Introduction
At Blackpoint, our Adversary Pursuit Group (APG) provides threat intelligence and performs research and development. While in-depth write-ups have their place, the APG understands the need for high-level resources to help communicate cyberthreats to your end clients. In this snippet of APG’s Ransomware Roundup, they provide an overview of malware, ransomware groups & variants, and other malicious tactics. The full scoop will be available for Blackpoint partners.
Ransomware Versus Malware
Malware
A broad term that refers to any malicious software designed to damage, disrupt, or gain unauthorized access to a computer system or network. Not all malware is ransomware. Malware can take many forms, including viruses, worms, trojans, and spyware. Each type of malware has its own unique characteristics and methods of operation.
Malware is typically spread through various means, such as malicious email attachments, software downloads, or infected websites. Once installed on a victim’s computer or network, malware can perform a variety of malicious activities, such as stealing data, damaging files or systems, or using infected infrastructure as part of a botnet for further attacks.
Ransomware
A type of malware that encrypts the victim’s files or locks them out of their system until a ransom is paid to the attacker.
Ransomware is specifically designed to extort money from victims by preventing access to their own data. It has become significantly more common in recent years, with many high-profile attacks targeting large organizations and government agencies.
What is a ransomware group?
A group of individuals or organizations who develop and distribute ransomware, often operating as criminal enterprises, using ransomware to extort money from victims.
What is a ransomware variant?
Ransomware variants refer to the specific strains or versions of ransomware. There are many different types of ransomware, and new variants are constantly being developed and distributed by one or more cybercriminal groups. Some ransomware variants are more sophisticated than others and can be more difficult to detect and remove.
Malicious Actors’ Tactics, Techniques, and Procedures
Ransomware groups typically use phishing emails, software vulnerabilities, and weak passwords to gain access to computer systems. Various obfuscation techniques are also used to evade detection by antivirus software and other security measures.
Encryption
Once they have gained access to a system, they encrypt as many files as possible, then demand payment in exchange for the decryption key needed to restore the files. A ransom note with instructions on how to pay will often be displayed on the victim’s computer screen, and payment is often requested in cryptocurrency. Custom implementations of encryption algorithms are often utilized, increasing the difficulty of decrypting without the key.
Double Extortion
Some ransomware groups utilize double extortion—encrypting and exfiltrating sensitive data, threatening to release it publicly if the ransom is not paid. This increases pressure on the victim and the potential damage of the attack, as a leak can damage the victim’s reputation.
Ransomware-as-a-Service (RaaS)
Lastly, many ransomware groups operate under a RaaS model, meaning they develop and distribute ransomware to other cybercriminals who use it to conduct attacks.
Prominent Threat Actors
Lorenz
Where are they based? Russia
When did they emerge? Mid-2021
What ransomware do they use? A variant of the “Avaddon” ransomware.
Who do they target? Lorenz targets larger, English-speaking, enterprise environments and requests a ransom between $500,000-$700,000.
What are they known for?
- Double extortion tactics
- The exploitation of a vulnerability in MiVoice Connect (CVE-2022-29499)
- Implementing new features, such as leveraging .NET DLLs
Additional Resources: The Chaos of Lorenz
Wizard Spider
Where are they based? Russia
What ransomware do they use? Conti since at least late 2020.
What are they known for?
- Vowing their full support for the Russian government
- The Conti Leaks
- Undergoing a similar fall as other large ransomware groups, such as DarkSide and REvil
Who do they target? In 2021, they were responsible for more ransomware attacks on critical infrastructure than any other group.
According to Sophos Rapid Response, Conti was #4 in the most prevalent ransomware seen, accounting for approximately 7% of attacks. RaaS affiliate groups, such as DEV0237/FIN12, deploy a variety of payloads, including Wizard Spider’s. In addition, cryptocurrency exchange Bitzlato was reportedly associated with several cybercriminal groups, including Wizard Spider.
After exploiting the Log4Shell vulnerability at the end of 2021, the group went silent in 2022.
Associated Blackpoint Resources: Examining the Conti Group, Leaks & Evolving Ransomware
HAFNIUM
Where are they based? They’re believed to be based in China
When did they emerge? They’ve been active since at least early 2020
What are they known for?
