Global Ransomware Campaign Targeting a Growing List of Companies – Night Blood

Published On : 2021-06-24

Table of Contents

  1. Executive Summary
  2. Early Warning
  3. Recommendations
  4. Appendix A – About REvil Group

EXECUTIVE SUMMARY

Between 22 May and 12 June 2021, CYFIRMA Research identified a global ransomware campaign named “night blood”, operated by Russian-speaking cybercriminals attributed to TA505 or its affiliates (Confidence Level: High), targeting global companies and government agencies.

The operators could leverage a two-way approach to maximize their return on investment:

  • Approach 1: Extort ransom from website visitors by forcing them to download a malicious plug-in that installs a ransomware toolkit.
  • Approach 2: Extort ransom from the company by installing malware that scans all connected systems for the identified weakness and installs a ransomware toolkit.

Our initial analysis found that the patterns of this campaign’s handlers closely resemble those of the REvil ransomware group.

Motivation: Exfiltration of sensitive, system, and customer information for financial gain, followed by a ransom demand.

Analysis of the captured hackers’ footprints, correlated with external threat vectors, indicates that this is a credible threat, and your organization is advised to take the precautionary measures highlighted in this report.

CYFIRMA recommends using the reported IOC details both for defensive measures against this campaign and for threat hunting within your environment.
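One way to act on that recommendation is to match the reported IP indicators against web server access logs, which is where this campaign’s entry attempts would first appear. The script below is an added example, not CYFIRMA tooling: the IOC CSV and the access log lines are constructed placeholders (documentation-range addresses), not the campaign’s real indicators, and the CSV column names `indicator,type` are an assumption about the report’s CSV layout. It refangs `[.]`-style indicators before comparison, because the defanged form used in reports never matches live log data.

```python
"""Added example: hunt for reported IOC IP addresses in web server access logs.

Not CYFIRMA's tooling. IOC values and log lines are constructed placeholders;
the CSV column layout (indicator,type) is an assumption.
"""
import csv
import io
import ipaddress
import re
from collections import Counter

# Constructed IOC CSV (assumed columns: indicator,type). Values are
# RFC 5737 documentation addresses, not real campaign indicators.
IOC_CSV = """indicator,type
198.51.100[.]23,ip
203.0.113[.]7,ip
192.0.2[.]250,ip
example[.]invalid,domain
"""

# Constructed combined-format (Apache/Nginx) access log lines.
ACCESS_LOG = """\
198.51.100.23 - - [23/May/2021:02:14:07 +0000] "GET /wp-login.php HTTP/1.1" 200 1243 "-" "Mozilla/5.0"
10.0.0.5 - - [23/May/2021:02:14:09 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [23/May/2021:02:15:31 +0000] "POST /cgi-bin/test.cgi HTTP/1.1" 500 0 "-" "curl/7.68.0"
198.51.100.23 - - [23/May/2021:02:16:44 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""


def refang(indicator: str) -> str:
    """Undo report-style defanging ("[.]" for ".", "hxxp" for "http")."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def load_ioc_ips(csv_text: str) -> set[str]:
    """Return the set of valid IP indicators from an IOC CSV, refanged."""
    ips = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("type", "").strip().lower() != "ip":
            continue
        value = refang(row["indicator"].strip())
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            continue  # malformed entry: skip it rather than abort the hunt
    return ips


# The client address is the first whitespace-delimited field of the format.
CLIENT_IP_RE = re.compile(r"^(\S+) ")


def hunt(log_text: str, ioc_ips: set[str]) -> list[dict]:
    """Return one record per log line whose client IP is a known IOC."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = CLIENT_IP_RE.match(line)
        if not m:
            continue
        ip = m.group(1)
        if ip in ioc_ips:
            hits.append({"line": lineno, "ip": ip, "entry": line})
    return hits


def summarize(hits: list[dict]) -> dict[str, int]:
    """Count hits per IOC IP so the noisiest source is triaged first."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    iocs = load_ioc_ips(IOC_CSV)
    matches = hunt(ACCESS_LOG, iocs)
    for h in matches:
        print(f"line {h['line']}: {h['ip']} -> {h['entry']}")
    print(summarize(matches))
```

Feed it the real CSV and your own logs by swapping the two constants for file reads; a hit on a request that returned 200 to an administrative or scripting path deserves the same follow-up as a blocked one, since the target lists discussed below were compiled from exactly such publicly reachable endpoints.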

EARLY WARNING

TIMELINE

The following is the chronology of the hackers’ conversations captured as part of this campaign.

  • PERIOD OF ANALYSIS: 22 MAY 2021 – 12 JUNE 2021.

Details are listed in chronological order.

  • 22 MAY 2021

As part of CYFIRMA’s monitoring, we first noticed a Discord channel where a list of 96 potential target IP addresses was published on 22 May 2021. Subsequently, we observed the same list being published in the following three dark web forums. The list of IP addresses has been continuously growing since then.

Russian-speaking communities: the following are the dark web channels observed. Please note that most of these Onion sites are invitation-based forums and may not be accessible without an invitation.

Discord channel [mAzGcuWz]

Dark web forums:

  • qwkghdcv4hbewzpn[.]onion
  • mvdeuosxdvaekfnk[.]onion
  • bzokhgqdruyblpzd[.]onion

Handlers:

    • maSXe
    • CluFW3
    • Конверт
    • Фантазия
    • hикталопия
    • Beam2
    • Koiv

[Screenshot from the dark web forum]

  • 23 MAY 2021

In the caqpnvcwzxubhfqx[.]onion dark web forum, CYFIRMA observed a number of cybercriminals conversing in Russian and referring to the Discord channel and the three dark web forums as a “catch” and “big money”.

Later that day, we observed another 89 potential target IP addresses being added to the three dark web forums highlighted earlier.

  • 24 – 26 MAY 2021

In the caqpnvcwzxubhfqx[.]onion dark web forum, cybercriminals continued to discuss weaknesses and exploits in web servers (IIS, Apache) and web applications.

It is suspected that most of the listed IP addresses, i.e., publicly accessible systems, could serve as entry points for the cybercriminals.

  • 22 MAY 2021 – 12 JUNE 2021 [NEW]

As part of CYFIRMA’s continuous monitoring, we identified:

  • Additional (new) targets associated with 194 global companies and government agencies.
  • Targets spanning multiple geographies, including new ones.
  • Additional IOCs (reported in the CSV).

CAMPAIGN DETAILS

CAMPAIGN NAME: “ночная кровь” (Russian for “night blood”), suspected to have been launched on 22 May 2021.

TARGET INDUSTRIES: Manufacturing, Food & Beverages, Financials, Real Estate & Infrastructure, Rubber, Insurance, Trading Platforms, Exchange Systems, Retail, Online Stores, Electronics, Telecommunication, ICT Services, Research, Chemical & Cosmetics, Transportation & Logistics, Automobile, Healthcare, Pharmaceutical, Government.

TARGET GEOGRAPHIES: Singapore, Japan, UK, Australia, South Korea, USA, India, Thailand, Germany, Spain, Vietnam.

  • SUSPECTED HACKING GROUP: TA505 or its affiliates [Confidence Level: High].
  • MOTIVATION: The primary motive of this campaign appears to be the exfiltration of sensitive information, system, and customer information for financial gains, and demand ransom.
  • METHOD USED BY THE HACKERS: Exploit weaknesses in applications and operating systems; implant ransomware, malware, and trojans; encrypt files and folders.

ADDITIONAL INSIGHTS OF “night blood”

This campaign is operated by Russian-speaking cybercriminals as Ransomware-as-a-Service (RaaS).

12 JUNE 2021

Based on the latest analysis, the IP addresses targeted by the campaign have propagated as follows:

At the first stage, cybercriminals are suspected to have released a target asset list of 2743 unique IP addresses believed to be associated with 194 global organizations and government agencies.

Out of these, CYFIRMA observed 609 IP addresses forming a potential target list associated with multinational organizations in Japan, Singapore, Thailand, Vietnam, Korea, Australia, and India.

CYFIRMA further noticed the target asset list growing, based on its monitoring of multiple dark web forums: cybercriminals have posted 735 new IP addresses which they have identified as potential targets.

28 MAY 2021

The previous analysis identified that the IP addresses targeted by the campaign had propagated as follows:

At the first stage, cybercriminals are suspected to have released a target asset list of 712 unique IP addresses believed to be associated with 89 global organizations and government agencies.

Out of these, CYFIRMA observed 147 IP addresses forming a potential target list associated with multinational Japanese, South East Asian, Australian, and Indian organizations.

CYFIRMA further noticed the target asset list growing, based on its monitoring of multiple dark web forums: cybercriminals have posted 296 new IP addresses which they have identified as potential targets.

The ransomware operators follow a double-extortion strategy: stealing sensitive data from the organization, encrypting its files and folders, and demanding a ransom for both.

In this campaign, for the first time, cybercriminals are seen targeting the web server itself by exploiting its weaknesses and potentially using it as a launch pad for further attacks.

DETAILED ANALYSIS – ATTACK METHOD/VECTOR ASSESSMENT

Based on CYFIRMA’s assessment of the attack methods and vectors discussed by the cybercriminals, we identified that they could be planning a two-way approach to demand ransom and maximize their return on investment:

Approach 1:

  1. Infect a publicly accessible web server of an influential organization.
  2. Force unsuspecting website visitors to download a malicious plug-in that installs a ransomware toolkit.
  3. Demand ransom.

Approach 2:

  1. Infect a publicly accessible web server of an influential organization.
  2. Install malware that scans all connected systems in the network, using the weakness in the identified system.
  3. Install a ransomware toolkit.
  4. Demand ransom.

For the full report and further technical details, please write to [email protected]