
Users get Directly Infected by AstraLocker 2.0 via Word Files

Threat researchers report that the developers of a ransomware strain named AstraLocker have published its second major version, and that its operators conduct quick attacks that deliver the payload directly from email attachments. This approach is unusual because the intermediary stages that normally characterize email attacks exist to evade detection and reduce the likelihood of triggering alarms on email security tools.

ReversingLabs, which has been monitoring AstraLocker operations, says the attackers do not appear to be concerned with reconnaissance, identifying valuable files, or lateral movement across the network. The group is carrying out what is known as a "smash and grab" ransomware operation.

The aim of smash and grab is to maximize profit as quickly as possible. The malware developers operate on the assumption that victims or security software will discover the malware quickly, so it is preferable to move straight to the finish line.

Smash-and-grab strategy 

The lure used by the AstraLocker 2.0 developers is a Microsoft Word document in which the ransomware payload is concealed as an OLE object. The embedded executable is named WordDocumentDOC.exe.

To run the payload, the user must click "Run" in the warning window that appears after opening the document, which reduces the threat actors' chances of success.

Researchers point out that this approach is less sophisticated than the recent Follina vulnerability, which requires no user involvement, or even than the abuse of macros, which requires only some user interaction.
 
Encryption set up

Despite its haste to encrypt, AstraLocker still performs some basic ransomware housekeeping: it attempts to disable security software, terminates any running programs that could obstruct encryption, and avoids virtual machines, since running in one could indicate it is being examined by lab researchers.

After an anti-analysis check confirming that it is not running in a virtual machine and that no debugger is attached to other running processes, the malware prepares the system for encryption, which uses Curve25519.

Killing applications that might interfere with encryption, deleting volume shadow copies that would help the victim recover, and disabling a number of backup and antivirus services are all part of the preparation. The Recycle Bin is simply emptied rather than encrypted.

AstraLocker origins 

According to ReversingLabs' code analysis, AstraLocker is based on the stolen source code of Babuk, a dangerous but flawed ransomware strain that left the market in September 2021. Furthermore, one of the Monero wallet addresses listed in the ransom note is linked to the developers of the Chaos ransomware.

Judging by the tactics behind the latest campaign, this is apparently not the work of a skilled actor but of someone determined to launch as many destructive attacks as possible.

MS ProxyShell Vulnerabilities Exploited By Threat Actor

 

Security researchers from Cisco Talos have revealed that a new Babuk ransomware operation is exploiting the ProxyShell vulnerabilities in Microsoft Exchange Server. 
The researchers found evidence that the attackers use a China Chopper web shell for the initial intrusion and then use it to install Babuk. 

The vulnerabilities, tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, were patched in April and May, and technical details were publicly disclosed in August. An unauthenticated attacker can use the flaws to execute arbitrary code. 

According to Cisco researchers, attacks on these vulnerabilities have been under way for several months, and the Tortilla threat actor, active since July 2021, has now begun exploiting the Exchange Server flaws as well. 

An intermediate unpacking component is downloaded via pastebin.pl (a pastebin.com clone) and then decoded in memory before the final payload is decrypted and run. For initial access, Cisco Talos observed a modified EfsPotato exploit that targets both the ProxyShell and PetitPotam flaws. 

Once the Babuk ransomware runs, it attempts to terminate a range of processes on the victim server, stops backup products, and deletes Volume Shadow Copy Service (VSS) snapshots. It then encrypts all files on the server and appends the .babyk extension to them. Finally, it drops a ransom note demanding a $10,000 payment from the victim in return for the decryption key. 

“Organizations should regularly update their servers and applications with the latest available patches from the vendors eliminating the vulnerabilities in their environment. Defenders should be constantly looking for suspicious events generated by detection systems for abrupt service termination, abnormally high I/O rates for drives attached to their servers, the deletion of shadow copies, or system configuration changes,” Cisco Talos said. 
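The signals in that guidance translate directly into detection logic. The following is an added example (not Cisco Talos' or Babuk's code), written in Go and run over a constructed batch of simplified host events; it assumes a made-up "kind|detail" line format rather than any real log schema.

```go
package main

import "strings"

// Constructed sample telemetry in a simplified "kind|detail" form (not a real
// Windows log format): a backup service stopped, shadow copies deleted, then a
// burst of renames to .babyk, the sequence the text describes.
const sampleEvents = `svc_stop|VeeamBackupSvc
proc|cmd.exe /c vssadmin.exe delete shadows /all /quiet
rename|C:\Data\q1.xlsx -> C:\Data\q1.xlsx.babyk
rename|C:\Data\q2.xlsx -> C:\Data\q2.xlsx.babyk
rename|C:\Data\notes.txt -> C:\Data\notes.txt.babyk`

// Findings tallies the indicators seen in one batch of events.
type Findings struct{ ShadowCopyDeletes, ServiceStops, BabykRenames int }

// isShadowDelete matches a vssadmin command line that removes VSS snapshots.
func isShadowDelete(cmd string) bool {
	c := strings.ToLower(cmd)
	return strings.Contains(c, "vssadmin") && strings.Contains(c, "delete shadows")
}

// Analyze counts shadow-copy deletions, service stops and .babyk renames.
func Analyze(events string) Findings {
	var f Findings
	for _, line := range strings.Split(events, "\n") {
		parts := strings.SplitN(line, "|", 2)
		if len(parts) != 2 {
			continue
		}
		switch kind, detail := parts[0], parts[1]; {
		case kind == "proc" && isShadowDelete(detail):
			f.ShadowCopyDeletes++
		case kind == "svc_stop":
			f.ServiceStops++
		case kind == "rename" && strings.HasSuffix(strings.ToLower(detail), ".babyk"):
			f.BabykRenames++
		}
	}
	return f
}

// Severity escalates when indicators co-occur: a lone service stop is routine,
// but shadow-copy deletion plus stopped services or a rename burst (three or
// more .babyk renames, standing in for "abnormally high I/O") is critical.
func (f Findings) Severity() string {
	burst := f.BabykRenames >= 3
	switch {
	case f.ShadowCopyDeletes > 0 && (burst || f.ServiceStops > 0):
		return "critical"
	case f.ShadowCopyDeletes > 0 || burst:
		return "high"
	}
	return "none"
}
```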

Babuk, first disclosed in January 2021, targets both Windows and Linux systems in enterprise environments and uses a highly sophisticated key generation process to hinder file recovery.

A New Ransomware Variant Based on Golang has Surfaced

 

Threat actors are increasingly using ransomware written in the Go programming language; Babuk, Hive, and HelloKitty are among them, along with a slew of other Golang-based threats. Go, introduced by Google, is a statically typed, object-oriented, cross-platform programming language. Its syntax is comparable to C, but it adds memory safety, garbage collection, structural typing, and CSP-style concurrency. Because of its domain name, golang.org, the language is often referred to as Golang, but its true name is Go. 

DECAF is a new ransomware strain discovered by Morphisec Labs and written in Go 1.17. The first version, which still included symbols and a test assertion, was discovered in late September. The attackers quickly stripped the original alpha version, added more functionality, and posted this stub version to test its detection score. Within a week they had a fully weaponized version on a customer site. 

Go 1.17 is the most recent release, arriving six months after Go 1.16. Most of the changes are to the toolchain, runtime, and libraries. Go 1.17 also includes three small enhancements to the language: 

 • Conversions from slice to array pointer: An expression s of type []T may now be converted to the array pointer type *[N]T. If a is the result of such a conversion, then corresponding indices that are in range refer to the same underlying elements: &a[i] == &s[i] for 0 <= i < N. The conversion panics if len(s) is less than N. 

 • unsafe.Add: unsafe.Add(ptr, len) adds len to ptr and returns the updated pointer unsafe.Pointer(uintptr(ptr) + uintptr(len)). 

 • unsafe.Slice: For an expression ptr of type *T, unsafe.Slice(ptr, len) returns a slice of type []T whose underlying array starts at ptr and whose length and capacity are len. 
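The three additions above, in an added Go example that is not code from the page or from the DECAF sample: each primitive is wrapped with the bounds check that the primitive itself omits, exercised on a constructed sample buffer.

```go
package main

import (
	"errors"
	"fmt"
	"unsafe"
)

// Constructed sample buffer standing in for a parsed file header.
var sample = []byte{0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02, 0x03, 0x04}

// HeaderArray uses the Go 1.17 slice-to-array-pointer conversion []byte -> *[4]byte.
// The result aliases the slice's backing array (&a[i] == &s[i]), so a write
// through it is visible through s. The conversion panics when len(s) < 4, so
// the length is checked first and an error returned instead.
func HeaderArray(s []byte) (*[4]byte, error) {
	if len(s) < 4 {
		return nil, errors.New("buffer shorter than header")
	}
	return (*[4]byte)(s), nil
}

// ByteAt reads s[off] through unsafe.Add, i.e. pointer arithmetic that the
// compiler does not bounds-check. The explicit check is what keeps the read
// inside the slice; without it an out-of-range off reads adjacent memory.
func ByteAt(s []byte, off int) (byte, error) {
	if off < 0 || off >= len(s) {
		return 0, errors.New("offset out of range")
	}
	p := unsafe.Add(unsafe.Pointer(&s[0]), off) // same as Pointer(uintptr(ptr)+uintptr(off))
	return *(*byte)(p), nil
}

// Prefix builds a []byte of length n over s's backing array with unsafe.Slice,
// which trusts the caller's length completely. Capping n at len(s) prevents
// handing out a slice that reaches past the allocation.
func Prefix(s []byte, n int) ([]byte, error) {
	if n < 0 || n > len(s) {
		return nil, errors.New("length exceeds buffer")
	}
	if n == 0 {
		return []byte{}, nil
	}
	return unsafe.Slice(&s[0], n), nil
}

func main() {
	a, _ := HeaderArray(sample)
	a[0] = 0xFF // visible through sample because a aliases it
	b, _ := ByteAt(sample, 5)
	p, _ := Prefix(sample, 2)
	fmt.Printf("%x %x %x\n", sample[0], b, p)
}
```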

The data required for the ransomware's malicious activity is set up during the initialization stage. The malware begins by parsing the --path command-line argument, which indicates the root directory from which the ransomware will start encrypting recursively. Its next task is to determine which directories it should encrypt.

It checks whether --path is set and, if it is not, calls FileUtils.ListDriverRootPaths(). Researchers found that ListDriverRootPaths iterates over all possible drives, selecting those whose type is not DRIVE_CDROM. The final action of this stage is to construct a WMI object for later use.

Babuk Ransomware Full Source Code Leaked On A Russian-Speaking Hacking Forum



The complete source code of the Babuk ransomware was leaked this week by a threat actor on a Russian-speaking hacking forum. It gives competitors, and threat actors planning to enter the ransomware business with little effort, easy access to a sophisticated ransomware strain. 

The Babuk source code posted on the hacking forum contains everything required for a functional ransomware executable. According to Xiarch Security, the leaked archive contains "various Visual Studio Babuk ransomware projects for VMware ESXi, NAS, and Windows encryptors." Several ransomware experts have confirmed that the leak is legitimate. Apparently, the leak also includes decryption keys for the gang's past victims. 

The Babuk gang had already changed its operations, announcing on a hacker forum that it would no longer encrypt data on networks but would instead "get to you and take your data." "..we will notify you about it if you do not get in touch we make an announcement." They announced in advance that their source code would be made public as Babuk changed direction and planned to shut down. "We will do something like open-source RaaS, everyone can make their own product based on our product," they added. 

In April earlier this year, the Babuk group hit the Washington, D.C. police with a ransomware attack, stealing over 250 gigabytes of data from the Metropolitan Police Department of the District of Columbia (MPD). The data included police reports, internal memos, and PII of confidential informants and employees. Following the attack, the gang heavily criticized MPD for large security gaps and threatened to publish the data if the ransom demand was not met. 

MPD acknowledged the unauthorized access to its server and began working with the FBI to investigate. Meanwhile, the U.S. law enforcement agency reviewed the activity to determine the full impact of the attack. 

After the MPD attack, there were reports of strife among the Babuk members. The 'Admin' wanted to leak the data stolen from MPD for publicity, but the other members were against the idea, feeling it was too much even for them (the bad guys). As a result, the group split: the original 'Admin' went on to launch the 'Ramp' cybercrime forum, while the others started Babuk V2, where they continue carrying out ransomware attacks with little or no difference. Later, the original admin accused his former gang members of trying to make his new site unusable by subjecting it to a series of DDoS attacks. 

"One of the developers for Babuk ransomware group, a 17-year-old person from Russia, has been diagnosed with Stage-4 Lung Cancer. He has decided to leak the ENTIRE Babuk source code for Windows, ESXI, NAS," tweeted a user going by the Twitter handle @vxunderground.

Babuk Ransomware Gang is Back Into Action

 

Although they declared their retirement from the business, the Babuk ransomware operators seem to have reverted to old habits with a new attack on corporate networks. 

After Babuk's operators announced that their affiliate program had been closed and that they were moving to data-theft extortion, the group seems to have returned to its old practice of encrypting corporate systems.

The hackers are currently using a new version of their file-encrypting malware and have moved operations to a new leak website that lists a handful of victims. 

The Babuk ransomware group came to public attention at the beginning of the year, although the gang claimed its attacks began in mid-October 2020, targeting businesses worldwide and demanding ransoms of between $60,000 and $85,000 in Bitcoin. In some cases, victims were asked to pay hundreds of thousands of dollars to decrypt their data. 

The Washington DC Metropolitan Police Department (MPD) is one of their most prominent victims. This attack probably led the threat actor to announce its withdrawal from the ransomware business in favor of another extortion model that did not involve encryption. 

The group also declared plans to share its malware so that other cybercriminals could start a ransomware-as-a-service operation. The threat actors kept their promise and published their builder, a tool that creates customized ransomware. 

Kevin Beaumont, a security researcher, discovered it on VirusTotal and shared the information with the infosec community for detection and decryption. The gang took the name PayLoad Bin after its shutdown in April, although its leak site shows minimal activity. 

Meanwhile, a new leak site with Babuk Ransomware branding surfaced on the dark web. It lists fewer than five victims who refused to pay the ransom and were hit with a second malware variant. Babuk does not seem to have abandoned the encryption-based extortion game: it simply published the older malware version and built a new one to re-enter the ransomware business. 

Pieter Arntz, a security researcher at Malwarebytes, said: “Another fact that may be of consequence, somehow, is that researchers found several defects in Babuk’s encryption and decryption code. These flaws show up when an attack involves ESXi servers and they are severe enough to result in a total loss of data for the victim.”

New Evil Corp Ransomware Disguised as PayloadBin to Avoid Sanctions

 

The new PayloadBIN ransomware has been linked to the Evil Corp cybercrime gang, which rebranded to avoid US Treasury Department sanctions issued by the Office of Foreign Assets Control (OFAC). The Evil Corp gang, also known as Indrik Spider and the Dridex gang, began as a ZeuS botnet affiliate. It eventually organized a group dedicated to distributing the Dridex banking malware and downloader via phishing emails. 

According to the FBI, Dridex was used to steal more than $100 million from banks in more than 40 countries. The malware was subsequently used as a loader to install the BitPaymer ransomware on victims' computers. Two Russian nationals, Maksim Yakubets and Igor Turashev, were indicted by a US grand jury in December 2019 for allegedly running Evil Corp. 

Yakubets was functioning "as Evil Corp's head and is answerable for overseeing the group's illicit cyber activities," the Treasury Department said at the time, after he had assisted with money laundering and the GameOver/Zeus botnet and malware operation. It said Yakubets had been working for Russia's Federal Security Service, or FSB, since at least 2017, and noted that it had previously sanctioned the FSB for attacks against US targets. It also announced a $5 million reward for information leading to his arrest. 

After breaching the Metropolitan Police Department in Washington, DC, and stealing unencrypted data, the Babuk gang said it would stop using ransomware encryption and instead focus on data theft and extortion. The Babuk data leak site got a graphical makeover at the end of May, and the gang rebranded as 'payload bin.' 

On Thursday, BleepingComputer discovered PayloadBIN, a new ransomware strain linked to the rebranding of Babuk Locker. Once executed, the ransomware appends the .PAYLOADBIN extension to encrypted files. The ransom note, named 'PAYLOADBIN-README.txt,' claims that the victim's "networks are LOCKED with PAYLOADBIN ransomware." 

After finding the sample, BleepingComputer suspected that Babuk had lied about moving away from ransomware and had relaunched under a new name. After examining the new ransomware, however, both Emsisoft's Fabian Wosar and ID Ransomware's Michael Gillespie confirmed that it is a rebranding of Evil Corp's previous ransomware operations.

Threat Actor Targets Outsourcing Firm Serco Via Babuk Ransomware

The outsourcing company responsible for the NHS Test and Trace system in the UK confirmed this week that it was targeted by the threat actors behind the recently discovered Babuk ransomware. 

Serco, a British services business, manages over 500 contracts globally and employs nearly 50,000 people. It operates in sectors such as transport, justice, health, citizen services, immigration, and defense. The firm confirmed to Sky News that it had suffered an attack but said Test and Trace was not affected. A Serco spokesperson said its European systems are separate from those in the UK, so the UK system was unaffected.

Had the Test and Trace system been affected, the attack would have added to a growing number of incidents that have hit the system since its launch in May 2020. Sky News learned of the incident after noticing a sample of the Babuk ransomware uploaded to VirusTotal. The attached ransom note addressed Serco directly: “We’ve been surfing inside your network for about three weeks and copied more than 1TB of your data”. 

“Your partners such as NATO or Belgian Army or anyone else won’t be happy that their secret documents are in free access in the internet”, it continues. According to security vendor Cyberint, the cybercriminal group does not target schools, hospitals, or companies with annual revenue below $4m. The group also claims to avoid non-profit charities, with the exception of LGBTQ+ organizations or those linked with Black Lives Matter.

The NHS Test and Trace system has faced a lot of criticism recently for slow test results and ineffective contact tracing, and the government’s decision to bring in the private sector to operate it rather than trusting local health authorities has also annoyed many health experts.