
US Authorities Charge Alleged Key Member of Russian Karakurt Ransomware Outfit


The U.S. Department of Justice (DOJ) released a statement this week charging a member of a Russian cybercrime group with financial fraud, extortion, and money laundering in a U.S. court. The 33-year-old Moscow-based Latvian national Deniss Zolotarjovs was extradited to the United States earlier this month after being detained by Georgian authorities in December 2023.

Court records indicate that Zolotarjovs is linked with the ransomware outfit Karakurt, which exfiltrates victim data and holds it hostage until a cryptocurrency ransom is paid. The gang runs an auction portal and leak site where they identify the victim companies and allow users to download stolen data. The group has demanded ransom in Bitcoin ranging from $25,000 to $13 million. 

Previous findings suggest that Karakurt was related to the now-defunct ransomware gang Conti. Researchers believe Karakurt was a side project of the group behind Conti, allowing them to monetise data stolen during attacks when organisations were able to halt the ransomware encryption process. Zolotarjovs allegedly used the alias "Sforza_cesarini" and was an active member of Karakurt. 

He is suspected of engaging with other members, laundering cryptocurrency, and exploiting the group's victims. According to the DOJ, he is the first alleged member of the organisation to be arrested and extradited to the United States. Court records state that Zolotarjovs was involved in attacks on at least six undisclosed US companies. 

Karakurt stole "a large volume of private client data" in one attack in 2021, which included lab results, medical information, Social Security numbers that matched names, addresses, dates of birth, and home addresses. The company negotiated a ransom payment of $250,000 down from Karakurt's initial demand of about $650,000. 

Zolotarjovs was probably in charge of negotiating Karakurt's "cold case extortions," which involved carrying out open-source research to find phone numbers, emails, or other accounts through which victims could be contacted and pressured to either pay a ransom or re-enter a chat with the ransomware group. 

“Some of the chats indicated that Sforza’s efforts to revive cold cases were successful in extracting ransom payments,” court documents noted.

Black Basta's Ransom Money Surpasses $100 million in Less Than Two Years


Researchers have discovered that since the Black Basta ransomware gang first surfaced early last year, victims of its double-extortion attacks have paid the gang more than $100 million. With the haul, which included taking over $1 million from at least 17 victims and $9 million from one victim, the Russian-affiliated gang is now among the highest-ranking ransomware operators. 

Blockchain analytics startup Elliptic and cyber insurance provider Corvus claimed in a joint research post published on November 29 that Black Basta had targeted at least 329 organisations and had received payments totaling at least $107 million from over 90 victims. The researchers said that based on the number of victims in the 2022–2023 period, the gang was the fourth most active strain of ransomware. 

“It should be noted that these figures are a lower bound – there are likely to be other ransom payments made to Black Basta that our analysis is yet to identify – particularly relating to recent victims,” the researchers explained. 

In June, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory stating that LockBit, a "prolific" rival gang, had received $91 million from victims in the United States between early 2020 and mid-2023, which puts the group's earnings into perspective. This year, Black Basta has taken down major victims such as ABB, a Swiss technology company, Capita, a British outsourcing company, and Dish Network. 

The gang is thought to have split off from the Conti Group, a notorious ransomware operator that disbanded last year. It employs double-extortion techniques, stealing confidential information from victims, encrypting their networks, and threatening to release the data if a ransom isn't paid. Qakbot malware was frequently used to spread the Black Basta ransomware. 

According to the Elliptic and Corvus report, Qakbot's botnet was taken down by authorities in August, which could account for the notable decline in Black Basta attacks in the second half of the year. Elliptic researchers discovered links between Black Basta and Qakbot on the Bitcoin blockchain, with parts of ransoms paid to Black Basta being transferred to Qakbot wallets. 

“These transactions indicate that approximately 10% of the ransom amount was forwarded on to Qakbot, in cases where they were involved in providing access to the victim,” the researchers added. “Our analysis of Black Basta’s crypto transactions also provides new evidence of their links to Conti Group. In particular, we have traced Bitcoin worth several million dollars from Conti-linked wallets to those associated with the Black Basta operator.”

Ransomware Gang BianLian Switches to Extortion as its Primary Goal


The BianLian gang has abandoned its strategy of encrypting files and demanding a ransom in favour of outright extortion. 

In January, the cybersecurity company Avast released a free decryptor for BianLian victims, which appears to have persuaded the criminals that outright extortion, rather than the ransomware business, was the only viable option. 

Threat analysts at cybersecurity firm Redacted stated in a report that BianLian is increasingly forgoing the encryption of victims' data and instead concentrating on persuading victims to pay solely on the strength of an extortion demand in exchange for BianLian's silence, rather than following the typical double-extortion model of encrypting files and threatening to leak data. 

Several ransomware organisations are starting to depend less on data encryption and more on extortion. Yet it appears that the Avast tool served as the catalyst for this gang's change.

The BianLian group boasted that it generated unique keys for each victim in a message posted on its leak site when the security company released the decryptor. They also claimed that Avast's decryption tool was based on a build of the malware from the summer of 2022 and that it would fatally corrupt files encrypted by other builds. 

Since then, the message has been deleted, and BianLian has modified some of its strategies. That includes abandoning the practice of holding data to ransom through encryption and instead revealing masked victim information on its leak site, with the victims' identities hidden, in an effort to further persuade them to pay. 

Concealing victim data

Before the decryptor tool became accessible, they had this strategy in their toolbox, but "the group's use of the technique has exploded with the release of the programme," Redacted researchers Lauren Fievisohn, Brad Pittack, and Danny Quist, director of special projects, noted. 

Between July 2022 and mid-January, 16% of the postings on the group's leak site contained concealed victim details. In the two months following the decryptor's publication, masked victim details were present in 53% of the postings. The group is also posting the masked details to the leak site faster, often within 48 hours of the compromise.

To put more pressure on victims, the group is also doing research and increasingly customising its messages to them. Several of the messages referred to the legal and regulatory consequences businesses would face if a data breach became public, with the rules cited appearing to be those that apply to the victim's country of residence.

"With this shift in tactics, a more reliable leak site, and an increase in the speed of leaking victim data, it appears that the previous underlying issues of BianLian's inability to run the business side of a ransomware campaign appear to have been addressed," the researchers added. "Unfortunately, these improvements in their business acumen are likely the result of gaining more experience through their successful compromise of victim organizations." 

Expanding influence

The BianLian gang first appeared in July 2022 and quickly established itself as a serious threat, notably to the IT, engineering, and healthcare sectors, with healthcare accounting for 14 percent of the group's victims (9 percent). As of March 13, the criminals' leak site named 118 victims, according to Redacted. The US accounts for about 71 percent of those victims. 

The malware is written in Go, one of the newer languages that attackers, along with Rust, are adopting to evade endpoint security software, avoid detection, and run many operations concurrently. 

The ransomware gang is maintaining its consistency with regard to initial access and lateral movement within a victim's network even though some of its strategies have changed. The bespoke Go-based backdoor has undergone certain modifications, but its fundamental functioning has not changed, according to the research. 

The researchers wrote that Redacted, which has been tracking BianLian since last year, is also getting a view of the close relationship between the backdoor deployment and the command-and-control (C2) server, which suggests that "by the time a BianLian C2 is discovered, it is likely that the group has already established a solid foothold into a victim's network." 

Each C2 server stays active for roughly two weeks after the threat group brings it online; the group deploys almost 30 new C2 servers each month.

Hive Ransomware Operators Extort $100m from Over 1,300 Firms Worldwide


The operators behind the Hive ransomware-as-a-service (RaaS) model have launched assaults against over 1,300 firms across the globe and received approximately $100 million in ransom payments as of November 2022, US government agencies stated in an alert. 

Active since June 2021, the malicious ransomware model has been employed in assaults against enterprises and critical infrastructure entities, including healthcare, government, communications, IT, and manufacturing organizations. 

"Hive ransomware has targeted a wide range of businesses and critical infrastructure sectors, including government facilities, communications, critical manufacturing, information technology, and — especially — Healthcare and Public Health (HPH)," read the joint advisory by the FBI, the US Cybersecurity and Infrastructure Security Agency, and the Department of Health and Human Services.

Modus Operandi 

Hive's RaaS campaign involves a mix of operators, who design and manage the malware, and affiliates, who are responsible for launching the assaults on victim networks by often purchasing initial access from initial access brokers (IABs). 

In most scenarios, securing a foothold involves the exploitation of ProxyShell vulnerabilities in Microsoft Exchange Server, followed by the detection and termination of processes linked to antimalware, backups, file copying, and deleting Windows event logs. 

Subsequently, the ransomware creates a file with the .key extension in the root directory; this file, which is unique to the system it was created on, is required for decryption. A ransom note is dropped into each affected directory, warning targets not to tamper with the .key file, as that would prevent data recovery, and asking victims to contact the attackers via live chat on a website reachable through the Tor browser. 

The ransomware actor also threatens victims that, if a ransom is not paid, data would be leaked publicly on the Tor site ‘HiveLeaks’. Threat analysts also detected crooks employing anonymous file-sharing sites to publish siphoned data. 
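The two on-disk indicators described above (a `.key` file in the volume root and a ransom note dropped into every directory) lend themselves to a simple post-incident triage check. The following is an added example, not code from the original post or from any of the agencies cited; the note filename `HOW_TO_DECRYPT.txt` and the key filename are constructed placeholders, and the check flags a note by its replication across directories rather than by name, so it does not depend on that placeholder.

```python
"""Filesystem triage for the Hive-style layout described above: a root-level
.key file plus a note replicated into (nearly) every directory.  Sample trees
are constructed in a temp dir; no real Hive artefacts are involved."""
import os
import tempfile
from collections import Counter
from pathlib import Path


def scan_tree(root, note_ratio=0.8):
    """Return root-level .key files and file names present in at least
    `note_ratio` of all directories (the ransom-note pattern).  The tree is
    'suspicious' only when both indicators are present together."""
    root = Path(root)
    key_files = sorted(p.name for p in root.iterdir()
                       if p.is_file() and p.suffix == ".key")
    name_counts = Counter()
    dir_count = 0
    for _dirpath, _dirs, files in os.walk(root):
        dir_count += 1
        for name in set(files):
            name_counts[name] += 1
    replicated = sorted(n for n, c in name_counts.items()
                        if dir_count > 1 and c / dir_count >= note_ratio)
    return {"key_files": key_files,
            "replicated_notes": replicated,
            "suspicious": bool(key_files) and bool(replicated)}


def build_sample(infected):
    """Construct a throwaway tree; infected=True mimics the post-encryption
    layout (constructed names, not real Hive indicators)."""
    base = Path(tempfile.mkdtemp())
    for sub in ("docs", "docs/finance", "backups"):
        d = base / sub
        d.mkdir(parents=True)
        (d / "report.docx").write_bytes(b"sample document")  # ordinary file
    if infected:
        (base / "a1b2c3.key").write_bytes(b"constructed key blob")
        for dirpath, _d, _f in os.walk(base):
            (Path(dirpath) / "HOW_TO_DECRYPT.txt").write_text("constructed note")
    return base


if __name__ == "__main__":
    for infected in (False, True):
        print(infected, scan_tree(build_sample(infected)))
```

An ordinary file that happens to exist in most, but not all, directories (`report.docx` in three of four here) stays below the default threshold, which is why the result also requires the root-level key file.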

"Hive actors have been known to reinfect — with either Hive ransomware or another ransomware variant — the networks of victim organizations who have restored their network without making a ransom payment," the advisory further reads. 

According to the recent report published by cybersecurity firm Malwarebytes, the ransomware targeted seven victims in August 2022, 14 in September, and two other organizations in October, marking a fall in the operations from July, when the gang targeted 26 victims.

Karakurt Hacking Group Linked to Conti and Diavol Ransomware Crew


Cybersecurity researchers from Arctic Wolf Networks published a blog post on Friday claiming that the cyber extortion group Karakurt is operationally associated with both the Conti and Diavol ransomware groups, operating as an exfiltration arm of the ransomware organizations. 

In the blog post, the researchers said that since its first attacks in August 2021, the Karakurt hacking group has targeted more than 40 organisations in a number of industries in at least eight nations.

In conducting the in-depth research, Tetra Defense, an Arctic Wolf firm, collaborated with Chainalysis and Northwave to examine the cryptocurrency wallets tied to the Karakurt hacker group, together with the group's specific technique for data theft. The analysis confirmed that the group's membership overlaps with the Conti and Diavol ransomware crews. 

Tetra's report reveals the experience of a client firm that was targeted by the Conti group, and subsequently targeted again by a data theft perpetrated by the Karakurt hacking group. The analysis confirmed that the Karakurt attack employed an identical backdoor to exploit the client's systems as the earlier Conti assault. These associations debunk the Conti group’s assurance to victims that paying the ransom will shield them from future assaults.

"Such access could only be obtained through some sort of purchase, relationship, or surreptitiously gaining access to Conti group infrastructure," Tetra explained in its report. 

It is essential to distinguish the several types of cyber attack described here, according to Tetra. In a ransomware attack, critical information is encrypted and the ransom is paid in exchange for a decryption key so that the victim can recover its data and resume operating. In a data theft, which has been the sole type of attack orchestrated by the Karakurt group, threat actors steal sensitive corporate data and demand money in exchange for not releasing it. 

The Karakurt attacks of this type — there have been more than a dozen to date, according to Tetra — also employed cryptocurrency wallets associated with Conti victim payment addresses, further strengthening the argument that the two groups' membership may overlap significantly. 

“Traditionally, we have seen the criminals honor their offers,” Nathan Little, senior vice chairman of digital forensics and incident response at Tetra stated. “Early on, when these [data theft attacks] began in 2019, it was widespread that corporations had been frightened sufficient that they’d pay, to not cover the incident, however to keep away from the results.”