Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label RaaS. Show all posts

Understanding Ransomware: A Persistent Cyber Threat

 


Ransomware is a type of malicious software designed to block access to files until a ransom is paid. Over the past 35 years, it has evolved from simple attacks into a global billion-dollar industry. In 2023 alone, ransomware victims reportedly paid approximately $1 billion, primarily in cryptocurrency, underscoring the massive scale of the problem.

The First Recorded Ransomware Attack

The first known ransomware attack occurred in 1989. Joseph Popp, a biologist, distributed infected floppy disks under the guise of software analyzing susceptibility to AIDS. Once installed, the program encrypted file names and, after 90 uses, hid directories before displaying a ransom demand. Victims were instructed to send a cashier’s check to an address in Panama to unlock their files.

This incident, later dubbed the "AIDS Trojan," marked the dawn of ransomware attacks. At the time, the term "ransomware" was unknown, and cybersecurity communities were unprepared for such threats. Popp was eventually apprehended but deemed unfit for trial due to erratic behaviour.

Evolution of Ransomware

Ransomware has undergone significant changes since its inception:

  • 2004 – The Rise of GPCode: A new variant, "GPCode," used phishing emails to target individuals. Victims were lured by fraudulent job offers and tricked into downloading infected attachments. The malware encrypted their files, demanding payment via wire transfer.
  • 2013 – Cryptocurrency and Professional Operations: By the early 2010s, ransomware operations became more sophisticated. Cybercriminals began demanding cryptocurrency payments for anonymity and irreversibility. The "CryptoLocker" ransomware, infamous for its efficiency, marked the emergence of "ransomware-as-a-service," enabling less skilled attackers to launch widespread attacks.
  • 2017 – Global Disruptions: Major attacks like WannaCry and Petya caused widespread disruptions, affecting industries worldwide and highlighting the growing menace of ransomware.

The Future of Ransomware

Ransomware is expected to evolve further, with experts predicting its annual cost could reach $265 billion by 2031. Emerging technologies like artificial intelligence (AI) are likely to play a role in creating more sophisticated malware and delivering targeted attacks more effectively.

Despite advancements, simpler attacks remain highly effective. Cybersecurity experts emphasize the importance of vigilance and proactive defense strategies. Understanding ransomware’s history and anticipating future challenges are key to mitigating this persistent cyber threat.

Knowledge and preparedness remain the best defenses against ransomware. By staying informed and implementing robust security measures, individuals and organizations can better protect themselves from this evolving menace.

Look Who’s Back: LockBit Gears Up for a Comeback With Version 4.0

 



The infamous LockBit ransomware group has announced its return with the upcoming release of LockBit 4.0, set for February 2025. This marks a big moment for the group, which has had major setbacks over the last year. A global law enforcement crackdown shut down its operations, with arrests and recovery of nearly 7,000 decryption keys. As other ransomware groups like RansomHub take the lead, it remains uncertain if LockBit can reclaim its former dominance.  


Challenges Facing LockBit’s Return

LockBit's return is definitely not in the cards, though. The group did a lot of damage to itself, mainly because law enforcement was doing their job and newer Ransomware groups were outperforming it. Probably, the development of this 4.0 version involves deep changes in its codebase since the previous variant had been compromised. Experts therefore wonder whether LockBit manages to overcome these obstacles or gets back into the crowded field of ransomware services.

Another emerging favorite is ransomware-as-a-service, where groups start to sell their tools and infrastructure to affiliates in a specific ratio of the profits being extracted by that affiliate. LockBit will find itself competing not just with opponents such as RansomHub but also with variants from the same ransomware assembled using leaked source code.


What to Expect With LockBit 4.0

The group's announcement for LockBit 4.0 has bold claims, enticing potential affiliates with promises of wealth and success. The official launch is scheduled for February 3, 2025, and keys are provided to access their dark web leak site. While specific details about the 4.0 version are unclear, cybersecurity researchers are closely monitoring its development.

The group may also change its tactics to stay off the radar of international law enforcement. In the past, LockBit has been criticized for hitting high-profile victims, including the Toronto Hospital for Sick Children in 2022. After public backlash, the group issued an apology and provided a free decryption key, an unusual move for a ransomware organization.  


The Future

LockBit's ability to stage a successful comeback will depend on its capacity to adapt to the challenges it faces. With competitors gaining ground and its credibility in question, the group's path forward is uncertain. Cybersecurity experts will be watching closely to see how LockBit 4.0 impacts the ransomware infrastructure.

For now, organizations are advised to remain vigilant, as ransomware groups continue to improvise their tactics. Implementing robust security measures and staying informed about emerging threats are critical steps in defending against such attacks.



NEW Qilin Ransomware Variant Emerges with Improved Evasion Techniques

 



A much more potent version of the Qilin ransomware has been found, according to cybersecurity experts, showing a new and revamped kind that is ready to attack core systems using advanced encryption along with improved stealth techniques.


A Rebranding with a Twist: Qilin's Evolution

The Qilin ransomware operation, which first appeared in July 2022, has now morphed into a more formidable opponent with a new version dubbed "Qilin.B." Known previously as "Agenda," the malware was rebranded and rewritten in Rust, a programming language harder to detect and often used for high-performance systems. The Qilin group is notorious for demanding multi-million dollar ransoms, focusing on high-stakes sectors such as healthcare, where operational disruptions can be particularly severe.

Qilin's latest incarnation has been a powerful tool in mass-attack campaigns. Just last year, a significant cyber attack was launched against Synnovis, a pathology firm providing services to the United Kingdom's NHS, which resulted in the cancellation of thousands of hospital and family doctor appointments. In return for collaborating on campaigns, Qilin partners are promised a large percentage of ransom payments, up to 85% — an arrangement that is structured to encourage high-paying ransomware attacks with the highest payoffs.


Improved Encryption and Obfuscation

This variant, Qilin.B, has the following methods that make their detection a hard nut to crack by the standard systems of security. According to Halcyon, a research firm specialising in cybersecurity, enhanced encryption, such as AES-256-CTR systems that support AESNI, together with RSA-4096 and OAEP padding have been seen in this particular variant. Such standards ensure that decrypting files from this threat is impossible minus the private key, as the case of preventive actions being the only way forward.

Further, the obfuscation technique is available in Qilin.B with which the developers hide the coding language of malware in order to prevent detection via signature-based detection systems. Such evasion mechanisms make the detection and quick response even more difficult by the cyber security teams in case of infections. As reported by the researchers from Halcyon, who had studied malware upgrades, increasing sophistication can be seen in ransomware tactics, specifically Qilin.B was developed to resist reverse engineering as well as delay incident response.


New Tactics to Dodge System Defences

Qilin.B disables important system services such as backup and removes volume shadow copy to prevent rollback of the infected systems. In addition, it disables restarts and self-cleans up by removing the ransomware after a successful attack to minimise digital artefacts. All these features make it more robust for defence against evolving ransomware groups that will continue to change their approach to remain at least a step ahead of security patches.


