Ransomware Roundup: 07.08.22

This week’s roundup …

  • AstraLocker calls it quits … on ransomware, not cybercrime
  • Fed warns of Maui ransomware – plot twist: it’s North Korean, not Hawaiian
  • Attackers are adopting Brute (Ratel) force tactics
  • Hive gets Rusty

AstraLocker calls it quits … on ransomware, not cybercrime

The AstraLocker developer told BleepingComputer that they are “done with ransomware for now. I'm going in cryptojaking lol." This comes on the heels of a recent campaign in which they were infecting computers directly from malicious Microsoft Word attachments.

There have been recent reports that the effect of inflation on cryptocurrency markets is tarnishing the shine of ransomware for cybercriminals, which may have provided some motivation for the change.

“The widespread fall has forced cybercriminals to recalculate their ransoms, security professionals say, and has pushed out of business some of the services that handle their ill-gotten gains, such as dark web crypto-swapping marketplaces. It's also accelerating a preexisting shift toward crimes such as malware attacks and corporate phishing scams that target actual dollars, rather than crypto,” Bree Fowler at CNet reported.

This shines a dubious light on the AstraLocker developer’s claims of getting into cryptojacking, but good judgment amongst criminals is generally in short supply.

The updated version of AstraLocker is looking for a quick payout

Lindsey O’Donnell-Welch at Decipher by Duo reported on an updated version of AstraLocker that can be delivered directly from infected Microsoft Office files. According to the article, the intent is “an unusually quick delivery method leading researchers to believe that the threat actor behind the ransomware is solely interested in making a big impact and receiving a quick payout.”

“Typically, affiliate threat actors avoid pushing ransomware early, opting instead to push files that allow them to expand their reach within the target environment,” O'Donnell-Welch quoted Joseph Edwards, a researcher with ReversingLabs. “Ransomware almost invariably is deployed last, after compromising the victim's Domain Controller(s), which enables the cybercriminals to use the domain controller (for example: Active Directory) to deploy a group policy object and encrypt all hosts in the affected domains.”

Fed warns of Maui ransomware – plot twist: it is North Korean, not Hawaiian

Several federal agencies in the United States released a cybersecurity advisory about the Maui ransomware, which targets healthcare organizations and is alleged to be sponsored by the government of North Korea. The nation is under heavy sanctions, which makes generating revenue difficult for the totalitarian regime.

“The warning is the starkest alert to date that North Korea, which the U.S. has long alleged uses its hackers to raise money for state programs like its nuclear weapons development, has turned to locking up essential American services as a new way to generate money for the state,” Kevin Collier at NBC News reports.

The joint alert posted by the U.S. Cybersecurity & Infrastructure Security Agency, the Federal Bureau of Investigation and the Department of the Treasury urges victims to refrain from paying the ransom “as doing so does not guarantee files and records will be recovered and may pose sanctions risks.”

Attackers are adopting Brute (Ratel) force tactics

Lawrence Abrams at Bleeping Computer reports on malicious actors switching from Cobalt Strike – a long-time favorite – to Brute Ratel as the post-exploitation kit of choice. Abrams quotes research conducted by Palo Alto Networks’ Unit 42, which finds that these tools are potentially disastrous in the hands of ransomware groups.

“Instead, this tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. Its effectiveness at doing so can clearly be witnessed by the aforementioned lack of detection across vendors on VirusTotal,” the researchers wrote in the report.

Hive gets Rusty

A report by the Microsoft Threat Intelligence Center found that the Ransomware-as-a-Service (RaaS) group Hive is taking a page from BlackCat’s playbook and has migrated its malicious payload to the Rust programming language. The Hive ransomware was previously written in Go, and according to Microsoft, Rust offers the developers access to lower-level resources while making the payload comparatively harder to analyze or reverse engineer.

“The upgrades in the latest variant are effectively an overhaul: the most notable changes include a full code migration to another programming language and the use of a more complex encryption method. The impact of these updates is far-reaching, considering that Hive is a RaaS payload that Microsoft has observed in attacks against organizations in the healthcare and software industries by large ransomware affiliates like DEV-0237,” MSTIC wrote in the report.

Thanks to the reporters and researchers

Shout out to the following people for their original reporting and research referenced in this week’s Ransomware Roundup.

Sergiu Gatlan at Bleeping Computer for their reporting on AstraLocker ransomware shuts down and releases decryptors.

Bree Fowler at CNet for their reporting on Crypto Crash Rattles Cybercriminals, Pushing Them Beyond Ransomware.

Kevin Collier at NBC News for their reporting on North Korea is targeting hospitals with ransomware, U.S. agencies warn.

Lawrence Abrams at Bleeping Computer for their reporting on Ransomware, hacking groups move from Cobalt Strike to Brute Ratel.

Mike Harbison at Unit 42 for their research on Brute Ratel C4 Red Teaming Tool Being Abused by Malicious Actors.

Peter Renals at Unit 42 for their research on Brute Ratel C4 Red Teaming Tool Being Abused by Malicious Actors.

Microsoft Threat Intelligence Center at Microsoft Threat Intelligence for their research on Hive ransomware gets upgrades in Rust.

The Halcyon Platform

Halcyon is the industry’s first dedicated, adaptive security platform focused specifically on stopping ransomware attacks. Halcyon is built by offensive security experts to stop attackers. Our platform is a lightweight agent that combines multiple proprietary advanced prevention engines along with AI models trained solely on ransomware.
