Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label RansomHub. Show all posts
Ransomwares
Backdoor Backdoor Attacks Critical Infrastructure Cyber Attacks Healthcare Malware Attack RansomHub Ransomware attack Ransomwares

Symantec Links Betruger Backdoor Malware to RansomHub Ransomware Attacks

 

A sophisticated custom backdoor malware called Betruger has been discovered in recent ransomware campaigns, with Symantec researchers linking its use to affiliates of the RansomHub ransomware-as-a-service (RaaS) group. The new malware is considered a rare and powerful tool designed to streamline ransomware deployment by minimizing the use of multiple hacking tools during attacks. 

Identified by Symantec’s Threat Hunter Team, Betruger is described as a “multi-function backdoor” built specifically to aid ransomware operations. Its functions go far beyond traditional malware. It is capable of keylogging, network scanning, privilege escalation, credential theft, taking screenshots, and uploading data to a command-and-control (C2) server—all typical actions carried out before a ransomware payload is executed. Symantec notes that while ransomware actors often rely on open-source or legitimate software like Mimikatz or Cobalt Strike to navigate compromised systems, Betruger marks a departure from this norm. 

The tool’s development suggests an effort to reduce detection risks by limiting the number of separate malicious components introduced during an attack. “The use of custom malware other than encrypting payloads is relatively unusual in ransomware attacks,” Symantec stated. “Betruger may have been developed to reduce the number of tools dropped on a network during the pre-encryption phase.” Threat actors are disguising the malware under file names like ‘mailer.exe’ and ‘turbomailer.exe’ to pose as legitimate mailing applications and evade suspicion. While custom malware isn’t new in ransomware operations, most existing tools focus on data exfiltration. 

Notable examples include BlackMatter’s Exmatter and BlackByte’s Exbyte, both created to steal data and upload it to cloud platforms like Mega.co.nz. However, Betruger represents a more all-in-one solution tailored for streamlined attack execution. The RansomHub RaaS operation, previously known as Cyclops and Knight, surfaced in early 2024 and has quickly become a major threat actor in the cybercrime world. Unlike traditional ransomware gangs, RansomHub has focused more on data theft and extortion rather than just data encryption. Since its emergence, RansomHub has claimed several high-profile victims including Halliburton, Christie’s auction house, Frontier Communications, Rite Aid, Kawasaki’s EU division, Planned Parenthood, and Bologna Football Club. 

The group also leaked Change Healthcare’s stolen data after the BlackCat/ALPHV ransomware group’s infamous $22 million exit scam. More recently, the gang claimed responsibility for breaching BayMark Health Services, North America’s largest addiction treatment provider. BayMark serves over 75,000 patients daily across more than 400 locations in the US and Canada. According to the FBI, as of August 2024, RansomHub affiliates have compromised over 200 organizations, many of which are part of critical infrastructure sectors such as government, healthcare, and energy. 

As ransomware groups evolve and adopt more custom-built malware like Betruger, cybersecurity experts warn that defenses must adapt to meet increasingly sophisticated threats.
Read more »
TOX
Cyber Attacks CyberCrime CyberThreat DDoS DradonForce Meta's dominance RAMP RansomHub Ransomware Nerwork Rasnowmare attacks TOX

DragonForce Asserts Dominance Over RansomHub Ransomware Network

 


A series of targeted attacks involving DragonForce, a ransomware group that has reportedly been operating in the Middle East and North Africa region (MENA) are reported to have been launched against companies in the Kingdom of Saudi Arabia (KSA) amidst the escalating cyber threats throughout the region. A significant incident involving a real estate and construction company based in Riyadh, which underscored the group's commitment to targeting high-value targets within critical sectors, was one of the most significant incidents involving the group. 

In the recent past, there has been an increase in the sophistication of cyberattacks targeting major companies and vital infrastructure around the region, resulting in this recent development. In addition to demonstrating the increasing capabilities of threat actors such as DragonForce, this breach also emphasizes the need to maintain enhanced vigilance and preparedness among cybersecurity professionals and law enforcement agencies within the Kingdom of Saudi Arabia and its surrounding countries. 

