Search This Blog

Showing posts with label Ransomware. Show all posts

Analyzing the New Black Basta Ransomware

 

Black Basta, a new ransomware group has been highly active since April 2022 and has already breached a dozen companies worldwide. The list of victims includes the American Dental Association and German wind turbine giant Deutsche Windtechnik. 

Modus operandi of Black Basta 

While Black Basta assaults are relatively new, some information on their methodology has been made public. The data encryptor employed by ransomware requires administrator privileges to execute, otherwise, it is harmless. 

To launch the encryption executable, the ransomware targets a legitimate Windows service. After execution, the ransomware erases shadow copies from the compromised system using vssadmin.exe. This action removes the Windows backup so that after encryption victim cannot revert the system to its previous state. 

Subsequently, Black Basta drops two files: dlaksjdoiwq.jpg and fkdjsadasd.ico in the user Temp folder. The second file is a custom icon for all files with the “.basta” extension. The icon is assigned by designing and setting a new registry key “HKEY_CLASSES_ROOT\.basta\DefaultIcon”. 

The persistence technique of the Black Basta ransomware is executed by “stealing” an existing service name, deleting the service, and then creating a new service named ‘FAX. Before the encryption routine begins, the ransomware checks the boot options using GetSystemMetrics() API and then adds HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Fax entry in the registry to start the FAX service in safe mode. 

After completing all the customizations, the ransomware sets up the operating system to boot in safe mode using bcedit.exechecks. Due to the reboot mode change, the PC will reboot in safe mode with the ‘Fax’ service running. This service will then execute the ransomware again, but this time for the purpose of encryption. 

 Methodologies Identical to Conti group 

Researchers at MalwareHunterTeam attribute the Black Basta ransomware to the team behind Conti ransomware. This assumption is based on similarities between their leak sites, their payment sites, and the way their “support” employees talk and behave. 

Lawrence Abrams of BleepingComputer also mentioned that the threat actors behind Black Basta seem like they are exerting a lot of effort to avoid any resemblance to their previous identity. 

To prevent Black Basta ransomware from further encryptions, it must be eliminated from the operating system. Unfortunately, removal will not restore already compromised data. The sole solution is recovering it from a backup if one was created beforehand and is stored elsewhere. 

Additionally, to avoid permanent data loss, researchers recommend keeping backups in multiple different locations (e.g., remote servers, unplugged storage devices, etc.

Car Rental Giant Sixt Hit by Cyberattack, Operations Shut Down

Rental car giant Sixt, a company based in Germany announced that it has been hit by a cyberattack that resulted in large-scale inconvenience in Sixt's global operations. In April, the company closed down some parts of its IT infrastructure to restrict a cyberattack. 

Only important systems were operating, like the company website and mobile applications. Sixt said that the disturbance for employees and customers was expected, it believes that the disruption was contained to great extent. 

According to the company, it has offered business continuity to its customers, but the temporary disruptions in customer care centers and few branches can be expected for some time. "As a standard precautionary measure, access to IT systems was immediately restricted and the pre-planned recovery processes were initiated. Many central Sixt systems, in particular, the website and apps were kept up and running," said Sixt in a statement. Sixt did most of the car bookings with pen and paper last week, and systems that were not important have been shut down after the cyberattack. 

Calling customers were provided an automated notification "due to a technical problem, we are currently unavailable." No more details are available as of now, Sixt said that it has launched an inquiry into the issue, however, didn't disclose any information on how the attack happened. Sixt is requesting its customers to be patient until the issue is resolved. No ransomware group has claimed the responsibility for the attack as of now, however, the chances of ransomware are highly likely. 

According to Bleeping Computer, ransomware groups are targeting companies like Sixt because of the upcoming tourism season. Vacations are easy money for car rental companies. Ransomware groups generally operate during high traffic periods to increase the chances of damage to the targets. 

The greater the damage, the easier the ransom payment. Sixt said "impacts on the company, its operations and services have been minimized to provide business continuity for customers. However, temporary disruptions, in particular in customer care centers and selective branches, are likely to occur in the short term."

Magniber Ransomware Tricking Users via Fake Windows 10 Updates

 

Security analysts have unearthed a new ransomware campaign targeting Windows systems. Malicious actors are using fake Windows 10 updates to spread the Magniber ransomware strain. 

Since April 27, users around the world have been posting their stories on the BleepingComputer forum seeking a solution. According to the publication, these fake Windows 10 updates are being distributed under multiple names such as Win10.0_System_Upgrade_Software.msi and Security_Upgrade_Software_Win10.0.msi via platforms such as pirated sites, posing as legitimate cumulative or security updates.

Aside from these files, there also are other fake knowledge-based articles on Microsoft that can install the Magniber ransomware: 

• System.Upgrade.Win10.0-KB47287134.msi 
• System.Upgrade.Win10.0-KB82260712.msi 
• System.Upgrade.Win10.0-KB18062410.msi 
• System.Upgrade.Win10.0-KB66846525.msi

Based on the submissions to VirusTotal, this malicious campaign appears to have started on April 8th, 2022 and has seen massive distribution worldwide since then. Meanwhile, it remains unclear how the fake Windows 10 updates are being promoted and distributed from fake warez and crack sites. 

