Tag Archives: ransomware

Ransomware Groups Demystified: CyberVolk Ransomware

Post Syndicated from Rapid7 Labs original https://blog.rapid7.com/2024/10/03/ransomware-groups-demystified-cybervolk-ransomware/

Ransomware Groups Demystified: CyberVolk Ransomware

As part of our ongoing efforts to monitor emerging cyber threats, we have analyzed the activities of CyberVolk, a politically motivated hacktivist group that transitioned into using ransomware and has been active since June 2024. Unlike traditional ransomware groups, CyberVolk initially positioned itself as a hacktivist organization, and then started to use ransomware as a tool for retaliation. The group openly declares allegiance to Russia and operates within a broader hacktivist movement, launching attacks in response to geopolitical events. This report offers an in-depth analysis of CyberVolk’s ransomware tactics, underlying motivations, and technical behaviors.

Rapid7 Labs has an ongoing commitment to help organizations understand and mitigate risk from the complex world of ransomware, and this includes highlighting these newer groups. In this post we’re going to focus on CyberVolk’s shift from a hacktivist group to one that now uses ransomware as a key tool in its operations.

Intro to the CyberVolk group

CyberVolk emerged in June 2024 as a hacktivist group associated with pro-Russian activities. Before settling on its current identity it went through several name changes. Initially known as GLORIAMIST India on March 28, 2024, the group rebranded itself as Solntsevskaya Bratva on June 10, 2024. However, this name was short-lived, and on June 23, 2024, the group adopted the name CyberVolk. Their operations escalated after the arrest of members from the hacktivist group NoName57(16), known for targeting NATO-aligned countries. In response, CyberVolk, alongside more than 70 affiliated hacktivist groups, launched coordinated Distributed Denial of Service (DDoS) and ransomware attacks against Spain, which had arrested the NoName57(16) members. These attacks are part of a broader strategy to retaliate against governments opposing Russian interests.

Ransomware Groups Demystified: CyberVolk Ransomware
Figure 1: CyberVolk’s name rebranding form March-June 2024

CyberVolk uses a combination of ransomware and DDoS attacks to undermine their targets. Spanish institutions have been a primary focus, with 27 entities reportedly affected since the campaign began.

This isn’t the first time a hacktivist group has taken a stroll down the dark side. Just last year, we covered the GhostLocker group, which made an attempt to transition from the hacktivist realm to ransomware-as-a-service (RaaS). Side bar: their debut into the ransomware world didn’t exactly go as planned. After realizing that success in the RaaS game wasn’t in their best interest, they swiftly pivoted back to their old hacktivist ways, likely with a sigh of relief. But let’s go back to the CyberVolk (with “Volk” meaning “wolf” in Russian).

Technical analysis of CyberVolk ransomware

We analyzed a sample of the CyberVolk ransomware.

| SHA256 | 102276ae1f518745695fe8f291bf6e69856b91723244881561bb1a2338d54b12 |

CyberVolk follows a standard execution flow typical to ransomware strains. One of the first actions it takes is saving an image file tmp.bmp to C:\Users\USER\AppData\Local\Temp\tmp.bmp and changing the victim’s desktop wallpaper — interestingly, this occurs before any files on the system are encrypted.

The ransomware then creates multiple threads to handle various tasks, including:

  • User interaction: A thread manages the interaction with the victim, displaying dialog boxes for the ransom message, decryption key entry, and cryptocurrency payment options for BTC (Bitcoin) and USDT ERC20. The addresses used are:
  • BTC: bc1q3c9pt084cafxfvyhn8wvh7mq04rq6naew0mk87
  • USDT: TXarMAbSLLmStn4RZj63cTH7tpbodGNGbZ At the time of writing, the BTC wallet had a balance of 0, and the USDT wallet held 34.79 USDT.
  • Task manager monitoring: Another thread checks repeatedly if Task Manager is running by searching for a window with the class name “TaskManagerWindow.” If found, it attempts to kill the process by sending a WM_CLOSE message. This action requires the ransomware to run with escalated privileges.
  • File scanning and encryption: CyberVolk performs a systematic scan of all available drive letters (from a to z) to identify valid drives for encryption. Once the encryption routine is triggered:
  • Files on the infected system are encrypted and given the .cvenc extension.
  • The ransomware methodically scans directories and subdirectories, encrypting files as it proceeds.
  • Decryption key management: After encrypting the files, CyberVolk presents the victim with an interface to input a decryption key following ransom payment. Here’s how the decryption process works:
  • Key validation: The ransomware checks if the entered decryption key is exactly 36 characters long. However, despite the full key being 36 characters, only the first 16 characters are passed to a substitution function that transforms part of the key using a predefined substitution table.
  • Substitution function: The function processes multiple encrypted string arrays and performs character substitution based on a preset character set. It compares each character from the first 16 characters of the entered key with encrypted string arrays and replaces them using the substitution table.
  • Writing the key: The transformed output is written to a file named dec_key.dat, which is then used to complete the decryption process. If the decryption key passes all checks, the ransomware decrypts the files.
  • Cleanup: After successful decryption, it removes files like dec_key.dat and time.dat from C:\Users\USER\AppData\Roaming\ to cover its tracks.
Ransomware Groups Demystified: CyberVolk Ransomware
Figure 2: CyberVolk dialog window