Experts are anticipating that as the group's tactics continue to be effective, they will expand beyond MENA in terms of geographic scale. This incident has wider implications than just the immediate victims. As a cautionary marker of the rapidly evolving threat landscape, this incident serves as a warning of the threats that may threaten global digital security systems in the future. 

Cyble, a cybersecurity firm, has confirmed that a threat actor known as DragonForce recently posted a message on the RAMP cybercrime forum announcing a new “project.” This announcement was later mirrored on DragonForce's onion-based data leak site (DLS), marking the beginning of a new operational infrastructure for DragonForce. A part of this initiative was the introduction of two new onion domains that DragonForce launched, both protected by CAPTCHA verification, which aligned with the group's traditional Tor-based deployment practices. 

Interestingly, both of these sites are prominently branded and emblazoned with RansomHub, a group that specializes in ransomware. While it is still unclear whether DragonForce has seized control of RansomHub in the past or has just infiltrated its systems, Cyble has observed that RansomHub's onion site has been unavailable since March 31. As a result of this prolonged downtime, there has been considerable speculation within the cyber security community as to whether DragonForce may be planning to acquire or hostilely take over the RansomHub infrastructure. 

In addition to this development, DragonForce recently formally announced its plans to expand its ransomware-as-a-service operations, which are aligned with DragonForce's broader strategy of expanding the company's ransomware-as-a-service operations. As part of this initiative, the group introduced an affiliate-based model in which third-party actors—or “franchisees”—can operate under DragonForce brand names. 

As part of the new model, affiliates will reportedly be provided with comprehensive backend support, which includes anti-DDoS defences, advanced encryption protocols, and specialized toolkits that allow them to manage infections across a range of environments, including ESXi, NAS, BSD, and Windows. A significant investment is being made into infrastructure to attract and empower partners, thereby enhancing the group's reach and impact as a whole. This is a deliberate attempt by the group to streamline operations and present a more organized and business-like ransomware platform to victims by including features like encryption status monitoring and persistent communication mechanisms. 

Despite the uncertainty that surrounds RansomHub's future, it is currently possible that it will become fully absorbed under the DragonForce brand or continue to operate independently, but current indicators suggest that a possible consolidation within the ransomware ecosystem may result in increased sophistication and coordination among cybercriminals. 

Despite the increased competition in the ransomware-as-a-service (RaaS) market, DragonForce is positioning itself as a prominent player by offering its affiliates one of the most attractive commission structures on the dark web. This aggressive profit-sharing model aims to attract skilled cybercriminals in an attempt to build an affiliate network that is loyal, results-driven and enables partners to keep up to 80% of ransom payments successfully extorted from victims. A key component of DragonForce's communication strategy is TOX, a Tor-based instant messaging platform that serves as the main channel for communicating with both victims and affiliates as well as serving as a secure, secure means of communicating. 

In addition to providing the public key to the group, RAMP, an underground forum used by ransomware operators and access brokers, is also available to anyone interested in further securing these exchanges. This persistent presence on the platform, especially a forum visit traced back to February 24, 2025, indicates a sustained effort by them to maintain visibility and engagement within the key cybercriminal community. In addition to serving as a recruitment hub, the DragonForce affiliate network is also highlighted in advertisements displayed on RAMP as one of the most reliable networks within the dark web. With support for multiple platforms, including Windows, Linux, and ESXi, the ransomware framework is marketed as a robust system that can deliver consistent payouts while offering extensive back-end support. 

As of January 20th, 2025, the most recent affiliate-related announcements have been posted, but the associated PGP encryption key has been generated since September 2024, further demonstrating the organization's systematic approach to security. A prior operational leak involved sensitive affiliate-facing URLs that were used for extortion from victims. DragonForce underwent significant internal reforms after this. Among these reforms was the implementation of a new vetting process that requires prospective affiliates to provide verifiable evidence of victim access, such as data volume metrics and file trees, to justify their eligibility. 

Essentially, this shift was meant to ensure that only committed and capable individuals could be onboarded, which would lead to improved operational security and integrity for the organization. Furthermore, DragonForce offers a variety of premium services to vetted affiliates, including call services, which allow direct pressure to be applied to victims, as well as advanced decryption capabilities that can be used on NTLM and Kerberos hashes. A lot of these services are especially useful when access brokers are trying to navigate post-compromise stages in environments like Active Directory that are complex. 

