Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Babuk. Show all posts

Babuk is Customized by RA Ransomware Group


 

It has recently been discovered that an actor called the RA Group uses leaked Babuk source code in its attacks. The wrath of the same jas been faced by the companies in the United States and South Korea. Manufacturing, wealth management, insurance providers, and pharmaceuticals are among the compromised industries. 

Cybercriminal gang Babuk continues to cause havoc with the leaked source code it uses to launch cyberattacks against its targets. 

RA Group has been expanding its operations at the rate of 200 stores per month since April 22 as a result of an evaluation conducted by Cisco Talos this week. Several companies have been targeted in the US and South Korea by this threat, particularly in manufacturing, wealth management, insurance coverage, and pharmaceuticals. There have already been a few RA victims since it became prevalent in April. 

Four Companies Have Been Attacked by RA Ransomware

As per Cisco Talos’s research, “RA Group started leaking data on April 22, 2023, and we observed the first batch of victims on April 27, followed by the second batch on April 28, and we noticed more victims on April 29, 2023."

It is imperative to draw your attention to the fact that Babuk ransomware's complete source code was leaked online in September 2021. As a result of its success, several new threat actors have created ransomware by leveraging it to do business with them. Over the past year, 10 different ransomware families have gone down that route - a particular example would be a group of individuals who used it for developing lockers that were designed to work with VMware ESXi hypervisors. 

In addition, there have been others who have modified the code in other ways, using the fact that it is designed to exploit several known vulnerabilities to do so. As an example of this, there are vulnerabilities in Microsoft Exchange, Struts, WordPress, Atlassian Confluence, Oracle WebLogic Server, SolarWinds Orion, Liferay, and other popular web applications. 

In light of the news, it is important to remember that the report from SentinelLabs published last week revealed that there was growing evidence of ransomware groups still targeting ESXi hypervisors and that the disclosure of Babuk source code in September 2021 offered a unique insight into the development operations of a ransomware group that had previously been unavailable to threat actors. 

As part of the monitoring system, victims are also reported on a dark web blog to encourage data leakage on their behalf.

A ransom note published in the report indicates that the gang is ruthless and sells the data after three days, and in that letter, they state that "Your data is encrypted when you read this letter." In addition to copying your data onto our server, you should feel comfortable knowing that no information about you is going to be compromised or made public unless you want it to be, the note stated. Most criminals give victims weeks or months to pay up. 

The Cisco Talos team of security experts on May 15 compiled a timeline of attacks using ransomware families that were derived from the leaked Babuk source code, conducted by different actors. 

Several custom malicious code families have evolved out of the ransomware, discovered in the Babuk data breach. This is according to Timothy Morris, Chief Security Advisor at Tanium. Several software vulnerabilities are exploited by the attacker, including Exchange, Struts, WordPress, Atlassian Confluence, Oracle WebLogic Server, SolarWinds Orion, and Liferay, as well as interfering with backups and deleting volume shadow copies. Morris claims this exploit was discovered last year. 

According to RA Group’s ransom note, victims have only three days left to settle the debt; accordingly, it is using a standard double-extortion model that threatens to leak exfiltrated data if they do not pay up; however, according to the ransom note, victims have just three days remaining to settle their debt. 

Several details in the leak site divulge the identity of the victim, the name of the organization from which the data was obtained, the total size of the data downloaded, and even the official URL of the victim. As Cisco Talos has explained in its analysis of the ransomware group, this is a typical leak site among other ransomware groups of the same type. Nevertheless, RA Group is actively selling the victims' exfiltrated data through their leak site which is hosted on a secured Tor site used for selling the victims' leaked data.   

Several details are disclosed at the leak site, such as the identity of the victim, the name of the organization that provided the data, the size of the data downloaded, and even the official URL of the victim, all of which reveal the identity of the victim. Cisco Talos has explained in its analysis of this ransomware group that this is essentially a typical leak site. This is similar to those used by other ransomware groups. Despite this, the RA Group is currently selling the exfiltrated data of the victims through a leak site. This is hosted on a secure Tor site and has been used to sell the exfiltrated data of the victims.

Hack 'Sabbath': Evasive New Ransomware Discovered

 

Due to its small size and unique approaches, a small yet strong ransomware group has been executing attacks largely undiscovered. 

According to Mandiant, the operation, named UNC2190 or "Sabbath," began in September and started attacks in October. Since then, the gang claims to have infected several firms and has threatened to reveal the stolen data if their ransom demand is not met. 

As per a Mandiant blog post, the Sabbath ransomware group has attacked and extorted at least one school system in the United States. Sabbath, like other ransomware operations, is thought to depend heavily on the ransomware-as-a-service model, in which the operators engage individual "affiliate" hackers to execute the on-the-ground labour of infiltrating networks and installing the ransomware.

