Last Week in Ransomware: Week of June 21st

Michael Raymond

Updated: 6/28/2021

Ransomware in the News

When Darkside launched their ransomware attack on American infrastructure they got a lot of attention from US law enforcement which ultimately led to their shutdown in May, however, this hasn’t stopped other groups impersonating them and sending fake Darkside extortion emails to companies throughout the energy and food sectors.

In a recent study by Cybereason, they found that 80% of organizations that paid a ransom were ultimately hit by a second attack with half being hit by the same group yet again. It’s easy to see why paying the ransom would be tempting when the FBI reported a $225% increase in total losses for ransomware in 2020, however, if Cybereasons study is to be believed paying the ransom isn’t the long-term solution.

In positive news, Ukrainian police raided 21 residences in connection with the Clop ransomware gang which resulted in six arrests.

And in a move that will make you worry the next time you take your computer into the IT guy for repair, South Korean police arrested a computer repairman who made and distributed ransomware and it’s believed that the scheme resulted in over $300,000 in ransomware payments.

In the recent summit between Biden and Putin, they discussed cyber threats including ransomware with Biden pushing the notion that certain sectors vital to a country should be off-limits what will become these talks and the real-world actions taken only time can tell.

Ransomware Research

Recent research shows that the GOLD WINTER group may be operating Hades ransomware and focusing on the big game or high-value targets otherwise ignored by more opportunistic ransomware groups. The absence of Hades on forums and marketplaces has led Secureworks to conclude it’s private ransomware. And the Tor-based websites used for Hades seem to indicate that it’s customized for each victim. The ransomware uses two initial access vectors. The first being stolen credentials used to access a VPN without two-factor authentication and the other being SocGholish, which is malware that operates using fake browser updates. The blog post goes into great detail on the Hades ransomware and the groups using it.

Prodaft has also released an extensive report on the LockBit ransomware. Lockbit is a relatively new ransomware program that has been gaining popularity in the past few months operating using ransomware as a service model. 

Red Team Ransomware 

Ransom0 is a well-maintained and open-source Python-based ransomware hosted on GitHub. It does all the standard things that you would expect of ransomware including finding files, encrypting them, as well as sending data, and having a way to decrypt the data. This has a high potential for use by a red team or other security audit team to test participants’ responses to a ransomware attack.

This is a basic ransomware program that’s freely and openly available on GitHub and written purely in Rust. It uses a number of anti-reversing techniques and standard AES encryption. Spin up a virtual environment and test out how well your system fairs against a Rust-based ransomware.

Blue Team Protections

The group behind the Avaddon ransomware has appeared to vanish after getting too much scrutiny from law enforcement agencies in the US and Australia potentially leaving some victims high and dry without a way to regain access to their files. If your files have been hit with Avaddon that encrypts using AES-256 and RSA-2048 then this Emsisoft decrypter should do the trick for you free of charge. 

The AWS self-service security assessment tool organized by the team at Amazon Web Services allows customers to quickly run to security audits using the open-source projects “Prowler” and “ScoutSuite”.

KilledProcessCanary is a simple program that spawns a number of processes that monitor each other. It works on the hypothesis that certain ransomware programs will stop services when they begin the encryption process. When this is detected it fires off a Canary DNS token to notify you. This certainly shouldn’t be your first line of defense, but it could potentially help you catch a ransomware attack before every single file is encrypted.

Upcoming Security Conferences

CyberSecurity Festival (June 16, 23, 30)

The cybersecurity festival is a series of presentations and panel sessions hosted by industry experts that aim to educate attendees on basic cybersecurity issues. The registration is free so why not attend.

The Cyber Strategy Retreat 2021(July 14-15)

The Cyber Strategy Retreat aims to facilitate collaboration between business, technology, and Risk Management leadership. The retreat focuses on going above and beyond compliance-driven programs and tackling cybersecurity risks, such as ransomware, to the fullest extent possible.

International Conference on Cyber Security 2021 (July 19 – 22)

The International Conference on Cybersecurity or ICCS is hosted by the FBI and Fordham University and focuses on bringing together government, private sector, and academia to discuss current cyber threats such as ransomware. 

BLACK HAT USA 2021 (July 31 – Aug 5)

Black hat is one of the largest annual security conferences. It’s the corporate version of Defcon and as such is a great opportunity to get face time with security professionals such as the Varonis team. Be sure to stop by our booth!