It is important to remember that DragonForce ransomware is an independent entity and should not be confused with the Malaysian hacktivist group that operates under the same name. This group has been known for defacing websites and launching DDoS attacks, among other things. While the two organizations share a name, they are completely different in their motivations, structures, and methods, and they are not known to be affiliated with each other. 

As ongoing speculation continues regarding the nature of a potential alliance between RansomHub and DragonForce continues to surface, Cyble reports that this latest development closely follows DragonForce's announcement of a significant expansion of its ransomware service (RaaS) operations on March 18. The DragonForce Ransomware Cartel, as part of this strategic shift, introduced the franchise-style affiliate program, whereby partners can operate and launch their own ransomware campaigns under the umbrella of DragonForce Ransomware Cartel. 

Affiliates can take advantage of this model because it allows them to maintain a high degree of operational independence while still being overseen by a central management team. Backend support is provided in a comprehensive way to all participants, including dedicated admin and client panels as well as secure data hosting environments and a resilient, always-on infrastructure that is secured with anti-DDoS mechanisms that keep the system running smoothly. This structure is designed to maintain the group's overarching operational standards as well as balance affiliate autonomy with consistency and control. 

It is worth noting that DragonForce has also introduced a series of advanced technical upgrades to its ransomware payloads targeted at ESXi, NAS, BSD, and Windows platforms along with its structural expansion. In addition, several sophisticated features have been added to the security system, including real-time encryption tracking, detached execution processes, persistent user interface messages to reinforce ransom demands, and better recovery protocols to reduce disruption. In addition, the group developed the two-pass header protection technology to enhance the cryptographic robustness of the encryption engine by using external entropy sources. This technique is also integrated with the BearSSL AES-CTR encryption protocol to enhance its cryptography. 

In addition to the technological and infrastructure advances made by DragonForce, Cyble points out that DragonForce's commitment to scale its operations at a very high level of professionalism will be reflected in these advancements. By creating a more refined and affiliate-focused ransomware ecosystem, the company hopes to attract experienced cybercriminals to collaborate with them. During the past year, DragonForce has continued to grow as a more structured and formidable player within the ransomware-as-a-service ecosystem. 

However, its recent activities indicate a broader shift in cybercriminal activity, characterized by a shift towards increasing sophistication, strategic alliances, and operational maturity in the cybercriminal underground. The apparent takeover or alignment of RansomHub with the company and the dramatic advancements in infrastructure and technology, along with the emergence of a series of threats, highlight the urgent need for the cybersecurity stakeholders to reevaluate threat models and strengthen their defensive positions. 

The most effective way for organizations, particularly those in critical sectors and high-risk regions, is to implement proactive threat intelligence strategies, enforce stringent access controls, and seriously prioritize incident response preparedness in order to counter evolving threats. With a digital landscape in which adversaries adopt business-like approaches to cause greater impact, only a cohesive and anticipatory security approach can prove robust in the face of the rising tide of cyber-extortion, which is becoming more organized and sophisticated by the day.
Read more »
Ransomwares
Akira Ransomware Cyber Security Cyber Threats LockBit Malware Attack malware prevention Malwares RansomHub Ransomwares

2024’s Most Dangerous Malware: A Wake-Up Call for Cybersecurity

 

OpenText, a leader in cybersecurity insights, has released its eagerly awaited “Nastiest Malware of 2024” list, highlighting some of the most destructive and adaptive cyber threats of the year. The list illustrates how ransomware and other malicious software continue to evolve, particularly regarding their impact on critical infrastructure. As cybercriminals refine their tactics, the need to strengthen cybersecurity measures has become increasingly urgent. Organizations around the globe are projected to boost their cybersecurity spending by 14.3% in 2024, raising total investments to over $215 billion, which reflects the magnitude of the challenges posed by these threats. 

LockBit claimed the title of the most dangerous malware of the year. This ransomware-as-a-service (RaaS) entity has demonstrated its ability to evade law enforcement efforts, including those from the FBI. Its ongoing attacks on critical infrastructure showcase its resilience and technical prowess. According to the FBI, LockBit was responsible for 175 reported attacks on essential systems in 2023 alone. The group’s bold ambition to target one million businesses emphasizes its threat level and solidifies its position in the ransomware landscape. 

