Summary: A recent report by Rapid7 reveals a surge in ransomware groups, with 21 new or rebranded entities emerging since January 2024, alongside established gangs like LockBit. The report highlights a shift in tactics, including the exploitation of zero-days and a focus on smaller companies as primary targets for ransomware attacks.…
Tag: RAAS
The rise of DeathGrip ransomware, a Ransomware-as-a-Service (RaaS) model, highlights the decreasing barrier to entry for cybercriminals. With tools like LockBit 3.0 and Yashma/Chaos readily available, even those with minimal skills can launch sophisticated attacks. DeathGrip promotes its services through Telegram, offering features such as advanced encryption, security evasion techniques, and system manipulation capabilities.…
Short Summary:
Hunters International, a ransomware group that emerged in October 2023, has quickly become the 10th most active ransomware group in 2024. They operate as a Ransomware-as-a-Service (RaaS) provider, facilitating attacks by less sophisticated actors. Their tactics include data exfiltration, sophisticated encryption techniques, and targeting various sectors opportunistically, while avoiding Russian-influenced regions.…
Threat Actor: RADAR
Victim: Change Healthcare
Price: $22 million
Exfiltrated Data Type: Healthcare data
Key Points:
ALPHV group received a $22 million ransom from Change Healthcare. The data-exfiltrating affiliate was left unpaid and turned to RansomHub for payment.
Threat Actor: RADAR
Victim: Long Island Plastic Surgery (LIPSG)
Price: Reduced ransom (exact amount not specified)
Exfiltrated Data Type: Medical data
Key Points:
ALPHV allegedly received a reduced ransom from LIPSG.…
Short Summary:
The article discusses Mandiant’s detection of multiple intrusions involving the QAKBOT botnet and the subsequent deployment of BASTA ransomware by the threat cluster UNC4393. The group has shown a significant operational tempo, with over 40 intrusions across various industries, including healthcare. The article details the evolution of UNC4393’s tactics, malware usage, and its shift from readily available tools to custom malware development.…
The Eldorado ransomware group, which reportedly emerged in March, operates a new Ransomware-as-a-Service (RaaS) platform featuring locker variants specifically designed for VMware ESXi and Windows systems. However, this group, which is thought to be of Russian origin, might have older ties.
This post delves into the origins, tactics, and impact of Eldorado, providing a comprehensive overview of this notorious cybercriminal organization.…
Summary: The shift to hybrid work models has increased reliance on Remote Monitoring and Management (RMM) tools, which, while beneficial for IT management, also pose significant security risks. This article explores how threat actors exploit RMM tools and offers strategies for organizations to protect themselves from these attacks.…
Threat Actor: Stormous
Victim: Various targets
Price: $1500
Exfiltrated Data Type: Encrypted files
Key Points:
Enhanced Features: New version includes improved encryption speed and effectiveness.
Compatibility: Works on both x86 and x64 Windows platforms.
C2 Dashboard Access: Provides lifetime access to a control panel via the Tor network.…
Summary: A recent Europol report highlights the fragmentation of the ransomware-as-a-service (RaaS) landscape following the disruption of major groups, complicating attribution and defense strategies. The report notes a shift towards independent operations among affiliates, utilizing modified tools, while small and medium-sized businesses are increasingly targeted due to their perceived vulnerabilities.…
Black Basta is a malware that falls under the category of ransomware-as-a-service (RaaS). This software is operated by the cybercrime group known as Storm-1811. First detected in 2022, Black Basta has gained attention for its tactics.
The strategy of Black Basta involves double extortion.…
Summary: The Qilin ransomware group has targeted the healthcare sector, demanding a $50 million ransom from Synnovis, impacting several NHS hospitals. Known for its Ransomware-as-a-Service model, Qilin has evolved its tactics and tools since its emergence in 2022, compromising over 150 organizations globally.
Threat Actor: Qilin
Victim: Synnovis
Key Point:
Qilin exploits vulnerabilities in Fortinet devices and Veeam Backup & Replication software for initial access.…
Summary: The Scattered Spider cybercrime group is using RansomHub and Qilin ransomware variants in its attacks, indicating a potential power shift among hacking groups.
Threat Actor: Scattered Spider
Victim: Various victims, including Las Vegas casinos
Key Point:
The Scattered Spider cybercrime group, also known as Octo Tempest, is considered one of the most sophisticated and threatening groups currently in operation.…
Nefilim is a Ransomware-as-a-Service (RaaS) operation that emerged in March 2020 and is believed to have evolved from the Nemty ransomware family. This attribution is due to the fact that Nefilim arose at the time when Nemty’s operators decided to quit the RaaS business model to concentrate their efforts on more selective attacks with more dedicated resources.…
Summary: A new variant of the Mallox ransomware is targeting Linux systems, encrypting victim’s data and demanding a ransom for its release.
Threat Actor: Mallox ransomware
Victim: Linux systems
Key Point:
The new variant of Mallox ransomware targets Linux systems and uses custom encryption and a builder web panel.…
Summary: The content discusses a new ransomware-as-a-service called Eldorado that targets Windows and VMware ESXi VMs.
Threat Actor: Eldorado
Victim: Various organizations in the U.S.
Key Point:
Eldorado is a new ransomware-as-a-service (RaaS) that emerged in March and targets Windows and VMware ESXi VMs.…
Summary: The content discusses the average ransom demands in the first half of 2024 and highlights the highest ransom demands made by threat actors.
Threat Actor: Various threat actors
Victim: Regional Cancer Center (RCC), Synnovis, London Drugs
Key Point:
The average extortion demand per ransomware attack in the first half of 2024 was over $5.2 million.…
Key Points:
In June 2024, ReliaQuest responded to detections from an endpoint detection and response (EDR) tool signaling the beginning of a ransomware attack by the “Medusa” ransomware group that resulted in the encryption of various hosts in a customer environment. Since 2022, the Ransomware-as-a-Service (RaaS) group Medusa has targeted organizations in the technology, education, manufacturing, and healthcare sectors by taking advantage of unpatched vulnerabilities and hijacking legitimate accounts.…
Halcyon has encountered a new ransomware organization our researchers are tracking as Volcano Demon following several attacks in the past two weeks.
The following encryptor sample dubbed LukaLocker was identified encrypting victim files with the .nba file extension. In addition, multiple attack tools were identified with IOCs noted in the table below.…