Growing Need for Cross-Platform Security

As Qilin ransomware is becoming more agile, security experts say the cybersecurity posture of organisations must be more offensive-minded. Qilin.B is rebuilt in Rust and can be executed properly across different environments-from Linux to VMware's ESXi hypervisor. The required security monitoring needs to recognize stealthy methods identified with Qilin.B, including detection of code compiled in Rust because traditional systems would fail to counter it.


Advanced Configurations and Control

Qilin.B. This is another notable configuration option from the attackers so that one can personalise his attack. Thus, this version comes along with new names for some functions, encrypted strings and other complex code, in order to take more time for defence activities and forensic analysis of an incident. According to researchers of the Halcyon company, the best behaviour-based detecting systems should be implemented and it can easily find out what malware does, without the outdated method of searching for signatures by which malware has successfully dodged, in this case.

With the advancements of Qilin.B in terms of encryption and evasion, the security firm Halcyon recommends that organisations supplement their security infrastructure with cross-platform monitoring and backup solutions which are designed to fight against ransomware attacks' newest variations. A more complete system in detecting and responding to threats will still be an asset as ransomware advances through networks well-protected.

Continuous improvement in ransomware-as-a-service (RaaS) points to the intensifying threat that organisations have to grapple with as they secure sensitive data from increasingly sophisticated adversaries. The Qilin operation exemplifies how ransomware groups continue to adapt themselves to avoid defences, so proactive and adaptive security measures are justified in industries.


Embargo Ransomware Shifts Focus to Cloud Platforms

 


In a recent security advisory, Microsoft advised that the ransomware threat actor Storm-0501 has recently switched tactics, targeting hybrid cloud environments now to compromise the entire system of victimization. It is becoming increasingly apparent that cybercriminals are finding out how difficult it is to secure hybrid cloud environments. 

In the latest case, an extremely cruel group called Storm-0501 has stepped forward in an attempt to steal from the most vulnerable organizations in the US, including schools, hospitals, and law enforcement. The group is known for its cash-grab operations. As an affiliate of different strains of ransomware as a service (RaaS), Storm-0501 has been around since 2021, as per Microsoft Threat Intelligence's new report on it.

This ransomware operates as affiliates of a variety of RaaS strains such as BlackCat/ALPHV, LockBit, and Embargo, among others. The Storm-0501 ransomware gang is well-known for its operations in on-premise networks, but now the group is focusing on extending its reach to cloud infrastructures as they look to compromise whole networks with their campaigns. 

Since Storm-0501 was first discovered in 2021, it has been associated with the Sabbath ransomware group as an affiliate. There are several notable ransomware groups, such as Hive, BlackCat, LockBit, and Hunters International, that have been involved in these operations from time to time, but it has been growing rapidly. 

There have been recent reports that the group has been using Embargo ransomware as a means of executing their operations. As a result of the group's broad range of targets within the United States, the group has selected a wide array of sectors for its attacks, including hospitals, government agencies, manufacturing companies, transportation companies, and law enforcement agencies. 

As part of their attack pattern, the group usually exploits weak credentials and privileged accounts, enabling them to steal sensitive information from compromised networks and to deploy ransomware to guarantee their success. Earlier this week, Microsoft team members shared information about a recent attack on Microsoft Entra ID (formerly Azure AD) that was performed by Storm-0501 threat actors. 

The credential-synching component of this on-premises Microsoft application is responsible for synchronizing the passwords and other sensitive data between the objects in Active Directory and Entra ID, assuming the credentials of the user are the same for both on-premises and cloud environments. This report warns that once Storm-0501 was able to migrate into the cloud at a later point in time, it was then capable of manipulating, exfiltrating, and setting up persistent backdoors to commit ransomware attacks. 

As a result of exploiting weak usernames and passwords, the attacker gains access to cloud environments via privileged accounts, which sets out to steal data as well as execute a ransomware payload on the target machine. It is Microsoft's position that the Storm-0501 is obtaining initial access to the network by stealing or buying credentials for access, or by exploiting known vulnerabilities that have already been discovered. 

It is worth noting that CVE-2022-47966 has been used in recent attacks against Zoho ManageEngine, CVE-2023-4966 has been used against Citrix NetScaler, and CVE-2023-29300 or CVE-2023-38203 may have been used against ColdFusion 2016. As the adversary moves laterally, it uses frameworks like Impacket and Cobalt Strike, steals data through Rclone binaries renamed to mimic known Windows tools, and disables security agents using PowerShell command-line functions. 

Storm-0501 is malware that has been designed to exploit stolen Microsoft Entra ID credentials (formerly known as Azure AD credentials) to move from on-premise to cloud environments, compromise synchronization accounts for persistence, and hijack sessions for recurrence. Using a Microsoft Entra Connect Sync account is an essential part of synchronizing data between on-premises AD (Active Directory) and Microsoft Entra ID (Entra ID cloud-based). 

These accounts allow a wide range of sensitive actions to be taken on behalf of the On-Premise AD account. In the case that the attacker has gained access to the credentials for the Directory Synchronization Account, he or she has the capability of changing cloud passwords through specialized tools like AADInternals, thus bypassing any additional security measures. 

An unauthorized user may exploit the Storm-0501 vulnerability if the account of a domain admin or other high-privileged user on-premises also exists in the cloud environment and is not properly protected (e.g. it does not implement multi-factor authentication). As soon as the malicious actor has gained access to the cloud infrastructure, they plant a persistent backdoor by creating a new federated domain inside of the Microsoft Entra tenant, which allows them to log in as any user that has the "Immutableid" property set to their benefit. 

A final step would be for the attackers to either install Embargo ransomware in the victim's on-premises infrastructure and cloud-based environments or keep backdoor access available for later use to the victim. In response to the growing prevalence of hybrid cloud environments, Microsoft's Threat Intel team has warned, "As organizations continue to work with multiple platforms to protect their data, securing resources across them becomes a growing challenge."

Keeper Security, vice president of security and infrastructure, said that a zero-trust framework is a highly effective means of achieving this goal for enterprise cybersecurity teams and that it can be achieved by progressively advancing towards one. Using this model, access is restricted based on the customers' roles, making sure that users only have access to the resources they need for their specific roles. 

This minimizes the possibility of malicious actors getting access to those resources," Tiquet stated in an email. "It is widely believed that weak credentials remain one of the most vulnerable entry points in hybrid cloud environments that are likely to be exploited by groups such as Storm-0501." A centralised approach to endpoint device management (EDM) is also vital to the success of the strategy, according to him. Keeping all environments patched - be it cloud-based or on-premises - is one of the best ways to prevent attackers from exploiting known vulnerabilities by ensuring a consistent level of security patching." 

In addition to my previous statement, he added that advanced monitoring tools will allow teams to detect potentially malicious threats across hybrid cloud environments before they can become breaches. SlashNext Security's field CTO Stephen Kowski provided a similar list of recommendations in a statement he sent via e-mail. Embargo, whose contact information can be found here, is a threat group that uses Rust-based malware in its ransomware-as-a-service (RaaS) operation, which accepts affiliates who access companies and deploy the payload, sharing part of the profit with the affiliate. 