Akira, a relatively new player, has rapidly gained infamy for its aggressive tactics. This ransomware has been particularly active in industries such as healthcare, manufacturing, and finance, using advanced encryption methods to cause significant disruption. Its retro-inspired branding contrasts sharply with its destructive potential, making it a popular choice among cybercriminal affiliates. 

Meanwhile, RansomHub, which may have connections to the infamous Black Cat (ALPHV) group, has made headlines with its high-profile attacks, including a daring strike on Planned Parenthood that compromised sensitive patient data. 

Other significant threats include Dark Angels, recognized for its precision-targeted attacks on Fortune 50 companies, and Play Ransomware, which takes advantage of vulnerabilities in FortiOS systems and RDP servers. Redline Stealer, while not technically ransomware, this type of threat significantly endangers organizations by focusing on stealing credentials and sensitive information. Each of these threats illustrates how cybercriminals are continually pushing the limits, employing advanced tactics to stay ahead of defenses. 

Muhi Majzoub, OpenText’s EVP and Chief Product Officer, notes that the increase in ransomware targeting critical infrastructure highlights the growing risks to national security and public safety. At the same time, the heightened emphasis on cybersecurity investments is a positive indication that organizations are recognizing these threats. However, the ability of ransomware groups to adapt remains a significant worry, as these criminals continue to leverage new technologies, including artificial intelligence, to create more sophisticated attacks. 

The findings from this year reveal a harsh truth: while progress in cybersecurity is being made, the rapid pace of innovation in malware development poses an ongoing challenge. As companies enhance their vigilance and dedicate more resources to protect vital systems, the battle against cyber threats is far from finished. The changing nature of these attacks requires ongoing adaptation, collaboration, and investment to protect the essential services that support modern society.
Read more »
Security
AI Business Cyber Security India Mallox RansomHub Ransomware Security

India Faces Rising Ransomware Threat Amid Digital Growth

 


India, with rapid digital growth and reliance on technology, is in the hit list of cybercriminals. As one of the world's biggest economies, the country poses a distinct digital threat that cyber-crooks might exploit due to security holes in businesses, institutions, and personal users.

India recently saw a 51 percent surge in ransomware attacks in 2023 according to the Indian Computer Emergency Response Team, or CERT-In. Small and medium-sized businesses have been an especially vulnerable target, with more than 300 small banks being forced to close briefly in July after falling prey to a ransomware attack. For millions of Indians using digital banking for daily purchases and payments, such glitches underscore the need for further improvement in cybersecurity measures. A report from Kaspersky shows that 53% of SMBs operating in India have experienced the incidents of ransomware up till now this year, with more than 559 million cases being reported over just two months, starting from April and May this year.

Cyber Thugs are not only locking computers in businesses but extending attacks to individuals, even if it is personal electronic gadgets, stealing sensitive and highly confidential information. A well-organised group of attacks in the wave includes Mallox, RansomHub, LockBit, Kill Security, and ARCrypter. Such entities take advantage of Indian infrastructure weaknesses and focus on ransomware-as-a-service platforms that support Microsoft SQL databases. Recovery costs for affected organisations usually exceeded ₹11 crore and averaged ₹40 crore per incident in India, according to estimates for 2023. The financial sector, in particular the National Payment Corporation of India (NPCI), has been attacked very dearly, and it is crystal clear that there is an imperative need to strengthen the digital financial framework of India.

Cyber Defence Through AI

Indian organisations are now employing AI to fortify their digital defence. AI-based tools process enormous data in real time and report anomalies much more speedily than any manual system. From financial to healthcare sectors, high-security risks make AI become more integral in cybersecurity strategies in the sector. Lenovo's recent AI-enabled security initiatives exemplify how the technology has become mainstream with 71% of retailers in India adopting or planning to adopt AI-powered security.

As India pushes forward on its digital agenda, the threat of ransomware cannot be taken lightly. It will require intimate collaboration between government and private entities, investment in education in AI and cybersecurity, as well as creating safer environments for digital existence. For this, the government Cyber Commando initiative promises forward movement, but collective endeavours will be crucial to safeguarding India's burgeoning digital economy.


