Ransomware Roundup: 05.07.22

REvil, the miscreants behind the 2021 JBS (a meat processing company) and Kaseya attacks, seem to be back in action despite Russian authorities arresting 14 of its members. DarkReading reports that “... anti-malware firm Avast revealed that the company's software had blocked a ransomware sample that appeared to be generated using information that only previous members of the REvil group could have accessed.” Moreover, researchers found that the group’s Onion sites sprung back to life, albeit directed to a new ransomware operation.  

The ability to disable antivirus/EPP solutions is an old trick for malware and ransomware. However, researchers at Tend Micro discovered AvosLocker samples that leverage a legitimate driver file to disable some antivirus solutions.  

“... this is the first sample we observed from the US with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file (asWarPot.sys),” wrote Christoper Ordonez and Alvin Nieto, the researchers who authored the report. They also suggested that the AvosLocker creators used the driver because it was readily available and “its capability to execute in kernel mode (therefore operating at a high privilege).”

The FBI has issued a warning about the BlackCat Ransomware family that “compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using RUST, considered to be a more secure programming language that offers improved performance and reliable concurrent processing.”

BlackCat is noteworthy as a RaaS offering because they have been operating for a relatively short period of time (since November 2021, according to Unit 42) and they leverage an “aggressive approach to naming and shaming victims, listing more than a dozen on their leak site in a little over a month,” presumably to coerce victims into paying the ransom.  

Finally, we can score one for the defenders as hyp3rlinx, a malware vulnerability researcher, discovered an exploit that blocks some ransomware strains from performing encryption functions. In their MasVuln post, hyp3rlinx explains that " Conti looks for and executes DLLs in its current directory. Therefore, we can potentially hijack a vuln DLL (to) execute our own code, control and terminate the malware pre-encryption.”  

According to them, the advantage to this approach is that “(e)ndpoint protection systems and or (sic) antivirus can potentially be killed prior to executing malware, but this method cannot as theres (sic) nothing to kill the DLL just lives on disk waiting.”

This, of course, assumes that you will know where the ransomware file will land, but hyp3rlinx further explains, “you can add the DLLs to a specific network share containing important data as a layered approach.”

‍