Lockbit strikes PTI

The computer server of India’s leading news organization, Press Trust of India (PTI), was attacked late Saturday night by ransomware, disrupting news service across the country for several hours.

A ransom was demanded from PTI after the cyber attack. The news organization resumed work after about 12 hours of effort by its IT engineers.

A PTI spokesperson said that its servers across the country were attacked by ransomware called Lockbit at 10.00 pm on Saturday. The ransomware encrypted all data and applications, disrupting its news service.

The origin of the malware is not known, nor whether this was a deliberate attack. However, a ransom was demanded to return the encrypted data after the attack.

A PTI spokesperson said that the work of the news organization was back to normal from 9 am on Sunday after a 12-hour struggle by PTI’s IT engineers. The company did not pay the ransom to the attackers.

According to a recent survey by cybersecurity company Sophos, ransomware attacks have increased over the years. Eighty-two percent of the companies surveyed reported suffering a ransomware attack between January and June this year.

Only 8 percent of Indian companies were able to stop an attack before their data was encrypted, compared to a global average of 24 percent. Only one-third of Indian companies said they were able to recover encrypted data from backups, while 66 percent said they would have to pay a ransom to recover their data.

Abaddon RAT: sophisticated Discord C2

The new ‘Abaddon’ remote access trojan (RAT) may be the first to use Discord as a full-fledged command and control (C2) server that instructs the malware on what tasks to perform on an infected PC.

Threat actors abusing Discord for malicious activity is nothing new, but using it as the complete C2 channel appears to be.

When started, Abaddon will automatically steal the following data from an infected PC:

  • Chrome cookies, saved credit cards, and credentials.
  • Steam credentials and list of installed games
  • Discord tokens and MFA information.
  • File listings
  • System information such as country, IP address, and hardware information.

Abaddon will then connect to the Discord command and control server to check for new commands to execute, as shown in the image below.

Receive a task from the Discord server

These commands will tell the malware to perform one of the following tasks:

  • Steal a file or entire directories from the computer
  • Get a list of drives
  • Open a reverse shell that allows the attacker to execute commands on the infected PC.
  • Launch in-development ransomware (more on this below).
  • Send back any collected information and clear the existing collection of data.

The malware will connect to the C2 every ten seconds for new tasks to execute.

Using a Discord C2 server, the threat actor can continually monitor their collection of infected PCs for new data and execute further commands or malware on the infected computer, such as encrypting files and, after a ransom is paid, decrypting them.
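The ten-second polling described above leaves a tell-tale pattern in network logs: one client talking to one host at near-constant intervals, with far less jitter than a human using Discord would produce. The following script is an added example (not code from the original post or from the Abaddon analysis) that parses a constructed proxy log and flags such low-jitter beaconing. The log format, client addresses and request paths are all assumptions made up for the example; the Discord API path is a placeholder.

```python
"""Flag (client, destination host) pairs that poll at a fixed interval.

Added example, not from the original post. It parses a constructed proxy log
and looks for near-constant gaps between successive requests from one client
to one host, the pattern a RAT polling a Discord channel every ten seconds
would leave behind. Thresholds are assumptions and should be tuned per network.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "<ISO timestamp> <client_ip> <dest_host> <path>".
# 10.0.0.5 polls with ~10 s gaps; 10.0.0.7 browses Discord like a person.
SAMPLE_PROXY_LOG = """\
2020-10-18T22:00:00 10.0.0.5 discord.com /api/channels/CHANNEL_ID/messages
2020-10-18T22:00:10 10.0.0.5 discord.com /api/channels/CHANNEL_ID/messages
2020-10-18T22:00:21 10.0.0.5 discord.com /api/channels/CHANNEL_ID/messages
2020-10-18T22:00:31 10.0.0.5 discord.com /api/channels/CHANNEL_ID/messages
2020-10-18T22:00:41 10.0.0.5 discord.com /api/channels/CHANNEL_ID/messages
2020-10-18T22:00:52 10.0.0.5 discord.com /api/channels/CHANNEL_ID/messages
2020-10-18T22:00:03 10.0.0.7 discord.com /channels/@me
2020-10-18T22:01:41 10.0.0.7 discord.com /api/gateway
2020-10-18T22:04:12 10.0.0.7 discord.com /assets/app.js
2020-10-18T22:09:55 10.0.0.7 discord.com /channels/@me
2020-10-18T22:15:02 10.0.0.7 discord.com /api/users/@me
2020-10-18T22:00:05 10.0.0.9 example.org /index.html
"""


def parse_log(text):
    """Group request timestamps by (client, host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _path = line.split(maxsplit=3)
        events[(client, host)].append(datetime.fromisoformat(ts))
    return events


def find_beacons(text, min_requests=5, max_jitter_ratio=0.1):
    """Return {(client, host): mean gap in seconds} for periodic talkers.

    A pair is flagged when it has at least `min_requests` requests and the
    standard deviation of the gaps is at most `max_jitter_ratio` of the mean
    gap, i.e. the timing is machine-regular rather than human-irregular.
    """
    beacons = {}
    for key, stamps in parse_log(text).items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_jitter_ratio:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (client, host), gap in find_beacons(SAMPLE_PROXY_LOG).items():
        print(f"possible beacon: {client} -> {host} every {gap:.1f}s")
```

Because Discord is legitimate traffic in most organisations, blocking the domain outright is rarely an option; the timing analysis above lets a defender single out the one host that is polling like a bot, and then pivot to the process making those requests.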

With ransomware being extremely lucrative, it would not be surprising to see this feature completed in the future.

Haldiram’s, renowned snack maker, hit by unknown attackers

Hackers have allegedly stolen crucial data of popular food and snack company Haldiram’s and have demanded Rs 7,50,000.

The unidentified accused hacked the server of the company, located in the industrial Sector 62 of Noida, in what is described as a possible ransomware attack.

The cyber attack took place on the intervening night of October 12 and 13 and the hackers may have stolen “entire or substantial data” of the company which runs several restaurants and outlets.

According to the complaint filed by a Haldiram’s official, an IT official of the company examined the firewall software on the company’s servers and found traffic originating from the servers towards certain IP addresses.

The company’s officials found that a programme was being executed on those servers and that the company’s data was being diverted out of them. Substantial data had been exfiltrated before the connection was cut off entirely.

The company said its official raised a complaint with its data security and cyber security firm, Trend Micro, and alleged that all files and sensitive data of the firm had been encrypted by the hacker, preventing its officials from accessing their files, data, applications and systems.

It said that the hackers, in a pre-planned criminal conspiracy, not only stole data from the servers and systems of the company but also contacted company officials through certain servers to illegally extort money in exchange for restoring access to the company’s own data and deleting the stolen data from their servers and systems.

The data includes, but is not limited to, financial, HR, and sales/purchase data.

FONIX ⛓️ RaaS

FONIX is a relatively new Ransomware as a Service (RaaS) developed by crypter authors. The number of victims associated with this threat actor is small so far.

The ransomware authors do not require the payment of a fee to become an affiliate of the service; the operators only keep a percentage of any ransoms from their affiliate network. It is believed likely to spread quickly over time.

Fonix RaaS

The communications with the RaaS operators are carried out via email.

“Based on current intelligence, we know that FONIX affiliates do not get provided with a decryptor utility or keys at first. Instead, victims first contact the affiliate (buyer) via email as described above. The affiliate then requests a few files from the victim. These include two small files for decryption: one is to provide proof to the victim, the other is the file “cpriv.key” from the infected host. The affiliate is then required to send those files to the FONIX authors, who decrypt the files, after which they can be sent to the victims.” continues the analysis.

“Presumably, once the victim is satisfied that decryption is possible, the affiliate provides a payment address (BTC wallet). The victim then pays the affiliate, with the affiliate in turn supplying the FONIX authors with their 25% cut.”

The ransomware uses a combination of AES, ChaCha, RSA, and Salsa20 to encrypt a victim’s files and appends a .XINOF extension. It targets only the Windows platform and excludes Windows operating-system files from encryption.

Upon executing the payload with administrative privileges, the following system changes are made:

  • Task Manager is disabled
  • Persistence is achieved via scheduled task, Startup folder inclusion, and the registry (Run AND RunOnce)
  • System file permissions are modified
  • Persistent copies of the payload have their attributes set to hidden
  • A hidden service is created for persistence (Windows 10)
  • Drive / Volume labels are changed (to “XINOF”)
  • Volume Shadow Copies are deleted (vssadmin, wmic)
  • System recovery options are manipulated/disabled (bcdedit)
  • Safeboot options are manipulated
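Several of the system changes listed above (shadow copy deletion, recovery and Safeboot tampering, Task Manager disabling, scheduled-task persistence, the XINOF volume label) are carried out through ordinary Windows command-line tools, so they show up in process-creation telemetry. The script below is an added example (not code from the original post or from the FONIX analysis) that matches such command lines against a small rule set and reports which behaviours fired. The sample events are constructed; the file paths and task name in them are made up, and the rule set is an assumption that a real deployment would extend.

```python
"""Match process-creation command lines against ransomware-precursor rules.

Added example, not from the original post. Input is assumed to be one
CommandLine value per line (as collected from Sysmon or Windows 4688 events);
the sample below is constructed and the rule set is a starting point only.
"""
import re

# Constructed sample events: the first seven mimic the FONIX changes listed
# above, the last two are benign (an editor, and listing rather than deleting).
SAMPLE_EVENTS = r"""
vssadmin.exe delete shadows /all /quiet
wmic.exe shadowcopy delete
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} safeboot minimal
reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
schtasks.exe /create /sc onlogon /tn Updater /tr C:\Users\Public\svc.exe
label.exe C: XINOF
notepad.exe C:\Users\alice\notes.txt
vssadmin.exe list shadows
"""

# (rule name, pattern). Each rule maps to one bullet of the FONIX behaviour list.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("safeboot_tampering",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
    ("task_manager_disabled",
     re.compile(r"\bDisableTaskMgr\b.*/d\s+1\b", re.I)),
    ("logon_scheduled_task",
     re.compile(r"\bschtasks(\.exe)?\s+/create\b.*/sc\s+onlogon", re.I)),
    ("volume_relabel_xinof",
     re.compile(r"\blabel(\.exe)?\b.*\bXINOF\b", re.I)),
]


def scan_events(text):
    """Return a list of (rule_name, command_line) for every matching line."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((name, line))
    return hits


def fired_rules(text):
    """Distinct rule names that fired, sorted. Several together in a short
    window on one host is a much stronger signal than any single match."""
    return sorted({name for name, _ in scan_events(text)})


if __name__ == "__main__":
    for name, cmd in scan_events(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
    print("rules fired:", ", ".join(fired_rules(SAMPLE_EVENTS)))
```

Shadow copy deletion and recovery tampering are the highest-value alerts here because they precede the encryption itself, which is the window in which isolating the host still saves data; they are also the reason offline or immutable backups matter, since anything reachable from the host is removed before the ransom note appears.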

It is an aggressive yet low-key affair. Ransomware remains a serious threat that must be countered with business continuity planning (BCP) measures and sound security hygiene.