On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within the OSINT community and our datasets. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.…
Tag: LEAK
A ransomware victim called in the BlackBerry Incident Response (IR) team during this year’s 4th of July holiday weekend. We quickly realized we were investigating an attack by a previously unknown group, calling themselves “MONTI.” They encrypted nearly 20 user hosts along with a multi-host VMware ESXi cluster that brought down over 20 servers.…
The Cybereason Global Security Operations Center (GSOC) Team issues Threat Analysis Reports to inform on impacting threats. The Threat Analysis Reports investigate these threats and provide practical recommendations for protecting against them.…
Earlier this year, [redacted] encountered a relatively new ransomware threat actor that called themselves BianLian. We observed the actor deploying custom malware that was written in the Go programming language, which posed some initial, but not insurmountable, reverse-engineering challenges.
BianLian used subtle techniques to exploit, enumerate, and move laterally in victim networks to remain undetected and aggressively worked to counter Endpoint Detection & Response (EDR) protections during the encryption phase of their operations.…
Stealing information is fundamental to cybercriminals today to scope and gain access to systems, profile organizations, and execute bigger payday schemes like ransomware. Information stealer malware families including Prynt Stealer are often configured through a builder to facilitate the process for less sophisticated threat actors. However, Zscaler ThreatLabz researchers have uncovered the Prynt Stealer builder, also attributed with WorldWind, and DarkEye, has a secret backdoor in the code that ends up in every derivative copy and variant of these malware families.…
BlueSky ransomware is an emerging threat that researchers have been paying increasing attention to since its initial discovery in late June 2022. The ransomware has been observed being spread via trojanized downloads from questionable websites as well as in phishing emails.
Although infections at this time remain low, the ransomware’s characteristics, described below, suggest it has been carefully developed for a sustained campaign.…
New .NET-Based Ransomware Performs Targeted Attack
Read More Several organizations, big or small, have been facing threats from Threat Actors (TAs) at a greater frequency than ever before. An organization’s primary danger remains losing access to their systems and data, which is further aggravated by the threat of TAs leaking the data if ransom requests are not fulfilled or the victim reaches out to law enforcement authorities. …
GoLang-based Ransomware targets multiple industries
Read More Cyble Research Labs has observed that malware written in the programming language “Go” has recently been popular among Threat Actors (TAs). This is likely due to its cross-platform functionalities and the fact that it makes reverse engineering more difficult. We have seen many threats developed using the Go language, such as Ransomware, RAT, Stealer, etc.…
Background
Read More Over the last year Mandiant has been tracking UNC3890, a cluster of activity targeting Israeli shipping, government, energy and healthcare organizations via social engineering lures and a potential watering hole. Mandiant assesses with moderate confidence this actor is linked to Iran, which is notable given the strong focus on shipping and the ongoing naval conflict between Iran and Israel.…
Insights into Onyx Ransomware’s recent Operations
Read More Onyx ransomware was initially identified by researchers in mid-April 2022. The ransomware group uses the double extortion technique to target its victims where it exfiltrates the victim’s data, then encrypts it. If the victim cannot pay the ransom, then Threat Actors (TA) leak the victim’s data on their leak site.…
THIS POST IS ALSO AVAILABLE IN:
Read More 日本語 (Japanese)
Update HistoryDate Description of UpdatesAug. 10th 2022Adding clarifying details on activity involving active directory.Aug. 10th 2022Update made to the Cisco Response and Recommendations section related to MFA. Executive summaryOn May 24, 2022, Cisco became aware of a potential compromise.…This post is also available in: 日本語 (Japanese)
Executive SummaryBeginning in early May 2022, Unit 42 observed a threat actor deploying Cuba Ransomware using novel tools and techniques. Using our naming schema, Unit 42 tracks the threat actor as Tropical Scorpius.
Here, we start with an overview of the ransomware and focus on an evolution of behavior observed leading up to deployment of Cuba Ransomware.…
Industrial Spy is a relatively new ransomware group that emerged in April 2022. In some instances, the threat group appears to only exfiltrate and ransom data, while in other cases they encrypt, exfiltrate and ransom data. Industrial Spy started as a data extortion marketplace where criminals could buy large companies’ internal data; they promoted this marketplace using README.txt…
Introduction
Read More Hive ransomware is one of the most active financially motivated threat actors of this period, adopting the current Double Extorsion model. They started their malicious activities in June of the past year, and just in a year of activity they collected a big number of victims, demonstrating the capability to hit even critical infrastructures. …
In June 2022, LockBit revealed version 3.0 of its ransomware. In this blog entry, we discuss the findings from our own technical analysis of this variant and its behaviors, many of which are similar to those of the BlackMatter ransomware.
In March 2022, less than a year after LockBit 2.0 first emerged, researchers caught wind of an upcoming new variant of the LockBit ransomware. LockBit…
By Jim Walter & Aleksandar Milenkoski
LockBit 3.0 ransomware (aka LockBit Black) is an evolution of the prolific LockBit ransomware-as-a-service (RaaS) family, which has roots that extend back to BlackMatter and related entities. After critical bugs were discovered in LockBit 2.0 in March 2022, the authors began work on updating their encryption routines and adding several new features designed to thwart researchers.…
We look into a recent attack orchestrated by the Black Basta ransomware group that used the banking trojan QakBot as a means of entry and movement and took advantage of the PrintNightmare vulnerability to perform privileged file operations.
Since it became operational in April, Black Basta has garnered notoriety for its recent attacks on 50 organizations around the world and its use of double extortion, a modern ransomware tactic in which attackers encrypt confidential data and threaten to leak it if their demands are not met.…
ReversingLabs recently discovered instances of the AstraLocker 2.0 malware distributed directly from Microsoft Word files used in phishing attacks.
Executive SummaryReversingLabs recently discovered of a new version of the AstraLocker ransomware (AstraLocker 2.0) that was being distributed directly from Microsoft Office files used as bait in phishing attacks.…
This post is also available in: 日本語 (Japanese)
Executive SummaryHelloXD is a ransomware family performing double extortion attacks that surfaced in November 2021. During our research we observed multiple variants impacting Windows and Linux systems. Unlike other ransomware groups, this ransomware family doesn’t have an active leak site; instead it prefers to direct the impacted victim to negotiations through TOX chat and onion-based messenger instances.…
This blog post was authored by Jérôme Segura
There are many techniques threat actors use to slow down analysis or, even better, evade detection. Perhaps the most popular method is to detect virtual machines commonly used by security researchers and sandboxing solutions.
Reverse engineers are accustomed to encountering code snippets that check certain registry keys, looking for specific values indicating the presence of VMware or Virtual Box, two of the most popular pieces of virtualization software.…