Recently there has been an increase in the use of different techniques, tools, and procedures (TTPs) by attackers using the Noberus aka BlackCat ransomware, making the threat more serious than ever. On Thursday, Symantec provided new techniques, tools, and procedures (TTPs) that Noberus ransomware attackers have employed recently.
Noberus is believed to be the sequel payload to the Darkside and BlackMatter ransomware family, according to a blog post by Symantec's Threat Hunter Team. The company said that Darkside is the same virus that was used in the May 2021 ransomware assault on Colonial Pipeline.
About Coreid
Coreid operates a ransomware-as-a-service (RaaS) business, which implies it creates the malware but licenses it to affiliates in exchange for a share of the earnings.
Since Noberus was the first genuine ransomware strain to be deployed in real-world attacks and it was written in the computer language Rust, it piqued interest when it was discovered in November 2021; as a cross-platform language, Rust is notable. In accordance with Coreid, Noberus can encrypt files on the Windows, EXSI, Debian, ReadyNAS, and Synology operating systems.
The organization has chosen to utilize the ransomware known as Noberus, which is short for the BlackCat ALPHV ransomware that has been used in attacks on multiple American colleges, to escape law enforcement by using fresh ransomware strains, according to Symantec researchers.
The researchers claim that the criminal organization first started stealing money from businesses in the banking, hospitality, and retail industries using the Carbanak malware. Before the group's transition towards ransomware-as-a-service (RaaS) operation in the early 2020s, three of its members were arrested in 2018.
Noberus is a destructive ransomware
Coreid emphasized Noberus' various improvements over other ransomware, such as encrypted negotiation conversations that can only be seen by the intended victim. Cybercriminals have access to two different encryption methods and four different ways to encrypt computers, depending on their needs for speed and the size of their data heaps, thanks to Noberus.
Noberus employs a program called Exmatter to recover the stolen data. According to Symantec, Exmatter is made to take particular kinds of files from particular directories and upload them to the attacker's site even before the ransomware is activated. Exmatter, which is constantly modified and updated to exfiltrate files through FTP, SFTP, or WebDav, can produce a report of all the processed exfiltrated files and if used in a non-corporate setting, it has the potential to self-destruct.
Noberus is also capable of collecting credentials from Veeam backup software, a data protection and recovery product that many organizations use to store login information for domain controllers and cloud services, utilizing information-stealing malware called Infostealer. By using a specific SQL query, the malware known as Eamfo can connect to the SQL database containing the credentials and steal them.
Symantec reported that in December the gang introduced a 'Plus' category for allies who had extorted at least $1.5 million in attacks. The group has demonstrated that it will cut off allies who don't earn enough in ransoms, according to Symantec.
A potent data exfiltration tool for the most common file types, including.pdf,.doc,.docx,.xls,.xlsx,.png,.jpg,.jpeg,.txt, and more, was added to Coreid last month.
Similar to some other organizations, Coreid has outlined four primary entities that affiliates are not permitted to attack: the Commonwealth of Independent States, nations with ties to Russia, healthcare providers, and nonprofits.
According to Symantec, the affiliates are 'directed to avoid assaulting the education and government sectors,' but given the numerous attacks on universities around the world, they seem to be lax about this directive.