Ransomware Roundup: 06.17.22

This week’s round up…

‍

• Italian City of Palermo most likely the target of a ransomware attack
• HelloXD says Hello World
• BlackCat marches on
• Maybe don’t advertise your ransomware on Instagram?
• Burn out in the uphill climb against ransomware
• Confluence under attack
  ‍

Italian City of Palermo most likely the target of a ransomware attack

‍

Last week, Bill Toulas at Bleeping Computer reported on a disruption in services of Palermo, a city in Italy. Residents (of which Palermo is home to 1.3 million) were – and reportedly still are - unable to access digital services, but questions remained at the time of publication if the outage was a result of a DDoS or a ransomware attack.  

‍

“Italy recently received threats from the Killnet group, a pro-Russian hacktivist who attacks countries that support Ukraine with resource-depleting cyberattacks known as DDoS (distributed denial of service),” Toulas wrote in the article. “While some were quick to point the finger at Killnet, the cyberattack on Palermo bears the signs of a ransomware attack rather than a DDoS.”

‍

This week, Alicia Hope at CPO Magazine reported that Vice Society – a known ransomware operator – claimed responsibility.

‍

“The Italian website Cybersecurity360.it reported that hackers accessed sensitive documents such as birth, marriage, family, and residence status certificates. Camassa said SISPI had taken the necessary measures to mitigate data violations,” Hope reported.

‍

HelloXD says Hello World

‍

Palo Alto’s Unit 42 researchers released a report on the HelloXD strain of ransomware, which is noteworthy because the operator has not resorted to double extortion techniques and the payload seems to have “very similar core functionality to the leaked Babuk/Babyk source code.”

‍

“HelloXD is a ransomware family performing double extortion attacks that surfaced in November 2021. During our research we observed multiple variants impacting Windows and Linux systems,” the researchers wrote in the report. “Unlike other ransomware groups, this ransomware family doesn’t have an active leak site; instead it prefers to direct the impacted victim to negotiations through TOX chat and onion-based messenger instances.”

‍

BlackCat marches on

‍

The BlackCat ransomware came to widespread awareness in November of 2021 as one of the first strains to leverage the Rust programming language. Rust is known to be fast and cross-platform – meaning that the malware can be run on Microsoft Windows, Apple MacOS or Linux – which provides obvious advantages to malicious actors.

‍

The Microsoft 365 Defender Threat Intelligence Team released a report that digs into further details surrounding this threat, including increased adoption as the team “observed two of the most prolific affiliate groups associated with ransomware deployments have switched to deploying BlackCat.”

‍

It is worth noting that the ransomware strain is a product of a Ransomware as a Service (RaaS) group, which means that the developers of the malware usually are not responsible for performing the breaches. As a result, attackers can switch their payloads of choice much as a legitimate company would change software vendors.

‍

“Microsoft tracks one of these affiliate groups as DEV-0237. Also known as FIN12, DEV-0237 is notable for its distribution of Hive, Conti, and Ryuk ransomware. We’ve observed that this group added BlackCat to their list of distributed payloads beginning March 2022. Their switch to BlackCat from their last used payload (Hive) is suspected to be due to the public discourse around the latter’s decryption methodologies,” the researchers wrote.

‍

In further example to the increased proliferation of the ransomware strain, Damien Black at Cyber News reported that the University of Pisa fell victim to the BlackCat and was “issued a ransom note for Saturday’s attack, giving the university administration until June 16 to pay $4.5 million.”

‍

Ransomware gang reveals tool for victims to search for their own data

‍

Brian Krebs reported on a tool developed by the BlackCat RaaS group that allows victims to search for their stolen data, which would be laudable if not for the theft and extortion bits.

‍

“The latest innovation in ratcheting up the heat comes from the ALPHV/BlackCat ransomware group, which has traditionally published any stolen victim data on the Dark Web. Today, however, the group began publishing individual victim websites on the public Internet, with the leaked data made available in an easily searchable form,” Krebbs reported.

‍

Maybe don’t advertise your ransomware on Twitter?

