Advisory February 7, 2024

Prominent Ransomware in 2024

The Obrela Threat Intelligence Team

In recent years, the proliferation of ransomware attacks has surged, posing significant threats to individuals, businesses, and even entire industries. Ransomware, a form of malicious software designed to block access to computer systems or data until a ransom is paid, has evolved into a lucrative criminal enterprise, exploiting vulnerabilities in cybersecurity defenses worldwide. This alarming trend has garnered widespread attention prompting urgent calls for enhanced security measures, robust defenses, and international cooperation to combat this growing menace. It is only the beginning of 2024 but there has already been a number of ransomware attacks. Judging by the situation in 2023, 2024 is not going to be an exception, with many ransomware groups remaining active and some others increasing their activity.

Description

According to various sources that have studied ransomware activity over 2023 and the first month of 2024, it has been observed that Akira, Rhysida, 8Base and Malaslocker will be more active in 2024.

Below the most important details about each group can be found:

Akira

Akira, a novel ransomware variant, emerged onto the scene in March 2023, swiftly garnering attention for its distinctive characteristics and strategies. It is believed to have ties to the now-defunct Conti ransomware gang, as they share code elements such as string obfuscation and file encryption methods. Akira predominantly targets businesses operating in the United States and Canada across sectors like finance, real estate, and manufacturing. Employing double extortion tactics, Akira exfiltrates sensitive data from victims prior to encrypting their systems and files, thereby demanding payment for either scenario. Furthermore, it utilizes Ransomware-as-a-Service (RaaS), widening its accessibility to many threat actors. Encrypted files end with the .akira extension in their names.

Rhysida

Rhysida, a ransomware variant relatively new to the scene, has been active since May 2023. Initially targeting industries such as education, government, manufacturing, and technology, it has since shifted its focus to include healthcare and public health organizations. Operating on a global scale, Rhysida’s reach extends particularly to regions such as Indonesia, Germany, and the United States. The ransomware typically gains entry into the victims’ systems through phishing. Once inside, it employs Cobalt Strike for lateral movement within the network. Threat actors utilize PsExec to execute PowerShell scripts, known as g.ps1 script, terminates antivirus processes, deletes shadow copies, modifies remote desktop protocol (RDP) configurations, and alters active directory (AD) passwords. Rhysida then proceeds to encrypt files on the victim’s system, demanding a ransom for decryption. This ransomware variant is identified as Ransom.PS1.RHYSIDA.SM.

8Base

8Base, has been operating since April 2022. Despite its recent rapid appearance and evolution, the group has swiftly garnered attention for its aggressive tactics and the substantial volume of victims. It targets small and medium-sized enterprises (SMBs). Examination of ransomware samples suggests the utilization of a customized version of Phobos in conjunction with SmokeLoader.

Malaslocker

MalasLocker is a newly identified ransomware group that emerged in March 2023. Instead of demanding a direct monetary ransom, they ask for a donation to a charity organization. The group primarily targets large organizations, including corporations, government agencies, and educational institutions. They exploit vulnerabilities in systems and networks to gain unauthorized access. Once inside a victim’s network, MalasLocker encrypts files and demands a donation. They also use double extortion.

Except from the above, there are also some ransomware groups that were quite prolific during 2023 and do not show signs of stopping their attacks, which means it is important to keep an eye on them.

BlackCat/ALPHV

BlackCat ransomware, also identified as ALPHV, surfaced in November 2021, distinguishing itself through unique attributes and connections to prominent threat actor groups. Notably, BlackCat represents one of the first ransomware families that use the Rust programming language. This choice of programming language aims to circumvent detection by security solutions, which may encounter challenges in analyzing binaries coded in Rust. BlackCat exhibits versatility in its targeting, impacting a range of devices and operating systems, including Windows, Linux, and VMWare instances. Various entry points serve as vectors for infiltration. These include but are not limited to remote desktop applications, compromised credentials, and exploits of vulnerabilities within Exchange servers. The group leverages Ransomware-as-a-Service (RaaS) and employs double extortion tactics. BlackCat encrypts data using AES and ChaCha20 encryption algorithms, while DEV-0237 and DEV-0504 seem to have also adopted BlackCat.