As far back as August 2024, an Embargo ransomware affiliate attacked the American Radio Relay League (ARRL) and claimed to have received $1 million for a decryptor that worked once it was provided to them. The theft of sensitive data from Firstmac Limited, an Australian company that deals with mortgages, investment management and investment strategy, was reported to the cybercrime reporting agency earlier this month. When the deadline to negotiate a solution had passed, an Embargo subsidiary was discovered to have breached the company.

Kawasaki Ransomware Attack: 500 GB Alleged Data Leaked, RansomHub Claims

Kawasaki Ransomware Attack: 500 GB Alleged Data Leaked, RansomHub Claims

In a recent ransomware attack that hit Kawasaki Motors Europe (KME), the company has confirmed that it suffered the breach causing major service disruptions as threat actors threatened to leak the data. 

“At the start of September, Kawasaki Motors Europe (KME) was the subject of a cyberattack which, although not successful, resulted in the company’s servers being temporarily isolated until a strategic recovery plan was initiated later on the same day," KME said in a statement.

RansomHub Behind Leak

RansomHub, an infamous Ransomware-as-a-Service (RaaS) has leaked 478GB of data which the group claims belongs to the KME website,  after the attack. Important business documents were exposed- dealership details, internal communications, banking records, and financial info.

Threat actors posted the exposed data on their extortion site on the dark net, suggesting that KME didn’t agree to pay the ransom demanded by RanHub.

RansomHub has become popular after its creation in February 2024, it is now one of the most efficient RaaS groups, it was responsible for 75 ransom attacks in Q2 of 2024. RansomHub’s victims include high-level targets like Planned Parenthood and Change Healthcare.

To warn about the attacks, the US Cybersecurity and Infrastructure Agency (CISA) issued an advisory, highlighting indicators of compromise (IoC) to combat the threat of potential targets.

Rising Ransom Demands 

With a significant increase in the number of RaaS, the ransom demand trend is also rising. A threat actor demands a shocking $1.5 million in return for a victim’s stolen data. In 2023, the ransomware number was a mere $200,000, which shows the dominance of ransomware groups and the harm they cause to an organization. 

How to Combat Ransomware Attacks?

Adopting a proactive cybersecurity plan can help a business address future threats and take measures to mitigate risks, reducing the threat of future attacks. 

A strong incident response plan can reduce the impact of a ransomware breach. It should have a framework for a plan of action for a possible attack, this can include a data recovery process, legal aspects, and communication protocols. 

Human error is one of the leading causes of breach, but employee training and awareness helps to identify threats and respond accordingly. 

Cybercriminals Exploit Windows Quick Assist in Latest Ransomware Campaign

 

A recent wave of cyberattacks has seen financially motivated criminals leveraging Windows Quick Assist, a built-in remote control and screen-sharing tool, to deploy Black Basta ransomware on victim networks. Microsoft has investigated these attacks since mid-April 2024, identifying the threat group behind them as Storm-1811.

The attacks typically begin with email bombing, where the target's inbox is flooded with spam emails. This overload is followed by a phone call from the attackers, who impersonate Microsoft technical support or the victim's IT help desk. They offer to help resolve the spam issue, tricking victims into granting remote access via Quick Assist.

Once access is granted, the attackers execute a scripted command to download malicious files, including Qakbot malware, remote monitoring tools like ScreenConnect and NetSupport Manager, and the Cobalt Strike framework. These tools enable the attackers to perform domain enumeration and move laterally across the network. Eventually, they deploy Black Basta ransomware using PsExec, a telnet-replacement tool.

Rapid7, a cybersecurity company that also detected these attacks, noted that attackers use batch scripts to harvest credentials from the command line using PowerShell. These credentials are often exfiltrated to the attackers' server via Secure Copy (SCP). In some cases, credentials are saved to an archive for later retrieval.

To mitigate these attacks, Microsoft advises organisations to disable or uninstall Quick Assist and similar remote tools if they are not used. Employees should be trained to recognise tech support scams and instructed to only allow remote access if they initiated the contact with IT support. Suspicious Quick Assist sessions should be immediately disconnected.

The Black Basta ransomware operation emerged after the Conti cybercrime group disbanded two years ago following multiple data breaches. Black Basta began operating as a Ransomware-as-a-Service (RaaS) in April 2022 and has since attacked numerous high-profile targets, including defence contractor Rheinmetall, technology company Capita, Hyundai's European division, and the American Dental Association.

Recent attacks linked to Black Basta include a ransomware incident at U.S. healthcare giant Ascension, which disrupted ambulance services. According to a joint advisory by CISA and the FBI, Black Basta affiliates have breached over 500 organisations across 12 out of 16 critical infrastructure sectors since April 2022, causing data breaches and encryption.

Health-ISAC, an information sharing and analysis centre, has warned of increased attacks against the healthcare sector by Black Basta. Research by Elliptic and Corvus Insurance indicates that the group has extorted at least $100 million in ransom payments from over 90 victims by November 2023.

Microsoft is enhancing Quick Assist to improve transparency and trust between users, including adding warning messages to alert users about potential scams. Rapid7 observed similar scams targeting their customers, with attackers using other remote monitoring tools like AnyDesk.

To prevent such attacks, organisations should block unapproved remote management tools and train staff to recognise and report suspicious calls and messages. Quick Assist should only be used if the interaction was initiated by contacting official support channels.

The recent misuse of Windows Quick Assist in deploying Black Basta ransomware pushes forward the vision for increased vigilance and robust cybersecurity practices to save all our digital assets from such social engineering attacks.


New Ransomware Threat Hits Hundreds of Organisations Worldwide

 


In a recent joint report by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), a new ransomware gang named Black Basta has been identified as breaching over 500 organisations globally between April 2022 and May 2024. This group has targeted various sectors, including healthcare, spanning across North America, Europe, and Australia.

Black Basta, coming through as a Ransomware-as-a-Service (RaaS) operation in April 2022, has quickly gained notoriety by attacking numerous high-profile victims such as Rheinmetall, Hyundai, Capita, and the American Dental Association, among others. Believed to have connections to the former Conti cybercrime syndicate, Black Basta operates with sophistication and a steady stream of initial access to its targets.

One of the key tactics employed by Black Basta involves stealing corporate data before encrypting a company's devices. This stolen data is then used in double-extortion attacks, where victims have demanded a ransom to prevent the publishing of their sensitive information. The gang's data leak site, 'Black Basta Blog' or 'Basta News,' lists victims and progressively releases data to pressure them into paying the ransom.

Technical analysis reveals that Black Basta utilises the ChaCha20 encryption algorithm to encrypt files, rendering them inaccessible without the decryption key. Victims are left with a custom extension appended to their encrypted files (.basta), along with a ransom note providing instructions on how to negotiate with the threat actors.

Responding to this spreading threat, federal agencies advise organisations to maintain up-to-date operating systems, employ phishing-resistant Multi-Factor Authentication (MFA), and train users to identify and report phishing attempts. Moreover, securing remote access software and implementing recommended mitigations are essential steps in blocking the risks posed by Black Basta and similar ransomware attacks.

Healthcare organisations are particularly vulnerable, given their size, technological reliance, and access to sensitive patient information. CISA and the FBI have suggested adhering to the StopRansomware Guide in order to dodge potential attacks in the healthcare sector.

