Hive Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/hive/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Tue, 28 Nov 2023 14:18:54 +0000

Dharma Ransomware Criminals Captured in Ukraine, Europol Reports
https://gridinsoft.com/blogs/dharma-ransomware-captured/
Tue, 28 Nov 2023 14:18:54 +0000

The post Dharma Ransomware Criminals Captured in Ukraine, Europol Reports appeared first on Gridinsoft Blog.
On November 28, 2023, Europol announced the detention of ransomware operators linked to the Dharma and Hive ransomware groups. The operation took place in four Ukrainian cities and is most likely a continuation of a similar operation from 2021.

Dharma Ransomware Actors Detained in Ukraine

In a statement on its official website, Europol reported searches of 30 properties in four Ukrainian cities: Kyiv, Cherkasy, Vinnytsia and Rivne. During the action, law enforcement detained the group's key figure and several other members. The searches also resulted in the seizure of a large amount of data related to the criminal activity.

[Image: Ukrainian Cyberpolice during the searches]

The detained persons are charged with compromising corporate networks in more than 70 countries around the globe and with cryptocurrency laundering. The hackers penetrated the networks using phishing, vulnerability exploitation and similar tactics, then used other tools to expand their presence in the environment before launching the ransomware attack. Overall, the cybercriminals encrypted over 250 servers belonging to different companies, which resulted in multi-million euro losses.

Europol has established the suspects' links to the Dharma and Hive (now defunct) ransomware groups. The investigation also shows that the hackers were involved in spreading MegaCortex and LockerGoga ransomware back in late 2019. Dharma is the most active of the named families, though it remains a minor player in the modern threat landscape.

This operation adds to the list of anti-cybercrime actions taking place in Ukraine. Back in 2021, key criminals who stood behind the Emotet malware were detained. Another operation that year led to the imprisonment of several cybercriminals related to the same Dharma gang. And even now, amid the ongoing war, local law enforcement is able to cooperate effectively with international agencies and combat cybercrime.

Europol Detains Group Members – But Why?

As usual, physically detaining cybercriminals took quite some time and required a team of investigators to perform property searches. This has apparently become a rarer practice lately, as law enforcement tends to combat cybercrime in a different way.

The “Duck Hunt” operation, performed by the FBI in summer 2023, took place exclusively in the cloud. Law enforcement managed to detect and seize the entire network of QakBot's tier 2 command servers and to delete the malware from infected devices. The same happened to the IPStorm botnet: the FBI beheaded the network of infected systems by seizing the command server and detaining its creator.

Is this practice effective? Yes, in that it disrupts the malware operation and makes it impossible for the hackers to carry on with it. At the same time, though, the hackers remain free, and nothing stops them from joining other cybercrime groups. While it decreases activity for a short period, this approach does not make much difference in the long run.

Top famous Ransomware hack groups in 2022
https://gridinsoft.com/blogs/top-famous-ransomware-groups-2022/
Wed, 28 Dec 2022 18:14:47 +0000

The post Top famous Ransomware hack groups in 2022 appeared first on Gridinsoft Blog.
Let’s have a look at the bad boys of this year. During 2022, the factions kept forming and re-forming, but one thing is sure – they continue to exist. Despite all efforts, the ransomware problem continues to grow: a recent report by security firm Zscaler recorded an 80% increase in ransomware attacks compared to last year. Major trends included double extortion, supply chain attacks, Ransomware-as-a-Service (RaaS), group rebranding, and geopolitically motivated attacks.

This year, for example, the well-known Conti ransomware group broke up, but its members simply moved on and formed new gangs. Which groups should we beware of in 2023? We will consider some of the most important players.

LockBit

LockBit has been in existence since 2019 and operates under the RaaS model. According to GuidePoint Security, it is the largest group, accounting for more than 4 out of 10 ransomware victims. The group is believed to be linked to Russia; however, its creators deny any ties and claim to be multi-national. The LockBit 3.0 update was released in June and has already spread to 41 countries, according to Intel 471. Its main targets are professional services, consulting and manufacturing, consumer and industrial goods, and real estate. LockBit also launched its own bug bounty program, offering up to $1 million for vulnerabilities found in its malware, leak sites, Tor network, or messaging service.

[Image: The mechanism of the LockBit 3.0 builder]

Black Basta

The Black Basta group first appeared this spring and, in its first two weeks, attacked at least 20 companies. The gang is thought to consist of former members of Conti and REvil. Black Basta runs its campaigns using the QakBot malware, a banking trojan used to steal victims’ financial data, including browser information, keystrokes, and credentials.

This ransomware is believed to have hit about 50 organizations in the United States over the last quarter, including the American Dental Association (ADA) and the Canadian food retailer Sobeys. More than half of the group’s targets were from the United States.

Hive

Hive, the third most active ransomware group this year, focuses on the industrial sector and on health, energy, and agriculture organizations. According to the FBI, the hackers attacked 1,300 companies worldwide, especially in the health sector, and received about $100 million in ransom. It was reported that the United States Department of Homeland Security was responsible for the attack.

[Image: Hive group’s leak page]

In recent weeks, the group claimed responsibility for the attack on India’s energy company Tata Power, posting the company’s data online, and for attacks on several colleges in the United States. Experts believe Hive cooperates with other ransomware groups and has its own customer support and sales departments. In addition, the group also engages in triple extortion.

ALPHV/BlackCat

ALPHV/BlackCat is one of the most complex and flexible ransomware families, written in the Rust programming language, and has existed for about a year. The group is believed to be composed of former REvil gang members and is associated with BlackMatter (DarkSide). It also runs a RaaS model, exploiting known vulnerabilities or unprotected credentials and then launching DDoS attacks to force the victim to pay the ransom. Additionally, BlackCat hackers publish stolen data through their own search system.

[Image: ALPHV/BlackCat ransom note]

The group’s targets include critical infrastructure, such as airports, fuel pipeline operators and refineries, as well as the United States Department of Defense. Ransom demands run into the millions; even when the victim pays, the group does not always provide the promised decryption tools.

BianLian

A relatively new player that targets organizations in Australia, North America, and the UK. The group is quickly bringing new command and control (C&C) servers online, indicating that the hackers plan to increase activity significantly.

[Image: BianLian ransom note]

Like many other ransomware programs, BianLian is written in Go, which gives it flexibility and cross-platform capability. However, according to Redacted, the group comprises relatively inexperienced cybercriminals who still have to master the practical business side of ransomware operations and the related logistics. In addition, the group’s wide range of victims indicates that it is motivated by money rather than political ideas.

Other New Groups

The world of ransomware is constantly changing, and several groups have rebranded: DarkSide is now called BlackMatter, DoppelPaymer has become Grief, and Rook has been renamed Pandora. In addition, over the past year, new groups have appeared – Mindware, Cheers, RansomHouse, and DarkAngels. We will probably hear about them next year.

How to protect yourself

Your defenses should include safeguards for each stage of a ransomware attack:

  1. Reduce the attack surface by making internal apps inaccessible to the Internet and decreasing the number of vulnerable elements.
  2. Prevent compromise by employing a cloud-native proxy architecture that inspects all traffic inline and at scale, enforcing consistent security policies.
  3. Prevent lateral movement by connecting users directly to applications rather than the network. This would reduce the attack surface and contain threats using deception and workload segregation.
  4. Prevent data loss by inspecting all Internet-bound traffic, including encrypted channels, to prevent data theft.

Researchers found a Hive ransomware master key via cryptographic vulnerability
https://gridinsoft.com/blogs/hive-ransomware-master-key/
Tue, 22 Feb 2022 21:10:06 +0000

The post Researchers found a Hive ransomware master key via cryptographic vulnerability appeared first on Gridinsoft Blog.
A group of South Korean researchers from Kunming University published a report detailing how they found the Hive ransomware master key and a method to recover files encrypted with it.

With the help of a cryptographic vulnerability, the experts were able to recover the malware’s master key, which is used to create the per-file encryption keys.

“Hive ransomware generates 10 MiB of random data and uses it as a master key. For each file to be encrypted, 1 MiB and 1 KiB of data are extracted from a specific offset of the master key and used as a keystream. The offset used at this time is stored in the encrypted file name of each file. Using the offset of the keystream stored in the filename, it is possible to extract the keystream used for encryption,” the researchers note.

Hive uses a hybrid encryption scheme and relies on its own symmetric cipher to encrypt files; the researchers were able to determine how the ransomware generates and stores the master key.

“After analysing the process of the Hive ransomware, we were convinced of the existence of vulnerabilities that arose due to the use of its own encryption algorithm. Hive ransomware encrypts files using XOR with a random keystream that is different for each file. But we found that this random flow can be predicted fairly easily,” the scientists write.

[Image: Hive ransomware master key]

Based on this premise, the experts were able to recover most of the malware’s master key, which was used as the basis for file encryption.

The technique developed by the specialists allows recovering about 95% of the master key, and even in such an incomplete form it can be used to decrypt data, recovering from 82% to 98% of the victim’s files.

“A 92% restored master key successfully decrypts approximately 72% of files, a 96% restored master key successfully decrypts approximately 82% of files, and a 98% restored master key successfully decrypts approximately 98% of files,” say the researchers.
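To make the weakness concrete, here is an added toy model of the scheme described above. It is not the researchers’ code and not Hive’s actual algorithm: it assumes a scaled-down master key of 4,096 bytes and a single keystream chunk per file taken straight from the master key at the offset the ransomware would store in the file name (Hive’s real 10 MiB key and its 1 MiB + 1 KiB chunk pair are simplified away), and it uses a constructed file header as the known plaintext. It shows the two points the quotes make: XORing a known plaintext prefix against the ciphertext leaks the keystream and hence master-key bytes, and a partially recovered master key decrypts only those files whose entire keystream range is covered, which is why a 92% key yields far fewer decryptable files than a 98% one.

```python
"""Toy model (added example, not Hive's real cipher): files are XORed with a
keystream cut from a shared master key at a per-file offset, and the offset is
stored alongside the file. Sizes are scaled down by assumption."""
import random

MASTER_LEN = 4096                 # assumption: stands in for Hive's 10 MiB master key
KNOWN_PREFIX = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"   # constructed known-plaintext header


def keystream(master: bytes, offset: int, length: int) -> bytes:
    """Keystream = master key bytes starting at `offset`, wrapping at the end."""
    return bytes(master[(offset + i) % MASTER_LEN] for i in range(length))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_file(master: bytes, offset: int, plaintext: bytes) -> bytes:
    """What the ransomware does: plaintext XOR keystream(offset)."""
    return xor(plaintext, keystream(master, offset, len(plaintext)))


def recover_master(encrypted_files, known_prefix: bytes):
    """Defender side. encrypted_files is a list of (offset, ciphertext); the
    offset is the value the ransomware leaves in the file name. Each file whose
    first bytes are predictable leaks keystream = plaintext XOR ciphertext, and
    the keystream bytes are master-key bytes at known positions."""
    recovered = [None] * MASTER_LEN
    for offset, ct in encrypted_files:
        leaked = xor(known_prefix, ct[:len(known_prefix)])
        for i, k in enumerate(leaked):
            recovered[(offset + i) % MASTER_LEN] = k
    return recovered


def coverage(recovered) -> float:
    """Fraction of master-key bytes that have been recovered."""
    return sum(b is not None for b in recovered) / len(recovered)


def try_decrypt(recovered, offset: int, ct: bytes):
    """Decrypt a file if every keystream byte it needs is known, else None."""
    out = bytearray()
    for i, c in enumerate(ct):
        k = recovered[(offset + i) % MASTER_LEN]
        if k is None:
            return None
        out.append(c ^ k)
    return bytes(out)


def simulate(n_files: int, file_len: int = 64, seed: int = 1):
    """Encrypt n_files constructed files with a random master key, then run the
    recovery. Returns (master-key coverage, fraction of files decrypted)."""
    rng = random.Random(seed)
    master = bytes(rng.getrandbits(8) for _ in range(MASTER_LEN))
    files = []
    for _ in range(n_files):
        body = bytes(rng.getrandbits(8) for _ in range(file_len - len(KNOWN_PREFIX)))
        pt = KNOWN_PREFIX + body
        off = rng.randrange(MASTER_LEN)
        files.append((off, pt, encrypt_file(master, off, pt)))
    recovered = recover_master([(o, c) for o, _, c in files], KNOWN_PREFIX)
    decrypted = sum(try_decrypt(recovered, o, c) == p for o, p, c in files)
    return coverage(recovered), decrypted / n_files


if __name__ == "__main__":
    for n in (50, 500, 2000):
        cov, ok = simulate(n)
        print(f"{n:5d} files: master key {cov:.1%} recovered, {ok:.1%} of files decryptable")
```

The more files the victim has with a guessable header, the more of the shared key the defender recovers; files still fail to decrypt as long as any byte of their keystream range is missing, which is the relationship behind the researchers’ 92%/72% and 98%/98% figures.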

It is known that specialists from at least two information security companies (Bitdefender and Kaspersky) are currently analyzing the report to find out whether it will be possible to create a free decryptor for Hive based on the findings of Korean researchers.

Initially discovered in June 2021, Hive is offered under an affiliate model and uses a wide range of tactics, techniques, and procedures (TTPs) to exfiltrate data of interest for extortion purposes.

In an alert last August, the FBI noted that Hive also stops backup, cybersecurity, and file-copying applications so that it can encrypt all targeted files. The ransomware also encrypts the Program Files directories.

As a reminder, we previously reported that decryption keys for the Maze, Egregor and Sekhmet ransomware were posted on the Bleeping Computer forum, and that the FonixCrypter ransomware ceased operations and published a key to decrypt its victims’ data.