One of the risks posed by the Sabbath ransomware operation is that the group has managed to avoid detection owing to a number of variables. To begin, the organisation has altered its tools, including the including the Cobalt Strike Beacon remote control tool, to avoid detection. The scale of the operation in comparison to other ransomware brands also helped keep the operations under the radar. 

Sabbath, according to Mandiant, has its origins in a prior ransomware attack known as Arcane. Both are believed to be managed by the same UNC2190 group. However, unlike larger, more well-known ransomware groups, UNC2190's transition from Arcane to Sabbath was not quickly noticed. 

While it's not uncommon for huge ransomware gangs to rebrand their activities, Tyler McLellan, a principal analyst at Mandiant and co-author of the blog post, told SearchSecurity that a tiny, relatively unknown team like Arcane doesn't generally alter its brand. 

McLellan explained, "We've seen some of the larger groups like DarkSide and Babuk rebrand when public and government pressure was too great. In the case of the smaller groups like Sabbath, it could be rebranded over much more mundane reasons such as a payment dispute between group members and a rebranding is an attempt to start fresh minus the problem group members." 

Sabbath may have some influence over the ransomware scene, even if it is not as large as DarkSide or Babuk. As per McLellan, some of Sabbath's approaches, notably their use of several customised malware payloads, might be exploited by other ransomware crews attempting to avoid detection by security providers and law authorities. 

"As detection of ransomware intrusions improves at the early pre-ransomware stages, we expect the threat actors will continue to adapt to stay ahead of the detection curve and increase the pace to deploy ransomware faster after an initial intrusion," McLellan added.

Babuk Ransomware Full Source Code Leaked On A Russia-Speaking Hacking Forum



The complete source code for the Babuk ransomware has been leaked by a threat actor on a Russian-speaking hacking forum, this week. It allows easy access to a sophisticated ransomware strain to competitors and threat actors planning to sneak into the ransomware realm with little effort. 

The full source code of Babuk ransomware posted on the hacking forum comprises all things that one would require for a functional ransomware executable. The leaked file contains "various Visual Studio Babuk ransomware projects for VMware ESXi, NAS, and Windows encryptors," as per Xiarch Security. The leak has been confirmed to be legitimate by various ransomware experts. Apparently, the leak also includes decryption keys for the gang's past victims. 

Babuk ransomware gang made certain changes into their operations as they announced they will longer encrypt information on networks, but will rather "get to you and take your data" they said on hacker-forum. "..we will notify you about it if you do not get in touch we make an announcement." They announced in advance that their source code will be publically available as Babuk changes direction and plans to shut down. "We will do something like open-source RaaS, everyone can make their own product based on our prouduct." They further told. 

In April, earlier this year, the Babuk group attacked Washington D.C police with a ransomware attack wherein they stole over 250 gigabytes of data from the Metropolitan Police Department of the District of Columbia (MPD). It included police reports, internal memos, and PII of confidential informants, and employees. Following the attack, the gang heavily criticized MPD for huge security gaps and threatened the law enforcement agency to publish the data if the ransom demand is not met. 

MPD acknowledged the unauthorized access on their server, and it started working with the FBI to investigate the matter. Meanwhile, the U.S. law enforcement agency reviewed the activity to determine the full impact of the attack. 

Post MPD attack, there are reports of strife within the group members of Babuk. The 'Admin' wished to leak the data stolen from the MPD attack for advertising, however, the other members were against the idea as they felt it was too much even for them (the bad guys). As a result, the group disintegrates and the initial 'Admin' went on to launch the 'Ramp' cybercrime forum while others began Babuk V2, where they continue carrying out ransomware attacks with little or no difference. After a while, the original admin accused his gang members of attempting to make his new site unusual by subjecting it to a series of DDoS attacks. 

"One of the developers for Babuk ransomware group, a 17 year old person from Russia, has been diagnosed with Stage-4 Lung Cancer. He has decided to leaked the ENTIRE Babuk source code for Windows, ESXI, NAS." A user going by the Twitter handle @vxunderground tweeted.

Washington DC Police Hit by the Worst Ransomware Ever

 

In the U.S. capital, the police department experienced a major information leak after declining to satisfy the extortion demands of a Russian-speaking ransomware syndicate. As per the experts, the US police department has been hit by the worst ransomware ever. 

On Thursday 13th May, the Gang, identified as the Babuk Squad, published on the dark web, some thousands of confidential documents from the Washington Metropolitan Police Department. Hundreds of police officer intelligence documents, containing feeds from other agencies, such as the FBI and Secret Service, were discovered through a report by The Associated Press. 

Ransomware attacks have reached epidemic proportions as international gangs paralyze local and state governments, police, hospital, and private companies' computer networks. They need substantial payments for deciphering or to prevent the online leakage of stolen information. 