Once installed, Magniber will erase shadow volume copies and then encrypt files. When encrypting files, the ransomware will append a random 8-character extension, such as .gtearevf,. The ransomware also produces a README.html document in each folder which it encrypts. The documents then redirect users to Magniber’s Tor payment site, which is called 'My Decryptor'.

The payment site allows a victim to decrypt one file for free, contact 'support,' or determine cryptocurrency address to send coins to if they decide to pay the ransom. The ransomware demands tend to be around $2,500 or 0.068 bitcoin, Bleeping Computer reported. 

“The only 1 way to decrypt your files is to receive the private key and decryption program,” the ransom note reads. “Any attempts to restore your files with the third-party software will be fatal for your files!”

According to security researchers, no safe decryptor exists for the ransomware. Nor any weaknesses of the malware are known to reverse its infection. The ransomware presently targets regular users and students, and not corporate customers. Thus, the users need to remain vigilant, avoid downloading cracked versions, and use legit sites only. 

The ransomware was first spotted in 2017 targeting victims in South Korea. Back in 2021, the ransomware was using the PrintNightmare exploit to Target Windows user, and earlier this year in January, it was distributed via Microsoft Edge and Chrome.

Black Basta Ransomware Hits American Dental Association

 

A new ransomware gang dubbed Black Basta is exfiltrating corporate data and documents before encrypting the firm’s devices. It has quickly catapulted into operation this month and has targeted more than twelve firms in just a few weeks. 

The malicious actors then employ stolen data in double-extortion assaults and demand hefty amounts to decrypt files and prevent the publishing of the victim's stolen data. 

According to BleepingComputer, the American Dental Association was targeted by Black Basta last weekend, prompting the shutdown of some parts of its network. The ADA sent emails to its members noting that some of its systems, including ADA email and Aptify, as well as its webchat and telephone lines, have been disrupted as a result of the attack. 

Impacted systems were immediately taken down, with the ADA leveraging Gmail addresses while its email systems are offline. State dental associations, including those in Florida, New York, and Virginia, have also been hit by the ADA breach. 

The attackers claimed to have leaked 2.8GB of data, which they believe accounts for about 30% of the stolen data from the attack. The exfiltrated files include non-disclosure agreements, W2 forms, accounting spreadsheets, and ADA member data. 

The researchers first uncovered the Black Basta attacks in the second week of April, as the operation quickly began targeting firms worldwide. While not much else is known about the new ransomware gang as they have not begun marketing their operation or recruiting affiliates on hacking forums. 

Black Basta modus operandi 

The ransomware infiltrates into an existing Windows service and exploits it to launch the ransomware decryptor executable. The ransomware then changed the wallpaper to display a message stating, “Your network is encrypted by the Black Basta group. Instructions in the file readme.txt” and reboot the computer into Safe Mode with Networking. 

According to security expert Michael Gillespie, the portal Black Basta ransomware utilizes the ChaCha20 algorithm to encrypt files. Each folder on the encrypted device contains a readme.txt file that has information about the attack and a link and unique ID to log in to the negotiation chat session with the threat actors. 

Subsequently, the ransomware operators demand a ransom and threaten to leak data if payment is not made in seven days, and promise to secure data after a ransom is paid. Unfortunately, the encryption algorithm is secure and there is no way to recover files for free. The data extortion part of these attacks is conducted on the 'Black Basta Blog' or 'Basta News' Tor site, which contains a list of all victims who have not paid a ransom.

AUSTRAC Publishes New Guidance on Ransomware and Crypto Crime

 

The Australian Transaction Reports and Analysis Centre (AUSTRAC) has released two new financial guides for businesses to detect and prevent criminal abuse of digital currencies and ransomware. 

Each guide provides practical recommendation to assist businesses detect if a payment is related to a ransomware assault, or if someone is exploiting digital currencies and blockchain technology to commit crimes such as tax evasion, terror financing, scams or money laundering. 

The guideline implored businesses to be on the lookout for users who tried to obfuscate the trail of their digital assets transactions by using mixers, privacy assets, and decentralized finance (DeFi) platforms suspiciously. 

Among the particular indicators, Austrac recommends being careful when figuring out if somebody is using digital currencies for terrorism financing, for example, is when transactions to crowdfunding or online fundraising campaigns are linked to ideologically or religiously motivated violent extremism centered boards, or when a buyer account receives a number of small deposits, that are instantly transferred to private wallets. 

In the meantime, some indicators of identifying when an individual is a sufferer of a ransomware assault, according to Austrac, include when a customer increases the limit on their account after which rapidly sends funds to a third party; following a preliminary giant digital currency transfer, a customer has little or no additional digital forex exercise; and when a newly onboarded customer desires to make a direct and huge buy of digital currency, followed by a direct withdrawal to an exterior digital currency address. 

"Financial service providers need to be alert to the signs of criminal use of digital currencies, including their use in ransomware attacks," Austrac CEO Nicole Rose said in a statement. 

The guides have been released in response to the increase in cyber threats to Australia. In 2020-21, 500 ransomware attacks were reported, marking a 15% increase from the previous fiscal year, analysts at Austrac noted. 

Earlier this month, IDCare reported that over 5,000 customer details of former cryptocurrency exchange Alpha were exposed online. The details included the driver's license, passport, proof of age, and national identity card images of 232 Australians and 24 New Zealanders. 