- Their activities are linked to Chinese state-sponsored hacking efforts. They utilize advanced techniques and tactics including using virtual private servers and compromising legitimate third-party services.
- They carried out a widespread campaign exploiting four Microsoft Exchange Server zero-day vulnerabilities, as well as the Log4Shell vulnerability. The Microsoft Exchange attack allowed them to gain unauthorized access to email accounts and steal sensitive information, affecting thousands of organizations worldwide.
Threat actors involved with HAFNIUM have been arrested by Russian intelligence services.
Associated Blackpoint Resources: Tarrasking for Trouble
Project Relic
Project Relic writes their attacks in Go, a language developed by Google, due to its portability, speed, and the minimal chance of being detected by the static analysis of security tools. They use a custom chat application on the Tor network to negotiate ransoms. Project Relic hosts a site with full and partial data leaks if the ransom is not paid in a timely manner. They are known to use a variety of different encryption algorithms and demand payment in various cryptocurrencies, such as Bitcoin and Monero.
Additional Resources: Unearthing Project Relic
Ransomware Variants
ChileLocker
What malware family does it fall under? ARCrypter
When was it first identified? 2022
How does it work? It borrows several features from RedAlert ransomware and is typically distributed through malicious email attachments, download links, and the exploitation of vulnerabilities in outdated software.
Does it operate correctly? No. With proper variants, encryption leads to a ransom note, followed by payment and the fear that the key will not be turned over or that another attack will follow. This variant operates incorrectly: its encryption technique is flawed, meaning that regardless of whether the victim pays the ransom, the attackers will be unable to give the files back.
Additional Resource: ChileLocker’s Chilling Mistakes
Malware
Qakbot
What type of malware is it? A banking trojan
What is it also known as? Qbot, Quakbot, or Pinkslipbot.
How does it work? Once installed, it can steal sensitive information by logging keystrokes, capturing screenshots, and monitoring network traffic. It can also spread to other computers on the same network and create a backdoor for remote access utilizing Cobalt Strike, allowing attackers to carry out further malicious activities. It also spreads Brute Ratel agents.
How prevalent is it? Blackpoint’s SOC identified Qakbot as the possible malware utilized in OneNote attacks at the beginning of 2023. Our SOC reported 20 Qakbot attacks last year that could be confidently identified and pinpointed.
Additional Resources: With .one Foot in the Door
SecondEye
What is it designed to do? Perform advertisement fraud
How does it work?
They market their system as a staff monitoring and parental control system but do acknowledge their product can be used for illegal activities. That said, they absolve themselves of responsibility by stating that it is the end user’s responsibility to use the software appropriately.
It is distributed through malicious websites, software bundles, and fake software updates. Once installed, SecondEye manipulates the victim’s web browser to simulate clicks on advertisements. This generates fraudulent ad revenue for the attackers, who are often part of larger criminal networks. In addition to ad fraud, SecondEye may also:
- Steal sensitive information from the victim’s computer, such as login credentials, financial data, and personal information
- Download and install additional malware, further compromising the victim’s security and privacy
Who is it run by? Based on a combination of open-source intelligence (OSINT) and analysis, Blackpoint believes SecondEye to be run by Iranians.
Additional Resources: Eye Spy – The Dangers of Legal Malware
.NET Remote Access Tool (RAT)
Arechclient2
What is it? A .NET RAT with numerous capabilities, including multiple stealth functions. It is not a commonly seen choice of RAT but has been used in drive-by downloads.
How does it work? Blackpoint observed the acquired malicious executable profiling victim systems, stealing information such as browser and crypto-wallet data, and launching a hidden secondary desktop to control browser sessions.
Arechclient2 is not a new threat. However, the fact that malware like this is not used as a targeted means of attack does not reduce the risk that such malicious binaries pose.
Additional Resource: Ratting Out Arechclient2
About Blackpoint’s Adversary Pursuit Group
The APG is a proactive unit within Blackpoint, working alongside our SOC team, to serve two primary functions: threat intelligence (TI) and research & development (R&D). They provide our security analysts, product team, partners, and the greater cybersecurity community with intel and insight to keep us all ahead of malicious actors.