Table of Contents
Between 22 May – 12 June, CYFIRMA Research identified a Global Ransomware Campaign named “night blood” operated by Russian-speaking cybercriminals attributing to TA505 or its affiliates (Confidence Level: High) to launch a cyberattack against global companies and government agencies.
The two-way approach which could be leveraged by cybercriminals to maximize their return on investment:
Our initial analysis disclosed close patterns of this campaign handler similar to the REvil ransomware group.
Motivation: Exfiltration of sensitive information, system, and customer information for financial gains; and demand ransom.
Analysis of captured hackers’ footprints and correlation with external threat vectors indicate that this is a potential threat, and your organization is advised to take precautionary measures as highlighted in this report.
CYFIRMA recommends using reported IOC details for measures against this campaign and threat hunting within your environment.
Following is the chronology of hacker’s conversations captured as part of this campaign.
Details listed as per chronological order
As part of CYFIRMA’s monitoring, we first noticed a discord forum, where potential 96 IP addresses were published on 22 May 2021. Subsequently, we observed the same list being published in the following 3 dark web forums. The list of IP addresses has been continuously growing since then.
Russian-speaking communities: Following are the dark web channels observed. Please note that most of these Onion sites are invitation-based forums and may not be accessible without invitation.
Discord channel [mAzGcuWz]
Dark web forums:
Image of Screenshot from the dark web forum:
In caqpnvcwzxubhfqx[.]onion dark web forum, CYFIRMA observed a number of cybercriminals speaking in the Russian language while making reference to Discord channel and 3 dark web channels as “catch” and “big money”.
Later in that day, we observed another potential 89 IP Addresses were being updated in the 3 dark web forums highlighted earlier.
In caqpnvcwzxubhfqx[.]onion dark web forums cybercriminals continued to discuss weakness and exploits around web servers [IIS, Apache] and web applications.
It is suspected most of the IP Addresses i.e., publicly accessible systems listed by cybercriminals, might act as an entry point for the cybercriminals.
As part of CYFIRMA’s continuous monitoring, we identified:
CAMPAIGN NAME: “ночная кровь” also known as “night blood” was suspected to be launched on 22 May 2021.
TARGET INDUSTRIES: Manufacturing, Food & Beverages, Financials, Real Estate & Infrastructure, Rubber, Insurance, Trading Platforms, Exchange Systems, Retail, Online Stores, Electronics, Telecommunication, ICT Services, Research, Chemical & Cosmetics, Transportation & Logistics, Automobile, Healthcare, Pharmaceutical, Government.
TARGET GEOGRAPHIES: Singapore, Japan, UK, Australia, South Korea, USA, India, Thailand, Germany, Spain, Vietnam.
This campaign is operated by Russian-speaking cybercriminals as Ransomware-as-a-Service (RaaS).
12 JUNE 2021
Based on the latest analysis, IP Addresses targeted by the campaign has propagated as follows:
At the first stage, cybercriminals are suspected to have released a target asset list of 2743 unique IP Addresses believed to be associated with 194 global organizations and government agencies.
Out of these, CYFIRMA observed 609 IP Addresses., a potential target list associated with multi-national organizations in Japan, Singapore, Thailand, Vietnam, Korea, Australia, and India.
CYFIRMA further noticed the target asset list growing based on its monitoring of multiple dark web forums. Cybercriminals have posted 735 new IP Addresses which they have identified as potential targets.
28 MAY 2021
The previous analysis identified that IP Addresses targeted by the campaign had propagated as follows:
At the first stage, cybercriminals are suspected to have released a target asset list of 712 unique IP Addresses believed to be associated with 89 global organizations and government agencies.
Out of these, CYFIRMA observed 147 IP Addresses., a potential target list associated with multi-national Japanese, South East Asian, Australian, and Indian organizations.
CYFIRMA further noticed the target asset list growing based on its monitoring of multiple dark web forums. Cybercriminals have posted 296 new IP Addresses which they have identified as potential targets.
The ransomware operators are following the double whammy/double extortion strategy which includes the tactics: Stealing sensitive details from the organization and encrypting of the files and folders and demanding ransom
In this campaign, and for the first time cybercriminals are seen targeting the webserver by exploiting its weakness and potentially using this as a launch-pad for cyberattacks.
Based on CYFIRMA’s attack method and vector assessment discussed by cybercriminals, we identified that they could be planning to use a two-way approach to demand ransom and maximize their returns of investment:
For the full report and further technical details, pls write to [email protected]