This week featured a number of large-scale attacks, one of which shut down a German newspaper chain’s print edition and forced them to drop the paywall on their digital edition.
The FBI also put out a warning about a ransomware group called Daixin which was targeting health care organizations.
MapleSEC.ca focuses on readiness
It was also the week for Canada’s national security conference, MapleSEC, which was held as a hybrid (live and digital) event for the first time. The conference theme was “Are You Ready?” If you missed it, you can still check out the on-demand replay, including the panel on ransomware on Day 1, at MapleSEC.ca.
One of the points made at MapleSEC was that there are a number of resources which are available from governments, downloadable for free. Moreover, many of these resources are adaptable to companies of any size. For example, there is a free ransomware readiness assessment from the US government to help large and small businesses conduct an analysis of their readiness.
Ransomware – Myth Meets Reality
The week held echoes of two stories: the myth of Pandora’s box and the legend of the Hydra. Pandora’s box is a myth that explains the release of evil into the world – once the box was opened, evil escaped and could not be put back in the box. The Hydra legend talks of a mystical multi-headed beast where, if one cut off a head, it would grow back.
Pandora’s Box – Ransomware attacks leverage “legitimate” commercial security tools
The threat actors behind the Black Basta ransomware are the latest to be detected using commercial tools designed for use by “ethical hackers” to detect weaknesses and allow companies to harden their defences.
The Hacker News reported on the Black Basta ransomware family using the Qakbot (aka Quackbot or Qbot) trojan to deploy the Brute Ratel C4 framework in the second stage of their attacks.
Qakbot is an “information stealer” that has been around since 2007 and is used as a downloader for deploying malware. In this case, it’s deploying Brute Ratel C4 (BRc4) which is a very sophisticated toolset designed to be used in penetration testing.
BRc4 is commercial software, licensed for use, and is very effective at helping breach cybersecurity defences. It automates tactics, techniques and procedures (TTPs), includes tools for process injection, can upload and download files, and supports multiple command-and-control channels. It is also reputed to hide threats in memory in ways that evade endpoint detection and response (EDR) and anti-malware software.
A cracked version of BRc4 has been in circulation for about a month. While the developers have upgraded their licensing algorithm to prevent further misuse, Chetan Nayak, who lists himself as the Brute Ratel C4 author, stated in a Twitter post that the theft had caused “irreparable damage.”
Because of its ability to evade detection, BRc4 is a major threat, but it is not the only example of commercial testing and simulation software being adapted for use by ransomware attackers. Cobalt Strike, which describes itself as “adversary simulation” software, has been in use for a number of years now as a component of ransomware and other attacks. Cobalt Strike is also difficult to detect; it uses what it calls Beacons to modify its network signature and to pretend to be legitimate traffic.
BRc4 uses a similar feature which it calls “Badgers” to communicate with outside servers and to exfiltrate data.
Hydra? REvil’s rise from the dead?
As in a scene from a horror movie, REvil seems to have risen from the dead. Almost a year ago, the gang was disbanded when an unknown person hacked their Tor payment portal and data leak blog.
Until that point, REvil had been a major force in ransomware, and achieved notoriety for conducting a supply-chain attack exploiting a zero-day vulnerability in the Kaseya MSP platform. That attack featured a demand for ransom and extortion threats against huge players such as computer maker Acer, and a threat to reveal stolen blueprints for unreleased devices from Apple.
The boldness of their attacks and the severity of the threats brought incredible pressure from law enforcement in the US. Even the Russian government, thought to be friendly to many other threat actors, seized property and made arrests, taking eight key gang members into custody.
But the final nail in the coffin for the group was the loss of their portal and blog, which effectively took the gang offline. Despite attempts to increase the percentage commission paid to their affiliates (as high as 90 per cent), they struggled to hold existing affiliates and to recruit new ones. Their public persona, known as “Unknown,” simply disappeared. A post in the security blog Bleeping Computer declared them “gone for good.” The same post, however, did predict that they would resurface or rebrand themselves. That appears to have happened.
A new ransomware operation called Ransom Cartel has surfaced, with code that experts say has striking similarities to REvil. This was first noted in a December 2021 Twitter post from Malware Hunter Team.
Now a new report from Palo Alto Networks’ Unit 42 has identified connections between REvil and Ransom Cartel, comparing their tactics, techniques and procedures (TTPs) and the code of their software.
But there may be more than one successor to REvil. In April of 2022, security researcher R3MRUM noted another ransomware group called “BlogXX” with encryptors almost identical to those used by REvil, albeit with some modifications to their code base. This group used almost identical ransom notes and even called themselves “Sodinokibi” (an alternate name for REvil) on their Tor sites.
That’s the week in ransomware. You can leave comments or tips by rating this article. Click the check or the X and leave a note for us.