The Week in Ransomware – December 16th 2022

Jean J. White

Lock over a city

To evade detection by security software, malware developers and threat actors increasingly use compromised code-signing certificates to sign their malware.

This trend was illustrated this week when Microsoft disclosed during the December Patch Tuesday that developer accounts were compromised to sign malicious, kernel-mode hardware drivers in the Windows Hardware Developer Program.

As Microsoft signed these drivers, it allowed them to be loaded into Windows and gain the highest level of privileges in the operating system.

These drivers were used as part of a toolkit consisting of STONESTOP (loader) and POORTRY (driver) malware that disabled protected security software processes and Windows services running on the computer.

Coordinated reports from Microsoft, Mandiant, Sophos, and SentinelOne indicated that multiple threat actors used malware signed using these compromised accounts, including the Hive and Cuba ransomware operations.

Microsoft also fixed a Windows Mark of the Web zero-day vulnerability that threat actors actively exploited in malware distribution campaigns, including those for Magniber Ransomware and QBot.

Other research released this week includes:

Finally, there were also quite a few cyberattacks or information about attacks this week, but only a few were confirmed to be ransomware.

The ransomware attacks include a LockBit attack on California’s Department of Finance. the Play ransomware operation claiming the attack on the Belgium city on Antwerp, and BlackCat ransomware attack on EPM, one of the largest energy suppliers in Colombia.

Contributors and those who provided new ransomware information and stories this week include: @struppigel, @VK_Intel, @billtoulas, @FourOctets, @jorntvdw, @BleepinComputer, @DanielGallagher, @demonslay335, @malwrhunterteam, @fwosar, @Seifreed, @serghei, @malwareforme, @Ionut_Ilascu, @LawrenceAbrams, @PolarToffee, @_CPResearch_, @vinopaljiri, @cybereason, @1ZRR4H, @TalosSecurity, @pcrisk, @TrendMicro, @GeeksCyber, and @Digitaleragroup

December 11th 2022

Clop ransomware uses TrueBot malware for access to networks

Security researchers have noticed a spike in devices infected with the TrueBot malware downloader created by a Russian-speaking hacking group known as Silence.

December 12th 2022

Play ransomware claims attack on Belgium city of Antwerp

The Play ransomware operation has claimed responsibility for a recent cyberattack on the Belgium city of Antwerp.

Pulling the Curtains on Azov Ransomware: Not a Skidsware but Polymorphic Wiper

One thing that sets Azov apart from your garden-variety ransomware is its modification of certain 64-bit executables to execute its own code. Before the advent of the modern-day internet, this behavior used to be the royal road for the proliferation of malware; because of this, to this day, it remains the textbook definition of “computer virus” (a fact dearly beloved by industry pedants, and equally resented by everyone else).

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .manw and .maos extensions.

December 13th 2022

LockBit claims attack on California’s Department of Finance

The Department of Finance in California has been the target of a cyberattack now claimed by the LockBit ransomware gang.

Microsoft-signed malicious Windows drivers used in ransomware attacks

Microsoft has revoked several Microsoft hardware developer accounts after drivers signed through their profiles were used in cyberattacks, including ransomware incidents.

A Deep Dive into BianLian Ransomware

BianLian ransomware is a Golang malware that performed targeted attacks across multiple industries in 2022. The ransomware employed anti-analysis techniques consisting of API calls that would likely crash some sandboxes/automated analysis systems. The malware targets all drives identified on the machine and deletes itself after the encryption is complete.

New STOP ransomware variant

PCrisk found a new STOP ransomware variant that appends the .matu extension.

New Dharma ransomware variant

PCrisk found a new Dharma ransomware variant that appends the .hebem extension and drops a ransom note named info.txt.

New Lucknite ransomware

PCrisk found a new Lucknite ransomware that appends the .lucknite extension and drops a ransom note named README.txt.

New Chaos ransomware variant

PCrisk found a new Chaos ransomware variant that appends the .xllm extension and drops a ransom note named read_it.txt.

December 14th 2022

Microsoft patches Windows zero-day used to drop ransomware

Microsoft has fixed a security vulnerability used by threat actors to circumvent the Windows SmartScreen security feature and deliver Magniber ransomware and Qbot malware payloads.

Royal Rumble: Analysis of Royal Ransomware

The Royal ransomware group emerged in early 2022 and has gained momentum since the middle of the year. Its ransomware, which the group deploys through different TTPs, has impacted multiple organizations across the globe. The group itself is suspected of consisting of former members of other ransomware groups, based on similarities researchers have observed between Royal ransomware and other ransomware operators.

Masscan Ransomware Threat Analysis – 2022 Cyber Intelligence Report

Numerous cases of ransomware damage were reported by many Korean companies in the second half of 2022. The damage is unique in its aspect, that an attacker infiltrated a database (DB) server with a vulnerable security system, distributed ransomware, encrypted the file, and added a “.masscan” string to the file extension.

New BLOCKY ransomware

PCrisk found a new Blocky ransomware that appends the .Locked extension and drops a ransom note named READ_IT.txt.

New HentaiLocker ransomware

PCrisk found a new ransomware that appends the .HENTAI extension and drops a ransom note named UNLOCKFILES.txt.

December 16th 2022

Colombian energy supplier EPM hit by BlackCat ransomware attack

Colombian energy company Empresas Públicas de Medellín (EPM) suffered a BlackCat/ALPHV ransomware attack on Monday, disrupting the company’s operations and taking down online services.

Agenda Ransomware Uses Rust to Target More Vital Industries

This year, ransomware-as-a-service (RaaS) groups like BlackCat, Hive, and RansomExx have developed versions of their ransomware in Rust, a cross-platform language that makes it easier to tailor malware to different operating systems like Windows and Linux. In this blog entry, we shed light on Agenda (also known as Qilin), another ransomware group that has started using this language.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .btnw, .btos, and .bttu extensions.

Agenda Ransomware Uses Rust to Target More Vital Industries

This year, ransomware-as-a-service (RaaS) groups like BlackCat, Hive, and RansomExx have developed versions of their ransomware in Rust, a cross-platform language that makes it easier to tailor malware to different operating systems like Windows and Linux. In this blog entry, we shed light on Agenda (also known as Qilin), another ransomware group that has started using this language.

That’s it for this week! Hope everyone has a nice weekend!

Next Post

Govee Smart Air Quality Monitor review: An inexpensive tracker

At a look Expert’s Score Execs Uncomplicated to set up and use Huge and brilliant show Can cause Govee good appliances into action in response to air top quality Affordable Disadvantages Does not keep track of carbon monoxide, carbon dioxide, or VOC stages Purpose button did not function as anticipated […]
Govee Smart Air Quality Monitor

Subscribe US Now