Experiment: Decryption key testing with CyberVolk ransomware

As part of a small experiment, we attempted to execute the CyberVolk ransomware with a pre-created dec_key.dat file placed in C:\Users\USER\AppData\Roaming\. This file contained hardcoded strings we found in the code, such as fc99bb1c28a5ae006e567faf4cfc0d707c1528e and ce12f0967bd216d248cafda3d46ad1368d9f3dee.

Upon running the malware, the presence of the file successfully triggered the decryption routine. However, despite the original file names being restored, the files themselves were empty.

In another experiment, we manually entered 36 random characters into the decryption key dialog box. Again, this triggered the decryption process, and although the file names were restored, the files remained empty.

Additionally, the ransomware claims that it will delete files if an incorrect decryption key is entered. We tested this by entering an invalid key (aaaa). The malware displayed a warning, but when we proceeded, all files remained encrypted, and none were deleted.

Ransomware Groups Demystified: CyberVolk Ransomware
Figure 3: Correct key warning

CyberVolk’s decryption routine seems to have a weakness in its validation process, allowing it to proceed with decryption even with incorrect or random keys. However, without the correct key, the files are rendered unusable, suggesting that the key validation might only partially function or that the ransomware is designed to deceive victims into thinking decryption is occurring, when in reality, the files remain damaged. This could be a design flaw or a deliberate tactic to further frustrate victims.

The fact that files are not deleted as promised when an incorrect key is entered also indicates a discrepancy between the ransomware’s claims and its actual behavior. This could either be a design flaw or a deliberate tactic to further confuse and frustrate victims. Ultimately, even if the ransomware initiates decryption, without the correct key, files remain damaged and unusable.

Ransom note

After encryption, a file named CyberVolk_ReadMe.txt is placed in every affected folder. The ransom note contains the following message:

All your files have been encrypted by CyberVolk ransomware.
Do not attempt to recover your files without the decryption key, which I will provide after you make the payment.
Failure to do so may result in your files being permanently lost.
Follow my instructions carefully.

Payment Details:
Transfer $1000 in Bitcoin to the following address.
You can contact me via Telegram: @hacker7
Our team is available at https:[//]t.me/cubervolk. We look forward to receiving your payment.

The ransom note directs victims to a non-existing channel https:[//]t.me/cubervolk. Looks like the ransomware creators were in such a rush to demand the ransom that they forgot to double-check their own link.

Code reuse from Babuk ransomware

Our comparison of CyberVolk and Babuk ransomware using BinDiff revealed some similarities, particularly in cryptographic routines and system-level interactions. For example, the function CryptAcquireContextW and other cryptographic setups show significant overlap between the two, indicating that CyberVolk’s developers likely reused Babuk’s encryption framework.

However, CyberVolk has added unique functionality, such as:

  • Anti-analysis techniques: Efforts to evade detection through Task Manager termination.
  • AES encryption: Unlike Babuk, CyberVolk incorporates the AES encryption algorithm, enhancing its cryptographic capabilities and further differentiating the two strains.

Conclusion

CyberVolk ransomware shows off the usual ransomware tricks complete with a few bugs for good measure. By reusing some of Babuk’s code — particularly in its cryptographic routines — it’s clear that ransomware authors are getting creative with their remix skills, building on old frameworks to make their threats just a little more polished.CyberVolk also introduces some original features, such as attempting to terminate system processes like Task Manager. It succeeds in this task when run with elevated privileges.

