Ransomware Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/ransomware/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Mon, 01 Apr 2024 19:29:11 +0000

UnitedHealth Hack Leaks 6 TB of User Data
https://gridinsoft.com/blogs/unitedhealth-hack-6tb-data-leak/
Mon, 01 Apr 2024 19:29:11 +0000

UnitedHealth Group, one of the largest providers of health insurance and health care services in the United States, suffered a cyberattack with a subsequent data breach. The company admitted that the personal data of millions of patients was “stolen” in the attack. This incident is already being called one of the largest in healthcare history. The total volume of data that the hackers managed to leak is estimated at 6 terabytes.

UnitedHealth Hacked, Department Leaks Huge Amounts of Data

In February 2024, UnitedHealth Group experienced a massive cyberattack that compromised the data security of Change Healthcare. This division of the corporation processes medical claims and payments. As a result, systems responsible for processing prescriptions, medical claims and electronic payments were affected. This caused major problems for healthcare providers, pharmacies and payment systems across the country.

[Image: UnitedHealth statement published on the company’s website]

UnitedHealth Group responded quickly to the incident. They announced their intention to work with law enforcement to investigate the attack and strengthen security measures to protect patient data. The company also began notifying affected customers and offered them free credit history monitoring and fraud protection services as a compensation.

On Wednesday, UnitedHealth Group announced that it has made significant progress in restoring various core systems that were hit in the attack. The attack in particular caused an outage during the company’s response and impacted more than 100 Change Healthcare IT products and services.

Government Response

The size of UnitedHealth and its importance to the national healthcare industry could not leave the government silent. The U.S. Department of Health and Human Services has opened an investigation into the incident for a possible violation of the Health Insurance Portability and Accountability Act (HIPAA). The investigation aims to determine whether a breach of patient protection occurred, and whether the relevant legal requirements for confidentiality of information were met.

[Image: U.S. Department of State announces a reward]


BlackCat/ALPHV Claims Responsibility

The ALPHV/BlackCat ransomware gang claimed responsibility for this attack earlier this year. The hackers announced that they were able to exfiltrate 6 terabytes of “highly selective data” regarding Change Healthcare customers. This information covers a wide range of data, including records related to Tricare, Medicare, CVS Caremark, MetLife and other large companies, which highlights the potential scale of the damage.

[Image: ALPHV/BlackCat reveals details of the attack on UnitedHealth]

According to their story, UnitedHealth Group paid a $22 million ransom for a decryption key and a promise not to distribute the stolen data. This is a forced measure: the company pays huge sums to regain access to its own data and to prevent further dissemination of the stolen information. However, questions remain open as to whether BlackCat actually received the full ransom amount as claimed, and what assurances there are that the data will not be distributed or used in the future.

At the end of 2023, BlackCat’s infrastructure was seized in a coordinated law enforcement action. This severely disrupted the group’s operations for a period. Though, as you can see, BlackCat continued to operate in defiance of law enforcement efforts. The disruption definitely slowed them down, but did not stop the operation entirely.

What did stop them, though, was an exit scam that the group admins pulled in early March 2024. The hackers defrauded their partners, quitting the business with all the money of their affiliates. The said UnitedHealth subdivision appears to be one of their last targets – at least under this name. I expect them to resurface in this form or another.

BianLian Exploits TeamCity Vulnerability to Deploy Backdoors
https://gridinsoft.com/blogs/bianlian-exploits-teamcity-vulnerability/
Tue, 12 Mar 2024 10:11:02 +0000

BianLian, a group of cybercriminals known for their ransomware attacks, recently caught the attention of the information security community. By exploiting vulnerabilities in the JetBrains TeamCity platform, they managed to carry out multistage cyberattacks. Threat actors reportedly start their attack chain with a Golang-based backdoor, and work their way all the way to the ransomware payload.

BianLian Exploits TeamCity vulnerabilities

Recent research uncovered a new trend in BianLian’s modus operandi. They revealed that threat actors behind the ransomware have been observed exploiting security flaws in JetBrains TeamCity software to conduct their attacks. Leveraging known vulnerabilities such as CVE-2024-27198 or CVE-2023-42793, attackers gained initial access to the environment, paving the way for further infiltration. By creating new users and executing malicious commands within the TeamCity infrastructure, threat actors orchestrated post-exploitation maneuvers and lateral movement, expanding their foothold in the victim’s network.

This is not the first case of TeamCity vulnerability exploitation. Consider reading our previous report on the CozyBear threat actor using a different set of security flaws in this software.

Backdoor Deployment via PowerShell

The original report from GuidePoint Security says that despite initial success, BianLian fell back to a PowerShell version of their backdoor after Microsoft Defender unexpectedly detected the original one. Before switching to the PS backdoor, the hackers nonetheless managed to deploy network reconnaissance tools and use them.

The PowerShell backdoor version, obfuscated to hinder analysis, exhibited a multi-layered encryption scheme. Still, it was possible to understand what was going on and analyze the adversaries’ actions. The malware established a tunnel connection to the command server and waited, ready for further actions. While using PS in cyberattacks is nothing unusual, an entire backdoor written in PowerShell that also incorporates heavy obfuscation is a new tactic.

Functionality and Capabilities of Backdoor

The PowerShell backdoor described above mainly aims at facilitating covert access and control over compromised systems. Research summary reveals several features of this malware to be aware of.

The backdoor incorporates functionality to resolve IP addresses based on provided parameters, establishing TCP sockets for communication with remote command-and-control (C2) servers. Also, this enables bidirectional data exchange between the compromised system and the attacker-controlled infrastructure. Here is the code recovered by analysts:

#Function to Resolve IP address
function cakest{
    param($Cakes_Param_1)
    # Return the argument unchanged if it already parses as an IP address
    IF ($Cakes_Param_1 -as [ipaddress]){
        return $Cakes_Param_1
    }else{
        # Otherwise resolve the host name and take the first returned address
        $Cakes_Resolved_IP = [System.Net.Dns]::GetHostAddresses($Cakes_Param_1)[0].IPAddressToString;
    }
    return $Cakes_Resolved_IP
}

Leveraging asynchronous execution techniques, the backdoor optimizes performance and evades detection by utilizing Runspace Pools. This allows multiple PowerShell instances to run concurrently, enhancing operational efficiency during post-exploitation activities.

Also, to ensure secure communication, the backdoor establishes SSL streams between the compromised system and C2 servers, encrypting the data exchanged over the network. By employing encryption, the threat actors reduce the risk of interception and detection by network monitoring tools. Overall, the C2 communication relies on this code:

function cookies{
    param (
        #Default IP in parameter = 127.0.0.1 (0x7F000001 in hexadecimal)
        [String]$Cookies_Param1 = "0x7F000001",
        [Int]$Cookies_Param2 = 1080,
        [Switch]$Cookies_Param3 = $false,
        [String]$Cookies_Param4 = "",
        [Int]$Cookies_Params = 200,
        [Int]$Cookies_Param6 = 0
    )
    # The rest of the function body is not reproduced in the report
}

Mimicking tactics observed in advanced malware, the backdoor validates SSL certificates presented by C2 servers, verifying the authenticity of remote endpoints. This authentication mechanism enhances the resilience of the communication channel against potential interception or infiltration attempts.
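As an added defensive illustration (this is example code written for this page, not code from the GuidePoint report or from the malware), the Python snippet below triages PowerShell script block text, such as the ScriptBlockText field of Script Block Logging events, for the combination of traits described above: DNS resolution feeding a raw TCP socket, an SslStream with a certificate validation callback, RunspacePool concurrency, and cheap obfuscation tell-tales. The indicator regexes, the scoring rule and the two sample script blocks are constructed assumptions for this example, not signatures from the report.

```python
import re

# Capability indicators drawn from the report's description of the backdoor.
# The regexes are this example's assumption about how those .NET calls appear
# in script block text; they are not signatures from the original analysis.
INDICATORS = {
    "dns_resolve":   re.compile(r"\[System\.Net\.Dns\]::GetHostAddresses", re.I),
    "tcp_socket":    re.compile(r"System\.Net\.Sockets\.(?:TcpClient|Socket)\b", re.I),
    "ssl_stream":    re.compile(r"System\.Net\.Security\.SslStream", re.I),
    "cert_callback": re.compile(r"RemoteCertificateValidationCallback", re.I),
    "runspace_pool": re.compile(r"RunspaceFactory\]::CreateRunspacePool", re.I),
}

# Cheap obfuscation tell-tales: backtick-split identifiers, [char] casts,
# -join of fragments and base64 decoding.
OBFUSCATION = [
    re.compile(r"`[A-Za-z]"),
    re.compile(r"\[char\]\s*\d+", re.I),
    re.compile(r"-join\b", re.I),
    re.compile(r"FromBase64String", re.I),
]

NETWORK = {"dns_resolve", "tcp_socket", "ssl_stream"}


def triage_script_block(script: str) -> dict:
    """Return the indicators found, an obfuscation token count and a verdict."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(script))
    obf = sum(len(rx.findall(script)) for rx in OBFUSCATION)
    # Flag only the combination: the script builds its own raw network channel
    # (at least two network indicators) AND either runs concurrent runspaces
    # or shows several obfuscation tokens. Single hits are normal admin scripting.
    suspicious = len(NETWORK & set(hits)) >= 2 and ("runspace_pool" in hits or obf >= 3)
    return {"indicators": hits, "obfuscation_tokens": obf, "suspicious": suspicious}


def triage_events(events) -> list:
    """events: iterable of dicts with 'id' and 'script' (e.g. parsed Event ID 4104
    records). Returns the ids of events whose script block is flagged."""
    return [e["id"] for e in events if triage_script_block(e["script"])["suspicious"]]


# Constructed sample script blocks (not taken from the report).
BENIGN = r"""
$ip = [System.Net.Dns]::GetHostAddresses('fileserver.corp.example')[0].IPAddressToString
Test-NetConnection -ComputerName $ip -Port 445
"""

SUSPECT = r"""
$a = [System.Net.Dns]::GetHostAddresses($h)[0].IPAddressToString
$t = New-Object System.Net.Sockets.TcpClient($a, 443)
$s = New-Object System.Net.Security.SslStream($t.GetStream(), $false, $cb)
$p = [RunspaceFactory]::CreateRunspacePool(1, 8)
$n = ([char]99 + [char]97 + [char]107 + [char]101) -join ''
"""

if __name__ == "__main__":
    for label, block in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, triage_script_block(block))
    print("flagged events:", triage_events([{"id": 1, "script": BENIGN},
                                            {"id": 2, "script": SUSPECT}]))
```

Any one of these API references is common in legitimate administration scripts, so the verdict fires only on the combination; that is why the benign sample, which resolves a host name and tests a port, is not flagged. In practice the input would come from Script Block Logging (Event ID 4104) and rules of this kind belong in the EDR or SIEM rather than in a standalone script.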

How to stay safe?

The BianLian threat group continues to evolve, and in light of their recent attacks, it is important to take appropriate security measures. Fortunately, they are more or less the same even for protecting against high-profile cybercrime groups.

  • First and foremost, it is recommended to regularly update and patch externally facing applications. This helps mitigate known vulnerabilities that threat actors may exploit to infiltrate your systems.
  • Ensure your team is well-versed in incident response procedures. Every member of your team should have a thorough understanding of how to respond effectively to security incidents. Regular drills should be conducted to refine response strategies and minimize the impact of potential security breaches.
  • Conduct penetration tests informed by threat intelligence to proactively identify and address weaknesses in your defenses. Penetration tests involve simulated attacks on your systems to uncover vulnerabilities that could be exploited by malicious actors. By using threat intelligence to inform these tests, you can focus on the most impactful threats facing your organization.
  • Additionally, use advanced security solutions. EDR and XDR are a must when we talk about corporate-grade cybersecurity. They can cover large networks of computers, orchestrating the response and detecting even sophisticated attacks like the one I’ve described above.

ALPHV Ransomware Shut Down, Exit Scam Supposed
https://gridinsoft.com/blogs/alphv-ransomware-shutdown-scam/
Tue, 05 Mar 2024 17:55:42 +0000

On March 5, 2024, ALPHV/BlackCat ransomware claimed its shutdown, “due to the FBI takeover”. Although law enforcement action against this gang really did happen before, there are quite a few signs that this claim is false. Analysts suppose that the ALPHV admins are just trying to pull an exit scam.

ALPHV/BlackCat Ransomware Shuts Down

The story of the ALPHV self-shutdown in fact unfolds with the gang’s leak blog going offline. While this is not a rare occurrence for Darknet pages, the rumors that the group admins scammed their affiliates out of $20 million are a highly unpleasant stain on the group’s image.

[Image: RAMP forum post about the BlackCat scam]

On Monday, March 4, 2024, the gang’s negotiation sites went offline as well, meaning this is not just a coincidence. Lastly, all the pages associated with the cybercrime group were defaced with the FBI banner. Though, the latter appears to be just a saved copy of the banner from their real takedown, now served from a Python web server.

[Image: FBI banner on the ALPHV site]

And well, why can’t this be a real FBI takedown? Especially considering that the feds already did it earlier – which ended up in a rather laughable manner. It is not unusual for law enforcement to pay another visit, especially when we talk about a renowned group of thugs like ALPHV. But researchers say that the NCA, one of the key anti-cybercrime authorities in Europe, denies responsibility for the recent events around BlackCat.

Two other signs potentially indicate that ALPHV is going out of business. Their admin offers the ransomware source code for sale for a hefty $5 million, and the group’s Tox chat has had its status changed to “GG”. Neither of them necessarily means a shutdown, but this is rather unusual behavior for this ransomware gang. It looks especially fishy considering the feeble excuses coming from their administrators.

Is it the end of BlackCat?

Yes, BlackCat is most likely done at this point. Regardless of whose story is true, a comeback will be rather hard to explain. Though, the FBI story is the least likely to be true, meaning that the threat actors are not detained. That eventually gives ALPHV the chance to return, just in a different form.

It is a pretty common thing for ransomware gangs to morph into a different group after the dissolution of the original one. Either we will see this large group break up into a selection of smaller ones, or its rebirth under a different name with a carbon-copied essence. This, or the members will find themselves in a different ransomware group – experienced employees are of high value in the cybercrime world, too.

What is ALPHV/BlackCat?

BlackCat, a.k.a. ALPHV, is a ransomware group that appeared back in 2021. It primarily targets corporations, encrypting and stealing data from both Linux and Windows systems. Vast networks of affiliates, along with a rather daring selection of targets, quickly propelled this ransomware to the top of the charts.

Targeting large companies and asking for large sums of money inevitably made ALPHV a wanted target for law enforcement. Back in December 2023, a significant portion of its Darknet sites suffered an attack from the FBI, which the gang nonetheless reverted. Since then, the cybercrime group did not show any sign of problems – until these days.

LockBit is Back With New Claims and Victims
https://gridinsoft.com/blogs/lockbit-is-back/
Sun, 25 Feb 2024 10:02:17 +0000

The story around the LockBit ransomware takedown on February 19 continues to unfold. After almost a week of downtime and silence, the infamous gang is back online on a new Onion domain, boasting new hacks. To top it all off, the infamous LockBitSupp released a lengthy statement about what happened and what’s next.

LockBit Ransomware is Back After Law Enforcement Takedown

Following the rough takedown of all the Darknet sites that belong to LockBit ransomware, the gang representatives were mostly silent until February 24, 2024. At around 21:00 GMT, the chief of the cybercrime gang released a long PGP signed message with the explanation from the hackers’ point of view. In it, they describe the supposed way they were hacked and the future of LockBit. Spoiler – not a lot will change, except for LockBitSupp promises to be less lazy.

[Image: PGP signed message that LockBitSupp published on February 24]

As the way law enforcement agencies managed to access the servers, a PHP vulnerability is named. CVE-2023-3824, discovered back in August 2023, allows remote code execution and received a CVSS rating of 9.8/10. Well-deserved, considering how popular PHP is; LockBitSupp even supposes that other threat actors who were hacked recently suffered from this exact vulnerability.

Also, the hacker supposes that the FBI could have access to the network for quite some time. The reason why law enforcement decided to pull the trigger is the publication of data leaked from Fulton County court, specifically documents regarding Donald Trump’s court cases.

“Had it not been for the election situation, the FBI would have continued to sit on my server waiting for any leads to arrest me and my associates, but all you need to do to not get caught is just quality cryptocurrency laundering. The FBI can sit on your resources and also collect information useful for the FBI, but do not show the whole world that you are hacked…

Why did it take 4 days to recover? Because I had to edit the source code for the latest version of PHP, as there was incompatibility.”
LockBitSupp

LockBit Takedown Aftermath

So, what do we see almost a week past the takedown of LockBit? Law enforcement agencies dealt quite some damage to both the group’s image and its hardware. The amount of leaked information, including decryption keys and data stolen from companies’ networks, seriously cuts the profits of the ransomware gang. And considering the detainments in Poland and Ukraine, the leaks were not only about operational information – personal data of malware operators was also exposed to some extent.

However, this was barely enough to force the LockBit gang to stop. Sure, they are now starting from scratch, with only a few listings present on the reborn of their leak page. But they will carry on, taking the past mistakes into account. The individuals captured in Eastern Europe are unlikely to be affiliates – more probably just server administrators or money mules. LockBit’s story keeps rolling, and I’m pretty sure they have a couple of aces up their sleeves.

MrB Ransomware (.mrB Files) – Analysis & File Decryption
https://gridinsoft.com/blogs/mrb-ransomware/
Wed, 21 Feb 2024 23:10:26 +0000

MrB ransomware is a new Dharma ransomware sample, discovered on February 21, 2024. It is distinctive for applying a complex extension to the encrypted files that ends up with “.mrB”. This ransomware primarily attacks small corporations and asks the ransom only for decrypting the files, i.e. it does not practice double extortion. Jakub Kroustek was the first to discover and report this ransomware sample.

What is mrB Ransomware?

As I’ve described in the introduction, mrB is a sample of Dharma ransomware, a malware family active since 2016. It is known for adding a long extension to every file it encrypts; the extension consists of the victim ID, the contact email and the family extension itself. In the end, the encrypted file name looks like this:

Media1.mp3 → Media1.mp3.id-C3B22A85.[mirror-broken@tuta[.]io].mrB

[Image: Files encrypted by mrB ransomware]

MrB ransomware encrypts a wide range of file formats, from images and documents to files of some specific software suites. After finishing the encryption, it opens a pop-up ransom note in the form of an HTA file, and also spawns a readme text file. The latter appears in every folder that contains encrypted files. Below, you can see the contents of both ransom notes.

[Image: MrB ransomware HTA note]

Contents of the readme text file:

Your data has been stolen and encrypted!

email us

mirror-broken@tuta[.]io

How to Recover Encrypted Files?

Unfortunately, there are no recovery options available for mrB ransomware. Imperfections in early Dharma samples were used to make a decryptor, but those flaws have since been fixed, and it is not effective nowadays. Options you can find online, like “professional hackers” or file recovery services, will at best act as a medium between you and the hackers. At worst, they will take your money and disappear.

The most effective option for file recovery is a decryptor tool dedicated to the specific ransomware family. Those are usually released when a vulnerability in the encryption mechanism is found, or when ransomware servers are seized. It may sound unlikely to happen, but there were 4 such decryptors released in the first months of 2024. Be patient, do not lose hope – and you will get the files back.

File recovery options

For now, your best option for mrB ransomware file recovery is to look for possible backups. Social networks and email messages may act as such – we usually overlook them for this purpose. Places like removable drives, a NAS, or even your smartphone, where you could have accidentally copied the files, may keep unencrypted copies. Even an older version of the file is better than nothing.

How to Remove mrB Ransomware?

One more important thing that you should do before getting to any file recovery operations is ransomware removal. Viruses like mrB ransomware do not cease to exist once the encryption is over. They keep idling in the background, waiting for new unencrypted files to appear. Therefore, it is essential to get rid of the infection before you take any further action.

For ransomware removal, I’d recommend GridinSoft Anti-Malware. Effective and easy-to-use, this program will easily repel this malware and fix all the damage it dealt to the system. Just run a Full scan, wait until it finishes, and remove all the detected things. Further, with its proactive protection, you will never get infected with ransomware again.

LockBit Ransomware Taken Down by NCA
https://gridinsoft.com/blogs/lockbit-ransomware-taken-down/
Mon, 19 Feb 2024 22:07:28 +0000

On February 19, 2024, LockBit ransomware was taken down by the UK National Crime Agency in cooperation with a selection of other law enforcement agencies. The banner typical for such takedowns now adorns all the web assets of LockBit ransomware. There is quite a hope for the possible release of decryption keys and even a decryptor tool.

LockBit Taken Down by NCA

On February 19, 2024, analysts noticed that the LockBit leak site on the Darknet went offline. Some time after, a banner announcing the takedown appeared. On that banner, the UK National Crime Agency claims that this is the result of a successful multinational law enforcement cooperation, called Operation Cronos. The text also contains an offer to visit the page the next day – on February 20 – to get more information.

[Image: NCA takedown banner on the LockBit site]

This is not the first time a high-end ransomware group has had its network assets taken over by law enforcement. A couple of months ago, a similar story happened to ALPHV/BlackCat, another infamous ransomware group. In their case, however, not all Onion websites went down, and they managed to get access back. That in fact turned into a comic story, where access to the site was more like a reversed game of hot potato.

Nonetheless, the current takedown appears to be as serious as it can be. All the mirrors of their main Darknet site now show the said banner. Well, it is possible for any miraculous thing to happen, but in my humble opinion, their onion infrastructure is done. Either this, or the NCA will be quite ashamed for announcing the disclosure of details at 11:30 GMT and failing to fulfill the promise.

International Law Enforcement Blocks LockBit Infrastructure

Shortly after the original news release, info from LockBit affiliates arrived. The VX-Underground team shared unique info and a screenshot taken by one of the gang members upon an attempt to log into the system.

[Image: Affiliate screenshot of the login page]

The text states the following:

Hello [removed]

Law Enforcement has taken control of Lockbit’s platform and obtained all the information held on there. This information relates to the Lockbit group and you, their affiliate. We have source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats, and much, much more. You can thank Lockbitsupp and their flawed infrastructure for this situation… we may be in touch with you very soon.
If you would like to contact us directly, please get in touch: [removed]

In the meantime, we would encourage you to visit the Lockbit leaksite.
Have a nice day.
Regards,
The National Crime Agency of the UK, the FBI, Europol, and the Operation Cronos Law Enforcement

Another piece of info comes from the gang’s Tox chat. In a short message, they say that the PHP servers were taken over, while the non-PHP reserve servers are OK. Considering the use of obscene language, untypical for LockBit representatives, the situation is rather tense, to say the least.

[Image: Tox note shared by VX-Underground]

LockBit Decryptor Coming Soon?

What is more exciting than the info that will be published tomorrow is what will follow. The takedown presumably includes the leak of decryption keys along with their proprietary decryptor tool. Maybe not all of them are available that easily, but access to such a large chunk of internal info is definitely the key to exposing it all.

The leak and the availability of the decryptor are simply miraculous for the victims. Sure enough, this will not delete the data the fraudsters have stolen from the network. But getting all the files back at no cost is much more important. And since it will work even for victims that missed the payment deadline, the question arises once again – why would you pay the ransom? It may be a much more reasonable option to just wait, and it looks like more and more ransomware victims stick to that opinion.

UPD 20.02 – LockBit Darknet Site Filled With Leaks and Announcements

At the designated time of 11:30 GMT on February 20, all of LockBit’s sites that were taken over started redirecting to what used to be their leak page. Now, it is filled with the information gathered by law enforcement agencies. In particular, the information about the backend structure of the cybercrime network was revealed, with screenshots of the seized servers.

[Image: LockBit site filled with law enforcement leaks]

Aside from that, law enforcement added a tempting teaser – the info about the admin of the group, known as LockBitSupp. “The $10m question” will be answered on February 23, 2024. Some of the lower-ranked staff have already been arrested in Poland and Ukraine. Well, LockBitSupp did not lie in saying their group is multinational.

[Image: LockBit decryptor tools announcement]

What is even better news is the confirmation of decryption keys release, as I’ve predicted in the original text. The keys, along with recovery tools, will be available to any victim upon contacting NCA for UK residents, IC3 for US and NoMoreRansom project for others.

What is LockBit Ransomware?

LockBit is one of the most successful ransomware groups that are currently active on the ransomware market. Its efficient software and meticulous attack planning rendered them dominant over the last few years. Their ransom sums are large, attacks are rapid and methods are as unprincipled as you can ever imagine. To be brief – nothing short of leaders in the cybercrime industry.

[Image: LockBit ransom note; the note may appear as the desktop wallpaper of the attacked system]

It was obvious that LockBit would eventually become a target for law enforcement, sooner or later. They were attacked before, but in a milder form, which led to temporary downtime or an urgent shift to different software. Still, they recognized their mistakes and opened entire bug bounty programs (!!) for people who could find issues in their software. This, along with continuous modernization of their software and updates to the online infrastructure, is what gave LockBit the image of the unbreakable. And that is why the takedown set the community abuzz.

SYSDF Ransomware (.SYSDF Files) – Malware Analysis & Removal
https://gridinsoft.com/blogs/sysdf-ransomware/
Sat, 17 Feb 2024 09:15:18 +0000
SYSDF is a ransomware-type program that belongs to the Dharma malware family. Such malicious software aims mainly at small companies, encrypting their files and then demanding a ransom payment for decryption. It was originally discovered by Jakub Kroustek on February 16, 2024.

What is SYSDF Ransomware?

SYSDF ransomware is yet another example of Dharma ransomware, a malware family active since 2016. First detected on February 16, it appends its unique SYSDF extension to the files, along with a complex mask carrying the attack information. The latter includes the victim ID and the contact email on which the victim is supposed to reach the hackers. Following the encryption, the files look like this:

Image1.png → Image1.png.id-C3B22A85.[Dec24hepl@aol.com].SYSDF

Upon finishing the encryption, the malware creates its specific README!.txt file in each folder that contains encrypted files, and also on the desktop. Additionally, the malware spawns and opens a file named info.hta, which acts as a notification for the victim. Below, you can see the messages from both ransom notes.
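The name mask and ransom note names above are enough for a first-pass triage script. The following is an added example, not code from the post: it parses the Dharma mask into its fields and walks a directory to count encrypted files, collect victim IDs and contact addresses, and locate the two ransom notes; the sample tree it builds is constructed from the file name quoted above.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# Dharma-style name mask described above: <original>.id-<8 hex>.[<email>].<EXT>
# The extension group is left general so other Dharma variants would match too.
DHARMA_MASK = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)
# Ransom note names the post mentions
RANSOM_NOTES = {"README!.txt", "info.hta"}


def parse_dharma_name(name: str) -> Optional[dict]:
    """Split an encrypted file name into its mask fields; None if it does not match."""
    m = DHARMA_MASK.match(name)
    return m.groupdict() if m else None


def triage_tree(root: Path) -> dict:
    """Walk a directory tree and summarise SYSDF/Dharma artefacts for incident triage."""
    summary = {"encrypted": 0, "victim_ids": set(), "emails": set(),
               "extensions": set(), "notes": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name in RANSOM_NOTES:
            summary["notes"].append(str(path.relative_to(root)))
            continue
        fields = parse_dharma_name(path.name)
        if fields:
            summary["encrypted"] += 1
            summary["victim_ids"].add(fields["victim_id"].upper())
            summary["emails"].add(fields["email"])
            summary["extensions"].add(fields["ext"])
    return summary


def run_sample() -> dict:
    """Constructed sample tree: the file name quoted in the post, both ransom notes,
    and one untouched file that must not be counted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Pictures").mkdir()
        (root / "Pictures" / "Image1.png.id-C3B22A85.[Dec24hepl@aol.com].SYSDF").write_bytes(b"\x00")
        (root / "Pictures" / "README!.txt").write_text("Your data has been stolen and encrypted!")
        (root / "info.hta").write_text("<html></html>")
        (root / "Image1.png").write_bytes(b"\x89PNG")
        return triage_tree(root)


if __name__ == "__main__":
    print(run_sample())
```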

Sysdf ransomware note

Text in the README!.txt ransom note:

Your data has been stolen and encrypted!

email us

Dec24hepl@aol.com or Dec24hepl@cyberfear.com

How to Recover .SYSDF Files?

Unfortunately, there are no options for Dharma ransomware decryption available at the moment. The majority of file recovery services from “certified hackers” you can find online will in fact only arrange negotiations with the cybercriminals. Paying them is not a great idea, as it motivates them to continue the attacks. Losing the files is unpleasant, that is for sure, but as statistics show, there are quite a few opportunities to get them back.

File recovery options

Try searching for backups or file duplicates stored away from the affected system or network. Even a past version of the file is better than nothing at all. Aside from backups, there is real hope in ransomware decryptors, which exploit vulnerabilities in the encryption mechanism and allow you to get the files back for free. In January and February 2024, 4 decryptors for different ransomware families were published. Patience is key here, and considering the latest trends, this is becoming a more and more viable option.

How to Remove Ransomware?

But before you do any file recovery operations, it is important to remove the malware first. It did not disappear after finishing the encryption: SYSDF is still active, looking for new files to encrypt. And be sure, it will do so as soon as a fresh unencrypted file lands on the disk.

For ransomware removal, I’d recommend GridinSoft Anti-Malware. Its advanced detection techniques along with live database updates allow it to detect even the most recent malware samples. Run a Full scan, wait until it is over, remove the detected items, and your system will be ready for any further actions, free of malware.

White Phoenix Decryptor by CyberArk Updated With Web Interface
https://gridinsoft.com/blogs/white-phoenix-decryptor-updated/
Thu, 01 Feb 2024 09:55:41 +0000
CyberArk has released an online version of a file decryptor. This is a simplified, web version of the “White Phoenix” decryptor, initially available from the source code placed on GitHub.

White Phoenix Decryptor by CyberArk Goes Online

CyberArk, a public information security company that previously developed the White Phoenix decryptor, has recently published a simplified web version. The older one, available on GitHub in the form of source code, was somewhat cumbersome to use. The web version does not require installation or additional actions on the victim’s part. Instead, it lets you decrypt a file in two clicks by loading it into a browser window.

The web version appears to be a rather convenient solution, as all you need to do to decrypt a file is to upload it to the site and click “recover”. On the other hand, the service has some limitations, including a 10 MB file size limit and the ability to download only one file at a time. In addition, when recovering confidential information, experts recommend using the standalone version for security reasons.

getmyfileback.com screenshot
All you need to decrypt the file is to upload it and press “Recover file.”

What is White Phoenix?

White Phoenix is an open-source ransomware decryptor created by CyberArk. It targets ransomware operations that use intermittent encryption. The tool can analyze the encrypted files and try to recover the original data using various algorithms and techniques.

As the devs say, this decryptor can restore up to 50% of the file content, depending on the type and size of the file and the encryption method used by the ransomware. White Phoenix supports various file types, such as PDF, Word, Excel, ZIP, and PowerPoint. It can also handle virtual machines (VMs) and disk images, which are often targeted by ransomware. The standalone version of White Phoenix is a Python project on GitHub that users can download and run on their machines.

White Phoenix on GitHub screenshot
White Phoenix classic for advanced users on GitHub

As for the decryptable ransomware strains, the authors name BlackCat/ALPHV, Play, Qilin/Agenda, BianLian, and DarkBit. As I’ve mentioned above, the key point here is the use of intermittent encryption. Such an approach allows attackers to drastically speed up the encryption operation without weakening the cipher itself, but it leaves parts of each file untouched. White Phoenix concatenates the unencrypted parts and reverses hex encoding and CMAP scrambling. However, depending on the file type and ransomware, the decryptor may not work well: certain file strings must remain readable for the decryptor to work correctly. Even if White Phoenix cannot help restore entire systems, it can still help retrieve some data from valuable files.
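To make the "concatenate the unencrypted parts" idea concrete, here is an added example that is not White Phoenix's own code. It models intermittent encryption on constructed text by replacing every other fixed-size chunk with random bytes (standing in for ciphertext), then carves the surviving chunks back out by byte entropy; the chunk size, alternating schedule and entropy threshold are assumptions, and real strains and White Phoenix itself rely on file-format knowledge rather than entropy alone.

```python
import math
import random

CHUNK = 256  # assumed chunk size; real strains use their own schedules


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a buffer: roughly 4-5 for text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def simulate_intermittent_encryption(plaintext: bytes, chunk: int = CHUNK, seed: int = 7) -> bytes:
    """Model of intermittent encryption: even-numbered chunks are replaced by
    seeded random bytes (a stand-in for ciphertext), odd ones are left untouched."""
    rng = random.Random(seed)
    out = bytearray()
    for i in range(0, len(plaintext), chunk):
        block = plaintext[i:i + chunk]
        if (i // chunk) % 2 == 0:
            out += bytes(rng.getrandbits(8) for _ in block)
        else:
            out += block
    return bytes(out)


def carve_readable_chunks(data: bytes, chunk: int = CHUNK, threshold: float = 6.0):
    """Keep chunks whose entropy looks like plaintext and concatenate them.
    Returns (recovered_bytes, offsets_of_kept_chunks)."""
    recovered = bytearray()
    kept = []
    for i in range(0, len(data), chunk):
        block = data[i:i + chunk]
        if shannon_entropy(block) < threshold:
            recovered += block
            kept.append(i)
    return bytes(recovered), kept


def recovered_fraction(plaintext: bytes, chunk: int = CHUNK) -> float:
    """End-to-end run: what share of the original survives the carving step."""
    damaged = simulate_intermittent_encryption(plaintext, chunk)
    recovered, _ = carve_readable_chunks(damaged, chunk)
    return len(recovered) / len(plaintext)


# Constructed sample document (2130 bytes of ordinary text)
SAMPLE_TEXT = b"Quarterly report: revenue, expenses and headcount per regional office. " * 30

if __name__ == "__main__":
    damaged = simulate_intermittent_encryption(SAMPLE_TEXT)
    recovered, offsets = carve_readable_chunks(damaged)
    print(f"kept chunks at {offsets}: {len(recovered)}/{len(SAMPLE_TEXT)} bytes recovered")
```

Carved text comes back with gaps where the encrypted chunks were, which is why the decryptor's authors quote a partial recovery rate rather than a full restore.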

January 2024 is Rich on Decryptors

The updated CyberArk decryptor adds one more case to a pretty interesting trend. At the beginning of January 2024, decryptors for Tortilla and Black Basta ransomware were released. Even though White Phoenix is not a new release but rather a new feature, it adds to the number of victims who can ease their file recovery procedure. Popularity means a lot for software developers, so making a decryptor more accessible means, among other things, more possibilities for further development.

Safety Tips

While the number of decryptors for different ransomware types keeps rising every month, the vast majority of victims remain outside their coverage. For that reason, the best option here is to avoid ransomware infections altogether. Fortunately, this threat is well-researched and the countermeasures are known and effective.

  • Avoid shady software sources. Torrents, warez sites and any pages that offer cracked software may contain packages with malware, spyware, or viruses. Using them is Russian roulette for your safety, and also violates the law. The price tag for licensed software appears rather small when compared to the cost of recovery after a malware attack.
  • Be careful with email messages. You should not open or reply to email messages from unknown or suspicious senders. Phishing remains the most effective method to trick people into dangerous activity. This way, crooks can ask for your personal or financial information, offer you a prize or reward, or claim to be from a government or official agency.
  • Do not run applications from an unknown source. Those utilities or “programs for testing” may be different from what they look like. Even when someone you trust offers you one, it is important to treat these programs with additional caution.
  • Apply disk encryption. When dealing with sensitive data, it is not unreasonable to use disk encryption. It prevents unauthorized access to the data, as well as making it harder for intruders to encrypt it.
  • Use effective anti-malware software. This is the primary rule for each user. GridinSoft Anti-Malware will act as an additional safety layer when preventive measures fail or are absent for some reason. Also, it can clean up your system if it has already been infected.

Kasseika Ransomware Exploits Vulnerable Antivirus Drivers
https://gridinsoft.com/blogs/kasseika-ransomware-byovd-attack/
Thu, 25 Jan 2024 19:28:55 +0000
A new ransomware called “Kasseika” uses Bring Your Own Vulnerable Driver tactics to disable antivirus software before encrypting files. Kasseika was likely built by former members of the BlackMatter group or experienced ransomware actors who purchased its code.

Kasseika Ransomware Deploys BYOVD Attacks

A new ransomware operation known as “Kasseika” has recently been discovered. This threat actor uses Bring Your Own Vulnerable Driver tactics to disable antivirus software before encrypting files. Kasseika exploits the Martini driver (Martini.sys/viragt64.sys), part of TG Soft’s VirIT Agent System, to disable antivirus products protecting the targeted system.

According to analysts who first discovered and studied Kasseika in December 2023, the ransomware shares many attack chains and source code similarities with BlackMatter. Although BlackMatter’s source code has never been publicly leaked since its shutdown in late 2021, investigators believe that Kasseika was likely built by former members of the group or experienced ransomware actors who purchased its code.

What is BYOVD?

BYOVD, which stands for Bring Your Own Vulnerable Driver, is a technique attackers use to compromise a targeted system. In this method, attackers bring a legitimately signed but vulnerable driver to the system together with the payload and exploit it. Since such drivers are trusted by security software, they are not detected or blocked.

These drivers are typically kernel-mode drivers, which allow attackers to escalate privileges to the highest level of access and control over system resources. Such a trick enables attackers to disable endpoint security software and evade detection. Once the security defenses are compromised, attackers can engage in malicious activities without hindrance.

Kasseika Ransomware Attack Chain

Cyber attackers often use a phishing email to gain initial access to a network. Next, they use remote administration tools (RATs) to move around the network and gain privileged access. These attackers typically use Microsoft’s Sysinternals PsExec command-line utility to carry out their attacks. Adversaries then execute a malicious batch script that finds a process called “Martini.exe” and stops it, ensuring that only one instance of the process is running on the machine.

The Kasseika infection chain image
Kasseika’s infection chain

Defense evasion

After the initial preparations, the attackers download and run a driver called “Martini.sys” from a remote server. This driver can disable up to 991 security-related elements. It’s important to note that “Martini.sys” is a legitimate, signed driver originally named “viragt64.sys”. It has since been added to Microsoft’s vulnerable driver blocklist. If the malware cannot find “Martini.sys,” it terminates itself and does not proceed with the attack. So the entire attack relies on the presence of this specific driver – a rather indiscreet approach, if you ask me.

Executing payload

After executing “Martini.exe”, the ransomware payload “smartscreen_protected.exe” encrypts all the files using the ChaCha20 and RSA algorithms. It also terminates all the processes and services accessing Windows Restart Manager. Once the encryption is completed, a ransom note is left in every directory that has been encrypted. In addition, the system’s wallpaper is modified to display a note demanding payment of 50 bitcoins to a wallet address within 72 hours. Failure to comply results in an additional fee of $500,000 every 24 hours after the deadline has passed.

Kasseika ransom note wallpaper
The wallpaper that Kasseika ransomware sets; it acts as a ransom note

Clearing traces

To receive a decryptor, the victims must post a screenshot of the successful payment to a Telegram group controlled by the attacker. The Kasseika ransomware also clears the system’s event logs using the wevtutil.exe binary to remove any traces of its activity. This technique operates discreetly, making it more challenging for security tools to identify and respond to malicious activities.
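The driver load in the defense-evasion step and the wevtutil log clearing described here leave telemetry that can be correlated. The following is an added example, not code from the post or from any vendor: it runs simple detection logic over constructed sample events (a simplified JSON-like shape, not a real EVTX export) and escalates a host that shows both a watched driver load and a log-clearing event; the event IDs are the standard Sysmon and Windows ones, and the host names and paths are made up.

```python
# Constructed sample telemetry (simplified shape, not a real EVTX export).
# Event IDs: Sysmon 1 = process created, Sysmon 6 = driver loaded,
# Security 1102 = audit log cleared, System 104 = system log cleared.
SAMPLE_EVENTS = [
    {"host": "ws-17", "provider": "Microsoft-Windows-Sysmon", "event_id": 6,
     "image": r"C:\Windows\Temp\Martini.sys", "signed": "true", "signer": "TG Soft"},
    {"host": "ws-17", "provider": "Microsoft-Windows-Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\wevtutil.exe", "command_line": "wevtutil.exe cl Security"},
    {"host": "ws-17", "provider": "Microsoft-Windows-Eventlog", "event_id": 1102},
    {"host": "ws-02", "provider": "Microsoft-Windows-Sysmon", "event_id": 6,
     "image": r"C:\Windows\System32\drivers\tcpip.sys", "signed": "true", "signer": "Microsoft Windows"},
]

# File names given in the post. The driver carries a valid signature, so the
# signer field cannot be the detection key; the name (better: the hash) must be.
WATCHED_DRIVERS = {"martini.sys", "viragt64.sys"}
LOG_CLEAR_EVENTS = {1102, 104}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict):
    """Label one event, or return None when it is not relevant to this chain."""
    eid = event.get("event_id")
    image = basename(event.get("image", ""))
    if eid == 6 and image in WATCHED_DRIVERS:
        return "byovd_driver_loaded"
    if eid in LOG_CLEAR_EVENTS:
        return "event_log_cleared"
    if eid == 1 and image == "wevtutil.exe":
        args = set(event.get("command_line", "").lower().split())
        if args & {"cl", "clear-log"}:
            return "wevtutil_clear"
    return None


def detect(events):
    """Group labels per host; escalate hosts that show the watched driver load
    together with log clearing, the combination described for Kasseika above."""
    per_host = {}
    for ev in events:
        label = classify(ev)
        if label:
            per_host.setdefault(ev["host"], set()).add(label)
    escalated = sorted(
        host for host, labels in per_host.items()
        if "byovd_driver_loaded" in labels
        and labels & {"event_log_cleared", "wevtutil_clear"}
    )
    return per_host, escalated


if __name__ == "__main__":
    hosts, escalated = detect(SAMPLE_EVENTS)
    for host, labels in hosts.items():
        print(host, sorted(labels), "ESCALATE" if host in escalated else "")
```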

Safety Recommendations

Organizations should implement a multi-layered approach to protect against Kasseika and other malware. Here are key recommendations:

  • Enhance email security. To improve the security of your emails, it is essential to implement strong email filters that can detect and block phishing attempts. Additionally, educating your employees on identifying phishing and other cyber threats is essential. Regular training sessions can help them recognize phishing emails and malicious websites, significantly reducing the risk of infection.
  • Implement EDR within a zero-trust framework. This involves continuous monitoring and verification of endpoints and enforcing strict access controls to minimize the risk of lateral movement within the network. This integration enhances the security posture and protects against cyber threats as well as ransomware.
  • Update and patch regularly. As software vulnerabilities are a primary concern in enterprise cybersecurity, installing patches is the best option for covering that weak spot. The cost of installing an update is nothing compared to the ransom amounts and reputation damage. Keep track of the latest news and patches released by the vendors of the software you use, to be sure you have no loose ends left.

LockBit Ransomware Uses Resume Word Files to Spread
https://gridinsoft.com/blogs/lockbit-ransomware-resume-word-files/
Fri, 19 Jan 2024 10:01:25 +0000
A recent investigation by ASEC reveals new tactics of the infamous LockBit ransomware. The “post-paid pentesters” have started disguising their payloads as innocuous résumés in Word documents. Ironically, this tactic is reminiscent of their past modus operandi. It allows the ransomware to infiltrate systems unnoticed.

LockBit Ransomware in action

The LockBit ransomware, known for its damaging impact, has been observed being distributed through Word files disguised as resumes. This method was first noted in 2022 and has become a prevalent tactic for distributing this ransomware.

The primary tactic involves embedding harmful macros within Word documents. These documents, once opened, trigger the download of additional code from external URLs, which subsequently executes the LockBit ransomware. The filenames of these malicious Word files often resemble typical names or phrases associated with job applications.

Below is a list of the names of Word files that were found spreading malware:

  • [[[231227_Yang**]]].docx
  • 231227_Lee**.docx
  • 231227Yu**,docx
  • Kim**.docx
  • SeonWoo**.docx
  • Working meticulously! A leader in communication!.docx
  • Candidate with a kind attitude and a big smile.docx
  • I will work with an enthusiastic attitude.docx

When a user opens one of these Word files, the document connects to an external URL to download another document containing a malicious macro. Once this macro is executed, it triggers the deployment of the LockBit ransomware through PowerShell commands.

LockBit Ransomware in action
Malicious document requests permission to run macros

The downloaded document files contain obfuscated macro code similar to the VBA macros identified in 2022. Ultimately, PowerShell is executed to download and run the LockBit ransomware.
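The "connects to an external URL to download another document" step leaves a static trace inside the .docx itself: a settings relationship of type attachedTemplate with an external target. The following is an added example, not code from ASEC or the post, that inspects an OOXML package for such remote template references and for an embedded VBA project; the minimal .docx it builds and the https://template.example/resume.dotm URL are constructed placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def inspect_docx(data: bytes) -> dict:
    """Report external template references and embedded VBA in an OOXML blob."""
    findings = {"remote_templates": [], "has_vba_project": False, "error": None}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            findings["has_vba_project"] = "word/vbaProject.bin" in names
            rels = "word/_rels/settings.xml.rels"
            if rels in names:
                root = ET.fromstring(z.read(rels))
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if (rel.get("Type") == ATTACHED_TEMPLATE
                            and rel.get("TargetMode", "").lower() == "external"):
                        findings["remote_templates"].append(rel.get("Target", ""))
    except zipfile.BadZipFile as exc:
        findings["error"] = f"not an OOXML package: {exc}"
    return findings


def is_suspicious(findings: dict) -> bool:
    """A document fetching its template over http(s), or carrying macros, gets flagged."""
    remote = any(re.match(r"(?i)https?://", t) for t in findings["remote_templates"])
    return remote or findings["has_vba_project"]


def build_sample_docx(template_url: Optional[str]) -> bytes:
    """Constructed minimal .docx. With template_url set it mirrors the 'resume'
    files above, whose settings point at an external .dotm to be fetched."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", "<w:document/>")
        if template_url:
            z.writestr("word/_rels/settings.xml.rels",
                       f'<Relationships xmlns="{REL_NS}">'
                       f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                       f'Target="{template_url}" TargetMode="External"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL, constructed for this example
    sample = build_sample_docx("https://template.example/resume.dotm")
    report = inspect_docx(sample)
    print(report, "suspicious" if is_suspicious(report) else "clean")
```

A mail gateway or triage script can run inspect_docx over attachments before they reach a user, which catches the stage-one document even when the remote .dotm is not yet on any blocklist.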

malicious code
Comparison of macro code (VBA macro code 2022/VBA macro code discovered recently)

After finishing the encryption, the ransomware alters the desktop wallpaper so the user sees a notification. In addition, it creates a ransom note in each folder stating that all data in the system has been encrypted and stolen. The user is then threatened that the data will be leaked on the Internet if they refuse to pay the ransom.

Text file from ransomware
Ransom note

Recommendations

Security professionals are advised to block the following addresses associated with LockBit 3.0 ransomware:

  • hxxps://viviendas8[.]com/bb/qhrx1h.dotm
  • hxxps://learndash.825testsites[.]com/b/fgi5k8.dotm
  • hxxps://neverlandserver.nn[.]pe/b/ck0zcn.dotm

Even after blocking these addresses, we recommend following these tips:

  • Be wary of opening Word documents from unknown or unsolicited sources, especially those purporting to be resumes. Also, avoid allowing the execution of macros or other exploitable Microsoft Office elements.
  • Organizations should prioritize cybersecurity awareness training for their employees, emphasizing the risks associated with opening unsolicited email attachments.
  • Regularly back up critical files to minimize the damage in case of a ransomware attack. Ideally, there should be an offline backup, inaccessible to the attackers.
  • Utilize network monitoring tools to proactively detect suspicious activities and potential indicators of compromise. NDR solutions can provide a comprehensive view of events within the perimeter and protect from pretty much any threat.