Read more »
Ransomware
Automobiles Cyber Security Kawasaki RaaS RansomHub Ransomware

Kawasaki Ransomware Attack: 500 GB Alleged Data Leaked, RansomHub Claims

Kawasaki Ransomware Attack: 500 GB Alleged Data Leaked, RansomHub Claims

In a recent ransomware attack that hit Kawasaki Motors Europe (KME), the company has confirmed that it suffered the breach causing major service disruptions as threat actors threatened to leak the data. 

“At the start of September, Kawasaki Motors Europe (KME) was the subject of a cyberattack which, although not successful, resulted in the company’s servers being temporarily isolated until a strategic recovery plan was initiated later on the same day," KME said in a statement.

RansomHub Behind Leak

RansomHub, an infamous Ransomware-as-a-Service (RaaS) has leaked 478GB of data which the group claims belongs to the KME website,  after the attack. Important business documents were exposed- dealership details, internal communications, banking records, and financial info.

Threat actors posted the exposed data on their extortion site on the dark net, suggesting that KME didn’t agree to pay the ransom demanded by RanHub.

RansomHub has become popular after its creation in February 2024, it is now one of the most efficient RaaS groups, it was responsible for 75 ransom attacks in Q2 of 2024. RansomHub’s victims include high-level targets like Planned Parenthood and Change Healthcare.

To warn about the attacks, the US Cybersecurity and Infrastructure Agency (CISA) issued an advisory, highlighting indicators of compromise (IoC) to combat the threat of potential targets.

Rising Ransom Demands 

With a significant increase in the number of RaaS, the ransom demand trend is also rising. A threat actor demands a shocking $1.5 million in return for a victim’s stolen data. In 2023, the ransomware number was a mere $200,000, which shows the dominance of ransomware groups and the harm they cause to an organization. 

How to Combat Ransomware Attacks?

Adopting a proactive cybersecurity plan can help a business address future threats and take measures to mitigate risks, reducing the threat of future attacks. 

A strong incident response plan can reduce the impact of a ransomware breach. It should have a framework for a plan of action for a possible attack, this can include a data recovery process, legal aspects, and communication protocols. 

Human error is one of the leading causes of breach, but employee training and awareness helps to identify threats and respond accordingly. 

Read more »
Stolen Data
ALPHV/BlackCat Automotive Industry Cyber Attacks Dark Web Data Leak Ramsomware RansomHub RansomHub ransomware Stolen Data

Kawasaki Motors Europe Targeted by RansomHub Ransomware Attack

 

Kawasaki Motors Europe has been targeted by a ransomware attack orchestrated by the RansomHub gang, causing significant disruption to its services. The company, responsible for distributing and selling Kawasaki’s motorcycles across Europe, swiftly responded by isolating its servers to contain the threat. IT teams collaborated with external cybersecurity experts to analyze and cleanse systems of any lingering malware. Kawasaki aims to have 90% of its server infrastructure back online shortly, ensuring that business operations, including dealerships and supply chains, remain unaffected. 

The RansomHub group, a rising cybercriminal organization, claimed responsibility for the attack and added Kawasaki to its extortion portal on the dark web. According to the threat group, 487 GB of data was stolen, and they threatened to leak this information if their demands weren’t met. The data theft’s scope, particularly whether it includes sensitive customer details, remains unclear. Despite these developments, Kawasaki has not commented on the situation or responded to inquiries from cybersecurity analysts and reporters. 

RansomHub has gained significant traction in recent months, filling the void left by the now-defunct BlackCat/ALPHV ransomware operation. This has resulted in a surge of attacks against high-profile organizations, with RansomHub’s affiliates targeting critical sectors such as healthcare, retail, and manufacturing. The group’s growing notoriety was highlighted in a joint advisory issued by the FBI, CISA, and the Department of Health and Human Services, which reported over 200 victims of the ransomware group in the U.S. alone since February. The attack on Kawasaki emphasizes the evolving threat posed by ransomware groups and the importance of proactive cybersecurity measures. 

