Home - The article:
Source |
RiskIQ |
Identifier |
8574837 |
Publication date |
2024-09-11 20:20:08 (viewed: 2024-09-11 21:18:11) |
Title |
NoName ransomware gang deploying RansomHub malware in recent attacks |
Text |
## Snapshot
The NoName ransomware gang, active since at least 2020, has recently deployed a custom ransomware called ScRansom. Although relatively unsophisticated, ScRansom has been used to target small and medium-sized businesses (SMBs) worldwide, with ESET researchers noting a possible connection between NoName and the RansomHub Ransomware-as-a-Service (RaaS) group.
## Description
NoName uses custom tools from the SpaceColon malware family, which are deployed after gaining access to the network through brute-force attacks or by exploiting older vulnerabilities such as EternalBlue ([CVE-2017-0144](https://sip.security.microsoft.com/intel-explorer/cves/cve-2017-0144/)) and Zerologon ([CVE-2020-1472](https://sip.security.microsoft.com/intel-profiles/cve-2020-1472)). CosmicBeetle has also impersonated LockBit, leveraging the leaked LockBit builder to generate custom ransomware and mimic its branding. In more recent attacks, NoName replaced its Scarab encryptor with ScRansom.
ESET has tracked the NoName gang, also known as CosmicBeetle, since 2023, noting the rise of ScRansom, a Delphi-based file-encrypting malware. Despite its simplicity compared to other ransomware, ScRansom continues to evolve, featuring a structured graphical user interface (GUI) and partial encryption modes, including one that irreversibly erases segments of files. Its encryption scheme has shifted from basic AES-CTR-128 to a more complex combination of RSA-1024 and AES-CTR-128, and it also kills processes during encryption, with the recent addition of a standalone process-killer tool, ScKill.
ESET researchers believe CosmicBeetle may have become a RansomHub affiliate, citing similar attack patterns and shared toolsets. ESET telemetry revealed that CosmicBeetle deployed RansomHub's EDR killer after its own tools failed to compromise a target, reinforcing the possible connection.
NoName's attacks focus largely on SMBs across various sectors, with victims including those in manufacturing, healthcare, and government, particularly in regions with weaker patch management practices.
### Additional analysis
RansomHub, a new Ransomware-as-a-Service (RaaS), has rapidly emerged as a major ransomware threat. According to Microsoft Threat Intelligence and [other security researchers](https://sip.security.microsoft.com/intel-explorer/articles/57d133ec), RansomHub ransomware evolved and rebranded from Knight ransomware, after the Knight ransomware gang sold its source code in February 2024. In August 2024, [Sophos analysts identified](https://sip.security.microsoft.com/intel-explorer/articles/f5878aee) a new EDR-killing utility associated with RansomHub. The EDR-killing tool is designed to terminate endpoint protection software and is a loader executable (also known as a "bring your own vulnerable driver" or BYOVD tool).
## Recommendations
For a holistic security guide for defending against ransomware, which can also limit many other motivated attackers, refer to Microsoft's threat overview profile on [human-operated ransomware](https://security.microsoft.com/threatanalytics3/05658b6c-dc62-496d-ad3c-c6a795a33c27/analystreport).
Microsoft recommends the following mitigations to reduce the impact of ransomware threats.
- Immediately apply security updates for [CVE-2020-1472](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472). Check the threat and vulnerability management portal for the status of c |
Notes |
★★
|
Sent |
Yes |
Tags |
Ransomware
Malware
Tool
Vulnerability
Threat
Patching
Medical
|
Stories |
|
Move |
|
The article does not appear to have been picked up after its publication.
The article resembles 1 other article(s):
Src |
Date (GMT) |
Title |
Description |
Tags |
Stories |
Notes |
 |
2024-09-12 20:24:56 |
(Déjà vu) #StopRansomware: RansomHub Ransomware (direct link) |
## Snapshot
Researchers at the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) have identified RansomHub ransomware as a significant threat.
## Description
RansomHub, a ransomware-as-a-service variant, has targeted critical infrastructure sectors and exfiltrated data from at least 210 victims since its inception in February 2024. Affiliates of RansomHub use a double-extortion model, encrypting systems and exfiltrating data to extort victims. The ransom note dropped during encryption does not include an initial ransom demand, but provides victims with a client ID and instructions to contact the ransomware group via a unique .onion URL. The ransom note typically gives victims between three and 90 days to pay the ransom before the ransomware group publishes their data on the RansomHub Tor data leak site.
RansomHub affiliates typically compromise internet-facing systems and user endpoints using methods such as phishing emails, exploitation of known vulnerabilities, and password spraying. Notably, specific CVEs have been observed in the exploitation methods, including vulnerabilities in Citrix ADC, FortiOS, Java OpenWire protocol marshaller, and Confluence Data Center and Server instances. Once inside the network, the threat actors conduct network scanning, rename the ransomware executable with innocuous file names, clear system logs, and disable antivirus products. They also create user accounts for persistence, gather credentials, and move laterally inside the network using various methods. Data exfiltration methods observed include the usage of tools such as PuTTY, Amazon AWS S3 buckets/tools, and HTTP POST requests. RansomHub ransomware leverages an Elliptic Curve Encryption algorithm to encrypt user accessible files on the system and attempts to stop specific processes to successfully encrypt files. Additionally, the ransomware deletes volume shadow copies to inhibit system recovery.
The threat actors have been observed using legitimate tools such as BITSAdmin and Cobalt Strike for their operations. Mimikatz, PSExec, PowerShell, RClone, Sliver, SMBExec, WinSCP, CrackMapExec, Kerberoast, and AngryIPScanner have been utilized for various malicious activities. The article also mentions indicators of compromise, including IP addresses historically linked to QakBot, known URLs related to malicious activity, and emails associated with RansomHub from 2023-2024. The authoring organizations recommend investigating or vet
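Several of the pre-encryption behaviours described above (deleting volume shadow copies, clearing system logs, renaming the ransomware executable to an innocuous name) leave traces in process-creation telemetry. The following is an added example, not code from the advisory or from any Microsoft or CISA tooling: it runs three simple rules over constructed sample events in an assumed pipe-delimited format and reports hosts where more than one of those behaviours chains together, which is a stronger signal than any single command.

```python
import re

# Constructed sample of process-creation events, one per line, in an assumed
# "timestamp|host|user|image|command_line" format (not a real log export).
SAMPLE_EVENTS = r"""
2024-09-10T02:14:03Z|srv-files01|CORP\svc_backup|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet
2024-09-10T02:14:09Z|srv-files01|CORP\svc_backup|C:\Windows\System32\wevtutil.exe|wevtutil cl Security
2024-09-10T02:14:20Z|srv-files01|CORP\svc_backup|C:\Users\Public\svchost.exe|C:\Users\Public\svchost.exe -pass
2024-09-10T08:00:00Z|ws-hr07|CORP\jdoe|C:\Windows\System32\wevtutil.exe|wevtutil qe Application /c:5
2024-09-10T08:05:00Z|srv-files01|CORP\admin|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
"""

# One rule per behaviour the advisory attributes to RansomHub affiliates. The
# first two match the command line; the third matches the image path, catching a
# Windows system binary name run from outside System32/SysWOW64 (a renamed payload).
RULES = [
    ("shadow_copy_deletion", "command_line", re.compile(r"\bvssadmin\b.*\bdelete\s+shadows\b", re.I)),
    ("event_log_clearing", "command_line", re.compile(r"\bwevtutil\s+cl\b", re.I)),
    ("masqueraded_system_binary", "image", re.compile(
        r"^(?!c:\\windows\\(system32|syswow64)\\).*\\(svchost|lsass|csrss|winlogon)\.exe$", re.I)),
]

def parse_event(line):
    """Split one line into a dict; returns None for blank or malformed lines."""
    fields = line.split("|", 4)
    if len(fields) != 5:
        return None
    return dict(zip(("timestamp", "host", "user", "image", "command_line"), fields))

def detect(text):
    """Return (timestamp, host, rule, command_line) tuples for every rule hit."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        for rule, field, pattern in RULES:
            if pattern.search(ev[field]):
                findings.append((ev["timestamp"], ev["host"], rule, ev["command_line"]))
    return findings

def hosts_with_chained_activity(findings, min_rules=2):
    """Hosts where at least `min_rules` distinct rules fired. Any one command (for
    example an admin's vssadmin run) may be legitimate; the chain of inhibiting
    recovery, clearing logs and launching a renamed binary is what to escalate."""
    by_host = {}
    for _, host, rule, _ in findings:
        by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)
```

On the constructed sample, the "list shadows" and "wevtutil qe" events produce no findings, and only srv-files01 is reported because all three behaviours fired there within seconds of each other.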
## Microsoft Analysis
RansomHub, a new Ransomware-as-a-Service (RaaS), has rapidly emerged as a major ransomware threat. According to Microsoft Threat Intelligence and [other security researchers](https://sip.security.microsoft.com/intel-explorer/articles/57d133ec), RansomHub ransomware evolved and rebranded from Knight ransomware, after the Knight ransomware gang sold its source code in February 2024. In August 2024, [Sophos analysts identified](https://sip.security.microsoft.com/intel-explorer/articles/f5878aee) a new EDR-killing utility associated with RansomHub. The EDR-killing tool is designed to terminate endpoint protection software and is a loader executable (also known as a “bring your own vulnerable driver” or BYOVD tool).
## Recommendations
For a holistic security guide for defending against ransomware, which can also limit many other motivated attackers, refer to Microsoft's threat overview profile on [human-operated ransomware](https://security.microsoft.com/threatanalytics3/05658b6c-dc62-496d-ad3c-c6a795a33c27/analystreport).
Microsoft recommends the following mitigations to reduce the impact of ransomware threats.
- Immediately apply security updates for [CVE-2020-1472](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472). Check the threat and vulnerability management portal for the most recent patching status.
- Turn on [cloud-deli |
Ransomware
Malware
Tool
Vulnerability
Threat
Patching
|
|
★★
|
|
|