CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. These span multiple industries, geographies, and technologies that could be relevant to your organization.
Type: Ransomware.
Target Technologies: MS Windows.
Target Industries: Business Services, Construction, Law, Manufacturing.
Target Geography: Canada, United States.
CYFIRMA Research and Advisory Team has found ransomware known as Rancoz while monitoring various underground forums as part of our Threat Discovery Process.
Rancoz ransomware was first identified in mid-2023 and has seen a significant increase in its distribution in recent times.
The ransomware shares some code similarities with Vice Society’s custom ransomware, but there is no concrete evidence of a direct connection with any specific group or actor.
Upon execution, Rancoz ransomware scans all local drives and attempts to encrypt relevant file types. Command-line parameters can be used for targeted encryption, while the default behavior is to encrypt all local and accessible volumes. Encrypted files carry the “.rec_rans” file extension.
When the ransomware runs, it displays a visible command window, providing updates on the encryption process and related routines, including volume enumeration and error messages.
Rancoz payloads accept the following command-line parameters:
For file encryption, Rancoz uses a combination of NTRUEncrypt (asymmetric encryption) and the ChaChaPoly cipher (symmetric encryption). The encryption process uses multiple threads, created via the CreateThread() API, that work on data blocks which are then written back to the affected files. Rancoz ransomware payloads also include lists of file extensions and folder names to exclude from encryption.
The following commands are executed when running Rancoz ransomware payloads.
This command is used to delete all Volume Shadow Copies (VSS) quietly, eliminating potential data recovery options after encryption.
This command deletes all values (/va) within the “Default” registry key for Terminal Server Client, potentially affecting user-specific RDP settings.
This command deletes the “Servers” registry key under Terminal Server Client settings, potentially impacting stored remote desktop server configurations for the user.
This command clears Windows Event Logs by iterating through the list of event logs obtained from ‘wevtutil.exe el’. The impact is the deletion of event log data, which can hinder forensic analysis and system monitoring.
Rancoz ransomware goes further by altering the desktop background of infected hosts, modifying the registry so that the attackers’ bundled “noise.bmp” is displayed.
Following the encryption process, affected files are recognizable with the “.rec_rans” extension. To instruct victims on the recovery process, a ransom note titled “HOW_TO_RECOVERY_FILES.txt” is left behind, guiding them to communicate with the attackers through the TOR-based web portal.
Screenshot of files encrypted by Rancoz Ransomware (Source: Surface Web)
Desktop wallpaper changed by Rancoz ransomware (Source: Surface Web)
Screenshot of a ransom note of Rancoz (Source: Surface Web)
While the submission location may not directly correlate with the infection location, it’s worth noting that Rancoz ransomware samples have been submitted to public file scanning services from various countries, including the United States, India, France, and Lithuania.
Researchers believe that there is a possible connection between Rancoz, Buddy ransomware, and other unidentified ransomware, suggesting a common attacker or malware developer.
Rancoz and Buddy ransomware samples share a common compilation date and time. However, Buddy ransomware uses a different file extension for encrypted files, “.buddyransome”, unlike Rancoz. Interestingly, both ransomware variants use identical ransom note names (with the same grammatical errors), which adds to the connection between them.
Furthermore, Buddy ransomware, like Rancoz, alters the desktop wallpaper, albeit with varying content. However, they both start with the same opening text in their modified wallpapers.
Ransom note of Buddy Ransomware (Source: Surface Web)
Desktop wallpaper modified by Buddy Ransomware (Source: Surface Web)
The unidentified ransomware sample drops a ransom note that closely resembles Rancoz’s. The key difference is Rancoz’s inclusion of a TOR site link, which is lacking in this unknown ransomware. Moreover, they utilize distinct contact email addresses.
This unidentified ransomware also changes the desktop wallpaper, as Rancoz and Buddy ransomware do.
Rancoz ransom note (left) and unidentified ransomware ransom note (right) (Source: Surface Web)
Desktop wallpaper modified by unidentified ransomware (Source: Surface Web)
Countries targeted by Rancoz Ransomware.
Following are the TTPs based on the MITRE ATT&CK framework.
Sr. No | Tactics | Techniques/Sub-Techniques
1 | TA0002: Execution | T1059: Command and Scripting Interpreter
  |  | T1129: Shared Modules
2 | TA0005: Defense Evasion | T1027: Obfuscated Files or Information
  |  | T1036: Masquerading
  |  | T1070.001: Indicator Removal: Clear Windows Event Logs
  |  | T1070.004: Indicator Removal: File Deletion
  |  | T1222: File and Directory Permissions Modification
  |  | T1564.003: Hide Artifacts: Hidden Window
3 | TA0007: Discovery | T1012: Query Registry
  |  | T1082: System Information Discovery
  |  | T1083: File and Directory Discovery
4 | TA0011: Command and Control | T1090: Proxy
5 | TA0040: Impact | T1486: Data Encrypted for Impact
  |  | T1490: Inhibit System Recovery
title: Shadow Copies Deletion Using Operating Systems Utilities
tags:
  - attack.defense_evasion
  - attack.impact
  - attack.t1070
  - attack.t1490
logsource:
  category: process_creation
  product: windows
detection:
  selection1_img:
    - Image|endswith:
        - '\powershell.exe'
        - '\pwsh.exe'
        - '\wmic.exe'
        - '\vssadmin.exe'
        - '\diskshadow.exe'
    - OriginalFileName:
        - 'PowerShell.EXE'
        - 'pwsh.dll'
        - 'wmic.exe'
        - 'VSSADMIN.EXE'
        - 'diskshadow.exe'
  selection1_cli:
    CommandLine|contains|all:
      - 'shadow'   # will match "delete shadows" and "shadowcopy delete" and "shadowstorage"
      - 'delete'
  selection2_img:
    - Image|endswith: '\wbadmin.exe'
    - OriginalFileName: 'WBADMIN.EXE'
  selection2_cli:
    CommandLine|contains|all:
      - 'delete'
      - 'catalog'
      - 'quiet'    # will match -quiet or /quiet
  selection3_img:
    - Image|endswith: '\vssadmin.exe'
    - OriginalFileName: 'VSSADMIN.EXE'
  selection3_cli:
    CommandLine|contains|all:
      - 'resize'
      - 'shadowstorage'
    CommandLine|contains:
      - 'unbounded'
      - '/MaxSize='
  condition: (all of selection1*) or (all of selection2*) or (all of selection3*)
fields:
  - CommandLine
  - ParentCommandLine
falsepositives:
  - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
  - LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)
level: high
(Source: Surface web)
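To show how the rule above behaves against the post-encryption commands described in the Rancoz section (shadow copy deletion and event log clearing), the following is an added Python example, not code from the report or from the Sigma project: it transcribes the rule's three selection groups and evaluates them over constructed process-creation events, and adds a separate check for the wevtutil log-clearing loop, which this rule does not cover. All event values are constructed samples.

```python
# Added example (not from the report or the Sigma project): the rule's three
# selection groups transcribed into Python and run over constructed events.
from typing import Dict, List, Optional, Tuple

# Sigma matching is case-insensitive: terms are lowercase and fields are lowercased.
SEL1_IMG = ("\\powershell.exe", "\\pwsh.exe", "\\wmic.exe", "\\vssadmin.exe", "\\diskshadow.exe")
SEL1_OFN = ("powershell.exe", "pwsh.dll", "wmic.exe", "vssadmin.exe", "diskshadow.exe")
SEL1_CLI_ALL = ("shadow", "delete")             # "delete shadows", "shadowcopy delete", ...
SEL2_CLI_ALL = ("delete", "catalog", "quiet")   # wbadmin delete catalog -quiet / /quiet
SEL3_CLI_ALL = ("resize", "shadowstorage")
SEL3_CLI_ANY = ("unbounded", "/maxsize=")

def _image_matches(ev: Dict[str, str], suffixes: Tuple[str, ...], names: Tuple[str, ...]) -> bool:
    # selectionN_img: Image|endswith OR OriginalFileName equals (list items are OR'ed)
    return ev.get("Image", "").lower().endswith(suffixes) or ev.get("OriginalFileName", "").lower() in names

def shadow_copy_deletion(ev: Dict[str, str]) -> Optional[str]:
    """Mirror the rule's condition; return the selection group that fired, or None."""
    cmd = ev.get("CommandLine", "").lower()
    has_all = lambda terms: all(t in cmd for t in terms)   # CommandLine|contains|all
    if _image_matches(ev, SEL1_IMG, SEL1_OFN) and has_all(SEL1_CLI_ALL):
        return "selection1"
    if _image_matches(ev, ("\\wbadmin.exe",), ("wbadmin.exe",)) and has_all(SEL2_CLI_ALL):
        return "selection2"
    if (_image_matches(ev, ("\\vssadmin.exe",), ("vssadmin.exe",)) and has_all(SEL3_CLI_ALL)
            and any(t in cmd for t in SEL3_CLI_ANY)):                # CommandLine|contains (any)
        return "selection3"
    return None

def event_log_clearing(ev: Dict[str, str]) -> bool:
    """Not covered by the rule above: the 'wevtutil cl <log>' loop the Rancoz write-up
    describes (T1070.001). Only the 'cl' / 'clear-log' verb is flagged, not 'el'."""
    tokens = set(ev.get("CommandLine", "").lower().split())
    return ev.get("Image", "").lower().endswith("\\wevtutil.exe") and bool(tokens & {"cl", "clear-log"})

# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},      # Rancoz VSS wipe
    {"Image": r"C:\Windows\System32\wevtutil.exe", "OriginalFileName": "wevtutil.exe",
     "CommandLine": 'wevtutil.exe cl "Security"'},                   # Rancoz log clearing
    {"Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin.exe list shadows"},                    # benign admin query
    {"Image": r"C:\Windows\System32\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"},
]

def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (index, label) for every event that trips either check."""
    hits = []
    for i, ev in enumerate(events):
        sel = shadow_copy_deletion(ev)
        if sel:
            hits.append((i, sel))
        elif event_log_clearing(ev):
            hits.append((i, "wevtutil_clear"))
    return hits
```

The benign "vssadmin list shadows" event is left unflagged, which is the behaviour the rule's false-positive notes aim for; the WMI-based deletion in the last event is caught by selection1 because the rule matches on the substrings rather than on a specific utility.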
Type: Information Stealer
Objective: Stealing Sensitive Information, Remote Access
Target Technology: Windows OS, Discord
This week “Lumma Stealer” is trending.
Researchers have uncovered a concerning security threat involving the distribution of Lumma Stealer, an information-stealing malware, through Discord, a widely used chat platform for online gamers, content creators, and streamers. The researchers observed that threat actors are exploiting Discord’s content delivery network (CDN) to host and propagate Lumma Stealer. Furthermore, they are leveraging Discord’s application programming interface (API) to develop bots that can communicate with the malware, providing remote control capabilities. These bots are also responsible for transmitting pilfered data to private Discord servers or channels.
Lumma Stealer, a recently identified malware written in the C programming language and designed to steal user credentials, has been deployed by threat actors through Discord’s content delivery network (CDN). First detected in August 2022, Lumma Stealer gained attention earlier this year when its operators targeted YouTube users through spear-phishing emails.
Currently, Lumma Stealer is available as a service in underground forums, with prices starting at US$250 per month. The basic plan permits users to view and upload logs, along with access to log analysis tools. The professional plan includes the same features and adds access to traffic analysis tools. The corporate plan, priced at four times the base cost, offers proactive defense bypass services. The most expensive plan, priced at US$20,000, provides users with access to the source code and the right to sell the info stealer.
Fig 1: Lumma Stealer service plans available in underground forums.
Lumma Stealer operators employ random Discord accounts to send direct messages to victims, and they also target connections of compromised Discord accounts. The attackers use deceptive tactics, posing as individuals seeking help for a project and offering US$10 or a Discord Nitro boost in exchange for the victims’ assistance. Discord Nitro boosts are premium features that users can buy for specific servers. The attackers leverage this enticing offer to persuade victims to play a game and provide a review, a task promised to take only four to five minutes. If the victim agrees, they are prompted to download a file, initiating the malware delivery process.
Fig 2: An example of a Discord direct message sent to would-be victims, prompting them to download and execute a file containing Lumma Stealer
Researchers observed the victim accessing the fraudulent Discord message via Google Chrome on a work computer. Upon selecting the malicious link, it triggered multiple downloads of the malicious file “4_iMagicInventory_1_2_s.exe” that contains the Lumma Stealer malware.
Fig 3: The Lumma Stealer file was downloaded multiple times when the URL sent via the Discord direct message was accessed.
Upon execution, the file establishes a connection with the malicious domain gapi-node[.]io, aiming to exfiltrate cryptocurrency wallets and browser data.
From the ETLM perspective, CYFIRMA anticipates that Lumma Stealer will continue to evolve, incorporating more sophisticated features. Its impact is not limited in scope: it can potentially compromise the security of users across various sectors who use Windows operating systems and communication platforms like Discord, and it may extend its reach further, necessitating proactive measures to counter evolving threats in the digital landscape. Organizations relying on Discord for collaboration and communication may face challenges if the platform becomes associated with security vulnerabilities. This could prompt organizations to reconsider their choice of communication platforms, affecting established workflows and collaboration processes.
Kindly refer to the IOCs Section to exercise controls on your security systems.
Void Rabisu aka UNC2596 Launched Attacks on Women Leaders Attending the WPL Summit
Summary:
In a recent development, researchers have revealed a malicious campaign conducted by the threat actor known as Void Rabisu. Void Rabisu, also known as Storm-0978, Tropical Scorpius, and UNC2596, operates as a hybrid threat actor engaging in both financially motivated and espionage-driven cyberattacks. Initially associated with Cuba ransomware, its shift towards geopolitical targets, including the Ukrainian government and military, demonstrates a broader agenda. In the recently detected campaign, the threat actor specifically targeted female political leaders and attendees of the Women Political Leaders (WPL) Summit held in Brussels in June 2023. Void Rabisu introduced an updated version of its RomCom backdoor, referred to as RomCom 4.0. The backdoor was concealed within a fake website for the WPL Summit, which advocates for gender equality in politics. Visitors to the fake website were led to a OneDrive folder containing compressed files and an executable suspected to be malware. This tactic is similar to a previous Void Rabisu campaign in June, which used major events such as the Ukrainian World Congress and the July 2023 NATO summit to deploy a zero-day exploit targeting a vulnerability in Office and Windows HTML, as reported by Microsoft. Additionally, researchers revealed a new technique employed by Void Rabisu in its recent campaigns: a TLS-enforcing mechanism on the RomCom command-and-control servers. This hinders automated detection of RomCom infrastructure, exemplifying the group’s evolving tactics.
Relevancy & Insights:
Although there is no strong evidence or footprint pointing to Void Rabisu being backed by a nation-state, the group appears to have started as a financially motivated ransomware operation and turned into a cyber-espionage group amid the sweeping geopolitical shifts caused by the war in Ukraine, which may have pulled it into espionage activity.
ETLM Assessment:
Almost a year after Void Rabisu shifted its focus from ransomware to cyberespionage, the threat actor continues to enhance its primary tool, the RomCom backdoor. The backdoor is constantly updated to bypass the security measures set up by its targets and to add other dangerous features. Void Rabisu has already targeted participants in three notable conferences: the Munich Security Conference, the Masters of Digital Conference, and the WPL Summit. It is highly likely, even expected, that Void Rabisu will extend its targeting to other conferences and special interest groups in the future. Previously, the threat actor focused on individuals in the Ukrainian region, particularly those who support Ukraine in its ongoing war with Russia. This suggests a likelihood of further attacks on summits attended by leaders from the union.
Recommendations:
Indicators of Compromise
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.
A low-level cyber war in the Middle East ensues, threat of spillover imminent
ETLM Assessment:
Israel will seek to eliminate the threat posed by the Palestinian militant group for good, but that will require extensive bombing, followed by boots-on-the-ground fighting in the Palestinian territory itself. This will cause very high collateral damage and civilian casualties in the Gaza Strip, which could draw in other adversaries, including Hezbollah, al-Qaeda or even Iran. The cyberspace part of the conflict is likely just beginning, and we are likely to see a spike in the activity of Iranian APTs attacking countries that support Israel. Russia might throw its weight behind some of the activity as well, as an intensification of the conflict suits its interests, drawing attention away from its war in Ukraine and consuming resources that could otherwise help its western neighbour.
Crypto mining operations in the US suspected as a front for Chinese espionage or a staging area for sabotage
ETLM Assessment:
The potential for spying in this case is best described as an example of the Chinese government leveraging its power over the economy to coerce Chinese companies into assisting Chinese intelligence, a topic we reported on earlier. Chinese firms have been enlisted to process data for their country’s spy agencies. By co-opting Chinese companies’ data-processing capabilities, Chinese intelligence agencies can rapidly sift through massive amounts of information to find key data points. State hackers can thus focus on gaining access to targeted networks and exfiltrating data, while part of the private sector is obligated by law to help process that data; the processed intelligence can then be passed via Chinese intelligence to the political leadership for further development and decision making. Previously, Chinese hackers mainly focused on the defense industrial base, successfully compromising the networks of contractors to the Pentagon’s U.S. Transportation Command 20 times in a single year, while many other incursions have probably never been found. Some researchers also worry that China is trying to position itself so that it could paralyze U.S. critical infrastructure should a conflict erupt between the two countries.
Quality Service and Installation (QSI) is Impacted by BlackCat Ransomware
Summary:
From the External Threat Landscape Management (ETLM) perspective, CYFIRMA observed on a dark web forum that a company from the United States of America (www[.]qsibanking[.]com) was compromised by BlackCat Ransomware. Quality Service and Installation (QSI) is a 27-year-old service and installation provider of ATMs and traditional and electrical security equipment. The compromised data remains unreleased on the leak site, suggesting the possibility of ongoing negotiations between the victim and the ransomware group. The compromised data includes details related to finance, clients, a substantial SQL database (5 TB in size), ongoing developments, personal information, and various other sensitive data. The following banks have been impacted: Wesbanco Bank, First Financial Bank, Stock Yards Bank & Trust Company, German American Bank, STATE EMPLOYEES CU OF MARYLAND, INC (SECU), First Financial Bank, National Association, Union Savings Bank, National Cooperative Bank, Civista Bank, and Mvb Bank.
The following screenshot was observed published on the dark web:
Source: Dark Web
Relevancy & Insights:
ETLM Assessment:
CYFIRMA’s continued assessment is that BlackCat Ransomware will continue to prioritize American enterprises and affiliated companies housing significant amounts of Personally Identifiable Information (PII). BlackCat Ransomware’s recent targeting of Quality Service and Installation (QSI) indicates that the financial industry is of interest to the group; therefore, US financial firms are at heightened risk of attack by BlackCat Ransomware.
Summary:
Relevancy & Insights:
Impact:
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Affected Products: http[:]//jvn[.]jp/en/jp/JVN80476432/index.html
Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.
TOP 5 AFFECTED PRODUCTS OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various products, due to a range of vulnerabilities. The following are the top 5 most affected products.
Belgian public institution websites hit by DDoS cyberattack.
Summary:
Relevancy & Insights:
Several government websites in Belgium were rendered inaccessible due to a substantial cyberattack, likely orchestrated by pro-Russian hackers, as a reaction to Belgium’s backing of Ukraine.
ETLM Assessment:
CYFIRMA assesses that pro-Russian threat actors will continue to target Belgium and other NATO countries in an effort to cause reputational damage and general disruption. As military support for the war in Ukraine continues and increasingly sophisticated hardware (e.g., F-16s, advanced missiles, and combat vehicles) is transferred, we anticipate a rise in threat actors conducting such attacks, making national institutions consistently appealing targets.
CarSwitch Data Advertised in Leak Site
Summary:
CYFIRMA Research team observed a potential data leak related to CarSwitch (www[.]carswitch[.]com). CarSwitch, founded in 2016, is an online marketplace for used cars in the U.A.E. and Saudi Arabia that handles the entire process for the seller and buyer. The breached data includes names, emails, phone numbers, payment methods, seller information, and various other sensitive details.
Source: Underground forums
Relevancy & Insights:
Cyber offenders driven by financial incentives persistently seek out vulnerable and poorly secured systems and software programs. A significant portion of these illicit actors operates within concealed online communities, where they participate in discussions concerning cybercrime and the trade of stolen digital assets. Diverging from other financially motivated collectives like ransomware or extortion groups, who often publicize their attacks, these cybercriminals prefer to maintain a discreet presence. They obtain unauthorized entry and make off with valuable information by capitalizing on unpatched systems or weaknesses in software and hardware. Subsequently, they promote the stolen data on clandestine forums, where it is either resold or repurposed by other malicious entities for their own unlawful intentions.
ETLM Assessment:
CYFIRMA assesses that United Arab Emirates companies lacking sufficient security measures and infrastructure will continue to remain vulnerable to cyber-attacks. The UAE is a key focus for financially motivated cyber criminals.
CYFIRMA Research team observed a potential data leak related to Taiba Hospital (www[.]taibahospital[.]com). Taiba Hospital, part of a network of hospitals and physician clinics in Kuwait, is known for providing a range of medical services and facilities to cater to various healthcare needs. The compromised data includes sensitive information stored in SQL format, and the overall data volume amounts to 2 gigabytes.
Source: Underground forums
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS