Ransomware Roundup: 05.01.23

LockBit Ransomware Group Now Targets macOS

Researchers report the discovery of what may be the first iteration of macOS ransomware sample that is assessed to have emerged as early as November of 2022 and is undetected by antimalware engines on VirusTotal.  

“Apple security expert Patrick Wardle has conducted an analysis of the macOS version of LockBit and found that while it can run on Macs and it is capable of encrypting files, it currently doesn’t pose any real risk,” Security Week reported.

“While this may be the first time a large ransomware group created ransomware capable of running on macOS, it’s worth noting that this sample is far from ready for prime time. From its lack of a valid code-signing signature to its ignorance of TCC and other macOS file-system protections as it stands it poses no threat to macOS users,” Wardle explained.

Takeaway: While Windows is still the most common operating system, with about 60% of the market, MacOS has been gaining in popularity with about a 30% share, with Linux having about 3%. It has been assumed that MacOS is more secure because there are less malware-related threats in the wild, but the case is that attackers have focused on Windows because they have ROI to think about in their operations as well – it's a numbers game.

We have already seen some major ransomware operators like Conti, LockBit, RansomEXX, REvil and Hive developing Linux strains, as well as lesser known and emerging threat actors like Black Basta, IceFire, HelloKitty, BlackMatter and AvosLocker adding Linux capabilities, to name a few.

The development of macOS ransomware strains increases the addressable target range for threat actors and the level of disruption they can bring in a ransomware attack. Ransomware also creates liability and intellectual property loss issues for organizations as attackers focus on the exfiltration of sensitive data prior to delivering the ransomware payload:

• Ransomware Attacks are Stealthy: On average, a ransomware attack took 237 days to detect (about eight months) and 89 days to fully remediate (about three months) – this is when they are exfiltrating data for double extortion.

• Ransomware Remediation is Costly: The average ransomware attack response cost $4.54 million, more than the average cost of a data breach at $4.35 million – this represents an existential threat to organizations.
• Collective Business Impact is Huge: Ransom payments, damage to brand, increased premiums, legal fees, and lost revenue can far exceed remediation costs – this is why the focus needs to be on prevention and resilience.

Current solutions available in the market, while robust and effective for some threats, do not fully protect against ransomware attacks because they were built to detect malware variants in general, but were simply not designed to recognize ransomware.

Basic security hygiene is not enough though. Most attacks start at the endpoint, so endpoint security and resiliency are essential.

‍

Vice Society Ransomware Wields Custom PowerShell Tool for Data Exfiltration

The Vice Society ransomware gang has been observed using Living-off-the-Land (LotL) techniques by way of a custom PowerShell-based tool to automate data exfiltrating on targeted networks.

LotL techniques abuse legitimate network tools and binaries to further attack progression while masking the operation as normal network activity to remain undetected.

“The tool also makes use of exclusion criteria to filter out system files, backups, and folders pointing to web browsers as well as security solutions from Symantec, ESET, and Sophos.” The Hacker News reported.

“The discovery of the data exfiltration script illustrates the ongoing threat of double extortion in the ransomware landscape. It also serves as a reminder for organizations to prioritize robust security protections and stay vigilant against evolving threats.”

Vice Society is a RaaS threat group that first emerged in 2021 and has used a variety of ransomware strains including Hello Kitty/Five Hands and Zeppelin before developing a custom ransomware strain. Tactics include attempts to compromise data backup solutions and clearing security logs on compromised systems to evade detection.

Vice Society is a more recent arrival on the ransomware scene and has been scaling their operations significantly, including a disruptive attack on the second largest school district in the US.

Vice Society has advanced evasion capabilities and can disable security tools like Windows Defender and evade sandbox analysis. The group is known to exploit vulnerabilities in public-facing applications and websites, exploits like PrintNightmare, or through compromised RDP credentials. Vice Society is known to use DLL side-loading techniques and abuse tools like Cobalt Strike, Mimikatz, SystemBC and PowerShell.  

Takeaway: The focus around ransomware attacks has always been centered on the delivery of the payload and encryption of data and systems with the occasional data loss. But, since most ransomware attacks today first exfiltration – with some threat actors even like BianLian and Karakurt skipping the encryption stage altogether – we need to start looking at these operations as straight-up data exfiltration attacks with some ransomware thrown in at the end of the attack.

These are multi-staged attacks, where the threat actors are designed to infiltrate as much of the victim network as possible to exfiltrate sensitive data for extortion. In many cases, even if the victim pays a ransom, the attackers may demand an additional payment for the stolen data.  

