Sunday, July 21, 2024

Ransomware gangs invest in custom malware to steal data • The Register

Must Read

As ransomware teams move beyond simply encrypting victims’ files and demanding payment to unlock them, instead stealing sensitive information outright, some of the more mature criminal organizations are developing custom malware for their data theft.

In a report released Wednesday by Cisco Talos, the threat intelligence unit reviewed the top 14 ransomware groups and analyzed their tactics, techniques, and procedures (TTPs). Talos selected the 14 based on the volume and impact of attacks and “atypical behavior by threat actors,” using data from the criminals’ leak sites, internal tracking, and other open-source reports.

The 14, listed here by number of victims on their respective shame sites, are the ones you’d probably expect: LockBit, ALPHV, Play, 8base, BlackBasta, BianLian, CLOP, Cactus, Medusa, Royal/Blacksuit, Rhysida, Hunters International, Akira, and Trigona.

“Over the past year, we have witnessed significant changes in the ransomware space with the emergence of multiple new ransomware groups, each with unique objectives, operational structures and victimology,” the report’s authors note.

“Diversification highlights a shift towards more targeted cybercriminal activities, as groups such as Hunters International, Cactus and Akira create specific niches, focusing on different operational objectives and stylistic choices to differentiate themselves,” they add.

Furthermore, as many gangs resort to double-extortion tactics – as we’ve seen in recent high-profile attacks on London hospitals’ pathology services provider Synnovis and auction house Christie’s, among others – some more established ransomware-as-a-service operations are developing malware tailored for data exfiltration, according to Talos.

Using this type of tactic, criminals will first break into their victims’ network, snoop around and steal valuable files, and only then encrypt the data on the network. They will also typically publish the victims’ names on their leak sites, extort (or at least attempt to extort) the organizations for huge sums of money, and then, if negotiations break down, the criminals will leak a sample of the stolen data to further increase the pressure on the victims to pay the requested ransom.

BlackByte and LockBit are among these more mature ransomware-as-a-service outfits that offer custom data exfiltration tools to their affiliates.

“BlackByte’s custom Exbyte exfiltration tool targets Windows hosts written in the Go programming language and facilitates the transfer of stolen files to an external server or cloud storage services,” said James Nutland, information security analyst at Cisco Talos. Register.

“Exbyte is used by BlackByte actors and incorporates several evasion techniques to avoid detection by security tools, such as testing whether it is running in a sandbox,” he added.

Meanwhile, LockBit, before being dismantled by international law enforcement in February, had its own StealBit malware.

“StealBit was created to maximize the overall efficiency of data exfiltration activities for LockBit affiliates, shortening the time to data theft,” Nutland said. “The tool functions similarly to legitimate applications on a host, with a graphical user interface that includes the ability to drag and drop files of the actors’ choosing.”

Typically, gangs follow a similar chain of attacks, starting with initial access and then establishing persistence in the victim’s environment. From there, they snoop around for valuable data and credentials to steal and use that access to move laterally and escalate privileges so they can dig deeper into the network. Finally, they copy the targeted data and then deploy the ransomware’s encryption code.

They typically gain initial access to the target network through a combination of social engineering, network scanning, and other publicly available research to learn about their victims and how to best gain access to their systems.

The “most prolific” criminals on the scene prioritize “gaining initial access to targeted networks, with valid accounts being the most common mechanism,” according to the research, and one of the ways criminals obtain these legitimate account credentials is through the use of information-stealing malware.

This was the case with recent incidents of data theft from Snowflake customers, and it’s worth noting that these victim organizations did not have multi-factor authentication enabled. Other security outlets have also highlighted an increase in the use of data stealers among ransomware teams over the past year.

“Information thefts are a tool often leveraged by initial access intermediaries to collect credentials and personal data from victims, which are then sold as credential dumps on the dark web,” Nutland said.

“These credentials provide ransomware affiliates, among other cybercriminals, with a potential source of easy-to-gain access to targeted systems and networks, facilitating initial compromise.”

Another trend that Cisco Talos says echoes its previous year review report (PDF), is that ransomware teams are “applying a significant focus on defense evasion tactics to increase dwell time on victims’ networks,” they tell us. These tactics include using tools to disable or modify antivirus or endpoint detection, as well as operating system features aimed at detecting ransomware payloads. ®


Please enter your comment!
Please enter your name here

Latest News

LeBron James sends a clear message after victory over South Sudan

For years, NBA fans, media and even players have been overlooked by the rest of the world. That's why...

More Articles Like This