Thursday, April 3, 2025

Ransomware group RansomHub has launched attacks on a staggering 210 victims across critical sectors.

Since emerging on the cybercrime landscape in February 2024, the threat actors behind RansomHub have reportedly attacked at least 210 victims, encrypting and exfiltrating sensitive data as they operate globally, with a significant proportion of these incidents occurring in the United States, U.S. authorities stated.

Affected sectors include water and wastewater management, information technology, government agencies and services, healthcare and public health, emergency response, food and agriculture, financial services, industrial processes, transportation, and critical communications infrastructure.

“Authorities have identified RansomHub, a ransomware-as-a-service variant formerly known as Cyclops and Knight, as a highly effective and lucrative model that has garnered the attention of prominent affiliates from notable variants like LockBit and ALPHV.”

The ransomware-as-a-service variant, descended from the Cyclops and Knight operations, has attracted high-profile affiliates from prominent groups such as LockBit and ALPHV (also known as BlackCat) following recent law enforcement crackdowns on those operations.

ZeroFox’s latest evaluation shows a steep escalation in RansomHub activity as a share of all ransomware attacks tracked by the vendor: 2% in Q1 2024, 5.1% in Q2, and 14.2% so far in Q3.

According to the company, approximately 34% of RansomHub attacks have targeted firms in Europe, a proportion that is significantly higher than the 25% average seen across the broader threat landscape.

The group employs a double-extortion model, exfiltrating sensitive data and then encrypting systems, and uses both as leverage against victims, who are instructed to contact the operators via a unique Tor (.onion) URL. Firms that refuse to pay see their data published on the group’s leak site, where it typically remains for anywhere from three to ninety days.

Affiliates gain initial access by exploiting known vulnerabilities in a range of software products, including Apache ActiveMQ, Atlassian Confluence, Citrix ADC, F5 BIG-IP, and Fortinet’s FortiOS and FortiClientEMS platforms.

Affiliates then conduct reconnaissance and network scanning using tools such as Angry IP Scanner and Nmap, alongside living-off-the-land techniques. RansomHub operators have also been observed exploiting vulnerabilities to disable antivirus software, evading detection and amplifying the impact of their attacks.

“After gaining an initial foothold, RansomHub affiliates created user accounts for persistence, re-enabled dormant accounts, and used Mimikatz on Windows systems to harvest credentials [T1003] before escalating privileges to SYSTEM,” the U.S. advisory reads.

Affiliates then moved laterally through the network using Remote Desktop Protocol (RDP), PsExec, AnyDesk, ConnectWise, N-able, Cobalt Strike, Metasploit, or other widely used command-and-control tools.
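The persistence and lateral-movement steps described above (new accounts created, dormant accounts re-enabled, remote-execution tooling dropped on hosts) each leave a trace in Windows Security event logs. The following is an added example, not code from the advisory or from any vendor, of a small correlation routine a defender might run over exported events. The event records, account names, hosts and IP addresses are constructed for illustration; the event IDs (4720 account created, 4722 account enabled, 4624 logon with type 10 for RDP, 4688 process creation) are the standard Windows ones, and the 30-minute and 90-day thresholds are assumptions to tune per environment.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample of simplified Windows Security events as a SIEM would
# extract them (not real telemetry). Times are ISO-8601 local timestamps.
SAMPLE_EVENTS = [
    {"time": "2025-04-01T02:10:00", "id": 4720, "subject": "CORP\\admin01",
     "target": "svc_backup2", "host": "DC01"},
    {"time": "2025-04-01T02:12:30", "id": 4624, "account": "svc_backup2",
     "logon_type": 10, "src_ip": "10.0.5.23", "host": "FS01"},
    {"time": "2025-04-01T02:15:00", "id": 4722, "subject": "CORP\\admin01",
     "target": "jsmith_old", "host": "DC01"},
    {"time": "2025-04-01T02:20:00", "id": 4688, "process": "C:\\Windows\\PSEXESVC.exe",
     "account": "svc_backup2", "host": "FS01"},
    {"time": "2025-04-01T09:00:00", "id": 4624, "account": "alice",
     "logon_type": 2, "src_ip": "-", "host": "WS17"},
]

# Constructed "last successful logon" table, e.g. pulled from AD lastLogonTimestamp.
LAST_LOGON = {"jsmith_old": "2024-09-15T08:00:00", "alice": "2025-03-31T17:00:00"}

# Process names associated with the remote-execution / credential tooling the
# advisory names (PsExec service binary, Mimikatz). Assumption: extend to taste.
REMOTE_EXEC_TOOLS = {"psexesvc.exe", "psexec.exe", "mimikatz.exe"}


def _ts(value):
    return datetime.fromisoformat(value)


def triage(events, last_logon, dormant_days=90, window_minutes=30):
    """Return a list of findings, one per suspicious pattern observed.

    Rules implemented:
      new_account_rdp     - account created (4720) then used for an RDP logon
                            (4624, type 10) within `window_minutes`
      dormant_reactivated - account enabled (4722) whose last logon is older
                            than `dormant_days` (or unknown)
      remote_exec_tool    - process creation (4688) of a known remote-exec or
                            credential-dumping binary
    """
    findings = []
    created = {}  # account -> time the 4720 event was seen
    window = timedelta(minutes=window_minutes)
    dormant = timedelta(days=dormant_days)

    for ev in sorted(events, key=lambda e: e["time"]):
        t = _ts(ev["time"])
        eid = ev["id"]
        if eid == 4720:
            created[ev["target"]] = t
        elif eid == 4624 and ev.get("logon_type") == 10:
            acct = ev["account"]
            if acct in created and t - created[acct] <= window:
                findings.append({"rule": "new_account_rdp", "account": acct,
                                 "host": ev["host"], "src_ip": ev["src_ip"]})
        elif eid == 4722:
            acct = ev["target"]
            last = last_logon.get(acct)
            if last is None or t - _ts(last) > dormant:
                findings.append({"rule": "dormant_reactivated", "account": acct,
                                 "host": ev["host"], "enabled_by": ev["subject"]})
        elif eid == 4688:
            name = PureWindowsPath(ev["process"]).name.lower()
            if name in REMOTE_EXEC_TOOLS:
                findings.append({"rule": "remote_exec_tool", "account": ev["account"],
                                 "host": ev["host"], "process": name})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, LAST_LOGON):
        print(f)
```

Each rule on its own is noisy in a large estate; the value is in the combination, so a practitioner would normally feed these findings into a scoring step keyed on account and host rather than alert on each individually.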

RansomHub attacks are also notable for using intermittent encryption to speed up the encryption phase, and for exfiltrating data through tools such as PuTTY, Amazon AWS S3 buckets, HTTP POST requests, WinSCP, Rclone, Cobalt Strike, and Metasploit, among others.
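Intermittent encryption, mentioned above, leaves a recognisable signature: instead of a uniformly high-entropy file, an affected file alternates high-entropy (encrypted) chunks with untouched low-entropy ones. The following is an added example, not from the article or any vendor tool, of a chunk-entropy classifier a responder could run over a file share to distinguish untouched, fully encrypted and partially encrypted files. The sample data is constructed in the block (repeated ASCII text for plaintext, seeded pseudo-random bytes standing in for ciphertext), and the chunk size and entropy thresholds are assumptions that should be tuned against known-good files for a given environment.

```python
import math
import random
from collections import Counter

CHUNK_SIZE = 4096     # assumption: block size scanned; real samples vary
HIGH_ENTROPY = 7.5    # bits/byte; ciphertext and compressed data sit near 8.0
LOW_ENTROPY = 6.0     # bits/byte; text, documents and most code sit well below


def shannon_entropy(data):
    """Shannon entropy in bits per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def chunk_entropies(data, chunk_size=CHUNK_SIZE, min_chunk=256):
    """Entropy of each fixed-size chunk; a short trailing chunk is ignored."""
    out = []
    for start in range(0, len(data), chunk_size):
        chunk = data[start:start + chunk_size]
        if len(chunk) >= min_chunk:
            out.append(shannon_entropy(chunk))
    return out


def classify(data, chunk_size=CHUNK_SIZE, high=HIGH_ENTROPY, low=LOW_ENTROPY):
    """Label a file body as plaintext, fully_encrypted, intermittent or ambiguous.

    intermittent = at least one chunk above `high` AND at least one below `low`,
    which is the pattern left by encrypting only every Nth block of a file.
    """
    ents = chunk_entropies(data, chunk_size)
    if not ents:
        return "empty"
    n_high = sum(e > high for e in ents)
    n_low = sum(e < low for e in ents)
    if n_high == len(ents):
        return "fully_encrypted"
    if n_high and n_low:
        return "intermittent"
    if n_high == 0:
        return "plaintext"
    return "ambiguous"


# Constructed samples (not real files). Seeded PRNG bytes stand in for
# ciphertext so the example is deterministic.
_rng = random.Random(1234)
TEXT_CHUNK = (b"The quick brown fox jumps over the lazy dog. " * 100)[:CHUNK_SIZE]
CIPHER_CHUNK = _rng.randbytes(CHUNK_SIZE)

PLAINTEXT_FILE = TEXT_CHUNK * 8
ENCRYPTED_FILE = b"".join(_rng.randbytes(CHUNK_SIZE) for _ in range(8))
# Every other 4 KiB block encrypted, the rest left intact.
INTERMITTENT_FILE = b"".join(
    (CIPHER_CHUNK if i % 2 == 0 else TEXT_CHUNK) for i in range(8))


if __name__ == "__main__":
    for name, body in [("plaintext", PLAINTEXT_FILE),
                       ("encrypted", ENCRYPTED_FILE),
                       ("intermittent", INTERMITTENT_FILE)]:
        print(name, "->", classify(body), [round(e, 2) for e in chunk_entropies(body)][:4])
```

Compressed archives and media files are also high-entropy throughout, so on a real share the `fully_encrypted` label needs a second signal (extension change, magic-byte mismatch, ransom note beside the file); the `intermittent` label is the more distinctive one, because legitimate formats rarely alternate cleanly between near-8 and near-4 bits per byte at a fixed stride.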

Unit 42 researchers at Palo Alto Networks have shed light on the tactics of the ShinyHunters group, which they track as Bling Libra, revealing a marked shift from publicising stolen data to extorting victims. The threat actor first surfaced in 2020.

“The research team obtains genuine credentials, sourced from publicly available repositories, allowing for initial access to a company’s Amazon Web Services (AWS) environment,” said security researchers Margaret Zimmermann and Chandni Vaya.

Although the permissions tied to the compromised credentials limited the impact of the breach, Bling Libra gained access to the organisation’s Amazon Web Services (AWS) environment and began reconnaissance. The group used tools such as the S3 Browser and WinSCP to gather information on Amazon Simple Storage Service (S3) bucket configurations, access data, and delete it.
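The AWS intrusion above (leaked credentials, S3 bucket enumeration with desktop clients, then deletion) is visible in CloudTrail provided S3 data events are being logged. The following is an added example, not code from Unit 42 or AWS, of a detection pass over a CloudTrail export that flags an IAM principal which enumerates buckets and then deletes objects, and separately flags use of third-party S3 clients. The trail records, user names, IP addresses and user-agent strings are constructed; the CloudTrail field names (`eventTime`, `eventName`, `eventSource`, `userIdentity.userName`, `sourceIPAddress`, `userAgent`) are the real ones, while the user-agent substrings matched for S3 Browser and WinSCP are assumptions to verify against your own logs.

```python
import json
from collections import defaultdict
from datetime import datetime

# Read-style calls an intruder makes while mapping what the key can reach.
RECON_EVENTS = {"ListBuckets", "GetBucketAcl", "GetBucketPolicy",
                "GetBucketVersioning", "ListObjects"}
DESTRUCTIVE_EVENTS = {"DeleteObject", "DeleteObjects", "DeleteBucket"}
# Assumption: case-insensitive substrings of the User-Agent header sent by the
# desktop clients named in the article.
THIRD_PARTY_CLIENTS = ("s3 browser", "winscp")

# Constructed CloudTrail export (not a real trail). "ci-deploy" plays the
# leaked key; "backup-svc" is ordinary activity that must not be flagged.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2025-04-01T03:14:07Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "sourceIPAddress": "203.0.113.45", "userAgent": "S3 Browser/11.0 (constructed)"},
    {"eventTime": "2025-04-01T03:14:20Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetBucketAcl", "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "sourceIPAddress": "203.0.113.45", "userAgent": "S3 Browser/11.0 (constructed)"},
    {"eventTime": "2025-04-01T03:15:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjects", "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "sourceIPAddress": "203.0.113.45", "userAgent": "S3 Browser/11.0 (constructed)"},
    {"eventTime": "2025-04-01T03:31:44Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject", "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "sourceIPAddress": "203.0.113.45", "userAgent": "WinSCP/6.1 (constructed)"},
    {"eventTime": "2025-04-01T04:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "userIdentity": {"type": "IAMUser", "userName": "backup-svc"},
     "sourceIPAddress": "10.20.0.8", "userAgent": "aws-cli/2.15.0 (constructed)"},
]})


def _ts(value):
    # CloudTrail uses RFC 3339 with a trailing Z; make it timezone-aware.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def analyze(trail_json):
    """Return findings as dicts keyed by principal and rule.

    recon_then_delete  - same principal issues S3 recon calls and later a
                         destructive call
    third_party_client - principal uses a desktop S3 client (by User-Agent)
    """
    records = json.loads(trail_json)["Records"]
    by_user = defaultdict(list)
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com":
            continue
        by_user[r["userIdentity"].get("userName", "<unknown>")].append(r)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda r: _ts(r["eventTime"]))
        first_recon = next((_ts(r["eventTime"]) for r in evs
                            if r["eventName"] in RECON_EVENTS), None)
        deletes = [r for r in evs if r["eventName"] in DESTRUCTIVE_EVENTS
                   and first_recon is not None and _ts(r["eventTime"]) > first_recon]
        if deletes:
            findings.append({"rule": "recon_then_delete", "user": user,
                             "src_ips": sorted({r["sourceIPAddress"] for r in evs}),
                             "first_delete": deletes[0]["eventTime"]})
        agents = {r["userAgent"] for r in evs
                  if any(c in r["userAgent"].lower() for c in THIRD_PARTY_CLIENTS)}
        if agents:
            findings.append({"rule": "third_party_client", "user": user,
                             "user_agents": sorted(agents)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_TRAIL):
        print(f)
```

Note that `ListObjects`, `DeleteObject` and other object-level calls only appear in CloudTrail when S3 data events are enabled for the trail (management events such as `ListBuckets` and `GetBucketAcl` are logged by default), so the deletion half of this rule is silent on a trail that has never been configured for data events.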

As ransomware attacks continue to evolve, they’ve transitioned beyond simple file encryption to employ sophisticated, multifaceted extortion tactics, including triple and quadruple schemes, according to SOCRadar’s findings.

As ransomware attacks grow more sophisticated, triple extortion has emerged as a potent threat: it builds on the earlier encryption and exfiltration stages to put additional pressure on the victim beyond the stolen data itself.

“This scenario may involve conducting a distributed denial-of-service (DDoS) attack against the victim’s systems or issuing direct threats to the victim’s customers, suppliers, or other associates, ultimately aimed at causing further operational and reputational harm through the extortion scheme.”

Quadruple extortion goes a step further, targeting not only the initial victim but also their business partners and associates, and exploiting those relationships to demand further concessions or to threaten exposure of sensitive information unless the ransom is paid.

The lucrative ransomware-as-a-service (RaaS) model has driven a proliferation of ransomware strains, including Conti, Maze, LockerGoga, REvil, DarkSide, HelloKitty, and LockBit. It has also drawn in Iranian nation-state actors, who have collaborated with known ransomware groups in exchange for a share of the illicit proceeds.
