
The Rate of Rorschach Ransomware is Increasing; Here's How to Safeguard Yourself

 

Staying ahead of threat actors is a game of cat and mouse, and the attackers frequently have the upper hand. LockBit was the most widely used ransomware strain in 2023; in the previous year it was also recognised as the most active ransomware organisation and RaaS supplier worldwide, measured by the number of victims claimed on its data leak site.

New strains keep emerging as the ransomware threat grows, and the recently discovered Rorschach strain is a case in point: it is one of the fastest-encrypting variants seen in the ransomware market today.

Check Point tested it against 220,000 files on a 6-core machine and found that every file had been (partially) encrypted within 4.5 minutes. That is faster than LockBit, previously regarded as one of the fastest ransomware families in circulation, which needed 7 minutes (LockBit v3) in the same test.

Why encrypt only part of each file? Rorschach uses intermittent (partial) encryption: only a portion of each file's contents is encrypted, which is enough to make the file unusable while touching far fewer bytes than full encryption would.

Cutting the time needed to encrypt files leaves security software and staff only a short window in which to stop the attack. The outcome for the victim is the same: the files are unusable.

Encryption speed matters because it limits the time a user or IT team has to detect and respond to the breach, which raises the attacker's chance of success.
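As an added example (it is not part of the original post, and it is not Rorschach's actual encryption scheme), the following Python simulation shows why intermittent encryption matters for detection as well as for speed: a scanner that measures entropy over the whole file can miss a partially encrypted document, whereas measuring entropy per block catches it. The encrypt-one-block-in-eight pattern, the 8 KiB window, the 7.5-bit alert threshold and the sample document are all assumptions made for the demonstration.

```python
import math
import random

BLOCK = 8192  # analysis window in bytes (assumption; tune for your scanner)

# Constructed sample document: low-entropy English text, about 138 KB.
SAMPLE_DOC = b"Quarterly report: revenue up 4% on the prior period. See appendix B.\n" * 2000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def block_entropies(data: bytes, block: int = BLOCK) -> list:
    """Entropy of each fixed-size window of the file, in file order."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]


def simulate_intermittent_encryption(plain: bytes, every_nth: int = 8,
                                     block: int = BLOCK, seed: int = 1) -> bytes:
    """Simulation only: overwrite one block in every `every_nth` with pseudo-random bytes.

    The random bytes stand in for stream-cipher output so the example is self-contained
    and deterministic; the block-selection pattern is an assumption, not Rorschach's.
    """
    rng = random.Random(seed)
    out = bytearray(plain)
    for start in range(0, len(out), block * every_nth):
        end = min(start + block, len(out))
        out[start:end] = rng.randbytes(end - start)
    return bytes(out)


def assess(data: bytes, threshold: float = 7.5, block: int = BLOCK) -> dict:
    """Compare a whole-file entropy heuristic with a per-block one on the same data."""
    whole = shannon_entropy(data)
    per_block = block_entropies(data, block)
    return {
        "whole_file_entropy": round(whole, 2),
        "max_block_entropy": round(max(per_block), 2),
        "whole_file_alert": whole >= threshold,                 # misses partial encryption
        "block_alert": any(e >= threshold for e in per_block),  # catches it
        "blocks_touched": sum(e >= threshold for e in per_block),
    }


if __name__ == "__main__":
    print("clean document     :", assess(SAMPLE_DOC))
    print("partially encrypted:", assess(simulate_intermittent_encryption(SAMPLE_DOC)))
```

On the sample document the whole-file entropy of the partially encrypted copy stays well below the threshold (most bytes are still plaintext), while three individual blocks sit near 8 bits and trip the per-block check. The practical lesson is that file-level entropy or magic-byte heuristics alone are not a reliable ransomware signal once intermittent encryption is in play; canary files, write-rate monitoring and per-block analysis hold up better.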

Rorschach also spreads on its own: when it is executed on a domain controller it creates a Group Policy that pushes the ransomware to every machine in the domain, so an attack that initially targeted a single system ends up on all of them.
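As an added illustration (not from the original post), here is a small Python detection for the pattern just described, written over Windows Security log events: a Group Policy object being created (event 5137 with object class groupPolicyContainer) and then linked to the domain or an OU (event 5136 modifying the gPLink attribute) in quick succession, or created by an account that is not an expected GPO administrator. The events are constructed for the example and already flattened into dictionaries; the account allow-list, the ten-minute window and the field names are assumptions to adapt to your own log pipeline.

```python
import re
from datetime import datetime, timedelta

# Accounts expected to create or link GPOs (assumption for this example).
GPO_ADMINS = {"CORP\\gpo-admin"}
# A GPO created and linked inside this window is treated as suspicious.
WINDOW = timedelta(minutes=10)

GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.IGNORECASE)

# Constructed sample events (not real logs), flattened from Security log XML.
# 5137 = directory service object created, 5136 = directory service object modified.
SAMPLE_EVENTS = [
    {"time": "2023-04-03T02:14:07", "id": 5137, "subject": "CORP\\jdoe",
     "class": "groupPolicyContainer",
     "dn": "CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=corp,DC=example"},
    {"time": "2023-04-03T02:15:31", "id": 5136, "subject": "CORP\\jdoe",
     "class": "domainDNS", "dn": "DC=corp,DC=example", "attribute": "gPLink",
     "value": "[LDAP://cn={11111111-2222-3333-4444-555555555555},cn=policies,cn=system,DC=corp,DC=example;0]"},
    {"time": "2023-04-03T09:00:00", "id": 5137, "subject": "CORP\\gpo-admin",
     "class": "groupPolicyContainer",
     "dn": "CN={22222222-3333-4444-5555-666666666666},CN=Policies,CN=System,DC=corp,DC=example"},
    {"time": "2023-04-03T09:20:00", "id": 5137, "subject": "CORP\\jdoe",
     "class": "user", "dn": "CN=New Hire,OU=Staff,DC=corp,DC=example"},
]


def guids_in(text: str) -> list:
    """All GPO GUIDs mentioned in a DN or gPLink value, upper-cased for comparison."""
    return [g.upper() for g in GUID_RE.findall(text)]


def detect_rogue_gpo(events, admins=GPO_ADMINS, window=WINDOW) -> list:
    """Return human-readable alerts for GPO creation or linking outside the expected pattern."""
    alerts = []
    created = {}  # GPO GUID -> (creation time, creating account)
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 5137 and ev.get("class") == "groupPolicyContainer":
            for guid in guids_in(ev["dn"]):
                created[guid] = (t, ev["subject"])
                if ev["subject"] not in admins:
                    alerts.append(f"GPO {guid} created by non-admin {ev['subject']} at {t}")
        elif ev["id"] == 5136 and ev.get("attribute", "").lower() == "gplink":
            # A freshly created GPO being linked within minutes is the ransomware pattern.
            for guid in guids_in(ev.get("value", "")):
                hit = created.get(guid)
                if hit and t - hit[0] <= window:
                    alerts.append(f"GPO {guid} created by {hit[1]} and linked to "
                                  f"{ev['dn']} {t - hit[0]} later")
    return alerts


if __name__ == "__main__":
    for line in detect_rogue_gpo(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Two things to remember when wiring this into a real pipeline: 5136 and 5137 are only generated when the directory service auditing subcategory is enabled and a SACL exists on the Policies container and on the OUs you care about, and a gPLink change normally produces a pair of 5136 events (the old value deleted, the new value added), so de-duplicate on the correlation ID before alerting.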

So what are the best practices for defending against these growing threats? The three measures below are critical for protecting yourself and your organisation from Rorschach attacks.

Access control 

One of the first steps in securing an organisation is to ensure that each user has only the access they need. Implementing role-based access control (RBAC) or attribute-based access control (ABAC) ensures that no user, and no compromised account, can reach data outside its intended scope.

With suitable controls in place you can audit any attempt by an account to perform an action beyond its permissions, and fast onboarding and offboarding let you respond to security events quickly.
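As an added example (not from the original post), here is a minimal Python authoriser that combines the two ideas in the paragraphs above: RBAC decides what an account may do, an ABAC rule decides where it may do it, anything not explicitly granted is denied, and every denial is written to an audit log so that a compromised account reaching beyond its scope shows up immediately. The role table, the department rule and the sample principals are assumptions for the demonstration.

```python
from dataclasses import dataclass, field

# Role -> permissions. Anything not listed here is denied (deny by default).
ROLE_PERMISSIONS = {
    "analyst": {"report:read"},
    "finance": {"report:read", "report:write"},
    "admin": {"report:read", "report:write", "user:manage"},
}


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset
    department: str


@dataclass(frozen=True)
class Resource:
    name: str
    department: str


@dataclass
class Authorizer:
    """RBAC decides what an account may do, an ABAC rule decides where; denials are audited."""
    audit_log: list = field(default_factory=list)

    def is_allowed(self, who: Principal, action: str, what: Resource) -> bool:
        # RBAC: the action must be granted by at least one of the principal's roles.
        role_ok = any(action in ROLE_PERMISSIONS.get(r, set()) for r in who.roles)
        # ABAC: writes stay inside the principal's own department unless they are an admin
        # (assumed rule for this example).
        attr_ok = (action.endswith(":read") or who.department == what.department
                   or "admin" in who.roles)
        allowed = role_ok and attr_ok
        if not allowed:
            # Record every over-reach so a compromised account trips an alert quickly.
            self.audit_log.append({
                "principal": who.name, "action": action, "resource": what.name,
                "reason": "no role grants action" if not role_ok else "attribute rule failed",
            })
        return allowed


# Constructed sample principals and resources.
ANALYST = Principal("alice", frozenset({"analyst"}), "sales")
FINANCE = Principal("bob", frozenset({"finance"}), "finance")
ADMIN = Principal("carol", frozenset({"admin"}), "it")
INTERN = Principal("mallory", frozenset({"intern"}), "sales")  # role unknown to the table
LEDGER = Resource("q1-ledger", "finance")
PIPELINE = Resource("sales-pipeline", "sales")


def demo() -> tuple:
    """Run a fixed set of requests; returns (decisions, audit log)."""
    auth = Authorizer()
    decisions = [
        auth.is_allowed(ANALYST, "report:read", LEDGER),     # True
        auth.is_allowed(ANALYST, "report:write", PIPELINE),  # False: role lacks write
        auth.is_allowed(FINANCE, "report:write", LEDGER),    # True
        auth.is_allowed(FINANCE, "report:write", PIPELINE),  # False: wrong department
        auth.is_allowed(ADMIN, "report:write", PIPELINE),    # True: admin override
        auth.is_allowed(INTERN, "report:read", PIPELINE),    # False: unknown role, deny by default
    ]
    return decisions, auth.audit_log


if __name__ == "__main__":
    decisions, log = demo()
    print(decisions)
    for entry in log:
        print("DENIED:", entry)
```

The point of returning the audit log rather than only the decision is that the denials, not the grants, are what a detection team wants to alert on: a single account generating a burst of "attribute rule failed" entries across departments is a strong sign that its credentials are being used by someone else.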

Account policy

Accounts are backed by a strong password policy. That may mean following industry standards such as NIST SP 800-63B and checking new passwords against lists of previously breached ones. Meeting those requirements by hand is difficult, but software such as Specops Password Policy with Breached Password Protection can help.

Ensuring that users choose passwords that satisfy the policy and do not appear in breach corpora removes one of the easiest routes into an organisation. Note that NIST SP 800-63B advises against forcing periodic password changes; passwords should be changed when there is evidence of compromise, not on a fixed schedule.
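As an added example (not from the original post, and not Specops' product), here is a Python validator that applies the SP 800-63B rules the paragraphs above refer to: a minimum length, a block-list check against breached, context-specific, repetitive and sequential values, and deliberately no composition rules. The breach lookup mirrors the k-anonymity "range" protocol used by Have I Been Pwned, in which only the first five hex characters of the password's SHA-1 leave the client; the breach corpus and the organisation-specific word list are constructed for the demonstration.

```python
import hashlib
import re

MIN_LENGTH = 8  # SP 800-63B: user-chosen memorized secrets must be at least 8 characters

# Organisation-specific words a policy should block (assumption for this example).
CONTEXT_WORDS = {"acme", "acmecorp"}

# Constructed breach corpus, stored as upper-case SHA-1 hex like the HIBP data set.
# In production this is the HIBP range API or an offline copy, never an inline set.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "Password1", "qwerty123", "Winter2023!", "letmein")
}


def breached_by_range(password: str, corpus=BREACHED_SHA1) -> bool:
    """k-anonymity lookup as used by the HIBP 'range' API.

    Only the first five hex characters of the SHA-1 leave the client; the server
    answers with every suffix it holds for that prefix and the match is made locally.
    """
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    # --- what the server would return for this prefix ---
    suffixes_for_prefix = {h[5:] for h in corpus if h.startswith(prefix)}
    # --- client-side comparison; the full hash is never sent ---
    return suffix in suffixes_for_prefix


def is_sequential(s: str) -> bool:
    """'abcdefgh', '87654321' and similar: every adjacent pair differs by exactly 1."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def check_password(password: str, username: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable.

    Follows SP 800-63B: a length minimum, a block-list of breached, context-specific,
    repetitive and sequential values, and no composition rules (no forced digits/symbols).
    """
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if any(w in lowered for w in CONTEXT_WORDS):
        problems.append("contains an organisation-specific word")
    if re.fullmatch(r"(.)\1*", password):
        problems.append("single repeated character")
    if is_sequential(password):
        problems.append("sequential characters")
    if breached_by_range(password):
        problems.append("found in breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ("Password1", "correct horse battery staple", "jdoe-summer-2023", "abcdefgh"):
        print(f"{candidate!r}: {check_password(candidate, 'jdoe') or 'OK'}")
```

Note what the validator does not do: it never demands an upper-case letter, a digit or a symbol, and it has no expiry date. Both are deliberate. Composition rules push users toward predictable patterns, and SP 800-63B tells verifiers to screen against known-breached values instead, which is exactly the check the breach corpus provides.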

Data backup 

Good, thorough backups that cover your entire infrastructure are essential, and especially so against ransomware. If the worst happens you can rebuild quickly and bring services back. Keep at least one copy offline or immutable and test restores regularly, because ransomware operators routinely try to delete or encrypt backups before triggering the locker. Fast recovery limits the impact of a successful attack and helps you work out what was compromised.

Bottom line 

The three measures above cannot guarantee security, but they raise the bar against increasingly sophisticated threats such as Rorschach. Although this strain already uses custom code to speed up encryption, further refinements from its operators are likely.

A stricter password policy makes your organisation a harder target; attackers frequently go for the easy wins first, starting with credentials that have already been leaked.

A free tool is also available to scan your Active Directory against more than 940 million known-compromised credentials. Make sure no one is still using credentials that have already been stolen.

Nevada Ransomware: Another Feather in the RaaS Ecosystem

Resecurity, known for its cybersecurity services including risk management, endpoint protection and threat intelligence for large enterprises and government agencies worldwide, has discovered a new ransomware family in the course of its research, tracked as “Nevada Ransomware”.

The threat actors behind this new malware run an affiliate platform that was first advertised on the RAMP underground forum, a community known for initial access brokers (IABs), ransomware groups and other malicious actors.

On 1 February the actors updated and significantly extended the functionality of the locker for Windows and Linux/ESXi and distributed new builds to their affiliates; Resecurity's malware intelligence team analysed these developments in its report.

Nevada Ransomware is written in Rust, like Hive ransomware. The locker is run from a console with predefined flags that include encrypting selected files and directories, deleting shadow copies, safe-mode encryption, self-deletion, loading hidden drives, and finding and encrypting network shares.

The operators can also escalate beyond the initial point of compromise by performing post-exploitation actions for maximum damage. According to the researchers, both the Windows and the Linux/ESXi versions of Nevada Ransomware are being updated constantly.

It does not stop there: the Nevada actors not only develop the ransomware but also acquire unauthorised access for later exploitation, and the operators behind the malware specialise in post-exploitation.

“The Nevada Ransomware offers very attractive and competitive conditions – 85% (to partner) with a further increase to 90% assuming further progress. Notably, the actors also acquired compromised access for further development besides being ransomware developers. Based on our current assessment, they have a team performing post-exploitation to develop the initial point of compromise into full-blown network intrusion to achieve maximum damage,” said Resecurity. 

Additionally, the affiliate post carries translations in English and Chinese, an indication that the operators want to attract a worldwide audience beyond Russian speakers. According to the researchers, the actors are open to doing business with the ex-USSR, the Islamic Republic of Iran, the European Union and China. Previously they were identified among suppliers of hacked RDP and VPN access to other ransomware networks.