Our decryption tests revealed that ransomware has some flaws. CyberVolk’s key validation is weak enough that even random keys trigger the decryption routine, though files remain unusable without the correct key. Despite its warnings about deleting files if an incorrect key is entered, we found that files remained encrypted but were not deleted, highlighting a gap between what the ransomware claims and what it actually does.

Still, CyberVolk has caused significant disruption, particularly in Spain. With its mix of DDoS and ransomware attacks, it’s becoming a more serious threat. As the group refines its tactics, cybersecurity professionals should keep a close eye on its continued evolution.

Cybersecurity professionals should keep this ransomware on their radar. Despite its bugs, CyberVolk is evolving and has already proven effective, causing significant damage to entities in Spain. It adds enough new tricks to the traditional ransomware formula to evade detection and create serious headaches for its victims.

Read up on additional ransomware groups and get other insights from Rapid7 Labs here.

Weird Zimbra Vulnerability

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2024/10/weird-zimbra-vulnerability.html

Hackers can execute commands on a remote computer by sending malformed emails to a Zimbra mail server. It’s critical, but difficult to exploit.

In an email sent Wednesday afternoon, Proofpoint researcher Greg Lesnewich seemed to largely concur that the attacks weren’t likely to lead to mass infections that could install ransomware or espionage malware. The researcher provided the following details:

  • While the exploitation attempts we have observed were indiscriminate in targeting, we haven’t seen a large volume of exploitation attempts
  • Based on what we have researched and observed, exploitation of this vulnerability is very easy, but we do not have any information about how reliable the exploitation is
  • Exploitation has remained about the same since we first spotted it on Sept. 28th
  • There is a PoC available, and the exploit attempts appear opportunistic
  • Exploitation is geographically diverse and appears indiscriminate
  • The fact that the attacker is using the same server to send the exploit emails and host second-stage payloads indicates the actor does not have a distributed set of infrastructure to send exploit emails and handle infections after successful exploitation. We would expect the email server and payload servers to be different entities in a more mature operation.
  • Defenders protecting Zimbra appliances should look out for odd CC or To addresses that look malformed or contain suspicious strings, as well as logs from the Zimbra server indicating outbound connections to remote IP addresses.

Is Your Data Really Safe? How to Test Your Backups

Post Syndicated from David Johnson original https://www.backblaze.com/blog/is-your-data-really-safe-how-to-test-your-backups/

A decorative image showing icons related to backing up and restoring data.

Ransomware is now a billion dollar industry, and one of the best things any business can do to protect its bottom line is to back up. But, it’s important to remember that backups are only the first step in the process—when you are affected by a ransomware attack, natural disaster, or even human error, you’ll then need to restore. 

As your business scales and becomes more complex, so does your backup and restore process. You’ll have more types of data to restore, on more networks and devices, with more people involved at every step of the way. 

The best way to make sure your backups are effective? Test them regularly. Let’s talk about why and how. 

Good reasons to test your backups

By regularly testing your backups, you can improve your chances of a successful recovery and minimize the impact of data loss. Here are several reasons why regular backup testing is crucial:

  1. Data integrity verification: Testing ensures that your backups are accurate and complete. A failed test might reveal corrupted files or missing data that could lead to significant losses.
  2. Recovery process validation: By simulating the recovery process, you can identify potential bottlenecks or issues in your restoration procedures. This ensures that you can quickly and effectively recover your data in case of a disaster.
  3. Disaster readiness assessment: Regular testing helps you assess your overall disaster recovery plan. It reveals any weaknesses or gaps that need to be addressed to ensure business continuity and to meet recovery time objectives.
  4. Compliance adherence: Many industries have strict data retention and backup requirements. Testing helps you demonstrate compliance with these regulations. 
  5. Cyber insurance standards: Cyber insurance adoption is increasingly important for businesses, and many cyber insurance providers focus both on helping their clients prepare for ransomware attacks and recovery after the fact. As a result, many require regular backup verification testing and reporting. 
  6. Peace of mind: Knowing that your backups are reliable and tested can provide peace of mind and reduce stress during a crisis.
  7. Early detection of issues: Testing can uncover problems with your backup software, hardware, or processes early on, allowing you to address them before they lead to more significant consequences.

In short, regular backup testing not only confirms that your data is properly backed up, but also ensures that you’re meeting recovery point objectives (RPO), have key features like immutability configured properly, and supports overall business objectives.

