Between 22 and 26 May, CYFIRMA researchers identified a global ransomware campaign named “Night Blood”, operated by Russian-speaking cybercriminals attributed to TA505 or its affiliates (confidence level: moderate), to launch cyberattacks against global companies and government agencies.
Cybercriminals are suspected to have released a target asset list of 712 unique IP addresses believed to be associated with 89 global organizations and government agencies.
Researchers uncovered two approaches that could be leveraged by cybercriminals:
Our initial analysis shows that the handlers of this campaign follow patterns closely resembling those of the REvil ransomware group.
Motivation: exfiltration of sensitive information, system information, and customer information for financial gain, followed by a ransom demand.
Analysis of captured hacker footprints and correlation with external threat vectors indicate that this is a potential threat, and organizations are advised to take the precautionary measures highlighted in this report.
CYFIRMA recommends using the reported IOC details for defensive measures against this campaign and for threat hunting within the environment.
Following is the chronology of the hackers’ conversations captured as part of this campaign.
PERIOD OF ANALYSIS: 22-26 May 2021.
As part of CYFIRMA’s monitoring, we first noticed a Discord forum where a potential list of 96 IP addresses was published on 22 May 2021. Subsequently, we observed the same list being published in the following 3 dark web forums. The list of IP addresses has been growing continuously since then.
Russian-speaking communities: the following dark web channels were observed. Please note that most of these Onion sites are invitation-based forums and may not be easily accessible.
Discord channel <Masked>
Dark web forums:
[Image: screenshot from the dark web forum]
In the <masked> dark web forum, CYFIRMA observed a number of cybercriminals speaking in Russian while referring to the Discord channel and the 3 dark web channels as a “catch” and “big money”.
Later that day, we observed another potential 89 IP addresses being added to the 3 dark web forums highlighted earlier.
In the <masked> dark web forums, cybercriminals continued to discuss weaknesses and exploits in web servers [IIS, Apache] and web applications.
It is suspected that most of the listed IP addresses, i.e., publicly accessible systems, might serve as entry points for the cybercriminals.
METHOD USED BY THE HACKERS: The following methods were discussed by the hackers:
ADDITIONAL INSIGHTS OF “NIGHT BLOOD”
This campaign is offered by Russian-speaking cybercriminals as Ransomware-as-a-Service (RaaS). The IP addresses targeted by the campaign have propagated as follows:
At the first stage, cybercriminals are suspected to have released a target asset list of 712 unique IP addresses believed to be associated with 89 global organizations and government agencies.
Out of these, CYFIRMA observed 147 IP addresses forming a potential target list associated with multinational Japanese, South East Asian, Australian, and Indian organizations.
CYFIRMA further noticed the target asset list growing, based on its monitoring of multiple dark web forums. Cybercriminals have posted 296 new IP addresses which they have identified as potential targets.
The ransomware operators are following the double whammy/double extortion strategy, which includes the tactics below:
In this campaign, and for the first time, cybercriminals are seen targeting webservers by exploiting their weaknesses and potentially using them as a launch pad for cyberattacks.
Based on CYFIRMA’s assessment of the attack methods and vectors discussed by cybercriminals, we identified that they could be planning to use a two-way approach to demand ransom:
Following are further details of the possible approaches which could be leveraged by cybercriminals:
Suspected malware file names: exe, bitap-se.deb, hook-l.deb, winkernalw.exe.
Suspected hashes: As summarized in the IOC table (masked).
This malware attaches a malicious plug-in [hash: cb70d21d0f4201467009dcac4359ccf0] to the webserver. When a visitor opens the infected website, a downloader plug-in [plug-in name: SafSecur, hash: dfefe1af44873b730638853a91e3a143] is offered to all visitors, who must accept it before they can access the site.
In our analysis, as soon as the malicious plug-in is installed, it connects to potential Command & Control (C2) servers 159.26.224, 220.127.116.11, 18.104.22.168, 22.214.171.124 through a web request to download a new variant of REvil ransomware using the file [file name: ExtraEarningReport.docx].
Similar to REvil, the ransomware can exfiltrate sensitive information, encrypt files and folders, and demand ransom. Further details are available in the REvil ransomware technical details.
Suspected malware file names: exe, mngt.deb, wexplorerplu.exe, unneti.exe.
Suspected hashes: As summarized in the IOC table (masked).
This malware can scan all connected systems in the network, identify weaknesses, and upload the collected network information to potential Command & Control (C2) servers [166.173.169, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11].
The malware installed on the webserver could then source the ransomware toolkit from potential Command & Control (C2) servers [243.123.211, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52] and use the package [suspected file names: xdope.exe, gtwek.deb]. This package is leveraged to break into vulnerable internal systems and install the ransomware.
CYFIRMA observed a new variant of REvil ransomware using the file [file name: docx].
Similar to REvil, the ransomware goes on to exfiltrate sensitive information, encrypt files and folders, and demand ransom. Further details are available in the REvil ransomware technical details.
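The report recommends using the published IOCs for threat hunting. The following Python script is an added example, not part of the CYFIRMA report, showing how a defender can turn the indicators above into two concrete checks: a file inventory (path plus MD5) is compared against the two plug-in hashes and the suspected file names, and outbound proxy log lines are matched against the C2 addresses. Only the C2 addresses that appear in full in the report are included; the truncated ones are deliberately left out rather than guessed. The log lines and the inventory below are constructed sample data.

```python
"""Hunt for the 'Night Blood' IOCs in a file inventory and in proxy log lines.
Sample inputs at the bottom are constructed for illustration."""
import hashlib
import os
import re
from typing import Dict, Iterable, List, Tuple

# Indicators taken from the report. Truncated C2 addresses are omitted.
C2_IPS = {
    "220.127.116.11", "18.104.22.168", "22.214.171.124",
    "126.96.36.199", "188.8.131.52", "184.108.40.206",
}
MD5_IOCS = {
    "cb70d21d0f4201467009dcac4359ccf0": "malicious webserver plug-in",
    "dfefe1af44873b730638853a91e3a143": "SafSecur downloader plug-in",
}
FILE_NAME_IOCS = {
    "bitap-se.deb", "hook-l.deb", "winkernalw.exe", "extraearningreport.docx",
    "mngt.deb", "wexplorerplu.exe", "unneti.exe", "xdope.exe", "gtwek.deb",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_c2_contacts(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (c2_ip, line) for every log line mentioning a listed C2 address."""
    hits = []
    for line in log_lines:
        for ip in sorted(set(IPV4_RE.findall(line))):
            if ip in C2_IPS:
                hits.append((ip, line.strip()))
    return hits


def match_inventory(inventory: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """inventory yields (path, md5 hex digest). Returns {path: [reasons]}.
    Hash and name are checked independently: a renamed copy keeps its hash,
    a rebuilt sample keeps its name."""
    findings: Dict[str, List[str]] = {}
    for path, md5hex in inventory:
        reasons = []
        digest = md5hex.lower()
        if digest in MD5_IOCS:
            reasons.append("md5 matches " + MD5_IOCS[digest])
        if os.path.basename(path).lower() in FILE_NAME_IOCS:
            reasons.append("file name listed in report")
        if reasons:
            findings[path] = reasons
    return findings


def inventory_from_dir(root: str) -> List[Tuple[str, str]]:
    """Build a (path, md5) inventory from a real directory, e.g. a webserver's
    plug-in folder, to feed into match_inventory()."""
    out = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            h = hashlib.md5()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            out.append((path, h.hexdigest()))
    return out


# Constructed sample data (not from the report): outbound proxy lines and a
# small inventory with one hash hit, one name hit, and one benign file.
SAMPLE_LOGS = [
    "2021-05-23T02:14:07Z web01 proxy src=10.0.4.12 dst=18.104.22.168 dport=443 "
    "method=GET uri=/ExtraEarningReport.docx",
    "2021-05-23T02:14:09Z web01 proxy src=10.0.4.12 dst=203.0.113.5 dport=443 "
    "method=GET uri=/index.html",
    "2021-05-23T02:20:41Z web01 proxy src=10.0.4.30 dst=188.8.131.52 dport=80 "
    "method=POST uri=/upload",
]
SAMPLE_INVENTORY = [
    ("/var/www/html/plugins/safsecur/loader.php", "dfefe1af44873b730638853a91e3a143"),
    ("/var/www/html/plugins/akismet/akismet.php", "0123456789abcdef0123456789abcdef"),
    ("/tmp/xdope.exe", "ffffffffffffffffffffffffffffffff"),
]

if __name__ == "__main__":
    for ip, line in find_c2_contacts(SAMPLE_LOGS):
        print("C2 contact", ip, "<-", line)
    for path, reasons in match_inventory(SAMPLE_INVENTORY).items():
        print("IOC file", path, ":", "; ".join(reasons))
```

In production the inventory would come from `inventory_from_dir()` run against the webserver's plug-in directory (or from an existing file-integrity tool export), and the log lines from the proxy or firewall. Matching on both hash and name is intentional: either alone misses a trivially modified sample.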
Russian hacker groups have been observed actively targeting multiple organizations in the past. Their primary intent is possibly to exfiltrate sensitive details for sale on the grey market or to competitors for financial gain.
Based on our findings, the campaign appears to be in a potential reconnaissance phase. We strongly recommend that your organization and its subsidiaries be well prepared against the potential cyberattack to be carried out by the suspected Russian threat actor TA505 and its affiliates.
Implement a unified threat management strategy program, including malware detection, deep learning neural networks, and anti-exploit technology connected with vulnerability and risk mitigation.
Adopt a holistic ransomware protection strategy that includes employee education and DR plans; this adds a layer of security to systems and safeguards organization data, revenue, and reputation.
Strengthen the patch management policy: regularly update systems with suitable security patches to ensure cybercriminals cannot take advantage of known flaws to gain access to networks and distribute ransomware.
Audit patching processes and evaluate technologies and policies that can make them more effective, leveraging automation whenever feasible.
Manage employee behavior through cybersecurity education and training programs, then schedule frequent drills to test and monitor the programs’ efficiency.
Ensure preparedness for handling ransomware attacks by constructing a pre-incident preparation strategy that includes backups, asset management, and the restriction of user privileges.
Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defences based on the tactical intelligence provided.
Patch/upgrade all applications/software regularly to the latest versions: operating system, web server, application server.
It is recommended that systems publicly accessible over the internet are protected by a strong security policy, and the following techniques could be implemented to avoid automated brute-force attacks:
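The report lists publicly accessible systems as the likely entry point and closes with advice to guard them against automated brute-force attacks. As an added example, not from the CYFIRMA report, the Python below shows the detection side of that advice: it parses sshd-style authentication failures from an internet-facing host and flags any source address that produces more than a threshold of failures inside a sliding time window, along with the user names it tried. The log lines are constructed; the threshold and window are illustrative parameters, not values from the report.

```python
"""Sliding-window brute-force detection over sshd-style auth log lines.
The sample log below is constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

# Timestamp is taken without its zone suffix so fromisoformat() accepts it on
# any Python 3 version; the suffix is skipped by the \S* that follows it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S* \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

Failure = Tuple[datetime, str, str]  # (timestamp, source ip, user name)


def parse_failures(lines: Iterable[str]) -> List[Failure]:
    """Extract (ts, ip, user) from every failed-password line; other lines are ignored."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            out.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"]))
    return out


def detect_bruteforce(failures: Iterable[Failure], threshold: int = 5,
                      window_s: int = 60) -> Dict[str, Tuple[int, List[str]]]:
    """Return {ip: (peak failures inside any window_s-second window, users tried)}
    for every source whose peak reaches the threshold. Events may arrive unsorted."""
    recent: Dict[str, deque] = defaultdict(deque)
    peak: Dict[str, int] = defaultdict(int)
    users: Dict[str, set] = defaultdict(set)
    for ts, ip, user in sorted(failures):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        # Drop failures that fell out of the window ending at this event.
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: (n, sorted(users[ip])) for ip, n in peak.items() if n >= threshold}


# Constructed sample: one fast burst, one slow trickle, one legitimate user, one
# non-failure line that the parser must ignore.
SAMPLE_AUTH_LOG = [
    "2021-05-24T01:00:01+00:00 web01 sshd[2211]: Failed password for root from 198.51.100.7 port 51022 ssh2",
    "2021-05-24T01:00:03+00:00 web01 sshd[2213]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2",
    "2021-05-24T01:00:04+00:00 web01 sshd[2215]: Failed password for invalid user test from 198.51.100.7 port 51041 ssh2",
    "2021-05-24T01:00:06+00:00 web01 sshd[2217]: Failed password for invalid user oracle from 198.51.100.7 port 51052 ssh2",
    "2021-05-24T01:00:08+00:00 web01 sshd[2219]: Failed password for root from 198.51.100.7 port 51060 ssh2",
    "2021-05-24T01:00:09+00:00 web01 sshd[2221]: Failed password for invalid user guest from 198.51.100.7 port 51071 ssh2",
    "2021-05-24T01:05:00+00:00 web01 sshd[2301]: Failed password for alice from 192.0.2.9 port 40001 ssh2",
    "2021-05-24T01:05:30+00:00 web01 sshd[2303]: Failed password for alice from 192.0.2.9 port 40002 ssh2",
    "2021-05-24T01:05:45+00:00 web01 sshd[2305]: Accepted publickey for alice from 192.0.2.9 port 40003 ssh2",
    "2021-05-24T01:00:00+00:00 web01 sshd[2401]: Failed password for invalid user backup from 203.0.113.44 port 6000 ssh2",
    "2021-05-24T01:02:00+00:00 web01 sshd[2403]: Failed password for invalid user backup from 203.0.113.44 port 6001 ssh2",
    "2021-05-24T01:04:00+00:00 web01 sshd[2405]: Failed password for invalid user backup from 203.0.113.44 port 6002 ssh2",
    "2021-05-24T01:06:00+00:00 web01 sshd[2407]: Failed password for invalid user backup from 203.0.113.44 port 6003 ssh2",
    "2021-05-24T01:08:00+00:00 web01 sshd[2409]: Failed password for invalid user backup from 203.0.113.44 port 6004 ssh2",
]

if __name__ == "__main__":
    for ip, (count, tried) in detect_bruteforce(parse_failures(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {count} failures within 60s, users tried: {', '.join(tried)}")
```

The window matters as much as the threshold: with a 60-second window only the fast burst from 198.51.100.7 is flagged, while widening it to ten minutes also catches the slow trickle from 203.0.113.44, which is how low-and-slow guessing evades a naive per-minute counter. The output is meant to feed a blocking or alerting step (a firewall rule or SIEM alert), not to act on its own.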