
Unique TTPs Connect Hades Ransomware to New Threat Group

 

Researchers claim to have uncovered the origins of Hades ransomware's operators, as well as the unique tactics, techniques, and procedures (TTPs) they use in their attacks. 

The Hades ransomware initially appeared in December 2020, following a series of attacks on a variety of institutions, but limited information about the culprits has been released to date. 

Gold Winter has been identified as the threat group behind the Hades ransomware, according to Secureworks' Counter Threat Unit (CTU). The researchers also disclosed details of Gold Winter's activity that set it apart from other similar threat groups, implying that it is a financially driven, most likely Russian-based "big game hunter" after high-value targets, primarily North American manufacturers. 

The researchers stated, “Some third-party reporting attributes Hades to the Hafnium threat group, but CTU research does not support that attribution.” 

“Other reporting attributes Hades to the financially motivated Gold Drake threat group based on similarities to that group’s WastedLocker ransomware. Despite the use of similar application programming interface (API) calls, the CryptOne crypter, and some of the same commands, CTU researchers attribute Hades and WastedLocker to two distinct groups as of this publication.” 

According to the researchers, the investigation of Gold Winter showed TTPs that were not found in other ransomware families, with some showing resemblance but with uncommon characteristics added.

As per the researchers, Gold Winter:

- Names and shames victims, but doesn't employ a centralized leak site to make stolen information public. Instead, Tor-based Hades websites appear to be personalized for each victim, including a victim-specific Tox chat ID for communication. The use of Tox instant messaging is a technique CTU researchers haven't seen in other ransomware families.

- Is known for copying ransom notes from other high-profile families like REvil and Conti, substituting webpages with contact email addresses, and adding unique victim identifiers.

- Replaces randomly generated five-character strings for the victim ID and encrypted file extension with words, e.g., cypherpunk.

- Uses SocGholish malware disguised as a fake Chrome update, and single-factor authentication VPN access, as initial access vectors.

- Deletes volume shadow copies using the “vssadmin.exe Delete Shadows /All /Quiet” command, but uses a distinctive self-delete command with an unusual inclusion of a “wait for” command.
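
One way to hunt for the shadow-copy deletion command named in the list above, added here as an example (it is not code from Secureworks or from the original post): it flags `vssadmin` shadow deletion in process-creation command lines, tolerating case, quoting, full paths and the run-together `Shadows/All/Quiet` spelling. The record fields, host names and severity labels are assumptions, and the sample records are constructed.

```python
import re

# Locate the vssadmin binary anywhere in a command line: bare, with .exe,
# behind a full path, quoted, or launched through "cmd.exe /c".
VSSADMIN = re.compile(r'(?:^|[\s"\\])vssadmin(?:\.exe)?(?=["\s]|$)', re.IGNORECASE)

# An argument is an optional leading "/" plus everything up to the next
# space, quote or "/", so "Shadows/All/Quiet" splits like "Shadows /All /Quiet".
ARG = re.compile(r'/?[^\s/"]+')

# Constructed process-creation records (hypothetical field names and hosts).
SAMPLE_EVENTS = [
    {"host": "ws-014", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws-015", "cmdline": "vssadmin.exe Delete Shadows/All/Quiet"},
    {"host": "ws-016",
     "cmdline": r'"C:\Windows\System32\VSSADMIN.EXE" delete shadows /quiet /all'},
    {"host": "ws-017", "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"host": "srv-02", "cmdline": "vssadmin list shadows"},
    {"host": "srv-03", "cmdline": "vssadmin delete shadows /for=D: /oldest"},
    {"host": "ws-020", "cmdline": r"notepad.exe C:\notes\shadows.txt"},
]


def classify(cmdline):
    """Return 'high', 'review' or None for one process command line.

    'high'   : delete shadows with both /all and /quiet (every copy, no prompt)
    'review' : any other shadow deletion, which admins do run occasionally
    None     : not a vssadmin shadow deletion
    """
    match = VSSADMIN.search(cmdline)
    if not match:
        return None
    args = [a.lower() for a in ARG.findall(cmdline[match.end():])]
    verbs = [a for a in args if not a.startswith("/")]
    options = {a for a in args if a.startswith("/")}
    if verbs[:2] != ["delete", "shadows"]:
        return None
    if {"/all", "/quiet"} <= options:
        return "high"
    return "review"


def scan(events):
    """Return (host, severity, cmdline) for every record that matches."""
    hits = []
    for event in events:
        severity = classify(event["cmdline"])
        if severity:
            hits.append((event["host"], severity, event["cmdline"]))
    return hits


if __name__ == "__main__":
    for host, severity, cmdline in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {host}: {cmdline}")
```
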

Marcelle Lee, senior security researcher, CTU-CIC at Secureworks, tells CSO, “Typically when we see a variety of playbooks used around particular ransomware, it points to the ransomware being delivered as ransomware-as-a-service (RaaS) with different pockets of threat actors using their own methods. We do not, however, think that is the case with Hades.” It is most likely that Gold Winter operates as a private ransomware group, she added.

It is also possible that Gold Winter has been organized by another threat group to throw law enforcement and researchers off their trail, Lee continues. 

For Hades, Lee suggests adopting common ransomware defense and mitigation strategies: implement an endpoint detection and response solution, multi-factor authentication for internet-facing devices and for user apps, and efficient asset management. She also suggests efficient patch management, a subscription to customized threat intelligence to raise awareness of emerging dangers, and a tested incident plan and team.

Zeppelin Ransomware Has Resumed Operations After a Temporary Pause

 

According to BleepingComputer, the operators behind the Zeppelin ransomware-as-a-service (RaaS), aka Buran, have resumed operations following a brief outage. Zeppelin's operators, unlike other ransomware operators, do not steal data from victims or maintain a leak site. 

Experts from BlackBerry Cylance discovered a new version of the Vega RaaS, called Zeppelin, and it first appeared on the threat landscape in November 2019. In Europe, the United States, and Canada, the latest version was used in attacks against technology and healthcare firms. Zeppelin was discovered in November and was spread via a watering hole attack in which the PowerShell payloads were hosted on the Pastebin website. 

The Zeppelin ransomware does not infect users in Russia or other ex-USSR countries like Ukraine, Belorussia, or Kazakhstan, unlike other Vega ransomware variants. The ransomware enumerates files on all drives and network shares and attempts to encrypt them after being executed. Experts found that the encryption algorithm used is the same as that used by other Vega variants. 

“This is in contrast with the classic RaaS operations, where developers typically look for partners to breach into a victim network, to steal data, and deploy the file-encrypting malware. The two parties then split paid ransoms, with developers getting the smaller piece (up to 30%),” reported BleepingComputer. 

Advanced Intel (AdvIntel), a threat detection and loss avoidance firm, discovered that the Zeppelin ransomware developers revised their operation in March. They announced a "big software upgrade" as well as a new round of sales. According to an intelligence survey cited by AdvIntel head of research Yelisey Boguslavskiy, the new Zeppelin version costs $2,300 per core build. 

Following the major update, Zeppelin's developers released a new version of the malware on April 27 that had few new features but improved the encryption's stability. They also promised that development on the malware would continue and that long-term users, known as "subscribers," would receive special care. 

“We continue to work. We provide individual conditions and a loyal approach for each subscriber, the conditions are negotiable. Write to us, and we will be able to agree on a mutually beneficial term of cooperation”, said Zeppelin ransomware. 

Zeppelin is one of the few ransomware operations on the market that does not use a pure RaaS model, and it is also one of the most common, with high-profile members of the cybercrime community recommending it.

Toshiba Unit Hacked by DarkSide

 

The DarkSide criminal gang, which was also responsible for the assault on Colonial Pipeline, which triggered widespread gas shortages and panic buying across the Southeast, hacked a Toshiba business unit earlier this month. 

Toshiba Tec said in a statement that the cyberattack affected its European subsidiaries, and the company is investigating the extent of the damage. It stated that “some details and data could have been leaked by the criminal gang,” but it did not confirm that customer information was leaked. 

"There are around 30 groups within DarkSide that are attempting to hack companies all the time, and they succeeded this time with Toshiba," said Takashi Yoshikawa, a senior malware analyst at Mitsui Bussan Secure Directions. During pandemic lockdowns, employees accessing company computer systems from home have made businesses more susceptible to cyber-attacks, he said. 

The assault seems to have been carried out by the Russian criminal group DarkSide, according to a company representative who spoke to Reuters. The attack happened on May 4, according to a spokesperson who confirmed the same to CNBC. According to the outlet, the hackers demanded a ransom, but the company refused to pay. Colonial Pipeline, on the other hand, is said to have paid a ransom of approximately $5 million within hours of the attack last week. 

The assault, which resulted in gas shortages and panic buying at US gas stations across the Southeast, likely drew more attention to DarkSide than it had hoped for, with President Biden promising to go after the group. 

According to screenshots of DarkSide's post given by the cybersecurity company, more than 740 gigabytes of data, including passports and other personal details, was compromised. On Friday, Reuters was unable to reach DarkSide's public-facing website. DarkSide's numerous websites, according to security researchers, have become inaccessible. 

Ransomware attacks, in which hackers encrypt data and demand payment in cryptocurrency to decrypt it, are increasing in number and size. The attackers are also increasingly releasing or threatening to release stolen data unless they are paid more. 

According to investigators in the US Colonial case, the attack software was distributed by DarkSide, which includes Russian speakers and avoids hacking targets in the former Soviet Union. DarkSide allows "affiliates" to hack into targets in other countries, and then manages the ransom and data release.

University of Hertfordshire Hit by Cyberattack

 

The University of Hertfordshire has become the most recent victim of a spate of digital assaults against academic institutions after a significant incident knocked all its systems offline. The assault on its network is perceived to have started before 10pm on Wednesday 14 April, and the university’s IT teams are right now attempting to restore services. 

The university Wi-Fi network was taken down along with the email system and the university’s student portal. Since the assault, students have also reported that they have not been able to access Office 365 services, such as Teams, as well as other university-paid services such as Canvas and Zoom.

In a statement, the university said: “As a result, all online teaching will be canceled today (Thursday 15 April), and we understand that this may impact students being able to submit assignments. We want to reassure our students that no one will be disadvantaged as a consequence of this.” 

“Any in-person, on-campus teaching may still continue today, if computer access is not required, but students will have no on-site or remote access to computer facilities in the LRCs [learning resource centres], labs or the university Wi-Fi. We apologize for the inconvenience this situation has caused and will continue to keep you updated,” they added.

The UK's National Cyber Security Centre has been warning for some time of increased targeting of academic institutions – both schools and universities – especially by ransomware groups, and recently updated its own guidance on the subject to reflect the current high attack volumes.
 
Educational bodies are considered easy targets by cybercriminals since they often lack the resources to secure their information adequately, hold a lot of personal information, and may come under more public pressure to pay a ransom. 

Jérôme Robert, director at Alsid, said universities are starting to become aware that they are prime targets. “The sheer size of the student and faculty at a university – in Hertfordshire’s case nearly 28,000 people – makes it incredibly difficult to secure and manage the IT estate,” he said. 

“Think of the huge volume of new joiners and leavers each year at universities. IT teams somehow have to manage that process of creating, deleting, and managing all those accounts. It’s a never-ending operation to keep all of that neat and tidy, and any oversights, such as old accounts not being closed down, present risk. On top of this, higher education is currently at heightened risk because of the increase of network activity and general complexity of enabling hybrid learning,” Robert added.

Maze/Egregor Ransomware Earned over $75 Million

 

Researchers at Analyst1 have found that the Maze/Egregor ransomware cartel has collected at least $75 million in ransom payments to date. This figure is the floor of their estimate; the true total could be higher, since not every victim has disclosed paying the threat actor. Although the group is currently crippled, it is the one that introduced numerous innovations in the ransomware space. 

“We believe this figure to be much more significant, but we can only assess the publicly acknowledged ransom payments. Many victims never publicly report when they pay a ransom,” security firm Analyst1 said in a 58-page report published this week. 

Analyst1's findings are in line with a similar report from blockchain analysis firm Chainalysis, which listed the Maze group as the third most profitable ransomware operation, behind Ryuk and Doppelpaymer. 

The now-defunct Maze ransomware group was a pioneer in its time. Started in mid-2019, the group shut down for unknown reasons before the end of last year, but resurfaced as Egregor ransomware. Most of the code, the working mechanism, and other clues indicate that Egregor is the new Maze group. The group ran a so-called RaaS (Ransomware-as-a-Service), allowing other cybercrime actors to rent access to its ransomware strain. These clients, also called affiliates, would breach organizations and deploy the Maze group's ransomware as a way to encrypt files and extort payments.

But, while there were a lot of ransomware groups working on similar RaaS schemes, the Maze group became famous by creating a “leak site” where they'd regularly list organizations they infected, which was a novelty at that point, in December 2019. 

This branding change didn't affect the group's success. Indeed, Maze and Egregor ranked as the second and third most active RaaS services on the market, accounting for almost a fourth of all victims recorded on leak sites a year ago. As per Analyst1's report published this week, this heightened period of activity also translated into financial gains, based on transactions the company was able to track on public blockchains. 

However, this success also drew attention from law enforcement, which started putting significant resources into investigating and tracking down the group. Right now, the Maze/Egregor group is on a hiatus, having stopped activities after French and Ukrainian authorities arrested three of their members in mid-February, including a member from its core team.

Sophos Uncovered Connection Between Mount Locker and Astro Locker Team

 

Sophos published another report on a recently revealed connection between the Mount Locker ransomware group and a new group called "Astro Locker Team." Sophos recently identified ransomware targeting an organization’s unprotected machines that had all the hallmarks of Mount Locker ransomware. However, when they followed the link in the ransom note to the attacker's chat/support site, Sophos incident responders found themselves faced with a near-unknown group calling themselves "AstroLocker Team" or "Astro Locker Team." Astro Locker appears to be a new ransomware family; however, appearances can be deceiving. 

When comparing the Astro Locker leak site with the Mount Locker leak site, investigators noticed that all five of the organizations listed on the Astro Locker site were also listed as victims on the Mount Locker site. Digging further, the sizes of the data leaks for each of the five matched, and the listings shared some of the same links to the leaked data. Looking at the matching links more closely, Sophos experts saw one final connection: some of the leaked data linked on the Mount Locker site was being hosted on the Astro Locker onion site: http[:]//anewset****.onion.  

“In recent incidents where Sophos experts investigated and neutralized an active Mount Locker attack, we noticed various techniques that suggest these attackers are not as sophisticated as other ransomware groups like Ryuk, REvil and DoppelPaymer,” said Peter Mackenzie, manager of Sophos’s Rapid Response team. “It is possible that the Mount Locker group wants to rebrand themselves to create a new and more professional image, or it could be an attempt to kickstart a true ransomware-as-a-service (RaaS) program. Regardless, if any organizations become a victim of Astro Locker in the future, they should investigate the TTPs of both Mount Locker and Astro Locker.” 

Mackenzie suggested that Mount Locker could be using the Astro name to pretend the group has a significant new affiliate for its new RaaS program, or it may be a genuine deal intended to speed up its transition into a RaaS operation. 

“Branding is a powerful force for ransomware groups. Good branding can come from a single threat group being skilled at hitting high-value targets and avoiding detection — such as DoppelPaymer — or by running a successful RaaS network — like Sodinokibi or Egregor. Powerful branding with ransomware groups can strike fear in targets and lead to a higher likelihood of pay-outs,” he concluded.

BCPS Hit by Conti Ransomware Gang, Hackers Demanded $40 Million Ransom

 

Several weeks ago, the Conti ransomware gang encrypted the systems at Broward County Public Schools and threatened to release sensitive personal information of students and staff unless the district paid a colossal $40 million ransom. Broward County Public Schools, the country's 6th biggest school district with an annual budget of about $4 billion, informed parents about a network outage on March 7 that adversely affected web-based teaching, but based on this new information, the incident was clearly much more serious. 

First reported by DataBreaches.net, the hackers took steps to disclose a huge trove of personal information, including the social security numbers of students, teachers, and employees, addresses, dates of birth, and school district financial contact information. “Upon learning of this incident, BCPS secured its network and commenced an internal investigation,” the statement continued. “A cybersecurity firm was engaged to assist. BCPS is approaching this incident with the utmost seriousness and is focused on securely restoring the affected systems as soon as possible, as well as enhancing the security of its systems.” 

The hackers published screenshots of a text message from mid-March between them and a district official — clearly a negotiation for the hackers to deliver the documents back to the district. 

“The good news is that we are businessmen,” the text message from the hackers said. “We want to receive ransom for everything that needs to be kept secret, and don’t want to ruin your reputation. The amount at which we are ready to meet you and keep everything as collateral is $40,000,000.” 

After weeks of negotiations, the hackers in the end brought the proposal down to $10 million. Under district policy, that sum is the maximum it can pay without school board approval. 

Broward County's case was one of several ransomware attacks that hit educational institutions in the past two weeks. The Clop ransomware gang was very active, with reported cases affecting the University of Maryland, Baltimore Campus (UMBC); the University of California, Merced; the University of Colorado; and the University of Miami. Jamie Hart, cyber threat intelligence analyst at Digital Shadows, noted that these attacks were led by the Clop gang and were targeted as a part of the Accellion FTA breach.

Ukrainian police arrested members of a well-known cyber ransomware group

Members of the Egregor group, which provides the service using the Ransomware-as-a-Service (RaaS) model, have been arrested by the Ukrainian police.

The arrest is the result of a joint operation of the French and Ukrainian law enforcement systems. The names of the arrested citizens were not disclosed, but it is known that they provided logistical and financial support for the service.

It is worth noting that this ransomware has been active since the fall of 2020 and works according to the Ransomware-as-a-Service (RaaS) model. That is, the authors of the malware rent it out to other criminals, who then hack companies, steal data, encrypt files, and demand a “double ransom” from victims (for decrypting files, as well as for not disclosing the data stolen in the process of hacking).

If the victims pay a ransom, the group that organized the hack keeps most of the funds, and the developers of Egregor receive only a small share. The attackers laundered funds through the Bitcoin cryptocurrency.

Those arrested are suspected, among other things, of providing such financial schemes.

According to Allan Liska, a cybersecurity researcher at Recorded Future, Recorded Future has discovered that the Egregor infrastructure, including the site and the management and control infrastructure, has been offline since at least Friday (February 12).

The French side joined the investigation after the Egregor software was used in attacks on the computer game developer Ubisoft and the logistics organization Gefco in 2020.

Although the Egregor system based on the RaaS model was launched in September 2020, a number of cybersecurity experts believe that the service operators are the well-known cyber ransomware group Maze.

DDoS Campaign Exposed by the Security Firm Radware

 

Security firm Radware uncovered a 'distributed denial-of-service' (DDoS) campaign run by threat actors. This campaign was launched to target the same set of victims from September 2020, after the companies failed to pay the initial ransom of between five and ten bitcoins ($160,000 and $320,000) demanded by the threat actors.

According to the reports, an anonymous group of hackers attacked the victims in August or September 2020 for the first time. In December 2020 and January, threat actors sent additional ransom extortion emails to the organizations after the victims failed to pay the initial ransom. Threat actors attacked the organizations with a DDoS strike immediately after the organizations received the second set of intimidating messages.

The latest DDoS strike surpassed 200Gbps and continued for more than nine hours without any disruption. As per the reports of Radware, the latest ransom note reads, “maybe you forgot us, but we didn’t forget you. We were busy working on more profitable projects, but now we are back”.

Radware security experts are convinced that the series of attacks was managed by the same ransomware group, due to the identical infrastructure used in the strike and the messages received from the ransomware group. Also, the organizations that received the latest letters were not named in the media last year; therefore, only the original ransomware group would have known that the companies had been targeted last year.

Radware security experts have noticed a change in the threat actors' strategy: in previous strikes, threat actors targeted the organizations for a few weeks and then moved on. “The 2020-2021 global ransom DDoS campaign represents a strategic shift from these tactics. DDoS extortion has now become an integral part of the threat landscape for organizations across nearly every industry since the middle of 2020”, the report explained.

This group of threat actors does not hold back from returning to the targets that originally ignored their warnings, which is a fundamental change in the tactics of threat actors. According to Radware, companies should be prepared for another letter and strike in the upcoming months.

Ransomware Group Published More Than 4,000 SEPA's Files Online

 

The Scottish Environment Protection Agency (SEPA) once again fell victim to threat actors. Hackers published more than 4,000 files on their website after the regulator refused to pay the ransom. It is noteworthy that these hackers were also responsible for attacking SEPA on Christmas Eve.

Last month, cybersecurity experts discovered that threat actors had stolen nearly 1.2 GB of data, which suggested they may have accessed and stolen 4,000 files. The threat actors locked the agency's emails and contact centre and were demanding a ransom to unlock them. SEPA said it has to start from scratch and build a whole new system following a ‘significant cyber-attack’. 

The agency is still able to provide essential services regarding flood forecasting and warnings, as well as regulation and monitoring services. The Conti ransomware group claimed responsibility for the attack, but SEPA hasn’t validated the group's claims. The published information includes personal information associated with SEPA employees and information associated with commercial work with international allies.

Terry A’Hearn, chief executive of SEPA stated that “we’ve been clear that we won’t use public finance to pay serious and organized criminals’ intent on disrupting public services and extorting public funds. We have made our legal obligations and duty of care on the sensitive handling of data a high priority and, following Police Scotland advice, are confirming that data stolen has been illegally published online”. 

“We’re working quickly with multi-agency partners to recover and analyze data then, as identifications are confirmed, contact and support affected organizations and individuals”, he further added.

Ransomware groups are quite successful in their tactics of stealing data and threatening to publish it online if a ransom isn’t paid in exchange for the decryption key. Every month ransomware gangs are making hundreds of thousands of dollars in bitcoin per attack.