Ransomware and backups

In addition to the above reasons, it’s important to note the growing trend for ransomware bad actors to specifically target backups. Veeam’s 2024 Ransomware Trends Report shows that 96% of attacks focus on backup repositories with the bad actors successfully affecting the backups in 76% of cases. Elsewhere, Sophos reports in instances where backups were compromised, ransomware demands doubled, and recovery costs were eight times higher. 

How to test your backups

Testing device backups is crucial to ensure data integrity and recoverability in case of loss or damage. Here are some effective methods:

1. Manual restoration tests

  • Regularly restore files: Select random files from your backup and restore them to a different location. Verify that the restored files are identical to the original files.
  • Test system restore: If your backup includes system images, periodically restore them to a separate partition or virtual machine to ensure they function correctly.

2. Automated testing tools

  • Backup software features: Many backup solutions offer built-in testing features. These tools can automatically verify the integrity of your backups and alert you to any issues. Restore services like Cloud Instant Backup Recovery can also provide valuable insight and support before, during, and after ransomware events. 
  • Third-party verification tools: Consider using specialized tools designed for backup verification. These tools can provide more in-depth analysis and reporting.

3. Simulated disaster scenarios 

  • Create a test environment: Set up a simulated disaster environment, such as a corrupted hard drive or a system failure.
  • Attempt recovery: Try to restore your data from the backup to the simulated environment. This will help you assess the effectiveness of your backup and recovery procedures.

4. Cloud-based backup testing for different recovery scenarios

  • Restore workstations: If you use cloud backup for your workstations, test restoring your files to a new device. This will show the functionality of the cloud backup service and ensure that your data can be accessed and restored successfully.
  • Restore server or network data: In addition to endpoints, you’ll also want to restore your servers or networks to different business locations. This lets you pressure test the cost of restores to account for things like hidden fees, and to ensure functions like immutability are properly configured.   

5. Regular backup verification

  • Check file integrity: Regularly verify the integrity of your backup files using checksums or hash functions. This will help detect any corruption or damage that may have occurred.
  • Review backup logs: Monitor your backup logs for any errors or warnings that might indicate issues with the backup process.

By following these methods, you can ensure that your device backups are reliable and that you can recover your data effectively in case of a disaster.

The human element

Don’t forget that this includes things like establishing where and how you’ll communicate if, for instance, company email is offline. It’s also important to designate incident managers to streamline decision making and ensure that essential personnel have the access and permissions they need. 

How cloud storage can help

Store your backup data in readily accessible, hot storage. This minimizes retrieval times during a disaster, enabling faster recovery of critical applications and data. 

By implementing a robust backup strategy that incorporates the 3-2-1 backup rule (or, the more robust, and increasingly enterprise standard 3-2-1-1-0 method), immutability, version control, and cloud storage, you can ensure the protection of your critical data against various threats. And, by testing frequently, you can rely on the fact that those backups—and your team—are ready to get your business back online as soon as possible.

The post Is Your Data Really Safe? How to Test Your Backups appeared first on Backblaze Blog | Cloud Storage & Cloud Backup

Our 4 Essential Strategy Takeaways from the Gartner® 2024 Report – How to Prepare for Ransomware Attacks

Post Syndicated from Rapid7 original https://blog.rapid7.com/2024/09/09/our-4-essential-strategy-takeaways-from-the-gartner-r-2024-report-how-to-prepare-for-ransomware-attacks/

Our 4 Essential Strategy Takeaways  from the Gartner® 2024 Report – How to Prepare  for Ransomware Attacks

As ransomware threats continue to evolve, security and risk management leaders must stay ahead by adopting comprehensive strategies to protect their organizations. The 2024 Gartner report, “How to Prepare for Ransomware Attacks”, provides critical insights into the latest tactics used by bad actors and offers practical solutions on how to fortify defenses.

Below, we highlight our four key strategy takeaways  from the report to help your organization prepare for and respond to ransomware attacks.

Adapt to the rise of extortionware

Traditional ransomware tactics are shifting towards extortionware—where attackers steal data and demand payment for its destruction rather than encrypting it. This growing threat emphasizes the need for robust data protection strategies.

According to Gartner: “Extortionware (encryption-free, data theft attack) is a growing tactic being used by bad actors.”

This evolution in tactics, which includes the emergence of 21 new ransomware groups in the first half of 2024, as noted in Rapid7’s Ransomware Radar Report, underscores the need for organizations to continuously update their defenses to counter new threats.

