Attacks Tied to SafePay, Qilin, Play and Akira Surge; Scattered Spider Returns
It’s shake-up season in the ransomware world as old brands have disappeared, forcing an affiliate diaspora and perverse innovation from a criminal underworld in flux.
Threat intelligence firm Cyble said in a Wednesday report that 40% of hacking incidents that came to light in April and May involved ransomware or a supply-chain attack (see: Supply Chain Attacks Really Are Surging).
Of the 401 victims claimed in May, 64 were traced to the ransomware groups SafePay, Qilin, Play and Akira. Half of these attacks were against U.S. organizations, followed by nearly two dozen each in Germany and Canada, and about a dozen each in Spain, the U.K., Italy and Brazil.
Such measurements are imperfect since ransomware groups don’t post the names of victims who paid extortion money. Ransomware groups also regularly lie and fail to list every non-paying victim. Nevertheless, such counts provide a metric for which groups appear to be most active.
The attacks claimed by each of the four groups have surged since the formerly high-flying ransomware-as-a-service operation RansomHub disappeared on April 1, possibly due to its infrastructure being seized by rival DragonForce.
“With major ransomware groups like RansomHub gone, RaaS operators are vying to capitalize on the influx of affiliates searching for new platforms,” said ReliaQuest, which also pointed to the total number of ransomware groups in operation having dropped by one-third since March 1.
“To attract this talent, we’ll likely see RaaS platforms introduce innovative capabilities or revise profit-sharing models,” it said. “This competition is expected to create a more fragmented yet increasingly sophisticated ransomware ecosystem.”
One major affiliate of late is “DevMan,” an individual or group that claimed 13 victims in May, and which runs its own data-leak site, Cyble said. The affiliate appears to have previously worked with RansomHub, Qilin, Apos and DragonForce, and more recently to have begun using either someone else’s rebranded – or else its own – crypto-locking malware against targets, including network-attached storage appliances.
“In a recent attack on media in Thailand, the group claimed that all systems and NAS devices were encrypted using their own customized encryptor, applying the .devman1 file extension,” Cyble said.
Some members of the English-speaking cybercrime collective tracked as Scattered Spider are also former RansomHub affiliates, and now appear to be working with DragonForce, although the exact nature of their relationship isn’t clear. After an apparent five-month sabbatical, Scattered Spider was tied to high-profile hits on Britain’s retail sector in April that involved DragonForce ransomware.
“While the DragonForce ransomware group claimed responsibility, it’s believed that Scattered Spider facilitated initial access for these incidents, highly likely signaling a strategic partnership to regain momentum,” ReliaQuest said.
This week, Google Threat Intelligence Group reported seeing signs that members of Scattered Spider have pivoted from the U.K. targets to U.S. insurers, leading to “multiple intrusions.”
Unusual Attack Involved Fog
Other recent attacks of note include attackers wielding Fog ransomware hitting an Asian financial institution in May in an “atypical” manner, using “highly unusual” tools as part of a never-before-seen attack chain, said security researchers at Symantec’s threat-hunting team in a recent report.
How attackers gained access to the victim’s network isn’t clear, but once they did so, they infected multiple systems, including two Exchange servers, and lingered for about two weeks inside the network before crypto-locking systems with Fog, researchers said.
As part of the attack, hackers used legitimate employee monitoring software called Syteca – formerly known as Ekran – that includes the ability to record keystrokes and on-screen behavior, researchers found. The attackers then attempted to delete the software, potentially to minimize their digital forensic footprint.
More unusual moves included deploying such open source penetration testing tools as GC2, Adaptix and Stowaway, “which are not commonly used during ransomware attacks,” and using a service to establish persistence inside the network, but only after unleashing ransomware, researchers said.
“These factors mean it could be possible that this company may in fact have been targeted for espionage purposes, with the ransomware attack merely a decoy, or perhaps also deployed in an attempt by the attackers to make some money while also carrying out their espionage activity,” they said. Ransomware can serve as a smokescreen for other activity, such as cyberespionage or destructive attacks (see: Anubis Ransomware Adds Wiper Capability, for Unclear Reasons).
New Players
Threat researchers are also tracking a number of ransomware groups that have recently launched, as well as debuted their own data-leak sites. Cyble said they include:
- Dire Wolf: The group has lately posted a handful of victims – including organizations in Asia, Australia and Italy;
- DataCarry: The organization has been “actively targeting European companies” and listed some victims;
- J: Following attacks in March, the group launched a data-leak site where it listed as victims “multiple organizations across South America, Australia, Europe, the U.S. and Asia”;
- Silent Team: The design of the group’s new data-leak site “mimics that of Hunters International,” and has listed as victims an American engineering firm and an aerospace manufacturer based in Canada;
- Gunra: This group – its name has been provisionally assigned by security researchers tracking its behavior – has so far listed three victims in total from Egypt, Japan and Panama.
REvil’s Legacy Lives On
Another up-and-coming group is Bert, which appeared to launch in mid-March with attacks targeting Windows systems, before expanding its attacks to hit Linux systems starting in May, apparently oftentimes via phishing attacks, said security researcher Rakesh Krishnan in a recent blog post.
On its data-leak site, Bert lists the greatest number of claimed victims in the United States, followed by the United Kingdom, Malaysia, Taiwan, Colombia and Turkey.
Krishnan recently found and published six samples of the group’s Windows .exe malware and two of its .elf Linux encryptors. He said the latter is notable for having about an 80% crossover with REvil – aka Sodinokibi – ransomware, which launched in 2020 from the ashes of GandCrab.
REvil appeared to have been disrupted by Russian law enforcement in January 2022, attempted a reboot, and then to have become fully defunct by the end of the year. While REvil’s code never leaked, Secureworks in 2021 reported that the LV ransomware group appeared to be using REvil’s code. Researchers said that while the group may have purchased the code, their investigation suggested that the group instead pirated it, and “likely used a hex editor to remove potentially identifying characteristics from the binary to conceal that LV is a repurposed version of REvil.”
Other groups have also used the REvil code, including DarkSide and then BlackMatter, suggesting they may have been spinoffs. How Bert came to possess the code isn’t clear.
Ransomware groups may come and go in name, but many of the individual affiliates and operators remain the same.