- Threat-a-licious -
Top 5 Ransomware Threats You Need to Know About (March 2024)
At SISA, we understand the ever-evolving nature of cyber threats and the importance of staying one step ahead to protect your organization’s sensitive data and assets. Our dedicated team of experts is constantly monitoring various platforms, gathering intelligence, and analyzing the latest cyber threats to provide valuable insights into the latest cyber risks that can impact organizations.
This monthly post provides a condensed overview of the threats encountered throughout the month.
Our team brings you five significant ransomware threats that have recently been active in targeted attacks worldwide: Phobos ransomware targeting government and vital infrastructure sectors, GhostSec and Stormous collaborating on a ransomware campaign, ShadowSyndicate scanning for servers vulnerable to CVE-2024-23334, LockBit ransomware developing an advanced encryption tool, and the RansomHouse ransomware group introducing an advanced tool for VMware ESXi attacks.
Read on to discover more…
1. A joint advisory issued on Phobos ransomware threat
U.S. cybersecurity and intelligence agencies have issued alerts regarding Phobos ransomware attacks targeting government and vital infrastructure sectors, noting that variants such as Eking, Eight, Devos, Backmydata, and Faust are linked to Phobos through shared Tactics, Techniques, and Procedures (TTPs). Operated within a ransomware-as-a-service (RaaS) framework, Phobos ransomware actors deliberately target entities ranging from municipal governments to critical infrastructure, amassing substantial ransoms.
The modus operandi includes sophisticated phishing campaigns, IP scanning for exposed Remote Desktop Protocol (RDP) ports, and the use of open-source tools such as Angry IP Scanner and SmokeLoader for reconnaissance and payload delivery. Following a standardized three-phase process, the ransomware encrypts files and deploys additional malware, maintaining persistence through firewall modifications, evasion techniques, and abuse of Windows API functions. Data exfiltration relies on tools such as WinSCP and Mega.io, and backups are systematically deleted after encryption to prevent file recovery. Each Phobos ransomware executable carries a unique identifier, further complicating mitigation efforts.
2. GhostSec and Stormous collaborate on targeted ransomware campaign
GhostSec, affiliated with The Five Families coalition, has emerged as a prominent player in the ransomware landscape, notably with the GhostLocker variant. Collaborating with the Stormous ransomware group, GhostSec conducts double extortion attacks against various business verticals across multiple countries, encrypting data and threatening to release it unless a ransom is paid. The latest iteration, GhostLocker 2.0, written in Go, features enhanced encryption capabilities and introduces a new ransom note with specific contact deadlines.
Additionally, GhostSec offers a ransomware-as-a-service (RaaS) program called STMX_GhostLocker, providing affiliates with tools to track operations, configure payloads, and exfiltrate data pre-encryption. Leveraging tools like GhostSec Deep Scan and GhostPresser for WordPress sites, the group demonstrates a commitment to evolving tactics. Their attacks span industries and countries worldwide, affecting sectors such as technology, education, government, transportation, energy, legal services, and telecommunications.
3. ShadowSyndicate scans for servers vulnerable to CVE-2024-23334
ShadowSyndicate, a ransomware actor, has been actively scanning for servers vulnerable to CVE-2024-23334, a directory traversal flaw in the aiohttp Python library, potentially impacting over 44,000 internet-exposed instances. This vulnerability, patched in aiohttp version 3.9.2, allows unauthorized access to files outside the server’s static root directory. Aiohttp, an open-source library built on Python’s asynchronous I/O framework, is widely used by technology companies, web developers, and backend engineers to manage simultaneous HTTP requests efficiently.
Exploitation of CVE-2024-23334 involves identifying servers running vulnerable aiohttp versions and using a proof of concept (PoC) exploit to access sensitive files. Although exploitation attempts have been detected since February 2024, it remains unclear whether these activities have led to actual breaches. It has been observed that the majority of exposed aiohttp instances are located in the United States, followed by Germany, Spain, the UK, Italy, France, Russia, and China.
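As an added defensive illustration (not code from this post or from the aiohttp project), the following Python shows the containment check a static-file route needs so that decoded, normalized request paths cannot leave the static root, plus a filesystem-level variant that also follows symlinks, and runs the check over constructed access-log lines to flag traversal attempts; the `/static` prefix, file paths and log lines are assumptions.

```python
import posixpath
from pathlib import Path
from urllib.parse import unquote

# Hypothetical static route prefix, e.g. app.router.add_static("/static", root)
STATIC_PREFIX = "/static"

def escapes_static_root(url_path: str, prefix: str = STATIC_PREFIX) -> bool:
    """True when a request under `prefix` normalizes to a path outside it."""
    decoded = unquote(unquote(url_path))  # two rounds also catch double-encoded '..'
    if not decoded.startswith(prefix + "/"):
        return False  # not a static-route request, nothing to contain
    # Collapse '.' and '..' segments, then require the result to stay under the prefix.
    normalized = posixpath.normpath(decoded)
    return not (normalized == prefix or normalized.startswith(prefix + "/"))

def resolves_inside(root: str, relative: str) -> bool:
    """Filesystem check: the resolved target (symlinks followed) must stay under root."""
    root_path = Path(root).resolve()
    target = (root_path / relative).resolve()
    return target == root_path or root_path in target.parents

# Constructed access-log lines in combined log format, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2024:10:01:02 +0000] "GET /static/css/site.css HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/Mar/2024:10:01:03 +0000] "GET /static/../../app/config.py HTTP/1.1" 200 944',
    '198.51.100.9 - - [12/Mar/2024:10:02:10 +0000] "GET /static/%2e%2e/%2e%2e/app/config.py HTTP/1.1" 200 944',
    '198.51.100.9 - - [12/Mar/2024:10:02:11 +0000] "GET /api/health HTTP/1.1" 200 16',
]

def flag_log_lines(lines):
    """Return request paths that escape the static root, for alerting or hunting."""
    flagged = []
    for line in lines:
        try:
            path = line.split('"')[1].split()[1]  # request is "<METHOD> <path> <proto>"
        except IndexError:
            continue
        if escapes_static_root(path):
            flagged.append(path)
    return flagged

if __name__ == "__main__":
    for hit in flag_log_lines(SAMPLE_LOG):
        print("traversal attempt against static root:", hit)
```

A 200 status on a flagged path is the signal to investigate, since a patched server (aiohttp 3.9.2 or later) should refuse such requests.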
4. LockBit ransomware quietly develops advanced encryption tool
Following a collaborative effort with the UK’s National Crime Agency, an analysis of the latest LockBit ransomware iteration, LockBit-NG-Dev, revealed significant departures from previous versions. Unlike its predecessors built in C/C++, this variant is written in .NET and compiled with CoreRT, featuring MPRESS for obfuscation. LockBit-NG-Dev includes a configuration file in JSON format containing execution parameters such as date ranges, ransom note details, unique IDs, RSA public keys, and operational flags.
While it lacks some features such as self-propagation and printing ransom notes on victim printers, LockBit-NG-Dev is in its final development stages and already offers most of the expected functionality. It supports three encryption modes (AES+RSA), custom file or directory exclusions, and randomizes file names to hinder restoration efforts. Additionally, the malware includes a self-delete mechanism that overwrites its own file contents with null bytes.
5. RansomHouse gang introduces advanced tool for VMware ESXi attacks
The RansomHouse ransomware group has introduced a new tool named ‘MrAgent,’ aimed at automating the deployment of its data encrypter across multiple VMware ESXi hypervisors. Operating as a ransomware-as-a-service (RaaS) entity since December 2021, RansomHouse employs double extortion tactics and focuses its attacks on large organizations. ESXi servers are targeted because they host critical applications such as databases and email servers, making attacks highly disruptive.
Security analysts have identified MrAgent’s sophisticated functionality tailored for streamlined assaults on ESXi infrastructure. The tool automates ransomware deployment across multiple hypervisors, compromising all managed virtual machines (VMs), and supports customizable configurations obtained from the command and control (C2) server. MrAgent reduces the likelihood of detection by disabling firewalls and terminating non-root SSH sessions, underscoring the severity of security implications.
Key recommendations to combat cyber risks:
- Implement a robust backup strategy for critical data and ensure backups are stored offline or in a secure, isolated environment.
- Keep all software, operating systems, and applications up to date with the latest security patches to address known vulnerabilities that threat actors may exploit.
- Utilize endpoint protection platforms, firewalls, intrusion detection/prevention systems, and email security solutions to detect and block malicious activities.
- Strengthen RDP access by using strong, unique passwords, enabling multi-factor authentication (MFA), restricting access to known IP addresses, and implementing network-level authentication.
- Employ network monitoring tools to detect anomalous behavior and indicators of compromise (IOCs) associated with ransomware activity.
- Enforce the principle of least privilege by restricting user permissions to only the resources necessary for their role.
- Train employees to recognize phishing emails and avoid clicking on suspicious links or downloading attachments from unknown sources.
- Implement network segmentation to isolate critical systems from less critical ones, limiting the spread of ransomware.
- Implement file integrity monitoring to detect unauthorized changes to files, which could indicate a ransomware infection.
- Have an incident response plan in place to quickly respond to and recover from ransomware attacks, including steps for containment and data restoration.
To get updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories or check out SISA Weekly Threat Watch on our website.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.