The article:
Source |
RiskIQ |
Identifier |
8575527 |
Publication date |
2024-09-12 20:24:56 (viewed: 2024-09-12 21:18:22) |
Title |
#StopRansomware: RansomHub Ransomware (Recycled) |
Text |
## Snapshot
Researchers at the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) have identified RansomHub ransomware as a significant threat.
## Description
RansomHub, a ransomware-as-a-service variant, has targeted critical infrastructure sectors and exfiltrated data from at least 210 victims since its inception in February 2024. Affiliates of RansomHub use a double-extortion model, encrypting systems and exfiltrating data to extort victims. The ransom note dropped during encryption does not include an initial ransom demand, but provides victims with a client ID and instructions to contact the ransomware group via a unique .onion URL. The ransom note typically gives victims between three and 90 days to pay the ransom before the ransomware group publishes their data on the RansomHub Tor data leak site.
RansomHub affiliates typically compromise internet-facing systems and user endpoints using methods such as phishing emails, exploitation of known vulnerabilities, and password spraying. Notably, specific CVEs have been observed in the exploitation methods, including vulnerabilities in Citrix ADC, FortiOS, Java OpenWire protocol marshaller, and Confluence Data Center and Server instances. Once inside the network, the threat actors conduct network scanning, rename the ransomware executable with innocuous file names, clear system logs, and disable antivirus products. They also create user accounts for persistence, gather credentials, and move laterally inside the network using various methods. Data exfiltration methods observed include the usage of tools such as PuTTY, Amazon AWS S3 buckets/tools, and HTTP POST requests. RansomHub ransomware leverages an Elliptic Curve Encryption algorithm to encrypt user accessible files on the system and attempts to stop specific processes to successfully encrypt files. Additionally, the ransomware deletes volume shadow copies to inhibit system recovery.
The threat actors have been observed using legitimate tools such as BITSAdmin and Cobalt Strike for their operations. Mimikatz, PSExec, PowerShell, RClone, Sliver, SMBExec, WinSCP, CrackMapExec, Kerberoast, and AngryIPScanner have been utilized for various malicious activities. The article also mentions indicators of compromise, including IP addresses historically linked to QakBot, known URLs related to malicious activity, and emails associated with RansomHub from 2023-2024. The authoring organizations recommend investigating or vet
## Microsoft Analysis
RansomHub, a new Ransomware-as-a-Service (RaaS), has rapidly emerged as a major ransomware threat. According to Microsoft Threat Intelligence and [other security researchers](https://sip.security.microsoft.com/intel-explorer/articles/57d133ec), RansomHub ransomware evolved and rebranded from Knight ransomware, after the Knight ransomware gang sold its source code in February 2024. In August 2024, [Sophos analysts identified](https://sip.security.microsoft.com/intel-explorer/articles/f5878aee) a new EDR-killing utility associated with RansomHub. The EDR-killing tool is designed to terminate endpoint protection software and is a loader executable (also known as a “bring your own vulnerable driver” or BYOVD tool).
## Recommendations
For a holistic security guide for defending against ransomware, which can also limit many other motivated attackers, refer to Microsoft's threat overview profile on [human-operated ransomware](https://security.microsoft.com/threatanalytics3/05658b6c-dc62-496d-ad3c-c6a795a33c27/analystreport).
Microsoft recommends the following mitigations to reduce the impact of ransomware threats.
- Immediately apply security updates for [CVE-2020-1472](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472). Check the threat and vulnerability management portal for the most recent patching status.
- Turn on [cloud-deli |
Notes |
★★
|
Sent |
Yes |
Tags |
Ransomware
Malware
Tool
Vulnerability
Threat
Patching
|
Reposts of the article (1):
Source |
RiskIQ |
Identifier |
8574837 |
Publication date |
2024-09-11 20:20:08 (viewed: 2024-09-11 21:18:11) |
Title |
NoName ransomware gang deploying RansomHub malware in recent attacks |
Text |
## Snapshot
The NoName ransomware gang, active since at least 2020, has recently deployed a custom ransomware called ScRansom. Although relatively unsophisticated, ScRansom has been used to target small and medium-sized businesses (SMBs) worldwide, with ESET researchers noting a possible connection between NoName and the RansomHub Ransomware-as-a-Service (RaaS) group.
## Description
NoName uses custom tools from the SpaceColon malware family, which are deployed after gaining network access through brute-force attacks or by exploiting older vulnerabilities such as EternalBlue ([CVE-2017-0144](https://sip.security.microsoft.com/intel-explorer/cves/CVE-2017-0144/)) and Zerologon ([CVE-2020-1472](https://sip.security.microsoft.com/intel-profiles/cve-2020-1472)). CosmicBeetle has also impersonated LockBit, leveraging the leaked LockBit builder to generate custom ransomware and mimic its branding. In more recent attacks, NoName has replaced its Scarab encryptor with ScRansom.
ESET has tracked the NoName gang, also known as CosmicBeetle, since 2023, noting the rise of ScRansom, a Delphi-based file-encrypting malware. Despite its simplicity compared to other ransomware, ScRansom continues to evolve, featuring a structured graphical user interface (GUI) and partial encryption modes, including one that irreversibly erases segments of files. Its encryption scheme has shifted from basic AES-CTR-128 to a more complex combination of RSA-1024 and AES-CTR-128, and it also kills processes during encryption, with the recent addition of a standalone process-killer tool, ScKill.
ESET researchers believe CosmicBeetle may have become a RansomHub affiliate, citing similar attack patterns and shared toolsets. ESET telemetry revealed that CosmicBeetle deployed RansomHub's EDR killer after its own tools failed to compromise a target, strengthening the possible connection.
NoName's attacks focus largely on SMBs across various sectors, with victims including those in manufacturing, healthcare, and government, particularly in regions with weaker patch management practices.
### Additional Analysis
RansomHub, a new Ransomware-as-a-Service (RaaS), has rapidly emerged as a major ransomware threat. According to Microsoft Threat Intelligence and [other security researchers](https://sip.security.microsoft.com/intel-explorer/articles/57d133ec), RansomHub ransomware evolved and rebranded from Knight ransomware, after the Knight ransomware gang sold its source code in February 2024. In August 2024, [Sophos analysts identified](https://sip.security.microsoft.com/intel-explorer/articles/f5878aee) a new EDR-killing utility associated with RansomHub. The EDR-killing tool is designed to terminate endpoint protection software and is a loader executable (also known as a "bring your own vulnerable driver" or BYOVD tool).
## Recommendations
For a holistic security guide for defending against ransomware, which can also limit many other motivated attackers, refer to Microsoft's threat overview profile on [human-operated ransomware](https://security.microsoft.com/threatanalytics3/05658b6c-dc62-496d-ad3c-c6a795a33c27/analystreport).
Microsoft recommends the following mitigations to reduce the impact of ransomware threats.
- Immediately apply security updates for [CVE-2020-1472](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472). Check the threat and vulnerability management portal for the most recent patching status. |
Notes |
★★
|
Sent |
Yes |
Tags |
Ransomware
Malware
Tool
Vulnerability
Threat
Patching
Medical
|
The article does not appear to have been reposted from a previous one.