DEV-0970/Storm-0970 : The Threat Actors Behind Big Head and Poop69 Ransomware

EXECUTIVE SUMMARY

The CYFIRMA research team has discovered a previously unknown financially motivated Threat Actor group, which we had named ‘DEV-0970/Storm-0970’, based on old and new threat actor taxonomy. This group utilizes a ransomware builder, acquired from a Malware-as-a-Service (MaaS) operator(s), empowering the group to create and deploy multiple ransomware variants and expanding their arsenal of malicious tools. Through vigilant monitoring, valuable insights into their evolving strategies and potential impact on cybersecurity have been gained, the most noteworthy of which is the connection uncovered between Poop69 and BIGHEAD ransomware, both attributed to DEV-0970/Storm-0970. These findings shed light on the group’s methods and emphasize the imperative need for proactive cybersecurity measures to mitigate their threats. The report serves as a call to action for stakeholders to bolster their defenses against the evolving tactics employed by DEV-0970/Storm-0970.

INTRODUCTION

In May 2023, the CYFIRMA research team observed Poop69 ransomware appearing in the wild, and shortly after that, another ransomware named BIG HEAD emerged, thought to originate from the same threat actor, which has become popular recently due to its fake Windows update method. Big head ransomware exempts devices using Russian, Belarusian, Ukrainian, Kazakh, Kyrgyz, Armenian, Georgian, Tatar, and Uzbek languages from encryption, hence there is a possibility that the threat actors originate from the CIS.

An interesting correlation between the entities’ contact information emerged, which prompted the deep dive and analysis. This report focuses on the activities of a threat actor, who has been developing and deploying multiple variants of ransomware, demonstrating their ability to create and use different types of ransomware for specific targeted attacks. The following sections will provide a detailed examination of the discoveries, analysis, and suggested approaches to address the risks associated with DEV-0970/Storm-0970.

KEY FINDINGS

a. .NET Language is used in Poop69 and BIG HEAD executables.

b. Compilation timestamp of Poop69 and BIG HEAD Ransomware:

The compilation timestamp in ransomware refers to the date and time, when the ransomware’s code was compiled or built. It represents the moment when the ransomware executable or binary file was created by the attacker.

• The compilation timestamp of Poop69 is April 7, 2023.
• The compilation timestamp of BIG HEAD is April 12, 2023.

c. Entropy value of Poop69 and BIG HEAD Ransomware.

The entropy value in ransomware refers to a measure of the randomness or complexity of the data within the ransomware’s code or encrypted files. Entropy is commonly used as an indicator to analyze the level of encryption or obfuscation techniques used by ransomware.

The entropy value suggests that both samples are lightly packed, and the non-readability of most strings suggests that the sample is lightly obfuscated.

d. Contact Information for Ransomware Variants.

• Cyber Criminal Contact of Poop69 Ransomware- [email protected],
• Cyber Criminal Contact of BIG HEAD Ransomware- [email protected].

Both ransomware strains share identical contact information for the cybercriminals behind them.

e. Imports by Malware.

f. Analysis of Strings of Ransomware variants- Poop69 and BIG HEAD.

1. Below are the libraries being used by Poop69 Ransomware.

2. Libraries used by BIG HEAD Ransomware

Upon analyzing both ransomware strains, it appears they utilize identical malicious libraries.

Uses of these common malicious libraries

1. AES_Decryptor: This malicious library is likely used by ransomware to decrypt files that have been encrypted using the AES (Advanced Encryption Standard) algorithm. Ransomware typically encrypts victims’ files, making them inaccessible, until a decryption key is obtained, often through payment of a ransom. The AES_Decryptor assists in decryption, enabling the attacker to restore the victims’ files, after receiving the ransom.

2. GetTheResource: This malicious library may be employed by ransomware to retrieve critical resources or information from the compromised system. It could be responsible for collecting system information, network details, login credentials, or other data that could aid the attackers in their extortion tactics or further compromise the victim’s system. This information may be used for future attacks or sold on the dark web for profit.

