RaaS landscape widens

Ransomware-as-a-Service is a cyber-security term referring to criminal gangs that rent ransomware to other groups, either via a dedicated portal or via threads on hacking forums.

RaaS portals work by providing a ready-made ransomware code to other gangs. These gangs, often called RaaS clients or affiliates, rent the ransomware code, customize it using options provided by the RaaS, and then deploy in real-world attacks via a method of their choosing.

These methods vary between RaaS affiliate and can include email spear-phishing attacks, en-masse indisciriminate email spam campaigns, the use of compromised RDP credentials to gain access to corporate networks, or the use of vulnerabilities in networking devices to gain access to internal enterprise networks.https://9decc16ac028a02c144f7ab21dc2da2a.safeframe.googlesyndication.com/safeframe/1-0-37/html/container.html

Payments from these incidents, regardless of how the affiliates managed to infect a victim, go to the RaaS gang, who keeps a small percentage and then forwards the rest to the affiliate.

RaaS offerings have been around since 2017, and they have been widely adopted as they allow non-technical criminal gangs to spread ransomware without needing to know how to code and deal with advanced cryptography concepts.

The RaaS tiers

According to a report published today by Intel 471, there are currently around 25 RaaS offerings being advertised on the underground hacking

While there are ransomware gangs who operate without renting their “product” to other groups, the number of RaaS portals available today far exceeds what many security experts thought could be available and shows the plethora of options that criminal gangs have at their disposal if they ever choose to dip their toes in the ransomware game.

But not all RaaS offerings provide the same features. Intel 471 says it’s been tracking these services across three different tiers, depending on the RaaS’ sophistication, features, and proven history.

Tier 1 is for the most well-known ransomware operations today. To be classified as a Tier 1 RaaS, these operations had to be around for months, proven the viability of their code through a large number of attacks, and continued to operate despite public

This tier includes the likes of REvil, Netwalker, DopplePaymer, Egregor (Maze), and Ryuk.

With the exception of Ryuk, all Tier 1 operators also run dedicated “leak sites” where they name-and-shame victims as part of their well-oiled extortion cartel.

These gangs also use a wide variety of intrusion vectors, each depending on the type of affiliates they recruit. They can breach networks by exploiting bugs in networking devices (by recruiting networking experts), they can drop their ransomware payload on systems already infected by other malware (by working with other malware cartels), or they can gain access to company networks via RDP connections (by working with brute-force botnet operators or sellers or compromised RDP credentials).null

Tier 2 is for RaaS portals that have gained a reputation on the hacking underground, provide access to advanced ransomware strains, but have yet to reach the same number of affiliates and attacks as Tier 1 operators.

This list includes the likes of Avaddon, Conti, Clop, DarkSide, Mespinoza (Pysa), RagnarLocker, Ranzy (Ako), SunCrypt, and Thanos — and these are effectively the up-and-comers of the ransomware world.

raas-tier-2.png

Tier 3 is for newly launched RaaS portals or for RaaS offerings about which there’s limited to no information available. In some cases, it is unclear if any of these are still up and running or if their authors gave up after trying and failing to get their portals off the ground.null

This list currently includes the likes of CVartek.u45, Exorcist, Gothmog, Lolkek, Muchlove, Nemty, Rush, Wally, Xinof, Zeoticus, and (late arrival) ZagreuS.

raas-tier-3.png

All in all, while the underground cybercrime ecosystem is generating profits through criminal activity, it is still a market, and, just like all markets, it is governed by the same principles that guide any other market today.

A large number of service providers is the tell-tale sign of a booming economy that is far from being saturated. Saturating the RaaS market will only happen when criminals create more RaaS portals than affiliate groups are willing to sign up for or when companies bolster their security measures, making intrusion harder to carry out, drying up profits for crooks.

Source : zdnet

Regret locker 👿 soon you will regret

A new ransomware called RegretLocker uses a variety of advanced features that allows it to encrypt virtual hard drives and close open files for encryption.

RegretLocker was discovered earlier last month and is a simple ransomware in terms of appearance as it does not contain a long-winded ransom note and uses email for communication rather than a Tor payment site.

When encrypting files, it will append the innocuous-sounding .mouse extension to encrypted file names.

What it lacks in appearance, though, it makes up for in advanced features that we do not usually see in ransomware infections, as described below.

RegretLocker mounts virtual hard disks
When creating a Windows Hyper-V virtual machine, a virtual hard disk is created and stored in a VHD or VHDX file.

