SentinelOne is currently monitoring increased exploitation of CVE-2023-22518, a recently identified vulnerability in Atlassian’s Confluence Datacenter and Server software. We have observed multiple campaigns leveraging the bug to deploy new C3RB3R (Cerber) ransomware variants targeting both Windows and Linux hosts.

In this post, we detail the attack chain observed in these incidents and provide recent indicators to help responders and threat hunters identify and mitigate similar attacks in these ongoing campaigns.…

Unveiling the Dark Side: A Deep Dive into Active Ransomware Families

Author: Molly Dewis

Introduction

Our technical experts have written a blog series focused on the Tactics, Techniques and Procedures (TTPs) deployed by four ransomware families recently observed during NCC Group’s incident response engagements.

In case you missed it, our last post analysed an Incident Response engagement involving the D0nut extortion group.…


The hacker collective called GhostSec has unveiled an innovative Ransomware-as-a-Service (RaaS) framework called GhostLocker. They provide comprehensive assistance to customers interested in acquiring this service through a dedicated Telegram channel. Presently, GhostSec is focusing its attacks on Israel. This move represents a surprising departure from their past activities and stated agenda.…

Introduction

On October 11, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory on AvosLocker, a sophisticated double-extortion Ransomware-as-a-Service (RaaS) group that was last observed active in May 2023. Our research team put this report together so the security community can learn how to counter other threats that employ similar tactics, techniques, and procedures (TTPs). …

Introduction

As a cybersecurity company, Kaspersky is constantly dealing with known and brand-new malware samples. As part of our crimeware reporting service, we provide our customers with technical reports on the evolution of existing crimeware families, as well as newly emerging ones. In this article, we share excerpts from our reports on malware that has been active for less than a year: the GoPIX stealer targeting the PIX payment system, which is gaining popularity in Brazil; the Lumar multipurpose stealer advertised on the dark web; and the Rhysida ransomware supporting old Windows versions.…


Executive Summary

BlackCat operators recently announced new updates to their tooling, including a utility called Munchkin that allows attackers to propagate the BlackCat payload to remote machines and shares on a victim organization network. For the past two years, the BlackCat ransomware operators have continued to evolve and iterate their tooling as part of their ransomware-as-a-service (RaaS) business model.…


More than a week after it suffered a crippling ransomware attack, the hotel giant MGM is struggling to recover. The attack, linked to the ransomware-as-a-service (RaaS) group known as ALPHV, or BlackCat, caused slot machines and ATMs in MGM’s Las Vegas hotels to go dark and forced hotel staff to revert to pencil and paper while guests queued for hours in lines to check in and out of their rooms.…


With contributions from Shingo Matsugaya

We delve into three of the most active ransomware families that dominated the first half of 2023: LockBit, Clop, and BlackCat.

Since 2022, our telemetry has consistently pointed to LockBit and BlackCat as two of the most detected RaaS providers.

LockBit’s level of pervasiveness is reflected in a joint cybersecurity advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and other international security bureaus.…


Avaddon, a notorious Ransomware-as-a-Service (RaaS) that emerged in early 2019, was known for its double-extortion tactics. It not only encrypted victims’ files but also threatened to release stolen data publicly. Avaddon’s modus operandi involved targeting a diverse range of sectors, including healthcare, government, financial services, legal, hospitality, education, and retail.…

Executive Summary

eSentire, a top global Managed Detection and Response (MDR) security services provider, intercepted and shut down three separate ransomware attacks launched by affiliates of the notorious, Russia-linked LockBit Ransomware Gang. The FBI estimates that the LockBit operators and their affiliates have collected approximately $91 million since the group’s inception, and that is just U.S.…


On August 29, 2023, U.S. law enforcement announced a multinational operation that disrupted the Qakbot botnet (also known as Qbot) and associated infrastructure. Secureworks® Counter Threat Unit™ (CTU) researchers have long maintained active monitoring of the botnet and detected the disruption activity on August 25.

During the takedown, law enforcement identified over 700,000 infected computers and seized more than $8.6 million USD in illicit profits.…


[Update] November 16, 2023: See the subheading: “Collaborative Advisory by CISA, FBI, and MS-ISAC on Rhysida Ransomware.”

[Update] February 13, 2024: “A Free Decryption Tool Released”

The digital world is an ever-evolving landscape, and with it comes the evolution of cyber threats. One such emerging threat is the Rhysida Ransomware Group, a new player in the cybercrime arena that has been making waves since its first sighting in May 2023.…


The proliferation of Ransomware-as-a-Service (RaaS) and the widespread availability of leaked source code from prominent ransomware strains have elevated ransomware attacks to a significant concern for individuals and organizations alike. As more threat actors adopt this modus operandi, it becomes imperative to acquire a comprehensive understanding of the Tactics, Techniques, and Procedures (TTPs) employed by these ransomware affiliates.…