‍Remember that delivery of the ransomware payload occurs at the end of the attack sequence, after sensitive data has already bee exfiltrated. Given how much effort goes into persistence, lateral movement, stealth, security evasion, and data exfiltration, we are simply not putting enough emphasis on these earlier stages in today’s ransomware attacks. There are days, weeks or potentially even months of detectable activity on the network prior to the final payload, and a lot of data is leaving the organization over the course of the attack.

‍The defense mindset here needs to shift to the left significantly where we are addressing ransomware attacks first as an effort to prevent the attackers from exfiltrating data. We should really look at these attacks as data exfiltration events with the additional threat that ransomware could be deployed, as opposed to focusing too much on the tail end of the attack when the ransomware is delivered, and the attack is already successful.

‍Resilience is key in developing a sound security posture, and organizations can limit the impact of a ransomware payload on operations with resilience planning, but once their data is compromised the attack becomes much more difficult to mitigate, as there is no guarantee the threat actors will honor any agreements even if they receive payment.‍

If the attackers have already exfiltrated the organization's most valuable data, then all those recovery efforts largely go out the window because the attack has already been successful.‍

‍

Play Ransomware Gang Automates with Custom Data-Exfiltration Tooling

Play, the ransomware gang who claimed attacks on the city of Oakland, has developed two new custom data exfiltration tools – the Grixba information stealer and a Volume Shadow Copy Service (VSS) Copying Tool - that improve efficiency in gathering sensitive information on a targeted network.

“The two tools enable attackers to enumerate users and computers in compromised networks, gather information about security, backup, and remote administration software, and easily copy files from Volume Shadow Copy Service (VSS) to bypass locked files.” Bleeping Computer reports.

“Grixba will check for anti-virus and security programs, EDR suites, backup tools, and remote administration tools. Also, the scanner checks for common office applications and DirectX, potentially to determine the type of computer being scanned... The second custom tool spotted by Symantec in Play ransomware attacks is VSS Copying Tool, which allows attackers to interact with the Volume Shadow Copy Service (VSS) via API calls.”

Takeaway: Custom automation tools like Grixba and the VSS Copying Tool make the task of identifying and exfiltrating sensitive data from victims prior to running the disruptive encryption payload all that much easier. Automation means more victims faster, which translates to more ransoms collected.

Attackers are also getting more efficient at exploitation of known vulnerabilities, and this trend is likely to continue as threat actors automate aspects of their attack sequences. We see evidence of this in the hundreds of organizations that have been hit by the Cl0p ransomware gang in just the last few weeks as they automated exploitation of a known vulnerability in the GoAnywhere software.  

We are also starting to see attacks exploiting a vulnerability in IBM Aspera Faspex, which could allow for a similar surge in victim organizations. ‍And just last week, researchers published analysis of a new semi-autonomous ransomware strain dubbed Rorschach that was noted for having some unique features like extremely fast encryption speeds, advanced security evasion, and some stealthy DLL side-loading.

Again, this week, the Vice Society ransomware gang was observed using Living-off-the-Land (LotL) techniques by way of a custom-made PowerShell-based tool to automate data exfiltration on targeted networks.

The focus around ransomware attacks has always been centered on the delivery of the payload and encryption of data and systems with the occasional data loss. But, since most ransomware attacks today first exfiltrate date, we need to start looking at these operations as straight-up data exfiltration attacks with some ransomware thrown in at the end of the attack.

These are multi-staged attacks, where the threat actors are designed to infiltrate as much of the victim network as possible to exfiltrate sensitive data for extortion. This is where tools like Grixba and the VSS Copying Tool are being leveraged long before the ransomware payload is delivered.  

Given how much effort goes into persistence, lateral movement, stealth, security evasion, and data exfiltration, we are simply not putting enough emphasis on these earlier stages in today’s ransomware attacks. If the attackers have already exfiltrated the organization's most valuable data, then all those recovery efforts are limited because the attack has already been successful.

‍Resilience is key in developing a sound security posture, and organizations can limit the impact of a ransomware payload on operations with resilience planning, but once their data is compromised the attack becomes much more difficult to mitigate, as there is no guarantee the threat actors will honor any agreements even if they receive payment.‍

As attackers continue to automate efficiencies in the attack progression to exploit known vulnerabilities for initial access, improve stealthy payload delivery and evasion techniques, and exponentially improve encryption speeds, we may be in for a busy period for ransomware attacks as we move closer to summer.

‍

March Ransomware Operation Smash Records with Nearly 500 Attacks

March will go down in the books as the most prolific period so far for the volume of ransomware attacks observed, with research indicating there were 459 successful attacks, up 91% from February volume and up 62% year-over-year.

“Clop's CVE-2023-0669 exploitation spree displaced LockBit 3.0, which had 97 recorded attacks, to second place for the second time since September 2021,” Bleeping Computer reports.