These virtual hard disk files contain a raw disk image, including a drive’s partition table and partitions, and like regular disk drives, can range in size from a few gigabytes to terabytes.

When a ransomware encrypts files on a computer, it is not efficient to encrypt a large file as it slows down the entire encryption process’s speed.

RegretLocker uses an interesting technique of mounting a virtual disk file so each of its files can be encrypted individually.

RegretLocker uses the Windows Virtual Storage API OpenVirtualDisk, AttachVirtualDisk, and GetVirtualDiskPhysicalPath functions to mount virtual disks.

Once the virtual drive is mounted as a physical disk in Windows, the ransomware can encrypt each one individually, which increases the speed of encryption.

The code used by RegretLocker to mount a VHD is believed to have been taken from a recently published research by security researcher smelly__vx.

In addition to using the Virtual Storage API, RegretLocker also utilizes the Windows Restart Manager API to terminate processes or Windows services that keep a file open during encryption.

When using this API, if the name of a process contains ‘vnc’, ‘ssh’, ‘mstsc’, ‘System’, or ‘svchost.exe’, the ransomware will not terminate it. This exception list is likely used to prevent the termination of critical programs or those used by the threat actor to access the compromised system.

The Windows Restart Manager feature is only used by a few ransomware such as REvil (Sodinokibi), Ryuk, Conti, ThunderX/Ako, Medusa Locker, SamSam, and LockerGoga.

RegretLocker is not very active at this point, but it is a new family that we need to keep an eye on.

Maze shutting down finally 💫

The Maze cybercrime gang is shutting down its operations that began its operation in may 2019 after rising to become one of the most prominent players performing ransomware attacks.

A double-extortion tactic introduced by Maze to exfilterates the data before encryption

Once encrypted, they demand ransom . If victim fails to pay they publish those data in maze site which started to be in limelight

This double-extortion technique was quickly adopted by other large ransomware operations, including REvil, Clop, DoppelPaymer, who released their own data leak sites. This double-extortion technique has now become a standard tactic used by almost all ransomware operations.

Maze continued to evolve ransomware operations by forming a ransomware cartel with Ragnar Locker and LockBit, to share information and tactics.

During their year and a half cybercrime spree, Maze has been responsible for attacks on notable victims, including Southwire, City of Pensacola, Canon, LG Electronics, Xerox, and many more.

Maze started to shut down six weeks ago
In a similar manner as GandCrab did in 2019.lastly Barnes and Noble ransomware attack.

This threat actor stated that they take part in ransomware attacks by compromising networks and stealing Windows domain credentials. The compromised networks are then passed to affiliates who deploy the ransomware.

Maze has started to remove victims that they had listed on their data leak site. All that is left on the site are two victims and those who previously and had all of their data published.The cleaning up of the data leak site indicates that the ransomware operation’s shutdown is imminent.

It is not uncommon for ransomware operations to release the master decryption keys when they shut down their operation, as was done with Crysis, TeslaCrypt, and Shade.

Maze affiliates have switched over to a new ransomware operation called Egregor which began operating in the middle of September, just as Maze started shutting down their encryption operation.

This is believed to be the same underlying software as both Maze and Sekhmet as they utilize the same ransom notes, similar payment site naming, and share much of the same code.

This was also confirmed by a ransomware threat actor who stated that Maze, Sekhmet, and Egregor were the same software.when a ransomware operation shuts down, it does not mean the threat actors involved retire as well. They just move to the next ransomware operation.

Sopra Steria …. Ryuked.. Services down

IT services provider Sopra Steria has confirmed that it was hit by a “new version” of the Ryuk ransomware that was “previously unknown to antivirus software providers and security agencies”.

The French-headquartered company detected the cyberattack on 20 October and made it public the following day.

Rreports pointed to hackers using Ryuk ransomware to target Sopra Steria’s Active Directory infrastructure. This saw some IT systems encrypted and payment demanded to unlock them.

Sopra Steria said it has made the virus signature of the new Ryuk ransomware strain available to “all antivirus software providers” so that they can update their defences.

Sopra Steria said that the ransomware attack was launched “a few days before it was detected”, which meant the virus was contained to a “limited part of the Group’s infrastructure”.

It has been revealed that Ryuk operators exploited the Netlogon vulnerability CVE 2020-1472 which hits the domain controllers and exfilterates the data. Microsoft released the patch for this Exploit in August

The company, which provides IT outsourcing services to the NHS and Home Office, said it has not identified any leaked data or damage to client networks.

It may take few weeks for services to up across geographies.