All posts by Rapid7 Labs

When Your Calendar Becomes the Compromise

Post Syndicated from Rapid7 Labs original https://www.rapid7.com/blog/post/ve-when-your-calendar-becomes-the-compromise-phishing

A new meeting on your calendar or a new attack vector?

It starts innocently enough. A new meeting appears in your Google Calendar and the subject seems ordinary, perhaps even urgent: “Security Update Briefing,” “Your Account Verification Meeting,” or “Important Notice Regarding Benefits.” You assume you missed the invitation in your overloaded email inbox, and click “Yes” to accept.

Unfortunately, calendar invites have become an overlooked delivery mechanism for social engineering and phishing campaigns. Attackers are increasingly abusing the .ics file format, a universally trusted, text-based standard, to embed malicious links, redirect victims to fake meeting pages, or seed events directly into users’ calendars without any user interaction.

Because calendar files often bypass traditional email and attachment defenses, they offer a low-friction attack path into corporate environments.

Defenders should treat .ics files as active content, tighten client defaults, and raise awareness that even legitimate-looking calendar invites can carry hidden risk.

The underestimated threat of .ics files

The iCalendar (.ics) format is one of those technologies we all rely on without thinking. It’s text-based, universally supported, and designed for interoperability between Outlook, Google Calendar, Apple, and countless other clients.

Each invite contains a structured list of fields like SUMMARY, LOCATION, DESCRIPTION, and ATTACH. Within these, attackers have found an opportunity: they can embed URLs, malicious redirects, or even base64-encoded content. The result is a file that appears completely legitimate to a calendar client, yet quietly delivers the attacker’s message, link, or payload.

Because calendar files are plain text, they easily slip through traditional security controls. Most email gateways and endpoint filters don’t treat .ics files with the same scrutiny as executables or macros. And since users expect to receive meeting invites, often from outside their organization, it’s an ideal format for social engineering.

How threat actors abuse the invite

Over the past year, researchers have observed a rise in campaigns abusing calendar invites to phish credentials, deliver malware, or trick users into joining fake meetings. These attacks often look mundane but rely on subtle manipulation:

  • The lure: A professional-looking meeting name and sender, sometimes spoofed from a legitimate organization.

  • The link: A URL hidden in the DESCRIPTION or LOCATION field, often pointing to a fake login page or document-sharing site.

  • The timing: Invites scheduled within minutes, creating urgency (“Your access expires in 15 minutes — join now”).

  • The automation: Calendar clients that automatically add external invites, ensuring the trap appears directly in the user’s daily schedule.

[Figure: Example of where some of the malicious components would reside in the .ics file]

It’s clever, low-effort social engineering leveraging trust in a system built for collaboration.

The “invisible click” problem

The real danger of malicious calendar invites isn’t just the link inside; it’s the automatic delivery mechanism. In certain configurations, Outlook and Google Calendar will automatically process .ics attachments and create tentative events, even if the user never opens the email (or never sees it in the inbox at all). That means the malicious link is now part of the user’s trusted interface with their calendar.

This bypasses the usual cognitive warning signs. The email might look suspicious, but the event reminder popping up later? That feels like part of your day. It’s phishing that moves in quietly and waits.

Why traditional defenses miss it

Security tooling has historically focused on attachments that execute code or scripts. By contrast, .ics files are plain text and standards-based, so they don’t inherently appear dangerous. Many detection engines ignore or minimally parse them.

Attackers exploit that gap. They rely on the fact that few organizations monitor for BEGIN:VCALENDAR content or inspect calendar metadata for embedded URLs. Once delivered, the file can bypass filters, land in the user’s calendar, and lead to a high-confidence click.

What defenders can do now

Defending against calendar-based attacks begins with recognizing that these are no longer edge cases. They’re a natural evolution of phishing in which user convenience becomes the delivery mechanism.

Here are a few pragmatic steps every organization should consider:

  1. Treat .ics files like active content. Configure email filters and attachment scanners to inspect calendar files for URLs, base64-encoded data, or ATTACH fields.

  2. Review calendar client defaults. Disable automatic addition of external events when possible, or flag external organizers with clear warnings.

  3. Sanitize incoming invites. Content disarm and reconstruction (CDR) tools can strip out or neutralize dangerous links embedded in calendar fields.

  4. Raise awareness among users. Train employees to verify unexpected invites — especially those urging immediate action or containing meeting links they didn’t anticipate. Employees can also follow the helpful advice in this Google Support article.

  5. Use strong identity protection. Multi-factor authentication and conditional access policies mitigate the impact if a phishing link successfully steals credentials.

These steps don’t eliminate the threat, but they significantly increase friction for attackers and their malware.
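As an added example (not part of the original post, and not Rapid7 tooling), the following Python checker does the inspection that step 1 describes and flags the four lure components listed earlier: it unfolds the iCalendar text per RFC 5545, extracts each VEVENT's properties, and reports URLs in SUMMARY, LOCATION or DESCRIPTION, inline base64 ATTACH data, organizers outside a trusted domain list, and start times suspiciously close to DTSTAMP. The sample invite is constructed for the demo; the trusted domain `corp.example` and the 30-minute urgency threshold are assumptions, and TZID-qualified or floating times are deliberately not handled.

```python
import re
from datetime import datetime, timezone

# Constructed sample invite for this demo (not a real campaign artefact): external
# organizer, URL in LOCATION, folded DESCRIPTION hiding a second URL, inline base64
# ATTACH, and a start time only ten minutes after DTSTAMP.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//Example//Invite//EN",
    "METHOD:REQUEST",
    "BEGIN:VEVENT",
    "UID:20240101T120000Z-1@example.invalid",
    "DTSTAMP:20240101T120000Z",
    "DTSTART:20240101T121000Z",
    "DTEND:20240101T124000Z",
    "ORGANIZER;CN=IT Security:mailto:helpdesk@example.invalid",
    "SUMMARY:Security Update Briefing",
    "LOCATION:https://login.example.invalid/verify",
    "DESCRIPTION:Your access expires in 15 minutes. Join now at ",
    " https://meet.example.invalid/join?id=123",
    "ATTACH;FMTTYPE=text/html;ENCODING=BASE64;VALUE=BINARY:PGh0bWw+PC9odG1sPg==",
    "END:VEVENT",
    "END:VCALENDAR",
])

URL_RE = re.compile(r"https?://[^\s<>\"]+", re.IGNORECASE)
TEXT_FIELDS = ("SUMMARY", "LOCATION", "DESCRIPTION", "COMMENT", "URL")


def unfold(ics_text):
    """Undo RFC 5545 line folding: a line starting with SPACE or TAB continues the previous one."""
    lines = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def parse_property(line):
    """Split NAME;PARAM=VALUE:value at the first colon outside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            name, *raw_params = line[:i].split(";")
            params = {}
            for p in raw_params:
                key, _, val = p.partition("=")
                params[key.upper()] = val.strip('"')
            return name.upper(), params, line[i + 1:]
    return None


def parse_utc(value):
    try:
        return datetime.strptime(value, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None  # floating or TZID-qualified times are not handled in this demo


def parse_events(ics_text):
    """Return one {PROPERTY: [(params, value), ...]} dict per VEVENT."""
    found, current = [], None
    for line in unfold(ics_text):
        prop = parse_property(line)
        if prop is None:
            continue
        name, params, value = prop
        if name == "BEGIN" and value.upper() == "VEVENT":
            current = {}
        elif name == "END" and value.upper() == "VEVENT" and current is not None:
            found.append(current)
            current = None
        elif current is not None:
            current.setdefault(name, []).append((params, value))
    return found


def scan_invite(ics_text, trusted_domains=("corp.example",), urgency_minutes=30):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for ev in parse_events(ics_text):
        for field in TEXT_FIELDS:                       # URLs hidden in text fields
            for _, value in ev.get(field, []):
                for url in URL_RE.findall(value):
                    findings.append(f"url-in-{field.lower()}: {url}")
        for params, value in ev.get("ATTACH", []):      # inline payloads or remote attachments
            if params.get("ENCODING", "").upper() == "BASE64" or params.get("VALUE", "").upper() == "BINARY":
                findings.append(f"attach-inline-base64: fmttype={params.get('FMTTYPE', '?')}")
            else:
                findings.append(f"attach-uri: {value}")
        for _, value in ev.get("ORGANIZER", []):        # organizer outside the trusted domains
            addr = value.lower()
            addr = addr[7:] if addr.startswith("mailto:") else addr
            if addr.rsplit("@", 1)[-1] not in trusted_domains:
                findings.append(f"external-organizer: {addr}")
        stamp = parse_utc(ev.get("DTSTAMP", [({}, "")])[0][1])   # urgency: starts right after creation
        start = parse_utc(ev.get("DTSTART", [({}, "")])[0][1])
        if stamp and start and 0 <= (start - stamp).total_seconds() <= urgency_minutes * 60:
            findings.append(f"urgent-start: begins {int((start - stamp).total_seconds() // 60)} min after DTSTAMP")
    return findings
```

Running `scan_invite(SAMPLE_ICS)` yields five findings (two URLs, the inline attachment, the external organizer and the ten-minute start); a mail gateway rule would typically quarantine on the inline base64 ATTACH alone and annotate the rest for the recipient. Note that the unfolding step matters: the second URL is split across a folded DESCRIPTION line and is invisible to a naive line-by-line grep.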

A quiet evolution in social engineering campaigns

Malicious calendar invites represent a subtle yet telling shift in attacker behavior: blending into legitimate business processes rather than breaking them. In the same way that invoice-themed phishing emails once exploited trust in accounting workflows, .ics abuse leverages the quiet reliability of collaboration tools.

As organizations continue to integrate calendars with chat, cloud storage, and video platforms, the attack surface will only expand. Links inside invites will lead to files in shared drives, authentication requests, and embedded meeting credentials. These are all opportunities for exploitation.

Rethinking trust in everyday workflows

Defenders often focus on the extraordinary: zero-days, ransomware binaries, and new exploits. Yet the most effective attacks remain the simplest, exploiting human trust in ordinary digital habits. A calendar invite feels harmless, and that’s exactly why it works.

The next time an unexpected meeting appears in your calendar, it might be more than just a double-booking. It could be a reminder that security isn’t only about blocking malware, but about questioning what we assume to be safe.

2024 Threat Landscape Statistics: Ransomware Activity, Vulnerability Exploits, and Attack Trends

Post Syndicated from Rapid7 Labs original https://blog.rapid7.com/2024/12/16/2024-threat-landscape-statistics-ransomware-activity-vulnerability-exploits-and-attack-trends/

Now that we’ve reached the end of another year, you may be looking around the cybersecurity infosphere and seeing a glut of posts offering “hot takes” on the 2024 threat landscape and predictions about what’s coming next. At Rapid7, we don’t truck in hot takes, but rather, cold hard facts. Staying ahead of adversaries requires more than just advanced tools — it requires the latest intelligence and collaborative insights from experts working from data that tells the whole story.

In this blog, the global experts across our Rapid7 Labs and Managed Services teams share real-time vulnerability insights and threat intelligence so that our customers can anticipate and prevent breaches, pinpoint critical threats, and confidently take command of their attack surface.

Our teams responded to hundreds of major incidents, significant vulnerabilities, and ransomware threats in 2024, bolstered by visibility into hundreds of trillions of events analyzed by the Rapid7 Threat Engine. Our response included emergent threat and external vulnerability research, which we share with the community regularly here on the Rapid7 blog, as well as incident response activities for our managed security customers around the globe.

The Rapid7 Labs team has rounded up statistics and trends that caught our eye throughout the year, spanning ransomware, initial access vectors, common malware strains, notable CVE exploitation, and more.

Ransomware Group Activity

The 2024 ransomware landscape was all about pushing boundaries, with several groups striving to make a name for themselves in extortion circles. Based on Rapid7 Labs data, 33 new or rebranded threat actors appeared between January 1 and December 10, 2024. In that same time period, there were a total of 75 groups (including the newbies) actively seeking to extort their victims by posting stolen data to their leak sites. Between them, these groups made a total of 5,477 leak site posts.

Ransomware-as-a-service (RaaS) groups like RansomHub exfiltrated data from hundreds of targets spanning healthcare, financial services, critical manufacturing, and many more. Rapid7’s ransomware data shows that since this group emerged in early February of this year, it has made 573 posts to its leak site (as of November 30). This high number of posts has earned RansomHub a spot in Rapid7’s “Top 10 Active Ransomware Groups” list for 2024, coming in a very close second to LockBit, which finished November with 579 posts. View the entire top 10 in the graphic below.

[Graphic: Rapid7’s Top 10 Active Ransomware Groups of 2024, ranked by leak site posts]

While not as prolific at posting on their leak site as RansomHub, Qilin is an example of an established player that has exposed troves of sensitive data as well as achieved significant payouts. Not one to shy away from the healthcare space, Qilin leaked just under 1 million patient records after an attempt to extort $50m from London hospitals earlier this year. With typical ransom demands ranging from $50,000 to $800,000, plus a generous affiliate scheme, Qilin will likely be a mainstay of 2025.

One or two new groups are combining high-visibility attacks with attention-grabbing marketing stunts, most likely to quickly work their way up the affiliate ladder. Hellcat has seemingly come from nowhere to demand $125,000 in “French bread” from one victim. This is, of course, a gimmick on their part, with the ransom expected to be paid in Monero cryptocurrency. There are frequently much larger ransoms demanded, but not all of them come with built-in press appeal.

Several groups have periods in which they seemingly “go dark,” where we do not see posts to their leak sites for weeks at a time. It may be that these groups are using this time to rework their infrastructure, or perhaps they are receiving quick payouts from victims wishing to avoid reputational damage and the negative press associated with a breach coming to light.

Rapid7 incident responders have seen a combination of fresh-faced ransomware groups and old security tricks filling out much of the year. As organizations work to secure their externally facing systems, they must also account for criminals seeking to deceive employees with social engineering and psychological sleight of hand.

Looking out across organizations’ expansive attack surfaces, Rapid7 incident responders observed several vulnerabilities exploited in the wild for initial access this year. The verticals Rapid7 saw targeted the most were manufacturing, professional services, retail, and healthcare.

Social engineering in 2024 was geared toward easy initial access via exploitation of support services. One customer case involved a help desk employee being tricked into configuring a new MFA device and resetting a user password. A separate incident involved an SEO poisoning attack and the download and installation of a trojanized version of the freeware disk analyzer tool SpaceSniffer. Analysis and cleanup tools are popular targets for fake advertisements and bogus downloads, which are typically found at the top of sponsored search results.

Most Observed Malware

Several forms of malware have been at the front of the pack throughout 2024 across all industries. SocGholish, GootLoader, and AsyncRAT led the charge with a heady mix of remote access and credential theft. More than one-quarter (28%) of the customer incidents Rapid7 responded to in 2024 involved one of these three malware families.

[Chart: share of 2024 incidents involving SocGholish, GootLoader, and AsyncRAT]

SocGholish was observed in 14% of incidents during 2024. The first of three heavily observed malware mainstays of 2024, SocGholish (also known as FakeUpdates) is rooted in website compromise and drive-by attacks. Hijacked websites are used to offer bogus “updates” to unsuspecting end users. You can see an example similar to SocGholish in our analysis of ClearFake from August 2023.

SocGholish lures typically masquerade as updates for commonly used programs such as web browsers. If the campaign operators judge the target system to be of interest, JavaScript is used to trigger a payload drawn from a wide variety of malware. In July of this year, SocGholish was used to distribute AsyncRAT, another of our most commonly observed remote access trojans (RATs).

GootLoader was observed in 10% of incidents during 2024. It is frequently delivered through SEO poisoning campaigns that plant targeted keywords on compromised websites, and it has served as the delivery method for payloads such as Cobalt Strike to victims arriving via search queries as varied as “Bengal cats” and “employment agreements.”

AsyncRAT was observed in 4% of incidents during 2024. It is a RAT that has been in use since 2019 for activities like data theft and keylogging. AsyncRAT typically arrives on a PC through social engineering or phony attachments and can also be used to deploy additional malware. It has also recently been used as part of a GenAI malware distribution campaign.

Initial Access Vectors

Vulnerability exploitation and remote access to systems without multi-factor authentication (MFA) continued to be the largest drivers of incidents overall in 2024, at 17% and 56% of incidents, respectively. We saw a significant (and rather unfortunate) shift in year-over-year initial access data in 2024 when compared to 2023. Roughly 40% of the incidents the Rapid7 Managed Services team saw in Q3 2023 were remote access to systems with missing or lax enforcement of MFA, particularly for VPNs and virtual desktop infrastructure (VDI). In Q3 2024, fully two-thirds (67%) of incident responses involved abuse of valid accounts and missing or lax enforcement of MFA — once again, mainly on VPNs and VDI, though exposed RDP also added a small number of incidents to remote access counts.

Vulnerability exploitation also remains a prevalent initial access vector, holding firm at 13% of incidents for both Q3 2023 and Q3 2024. Rapid7 MDR observed exploitation of the following CVEs in customer environments between January and November 2024 (non-exhaustive):

As the CVEs above demonstrate, the vulnerability exploitation Rapid7 has observed in managed customer environments has included newer flaws in addition to older, known vulnerabilities that have previously been under attack. Both Adobe ColdFusion CVE-2018-15961 and Oracle WebLogic Server CVE-2020-14882 have been on the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of Known Exploited Vulnerabilities (KEV) since November 2021.

Notable Vulnerabilities

While Rapid7 observed continued adversary use of zero-day vulnerabilities in network edge technologies like VPNs and secure gateways, zero-day flaws represented a lower overall percentage of major 2024 vulnerabilities when compared with what we saw in 2023. File transfer technologies also had a number of severe vulnerabilities disclosed in 2024 — but surprisingly, several of these have remained unexploited beyond the usual attempts to attack internet-facing honeypots. Critical issues in both Fortra’s GoAnywhere MFT software and Progress Software’s MOVEit Transfer solution were expected to see large-scale attacks, but happily, thus far those attacks have not materialized.

In Rapid7’s 2024 Attack Intelligence Report, we found that fully a quarter of widespread threat vulnerabilities our team analyzed for the period were the result of broad, global, zero-day exploitation by a single highly skilled threat actor. That trend lost traction in the back half of the year, but we still saw it rear its head from time to time. October 2024’s FortiManager RCE (CVE-2024-47575) offers a salient example: By the time the vulnerability was disclosed publicly, dozens of organizations around the world had already been compromised by a targeted but prolific threat campaign. A pair of widely exploited zero-day flaws in Palo Alto Networks firewalls (CVE-2024-0012, CVE-2024-9474) made for another prominent example. Rumors of a possible zero-day vulnerability swirled for weeks before the vendor was able to confirm real-world attacks in mid-November.

Below is a sample of notable CVEs from Rapid7’s vulnerability intelligence data, most (but not all) of which came under attack over the past 11 months.

[Table: notable CVEs from Rapid7’s 2024 vulnerability intelligence data]

Rapid7’s open platform for vulnerability research, AttackerKB, incorporated new tags in 2024 to allow users to note when vulnerabilities were observed in ransomware or state-sponsored attacks. Our team and our community added ransomware tags to more than 250 CVEs in 2024, and 75-plus vulnerabilities have been tagged for their (verified) use in known, state-sponsored threat campaigns. More than 1,700 unique CVEs have been reported exploited in the wild in AttackerKB, and we’ve incorporated hundreds of detailed vulnerability assessments from security researchers, incident responders, and pen testers. Interested in exploring more vulnerability data? Join the community here.

Key Learnings

The threat landscape in 2024 saw a host of new ransomware actors creating chaos in novel ways, but it also showed that attackers are willing to use tried and true techniques to breach defenses. At the end of the day (ahem, year) the best practices remain the best practices. Having a strong vulnerability risk management program in place, building strong defenses against phishing and spear phishing campaigns, having robust patching procedures (particularly for zero-days), and instituting multi-factor authentication remain some of the strongest ways to prevent threat actors from making your organization another statistic. Speaking of statistics, here’s an infographic with some highlights from this post.

As always, Rapid7 Labs is here to help. We’ve spent 2024 doing unique and groundbreaking research into the behaviors of threat actors and we have no plans to let up in 2025. If you would like to see our work to date, head over to the Rapid7 Labs page. And keep an eye on it for big things to come next year.

Ransomware Groups Demystified: CyberVolk Ransomware

Post Syndicated from Rapid7 Labs original https://blog.rapid7.com/2024/10/03/ransomware-groups-demystified-cybervolk-ransomware/

As part of our ongoing efforts to monitor emerging cyber threats, we have analyzed the activities of CyberVolk, a politically motivated hacktivist group that transitioned into using ransomware and has been active since June 2024. Unlike traditional ransomware groups, CyberVolk initially positioned itself as a hacktivist organization, and then started to use ransomware as a tool for retaliation. The group openly declares allegiance to Russia and operates within a broader hacktivist movement, launching attacks in response to geopolitical events. This report offers an in-depth analysis of CyberVolk’s ransomware tactics, underlying motivations, and technical behaviors.

Rapid7 Labs has an ongoing commitment to help organizations understand and mitigate risk from the complex world of ransomware, and this includes highlighting these newer groups. In this post we’re going to focus on CyberVolk’s shift from a hacktivist group to one that now uses ransomware as a key tool in its operations.

Intro to the CyberVolk group

CyberVolk emerged in June 2024 as a hacktivist group associated with pro-Russian activities. Before settling on its current identity it went through several name changes. Initially known as GLORIAMIST India on March 28, 2024, the group rebranded itself as Solntsevskaya Bratva on June 10, 2024. That name was short-lived, and on June 23, 2024, the group adopted the name CyberVolk. Its operations escalated after the arrest of members of the hacktivist group NoName057(16), known for targeting NATO-aligned countries. In response, CyberVolk, alongside more than 70 affiliated hacktivist groups, launched coordinated Distributed Denial of Service (DDoS) and ransomware attacks against Spain, which had arrested the NoName057(16) members. These attacks are part of a broader strategy of retaliation against governments opposing Russian interests.

Figure 1: CyberVolk’s name rebranding from March to June 2024

CyberVolk uses a combination of ransomware and DDoS attacks to undermine their targets. Spanish institutions have been a primary focus, with 27 entities reportedly affected since the campaign began.

This isn’t the first time a hacktivist group has taken a stroll down the dark side. Just last year, we covered the GhostLocker group, which attempted to transition from hacktivism to ransomware-as-a-service (RaaS). Sidebar: their debut into the ransomware world didn’t exactly go as planned. After realizing that success in the RaaS game wasn’t in their best interest, they swiftly pivoted back to their old hacktivist ways, likely with a sigh of relief. But let’s get back to CyberVolk (with “Volk” meaning “wolf” in Russian).

Technical analysis of CyberVolk ransomware

We analyzed a sample of the CyberVolk ransomware.

SHA256: 102276ae1f518745695fe8f291bf6e69856b91723244881561bb1a2338d54b12

CyberVolk follows a standard execution flow typical to ransomware strains. One of the first actions it takes is saving an image file tmp.bmp to C:\Users\USER\AppData\Local\Temp\tmp.bmp and changing the victim’s desktop wallpaper — interestingly, this occurs before any files on the system are encrypted.

The ransomware then creates multiple threads to handle various tasks, including:

  • User interaction: A thread manages the interaction with the victim, displaying dialog boxes for the ransom message, decryption key entry, and cryptocurrency payment options for BTC (Bitcoin) and USDT ERC20. The addresses used are:
      • BTC: bc1q3c9pt084cafxfvyhn8wvh7mq04rq6naew0mk87
      • USDT: TXarMAbSLLmStn4RZj63cTH7tpbodGNGbZ
    At the time of writing, the BTC wallet had a balance of 0, and the USDT wallet held 34.79 USDT.

  • Task Manager monitoring: Another thread repeatedly checks whether Task Manager is running by searching for a window with the class name “TaskManagerWindow.” If found, it attempts to kill the process by sending a WM_CLOSE message. This action requires the ransomware to run with escalated privileges.

  • File scanning and encryption: CyberVolk performs a systematic scan of all available drive letters (A to Z) to identify valid drives for encryption. Once the encryption routine is triggered:
      • Files on the infected system are encrypted and given the .cvenc extension.
      • The ransomware methodically walks directories and subdirectories, encrypting files as it proceeds.

  • Decryption key management: After encrypting the files, CyberVolk presents the victim with an interface to input a decryption key following ransom payment. Here’s how the decryption process works:
      • Key validation: The ransomware checks whether the entered decryption key is exactly 36 characters long. However, although the full key is 36 characters, only the first 16 characters are passed to a substitution function that transforms part of the key using a predefined substitution table.
      • Substitution function: The function processes multiple encrypted string arrays and performs character substitution based on a preset character set. It compares each of the first 16 characters of the entered key with the encrypted string arrays and replaces them using the substitution table.
      • Writing the key: The transformed output is written to a file named dec_key.dat, which is then used to complete the decryption process. If the decryption key passes all checks, the ransomware decrypts the files.
      • Cleanup: After a successful decryption, it removes dec_key.dat and time.dat from C:\Users\USER\AppData\Roaming\ to cover its tracks.

Figure 2: CyberVolk dialog window

Experiment: Decryption key testing with CyberVolk ransomware

As part of a small experiment, we attempted to execute the CyberVolk ransomware with a pre-created dec_key.dat file placed in C:\Users\USER\AppData\Roaming\. This file contained hardcoded strings we found in the code, such as fc99bb1c28a5ae006e567faf4cfc0d707c1528e and ce12f0967bd216d248cafda3d46ad1368d9f3dee.

Upon running the malware, the presence of the file successfully triggered the decryption routine. However, despite the original file names being restored, the files themselves were empty.

In another experiment, we manually entered 36 random characters into the decryption key dialog box. Again, this triggered the decryption process, and although the file names were restored, the files remained empty.

Additionally, the ransomware claims that it will delete files if an incorrect decryption key is entered. We tested this by entering an invalid key (aaaa). The malware displayed a warning, but when we proceeded, all files remained encrypted, and none were deleted.

Figure 3: Correct key warning

CyberVolk’s decryption routine has a weak validation step: it proceeds with decryption even when the key is incorrect or random. Without the correct key, however, the restored files are unusable, which suggests that the key check only partially functions, or that the ransomware is designed to make victims believe decryption is happening while their data stays damaged. The fact that files are not deleted when an incorrect key is entered, despite the warning, is a further discrepancy between what the ransomware claims and what it actually does. Whether this is a design flaw or a deliberate tactic to frustrate victims, the outcome is the same: even when the decryption routine runs, files remain damaged and unusable without the correct key.

Ransom note

After encryption, a file named CyberVolk_ReadMe.txt is placed in every affected folder. The ransom note contains the following message:

All your files have been encrypted by CyberVolk ransomware.
Do not attempt to recover your files without the decryption key, which I will provide after you make the payment.
Failure to do so may result in your files being permanently lost.
Follow my instructions carefully.

Payment Details:
Transfer $1000 in Bitcoin to the following address.
You can contact me via Telegram: @hacker7
Our team is available at https:[//]t.me/cubervolk. We look forward to receiving your payment.

The ransom note directs victims to a non-existing channel https:[//]t.me/cubervolk. Looks like the ransomware creators were in such a rush to demand the ransom that they forgot to double-check their own link.
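The artefacts described above (the .cvenc extension, the CyberVolk_ReadMe.txt note in every affected folder, the dec_key.dat and time.dat files under the Roaming profile, and the zero-byte files left behind by a decryption run without the right key) are what an incident responder actually hunts for on a suspect host. The following Python sweep is an added example, not CyberVolk code and not Rapid7 tooling: it walks a directory tree and reports each of those footprints, including the tell-tale combination of a ransom note next to empty, already "restored" files. The directory fixture it builds is constructed for the demo; the verdict strings and the assumption that a note is identified by the phrase "encrypted by CyberVolk ransomware" are mine.

```python
import os
import tempfile
from pathlib import Path

# Artefacts taken from the analysis above; everything else here is a constructed demo.
ENCRYPTED_EXT = ".cvenc"
RANSOM_NOTE = "CyberVolk_ReadMe.txt"
NOTE_MARKER = "encrypted by CyberVolk ransomware"   # assumed marker phrase from the note text
KEY_FILES = ("dec_key.dat", "time.dat")              # written to AppData\Roaming, deleted after "decryption"


def sweep(root, appdata=None):
    """Walk a tree and collect CyberVolk footprints; paths are returned relative to root."""
    root = Path(root)
    result = {"encrypted_files": [], "ransom_notes": [], "notes_without_encrypted_files": [],
              "empty_files_beside_note": [], "key_files_present": []}

    def rel(p):
        return p.relative_to(root).as_posix()

    for dirpath, _dirs, filenames in os.walk(root):
        d = Path(dirpath)
        enc_here = [f for f in filenames if f.lower().endswith(ENCRYPTED_EXT)]
        result["encrypted_files"].extend(rel(d / f) for f in enc_here)
        if RANSOM_NOTE not in filenames:
            continue
        note = d / RANSOM_NOTE
        if NOTE_MARKER in note.read_text(errors="replace"):
            result["ransom_notes"].append(rel(note))
        if not enc_here:
            # A note with no .cvenc siblings: names were "restored" (see the key experiments
            # above) or the folder was skipped; either way it deserves a look.
            result["notes_without_encrypted_files"].append(rel(note))
        for f in filenames:
            # Zero-byte files next to a note match what a bogus decryption leaves behind.
            if f != RANSOM_NOTE and f not in enc_here and (d / f).stat().st_size == 0:
                result["empty_files_beside_note"].append(rel(d / f))
    if appdata:
        result["key_files_present"] = [k for k in KEY_FILES if (Path(appdata) / k).is_file()]
    for key in result:
        result[key] = sorted(result[key])
    result["verdict"] = "cybervolk-artefacts-present" if result["encrypted_files"] or result["ransom_notes"] else "clean"
    return result


def build_sample_tree(base):
    """Constructed fixture (not real victim data): one encrypted folder, one folder whose files
    came back empty after a bogus decryption, one clean folder, and a fake Roaming profile."""
    base = Path(base)
    note = "All your files have been encrypted by CyberVolk ransomware.\n"
    (base / "Documents").mkdir()
    (base / "Documents" / "budget.xlsx.cvenc").write_bytes(b"\x00" * 64)
    (base / "Documents" / RANSOM_NOTE).write_text(note)
    (base / "Pictures").mkdir()
    (base / "Pictures" / "holiday.jpg").write_bytes(b"")       # name restored, content gone
    (base / "Pictures" / RANSOM_NOTE).write_text(note)
    (base / "Music").mkdir()
    (base / "Music" / "song.mp3").write_bytes(b"ID3")
    appdata = base / "AppData" / "Roaming"
    appdata.mkdir(parents=True)
    (appdata / "dec_key.dat").write_text("fc99bb1c28a5ae006e567faf4cfc0d707c1528e\n")
    return base, appdata


def demo():
    """Build the fixture in a temporary directory and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        base, appdata = build_sample_tree(tmp)
        return sweep(base, appdata)
```

On a real host you would point `sweep` at each fixed drive and at `%APPDATA%`; the `notes_without_encrypted_files` and `empty_files_beside_note` lists are the ones to reconcile against backups, since those folders look recovered at a glance but hold no data.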

Code reuse from Babuk ransomware

Our comparison of CyberVolk and Babuk ransomware using BinDiff revealed some similarities, particularly in cryptographic routines and system-level interactions. For example, the function CryptAcquireContextW and other cryptographic setups show significant overlap between the two, indicating that CyberVolk’s developers likely reused Babuk’s encryption framework.

However, CyberVolk has added unique functionality, such as:

  • Anti-analysis techniques: Efforts to evade detection through Task Manager termination.
  • AES encryption: Unlike Babuk, CyberVolk incorporates the AES encryption algorithm, enhancing its cryptographic capabilities and further differentiating the two strains.

Conclusion

CyberVolk ransomware shows off the usual ransomware tricks, complete with a few bugs for good measure. By reusing some of Babuk’s code, particularly in its cryptographic routines, its authors show that ransomware developers are getting creative with their remix skills, building on old frameworks to make their threats just a little more polished. CyberVolk also introduces some original features, such as attempting to terminate system processes like Task Manager, which succeeds when the malware runs with elevated privileges.

Our decryption tests revealed that ransomware has some flaws. CyberVolk’s key validation is weak enough that even random keys trigger the decryption routine, though files remain unusable without the correct key. Despite its warnings about deleting files if an incorrect key is entered, we found that files remained encrypted but were not deleted, highlighting a gap between what the ransomware claims and what it actually does.

Still, CyberVolk has caused significant disruption, particularly to entities in Spain. With its mix of DDoS and ransomware attacks, and enough new tricks added to the traditional ransomware formula to evade detection and create serious headaches for its victims, it is becoming a more serious threat. Despite its bugs, the group is evolving and has already proven effective, and cybersecurity professionals should keep this ransomware on their radar as its tactics are refined.

Read up on additional ransomware groups and get other insights from Rapid7 Labs here.

Ransomware Groups Demystified: Lynx Ransomware

Post Syndicated from Rapid7 Labs original https://blog.rapid7.com/2024/09/12/ransomware-groups-demystified-lynx-ransomware/

As part of our research and threat tracking, Rapid7 Labs actively monitors new and upcoming threat groups, and the ransomware domain is known for producing a large number of them. In the Ransomware Radar Report, Rapid7 Labs shared the observation that 21 new or rebranded ransomware groups surfaced in the first half of 2024. Many of them do not come into the spotlight immediately, whether by abusing some new or recently discovered vulnerability or, as we measure activity, by posting a large number of data leaks.

Rapid7 Labs has an ongoing commitment to help organizations understand and mitigate the complex world of ransomware, and this includes highlighting these newer groups. In this post we’re going to focus on the recently-emerged Lynx ransomware group.

Intro to the Lynx group

The Lynx ransomware group was identified in July 2024, and has claimed more than 20 victims in various industry sectors to date. The group is using both single and double extortion techniques against their victims; however, they claim to be “ethical” with regards to choosing victims, according to their press release on July 24th:

“Lynx Ransomware core motivation is grounded in financial incentives, with a clear intention to avoid undue harm to organizations. We recognize the importance of ethical considerations in the pursuit of financial gain and maintain a strict policy against targeting governmental institutions, hospitals, or non-profit organizations, as these sectors play vital roles in society.”

When a victim has been hit, the infamous readme.txt surfaces on desktops and contains the link to the Tor site of Lynx and the ID needed to enter the portal:

[Figure: the Lynx readme.txt ransom note]

Along with the portal for victims to log in, the group is hosting a public blog and also a leaks page where victims are showcased in an attempt to enforce payment.

Analyzing Lynx ransomware

In order to conduct our analysis, we took a sample that had been observed being used in August 2024.

[Figure: the Lynx sample analyzed]

Underground rumors claim that the Lynx group purchased its source code from another group Rapid7 tracks: INC ransomware. A binary diff of the Lynx and INC ransomware samples gives an overall similarity score of 48 percent, with a function-level similarity of 70.8 percent:

[Figure: binary diff of the Lynx and INC ransomware samples]

Based on the diff and some other comparisons we conducted, there are overlaps in functions and arguments, but in our opinion not enough to prove fully that Lynx was derived from INC ransomware’s source code.

An initial look at the Lynx ransomware sample shows three URLs in the code that stand out, as they already point to suspicious sites:

hxxp://lynxblog[.]net/

hxxp://lynxch2k5xi35j7hlbmwl7d6u2oz4vp2wqp6qkwol624cod3d6iqiyqd[.]onion/login

hxxp://lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd[.]onion/disclosures

In addition, the ransomware has several command line options to run:

[Figure: Lynx command line options]

Inside the ransomware, the readme.txt (the ransom notification) is stored Base64-encoded and decoded at runtime. The ID used to log into the portal is generated per victim, but overall the note is similar to other ransomware notes:

Your data is stolen and encrypted.

Download TOR Browser to contact with us.

ID

~ %id%

Chat site:

~ TOR Network: http://lynxchatly4zludmhmi75jrwhycnoqvkxb4prohxmyzf4euf5gjxroad.onion/login

~ TOR Mirror #1: http://lynxchatfw4rgsclp4567i4llkqjr2kltaumwwobxdik3qa2oorrknad.onion/login

~ TOR Mirror #2: http://lynxchatohmppv6au67lloc2vs6chy7nya7dsu2hhs55mcjxp2joglad.onion/login

~ TOR Mirror #3: http://lynxchatbykq2vycvyrtjqb3yuj4ze2wvdubzr2u6b632trwvdbsgmyd.onion/login
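The analysis step described above, recovering a Base64-hidden ransom note and the .onion URLs from a sample, as an added example that is not Rapid7's tooling: it scans a constructed byte string (not a real Lynx binary, with placeholder .onion hostnames) for long Base64 runs, keeps only decoded blobs that carry ransom-note markers, and lists the runtime placeholders such as %id%.

```python
import base64
import binascii
import re

# Constructed stand-in for a Lynx-style binary (not a real sample): a Base64-encoded
# ransom note, a second .onion URL stored in clear, and some Base64-looking filler.
NOTE = (b"Your data is stolen and encrypted.\r\n"
        b"Download TOR Browser to contact with us.\r\n"
        b"ID\r\n~ %id%\r\nChat site:\r\n"
        b"~ TOR Network: http://exampleonionaddressplaceholder.onion/login\r\n")
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 8
          + b"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKL"  # decodes, but is not a note
          + b"\x00" + base64.b64encode(NOTE) + b"\x00\x00"
          + b"http://exampleonionaddress2placeholder.onion/disclosures\x00")

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
ONION_URL = re.compile(rb"https?://[a-z2-7]{16,56}\.onion[\w/.-]*")
NOTE_MARKERS = (b"encrypted", b"TOR", b"%id%", b".onion")


def decode_b64_candidates(data: bytes) -> list[bytes]:
    """Decode every long Base64 run and keep those that read like a ransom note."""
    found = []
    for match in B64_RUN.finditer(data):
        run = match.group(0)
        run += b"=" * (-len(run) % 4)  # repair padding the author may have stripped
        try:
            decoded = base64.b64decode(run, validate=True)
        except (ValueError, binascii.Error):
            continue
        # Require two independent markers so random Base64-looking data is not reported.
        if sum(marker in decoded for marker in NOTE_MARKERS) >= 2:
            found.append(decoded)
    return found


def extract_onion_urls(data: bytes) -> list[str]:
    """Collect .onion URLs from the raw bytes and from any decoded notes."""
    urls = set(ONION_URL.findall(data))
    for blob in decode_b64_candidates(data):
        urls.update(ONION_URL.findall(blob))
    return sorted(u.decode() for u in urls)


def note_placeholders(note: bytes) -> list[str]:
    """List the %name% tokens the malware fills in at runtime, such as the victim ID."""
    return sorted({m.decode() for m in re.findall(rb"%[A-Za-z_]+%", note)})


if __name__ == "__main__":
    for note in decode_b64_candidates(SAMPLE):
        print(note.decode(), note_placeholders(note))
    print(extract_onion_urls(SAMPLE))
```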

Key ransomware functionalities:

1. Process and Service Management:

  • The ransomware attempts to kill various system processes and services using methods like the RestartManager. It specifically targets services that might hinder the encryption process, such as backup-related services.
  • It enumerates and stops dependent services and processes, utilizing system APIs such as EnumDependentServicesW and ControlService.

2. Shadow Copy Deletion:

  • A major target of this ransomware is deleting volume shadow copies, which are often used to restore data. The string “Successfully delete shadow copies from %c:” suggests the use of vssadmin or other similar commands to ensure backup files are removed.

3. File Encryption:

  • It encrypts files across the system, including network shares and drives (Encrypt network shares, Load hidden drives). The use of terms like “Encrypting file: %s” and “Encrypt only specified directory” indicates the ransomware can focus on specific folders or file types, increasing its precision.
  • There is also the ability to encrypt only selected files, directories, or network shares based on configuration (--file, --dir <dirPath>, --encrypt-network).
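A detection check for the first two behaviors listed above (shadow copy deletion via vssadmin and the stopping of backup-related services before encryption), as an added example that is not part of the original post. It runs over constructed process-creation and service-control events (not real telemetry); the service names, window and threshold are assumptions a defender would tune to their own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events in the shape of a minimal SIEM export (not real telemetry).
EVENTS = [
    {"ts": "2024-08-01T10:00:00", "host": "ws01", "type": "process",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-08-01T10:00:02", "host": "ws01", "type": "service_stop", "name": "VeeamBackupSvc"},
    {"ts": "2024-08-01T10:00:03", "host": "ws01", "type": "service_stop", "name": "SQLWriter"},
    {"ts": "2024-08-01T10:00:04", "host": "ws01", "type": "service_stop", "name": "wbengine"},
    {"ts": "2024-08-01T11:30:00", "host": "ws02", "type": "process",
     "cmd": "vssadmin.exe list shadows"},  # benign: listing, not deleting
    {"ts": "2024-08-01T11:30:05", "host": "ws02", "type": "service_stop", "name": "Spooler"},
]

# Shadow copy deletion via vssadmin (named in the post) or the similar wmic form.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
# Assumed list of backup/VSS-related service name fragments; tune per environment.
BACKUP_SERVICE = re.compile(r"veeam|backup|sql|wbengine|vss|acronis", re.I)


def detect(events, window_s=60, min_stops=3):
    """Return findings per host: shadow copy deletion and bursts of backup-service stops."""
    findings = defaultdict(list)
    recent_stops = defaultdict(list)  # host -> timestamps of recent backup-service stops
    for ev in sorted(events, key=lambda item: item["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "process" and SHADOW_DELETE.search(ev["cmd"]):
            findings[ev["host"]].append(("shadow_copy_deletion", ev["cmd"]))
        elif ev["type"] == "service_stop" and BACKUP_SERVICE.search(ev["name"]):
            window = recent_stops[ev["host"]]
            window.append(ts)
            # Keep only stops inside the sliding window, then fire once at the threshold.
            window[:] = [t for t in window if ts - t <= timedelta(seconds=window_s)]
            if len(window) == min_stops:
                findings[ev["host"]].append(
                    ("backup_service_stop_burst", f"{min_stops} stops in {window_s}s"))
    return dict(findings)


if __name__ == "__main__":
    for host, hits in detect(EVENTS).items():
        print(host, hits)
```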

Lynx: Ones to watch

While the Lynx ransomware group says it takes an “ethical” stance, there is no scenario where attacking and extorting victims can be viewed in that way. Lynx’s aggressive targeting and dual extortion tactics make them a threat to watch. With overlaps in functionality between Lynx and INC ransomware, the potential for source code sharing and evolution among ransomware groups remains a critical concern for defenders.

As organizations navigate these threats, it’s crucial to stay vigilant, invest in robust security measures, and be prepared to respond quickly to ransomware incidents. Rapid7 Labs will continue to monitor and analyze the activities of groups like Lynx to provide timely insights and actionable intelligence for the community.