Recent incidents, including an attack on healthcare giant Ascension, accentuate the urgency of addressing the threat posed by Black Basta. With the gang's ability to readily expand its victim pool and employ coercive tactics, organisations must remain particularly careful and implement robust cybersecurity measures to mitigate the risk of falling victim to ransomware attacks.

Considering the course of events, cybersecurity experts emphasise the importance of ardent measures, including regular backups, system updates, and employee training, to strengthen defences against ransomware threats like Black Basta. This calls for collective efforts to combat the growing menace of ransomware and protect critical infrastructure from malicious actors.


Junk Ransomware: Getting the Job Done For Hackers


Sophos detects ransomware

In an April 17 analysis from its Sophos X-Ops research team, cybersecurity firm Sophos observed an increase in low-cost, primitive ransomware—a boon for aspiring threat actors and a headache for defenders.

It's far more difficult to find something that there are only twenty copies of in the world, said Christopher Budd, director of threat research at Sophos X-Ops.

The group linked the choices to the cheap handguns that flooded the US firearms market in the 1960s and 1970s, known as junk guns.

Between June 2023 and February 2024, the Sophos team spotted 19 different types of "independently produced, inexpensive, and crudely constructed ransomware." Some missed clean graphics, while others used programming languages like C# and.NET, which "have a shallower learning curve," noted the paper.

It seems to be a fairly recent thing,"  noting that poor-quality malware has existed for decades.

Varying costs

Sophos discovered one with no price indicated, two open-source models, one for $20 (later reduced to free), and one for 0.5 BTC (about $13K).

According to a 2023 research by cybersecurity firm CrowdStrike, the cost of a Ransomware as a Service (RaaS) kit "ranges from $40 per month to several thousand dollars." RaaS models depend on affiliates purchasing ransomware and consenting to a subscription fee based on the victim's payment.

Junk-gun ransomware

Junk-gun ransomware destroys that commission: capitalism in action, in a sense.

In most instances, you don't have any kind of partner fees to pay, Budd stated.

Only three of the "junk" kinds paid a subscription fee

Ransomware groups such as LockBit have become large enough to be tracked and halted by government agencies. Junky ransomware has the potential to fly under the radar and bypass detection technology.

There is no single source of knowledge for investigators and researchers to track, the Sophos report stated.

Budd and his crew saw users asking basic inquiries in forums praising the cheap items. What is the best language for creating ransomware? Is writing in C# worthwhile? How should malware be priced and sold?

Budd describes a forum featuring inexpensive ransomware and beginner queries as a welcome place for young hackers waiting for their chance in the big leagues.

Step forward

Junk-gun ransomware presents specific problems for small enterprises, the general public, and the security industry. We saw threat actors expressly refer to assaults against smaller companies and individuals, even as they tried to figure out which types of companies to target and how much ransom to demand because such targets are often less well-defended, knowledgeable, and prepared.

At this point, junk-gun ransomware causes several challenges for the security industry. It is difficult to get samples of junk-gun ransomware, assess how widely it has been deployed in the wild, and monitor new variants. 

Threat actors may also adopt the 'brand names' of well-known ransomware families, presumably to capitalize on their reputations, which can lead to misunderstanding among experts.

Malware-as-a-Service The Biggest Risk to Organizations Right Now

Malware-as-a-Service

A recent Darktrace analysis states that the largest threat to enterprises in the second half of 2023 was malware-as-a-service (MaaS) infections.

Many malware strains have become cross-functionally adaptive, as noted in the 2023 End of Year Threat Report. This comprises the combination of information-stealing malware with malware loaders like remote access trojans (RATs).

The menace of malware-as-a-service 

Researchers at Darktrace discovered that "malware strains are progressively developed with a minimum of two functions and are interoperable with a greater number of existing tools" through reverse engineering and detection analysis.

Because these malicious tools may gather passwords and data without compromising files, which makes detection more difficult, they pose a special risk to enterprises.

One well-known instance of this was the information-stealing and remote access Trojan (RAT) called ViperSoftX, which was designed to obtain sensitive data such as Bitcoin wallet addresses and passwords kept in password managers or browsers.

2020 saw the first recorded sighting of ViperSoftX in the wild, however, strains discovered in 2022 and 2023 have more advanced detection evasion strategies and capabilities.

Another instance is the ransomware known as Black Basta, which spreads the Qbot banking virus to steal credentials.

Additional Transition to Ransomware-as-a-Service (RaaS)

The research also noted a move away from traditional ransomware in 2023 with an increase in RaaS assaults.

It was reported that the ransomware market expanded after law enforcement dismantled the Hive ransomware gang in January 2023. Among these was the emergence of ScamClub, a malvertising actor that sends false virus alerts to well-known news websites, and AsyncRAT, which has been targeting US infrastructure workers lately.

According to Darktrace's prediction, an increasing number of ransomware attackers are expected to utilize multi-functional malware and double and triple extortion tactics in the upcoming year.

According to the company, in 2024 the MaaS and RaaS ecosystems should continue to flourish, hence reducing the entry barrier for cybercriminals.

Attackers Incorporating AI into Phishing Schemes

According to Darktrace, last year it saw threat actors use additional creative strategies to get beyond an organization's security measures.

This includes phishing and other increasingly successful email attacks that try to trick users into downloading dangerous payloads or divulging private information.

For instance, 58% of phishing emails that Darktrace saw last year were able to get past all security measures in place, while 65% of the emails were able to effectively evade Domain-based Message Authentication (DMARC) verification checks.

According to the researchers, a lot of attackers are using generative AI technologies to automate the creation of more realistic phishing operations.



Rise in RaaS Operations and Implications for Business Security


Recently, there had been news regarding the cyber-attack in a Japanese port, that blocked the smooth transfer of goods – a hack in a Las Vegas resort which led to malfunction in slot machines and guest check-ins and a whopping $100 million loss, and loss of more than 2.5 million medical records, that were stolen by hackers.

These instances have one thing in common: they were all caused by ransomware-as-a-service (RaaS) operations. 

The emergence of RaaS signifies a significant advancement in the field of cybercrime, with global corporations and public infrastructure bearing the consequences.

Here, we will discuss what RaaS is, how it operates and why it poses such dangers.

The Origin Of RaaS

RaaS initially came to light in 2009, following the invention of cryptocurrency. In the first place, cryptocurrency made it simpler for hackers to demand ransoms in an anonymous manner, which contributed to the spread of ransomware. Second, it allowed hackers to transact with one another for software and services without having to reveal who they were or run the danger of having their accounts frozen by banks.

Reveton became the first ransomware gang to adopt the RaaS model. The group created malware that, after infecting a victim's computer, claimed the victim had committed an online federal felony. Then, if the victim didn't pay the ransom, it threatened to put them in jail. Later, for a price, this software was made available to hackers with lower technical proficiency.

How Does RaaS Work?

The operation of RaaS is similar to software as a service (SaaS). To put it briefly, the program is created and maintained by a committed group of programmers, who then charge a fee to allow others to use it. Like any other SaaS business, the RaaS developers might even provide committed tech support and customer service.

