
Four new ransomware groups to be aware of


With law enforcement and intelligence agencies in many countries hunting ransomware gangs, it’s no surprise some veteran groups are reportedly disbanding, laying low, or abandoning their brands and starting with new names. Yet despite this attention from authorities, new players are still emerging, as two recent reports illustrate.

A report by researchers at U.S.-based Cyble identifies three new groups not believed to be associated with existing ones. The report also includes indicators of compromise for each strain. The three are:

RedAlert, which targets both Windows and Linux VMware ESXi servers on corporate networks. The ransomware stops all running virtual machines and encrypts any file related to virtual machines, such as virtual disks, the report notes. It’s named after a string with the same name in the ransom note, but threat actors named their campaign “N13V”. RedAlert only accepts ransom payments in Monero, which is rather atypical for ransomware groups, the report says.

The threat actors behind it run the ransomware manually, meaning it is executed only after a complete takeover of a victim’s system. The ransomware binary provides various options for performing pre-encryption operations, such as stopping all virtual machines running on VMware ESXi, asymmetric cryptography performance tests, etc.

The ransomware uses the NTRUEncrypt public key encryption algorithm for encryption, targeting log files (.log), swap files (.vswp), virtual disks (.vmdk), snapshot files (.vmsn) and memory files (.vmem) of VMware ESXi virtual machines. After encryption the ransomware appends a “.crypt[Random number]” extension to the file;

Omega is suspected of targeting organizations using double extortion techniques, meaning the group behind it steals data before encrypting victims’ servers and then threatens to sell the copied data unless the victim pays for decryption keys. The indicators of compromise of this ransomware strain are unavailable in the wild;

Lilith ransomware, which gets its name from appending the extension “.lilith” to encrypted files. Victims are given three days to negotiate the price for the decryption software. Failing that, the threat actor threatens to start leaking copied personal data.

Researchers note Lilith malware can affect many file types and render them completely unusable.

Luna ransomware. This morning Kaspersky released a report on this new strain, which is written in Rust and runs on Windows, Linux and ESXi systems.
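The RedAlert description above gives defenders something concrete to look for on an ESXi datastore: VM-related files (.log, .vswp, .vmdk, .vmsn, .vmem) whose names now end in “.crypt” followed by a number. The following script is an added example, not code from the Cyble report or from IT World Canada; it scans a list of file paths (or a real datastore mount) and summarises which VM file types have been renamed that way. The digit pattern after “.crypt” is an assumption based on the report’s “[Random number]” wording, and the sample listing is constructed, not real indicators of compromise.

```python
import re
from collections import Counter
from pathlib import Path
from typing import Iterable, Optional, Tuple

# File types the report says RedAlert encrypts on VMware ESXi datastores.
ESXI_VM_EXTENSIONS = ("log", "vswp", "vmdk", "vmsn", "vmem")

# RedAlert appends ".crypt[Random number]" after the original extension,
# e.g. "web01-flat.vmdk" -> "web01-flat.vmdk.crypt48213".
# Assumption: the random part is one or more decimal digits.
ENCRYPTED_NAME = re.compile(
    r"\.(?P<orig>" + "|".join(ESXI_VM_EXTENSIONS) + r")\.crypt(?P<tag>\d+)$",
    re.IGNORECASE,
)


def classify(path: str) -> Optional[Tuple[str, str]]:
    """Return (original_extension, random_tag) when the file name matches the
    RedAlert rename pattern, otherwise None."""
    match = ENCRYPTED_NAME.search(Path(path).name)
    if not match:
        return None
    return match.group("orig").lower(), match.group("tag")


def scan_paths(paths: Iterable[str]) -> dict:
    """Summarise suspect files from an iterable of paths.

    Returns a dict with the flagged paths, a per-original-type count (useful to
    see whether disks, snapshots or memory files were hit), and the set of
    random tags seen (one tag reused across many files hints at one campaign)."""
    encrypted = []
    by_type: Counter = Counter()
    tags = set()
    for p in paths:
        hit = classify(p)
        if hit is None:
            continue
        encrypted.append(p)
        by_type[hit[0]] += 1
        tags.add(hit[1])
    return {
        "encrypted": encrypted,
        "by_type": by_type,
        "tags": tags,
        "total": len(encrypted),
    }


def scan_datastore(root: str) -> dict:
    """Walk a real datastore mount (for example /vmfs/volumes/<datastore>)
    and apply the same check to every regular file."""
    return scan_paths(str(p) for p in Path(root).rglob("*") if p.is_file())


# Constructed sample listing (not real IoCs): healthy VM files mixed with
# names rewritten the way the report describes.
SAMPLE_LISTING = [
    "/vmfs/volumes/ds1/web01/web01.vmx",
    "/vmfs/volumes/ds1/web01/web01-flat.vmdk.crypt48213",
    "/vmfs/volumes/ds1/web01/web01.vswp.crypt48213",
    "/vmfs/volumes/ds1/web01/vmware.log.crypt48213",
    "/vmfs/volumes/ds1/db02/db02.vmdk",
    "/vmfs/volumes/ds1/db02/db02-Snapshot1.vmsn.crypt7",
    "/vmfs/volumes/ds1/db02/db02.vmem.crypt7",
    "/vmfs/volumes/ds1/notes/backup.crypt",  # no digits, no VM extension: not flagged
]


if __name__ == "__main__":
    report = scan_paths(SAMPLE_LISTING)
    print(f"{report['total']} suspect files, tags seen: {sorted(report['tags'])}")
    for ext, n in sorted(report["by_type"].items()):
        print(f"  .{ext}: {n}")
    for path in report["encrypted"]:
        print("  ", path)
```

Run it as-is to see the constructed listing classified, or call `scan_datastore("/vmfs/volumes/<datastore>")` from a host with the datastore mounted read-only. The check is deliberately narrow (VM file type plus the “.crypt” suffix) so it does not fire on unrelated “.crypt” files; pair it with the report’s published indicators of compromise rather than treating a file-name match alone as confirmation.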

To fight ransomware, Cyble urges CISOs to

According to Q2 research this month from Cyberint, the most successfully deployed ransomware, as measured by claims on threat actors’ data leak sites, was LockBit, followed by BlackCat (AlphV), Black Basta, Conti and Vice Society.

During the second quarter, Conti officially shut down its infrastructure, but researchers believe its members are supporting other groups. However, says Cyberint, it suffered what appears to have been a mortal blow when a Ukrainian security researcher infiltrated the group’s infrastructure and leaked a trove of information, including online conversations, personnel information, tools, and their product’s source code.
