New Ransomware Wave Engulfs over 200 Corporate Victims

Double Extortion Ransomware Groups Make Headlines

In the ever-evolving landscape of cyber threats, the number of ransomware groups adopting double extortion is a concerning trend. This rising wave of ransomware attacks has taken the form of not only locking away valuable corporate data but also threatening to expose it to the world unless their demands are met.

In the past week alone, more than three newly identified ransomware strains have come to light, causing distress for over 200 victims worldwide. Additionally, within the last month, approximately 10 new ransomware groups have emerged, employing double extortion. A few of these groups are:

The rapid emergence of new ransomware strains and the formation of new ransomware groups highlight the scalability and profitability of these criminal operations. As criminals continue to refine their techniques and exploit vulnerabilities, they find new ways to maximize their financial gains.

Below, we delve into the ransomware strains that emerged last week, showcasing the new techniques that Threat Actors (TAs) adopted. These instances show how these TAs leverage ransomware to advance their goals.

Notably, the MalasLocker ransomware takes an unconventional approach by demanding that victims make a donation instead of requesting a traditional ransom, highlighting the involvement of hacktivists. Additionally, Rhysida ransomware stands out for its unique method of delivering the ransom note in PDF format.

Rhysida Ransomware

Rhysida ransomware was discovered by the MalwareHunter Team. The Rhysida ransomware (SHA256: a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6) is a 64-bit binary that targets the Windows operating system.

The figure below shows the file details.

Figure 1 – File Details

Execution

The ransomware binary runs without any command line arguments, but it also accepts the following two optional arguments:

Parameter   Description
-d          Path of directory to encrypt
-sr         Self-Remove

It uses the following command to remove itself when the “-sr” parameter is passed:

  • “cmd.exe /c start powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path”

This ransomware uses multiple threads to process files and directories. It opens directories recursively and performs operations on files. It also tracks statistics related to the processed files, directories, errors, access counts, and readme files.

This data is printed on the command prompt window, as shown in the figure below.

Figure 2 – Printing Statistical Data

Encryption

The Rhysida ransomware employs a combination of RSA and AES algorithms to encrypt files.

The implementation of these cryptographic algorithms within the ransomware binary is depicted in the figure below.

Figure 3 – Encryption Algorithm

The ransomware binary excludes the following directories from encryption:

\$Recycle.bin, \Documents and Settings, \PerfLogs, \Program Files, \Program Files (x86), \ProgramData\, \Recovery, \System Volume Information.

Furthermore, the ransomware does not encrypt files with the following extensions:

.bat, .bin, .cab, .cmd, .com, .cur, .diagcab, .diagcfg, .diagpkg, .drv, .dll, .exe, .hlp, .hta, .ico, .lnk, .msi, .ocx, .ps1, .psm1, .scr, .sys, .ini, .db, .url, .iso, .cab.

Once a file is successfully encrypted, the ransomware renames it by adding the “.rhysida” extension.

The figure below illustrates the encrypted files after this modification has been made.

Figure 4 – Encrypted File

In contrast to typical ransomware behavior, the Rhysida ransomware binary deploys a distinct approach by dropping the ransom note in the form of a PDF file named “CriticalBreachDetected.pdf”. This ransom note is placed in every directory the ransomware traverses during its operation.

The figure below showcases the content of the ransom note, providing further insight into the specific details and demands presented by the attackers.

Figure 5 – Ransom Note

The ransomware then generates a background image named “bg.jpg” from the ransom note content in the “C:\Users\Public” directory and sets it as the desktop background. It runs the following commands to modify the registry entries that control the victim’s wallpaper:

  • system("cmd.exe /c reg delete \"HKCU\\Conttol Panel\\Desktop\" /v Wallpaper /f");
  • system("cmd.exe /c reg delete \"HKCU\\Conttol Panel\\Desktop\" /v WallpaperStyle /f");
  • system("cmd.exe /c reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\ActiveDesktop\" /v NoChangingWallPaper /t REG_SZ /d 1 /f");
  • system("cmd.exe /c reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\ActiveDesktop\" /v NoChangingWallPaper /t REG_SZ /d 1 /f");
  • system("cmd.exe /c reg add \"HKCU\\Control Panel\\Desktop\" /v Wallpaper /t REG_SZ /d \"C:\\Users\\Public\\bg.jpg\" /f");
  • system("cmd.exe /c reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" /v Wallpaper /t REG_SZ /d \"C:\\Users\\Public\\bg.jpg\" /f");
  • system("cmd.exe /c reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" /v WallpaperStyle /t REG_SZ /d 2 /f");
  • system("cmd.exe /c reg add \"HKCU\\Control Panel\\Desktop\" /v WallpaperStyle /t REG_SZ /d 2 /f");
  • system("rundll32.exe user32.dll,UpdatePerUserSystemParameters");
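The artefacts described in the Execution and Encryption sections and in the wallpaper commands above (the hidden PowerShell self-removal, the “.rhysida” extension, the “CriticalBreachDetected.pdf” note, and the reg add / rundll32 wallpaper sequence) can be turned into host triage logic. The script below is an added example, not code from the report or from the malware; the two-field telemetry format, the file paths and the dropper filename in the sample events are assumptions constructed for the example.

```python
import re
from collections import Counter
# Literal artefacts named in the report: ransom note name and the appended extension.
RANSOM_NOTE = "criticalbreachdetected.pdf"
ENCRYPTED_EXT = ".rhysida"
# Command-line patterns built from the report's self-removal and wallpaper commands.
CMDLINE_PATTERNS = {
    "wallpaper_policy_lock": re.compile(r"reg\s+add\b.*\\ActiveDesktop.*NoChangingWallPaper", re.I),
    "wallpaper_set_bg": re.compile(r"reg\s+add\b.*\bWallpaper\s+/t\s+REG_SZ\s+/d\s+\S*bg\.jpg", re.I),
    "wallpaper_refresh": re.compile(r"rundll32(\.exe)?\s+user32\.dll,UpdatePerUserSystemParameters", re.I),
    "self_remove": re.compile(r"powershell(\.exe)?.*-WindowStyle\s+Hidden.*Remove-Item\s+-Force", re.I),
}

def classify_event(event_type, value):
    """Return indicator tags for one record: "process" (command line) or "file" (created path)."""
    tags = []
    if event_type == "process":
        tags.extend(tag for tag, pat in CMDLINE_PATTERNS.items() if pat.search(value))
    elif event_type == "file":
        name = value.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name == RANSOM_NOTE:
            tags.append("ransom_note")
        elif name.endswith(ENCRYPTED_EXT):
            tags.append("encrypted_file")
    return tags

def triage(events):
    """Count tags over a host's events; flag the host only when file and process indicators co-occur."""
    counts = Counter(tag for etype, value in events for tag in classify_event(etype, value))
    file_hit = counts["ransom_note"] + counts["encrypted_file"] > 0
    proc_hit = any(counts[tag] for tag in CMDLINE_PATTERNS)
    return counts, file_hit and proc_hit

# Constructed sample telemetry (event type, value); paths and "locker.exe" are invented for this example.
SAMPLE_EVENTS = [
    ("file", r"C:\Users\victim\Documents\report.docx.rhysida"),
    ("file", r"C:\Users\victim\Documents\CriticalBreachDetected.pdf"),
    ("file", r"C:\Users\victim\Pictures\holiday.jpg.rhysida"),
    ("process", r'cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f'),
    ("process", r'cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f'),
    ("process", r"rundll32.exe user32.dll,UpdatePerUserSystemParameters"),
    ("process", r"cmd.exe /c start powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path C:\Users\Public\locker.exe"),
    ("process", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    counts, suspected = triage(SAMPLE_EVENTS)
    print(dict(counts), "suspected Rhysida activity:", suspected)
```

The wallpaper commands alone also appear in benign administration, which is why the verdict requires an encrypted file or ransom note on the same host.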

The figure below shows the background set by the ransomware.

Figure 6 – Changing Background

Currently, there are no victims posted on Rhysida ransomware’s leak site.

The figure below shows the leak site of Rhysida ransomware.

Figure 7 – Rhysida Leak Site

8Base Ransomware

Zscaler recently uncovered the 8Base ransomware, which has been actively targeting victims. The group behind this ransomware has adopted a double extortion strategy, wherein they first steal the victim’s data and then encrypt it.

If the victim refuses to pay the ransom, the attackers publish the stolen data on their leak site. The group has already disclosed information about 66 victims on its website.

The figure below shows the 8Base ransomware leak site.

Figure 8 – 8Base Leak Site

The figure below shows the guidelines given to victims on the 8Base ransomware leak site.

Figure 9 – Instruction to Victims

The leak site associated with this ransomware group contains posts that can be traced back to April 2022, indicating that the group has potentially been active for at least a year without publicly disclosing its victims.

However, it is worth noting that the group’s Telegram channel was only created in May 2023, suggesting that they may have recently begun to publicly disclose their victims.

Figure 10 – 8Base Telegram Channel

The figure below shows the ransom note of 8Base ransomware.

Figure 11 – 8Base Ransom Note

MalasLocker

A recently discovered ransomware known as MalasLocker has been observed targeting Zimbra servers. This particular ransomware group has publicly disclosed approximately 169 victims on their leak site.

Like many other ransomware groups, MalasLocker ransomware employs the double extortion technique to target its victims. However, what sets MalasLocker apart is that instead of demanding a ransom, they ask their victims to make a donation.

Figure 12 – MalasLocker Leak Site

Conclusion

Various TAs are increasingly turning to ransomware to carry out malicious attacks. One possible reason behind this trend is the accessibility of leaked source code and builders from previous ransomware groups.

These tools empower even less sophisticated TAs to engage in ransomware attacks. The recent rise in ransomware groups utilizing double extortion techniques highlights the evolving nature of ransomware as a lucrative business, attracting numerous new threat actors.

Our Recommendations 

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

  • Define and implement a backup process and secure those backup copies by keeping them offline or on a separate network. 
  • Monitor darkweb activities for early indicators and threat mitigation.  
  • Enforce password change policies for the network and critical business applications or consider implementing multi-factor authentication for all remote network access points.
  • Reduce the attack surface by ensuring that sensitive ports are not exposed to the Internet.
  • Conduct cybersecurity awareness programs for employees, third parties, and vendors.
  • Implement a risk-based vulnerability management process for IT infrastructure to identify and prioritize critical vulnerabilities and security misconfigurations for remediation. 
  • Instruct users to avoid opening untrusted links and email attachments without verifying authenticity.
  • Deploy reputed anti-virus and internet security software packages on your company-managed devices, including PCs, laptops, and mobile devices.
  • Turn on the automatic software update features on computers, mobiles, and other connected devices.

MITRE ATT&CK® Techniques

Tactic      Technique ID   Technique Name
Execution   T1204          User Execution
            T1059          Command and Scripting Interpreter
Discovery   T1057          Process Discovery
            T1082          System Information Discovery
            T1083          File and Directory Discovery
Impact      T1486          Data Encrypted for Impact

Indicators of Compromise (IOCs)

Indicators                                                          Indicator Type   Description
0c8e88877383ccd23a755f429006b437                                    MD5              Rhysida Windows Executable
69b3d913a3967153d1e91ba1a31ebed839b297ed                            SHA1             Rhysida Windows Executable
a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6    SHA256           Rhysida Windows Executable