This fee provided to the RaaS providers is a part of the ransom paid to the gang, indicating that the RaaS users are responsible for infiltrating the network, however, the ransom money goes to the RaaS provider.

The ransomware can evade detection and the most recent antivirus software by using updates like patches from the RaaS provider. This allows the malware to infiltrate a network, encrypt data, and take it.

What Does RaaS Mean For Business Security?

The emerging threat of ransomware attacks signifies that it is now important for organizations to garner an understanding of ransomwares and take measures accordingly. 

Certain areas require close attention:

  • Ransomware preparedness: A good ransomware response plan could make a huge difference when it comes to tackling a ransomware incident. This can further reduce the damage done by the ransomware and speed up response time.
  • Internal network security: It is also important to prevent hackers from moving within the accessed networks. Installing safeguards, according to the principle of least privilege (PoLP), is a good way to prevent hackers from accessing further in the networks. 
  • Encrypting sensitive data: Attackers using ransomware depend more on extortion as backup processes improve. To prevent hackers from utilizing sensitive information against you, it is advisable to encrypt sensitive data such as bank records, proprietary data, and customer personal information.

Unfortunately, boosting levels of cybersecurity is now a part of the “new normal.” There is nothing more the companies can do. It is necessary to consider increased security as standard operating procedure.  

From Concealed to Revealed: Dark Web Slip-Up Exposes Ransomware Mastermind





A group of researchers responded to an ad offering the opportunity to join up with a RaaS operation and found themselves attending a cybercriminal job interview held by an organization that is one of the most active threat actors in the affiliate market today. At least five strains of ransomware have been created by the same individual known as "farnetwork". 

A Group-IB threat researcher posing as a member of the Nokoyawa ransomware group eventually became able to unmask the criminal after giving too many specifics to a Person-IB threat researcher pretending to be one of its affiliates.

Aside from being known by the alias of jingo, it has also been identified as jsworm and farnetwork, along with razvrat, piparuka, and piparuka. Upon learning that the undercover researcher had demonstrated they could not only escalate their privileges but also use ransomware to encrypt files and finally demand hard cash to get an encryption key, farnetwork was ready to reveal more details. 

The researcher at Group-IB, during his correspondence with the researcher from Farnetwork, discovered that Farnetwork already had a foothold in various enterprise networks, and was just looking for someone to help them take the next step - namely, deploying the ransomware and collect the money collected. 

There is a deal that would allow Group IB's team to make money by extorting money from victims and then giving 65% of the money to the Nokoyawa affiliate as well as 20% to the botnet owner and 15% to the ransomware owner. 

According to Group-IB's latest report, Nokayawa was only the latest ransomware operation farnetwork had been executing, and it was only the most recent of several, it explained. After a lengthy discussion with the threat actor, the team was able to assemble enough information about farnetwork's ransomware activities for the entire year of 2019. 

During their meeting with Farnetwork, the researchers were told that the company had been the recipient of ransomware payments totalling as much as $1 million in the past, as it has previously operated with Nefilim and Karma ransomware. 

There is also evidence that the crook has experience working with NEMTY and Hive. Group-IB has reported that it was behind JSWORM, Karma, Nemty, and Nefilim ransomware strains between 2019 and 2021 according to its Report on Ransomware Group. 

In addition, the report states that the RaaS program offered by Nefilim is responsible for over 40 victims alone. Farnetwork, which had been a part of the Nokoyawa operation since 2022, had found a new home with the company by last February and was actively recruiting affiliates for the program. 

In terms of the timeline of operations and the factors that have had an impact on this market, there is no doubt that farnetwork has made a significant contribution to the RDaaS market across the globe over the past couple of years. 

The RaaS operation at Nokoyawa has since been shuttered, and Farnetwork has announced it will retire soon. However, Group-IB researchers believe that he is going to appear again with another strain of ransomware shortly.

Ransomware Gangs are Evolving: Cryptocurrency Flaws Could be Their Next Target


Dallas City Government, in May 2023, faced a ransomware attack which resulted in the temporary halt in their operations which included hearings, trial and jury duty and the closure of the Dallas Municipal Court Building. 

The attack further impacted police activities, as overstretched resources made it more difficult to implement initiatives like summer youth programs. Threats to publish private information, court cases, prisoner identities, and official papers were made by the criminals.

One may think that cyberattack on city government would be a headline news, however, this year has seen a number of such instances that any mere attack is just another common topic of discussion. A notable exception was the vulnerability exploitation of a Moveit file transfer app in May and June 2023 that led to data theft from hundreds of organizations across the world, including British Airways, the BBC and the chemist chain Boots. 

Apparently, over the past years the ransom payments have doubled to US$1.5 million, with the big-profit organizations paying the highest price. A British cybersecurity company called Sophos discovered that the average ransomware payment increased from US$812,000 the year before. At US$2.1 million, the average payment made by UK organizations in 2023 was considerably greater than the global average.

While ten years ago this was no more than a theoretical possibility and niche threat, but ransomware has now gained a wide acknowledgment as a major threat and challenge to modern society. Its rapid evolution, which has fueled crime and done enormous harm has raised serious concerns. 

The "business model" for ransomware has evolved as, for example, malware attack vectors, negotiation tactics, and criminal enterprise structure have all advanced.

Criminals are now expected to adapt to their strategies and cause digital catastrophe for years to come. In order to combat the long-term threat, it is crucial to examine the ransomware threat and anticipate these strategies.

What is Ransomware?

In various settings, the term "ransomware" can refer to a variety of concepts. At Columbia University, Adam Young and Mordechai "Moti" Yung revealed the fundamental structure of a ransomware assault in 1996, which is as follows: 

Criminals get past the victim's cybersecurity defenses (either by using strategies like phishing emails or an insider/rogue employee). Once the victim's defenses have been breached, the thieves release the ransomware. Which has as its primary purpose locking the victim out of their data by encrypting their files with a private key, which is conceptualized as a lengthy string of characters. The perpetrator now starts the third stage of an attack by requesting a ransom for the private key.

Here, we are discussing some of the most popular developments of ransomware attacks one may want stay cautious about: 

Off-the-shelf and Double Extortion 

Ransomware-as-a-service's advent was a significant development. This phrase refers to markets on the dark web where criminals can buy and utilize "off-the-shelf" ransomware without the need for sophisticated computer knowledge, and the ransomware providers get a part of the profits.

According to research, the dark web serves as the "unregulated Wild West of the internet" and provides criminals with a secure environment in which to exchange unlawful goods and services. It is freely accessible, and there is a thriving worldwide underground economy there thanks to anonymization technologies and digital currencies. The European Union Agency for Law Enforcement estimates that just in the first nine months of 2019, there was spending of US$1 billion.

With ransomware as a service (RaaS), the entry hurdle for would-be cybercriminals was decreased in terms of both cost and expertise. In the RaaS model, vendors that create the malware provide competence, although the attackers themselves may be only moderately experienced.

Crypto Extortion Threats 

In the newer developments in ransomware attacks, attackers are now progressively finding new tactics for extortion. One of the highly discussed techniques include the cryptocurrency-specific variations, and the “consensus mechanisms” used within them.