LockBit

LockBit, operating as Ransomware-as-a-Service (RaaS), debuted in June 2021 as an evolution of its precursor, ABCD Ransomware, which initially surfaced in September 2019. Since its emergence, LockBit RaaS has enticed affiliates through recruitment campaigns conducted in underground forums, leading to a surge in its activity during the third quarter of 2021. Purportedly, the operators of LockBit claim that their encryption software holds the distinction of being the fastest among all active ransomware as of June 2021.

Cl0p

Cl0p ransomware targets a range of retail industries and organizations, demanding substantial ransoms in exchange for compromised data. It continues to evolve through ongoing and emerging campaigns. The group is linked with the Russian threat group TA505, and is known for its Ransomware-as-a-Service (RaaS) model. Cl0p operations have been observed deploying various zero-day exploits, including the recent Moveit Transfer exploitation. The ransomware strain employed in Cl0p attacks, Cryptomix, has been in circulation since 2019.

Play

Play Ransomware, also identified as PlayCrypt, emerged as a notorious threat entity in June 2022. Its operations have targeted a broad spectrum of organizations spanning North America, South America, and Europe, with a primary focus on critical infrastructure, in sectors such as manufacturing, healthcare, and retail. Employing the tactic of double extortion, Play Ransomware not only encrypts but also exfiltrates sensitive data. The ransom note left by Play is notably simplistic, featuring solely the word “PLAY” alongside an email address for victim communication, typically located at the root of the hard drive (often C:). Play capitalizes on known vulnerabilities for initial network entry, exploiting flaws such as ProxyNotShell and OWASSRF within Microsoft Exchange Server. These entry points enable network infiltration and the deployment of remote administration tools like AnyDesk before the ransomware payload is executed. Notably, Play has similarities with Hive and Nokoyawa.

Recommendations

Preventing ransomware incidents necessitates a blend of proactive actions and constant awareness. Below are essential guidelines to mitigate the risk of ransomware infiltration:

  1. Update Software: Ensure regular updates for your operating system, software applications, and antivirus tools. These updates often contain crucial security patches to address vulnerabilities exploited by ransomware.
  2. Strengthen Passwords and Implement Multi-Factor Authentication (MFA): Enforce the use of strong, distinct passwords across all accounts and activate MFA wherever feasible to enhance security layers.
  3. Security Awareness Training: Provide comprehensive training to employees on recognizing phishing emails, suspicious links, and attachments. Encourage them to validate unexpected emails or requests before taking any action.
  4. Regularly Back Up Data: Establish a consistent backup regimen for critical data. Store backups securely and offline to prevent compromise during ransomware attacks.
  5. Restrict User Permissions: Limit user access permissions to essential functions, reducing the risk of unauthorized entry to sensitive systems and data.
  6. Implement Network Segmentation: Divide your network to isolate critical systems and sensitive data, limiting the potential spread of ransomware during an intrusion.
  7. Utilize Security Solutions: Employ robust cybersecurity solutions such as firewalls, intrusion detection systems, and endpoint protection platforms to detect and thwart ransomware threats.
  8. Monitor Network Activities: Stay vigilant by monitoring network traffic and system logs for indications of suspicious behavior. Early detection is key to mitigating the impact of ransomware incidents.
  9. Stay Updated: Stay ahead of the latest ransomware threats and techniques. Subscribe to security alerts and stay informed via cybersecurity news channels to anticipate emerging risks. Obrela provides advisories regarding emerging attacks and vulnerabilities regularly.
  10. Develop a Response Plan: Create and regularly assess a comprehensive incident response strategy to effectively manage ransomware incidents. This plan should encompass containment measures, data restoration procedures, and communication protocols with stakeholders.
  11. Managed detection and response (MDR): It is a proactive and dynamic cybersecurity approach that combines technology and human expertise to perform threat hunting, monitoring, and response 24/7, offering visibility, readiness and resilience. The main benefit of MDR is that it helps rapidly identify and limit the impact of threats without the need for additional staffing. MDR not only prevents cyber threats but also actively searches for them, responds to them, and aims at minimizing the damage. It essentially offers continuous monitoring and real-time response capabilities.

By adhering to these preventive measures and remaining vigilant, organizations can significantly reduce their susceptibility to ransomware attacks.

 

References

cyber shield, security