IDCare initially discovered the breach in late January when it noticed a post for sale on a Chinese-speaking platform for $150, before it was eventually posted to be accessed without spending a dime on another online forum called Breached.

"This event poses a serious risk to the identities of any involved. Due to the nature of the identity documents discovered, we urge anyone who had any dealings with AlphaEx to contact us," IDCare said.

US Health Provider LEHB Hit by Ransomware Attack, Network Compromised

Law Enforcement Health Benefits (LEHB), health and welfare funds for Philadelphia police offers, sheriffs, and county detectives, disclosed that the company was hit by a ransomware attack in 2021. "The Conti ransomware group has been responsible for a large number of these incidents, successfully attacking at least 16 US healthcare organizations and first responder networks during the year – as well as Ireland’s Health Service Executive and Department of Health," writes The Daily Swig. 

According to LEHB, attackers started coding files stored in the company network on 14 September 2021. An inquiry into the issue revealed that on Friday 25th, 'few affected files' containing members' data might have been excluded from the network by threat actors. Suspicious access to the US Department of Health and Human Services (HSS) breach portal hints that more than 85,000 users from LEHB may have been impacted by the incident. The compromised data includes names, DoBs, Social Security numbers, driving license info, bank account numbers, and health information. 

However, every LEHB member wasn't affected, and the data elements mentioned above were also not the same for every member. LEHB denies any case of identity theft or abuse of compromised data from the ransomware hit. However, the incident impacted members and offered credit monitoring services to those whose Social Security numbers might have been used. The health plan provider suggests its members set up 'fraud alerts' and security freezes on credit files, and ask for a free credit report. 

Cyber attack incidents are getting sophisticated as each day passes, resulting in LEHB implementing extra precautionary steps to protect its network and enhance internal procedures to detect and mitigate future cybersecurity threats. LEHB is assessing and updating its company policies and procedures to reduce the chances of ransomware incidents in the future. 

The Daily Swig reports "the healthcare sector has been particularly hard hit by ransomware since the start of the Covid-19 pandemic, with the FBI’s 2021 Internet Crime Report revealing earlier this month that of all critical infrastructure sectors, it was healthcare that faced the most ransomware attacks last year."

Hive Ransomware Employs New 'IPfuscation' Tactic to Conceal Payload

 

Threat researchers have found a new obfuscation strategy employed by the Hive ransomware gang, which utilises IPv4 addresses and a series of conversions that leads to the download of a Cobalt Strike beacon. Threat actors use code obfuscation to conceal the malicious nature of their code from human reviewers or security software to avoid discovery. 

There are a variety of techniques to create obfuscation, each with its own set of benefits and drawbacks, but a new one identified during an incident response involving Hive ransomware reveals that adversaries are coming up with new, subtler ways to accomplish their objective. 

Analysts at Sentinel Labs describe a new obfuscation technique called "IPfuscation," which is another example of how effective basic but sophisticated tactics can be in real-world malware deployment. The new approach was discovered while examining 64-bit Windows executables, each of which contained a payload that delivered Cobalt Strike. 

The payload is disguised as an array of ASCII IPv4 addresses, giving it the appearance of a harmless list of IP addresses. The list could potentially be misconstrued for hard-coded C2 communication information in malware research. A blob of shellcode arises when the file is handed to a converting function (ip2string.h) that converts the string to binary.

Following this step, the virus executes the shellcode either directly through SYSCALLs or through a callback on the user interface language enumerator (winnls.h), resulting in a normal Cobalt Strike stager. 

The following is an example from the Sentinel Labs report: The first hardcoded IP-formatted string is the ASCII string “252.72.131.228”, which has a binary representation of 0xE48348FC (big-endian), and the next “IP” to be translated is “240.232.200.0”, which has a binary representation of 0xC8E8F0. 

Disassembling these “binary representations” indicates the start of shellcode generated by common penetration testing frameworks. The analysts have uncovered additional IPfuscation variants that instead of IPv4 addresses use IPv6, UUIDs, and MAC addresses, all operating in an almost identical manner as was described above.

The conclusion here is that relying simply on static signatures to detect malicious payloads is no longer sufficient. According to the researchers, behavioural detection, AI-assisted analysis, and holistic endpoint security that combines suspicious elements from various locations have a better probability of removing IPfuscation.

Emotet Malware Campaign Masquerades the IRS for 2022 Tax Season

 

The Emotet malware botnet is taking advantage of the 2022 tax season in the United States by mailing out fraudulent emails posing as the Internal Revenue Service, which is supposed to be issuing tax forms or federal returns. 

Emotet is a malware infection spread via phishing emails with malicious macros attached to Word or Excel documents. When the user opens these documents, they will be misled into allowing macros that will install the Emotet malware on the device. Emotet will capture victims' emails to use in future reply-chain attacks, send more spam emails, and eventually install other malware that could lead to a Conti ransomware assault on the targeted network once it is implemented. 

Researchers have discovered various phishing attempts masquerading the Internet Revenue Service (IRS.gov) that use lures relevant to the 2022 US tax season, according to a recent analysis by email security firm Cofense. These emails ostensibly come from the IRS, and they claim to be sending the recipient their 2021 Tax Return, W-9 forms, and other tax documents that are often needed during tax season. 