Consensus mechanism refers to a technique used to achieve consensus, trust, and security across a decentralized computer network.

In particular, cryptocurrencies are progressively validating transactions through a so-called "proof-of-stake" consensus method, in which investors stake substantial amounts of money. These stakes are open to ransomware extortion by criminals.

Until now, crypto has relied on a so-called “proof-of-work” consensus mechanism where the authorization of transactions include solving a complicated math problem (the work) to authorize transactions. This strategy is not long-term viable since it leads to unnecessary large-scale energy use and duplication of effort.

A "proof-of-stake" consensus method is the alternative, which is increasingly becoming a reality. In this case, validators who have staked money and receive compensation for validating transactions approve transactions. A financial stake takes the place of the role played by ineffective work. While this solves the energy issue, it also means that substantial sums of staked money are required to validate crypto-transactions.

Ransomware Trends: RaaS and Cryptocurrency Impacts

Ransomware attacks have become a pressing concern for individuals, businesses, and governments worldwide. Cybercriminals are constantly evolving their tactics, and two significant trends that demand close monitoring are the rise of Ransomware-as-a-Service (RaaS) and the growing reliance on cryptocurrencies for ransom payments.

According to recent reports, ransomware attacks have become increasingly sophisticated due to the emergence of Ransomware-as-a-Service. This model allows even less experienced hackers to launch ransomware campaigns with ease. By using RaaS, malicious actors can purchase ready-to-use ransomware kits from more skilled developers, giving them access to advanced tools without the need for extensive technical knowledge. This trend has dramatically widened the scope of potential attackers, leading to a surge in ransomware incidents across the digital landscape.

The impact of Ransomware-as-a-Service is not limited to smaller-scale operations. It has enabled the creation of formidable cybercrime syndicates capable of orchestrating large-scale attacks on critical infrastructures and major corporations. As a result, businesses of all sizes must be vigilant in bolstering their cybersecurity measures to fend off these increasingly prevalent threats.

Furthermore, ransomware attackers are exploiting cryptocurrencies to anonymize their transactions and evade law enforcement. Cryptocurrencies, such as Bitcoin, have emerged as the preferred method of payment for ransoms due to their decentralized nature and pseudo-anonymous properties. Transactions carried out using cryptocurrencies are challenging to trace, making it difficult for authorities to identify and apprehend the criminals behind these attacks.

The use of cryptocurrencies in ransom payments also creates an additional layer of complexity for victims and law enforcement agencies. As transactions are conducted peer-to-peer, there is no central authority that can freeze or retrieve funds. Once the ransom is paid, it is often impossible to recover the funds, leaving victims with limited options for recourse.

One of the key aspects of tackling ransomware effectively is understanding the motivations and techniques employed by attackers. As cyber criminals adapt their strategies, organizations, and individuals must remain informed about the latest trends and statistics surrounding ransomware. By staying up-to-date, they can implement proactive measures to mitigate the risks associated with these evolving threats.

As an industry expert highlights, "The increase in Ransomware-as-a-Service offerings has democratized cybercrime, allowing more threat actors to participate and launch attacks. At the same time, the adoption of cryptocurrencies as the preferred payment method makes it imperative for organizations to invest in robust cybersecurity measures and maintain data backups to protect against potential ransomware attacks."

Collaboration between private businesses and law enforcement authorities is now essential in the face of the escalating ransomware threat. Sharing threat intelligence and best practices can be crucial to effectively battling ransomware and reducing its effects on both organizations and people.

Rise of Cybercrime as a Service Will be Worse

 

The proliferation of cybercrime-as-a-service has created an expansive digital gateway for individuals seeking fast and unlawful gains on the internet. Alongside attacks-as-a-service, malware-as-a-service, and fraud-as-a-service, this phenomenon has granted easy access to various illicit opportunities in the online realm. 
The evolution of cybercrime as a service aligns with the prevalent model of other as-a-service business offerings. Skilled criminals, who have developed effective malicious code, now offer their cybercrime "solutions" for rent to less sophisticated criminals lacking the means or expertise to create and carry out cyberattacks independently. 

In exchange for their services, these criminals receive a percentage of the profits generated from attacks utilizing their code. This share is on the rise, with some criminals earning between 10% and 20% of the ill-gotten gains obtained through the utilization of their malicious software. 

If you're interested in acquiring a DDoS booter rental from Russia, you can obtain one for a daily cost of $60 or lease it for a week at $400. Additionally, orders exceeding $500 are eligible for a 10 percent discount, which increases to 15 percent for orders surpassing $1,000. 

Alternatively, if you're considering a ransomware kit, you have the option of renting it for one month at a price of $1,000. While this may appear expensive to some, it's important to consider the potential return on investment. Moreover, prospective customers have the opportunity to test the product for 48 hours before making a final decision. 

This trend carries significant implications. The accessibility of these cybercrime offerings has eliminated the need for customers to possess advanced technical skills. In fact, even novices can now actively engage in cybercriminal activities and, remarkably, are being actively courted. 

Numerous online marketplaces on the dark web proudly advertise their provision of technical support, catering to individuals who require additional guidance and assistance. The cybercrime-for-hire industry has reached such a level of vitality that hacker groups are reportedly struggling to meet the growing demand. 

The thriving "as-a-service" market in cybercrime has not only captivated the attention of cybercriminals but has also piqued the interest of traditional criminals. These individuals and groups recognize the service-oriented nature of the cybercrime market and are increasingly leveraging it to their advantage. 

According to a study conducted by researchers at Cambridge, over half of the cybercriminals convicted in the UK had prior criminal records related to conventional offenses like burglary. Additionally, hackers are actively exploring avenues to introduce subscription-based offerings on the dark web.

LockBit 3.0 Ransomware: Inside the Million Dollar Cyberthreat


US government organizations have recently published a joint cybersecurity advisory stating the indicators of compromise (IoCs) and tactics, techniques and procedures (TTPs) linked with the malicious LockBit 3.0 ransomware. 

The alert comes through the FBI, the CISA, and the Multi-State Information Sharing & Analysis Center (MS-ISAC). 

"The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit," the authorities said. Since the emergence of LockBit ransomware in 2019, the threat actors have invested in particular technical aids in order to develop and finely enhance its malware, issuing two significant updates, ie. Launching LockBit 2.0 in mid-2021, and LockBit 3.0, released in June 2022. The two versions are also termed LockBit Red and LockBit Black, respectively. 

"LockBit 3.0 accepts additional arguments for specific operations in lateral movement and rebooting into Safe Mode[…]If a LockBit affiliate does not have access to passwordless LockBit 3.0 ransomware, then a password argument is mandatory during the execution of the ransomware," according to the alert. 

 Additionally, the ransomware is made to only infect computers whose language preferences do not match those on an exclusion list, which includes Tatar, Arabic, and Romanian (all of which are spoken in Syria) and Moldova) (Russia). 

The ransomware is also designed to only infect devices whose language choices do not match those on an exclusion list, which includes Tatar, Arabic, and Romanian (all of which are spoken in Syria) and Moldova) (Russia). The victim’s network is being accessed through remote protocol (RDP) exploitation, drive-by compromise, phishing campaigns, exploiting valid accounts, and weaponizing of public-facing applications. 