Lorenzo Franceschi-Bicchierai at Vice reported on a facepalm inducing moment of either hubris or idiocy this week when a ransomware operator touted their wares on social media site Instagram. The malware research group vx-underground revealed the advertisement and warned against such … hubris (editor’s note: the editorial staff at Halcyon struggled to find the appropriate term here).

‍

“The hacker’s Instagram account has more than 20,000 followers. As of this writing, the ad is gone from the account’s Stories, which instead include a shot of — presumably — the hacker driving a BMW and holding what appears to be a joint in his hand, which does not look like it’s lit,” Franceschi-Bicchierai reported.

‍

The ransomware author has since deleted their Instagram account.

‍

Burn out in the uphill climb against ransomware

We can add additional human costs to the struggle against ransomware as Owen Hughes of ZDNet reports the stress that cybersecurity professionals are under is taking its toll. “More than 90% of cybersecurity professionals are stressed in their roles, with a ‘significant proportion’ of professionals conceding that this is negatively impacting their ability to do their jobs,” Hughes quoted a report from cyber security firm Deep Instinct.

The report cites multiple causes for the increased strain, including the increased velocity of ransomware attacks and changes in the network perimeter elicited by the move to remote work. “Cyber criminals have benefitted from the move to remote working, with ransomware incidents having increased significantly during the past two years,” Owens again quoted the report. These findings are especially worrying given organizations’ struggle to fill cybersecurity positions.

‍

Confluence under attack

‍

A vulnerability in the server-hosted version of Atlassian’s very popular documentation solution, Confluence, is under active attack reports Jaikumar Vijayan at Dark Reading.

‍

“Researchers from Sophos have observed several attacks over the past two weeks in which attackers used automated exploits against vulnerable Confluence instances running on Windows and Linux servers. In at least two of the Windows-related incidents, adversaries exploited the Atlassian vulnerability to drop Cerber ransomware on the victim networks, the security vendor said in a report Thursday,” Vijayan wrote in the article.

‍

It's important to note that the cloud-hosted version of Confluence is not mentioned in this report, but the vulnerability possibly gives attackers access to very sensitive data.

‍

Thanks to the reporters and researchers

‍

Shout out to the following people for their original reporting and research referenced in this week’s Ransomware Roundup.

Bill Toulas at Bleeping Computer  for their reporting on Italian city of Palermo shuts down all systems to fend off cyberattack.

• LinkedIn
• Twitter

Alicia Hope at CPO Magazine  for their reporting on Ransomware Attack Disrupted Municipal Services in the Italian City of Palermo.  

• CPO Magazine Bio

Daniel Bunce at Unit 42  for their reporting on Exposing HelloXD Ransomware and x4k.

• LinkedIn

Doel Santos at Unit 42  for their reporting on Exposing HelloXD Ransomware and x4k.

• LinkedIn

Microsoft 365 Defender Threat Intelligence Team at Microsoft  for their reporting on The many lives of BlackCat ransomware - Microsoft Security Blog.

• LinkedIn
• Twitter

Damien Black at Cybernews  for their reporting on University of Pisa held to ransom for 4.5m euros.

• LinkedIn

Brian Krebs at Krebs on Security  for their reporting on Ransomware Group Debuts Searchable Victim Data.

• LinkedIn
• Twitter

Lorenzo Franceschi-Bicchierai at Vice  for their reporting on Hacker Advertises ‘Crappy’ Ransomware on Instagram.

• LinkedIn
• Twitter

Owen Hughes at ZDNet  for their reporting on The unrelenting threat of ransomware is pushing cybersecurity workers to quit.  

• LinkedIn
• Twitter

R. Scott Raynovich at Forbes  for their reporting on At the RSA Conference, Jobs Still Key to The Cybersecurity Crisis.  

• LinkedIn
• Twitter

Jaikumar Vijayan at Dark Reading  for their reporting on Atlassian Confluence Server Bug Under Active Attack to Distribute Ransomware.  

• LinkedIn
• Twitter

‍