“Other ransomware groups that had relatively significant activity during March 2023 are Royal ransomware, BlackCat (ALPHV), Bianlian, Play, Blackbasta, Stormous, Medusa, and Ransomhouse.”

The record number of attacks comes as other research finds that ransomware attacks can cost organizations as much as 30 percent of their operating income, and smaller businesses can be impacted even more.

“While losses to cyberattacks impact the current fiscal year, they can also linger and impact current and future years as costs. These include legal fees, settlements, and brand damage the effects of which can take time to materialize,” Beta News reports.”

“Organizations are finally waking up to the fact that the impact of ransomware and other cyber attacks is more than just a moment in time. The financial implications are far-reaching and create barriers for companies to continue operations after these attacks.”

Takeaway: While some research has indicated that there was a bit of a lull in ransomware attack volumes in 2022 following the start of the Ukraine conflict, 2023 attack volume thus far shows that ransomware attacks are not abating. Ransomware is still the number one threat to organizations, and the financial impact can be devastating.

One of the reasons for the spike is that threat actors are taking advantage of unpatched vulnerabilities and automating more aspects of their attacks. Hundreds of organizations have been hit by the Cl0p ransomware gang as they exploit a known vulnerability in the GoAnywhere software.  

We are also seeing attacks exploiting a vulnerability in IBM Aspera Faspex, which could allow for a similar spike in attacks. ‍Last week, researchers published analysis of a new semi-autonomous ransomware strain dubbed Rorschach that was noted for having some unique features like fast encryption speed, stealthy DLL side-loading, and advanced security evasion.

This week, the Vice Society ransomware gang was observed using Living-off-the-Land (LotL) techniques with a custom PowerShell-based tool that automates data exfiltration on targeted networks, and the Play ransomware gang developed two new custom data exfiltration tools.

Automation means ransomware operators hit more victims faster, which translates to more ransoms collected and more fiscal pain for the victim organizations.

Case in point, this week Dorel Industries confirmed that it was the victim of a “security incident” (assessed to be a ransomware attack) that the company anticipates will result in Q1-2023 revenue losses estimated at $12-15 million, according to a statement.

Being ready to respond to a ransomware attack is just part of the equation. Resilience must be built into that response protocol so organizations can limit the impact of a ransomware payload on operations.

But the focus cannot be on post-payload response only. There needs to be more focus on the data exfiltration aspect of these attacks, as once sensitive data goes out the door, the attack becomes much more difficult to mitigate. Even if the ransomware payload is identified, isolated, and remediated, the victim organization is still faced with extortion attempts and the risk that the data could be further exposed.

A solid resilience strategy that includes data exfiltration defenses will ease the potential financial losses victim organizations face and eliminate the need to pay a ransom demand to unlock systems or cooperate with the attackers to secure stolen data.

‍

Ransomware Operators Leverage AuKill Tool to Disable Security Solutions

A new attack tool called AuKill is being leveraged by threat actors that abuses MS Process Explorer driver to disable EDR (Endpoint Detection and Response) solutions to deploy stealthy backdoors and deliver ransomware payloads.

These “Bring Your Own Vulnerable Driver” (BYOVD) attacks drop drivers with kernel privileges that are signed with a valid digital certificate, making this technique difficult to detect.

AuKill bears resemblance to a similar open-source tool called Backstab used by the LockBit gang that also abuses the MS Process Explorer driver to bypass security solutions.

"The tool was used during at least three ransomware incidents since the beginning of 2023 to sabotage the target's protection and deploy the ransomware," Bleeping Computer reports.

"In January and February, attackers deployed Medusa Locker ransomware after using the tool; in February, an attacker used AuKill just prior to deploying Lockbit ransomware."

Takeaway: Tools like AuKill and Backstab aren’t the only ways to bypass endpoint protections. Unfortunately, bypassing security controls and endpoint protection solutions like EDR is fairly easy and has been going on for a long time.  

There are numerous examples of hard-coded AV/NGAV/EDR/XDR bypasses that lets an attack slip by without an alert being triggered. Attackers have also been observed using universal unhooking techniques to bypass security tools. Universal unhooking basically blinds endpoint protection tools to the malicious activity, rendering them ineffective for detecting the attack.

Code hooking is a technique used by legitimate software, including endpoint protection tools, to gain needed visibility into activity on the network. Universal unhooking techniques hijack execution flow and allow attackers to deploy a rootkit, for example, then obfuscate subsequent processes and network connections.

Organizations require both a robust prevention and an agile resilience strategy to defend against today’s more complex ransomware attacks. This includes endpoint protection solutions despite the fact that they can be bypassed or unhooked in certain instances.  

It also includes good patch management, offsite data backups, identity and access controls, employee awareness training, and organizational procedure and resilience testing for ransomware readiness plans to be successful.

‍

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.