Summary:
The Howling Scorpius ransomware group, known for its Akira ransomware-as-a-service, has emerged as a significant threat since early 2023. Utilizing a double extortion strategy, they target small to medium-sized businesses across various sectors globally, particularly in North America, Europe, and Australia. Their ongoing enhancements to ransomware tools and techniques pose increasing risks to organizations.
#HowlingScorpius #AkiraRansomware #RansomwareThreat
Key points:
- Howling Scorpius ransomware group emerged in early 2023.
- Employs a double extortion strategy to maximize pressure on victims.
- Targets small to medium-sized businesses across multiple sectors.
- Utilizes encryptors for both Windows and Linux operating systems.
- Maintains a Tor-based leak site where stolen data is published if victims do not pay.
- Affiliates exploit vulnerabilities in VPN services and conduct spear phishing campaigns for initial access.
- Employs credential access techniques using tools like Mimikatz and LaZagne.
- Utilizes various methods for persistence, discovery, and lateral movement within networks.
- Ransomware variants include Akira and Megazord, with distinct characteristics and encryption methods.
- Recent updates indicate ongoing development and enhancement of ransomware capabilities.
MITRE Techniques:
- Initial Access (T1071): Exploits vulnerable VPN services and conducts spear phishing campaigns.
- Credential Access (T1003): Uses Mimikatz and LaZagne for credential extraction.
- Persistence (T1136): Creates new domain accounts for persistent access.
- Lateral Movement (T1021): Utilizes RDP and SMB for lateral movement within networks.
- Exfiltration (T1041): Exfiltrates data using tools like WinRAR and FTP.
- Defense Evasion (T1562): Disables security tools and uses VMs to bypass security measures.
IoC:
[file hash] 08207409e1d789aea68419b04354184490ce46339be071c6c185c75ab9d08cba
[file hash] 2727c73f3069457e9ad2197b3cda25aec864a2ab8da3c2790264d06e13d45c3d
[file hash] 2db4a15475f382e34875b37d7b27c3935c7567622141bc203fde7fe602bc8643
[file hash] 56f1014eb2d145c957f9bc0843f4e506735d7821e16355bcfbb6150b1b5f39db
[file hash] 58e9cd249d947f829a6021cf6ab16c2ca8e83317dbe07a294e2035bb904d0cf3
[file hash] 678ec8734367c7547794a604cc65e74a0f42320d85a6dce20c214e3b4536bb33
[file hash] 1ba1ccfacffbb6be9480380f5535a30d3eee1dd7787f3c649ebf8ea2a6a5de51
[file hash] 9f873c29a38dd265decb6517a2a1f3b5d4f90ccd42eb61039086ea0b5e74827e
[file hash] 1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc
[file hash] cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8
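The hashes above are only useful once they are checked against something. The following Python script is an added example, not part of the Unit 42 report or the original page: it copies the ten SHA-256 values from the IoC list into a set, streams every file under a directory through SHA-256, and reports any match. The directory path and the sample file used in testing are assumptions; the hash set is taken verbatim from the list above.

```python
"""Sweep a directory tree for files whose SHA-256 appears in the Akira IoC list.

Added example (not from the Unit 42 report). The hash set below is copied from
the IoC section of this page; the root directory is whatever the operator passes.
"""
import hashlib
import os
import sys
from typing import Dict, Iterator, Set

# SHA-256 file hashes from the IoC section above, lowercase hex.
AKIRA_IOC_SHA256: Set[str] = {
    "08207409e1d789aea68419b04354184490ce46339be071c6c185c75ab9d08cba",
    "2727c73f3069457e9ad2197b3cda25aec864a2ab8da3c2790264d06e13d45c3d",
    "2db4a15475f382e34875b37d7b27c3935c7567622141bc203fde7fe602bc8643",
    "56f1014eb2d145c957f9bc0843f4e506735d7821e16355bcfbb6150b1b5f39db",
    "58e9cd249d947f829a6021cf6ab16c2ca8e83317dbe07a294e2035bb904d0cf3",
    "678ec8734367c7547794a604cc65e74a0f42320d85a6dce20c214e3b4536bb33",
    "1ba1ccfacffbb6be9480380f5535a30d3eee1dd7787f3c649ebf8ea2a6a5de51",
    "9f873c29a38dd265decb6517a2a1f3b5d4f90ccd42eb61039086ea0b5e74827e",
    "1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc",
    "cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8",
}


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large binaries are never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_known_ioc(sha256_hex: str, iocs: Set[str] = AKIRA_IOC_SHA256) -> bool:
    """Case-insensitive membership test; IoC feeds mix upper- and lower-case hex."""
    return sha256_hex.strip().lower() in iocs


def walk_files(root: str) -> Iterator[str]:
    """Yield every regular file path under root (symlinks to directories are not followed)."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            yield os.path.join(dirpath, name)


def scan_directory(root: str, iocs: Set[str] = AKIRA_IOC_SHA256) -> Dict[str, str]:
    """Return {path: sha256} for each file under root whose hash is in iocs.

    Unreadable files (permissions, vanished temp files) are skipped so that one
    error does not abort the sweep of the rest of the tree.
    """
    hits: Dict[str, str] = {}
    for path in walk_files(root):
        try:
            digest = sha256_of_file(path)
        except OSError:
            continue
        if is_known_ioc(digest, iocs):
            hits[path] = digest
    return hits


if __name__ == "__main__":
    # Usage: python akira_ioc_sweep.py /path/to/scan   (path is an assumption)
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "."
    matches = scan_directory(scan_root)
    for match_path, match_digest in sorted(matches.items()):
        print(f"IOC MATCH {match_digest} {match_path}")
    print(f"{len(matches)} match(es) under {scan_root}")
```

A match on one of these hashes is a strong signal that the file is an Akira or Megazord encryptor sample and should be isolated and reported, but absence of a match proves nothing, since affiliates rebuild payloads and the hashes change with each build; treat this sweep as one input alongside the behavioural indicators listed above (credential dumping, new domain accounts, RDP/SMB lateral movement, security tooling disabled).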
Full Research: https://unit42.paloaltonetworks.com/threat-assessment-howling-scorpius-akira-ransomware/