The Colonial Pipeline was shut down last week by a cyber-attack which caused gasoline stockpiling and panic buying across southeast sections of the nation's largest fuel pipeline. 

This Police data leak is "perhaps the most significant ransomware incident to date," due to the risks it poses for officers and civilians, said Brett Callow, a threat analyst and ransomware specialist at the Emsisoft security company. 

Most documents contained security details from many other law enforcement authorities regarding the inauguration of President Joe Biden, along with a connection to a militia group "embedded source." 

The two pipe bombs abandoned at the location of the Democratic Committee and the Republican National Committee before the revolt in the American Capitol on January 6 were studied by the FBI in one document. Yet another document explains the details. This involves "big data pull" from cell towers, as well as plans to "analyze purchases" of Nike shoes that a concerning individual uses. 

In response to an AP request for comments, the police department didn't initially respond but has reported earlier that personal data was compromised. 

Some of the information was subsequently leaked, exposing personal data from background checks of some officials, including information on previous use of drugs, financial conditions, and — in at least one instance — regarding past sexual assault. 

“This is going to send a shock through the law enforcement community throughout the country,” Ted Williams, a former officer at the department who is now a lawyer, told The Associated Press. 

Williams further added that it makes it harder for officers to do their work because of background checks and administrative files publicly disclosed.

“The more the crooks know about a law enforcement officer, the more the crooks try to use that for their advantage,” he said. 

Recently the Babuk community demanded $4 million to not publish the archives, but only around $100,000 was provided. The Ministry did not say whether it offered it. Any discussions will show the difficulty of the issue of ransomware, with the police forced to consider paying for criminal gangs.

Babuk Quits Ransomware Encryption, Focuses on Data-Theft Extortion

 

The Babuk ransomware group has decided to close the affiliate program and switch to an extortion model that does not rely on encrypting victim computers, according to a new message sent out today by the gang. The clarification comes after the group posted and then deleted two announcements yesterday about their intention to close the project and release the malware's source code. 

The group seems to have taken a different path than the ransomware-as-a-service (RaaS) model, in which the hackers steal data before deploying the encryption stage to use as leverage in ransom payment negotiations. 

Babak's newly announced model is nearly identical except for the data encryption part, according to a third "Hello World" message posted on their leak site. In other words, the cybercriminals will run an extortion-without-encryption operation, demanding a ransom for data stolen from compromised networks. 

“Babuk changes direction, we no longer encrypt information on networks, we will get to you and take your data, we will notify you about it if you do not get in touch we make an announcement,” stated Babuk ransomware. 

Maze ransomware began exfiltrating data in November 2019 in order to boost ransom demands. All big ransomware operations quickly adopted it. In starting of 2021, Clop ransomware exploited zero-day vulnerabilities in Accellion's File Transfer Appliance to ran a series of data-theft attacks on high-value companies without encrypting systems. The group stole a large number of files and demanded large sums of money in exchange for not leaking or trading the information. 

Several victims paid tens of millions of dollars in ransom. Babuk ransomware claims that despite being a new team on the ransomware scene, they are already well-known in the industry because they have “the best darknet pentesters.” 

The benefits of this extortion business for Babuk are currently unclear, but the group will have to exfiltrate greater amounts of data than with encryption. Babuk reports one victim from whom they claim to have copied 10 terabytes of data on their leak site. The group claims to have stolen 250GB of data from the Metropolitan Police Department (MPD) in their most recent attack. It's also possible that this will increase the group's benefit, either by requiring higher ransoms or by selling the data to competitors or other parties. 

RaaS operations have become so large in terms of affiliates that it's difficult to keep track of anything. This has recently translated into technological and management changes that have resulted in victims losing data due to faulty decryption tools or having to deal with multiple attacks by the same group.

This happened with Conti, Lockbit, and REvil and these issues affected many ransomware gangs that were dependent on their reputation of a party that respects their end of the deal to demand higher ransoms.

Hacking Group That Targeted D.C. Police Briefly Posts Internal Police Files

 

Hackers who allegedly gained access to the D.C. police department's computer network briefly posted the personnel files of at least five current and former officers, a gambit one security expert believes was intended to show that the group's threats are legitimate. 

On Monday, Babuk issued the first warning to D.C. police by uploading screenshots of files the group claimed to have stolen. The group claims to have 250 GB of data, which is enough to store 70,000 images or thousands of pages. 

According to Brett Callow, an analyst for the New Zealand-based cybersecurity firm Emsisoft, which has been monitoring the hack, the documents posted on Wednesday ran into the hundreds of pages and included names, Social Security numbers, phone numbers, financial and housing records, job histories and polygraph assessments. 