For businesses like Kawasaki, robust security protocols, regular updates, and swift incident response are critical in mitigating the risk of data breaches. The company’s efforts to cleanse infected servers highlight the importance of collaboration between internal IT teams and external cybersecurity experts in recovering from attacks. To protect against future breaches, organizations must invest in advanced threat detection technologies, ensure comprehensive patch management, and prioritize employee cybersecurity training. 

With cybercriminal groups like RansomHub becoming increasingly organized and opportunistic, adopting a layered defense strategy is vital for reducing exposure to such attacks. Kawasaki’s situation serves as a reminder of the growing challenges organizations face in safeguarding sensitive data from evolving cyber threats and the need for constant vigilance in a rapidly changing digital landscape.
Read more »
Techhnology
Kaspersky Malicious Payload Phishing Attacks RansomHub Ransomware Techhnology

RansomHub Ransomware: Exploiting Trusted Tools to Evade Detection

RansomHub Ransomware: Exploiting Trusted Tools to Evade Detection

Ransomware groups continue to innovate and adapt their tactics to bypass security measures. One such group, RansomHub, reported by Malwarebytes, has recently garnered attention for its sophisticated approach to disabling Endpoint Detection and Response (EDR) systems. By leveraging Kaspersky’s TDSSKiller, a legitimate rootkit removal tool, RansomHub has managed to execute its malicious payloads undetected, posing a significant threat to organizations worldwide.

The Rise of RansomHub

RansomHub is a relatively new player in the ransomware scene, but it has quickly made a name for itself with its advanced techniques and targeted attacks. Unlike traditional ransomware groups that rely on brute force methods or simple phishing campaigns, RansomHub employs a more nuanced strategy. By using legitimate software tools in unexpected ways, they can evade detection and maximize the impact of their attacks.

The Role of Kaspersky’s TDSSKiller

Kaspersky’s TDSSKiller is a well-known tool in the cybersecurity community, designed to detect and remove rootkits from infected systems. Rootkits are a type of malware that can hide the presence of other malicious software, making them particularly dangerous. TDSSKiller is widely trusted and used by security professionals to clean compromised systems.

However, RansomHub has found a way to exploit this tool for malicious purposes. By incorporating TDSSKiller into their attack chain, they can disable EDR software that would otherwise detect and block their ransomware. This tactic is particularly insidious because it uses a trusted tool to carry out malicious actions, making it harder for security teams to identify and respond to the threat.

The Attack Chain

RansomHub’s attack chain typically begins with a phishing email or a compromised website that delivers the initial payload. Once the ransomware is on the target system, it uses a variety of techniques to escalate privileges and gain control over the machine. This is where TDSSKiller comes into play.

By running TDSSKiller, the ransomware can disable EDR software and other security measures that would normally detect and block the attack. With these defenses out of the way, RansomHub can then proceed to encrypt the victim’s files and demand a ransom for their release. In some cases, they also use a credential-harvesting tool called LaZagne to extract sensitive information, further increasing the pressure on the victim to pay the ransom.

Threats Posed by Tools

The use of legitimate tools like TDSSKiller in ransomware attacks highlights a significant challenge for the cybersecurity community. Traditional security measures are often designed to detect and block known malware and suspicious behavior. However, when attackers use trusted tools unexpectedly, these measures can be less effective.

This tactic also underscores the importance of a multi-layered approach to cybersecurity. Relying solely on EDR software or other endpoint protection measures is no longer sufficient. Organizations must implement a comprehensive security strategy that includes network monitoring, threat intelligence, and user education to detect and respond to these advanced threats.

Read more »
RansomHub
Cyber campaign Cyberattackers CyberCrime cybercriminals Cybersecurity CyberThreat NoName Hackers Ransomaware RansomHub

NoName Hackers Use RansomHub in Recent Cyber Campaigns

 


Despite active attacks by gangs such as the NoName ransomware group, which has targeted small and medium-sized businesses worldwide for the past three years, the group has continued to grow by using custom malware and evolving its attack methods. A recent link pointing to NoName has led to the conclusion that the group is no longer independent, but is now affiliated with RansomHub. As a result of this development, cyber security levels worldwide are in danger, especially for small and medium-sized businesses. 