While the subject lines and content of IRS-themed emails vary, the fundamental notion is that the IRS is contacting the company with either finished tax forms or ones that one must fill out and return. Zip files or HTML pages that lead to zip files are attached to the emails and are password-protected to avoid detection by secure email gateways. Third-party archive programs like 7-Zip, on the other hand, have no trouble extracting the files. 

A 'W-9 form.xslm' Excel file is included in the zip files, and when viewed, it prompts the user to click the "Enable Editing" and "Enable Content" buttons to see the document correctly. When a user clicks one of these buttons, malicious macros are launched, downloading and installing the Emotet virus from hacked WordPress sites. Once Emotet is loaded, it will download further payloads, which in recent campaigns have mostly been Cobalt Strike. 

Emotet has also dropped the SystemBC remote access Trojan, according to Cryptolaemus, an Emotet research organisation. With the Conti Ransomware gang now developing Emotet, all businesses, large and small, should be on the watch for these phishing tactics, which can escalate to ransomware assaults and data theft. It's important to remember that the IRS never sends unsolicited emails and only communicates via postal mail. As a result, if anyone receives an email from the IRS purporting to be from the IRS, flag it as spam and delete it.

CISA Updates Conti Ransomware Alert with Around 100 Domain Names

 

The US Cybersecurity and Infrastructure Security Agency (CISA) has upgraded the Conti ransomware advisory to include indications of compromise (IoCs) that comprise almost 100 domain names utilized in criminal operations. 

The advisory, which was first issued on September 22, 2021, contains facts about Conti ransomware assaults that attacked organizations in the United States, as observed by CISA and the Federal Bureau of Investigation (FBI). It's worth noting that the US Secret Service's data is included in the latest cybersecurity advisory. Internal data from the Conti ransomware operation began to surface at the end of February after the group publicly declared their support for Russia in the Ukraine invasion. 

The leak came from a Ukrainian researcher, who originally issued private messages exchanged by the members of the group and then released the source code for the ransomware, administrative panels, and other tools. Domains used in compromises with BazarBackdoor, the malware used to gain initial access to networks of high-value targets, were also found in the cache of data. Conti, according to CISA, has infiltrated over 1,000 businesses around the world, with TrickBot malware and Cobalt Strike beacons being the most common attack vectors. 

The agency has published a list of 98 domain names that have "registration and naming characteristics identical" to those used in Conti ransomware attacks. While some of the domains were used in malicious operations, the agency warns that others of them may be abandoned or may share similar features coincidentally. The list of domains linked to Conti ransomware assaults does not appear to be the same as the hundreds of domains released from BazarBackdoor infections by the Ukrainian researcher. 

Conti did not halt its activities despite the negative attention it earned recently as a result of the exposure of its internal discussions and tools. Conti has listed more than two dozen victims on its website since the beginning of March in the United States, Canada, Germany, Switzerland, the United Kingdom, Italy, Serbia, and Saudi Arabia.

New RURansom Wiper Targets Russia

 

The new RURansom malware, according to Trend Micro researchers, is not what it appears to be. Initially assumed to be a new strain of ransomware, the bug's developers appear to have reasons other than financial gain, as the name implies. 

So far, no active targets have been discovered, according to security experts. However, this could be as the wiper is targeting specific Russian companies. The malware's creators are open about their motivations for distributing it. A message is stored in the RURansom code variable that is responsible for the ransom note. 

"On February 24, President Vladimir Putin declared war on Ukraine. To counter this, I, the creator of RU_Ransom, created this malware to harm Russia. You bought this for yourself, Mr President. There is no way to decrypt your files. No payment, only damage," reads the note in Russian. 

The malware, as per Trend Micro, was written in the .NET programming language. The worm transmits by copying itself under the name "Russia-Ukraine war update" in Russian. To have the most impact, the file replicates itself to all removable media and mapped network shares. The malware encrypts the files once it has been deployed. The encryption is applied to all files and even though .bak files are not encrypted, the malware deletes them. Each file is given a unique encryption key by the encryption algorithm. There's no way to decrypt the files because the keys aren't kept anywhere, therefore the malware is classified as a wiper rather than ransomware. Some variants of the malware, according to researchers, first check if the user's IP address is in Russia. 

"In cases where the software is launched outside of Russia, these versions will stop the execution, showing a conscious effort to target only Russian-based computers," the authors claimed in the report. 

Wiper Warfare: 

This isn't the first time a wiper malware has been used in this war. Just before Russian soldiers invaded Ukraine, security experts discovered a disk-wiping malware. The wiper contains driver files that gradually corrupt the infected computer's Master Boot Record (MBR), rendering it inoperable. The attackers allegedly utilized official EaseUS Partition Master drivers to acquire raw disc access and modify the disc to render the machine inoperable, according to Crowdstrike. 

Since the malware's certificate was issued to Hermetica Digital Ltd., a legitimate Cyprus-based company, the wiper was dubbed HermeticWiper. The new malware has been dubbed 'DriveSlayer' by other researchers. CISA issued a warning about malware that was targeting Ukrainian businesses, along with tips and strategies for preparing and responding to the attack. Later, security researchers fleeing Ukraine claimed that the wiper software was used to hinder refugees fleeing Ukraine's civil war, forcing officials to resort to pen and paper.