Before starting the encryption procedure, the malware first attempts to create persistence, increase privileges, perform lateral movement, and purge log files, files in the Windows Recycle Bin folder, and shadow copies. 

"LockBit affiliates have been observed using various freeware and open source tools during their intrusions[…]These tools are used for a range of activities such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration," the agencies said. 

One of the prime attributes of the attacks is the use of custom exfiltration tool, known as StealBit, authorized by the LockBit group to affiliates for double extortion reasons. 

The LockBit ransomware strain has been employed against at least 1,000 victims globally, according to a November report from the US Department of Justice, earning the organization over $100 million in illegal revenues. 

The Upsurge in LokBit Incidents 

Dragons, an industrial cybersecurity reported earlier this year that LockBit ransomware was the one responsible for 21% of the 189 ransomware attacks detected against critical infrastructure in Q4 2022m in an account of 40 such incidents. For a fact, a majority of food and beverage and manufacturing sectors were impacted due to these attacks. 

In its recent report, the FBI’s Internet Crime Complaint Center (IC3) ranked LockBit (149), BlackCat (114), and Hive (87) as the top three ransomware variants targeting the infrastructure sector in 2022. 

Despite LockBit's prolific attack campaign, the ransomware gang was suffered a severe setback in late September 2022 when a dissatisfied developer of LockBit revealed the building code for LockBit 3.0, sparking concerns that other criminal actors would use the situation and produce their own variations. 

The advisory comes months after antivirus company Avast offered a free decryptor in January 2023, at a time when the BianLian ransomware organization has switched its emphasis from encrypting its victims' files to straightforward data-theft extortion attempts. 

In a similar development, Kaspersky has released a free decryptor to assist victims whose data has been encrypted by a ransomware variant based on the Conti source code that emerged after Russia's incursion of Ukraine last year caused internal strife among the core members. 

"Given the sophistication of the LockBit 3.0 and Conti ransomware variants, it is easy to forget that people are running these criminal enterprises," Intel 471 noted last year. "And, as with legitimate organizations, it only takes one malcontent to unravel or disrupt a complex operation."

Why Must Businesses be Equipped With Modern Ransomware Capabilities?


The most contemporary threat to the survival of businesses may be the "if, not when" approach surrounding ransomware. Ransomware attacks are increasingly prevalent targets for businesses of all sizes and in all sectors, and we know that 94% of enterprises had a cybersecurity issue just last year.

However, several companies still operate with archaic security measures that are incompetent in combating modern ransomware. 

It has been falsely believed that ransomware attacks are declining. In reality, Q1 of 2022 reported a 200% YoY hike in ransomware activities. Moreover, the increase in Ransomware as a Service (RaaS) offerings indicates that ransomware attacks have in fact turned into a commodity for threat actors. 

Ransomware as a Service 

The RaaS market opens a new and challenging trend for organizations and IT experts. 

With RaaS – a subscription ransomware model that charges affiliates for setting up malware – the access barriers for hackers are lower than ever. 

The unsophisticated nature of RaaS hackers is the reason why the average downtime has decreased to just 3.85 days (as compared to the average attack duration of two months in the year 2019). 

While the decrease in attack downtime sounds promising, the emergence of RaaS still indicates a fact for the business leaders, i.e. all organizations are vulnerable. Consequently, demanding the role of IT and business experts to combat the risk by implementing robust cybersecurity protocols. 

The need for the aforementioned action could be estimated by reviewing the ransomware attack cases that organizations have witnessed in recent times. 

Bernalillo County’s Ransomware Breach 

In January 2022, threat actors breached data centers in Bernalillo County, New Mexico. The largest detention facility in the county's automatic locking systems and security cameras were among the critical infrastructure disruptions that continued for several days. 

Months after subverting the ransomware agents, Bernalillo County officials finally implemented a stronger cybersecurity strategy that included endpoint detection and response (EDR) systems, multi-factor authentication (MFA) on all employee accounts, 24/7 security monitoring, and new virus-scanning software. 

Bernalillo County’s Ransomware Breach has taught security experts several lessons. The incident highlights how ransomware can cause non-financial harm to persons and businesses. Since, residents of Bernalillo County suffered severe service interruptions during the incident, while county convicts were confined to their cells for several days. 

The incident also emphasized the importance of rapid response to such situations. Cybersecurity measures such as MFA, remote monitoring, and EDR work wonders in preventing ransomware attacks, but only if implemented before the cyberattack. 

Unfortunately, a lot of business executives still hold off on putting strong cybersecurity policies in place. As a result, ultimately and inevitably, their organizations end up suffering like the residents of Bernalillo County. 

Prioritizing a Robust Security Strategy is Crucial 

Organizations must not compromise in implementing security protocols and services. In order to boost the effectiveness of cybersecurity, business and IT leaders are suggested to have access to the same evolving AI and machine learning capabilities that are utilized by modern hackers. 

An adequate tactile protection plan usually requires a third-party vendor in order to provide security insights or monitoring capabilities. However, business and IT leaders only consider Ransomware Protection as a Service (RPaaS) solutions that provide adaptive tactics for cloud-based, on-premises, and hybrid data centers. Doing so will eventually ensure the organization’s cybersecurity package scales as it grows—or, in some instances, shrink —without the need for extra software. 

Preparing For “When,” And Not “If” 

The first step to combat a ransomware threat is by accepting that any organization, big or small, could be a target sooner or later. This realization will eventually become more crucial in combatting the attacks, as one witnesses a constant rise in casual ransomware attacks via RaaS, and as international conflicts have further increased the chances of large-scale breaches and ransomware attacks. 

Although one cannot entirely evade ransomware attacks, breaches could still be dodged by taking cybersecurity measures such as a robust cyber defense, that will consequently secure an organization from any financial loss or a mission-critical service outage.  

Cheerscrypt Spyware Attributed to Chinese APT Entity

The Emperor Dragonfly Chinese hacker group, notorious for frequently switching between several ransomware families to avoid detection, has been connected to the Cheerscrypt virus. 

The attacks were linked by the cybersecurity company Sygnia to a threat actor also dubbed Bronze Starlight and DEV-0401. The hacking gang seems to be a ransomware operation, but past research suggests that the Chinese government is interested in many of its victims.

Cheerscrypt is the most recent addition to a long range of ransomware families that the gang has previously used, including LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0 in a little over a year.

Recently, Sygnia researched a Cheerscrypt ransomware operation that utilized Night Sky ransomware TTPs. The attackers then dropped a Cobalt Strike beacon linked to a C2 address formerly tied to Night Sky operations. 

The code for the Babuk ransomware, which was exposed online in June 2021, was used to develop the Cheerscrypt ransomware family, which Trend Micro first analyzed in May 2022. Cheerscrypt is one of several ransomware families used by the APT organization. The DEV-0401 group, unlike other ransomware gangs, oversees every stage of the assault chain directly, from the first access to the data theft. It does not rely on a system of affiliates.