In a statement, the hacking group Babuk warned police to "get in touch as soon as possible and pay us, otherwise, we will publish the data." Officials in Washington, D.C., have not commented about whether they are in contact with the group. One of the former officers identified in the leak was contacted by NBC News, who confirmed the information was accurate. The officer's identity was not revealed. 

One of the records reviewed by The Washington Post is marked “background investigation document” and “confidential”. The 576-page file includes details of when an officer was going through a background check to be hired in 2017. It contains the officer's financial and banking details, as well as a photocopy of the officer's driver's license, social media posts, a private cell phone number, and answers to questions about past marijuana usage. 

The records were taken down later on Wednesday, according to Callow. However, the group issued a new alert on its dark Web site sometime Thursday, stating only that the police “now determine if the leak will be or not.” The threat was also removed later. 

This week, D.C. police said they were "aware of unauthorized access on our server" and were trying to "determine the full impact." The FBI was called in to assist with the investigation. Babuk has threatened to reveal confidential sources and reports with titles like "known shooters," "most violent person," "RAP feuds," "gang conflict report," and "strategic crime briefings," among others. 

Acting D.C. police chief Robert J. Contee III sent an email to more than 3,600 officers on Wednesday night, reporting that the hacking group had stolen human resource files containing officers' personal information. Officers are told how to get free copies of their credit reports in the email. Officers may also put "fraud notices" on their credit reports, requiring someone who wants to access the data to seek additional permissions. 

According to Adam Scott Wandt, an assistant professor of public policy in the cybersecurity programme at John Jay College of Criminal Justice, “The data leak could reveal informants, putting their lives in danger. This criminal organization poses a very serious and dangerous threat.” Wandt stated, "The amount of harm that can be done is simply enormous. It has the potential to obstruct ongoing investigations. Imagine looking up your name on Google and seeing a data dump that reveals you're being investigated for fraud or drug dealing.” 

The D.C. police department, according to Callow, "has no good choices." The data will be released if they do not pay. If they pay, all they have to do now is trust the criminals to delete the stolen information. “However, why would they?” 

According to a study released by Emsisoft, 2,354 agencies and businesses were targeted last year in ransomware attacks. There were 113 local, state, and federal governments, 560 healthcare facilities, and 1,681 educational institutions included in the list. The groups also gain access to private networks, shut down systems, and then demand payment to restore services. In 2019, a cyberattack crippled Baltimore's ability to process payments and conduct online real estate transactions. According to the Baltimore Sun, the attack cost the city $18 million in lost revenue as well as money spent to repair systems and boost security.

D.C. cops are being targeted by a new type of extortion scheme in which data is stolen and bribes are demanded to keep it from being published, stated cybersecurity experts. According to Callow, the group appears to have raw knowledge based on Wednesday's postings of real data files.

Serco Affirms Babuk Ransomware Attack

 

Outsourcing giant Serco has affirmed that parts of its infrastructure in mainland Europe have been hit by a double extortion ransomware assault from the new Babuk group, however, the parts of its operation relating to the NHS Test and Trace program are unaffected. “Serco’s mainland European business has been subject to a cyber-attack,” a Serco representative said. “The attack was isolated to our continental European business, which accounts for less than 3% of our overall business. It has not impacted our other business or operations.” 

The incident comes after security firms and insurers progressively have stressed that digital extortionists gain from other assailants' techniques, outsource a portion of their operations and depend on connections to infiltrate victim networks. Albeit the NHS Test and Trace program was unaffected by the incident, ThreatConnect EMEA vice-president Miles Tappin said the vulnerabilities in Serco's wider systems were of incredible concern, and the Babuk assault uncovered “inherent weaknesses of the system”. 

“Like many actors new to the world of ransomware, the actor behind Babuk ransomware has been learning on the job while drawing insights from other criminal groups,” said Allan Liska, an intelligence analyst at the threat intelligence company Recorded Future. In the ransom note, Babuk's operators professed to have approached Serco's systems for three weeks and to have as of now exfiltrated a terabyte of information. The cybercriminals made explicit references to Serco partners, including Nato and the Belgian Army, and threatened Serco with consequences under the General Data Protection Regulation (GDPR). 

The attacker has demanded $60,000 to $85,000 in ransoms, however, that is “likely to increase over time as the threat actor becomes more experienced in ransomware operations,” as indicated by a private analysis from PricewaterhouseCoopers got by CyberScoop. Babuk is a long way from sophistication. Its code has contained mistakes that held it back from executing on some targeted computers, as indicated by PwC. “We assess that, due to a disregard for error checking, Babuk would fail to execute altogether in some environments,” the analysis says. 

However, while Babuk is as yet a moderately low-level threat to associations, as indicated by Liska, that could change on the off chance that they can bring in more cash from assaults and put resources into new capabilities.