Cuba Ransomware Hacked Microsoft Exchange Servers

 

To get early access to business networks and encrypt devices, the Cuba ransomware campaign is exploiting Microsoft Exchange vulnerabilities. The ransomware group is known as UNC2596, and the ransomware itself is known as COLDDRAW, according to cybersecurity firm Mandiant. 

Cuba is the most popular name for malware. Cuba is a ransomware campaign that began in late 2019, and while it started slowly, it gained traction in 2020 and 2021. In December 2021, the FBI issued a Cuba ransomware notice, stating that the group has infiltrated 49 critical infrastructure firms in the United States. Researchers indicate that the Cuba operation predominantly targets the United States, followed by Canada, according to a new analysis by Mandiant. Since August 2021, the Cuba ransomware gang has been using Microsoft Exchange vulnerabilities to launch web shells, RATs, and backdoors to gain a foothold on the target network. 

"Mandiant has also identified the exploitation of Microsoft Exchange vulnerabilities, including ProxyShell and ProxyLogon, as another access point leveraged by UNC2596 likely as early as August 2021," explains Mandiant in a new report. 

Cobalt Strike or the NetSupport Manager remote access tool is among the backdoors planted, although the organisation also utilises their own 'Bughatch', 'Wedgecut', 'eck.exe', as well as Burntcigar' tools. 
  • Wedgecut comes in the form of an executable named “check.exe,” which is a reconnaissance tool that enumerates the Active Directory through PowerShell.
  • Bughatch is a downloader that fetches PowerShell scripts and files from the C&C server. To evade detection, it loads in memory from a remote URL.
  • Burntcigar is a utility that can terminate processes at the kernel level by exploiting a flaw in an Avast driver, which is included with the tool for a “bring your own vulnerable driver” attack.
Finally, Termite is a memory-only dropper that downloads and loads the payloads mentioned earlier. However, this tool has been seen in campaigns by a variety of threat groups, indicating that it is not exclusively utilised by Cuba threat actors. 

Threat actors use stolen account credentials obtained with the widely available Mimikatz and Wicker tools to elevate access. They then use Wedgecut to undertake network reconnaissance before using RDP, SMB, PsExec, and Cobalt Strike to move laterally. Bughatch is then loaded by Termite, followed by Burntcigar, which disables security tools and creates the foundation for data exfiltration and file encryption. For the exfiltration process, the Cuba gang does not use cloud services, instead transfers everything to its own private infrastructure. 

Changing Operations 

Cuba ransomware teamed up with spammers behind the Hancitor malware in May 2021 to get access to corporate networks via DocuSign phishing emails. Since then, Cuba's operations have shifted to focus on vulnerabilities in public-facing services, such as the Microsoft Exchange ProxyShell and ProxyLogon flaws. Because security updates to fix the exploited vulnerabilities have been available for months, this move makes the assaults more potent but also easier to prevent. 

Once there are no more valuable targets running unpatched Microsoft Exchange servers, the Cuba operation will likely shift its focus to other vulnerabilities. This means that adopting accessible security updates as soon as they are released by software providers is critical in maintaining a strong security posture against even the most sophisticated threat actors.

The Potential Damage to Russia from Cybercrime in 2022 was Estimated at 2.2 Million Dollars

 

RTM Group experts believe that the damage from criminal actions using computer technology in Russia this year will continue to grow and may reach 165 billion rubles. 

The growth will be facilitated by the low level of cyber-literacy of the population, as well as people's desire to save money in conditions of rising prices and uncertainty.

In 2021, the total amount of damage from cybercrimes exceeded 150 billion rubles ($2 million). In total, 518 thousand cyber crimes were committed last year, which is almost 2 times more than in 2019. 

According to Yevgeny Tsarev, the manager of RTM Group, the number of successful cyber attacks in 2021 increased by one-third (+35%). And in 2022 the growth of cybercrime will continue and will reach at least 30% due to the development of social engineering schemes and the use of new technologies. By the end of the year, the total damage may exceed 165 billion rubles ($2.2 million). 

Phone calls to a potential victim have become the most common way of fraud, and viruses and phishing attacks are the most popular way of stealing funds. At the same time, RTM Group experts admit that only a small part of those who suffered from the actions of criminals goes to court as they realize that money can not be refunded anyway. 

Experts agreed that fraudsters will become even more active and the growth of cyberattacks will continue since the criminal procedure law is not currently adapted to this kind of crime. In addition, law enforcement agencies do not have enough qualified personnel to carry out investigations. 

According to experts, "people now live in a state of uncertainty of prospects on the one hand, and constantly rising prices on the other," which leads to a desire to save money. And this is abused by scammers in the mail, in social networks and by phone. 

In addition, according to Kaspersky Lab experts, ransomware hackers attacked 16 thousand Russian companies in 2021, while attacks are becoming less massive and more targeted. The company clarified that in 2021 alone, 49 new ransomware families and more than 14 thousand of their modifications were discovered around the world. Before encryption, hackers steal data from companies and threaten to release it to the public unless they are paid.

Pay to Play PrivateLoader Disseminates Smokeloader, Redline &Vidar malware

 

An investigation at a pay-per-install loader has revealed its role in the distribution of famous malware variants including Smokeloader and Vidar. 

