Ransomware Roundup: 07.08.22

Written by Halcyon Team
Published on Jul 8, 2022

This week’s roundup …

  • AstraLocker calls it quits … on ransomware, not cybercrime
  • Fed warns of Maui ransomware – plot twist: it’s North Korean, not Hawaiian
  • Attackers are adopting Brute (Ratel) force tactics
  • Hive gets Rusty

AstraLocker calls it quits … on ransomware, not cybercrime

The AstraLocker developer told BleepingComputer that they are “done with ransomware for now. I'm going in cryptojaking lol." This comes on the heels of a recent campaign in which they were infecting computers directly from malicious Microsoft Word attachments.

There have been recent reports that the effect of inflation on cryptocurrency markets is tarnishing the shine of ransomware for cybercriminals, which may have provided some motivation for the change.

“The widespread fall has forced cybercriminals to recalculate their ransoms, security professionals say, and has pushed out of business some of the services that handle their ill-gotten gains, such as dark web crypto-swapping marketplaces. It's also accelerating a preexisting shift toward crimes such as malware attacks and corporate phishing scams that target actual dollars, rather than crypto,” Bree Fowler at CNet reported.

This shines a dubious light on the AstraLocker developer’s claims of getting into cryptojacking, but good judgment amongst criminals is generally in short supply.

The updated version of AstraLocker is looking for a quick payout

Lindsey O’Donnell-Welch at Decipher by Duo reported on an updated version of AstraLocker that can be delivered directly from infected Microsoft Office files. According to the article, the intent is “an unusually quick delivery method leading researchers to believe that the threat actor behind the ransomware is solely interested in making a big impact and receiving a quick payout.”

“Typically, affiliate threat actors avoid pushing ransomware early, opting instead to push files that allow them to expand their reach within the target environment,” O'Donnell-Welch quoted Joseph Edwards, a researcher with ReversingLabs. “Ransomware almost invariably is deployed last, after compromising the victim's Domain Controller(s), which enables the cybercriminals to use the domain controller (for example: Active Directory) to deploy a group policy object and encrypt all hosts in the affected domains.”

Fed warns of Maui ransomware – plot twist: it is North Korean, not Hawaiian

Several federal agencies in the United States released a cybersecurity advisory on the Maui ransomware, which targets healthcare organizations and is alleged to be sponsored by the government of North Korea. The nation is under heavy sanctions, which makes generating revenue difficult for the totalitarian regime.

“The warning is the starkest alert to date that North Korea, which the U.S. has long alleged uses its hackers to raise money for state programs like its nuclear weapons development, has turned to locking up essential American services as a new way to generate money for the state,” Kevin Collier at NBC News reports.

The joint alert posted by the U.S. Cybersecurity & Infrastructure Security Agency, the Federal Bureau of Investigation and the Department of the Treasury urges victims to refrain from paying the ransom “as doing so does not guarantee files and records will be recovered and may pose sanctions risks.”

Attackers are adopting Brute (Ratel) force tactics

Lawrence Abrams at Bleeping Computer reports on malicious actors switching from Cobalt Strike – a long-time favorite – to Brute Ratel as the post-exploitation kit of choice. Abrams quotes research conducted by Palo Alto Networks’ Unit 42, which finds that these tools are potentially disastrous in the hands of ransomware groups.

“Instead, this tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. Its effectiveness at doing so can clearly be witnessed by the aforementioned lack of detection across vendors on VirusTotal,” the researchers wrote in the report.

Hive gets Rusty

A report by the Microsoft Threat Intelligence Center (MSTIC) found that the Ransomware-as-a-Service (RaaS) group Hive is taking a page from BlackCat’s playbook and has migrated its malicious payload to the Rust programming language. The Hive ransomware was previously written in Go, and according to Microsoft, Rust provides benefits in that it has access to lower-level resources and it is more difficult to analyze or reverse engineer.

“The upgrades in the latest variant are effectively an overhaul: the most notable changes include a full code migration to another programming language and the use of a more complex encryption method. The impact of these updates is far-reaching, considering that Hive is a RaaS payload that Microsoft has observed in attacks against organizations in the healthcare and software industries by large ransomware affiliates like DEV-0237,” MSTIC wrote in the report.

Thanks to the reporters and researchers

Shout out to the following people for their original reporting and research referenced in this week’s Ransomware Roundup.

Sergiu Gatlan at Bleeping Computer for their reporting on AstraLocker ransomware shuts down and releases decryptors.

Bree Fowler at CNet for their reporting on Crypto Crash Rattles Cybercriminals, Pushing Them Beyond Ransomware.

Kevin Collier at NBC News for their reporting on North Korea is targeting hospitals with ransomware, U.S. agencies warn.

Lawrence Abrams at Bleeping Computer for their reporting on Ransomware, hacking groups move from Cobalt Strike to Brute Ratel.

Mike Harbison at Unit 42 for their research on Brute Ratel C4 Red Teaming Tool Being Abused by Malicious Actors.

Peter Renals at Unit 42 for their research on Brute Ratel C4 Red Teaming Tool Being Abused by Malicious Actors.

Microsoft Threat Intelligence Center at Microsoft Threat Intelligence for their research on Hive ransomware gets upgrades in Rust.