3. Analysis of Strings of another ransomware used by the DEV-0970/Storm- 0970

The other ransomware is also written in .NET, and it’s one of the ransomware variants that have been created using Chaos Builder.

g. Common TTP used by Poop69 and BIG HEAD:

In the above figure, we have marked TTP for both Ransomware Variants in different colors where:

The shared TTPs between the two ransomware strains strongly suggest a common threat actor, who likely utilized a builder from Malware-as-a-Service (MaaS) operator(s).

ETLM INSIGHTS

Threat actor Profile: DEV-0970/Storm-0970 is a financially motivated group, specializing in ransomware attacks. They employ multiple variants like BIG HEAD and Poop69.

Threat Landscape: The Ransomware variants target Windows Operating systems, which are widely used by many organizations. There is a possibility of encountering password-stealing trojans and other malware infections along with the ransomware, further complicating the situation.

Victimology: As there are no publicly reported victims, they may have either paid the ransom or the attackers are attempting to sell the stolen data or exploit it for malicious purposes.

Impact: The files have been encrypted, rendering them inaccessible until a ransom is paid. Their activities pose a significant threat to organizations, potentially causing financial losses, data breaches, and operational disruptions.

DIAMOND MODEL

CONCLUSION

The rise of Ransomware-as-a-Service (RaaS) operators has facilitated the execution of complex ransomware operations by less experienced threat actors. These operators offer easy access to tools and resources, enabling individuals with limited expertise to engage in ransomware attacks. One significant advantage of RaaS is the ability to generate numerous ransomware variants, using a single builder. This approach helps perpetrators evade traditional signature-based detection methods, as each variant possesses unique characteristics. In the case of DEV-0970/Storm-0970, the absence of discussions regarding RaaS affiliate programs on underground forums suggests their reliance on a ransomware builder from MaaS operator(s) to create multiple variants. To effectively defend against such attacks, organization(s) must prioritize the proactive integration of contextual threat intelligence and heuristic-based detections. By staying one step ahead of adversaries, organizations can enhance their ability to detect and mitigate ransomware threats successfully.

RECOMMENDATIONS

Strategic Recommendations:

• Strengthen Security Awareness: Implement regular and comprehensive security awareness training programs for employees to educate them about the risks of phishing attacks and the importance of safe online practices.
• Establish Incident Response Plan: Develop and regularly update an incident response plan that outlines the steps to be taken in the event of a ransomware attack. This plan should include roles, responsibilities, communication protocols, and recovery procedures.

Management Recommendations:

• Implement Least Privilege Access: Enforce the principle of least privilege to restrict user permissions and limit access to critical systems and sensitive data. Regularly review and update user access privileges, based on job roles and responsibilities.
• Patch Management and Vulnerability Scanning: Maintain a proactive approach to patch management, ensuring that operating systems, applications, and software are up to date with the latest security patches. Conduct regular vulnerability scans to identify and remediate any weaknesses in the infrastructure.

Tactical Recommendations:

• Deploy Endpoint Protection: Implement robust endpoint protection solutions that include advanced threat detection and prevention capabilities. This will help detect and block malicious activities at the endpoint level, mitigating the risk of ransomware infections.
• Regular Backups and Offline Storage: Implement a comprehensive backup strategy that includes regular backups of critical data. Store backups offline or in an isolated network segment to prevent ransomware from encrypting backup files.
• Network Segmentation and Monitoring: Implement network segmentation to isolate critical systems and limit lateral movement in the event of a breach. Use intrusion detection and prevention systems, monitor network traffic for suspicious activities, such as unauthorized connections or data exfiltration.
• Incident Response Testing: Regularly conduct simulated incident response exercises to test the response plan’s effectiveness and identify improvement areas. These exercises will help train personnel, validate processes, and enhance the organization’s overall readiness to handle ransomware attacks.

APPENDIX

Indicators of Compromise

(Source: Surface Web)