Intel 471 issued a report on PrivateLoader on Tuesday, analyzing cyberattacks that have used the loader since May 2021. The pay-per-install (PPI) malware service has been around for a time, but it's unclear who is responsible for its creation. Additional payloads are deployed on a target machine using loaders. 

PrivateLoader is a variation that is supplied to criminal customers on an installation basis, with payment based on the number of victims captured. PrivateLoader is managed by a collection of command-and-control (C2) servers and an AdminLTE 3-based administrator panel. 

Adding new users, configuring the loader to install a payload, picking target regions and nations, setting up payload download links, encryption, and selecting browser extensions for infecting target devices are all available through the front-end panel. 

The loader is mainly distributed through websites that sell pirated software. Cracked copies of popular software, which are occasionally included with key generators, are illegal versions of software that have been modified to avoid licencing or payment. On websites, download buttons for cracked software are included with JavaScript, which releases the payload in a.ZIP archive. 

The package contained a malicious executable, according to the cybersecurity firm's findings. A false GCleaner load reseller, PrivateLoader, and Redline are among the malware that is triggered by .exe file. 

Since at least May 2021, the PrivateLoader module has been used to run Smokeloader, Redline, and Vidar. Smokeloader is the most well-known of these malware families. Smokeloader is a distinct loader that can also be utilized for data theft and reconnaissance; Redline specializes in credential theft, whereas Vidar is spyware that can steal data from a variety of data types, including passwords, documents, and digital wallet details. 

A distribution link for Smokeloader also signals a possible connection to the Qbot banking Trojan. The Kronos banking Trojan and the Dridex botnet have both been disseminated using PrivateLoader bots. 

Although PrivateLoader isn't particularly linked to the distribution of ransomware, a loader associated with it, known as Discoloader, has been used in assaults aimed at spreading the malware. 

The researchers stated, "PPI services have been a pillar of cybercrime for decades. Just like the wider population, criminals are going to flock to software that provides them with a wide array of options to easily achieve their goals. By highlighting the versatility of this malware, we hope to give defenders the chance to develop unique strategies in thwarting malware attacks empowered by PrivateLoader."

The Reaction of Russian Hackers to the Arrests of REvil Became Known


Russian hackers have made their own security issues a priority after the arrests of other cybercriminals, including from the REvil group. Dmitry Volkov, CEO, and founder of Group-IB spoke about this reaction of the darknet to the events taking place. "Security and anonymity have become priorities after the precedents with the shutdown of REvil servers, the arrests of members of the group, as well as the detention in Russia of criminals who helped to cash out the incomes of cybercriminals. Another catalyst for this was the release of the fight against ransomware to the state level,” Mr. Volkov said. 

At the same time, partner programs that distribute ransomware on the dark web have become more closed. Now only those who are personally acquainted with its organizer can take part in such a project. According to Group-IB analysts, all this is happening against the background of the consolidation of the darknet around ransomware and the groups involved in it. 

"The entire criminal underground unites around ransomware. Everyone found a job: both those who sell access to hacked companies, those who attack them, and those who negotiate for ransom or post stolen data on the darknet. New groups will constantly appear in this market, reassembled from previous associations," Mr. Volkov is sure. 

According to Group-IB, the main list of victims at the country level, as well as the industry preferences of hackers remained unchanged. Globally, almost half of ransomware attacks are in the US (49.2 percent in 2021). Canada (5.6 percent) and France (5.2 percent) followed closely behind. Manufacturing enterprises are most often attacked (9.6 percent of attacks), the real estate sector (9.5 percent), and the transport industry (8.2 percent). 

"This became apparent after the ransomware attack on a hospital in Germany, which killed a person, and also after the attack on the Colonial Pipeline, which attracted the attention of US authorities. At the same time, individual groups, of course, can violate these unspoken prohibitions,” Mr. Volkov concluded.

Black Cat Ransomware Linked with Gangs DarkSide/BlackMatter

The Black Cat Ransomware gang, aka ALPHV, confirmed that they were earlier associated with the infamous BlackMatter/DarkSide ransomware campaign. ALPHV/Black Cat is the latest ransomware operation launched last year in November and built in the Rust programming language, which is rare for ransomware attacks. The ransomware can be customized, via different encryption methods and options that allow attacks on a variety of corporate organizations. 

The ransomware group identifies itself as ALPHV, however, MalwareHunterTeam, a cybersecurity firm, calls the ransomware as Black Cat, because a black cat image is shown on the target's Tor payment page. The ransomware campaigns often run as Ransomware as a Service (RaaS,) where the core team develops ransomware attacks and manages servers, and adverts ( affiliates) are hired to compromise corporate networks and organize attack campaigns. In this sort of assignment, the core team earns around 10-30% of ransomware payment, and the affiliate earns the rest. 

The earnings depend on how much ransom is brought by different affiliates in the campaign. The past has experienced many RaaS operations, where top-level hacking groups, when shut down by the government, resurface with a new name. These include- GandCrab to Revil, Maze to Egregor, and DarkSide to BlackMatter. Few believe that Conti resurfaced as Ruk, however, experts believe these two operate separately under the TrickBot group and are not affiliated with each other. 

