Ship’s Chronicle: 16 November 2023 “Tales from the Cyber Seas: Navigating the Treacherous Waters of Ransomware”

Ahoy, me hearties! Welcome aboard the S.S. Cyber Corsair, where we navigate the stormy seas of cyber threats and tales of digital plunder. Today, we hoist the Jolly Roger to talk about a menace that's as fearsome as a kraken lurking in the depths of the cyber sea - Ransomware.

The Tale of Ransomware: A Pirate's Overview

Ransomware, the dreaded digital scallywag, has been making waves across the seven seas of cyberspace. In recent times, these cyber buccaneers have been more cunning than ever, targeting the very tools we rely on to spot their sneaky approaches. A report from Sophos reveals that in 82% of incidents, these cyber-crooks wiped or disabled logs to shroud their movements in mystery.
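A defender's counter to log wiping is to forward logs off the host and watch for the tampering itself. The following Python is an added example (not code from the chronicle or from Sophos) that runs a few detection rules over constructed Windows event records: the Event Log service's own "log cleared" events (Security 1102, System 104) and process-creation command lines that clear logs or weaken audit policy. Field names, the sample events and the rule names are assumptions for the example.

```python
import json
import re

# Constructed sample of Windows event records (one JSON object per line, as a
# SIEM forwarder might emit them). Not logs from any real incident.
_SAMPLE = [
    {"ts": "2023-11-16T02:11:04Z", "host": "WS-12", "channel": "Security", "event_id": 4624,
     "user": "CORP\\jdoe", "command_line": ""},
    {"ts": "2023-11-16T02:13:50Z", "host": "WS-12", "channel": "Security", "event_id": 4688,
     "user": "CORP\\jdoe", "command_line": "wevtutil.exe cl Security"},
    {"ts": "2023-11-16T02:13:51Z", "host": "WS-12", "channel": "Security", "event_id": 1102,
     "user": "CORP\\jdoe", "command_line": ""},
    {"ts": "2023-11-16T02:14:02Z", "host": "WS-12", "channel": "System", "event_id": 104,
     "user": "CORP\\jdoe", "command_line": ""},
    {"ts": "2023-11-16T02:15:30Z", "host": "SRV-03", "channel": "Security", "event_id": 4688,
     "user": "CORP\\svc_backup",
     "command_line": 'powershell.exe -nop -c "Clear-EventLog -LogName Security,System"'},
    {"ts": "2023-11-16T02:16:00Z", "host": "SRV-03", "channel": "Security", "event_id": 4688,
     "user": "CORP\\admin",
     "command_line": 'auditpol.exe /set /subcategory:"Process Creation" /success:disable'},
    {"ts": "2023-11-16T02:17:00Z", "host": "SRV-03", "channel": "Security", "event_id": 4688,
     "user": "CORP\\admin", "command_line": "notepad.exe C:\\Users\\admin\\notes.txt"},
]
SAMPLE_LINES = [json.dumps(e) for e in _SAMPLE]

# Command lines that clear logs or weaken auditing. Process-creation telemetry
# (Security 4688 with command-line auditing, or Sysmon event 1) records these
# before the targeted log is wiped, provided it has already been forwarded.
_COMMAND_RULES = [
    ("log_clear_command", re.compile(r"\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\b", re.I)),
    ("log_clear_command", re.compile(r"\bclear-eventlog\b", re.I)),
    ("audit_policy_tamper",
     re.compile(r"\bauditpol(\.exe)?\b.*(/clear|/remove|/(success|failure):disable)", re.I)),
    ("usn_journal_delete", re.compile(r"\bfsutil(\.exe)?\b.*\busn\s+deletejournal\b", re.I)),
    ("eventlog_service_stop",
     re.compile(r"\b(sc(\.exe)?\s+(stop|config)|Stop-Service|Set-Service)\b.*\beventlog\b", re.I)),
]

# Events the Event Log service writes itself when a log is cleared.
_CLEAR_EVENTS = {
    ("Security", 1102): "security_log_cleared",
    ("System", 104): "system_log_cleared",
}


def _is_process_creation(ev):
    return (ev.get("event_id") == 4688 and ev.get("channel") == "Security") or \
           (ev.get("event_id") == 1 and "Sysmon" in ev.get("channel", ""))


def detect_log_tampering(lines):
    """Return one finding per log-tampering indicator in an iterable of JSON lines."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        key = (ev.get("channel"), ev.get("event_id"))
        if key in _CLEAR_EVENTS:
            findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev.get("user"),
                             "rule": _CLEAR_EVENTS[key], "evidence": f"event {ev['event_id']}"})
            continue
        if _is_process_creation(ev):
            cmd = ev.get("command_line") or ""
            for rule, pattern in _COMMAND_RULES:
                if pattern.search(cmd):
                    findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev.get("user"),
                                     "rule": rule, "evidence": cmd})
                    break   # one finding per event is enough
    return findings


def hosts_with_tampering(findings):
    """Hosts that need a closer look, sorted for stable reporting."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    for f in detect_log_tampering(SAMPLE_LINES):
        print(f"{f['ts']} {f['host']:7} {f['rule']:22} {f['user']}: {f['evidence']}")
```

The point of pairing the command-line rules with the 1102/104 events is that a cleared Security log still leaves its own 1102 entry at the top of the freshly emptied log, and a forwarded 4688 survives even when the local copy is gone; a host producing either is worth a look regardless of which rule fired.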

But what be ransomware, ye might ask? It's a form of malware that locks ye out of your own treasures - files and systems - and demands a ransom to unlock them. And this threat be evolving faster than a sloop with a tailwind. In October alone, Malwarebytes reported 318 new victims posted on ransomware leak sites, with the top active gangs being LockBit, NoEscape, and PLAY.

Our tale gets murkier. Cybersecurity sleuths at WithSecure observed almost half (29 out of 60) of the ransomware groups they tracked in 2023 began their nefarious operations this very year. The seas be teeming with new players like AlphaLock, Hunters International, and GhostLocker, each bringing their own brand of terror.

But fear not! For every wicked pirate, there's a savvy corsair ready to defend the cyber realm. In this chronicle, we'll be dissecting the tactics of these digital marauders and hoisting the colors of defense against them.

So, grab your cutlasses and spyglasses, and let's delve deeper into the murky waters of ransomware. Be sure to keep a weather eye on the horizon for more tales of LockBit, ALPHV, AlphaLock, Hunters International, and GhostLocker - each a chapter in our saga of cyber skirmishes.

The Tale of AlphaLock: Training Pirates of the Cyber Seas

In the murky waters of the cyber realm, a new entity has surfaced - AlphaLock. This group, more akin to a sly fox than a raging bull, has donned the guise of a "pentesting training organization." But don't let their smooth talk fool ye; beneath this facade lies a crafty business model aimed at monetizing their dark arts.

The Jolly Roger of AlphaLock

AlphaLock ain't your ordinary band of hackers. They've made waves with their brazen approach and a marketing savvy that'd make even Blackbeard envious. With a song and a dance routine (aye, ye heard right!), a sleek user interface (in dark mode, no less!), and a clear business model, they're unlike any cybercrime group we've seen in 2023.

A Business Model in Two Parts

  • Bazooka Code Pentest Training: The first part of their scheme involves training a crew of hackers through online courses, dubbed "Bazooka Code." Here, they claim to be training "pentesters," though the true nature of these courses be murkier than the waters of the Bermuda Triangle. This approach allows them to cloak their true intentions under the guise of legitimacy.

  • The ALPentest Hacking Marketplace: The second piece of this puzzle is their ALPentest Hacking Marketplace. Here, they deploy their freshly trained hackers to a marketplace where other threat actors can purchase "pentesting services" aimed at specific targets. It's a cunning use of their trainees, creating an economy of cyber malice.

Set Sail with Caution!

So there ye have it, shipmates - a glimpse into the cunning world of AlphaLock. They may masquerade as trainers of pentesters, but make no mistake, these be pirates of the cyber realm, through and through. As we navigate these treacherous waters, let this tale be a reminder to keep a vigilant eye and a steady hand on the helm.

Sources:

The Tale of Hunters International: A New Threat on the Horizon

From the Ashes of Hive Ransomware: In a covert operation spannin' seven months, the FBI, in cahoots with law enforcement from Germany and the Netherlands, successfully dismantled the Hive ransomware group. This formidable bunch, responsible for targeting over 1,500 victims since June 2021 and baggin' more than $100 million in ransoms, met their match. Yet, the dismantling of Hive's infrastructure, though a significant blow, didn't spell the end of their legacy.

Hunters International Emerges: With the Hive dismantled, the remnants of their dark trade - the ransomware code and infrastructure - didn't just vanish into the briny deep. Nay, they were passed on to another ambitious group, Hunters International. This passing of the torch, or rather, the code, gave rise to a new threat actor equipped with a ready-made criminal enterprise.

A Pirate's Transition: Hunters International, unlike its predecessor, focuses more on data exfiltration than encryption. They've made it clear that they ain't just Hive rebranded; they're an independent group using Hive's tools for their own ends. This strategic shift marks a new chapter in the ransomware saga, with an emphasis on snatching data rather than just locking it away.

Simplifying the Code: The newly adopted ransomware code has undergone some simplification. The command line parameters have been cut down, and the encryption key storage process streamlined. The malware, now written in the Rust language, follows a more prevalent approach in the ransomware industry, embedding the decryption key within the encrypted files rather than storing it separately.

Double-Extortion Tactic: Hunters International seems to be adopting a double-extortion tactic, not just encrypting data but also stealing it. This approach complicates the defense against them, as even a functional backup may not fully address the issue of the stolen data.

Building a Reputation: As a new player, Hunters International faces the challenge of proving its mettle to attract high-caliber affiliates. With just a handful of victims at the time of reporting, their future impact remains uncertain, but their eagerness to show their capabilities suggests they may become a formidable force in the ransomware-as-a-service model.

Beware the New Predator of the Cyber Seas

So, there ye have it, hearties - the tale of Hunters International. They may not be as infamous as Hive just yet, but their focus on data exfiltration and adoption of Hive's tools makes 'em a threat not to be taken lightly. Keep a sharp lookout and your cyber defenses strong, for the seas of the internet are ever treacherous and full of unseen dangers.

For a deeper dive into the murky waters of Hunters International, cast yer eyes on these reports:

The Tale of GhostLocker: A Work in Progress on the High Seas of Ransomware

GhostLocker's Emergence: GhostLocker was unfurled to the cyber seas by GhostSec, primarily targeting established telecommunications, surveillance systems, and IoT devices. Marketed as a formidable, enterprise-grade locker, GhostLocker's initial price for the first 15 affiliates was pegged at $999, hinting at a future hike to $4,999.

A Pirate's Gadgetry: GhostLocker boasts an arsenal fit for a modern digital pirate:

  • Military-grade encryption

  • Evasion of major antivirus solutions using a polymorphic stub

  • Protection against reverse engineering

  • Self-deletion and service disruption capabilities

  • Automatic privilege escalation and a persistence mechanism

  • A "Watchdog" process and delayed encryption

Under Development: Despite its grand entrance, GhostLocker seems to be still in the shipyard, lacking basic file encryption abilities as per Rapid7's analysis. This RaaS encryptor, crafted using Python and distributed as a PyInstaller executable, is indeed a curious vessel still finding its sea legs.

The Ransom Note: The ransom note, dropped only in the 'Documents' folder, is more of a taunt than a demand, labeled 'lmao' ('Laughing My Ass Off'). It's handwritten, with syntax errors that betray its human origin. The note directs victims to an end-to-end encrypted messaging platform, Session, for negotiations - a modern twist to the classic ransom demand.

A Technological Evolution: In its latest iteration, GhostLocker utilizes Nuitka for compiling its Python program into a C binary, making it trickier for cybersecurity corsairs to investigate and thwart.
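The packaging detail matters for triage: a PyInstaller build can be recognised from its trailer, while a Nuitka build cannot, which is the point of the switch. The following Python is an added example (not from Rapid7 or the chronicle) that checks a file image for the PyInstaller archive cookie, which begins with the magic bytes `MEI\014\013\012\013\016` and records the Python version and the Python DLL name, and falls back to a string heuristic for Nuitka. The Nuitka marker strings, the sample byte images and the version-encoding rule are assumptions for the example.

```python
import struct

# PyInstaller appends its archive to the executable and ends it with a fixed
# cookie: the magic, package length, TOC offset, TOC length, Python version
# and the name of the Python shared library.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
_COOKIE_FMT = "!8sIIii64s"                    # cookie layout used by PyInstaller 2.1 and later
_COOKIE_SIZE = struct.calcsize(_COOKIE_FMT)    # 88 bytes

# Strings commonly found in Nuitka onefile binaries (assumption: a weaker,
# string-based heuristic rather than a documented file-format marker).
NUITKA_MARKERS = (b"NUITKA_ONEFILE_PARENT", b"__nuitka__")


def _decode_pyvers(pyvers):
    # Assumption: newer cookies store major*100+minor (311 -> 3.11), older
    # ones major*10+minor (37 -> 3.7).
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)
    return f"{major}.{minor}"


def detect_pyinstaller(data):
    """Return the cookie fields if `data` carries a PyInstaller archive, else None."""
    pos = data.rfind(PYINSTALLER_MAGIC)          # the cookie sits near the end of the file
    if pos < 0 or pos + _COOKIE_SIZE > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack(
        _COOKIE_FMT, data[pos:pos + _COOKIE_SIZE])
    return {
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": _decode_pyvers(pyvers),
        "pylib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def detect_nuitka(data):
    """String heuristic for Nuitka-built binaries; returns the markers seen."""
    return [m.decode() for m in NUITKA_MARKERS if m in data]


def classify(data):
    """Label a file image as pyinstaller, nuitka or unknown, with supporting detail."""
    pi = detect_pyinstaller(data)
    if pi:
        return "pyinstaller", pi
    nk = detect_nuitka(data)
    if nk:
        return "nuitka", {"markers": nk}
    return "unknown", {}


# Constructed byte images standing in for dropped executables (not real malware).
def build_fake_pyinstaller(pyvers=311, pylib=b"python311.dll"):
    stub = b"MZ" + b"\x00" * 62 + b"fake PE loader stub"
    archive = b"A" * 200
    cookie = struct.pack(_COOKIE_FMT, PYINSTALLER_MAGIC, len(archive) + _COOKIE_SIZE,
                         150, 50, pyvers, pylib)
    return stub + archive + cookie


FAKE_PYINSTALLER = build_fake_pyinstaller()
FAKE_NUITKA = b"MZ" + b"\x00" * 100 + b"NUITKA_ONEFILE_PARENT=" + b"\x00" * 10
PLAIN = b"MZ" + b"\x00" * 300

if __name__ == "__main__":
    for name, image in (("pyinstaller", FAKE_PYINSTALLER), ("nuitka", FAKE_NUITKA), ("plain", PLAIN)):
        print(name, classify(image))
```

On a real sample, read the file in binary mode and pass the bytes to `classify`; a PyInstaller hit tells you which Python version's bytecode to expect when unpacking, whereas a Nuitka hit only says the original was Python and the logic now has to be recovered from native code.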

Beware the Ghost of the Cyber Seas

GhostLocker, while still a fledgling in the vast ocean of ransomware, shows the signs of a menacing future. Its focus on stealth, evasion, and a blend of old and new extortion tactics marks it as a potential threat to keep a wary eye on.

For a deeper dive into the ghostly depths of GhostLocker, visit this port of call:

The Tale of ALPHV/BlackCat: A Malvertising Marauder

Cunning Use of Google Ads: ALPHV/BlackCat has been spotted using Google search ads to spread their nefarious ransomware. They cleverly disguise these ads as legitimate offers for popular software tools, luring unsuspecting business professionals to malicious sites. Once there, a Python-based malware payload paves the way for further infection.

Malvertising Campaigns: This isn't the first time ALPHV/BlackCat has been observed using such tactics. They've previously placed malicious ads for software like WinSCP in search results, demonstrating a savvy use of malvertising to ensnare their victims.

A Rising Tide of Browser-Based Attacks: Researchers have noted a shift in the ransomware landscape, with browser-based attacks now surpassing email-based attacks. This method's popularity is evident in the “massive spike” in Google ad-based malvertising detected earlier this year, indicating a potential growth in malvertising-as-a-service.

Notorious Attacks: The ALPHV/BlackCat gang has been linked to significant breaches, including the McLaren Health Care data breach, affecting nearly 2.2 million people. They're also believed to be behind attacks on MGM Resorts International and Caesars Entertainment, causing substantial financial damage.

Recommendations for Defense: To combat these threats, eSentire recommends reducing the types of script files allowed on networks, enhancing endpoint monitoring, and implementing rigorous telemetry logging protocols. This strategy is crucial, especially for devices and services that lack endpoint agent support.
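What "reducing the types of script files allowed" looks like in practice is a policy that names the script hosts, the file types each may run, and where they may run from, then a check of process-creation telemetry against it. The following Python is an added example (not eSentire's guidance or code, nor the chronicle's) that evaluates such a policy over constructed process events; the allowlist, the user-writable locations, the placeholder domain and the sample events are assumptions for the example.

```python
import re
from pathlib import PureWindowsPath

# Script hosts and the file types they execute. Which types a business needs
# is a local decision; this policy (an assumption for the example) allows only
# PowerShell and batch and blocks the browser-delivered types lures tend to
# use (.js, .vbs, .wsf, .hta, and .py run by a bundled interpreter).
SCRIPT_HOSTS = {
    "wscript.exe": {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"},
    "cscript.exe": {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"},
    "mshta.exe": {".hta"},
    "powershell.exe": {".ps1"},
    "pwsh.exe": {".ps1"},
    "cmd.exe": {".bat", ".cmd"},
    "python.exe": {".py", ".pyw"},
}
ALLOWED_TYPES = {".ps1", ".bat", ".cmd"}

# Locations a user (or a drive-by download) can write to; an allowed script
# type run from here still deserves a medium-severity look.
USER_WRITABLE = re.compile(
    r"^(C:\\Users\\[^\\]+\\(Downloads|AppData|Desktop)|C:\\Windows\\Temp)", re.I)

_QUOTED_OR_BARE = re.compile(r'"([^"]+)"|(\S+)')


def _script_argument(host, command_line):
    """Return the first argument that looks like a script file for `host`, else None."""
    tokens = [m.group(1) or m.group(2) for m in _QUOTED_OR_BARE.finditer(command_line)]
    types = SCRIPT_HOSTS[host]
    for tok in tokens[1:]:                      # tokens[0] is the image itself
        if PureWindowsPath(tok).suffix.lower() in types:
            return tok
    return None


def evaluate_event(ev):
    """Return a finding for a process-creation event, or None if it is within policy."""
    host = PureWindowsPath(ev["image"]).name.lower()
    if host not in SCRIPT_HOSTS:
        return None
    script = _script_argument(host, ev["command_line"])
    if script is None:
        return None          # interactive host, inline command, or non-script argument
    ext = PureWindowsPath(script).suffix.lower()
    if ext not in ALLOWED_TYPES:
        return {"host": ev["host"], "user": ev["user"], "severity": "high",
                "reason": f"blocked script type {ext} run via {host}", "script": script}
    if USER_WRITABLE.match(script):
        return {"host": ev["host"], "user": ev["user"], "severity": "medium",
                "reason": f"allowed type {ext} run from user-writable path", "script": script}
    return None


def evaluate(events):
    return [f for f in (evaluate_event(e) for e in events) if f]


# Constructed process-creation events (not telemetry from any real incident).
# "example.invalid" is a placeholder domain.
SAMPLE_EVENTS = [
    {"host": "WS-07", "user": "CORP\\mlee", "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Users\mlee\Downloads\WinSCP-6.1.2-Setup.js"'},
    {"host": "WS-07", "user": "CORP\\mlee", "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe https://example.invalid/update.hta"},
    {"host": "WS-07", "user": "CORP\\mlee", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\mlee\AppData\Local\Temp\inst.ps1"},
    {"host": "SRV-01", "user": "CORP\\svc_ops", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"host": "SRV-01", "user": "CORP\\svc_ops", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c C:\Scripts\nightly.bat"},
    {"host": "WS-07", "user": "CORP\\mlee", "image": r"C:\Users\mlee\AppData\Local\Temp\python.exe",
     "command_line": r"python.exe C:\Users\mlee\Downloads\setup.py"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['host']} {f['user']}: {f['reason']} ({f['script']})")
```

The same policy table can drive the preventive control (an application-control rule per host and type) and the detective one shown here; keeping both fed from one definition is what stops the allowlist on paper drifting from the one the endpoints enforce, and it gives the telemetry-only devices the page mentions at least a detection where no agent can block.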

Beware the BlackCat's Prowl

ALPHV/BlackCat's cunning use of malvertising and sophisticated attack methods make it a formidable adversary on the cyber seas. Stay vigilant, mates, and fortify your defenses to ward off these digital corsairs.

For more insights into the devious deeds of ALPHV/BlackCat, visit this port:

The Tale of LockBit: A Formidable Force in the Cyber Seas

A Sophisticated Cybercrime Entity: LockBit stands out as one of the most sophisticated cybercrime groups, linked to pro-Russian networks. With adept infiltration tactics and a methodical approach, it's become a formidable force. Unlike many of its kind, LockBit boasts an actual administrative network to manage its attacks and ransom negotiations.

A Torrent of High-Profile Attacks: In 2023, LockBit has set its sights on several high-profile targets. Recently, it claimed to have snatched "a huge amount of sensitive data" from aircraft manufacturer Boeing. The group's boldness was also on display in the Royal Mail cyberattack and other notable breaches in the UK, including a law firm, a fire alarm production company, and the Food and Drink Federation.

The Evolution of LockBit: Formerly known as ABCD ransomware, LockBit has evolved into a crypto-class ransomware. Its variants include:

  • The original LockBit, notable for its swift encryption process

  • LockBit 2.0, which enhanced its ability to decode strings and codes faster

  • LockBit 3.0, introducing a ransomware bug bounty program

  • LockBit Green, targeting Windows environments

  • LockBit for Mac, a macOS version still under development

The ICBC Attack: LockBit was believed to be behind a disruptive ransomware attack on the U.S. arm of the Industrial and Commercial Bank of China (ICBC), which affected trades in the U.S. Treasury market. This attack is part of an ongoing trend of increasing brazenness by ransomware groups, demonstrating that no target is off-limits.

Impact and Responses: U.S. authorities are working to curb the funding routes of ransomware gangs, but the challenge remains significant. LockBit has been responsible for attacks on 1,700 U.S. organizations since 2020. The ICBC attack highlights the vulnerability of large organizations' systems and is likely to prompt increased scrutiny of cybersecurity controls.

Beware the LockBit Menace

LockBit's relentless and sophisticated attacks underscore the critical need for robust cybersecurity measures across industries. The group's global reach and evolving tactics make it a formidable adversary in the digital realm.

For a deeper dive into the dark waters of LockBit's exploits, visit these ports:

And so, we've navigated through the treacherous waters of ransomware, encountering some of the most cunning and dangerous digital pirates of our age. From the deceptive AlphaLock to the relentless LockBit, these tales serve as a stark reminder of the perils lurking in the cyber seas.

Remember, the best defense against these marauders is vigilance and preparedness. Keep yer cybersecurity cannons primed and yer data treasures well-guarded. May your sails be full of wind and your voyages free of cyber storms.

Stay alert and steady on the course, for the cyber seas are ever-changing, and new threats are always on the horizon. Till our next adventure, keep yer eyes on the stars and yer hands on the wheel. Fair winds and following seas!
