered during the incident study leads to a Russian actor, citing similarities with prior crypto mining assaults focused on Jupyter notebooks, the attacker's identity remains unknown.
Read more »
Ukraine
C&C Conti Ransomware malware RaaS Russian Hacker Ukraine

Ukrainian Security Researcher  Source Code for New Conti Malware Has Been Exposed

 

The source code of a fresh version of the Conti ransomware has been disclosed by a Ukrainian security researcher. This is the latest in a string of leaks sparked by the criminal group's support for Russia. Conti is a ransomware gang based in Russia which uses a ransomware-as-a-service (RaaS) business model. While some ransomware demands are in the millions of dollars, Coveware thinks the average Conti demand is just over $765,000. 

The renowned Conti ransomware organization published a statement soon after Russia launched its incursion of Ukraine, warning this was prepared to strike the key infrastructure of Russia's adversaries in revenge for any assaults on Russia. 

In response, an anonymous user created the "Conti Leaks" Twitter account and began distributing materials supposedly stolen from the cybercrime ring. The first set of disclosures included correspondence sent within the Conti organization in the preceding year. More chat logs, credentials, email addresses, C&C server information, and source code for the Conti ransomware and other malware were included in the second phase. 

After a period of inactivity of more than two weeks, the Twitter account resurfaced over the weekend, releasing what looks to be the source code for a newer version of Conti. Previously, some speculated that the leaker was a Ukrainian security researcher, while others speculated that he was a rogue employee of the Conti group. Messages were leaked and shared. 

The discharge of ransomware source code, particularly for advanced operations such as Conti, can have catastrophic consequences for corporate networks and consumers. This is due to the fact other threat actors frequently exploit the disclosed raw code to create their own ransomware attacks. In the past, a researcher released the source code for ransomware called 'Hidden Tear,' which was soon adopted by several threat actors to begin various operations.
Read more »
TrickBot
BazarLoader Conti Ransomware DNS Flaw IMAP Linux malware PowerShell RaaS TLS TrickBot

AnchorDNS Loophole of a TrickBot Spyware Upgraded to AnchorMail

 

Even after the TrickBot infrastructure was shut down, the malware's operators continued to improve and retool its arsenal in preparation for attacks which ended in the distribution of the Conti ransomware. The new, improved edition of the criminal gang's AnchorDNS backdoor was called AnchorMail by IBM Security X-Force, which discovered it. 

According to IBM's malware reverse researcher Charlotte Hammond, AnchorMail "uses an email-based [command-and-control] server with which it connects using SMTP and IMAP protocols over TLS." "AnchorMail's behavior is essentially similar to vs its AnchorDNS predecessor, excluding the redesigned C2 communication method." 

The Trickbot Group, also known as ITG23 on X-Force, is a cybercriminal group best known for creating the Trickbot financial Trojan. Originally discovered in 2016, it was used to aid online banking fraud, initially. The gang adapted to the ransomware economy by gaining a footing for ransomware assaults utilizing its Trickbot and Bazarloader payloads, a tight partnership with both the Conti ransomware-as-a-service provider (RaaS). 

ITG23 is also known for creating the Anchor malware framework, which includes the AnchorDNS variant. In 2018 various high-profile targets were being infected with Trickbot or Bazarbackdoor, another ITG23 backdoor. AnchorDNS is known for using the DNS protocol to communicate with its Command and Control (C2) server. The improved backdoor, dubbed AnchorMail or Delegatz by IBM Security X-Force researchers, now communicates with an email-based C2 server through SMTP and IMAP protocols via TLS. AnchorMail's functionality is essentially similar to its AnchorDNS predecessor for most of its part, with the exception of the redesigned C2 communication mechanism. 

The uncovering of this updated Anchor variant adds an extra inconspicuous backdoor during ransomware assaults, demonstrating the group's drive to continually improve its malware. AnchorMail provides a scheduled job for persistence after execution, which is set to execute every 10 minutes. It then gathers basic system data, registers with its C2, and enters a loop of monitoring for and executing commands received. 

The command structure of the backdoor and AnchorDNS appear to be fairly similar, and both forms appear to accept the same set of control codes, which allow a variety of various possibilities for processing orders and payloads received from the C2. The commands include the ability to run binaries, DLLs, and shellcode downloaded from a remote server, as well as launch PowerShell commands and erase themselves from infected PCs. 

"The revelation of this new Anchor version adds a new covert gateway used during ransomware assaults, AnchorMail has only been seen to target Windows PCs so far. However, given the AnchorDNS has been adapted to Linux, a Linux-based version of AnchorMail appears inevitable," said Charlotte Hammond, BM's malware reverse engineer.
Read more »
Subscribe to: Posts (Atom)