Meanwhile few affiliates team up with a single RaaS campaign, it is also common for affiliates to work with multiple hacking groups. "While the BlackCat ransomware operators claim that they were only DarkSide/BlackMatter affiliates who launched their own ransomware operation, some security researchers are not buying it. Emsisoft threat analyst Brett Callow believes BlackMatter replaced their dev team after Emsisoft exploited a weakness allowing victims to recover their files for free and losing the ransomware gang millions of dollars in ransoms," reports Bleeping Computer.

Swissport Ransomware Attack Delays Flights, Disturbs Operations

 

Swissport International, a supplier of aviation services, was struck by a ransomware attack that disrupted its operations. 

Swissport International Ltd. is an aviation services firm controlled by an international group of investors that provides airport ground, lounge hospitality, and cargo handling services. On behalf of 850 aviation clients, the corporation manages over 282 million passengers and 4.8 million tonnes of cargo each year. Swissport employs over 66,000 people at 307 locations across 50 countries and has combined operating revenue of EUR 2.8 billion. 

Swissport International was the victim of a ransomware assault that disrupted company operations and prompted aircraft delays. As per the German website Spiegel, the ransomware attack only affected a minor section of the corporation's global IT infrastructure, and a company spokesperson verified that the security breach occurred at 6 a.m. on Thursday. 

The attack has been substantially contained, according to the company, which is attempting to rectify the situation as swiftly as possible. 

A spokeswoman for Zurich Airport added, “Due to system problems at our airport partner Swissport, 22 flights were delayed by 3 to 20 minutes yesterday.”

The company spokesman added, “The attack has now been contained and everything is being done to solve the problem as quickly as possible and limit the impact on flight operations. Swissport can continue to provide ground services for airlines safely, but there may be delays in some cases.” 

On Friday afternoon, the Swissport website was unavailable. The organisation has not yet revealed information regarding the attack, such as the ransomware family that attacked its systems or if the attack resulted in a data leak. The attack on their leak sites was not claimed by any ransomware group. 

Other recent attacks in Europe have affected key infrastructure, such as the one that crippled Oiltanking GmbH, a German petrol distributor that supplies Shell gas stations across the country. The oil provider Mabanaft GmbH was also impacted by the attack, according to the media. The Marquard & Bahls group owns both companies. As per local media, the attacks could have compromised the country's fuel supplies. 

A cyberattack was launched this week on some of the main oil terminals in Western Europe's largest ports. The Amsterdam-Rotterdam-Antwerp oil trading centre, as well as the SEA-Tank Terminal in Antwerp, are among the affected port infrastructure.

Walmart Dissects New 'Sugar' Ransomware

 

The cyber threat researchers’ team at retail giant Walmart has found a new variant of ransomware named Sugar, which is available to threat actors as a ransomware-as-a-service (RaaS). 

Ransomware as a Service (RaaS) is a way for threat actors to make a lot of money from ransomware while reducing their own efforts. According to the data, this new variant of ransomware was initially dictated in November 2021, but the organization had no technical details before. 

The Sugar ransomware format is written in Delphi and also borrows objects from the other families of ransomware. Furthermore, unlike the other ransomware families, the new variant Sugar primarily targets individual computers instead of entire enterprises networks, but it is equally dangerous, especially since it is offered as a RaaS. Walmart said in its findings that the threat actors are using crypter which is one of the most interesting features of Sugar. 

The crypter is being used because it has code reuse from the ransomware itself which makes it significantly more interesting than your typical crypter. It also employs a modified version of the RC4 encryption. Because of that, the team of researchers thinks there are possibilities that the Sugar ransomware and its crypter are controlled by the same threat group, or the crypter is being offered to affiliates as part of the service. 

“The malware is written in Delphi but the interesting part […] was the reuse of the same routine from the crypter as part of the string decoding in the malware, this would lead us to believe that they have the same dev and the crypter is probably part of the build process or some service the main actor offers to their affiliates,” Walmart’s researchers noted. 

Why is Ransomware as a Service so dangerous? 

In just a few years Ransomware as a Service (RaaS) has become very prevalent among cybercriminals since its first attack, Cryptolocker, was identified in 2013. Researchers said that 3-4 new ransomware families are now being distributed through RaaS channels. 

It has been observed that the number of cases has been increased in recent years and at large numbers, networks are being compromised, which is a highly alarming behavior that indicates the involvement of professional malicious actors.

Iranian APT MuddyWater Targets Turkish Public and Government Entities

 

Cisco Talos discovered a brand new malicious campaign of MuddyWater threat group which is targeting Turkish public and Turkish government entities, including the Scientific And Technological Research Council of Turkey — Tubitak. 

According to the technical details, the campaign includes the use of malicious excel documents (XLS maldocs) and executables stored on a file hosting domain "snapfile[.]org", PDFs to serve as the initial infection vector. These PDFs were designed in such a way as to look like legitimate documents sent from the Turkish Health and other officials. 

"This campaign utilizes malicious PDFs, XLS files, and Windows executables to deploy malicious PowerShell-based downloaders acting as initial footholds into the target's enterprise," Cisco Talos researchers Asheer Malhotra and Vitor Ventura reported. 

Famous for its attacks in the Middle East region, MuddyWater Advanced Persistent Threat (APT) is also known as Static Kitten, Seedworm, Mercury. The group has been active since at least 2017. However, the group attacked many entities in Central and Southwest Asia, as well as against numerous government and privately-owned organizations from Asia, Europe, and North America. 

