East Security to block 70,000 ransomware attacks in Q2 2024

Security specialist East Security announced that it blocked a total of 71,416 ransomware attacks in the second quarter of 2024 through the ransomware behavior-based preemptive blocking function of ‘Alyac’. That’s an average of 793 per day.

East Security selected the following as the major ransomware trends for the second quarter of 2024: ▲RaaS services appearing one after another ▲Emergence of Junk Gun ▲Continued ransomware attacks ▲Disclosure of ransomware attack patterns targeting ESXi.

According to East Security, the notorious ransomware groups LockBit and BlackCat have seen their influence weakened significantly, for reasons including international law enforcement operations and a breach of trust with their affiliates. The two groups had been the most influential players in the RaaS (Ransomware as a Service) market, but contrary to expectations, new RaaS offerings such as RansomHub, KillSec, Cash ransomware, and Eldorado have emerged one after another.

Among the newly launched RaaS services, RansomHub RaaS is a multi-platform (Windows, Linux, ESXi) service written in Go and C++. East Security stated that RansomHub RaaS appears to offer high commissions to its partners in order to attract many affiliates. In fact, it is growing at a very fast rate, and some say that RansomHub is a rebranded version of the Knight ransomware, citing similarities in code and obfuscation technology.

Meanwhile, the hacker group KillSec has released KillSec RaaS. This service operates over the Tor network and advertises various conveniences for its users, such as statistics, chat, and build functions. It has also announced that DDoS, call, and information-theft functions will be added in future updates.

Security firm Sophos has published research on low-priced, low-end ‘Junk Gun’ ransomware. Unlike the existing affiliate-based subscription RaaS model, these ransomware are operated independently and are characterized by their low prices. Sophos released information on 19 types of Junk Gun ransomware collected from June 2023 to February 2024, and said that although they are less sophisticated and technologically advanced than existing RaaS, they are popular with many novice hackers because, at an average price of $400, the buyer keeps all the profits if the attack succeeds.

Also, a Linux variant of the Cerber ransomware is being distributed that exploits the CVE-2023-22518 vulnerability. This vulnerability exists in Atlassian Confluence Data Center and Server, and attackers exploit it to create administrator accounts and execute the ransomware through web shells. Although a patch for CVE-2023-22518 has been released, security professionals need to apply it quickly, as attacks continue to target unpatched systems.

A campaign that tricks users into downloading fake software has also been discovered. When users search for specific software on search engines, the attackers display advertisement pages disguised as legitimate PuTTY and WinSCP download pages, tricking users into downloading the fake software. The installation package contains a malicious python311.dll file alongside the legitimate exe file, and when the user runs the setup file, the malicious DLL is executed through DLL sideloading and ultimately attempts to deploy ransomware. This attack method is similar to the campaign that distributed BlackCat/ALPHV ransomware, but detailed information about the ransomware has not been disclosed.

As ransomware attacks targeting VMware ESXi systems continue, security experts have revealed the attack pattern used against ESXi systems. According to them, initial access is mainly attempted through phishing, downloads of malicious files, and vulnerabilities. If initial access succeeds, brute force or other methods are used to escalate privileges and gain access to the ESXi host or vCenter, after which the backup system is destroyed or encrypted and data is stolen.

After exfiltrating data, the ransomware is said to be executed to encrypt the “/vmfs/volumes” subdirectory of the ESXi file system and spread the ransomware to non-virtualized workstations and servers.
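The ESXi pattern above hinges on brute-force access to the host before the backups and datastores are touched. As an added example that is not from East Security or the cited experts, the following script looks for that stage in ESXi-style SSH auth log lines: an accepted login preceded by a burst of failures from the same source within a short window. The log lines are constructed for the example and the format is assumed to match ESXi's sshd entries.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of an ESXi /var/log/auth.log (not real data).
SAMPLE_LOG = """\
2024-06-12T02:14:01Z esxi01 sshd[2101]: Failed password for root from 203.0.113.7 port 50122 ssh2
2024-06-12T02:14:03Z esxi01 sshd[2103]: Failed password for root from 203.0.113.7 port 50124 ssh2
2024-06-12T02:14:05Z esxi01 sshd[2105]: Failed password for root from 203.0.113.7 port 50126 ssh2
2024-06-12T02:14:06Z esxi01 sshd[2107]: Failed password for root from 203.0.113.7 port 50128 ssh2
2024-06-12T02:14:08Z esxi01 sshd[2109]: Failed password for root from 203.0.113.7 port 50130 ssh2
2024-06-12T02:14:11Z esxi01 sshd[2111]: Accepted password for root from 203.0.113.7 port 50132 ssh2
2024-06-12T08:30:00Z esxi01 sshd[3001]: Failed password for root from 192.0.2.20 port 41000 ssh2
2024-06-12T08:31:10Z esxi01 sshd[3003]: Accepted password for root from 192.0.2.20 port 41002 ssh2
"""

# Assumed line layout: ISO timestamp, host, sshd[pid], then the standard OpenSSH message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_line(line):
    """Return (timestamp, result, user, ip) or None for lines that are not logins."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("result"), m.group("user"), m.group("ip")

def find_bruteforce_logins(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return (ip, user, success_time, failure_count) for every accepted login
    preceded by at least `threshold` failures from the same ip/user within `window`."""
    failures = defaultdict(list)  # (ip, user) -> timestamps of failed attempts
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        key = (ip, user)
        if result == "Failed":
            failures[key].append(ts)
            continue
        recent = [t for t in failures[key] if ts - t <= window]
        if len(recent) >= threshold:
            hits.append((ip, user, ts, len(recent)))
        failures[key].clear()  # a successful login starts a fresh count
    return hits

if __name__ == "__main__":
    for ip, user, ts, n in find_bruteforce_logins(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}@{ip}: login accepted after {n} failures")
```

The single-failure login from 192.0.2.20 is below the default threshold and is not reported; lowering the threshold or widening the window trades noise for sensitivity.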

East Security ESRC stated, “Ransomware attacks exploiting security vulnerabilities are constantly occurring. We urge you to prevent ransomware attacks exploiting security vulnerabilities in advance as much as possible by regularly updating major software.”
editor@itworld.co.kr

Source: www.itworld.co.kr