July 2022 saw a range of ransomware attacks by both established and new groups, including LockBit, Hive, Lilith, RedAlert (aka N13V), and H0lyGh0st, which targeted small and medium-sized businesses (SMBs).
The H0lyGh0st operators, tracked by Microsoft as DEV-0530, ran a dark web site to interact with their victims. The group used the following methodology:
- First, all files were encrypted on the target device with the file extension .h0lyenc.
- A sample of the encrypted files was sent to the victim as proof.
- Payment between 1.2 and 5 bitcoin was demanded in exchange for restoring access to the encrypted files.
- Victims were pressured to pay or risk having their information published on social media.
- On their dark web portal, the threat actors claimed to “close the gap between the rich and poor” and “help the poor and starving people.”
DEV-0530 is believed to have connections with another North Korea-based group known as Plutonium (aka DarkSeoul or Andariel), a sub-group operating under the Lazarus umbrella (aka Zinc or Hidden Cobra).
Also active in July 2022 was MedusaLocker, a typical ransomware that encrypts victims' data and demands a ransom for the decryption key. Its operators use a Ransomware-as-a-Service (RaaS) business model: the MedusaLocker developer supplies the ransomware to other threat actors (affiliates) in exchange for a share of the ransom payments. The split appears to be 55%-60% for the affiliate who carries out the attack and receives the payment, and 40%-45% for the developer of MedusaLocker.
The MedusaLocker attacks followed a well-known pattern:
- The threat actors used phishing and spam emails to deliver the ransomware to their victims.
- Sometimes, the threat actors abused vulnerable Remote Desktop Protocol (RDP) configurations.
- The ransomware used a batch file to execute the PowerShell script Invoke-ReflectivePEInjection.
- This script propagated MedusaLocker throughout the network by editing the EnableLinkedConnections value in the infected machine's registry.
- That change allowed the infected machine to detect attached hosts and networks via the Internet Control Message Protocol (ICMP) and shared storage via the Server Message Block (SMB) protocol.
- MedusaLocker then restarted the LanmanWorkstation service so the registry edit took effect.
- The ransomware then killed security, accounting, and forensic software processes.
- The machine was restarted in safe mode to avoid detection by security software.
- The victim's data was encrypted with the AES-256 algorithm.
- The AES key was then encrypted with an RSA-2048 public key, so only the holder of the private key can recover it.
- Persistence was established by copying an executable (svhost.exe or svhostt.exe) to the %APPDATA%\Roaming directory and scheduling a task to run the ransomware every 15 minutes.
- Standard recovery techniques were prevented by deleting local backups, disabling startup recovery options, and deleting shadow copies.
- The MedusaLocker threat actors left a ransom note with communication instructions in every folder containing an encrypted file.
- This note instructed the victims on how to make ransomware payments to a specific Bitcoin wallet address.
- The demanded amount seemed to be tailored to the victim’s perceived financial status.
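As an added illustration (not part of the original report and not MedusaLocker's or CISA's code), the following Python correlates the host behaviors listed above into a single hunt rule over process and registry telemetry. The Sysmon-style events, host names and user path are constructed; the exact command lines (net stop LanmanWorkstation, schtasks /sc minute /mo 15, vssadmin delete shadows, bcdedit ... recoveryenabled no / safeboot minimal) are assumptions about how these behaviors would appear in telemetry, since the report names the behaviors rather than the commands. The point is that each indicator alone is routine administration; their co-occurrence on one host is what makes the chain high-fidelity.

```python
import re

# Indicators derived from the MedusaLocker behaviors described above.
# Each is (name, compiled pattern) matched against "<image> <command line>".
# The concrete command syntax is an assumption, not taken from the report.
PROCESS_INDICATORS = [
    ("lanman_restart",       re.compile(r"\b(net1?|sc)(\.exe)?\s+(stop|start)\s+LanmanWorkstation\b", re.I)),
    ("svhost_in_appdata",    re.compile(r"\\AppData\\Roaming\\svhostt?\.exe\b", re.I)),
    ("task_every_15_min",    re.compile(r"schtasks.*/sc\s+minute\s+/mo\s+15\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)),
    ("recovery_disabled",    re.compile(r"bcdedit.*recoveryenabled\s+no\b", re.I)),
    ("safeboot_set",         re.compile(r"bcdedit.*safeboot\s+(minimal|network)\b", re.I)),
]

# Constructed Sysmon-style events (hypothetical hosts "WS01"/"WS02" and user "jdoe").
# WS01 shows the full chain; WS02 shows benign admin activity that shares tools with it.
EVENTS = [
    {"host": "WS01", "type": "registry_set",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections",
     "details": "DWORD (0x00000001)"},
    {"host": "WS01", "type": "process", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop LanmanWorkstation /y"},
    {"host": "WS01", "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 15 /tn svhost /tr "C:\Users\jdoe\AppData\Roaming\svhostt.exe"'},
    {"host": "WS01", "type": "process", "image": r"C:\Users\jdoe\AppData\Roaming\svhostt.exe",
     "cmdline": r"C:\Users\jdoe\AppData\Roaming\svhostt.exe"},
    {"host": "WS01", "type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "WS01", "type": "process", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "WS01", "type": "process", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} safeboot minimal"},
    {"host": "WS02", "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn Backup /tr "C:\Tools\backup.exe"'},
    {"host": "WS02", "type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]


def match_event(event):
    """Return the set of indicator names a single event triggers."""
    names = set()
    if event["type"] == "registry_set":
        # EnableLinkedConnections=1 makes mapped drives visible to elevated processes.
        target = event["target"].lower()
        if target.endswith(r"\enablelinkedconnections") and "0x00000001" in event["details"]:
            names.add("linked_connections_registry")
    elif event["type"] == "process":
        text = event["image"] + " " + event["cmdline"]
        for name, pattern in PROCESS_INDICATORS:
            if pattern.search(text):
                names.add(name)
    return names


def correlate(events):
    """Group distinct indicators per host; every host seen gets an entry, even if empty."""
    hits = {}
    for event in events:
        hits.setdefault(event["host"], set()).update(match_event(event))
    return {host: sorted(names) for host, names in hits.items()}


def flag_hosts(events, threshold=3):
    """Hosts on which at least `threshold` distinct chain indicators co-occur."""
    return sorted(host for host, names in correlate(events).items() if len(names) >= threshold)


if __name__ == "__main__":
    for host, names in correlate(EVENTS).items():
        print(host, names)
    print("flagged:", flag_hosts(EVENTS))
```

Tune the threshold to your environment: backup agents legitimately call vssadmin and bcdedit, so a threshold of one or two will page on noise, while the full chain above trips all seven indicators on WS01 and none on WS02.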
Another ransomware gang that made its presence felt in July 2022 was RedAlert, also called N13V. This new operation encrypted Windows and Linux VMware ESXi servers on corporate networks using the NTRUEncrypt public-key encryption algorithm. What makes RedAlert particularly dangerous is its dedicated targeting of VMware ESXi hosts, with command-line options to shut down any running virtual machines before encrypting their files.
The RedAlert threat actors extorted payments in two ways: (1) by demanding a ransom for a decryptor to regain access to encrypted files, and (2) by demanding payment to prevent the leaking of stolen data. Victims who were unwilling to pay had their stolen data published on RedAlert's data leak site for anyone to download and abuse.
Another actor worth mentioning is Knotweed, an Austria-based "private-sector offensive actor" (PSOA). This hacker-for-hire outfit was observed selling hacking tools and services through several business models, including access-as-a-service, hack-for-hire, and selling its Subzero malware to third parties. Knotweed's modus operandi involved chaining multiple Windows and Adobe zero-day exploits to attack targets in Europe and Central America.
Knotweed's Subzero malware consisted of Jumplump, a persistent loader, and Corelump, the main payload. Corelump made copies of legitimate Windows DLLs and overwrote sections of them with malicious code. It also modified fields in the PE header, e.g., adding new exported functions, disabling Control Flow Guard, and replacing the image file checksum with a value computed via CheckSumMappedFile so the tampered header remained self-consistent. Jumplump was dropped to disk in C:\Windows\System32\spool\drivers\color\, and COM registry keys were modified for persistence.
Jumplump loaded Corelump into memory from a JPEG file in the %TEMP% directory. If Corelump was not present, Jumplump downloaded it again from the C2 server. Both Jumplump and the downloader shellcode were heavily obfuscated to hinder analysis: most instructions were followed by a jmp to another instruction/jmp pair, producing a convoluted control flow throughout the program.
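As an added example that is not from Microsoft's Knotweed write-up or from this page, the following Python reproduces the header manipulation described for Corelump on a constructed, non-loadable PE32+ header that stands in for a legitimate Windows DLL. It clears IMAGE_DLLCHARACTERISTICS_GUARD_CF (disabling Control Flow Guard) and recomputes the image checksum with the same algorithm CheckSumMappedFile implements (32-bit one's-complement sum over the file with the CheckSum field zeroed, folded to 16 bits, plus the file length). It shows why a checksum check alone will not catch this: a naively patched header fails validation, but a Corelump-style patched header passes. The function and variable names are the example's own. The defender's takeaway is the triage rule at the end (a system DLL whose checksum validates but whose CFG bit is off is suspicious), which should be combined with Authenticode signature verification, since rewriting the checksum does not repair a broken signature.

```python
import struct

IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000
PE32PLUS_MAGIC = 0x20B
OPTIONAL_HEADER_SIZE = 240   # size of a PE32+ optional header
CHECKSUM_REL = 64            # CheckSum offset within the optional header (PE32 and PE32+)
DLLCHAR_REL = 70             # DllCharacteristics offset within the optional header


def pe_header_offsets(data):
    """Locate the CheckSum and DllCharacteristics fields; raise on anything that is not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                          # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):              # PE32 / PE32+ share these two field offsets
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return opt + CHECKSUM_REL, opt + DLLCHAR_REL


def pe_checksum(data, checksum_offset):
    """Image checksum as CheckSumMappedFile computes it."""
    if checksum_offset + 4 > len(data):
        raise ValueError("checksum field outside file")
    buf = bytearray(data)
    buf[checksum_offset:checksum_offset + 4] = b"\0\0\0\0"   # the field itself is excluded
    buf += b"\0" * (-len(buf) % 4)                            # pad to a whole number of dwords
    total = 0
    for (dword,) in struct.iter_unpack("<I", buf):
        total += dword
        total = (total & 0xFFFFFFFF) + (total >> 32)         # end-around carry
    total = (total & 0xFFFF) + (total >> 16)                 # fold to 16 bits
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)                                 # original (unpadded) length


def set_valid_checksum(data):
    off, _ = pe_header_offsets(data)
    buf = bytearray(data)
    struct.pack_into("<I", buf, off, pe_checksum(data, off))
    return bytes(buf)


def checksum_is_valid(data):
    off, _ = pe_header_offsets(data)
    return struct.unpack_from("<I", data, off)[0] == pe_checksum(data, off)


def has_guard_cf(data):
    _, off = pe_header_offsets(data)
    return bool(struct.unpack_from("<H", data, off)[0] & IMAGE_DLLCHARACTERISTICS_GUARD_CF)


def build_sample_pe(guard_cf=True):
    """Constructed minimal PE32+ header with no sections: a stand-in for a system DLL.
    Only the header fields matter here; the image is not loadable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)          # e_lfanew: PE header right after the DOS header
    # Machine=x64, 0 sections, SizeOfOptionalHeader=240, Characteristics=EXECUTABLE|LARGE_ADDRESS_AWARE|DLL
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, OPTIONAL_HEADER_SIZE, 0x2022)
    opt = bytearray(OPTIONAL_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<H", opt, DLLCHAR_REL, IMAGE_DLLCHARACTERISTICS_GUARD_CF if guard_cf else 0)
    return set_valid_checksum(bytes(dos) + b"PE\0\0" + coff + bytes(opt))


def disable_guard_cf(data, fix_checksum):
    """Simulate the Corelump header tampering: clear GUARD_CF and, if fix_checksum,
    write a freshly computed checksum so the header still validates."""
    _, off = pe_header_offsets(data)
    buf = bytearray(data)
    flags = struct.unpack_from("<H", buf, off)[0] & ~IMAGE_DLLCHARACTERISTICS_GUARD_CF
    struct.pack_into("<H", buf, off, flags)
    return set_valid_checksum(bytes(buf)) if fix_checksum else bytes(buf)


def triage(data):
    """Defender-side view: checksum consistency says nothing about tampering once the
    attacker recomputes it; the missing CFG bit on a 'system' DLL is the real signal."""
    return {"checksum_ok": checksum_is_valid(data), "guard_cf": has_guard_cf(data)}


if __name__ == "__main__":
    clean = build_sample_pe()
    print("clean:          ", triage(clean))
    print("naive patch:    ", triage(disable_guard_cf(clean, fix_checksum=False)))
    print("corelump-style: ", triage(disable_guard_cf(clean, fix_checksum=True)))
```

On a real host the same two checks can be run over DLLs in the spool\drivers\color and System32 directories; anything that reports checksum_ok but not guard_cf, or that fails Authenticode verification, deserves a closer look.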
To find out whether your organization is protected against the latest malware attacks, run Cymulate's Immediate Threats assessment. It lets you test and verify for yourself whether your organization is exposed to these attacks and suggests mitigations if it turns out that you are. IOCs are also available in the Cymulate UI.