Besides, the group also targets telecommunications, cryptocurrency, oil, and airline industries. The cyber research unit has identified that the group uses a typical TTP and there's heavy use of scripting in their infection chains and that they also use languages like PowerShell and Visual Basic coupled with the frequent use of living-off-the-land binaries (LoLBins). 

Additionally, the unit has also discovered the use of flags or tokens in attacks. These flags and tokens are signals for their successful infection mission. Flags and Tokens are hidden inside the malicious files or within the email itself, and it signals the malicious group when the target opens the bait and runs the macro included within it. 

“Canary tokens are tokens that can be embedded in objects like documents, web pages, and emails. When that object is opened, an HTTP request to canarytokens.com is generated, alerting the token’s owner that the object was opened”, researchers added. 

The study said that the Campaigns carried out by the threat group aim to achieve three outcomes: Espionage, Intellectual property theft, and Ransomware attacks.

REvil Ransomware Operations Seem Unaffected by Recent Arrests

 

According to threat intelligence firm ReversingLabs, the REvil (Sodinokibi) ransomware cooperative's operation has not reduced despite Russia's recent arrest of numerous suspected members of the group. 

The Russian law enforcement agency FSB declared the takedown of the REvil organisation "at the request of US authorities" two weeks ago, yet the ransomware-as-a-service (RaaS) business is still running. 

After years of being accused of permitting malicious hackers to flourish within its borders as long as no Russian citizens or organisations are harmed, Russia appeared to be sending a distinct signal with the arrest of 14 members of the REvil group, even if some witnessed it as a political move amidst rising tensions along the Ukraine border. 

The high-profile arrests of affiliates, however, did not halt REvil operations, as ReversingLabs points out. In reality, the group is operating at the same speed as it was before the arrests. 

Europol reported the arrests of seven people engaged in the spread of REvil and GandCrab ransomware assaults in November 2021 (during seven months), at a time when ReversingLabs was seeing an average of 47 new REvil implants per day (326 per week). 

This was greater than September (43 new implants per day - 307 per week) and October (22 new daily implants - 150 per week), but far lower than July (87 per day - 608 per week) when the group went offline. Following the arrests in Russia, the number of REvil implants observed jumped from 24 per day (169 per week) to an average of 26 per day (180 per week). 

“While it's true that more time may be needed to assess the full impact of the arrests on REvil’s activity, the data so far would suggest that it is ‘business as usual’ for the ransomware gang,” ReversingLabs noted. ReversingLabs senior threat researcher Andrew Yeates stated.

“Threat groups exploit regionalised regulation and distributed organizational structure with sovereign state safe housing, all while leveraging a ‘no-rule’ borderless attack strategy. That makes it ever harder for national and international criminal policing organizations to put an end to threat groups such as REvil.” 

While synchronised action against REvil infrastructure may have had short-term repercussions on the RaaS's prevalence, much stronger action is required to truly stop the cybercrime ring's operations, especially given the group's corporation-like structure, where affiliates launch attacks and receive payments. 

As a result, removing simply affiliates does not affect the core of the RaaS, allowing it to continue operating. Affiliates, on the other hand, can either rebuild the enterprise or relocate to a new RaaS if only the core is removed, and this is relevant for other comparable cybercriminal groups as well.

LockBit Ransomware Variant is Now Targeting VMware ESXI Servers

 

LockBit ransomware has always been a key weapon for malicious actors targeting Windows, but cybersecurity researchers at Trend Micro spotted LockBit Linux-ESXi Locker version 1.0 being advertised on an underground platform, meaning the sneaky ransomware is now targeting VMware ESXi virtual machines.

According to Trend Micro, the LockBit operators are advertising a new Linux version since October 2021. The move focuses on expanding the audience of potential targets, including all the organizations that are shifting to virtualization environments. Additionally, the ransomware can encrypt a wide range of servers and files – and drive up the pressure for a victim to give in and pay a ransom for the decryption key.

"The release of this variant is in line with how modern ransomware groups have been shifting their efforts to target and encrypt Linux hosts such as ESXi servers," stated Junestherry Dela Cruz, threats analyst at Trend Micro. "An ESXi server typically hosts multiple VMs, which in turn hold important data or services for an organization. The successful encryption by ransomware of ESXi servers could therefore have a large impact on targeted companies." 

According to the researchers, Linux encryptors are nothing new as similar encryptors have been discovered in the past from HelloKitty, BlackMatter, REvil, AvosLocker, and the Hive ransomware operations. Like other Linux encryptors, LockBit offers a command-line interface allowing affiliates to enable and disable various features to tailor their attacks.

However, what makes the LockBit Linux encryptor stand out is the wide use of both VMware ESXi and VMware vCenter command-line utilities to check what virtual machines are running and to shut them down so they are not compromised while being encrypted.

To mitigate the risks, Trend Micro advised organizations to keep systems up to date with the latest security patches to prevent intrusions, especially as LockBit is known to exploit vulnerable servers to help it spread. Those behind LockBit attacks have also been known to exploit stolen usernames and passwords, so if it's known that a password has been part of a data breach, it should be changed.

Additionally, multi-factor authentication can be applied across the entire ecosystem in order to provide an additional layer of defense against cyber assaults.