A new affiliate has now joined extortion group RansomHub, an up-and-coming online criminal extortion group, and its main claim to fame so far has been impersonating LockBit ransomware-as-a-service, which is based out of the Netherlands. It has been well-documented that NoName exploits vulnerabilities that date back many years. 

Over the last three years, it has been well documented that the NoName ransomware gang, also known as CosmicBeetle, has been creating waves worldwide by targeting small and medium-sized businesses. Recent observations have shown that the gang is making use of a new type of malware called RansomHub to carry out its crimes. For gaining access to networks, the gang uses a variety of custom tools, including those from the Spacecolon malware family, which it acquired from cybercriminals. 

A number of the tools that are used to distribute these tools use brute force methods to deploy them and exploit known vulnerabilities such as EternalBlue (CVE-2017-0144) and ZeroLogon (CVE-2020-1473). In recent attacks, the NoName gang has been using the ScRansom ransomware to encrypt documents and digital files, replacing the Scarab encryptor that it had previously used. Additionally, the gang has already begun experimenting with the leaked LockBit 3.0 ransomware builder, creating a similar site for leaking data and issuing similar ransom notes based on the design of the released code. 

A cybersecurity company called ESET has been tracking the activities of the NoName gang since 2023, which is almost four years ago. Even though ScRansom is less sophisticated than other ransomware threats, but still poses a significant threat to the operating system, it has been observed to develop and become more sophisticated over time. Several aspects of ScRansom are complex, including AES-CTR-128 encryption and RSA-1024 decryption, causing problems when decrypting the files sometimes. It has been reported that victims received multiple decryption keys but are still unable to recover all the files they lost. ScRansom allows attackers to take advantage of different speed modes for partial encryption, allowing them flexibility. 

A 'ERASE' mode can be also operated to replace the contents of the file with a constant value, thereby ensuring that the contents cannot be recovered. With ScRansom, file encryption is possible across all drives and the operator can decide what file extensions to encrypt, and what folders they want to encrypt. ScRansom kills several processes and services on the Windows host before the encryptor fires. These include Windows Defender, the Volume Shadow Copy service, SVCHost, RDPclip, and LSASS, as well as processes related to VMware tools. There are several encryption schemes used by ScRansom to protect the public key, and one of them is AES-CTR-128 which is combined with RSA-1024 to generate an extra AES key for security reasons. 

As a result of the multi-step process, there are times when errors occur in this process that can lead to the failure of the decryption process. As a result of executing the ransomware on the same device a second time, or in a network with multiple systems running different versions of the virus, new sets of unique keys will be generated for every victim, making the entire decryption process rather difficult to perform. Furthermore, in addition to brute force attacks that are used by the NoName gang to gain access to networks, several other vulnerabilities are exploited by them that are common in SMB environments. CVE-2017-0144 (also known as EternalBlue), CVE-2023-27532 (a vulnerability in Veeam Backup & Replication), CVE-2021-42278 and CVE-2021-42287 (AD privilege escalation vulnerabilities) through noPac, CVE-2022-42475 (a vulnerability in FortiOS SSL-VPN), and CVE-2020-1472 (also known as Zerologon) are some of the vulnerabilities. 

With ScRansom's file encryption capabilities, it can encrypt files on all types of drives, including fixed, remote, removable, and cloud storage, and allows users to personalize the list of file extensions they wish to encrypt. When ESET researchers were investigating a ransomware attack that began with a failed ScRansom deployment in early June, they discovered that the threat actor executed on the same machine less than a week later. 

The EDR killer tool, which provides privilege escalation and the ability to disable security agents by deploying legitimate and vulnerable drivers on targeted computers, was a tool that was released by RansomHub shortly after. The compromised computer was ransomware-encrypted two days later, on June 10, by the hackers who used the RansomHub ransomware. There was an interesting way of extracting the EDR killer described by the researchers, one that was characteristic of CosmicBeetle rather than RansomHub's affiliates. 
 
It was noted that there has been no leak in the past of the RansomHub code and its builder, so ESET researchers were "pretty confident" that CosmicBeetle was enrolled as a new RansomHub affiliate. Even though ESET does not claim to have any affiliation with RansomHub, they do state that the Ransom Encrypter is being actively developed by their engineers.
Read more »
Subscribe to: Posts (Atom)