One Article Review

Home - The article:
Source RiskIQ.webp RiskIQ
Identifier 8590809
Publication date 2024-10-02 23:11:05 (viewed: 2024-10-02 23:18:01)
Title Meow, Meow Leaks, and the Chaos of Ransomware Attribution
Text
## Snapshot
Bitdefender released an overview of Meow, a group that first emerged in 2022, and Meow Leaks, two likely related ransomware groups.
## Description
Meow is classified as a ransomware group linked to the Conti malware family and operates under the Ransomware as a Service (RaaS) model. Meow primarily targets organizations in the U.S., U.K., Nigeria, and Italy, leveraging vulnerabilities and zero-days to deploy ransomware that appends the ".meow" extension to encrypted files. Though its operations were hampered by the release of a decryptor in 2023, Meow continues to pose a risk to organizations. There is ongoing debate over whether Meow is distinct from Meow Leaks, a group that surfaced in 2023. While Meow focuses on ransomware and encryption, Meow Leaks is primarily involved in data exfiltration, selling stolen information on the dark web. Meow Leaks' victims are spread across multiple countries and sectors, including government, healthcare, education, and finance. Bitdefender assesses that this shift in operational focus from encryption to pure data theft reflects a broader trend among ransomware groups, as exfiltration-only attacks offer reduced operational costs and increased profit potential. Meow Leaks denies any connection to Meow Corp or the Conti family, yet its tactics involve unauthorized data access and extortion without encryption. Researchers are still investigating the extent of collaboration between these groups, given the similarities in their extortion methods and goals.
## Microsoft Analysis
Ransomware attackers often profit simply by cutting off access to critical systems and causing system downtime. Although that simple technique often motivates victims to pay, it is not the only way attackers can monetize their access to compromised networks. Exfiltration of data and "double extortion," which refers to attackers threatening to leak data if a ransom has not been paid, has also become a common tactic among many RaaS affiliate programs, many of them offering a unified leak site for their affiliates. Attackers can also exfiltrate data and demand ransom without deploying a payload in extortion-only attacks. With double extortion, attackers do not need to deploy ransomware and cause downtime to extort money. Some attackers have moved beyond the need to deploy ransomware payloads and are shifting to extortion models or performing the destructive objectives of their attacks by directly deleting cloud resources. To learn more, read Microsoft's threat overview on [human-operated ransomware](https://security.microsoft.com/intel-explorer/articles/952e5e3d).
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Read our [ransomware as a service blog](https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#defending-against-ransomware) for advice on developing a holistic security posture to prevent ransomware, including credential hygiene and hardening recommendations.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
- Turn on [tamper protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) features to prevent attackers from stopping security services.
- Run [endpoint detection and response (EDR) in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode), so that Defender for Endpoint can block malicious artifacts, even when
Notes ★★
Sent Yes
Tags Ransomware Malware Tool Vulnerability Threat Prediction Medical Cloud
Stories


The article does not appear to have been picked up after its publication.


The article resembles 1 other article(s):
Src Date (GMT) Title Description Tags Stories Notes
RiskIQ.webp 2024-10-03 18:06:19 (Déjà vu) Threat actor believed to be spreading new MedusaLocker variant since 2022
(direct link)
## Snapshot
Cisco Talos has identified a financially motivated threat actor active since 2022, recently deploying a MedusaLocker ransomware variant known as "BabyLockerKZ".
## Description
This group has targeted organizations worldwide, with a particular focus on Europe until mid-2023, after which they shifted their attacks to South America. The ransomware variant, BabyLockerKZ, is notable for its unique features, including specific PDB paths and attack tools consistently stored in the same system locations. The attacker primarily uses publicly available tools, such as Mimikatz and network scanners, along with "Checker", which facilitates credential theft and lateral movement within compromised networks. This tool helps the actor automate the attack process, offering a graphical interface to streamline operations. BabyLockerKZ has some distinctive characteristics compared to traditional MedusaLocker, such as unique registry keys and additional encryption mechanisms. Cisco Talos' telemetry shows that the group's attack volume increased significantly in early 2023, with up to 200 compromised IPs per month before the start of activity in 2024. The company assesses that the actor's aggressive tactics and sustained attack volume suggest a professional operation, potentially linked to an initial access broker (IAB) or a ransomware affiliate.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Read our [ransomware as a service blog](https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#defending-against-ransomware) for advice on developing a holistic security posture to prevent ransomware, including credential hygiene and hardening recommendations.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
- Turn on [tamper protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) features to prevent attackers from stopping security services.
- Run [endpoint detection and response (EDR) in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode) to block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected after the breach.
- Enable [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations) in full automated mode to allow Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. Les cli
Tags Ransomware Malware Tool Threat
Notes ★★
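Both recommendation lists on this page (the one attached to the Meow write-up and the one attached to the MedusaLocker write-up) ask for the same Microsoft Defender settings: cloud-delivered protection, tamper protection and EDR in block mode. The following PowerShell audit is an added example, not part of the RiskIQ or Microsoft text, that reads the local Defender state with the built-in Defender module and reports which of those mitigations are missing. The cmdlets and property names (`Get-MpComputerStatus`, `Get-MpPreference`, `Set-MpPreference`, `AMRunningMode`, `IsTamperProtected`, `MAPSReporting`, `DisableBlockAtFirstSeen`, `SubmitSamplesConsent`) are the Defender module's as the editor knows them; the function names are this example's own. Tamper protection and EDR block mode are managed from Intune or the Defender portal, so the script only reports on them; cloud-delivered protection can be corrected locally with the `-Remediate` switch when run from an elevated session.

```powershell
# Added example (not from the RiskIQ/Microsoft write-up): audit a Windows host for the
# Defender mitigations recommended above, using the built-in Defender PowerShell module.
# Tamper protection and EDR block mode are managed centrally (Intune / Defender portal),
# so they are reported only; cloud-delivered protection can be corrected locally.

function Get-RansomwareMitigationStatus {
    [CmdletBinding()]
    param(
        # When set, turn on the locally configurable cloud-protection settings.
        [switch]$Remediate
    )

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # MAPSReporting: 0 = off, 1 = basic, 2 = advanced. Block at First Sight additionally
    # needs samples to be submitted (SubmitSamplesConsent 1 = safe samples, 3 = all samples).
    $cloudOn = $pref.MAPSReporting -ge 1
    $bafsOn  = (-not $pref.DisableBlockAtFirstSeen) -and ($pref.SubmitSamplesConsent -in 1, 3)

    if ($Remediate -and -not ($cloudOn -and $bafsOn)) {
        # Same switches Microsoft documents for enabling Block at First Sight via PowerShell.
        Set-MpPreference -MAPSReporting Advanced `
                         -DisableBlockAtFirstSeen $false `
                         -SubmitSamplesConsent SendSafeSamples
        $pref    = Get-MpPreference
        $cloudOn = $pref.MAPSReporting -ge 1
        $bafsOn  = (-not $pref.DisableBlockAtFirstSeen) -and ($pref.SubmitSamplesConsent -in 1, 3)
    }

    # AMRunningMode is "Normal" (Defender is the primary AV), "Passive Mode" (a third-party
    # AV is primary) or "EDR Block Mode". Block mode only matters when Defender is not primary.
    $mode       = $status.AMRunningMode
    $edrCovered = ($mode -eq 'Normal') -or ($mode -eq 'EDR Block Mode')

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        CloudProtection     = $cloudOn
        BlockAtFirstSight   = $bafsOn
        TamperProtection    = [bool]$status.IsTamperProtected
        AMRunningMode       = $mode
        EdrBlockModeCovered = $edrCovered
    }
}

# Turn the status into plain findings so they can be fed to a ticket or a report.
function Get-MitigationGaps {
    param([switch]$Remediate)

    $s    = Get-RansomwareMitigationStatus -Remediate:$Remediate
    $gaps = @()
    if (-not $s.CloudProtection)     { $gaps += 'Cloud-delivered protection (MAPS) is off' }
    if (-not $s.BlockAtFirstSight)   { $gaps += 'Block at First Sight is off or samples are not submitted' }
    if (-not $s.TamperProtection)    { $gaps += 'Tamper protection is off (enable via Intune/Defender portal)' }
    if (-not $s.EdrBlockModeCovered) { $gaps += "Defender is in '$($s.AMRunningMode)' without EDR block mode (enable in the Defender portal)" }
    return $gaps
}

# Usage: report only. Add -Remediate (elevated) to also switch on cloud protection locally.
Get-MitigationGaps
```

An empty result means every mitigation the write-ups list is in place on that host; each string in the result names one gap and where it has to be fixed. Because tamper protection blocks attempts to turn protection off but not to turn it on, the `-Remediate` path works on a tamper-protected machine as well.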