A significant Log4Shell vulnerability in Apache Log4j was utilized by hackers in January 2022 assaults to acquire initial access to VMware Horizon servers. They subsequently dropped a PowerShell payload that was used to send an encrypted Cobalt Strike beacon. Apart from the beacon, the hackers also sent three Go-based tools: a keylogger that sent keystrokes to Alibaba Cloud, a customized version of the internet proxy tool iox, and the tunneling program NPS.

Trend Micro initially identified Cheerscrypt in May 2022, highlighting its capacity to target VMware ESXi servers as a component of a tried-and-true strategy known as double extortion to force its victims into paying the ransom or risk having their data exposed.

The hackers break into networks, take information, and encrypt devices just like other ransomware groups that target businesses. The victim is then coerced into paying a ransom through double-extortion methods using the data. The stolen data is posted on a data leak website when a ransom is not paid.

A PowerShell payload that can deliver an encrypted Cobalt Strike beacon has been dropped on VMware Horizon servers by infection chains that have exploited the major Log4Shell vulnerability in the Apache Log4j library.

Cheerscrypt and Emperor Dragonfly share initial access vectors, and lateral movement strategies, including the use of DLL side-loading to distribute the encrypted Cobalt Strike beacon. Notably, the ransomware gang is acting as a 'lone wolf' separated from the rest of the cybercrime community rather than as a RaaS (Ransomware-as-a-Service) platform for affiliates.






Noberus Ransomware Has Updated Its Methods

Recently there has been an increase in the use of different techniques, tools, and procedures (TTPs) by attackers using the Noberus aka BlackCat ransomware, making the threat more serious than ever. On Thursday, Symantec provided new techniques, tools, and procedures (TTPs) that Noberus ransomware attackers have employed recently.

Noberus is believed to be the sequel payload to the Darkside and BlackMatter ransomware family, according to a blog post by Symantec's Threat Hunter Team. The company said that Darkside is the same virus that was used in the May 2021 ransomware assault on Colonial Pipeline.

About  Coreid 

Coreid operates a ransomware-as-a-service (RaaS) business, which implies it creates the malware but licenses it to affiliates in exchange for a share of the earnings. 

Since Noberus was the first genuine ransomware strain to be deployed in real-world attacks and it was written in the computer language Rust, it piqued interest when it was discovered in November 2021; as a cross-platform language, Rust is notable. In accordance with Coreid, Noberus can encrypt files on the Windows, EXSI, Debian, ReadyNAS, and Synology operating systems.

The organization has chosen to utilize the ransomware known as Noberus, which is short for the BlackCat ALPHV ransomware that has been used in attacks on multiple American colleges, to escape law enforcement by using fresh ransomware strains, according to Symantec researchers.

The researchers claim that the criminal organization first started stealing money from businesses in the banking, hospitality, and retail industries using the Carbanak malware. Before the group's transition towards ransomware-as-a-service (RaaS) operation in the early 2020s, three of its members were arrested in 2018.

Noberus is a destructive ransomware

Coreid emphasized Noberus' various improvements over other ransomware, such as encrypted negotiation conversations that can only be seen by the intended victim. Cybercriminals have access to two different encryption methods and four different ways to encrypt computers, depending on their needs for speed and the size of their data heaps, thanks to Noberus.

Noberus employs a program called Exmatter to recover the stolen data. According to Symantec, Exmatter is made to take particular kinds of files from particular directories and upload them to the attacker's site even before the ransomware is activated. Exmatter, which is constantly modified and updated to exfiltrate files through FTP, SFTP, or WebDav, can produce a report of all the processed exfiltrated files and if used in a non-corporate setting, it has the potential to self-destruct.

Noberus is also capable of collecting credentials from Veeam backup software, a data protection and recovery product that many organizations use to store login information for domain controllers and cloud services, utilizing information-stealing malware called Infostealer. By using a specific SQL query, the malware known as Eamfo can connect to the SQL database containing the credentials and steal them.

Symantec reported that in December the gang introduced a 'Plus' category for allies who had extorted at least $1.5 million in attacks. The group has demonstrated that it will cut off allies who don't earn enough in ransoms, according to Symantec.

A potent data exfiltration tool for the most common file types, including.pdf,.doc,.docx,.xls,.xlsx,.png,.jpg,.jpeg,.txt, and more, was added to Coreid last month.

Similar to some other organizations, Coreid has outlined four primary entities that affiliates are not permitted to attack: the Commonwealth of Independent States, nations with ties to Russia, healthcare providers, and nonprofits.

According to Symantec, the affiliates are 'directed to avoid assaulting the education and government sectors,' but given the numerous attacks on universities around the world, they seem to be lax about this directive.




Conti Gang Doppelganger Adopts Recycled Code 

A ransomware attack from a brand-new gang dubbed 'Monti,' which primarily exploits Conti code has come to the surface. 

The Monti ransomware was found and revealed by MalwareHunterTeam on Twitter on June 30, but Intel471 and BlackBerry independently announced their study into Monti on September 7th.

The malware's developers constitute a well-known ransomware group that has launched numerous attacks. They operate under "Wizard Spider" and could be linked with the global Trickbot cybercrime ring. 

Reportedly, the cybercrime group that has a base in Russia, supports the Russian government's goals, particularly the Ukraine conflict. 

In return for a portion of the ransom money collected, the Conti gang offers 'its members' access to its software. The group's ability to scale operations is a direct result of the aforementioned. The group resorts to the ransomware as a service (RaaS) approach to disseminate the infection.

According to Intel471, "Monti might be a rebranded version of Conti or even a new ransomware version that has been developed utilizing the disclosed source code," it was published on February. It really doesn't appear like Monti has been involved in enough activities for the security company to establish a connection to Conti." 

Since the Conti disclosures in February effectively handed Monti malicious actors a step-by-step roadmap to mimicking Conti's notoriously successful actions, BlackBerry appears to be more certain that Monti is a copycat than a legitimate successor to its namesake.

Apart from one, Monti threat actors used the Action1 Remote Monitoring and Maintenance (RMM) agent, and the majority of Indicators of Compromise (IOCs) discovered by the BlackBerry IR team in the Monti attack were also detected in prior Conti ransomware attacks. 

Experts want to highlight a useful technique that was made feasible by our awareness of the code repetition before  Monti's reuse of Conti's encryptor code. 

The BlackBerry IR team was aware that Conti encryptor payloads do not always completely encrypt each file because we were familiar with Conti v2 and v3 encryptor payloads. Source code research reveals that Conti payloads combine a file's location, type, and size to decide which encryption techniques to employ. 

The BlackBerry IR team was able to recover completely, unencrypted strings from encrypted log files because of this information.

Conti's activities have slowed down recently, some experts have proposed that Conti's reduced activity is the consequence of a rebranding effort similar to those undertaken by various ransomware strains in the past, perhaps involving several members of the Conti gang. Other sources claim that other RaaS firms, like Karakurt and BlackByte, have engaged former Conti operators.

Whether Conti is being dubbed Monti to spoof the earlier strain or it is simply another new ransomware variety remains unclear, we will probably continue to see this new version have an impact on organizations all around the world. However, utilizing publicly accessible binaries to develop fresh ransomware or relaunch an old one would potentially offer defenders a head start as Monti develops.