Actionable Strategy: Regularly update your threat models and security measures to account for new and emerging ransomware groups. Invest in advanced threat intelligence to stay informed about the latest tactics used by these criminal enterprises.

Strengthen your defenses with advanced detection technologies

This is increasingly important as ransomware attacks are becoming more frequent and sophisticated. Rapid7’s research highlights a 23% increase in ransomware posts on leak sites during the first half of 2024, further emphasizing the growing threat landscape.

We believe Gartner reinforces the importance of detection, stating: “… identity threat detection and response (NDR) tools  collect indicators of compromise (IOCs) and events that alert you to anomalous behaviors that could indicate that an attack ‘may’ be underway.”

In addition to these detection tools, Gartner advises that a defense strategy should include Endpoint Protection Platforms (EPPs), EDR, and mobile threat defense (MTD) solutions.

For organizations lacking the necessary in-house expertise or resources, Gartner recommends supplementing EDR with managed services: “If internal teams don’t have the necessary skill set or bandwidth, supplement EDR with managed services (see Market Guide for Managed Detection and Response Services).”

Actionable strategy: Implement and regularly update behavioral-anomaly-based detection technologies. Ensure that your security operations center (SOC) is equipped to respond swiftly to any detected threats.

Rapid7’s Managed Threat Complete, which integrates core MDR functionality with transparency into operations and technology, ensures comprehensive visibility across endpoints, networks, users, and cloud infrastructure. We believe this aligns with the Gartner recommendation to supplement EDR with managed services to enhance your organization’s security posture (see the Gartner Market Guide for Managed Detection and Response Services).

Pay attention to vulnerable targets

While large organizations are often targeted, mid-sized companies are increasingly vulnerable to ransomware attacks. Rapid7’s findings support this, showing that companies with $5 million in annual revenue are being attacked up to five times more often than larger enterprises. These organizations are particularly attractive to attackers due to their valuable data and often less mature security defenses.

Actionable strategy: Mid-sized organizations should prioritize investing in mature cybersecurity defenses, particularly in endpoint protection, identity management, and regular security training for employees.

You can view the Rapid7 Ransomware Radar Report here.

Pay attention to vulnerable targets

While large organizations are often targeted, mid-sized companies are increasingly vulnerable to ransomware attacks. Rapid7’s findings support this, showing that companies with $5 million in annual revenue are being attacked up to five times more often than larger enterprises. These organizations are particularly attractive to attackers due to their valuable data and often less mature security defenses.

Actionable strategy: Mid-sized organizations should prioritize investing in mature cybersecurity defenses, particularly in endpoint protection, identity management, and regular security training for employees.

You can view the Rapid7 Ransomware Radar Report here.

Prepare with a comprehensive ransomware playbook

One of the key insights from the Gartner research is the critical importance of having a well-prepared incident  response plan. Given the increasingly sophisticated nature of ransomware groups—many of which now operate like full-fledged businesses with their own marketplaces and support networks—a detailed and rehearsed ransomware playbook is essential for any organization.

Gartner  states: “Develop an incident response plan with containment strategies that is augmented with a ransomware playbook.”

Actionable strategy: Develop and regularly update a ransomware playbook that includes clear roles, decision-making protocols, and communication plans. Conduct regular tabletop exercises to ensure your team is prepared to act swiftly and effectively.

Conclusion: fortify your defenses against ransomware

Ransomware is an ever-present threat that requires a proactive, multi-layered approach to defense. We feel the 2024 Gartner Report “How to Prepare for Ransomware Attacks” provides essential strategies for preparing, detecting, and responding to these attacks. By implementing these recommendations, we believe your organization can better protect itself against the evolving tactics of cybercriminals.

Download the full Gartner report to explore detailed insights and recommendations for strengthening your ransomware defenses.

Gartner, Inc. How to Prepare for Ransomware Attacks. Paul Furtado. 16 April 2024.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the

U.S. and internationally and is used herein with permission. All rights reserved.

Security Researcher Sued for Disproving Government Statements

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2024/09/security-researcher-sued-for-disproving-government-statements.html

This story seems straightforward. A city is the victim of a ransomware attack. They repeatedly lie to the media about the severity of the breach. A security researcher repeatedly proves their statements to be lies. The city gets mad and sues the researcher.

Let’s hope the judge throws the case out, but—still—it will serve as a warning to others.

Selling Ransomware Breaches: 4 Trends Spotted on the RAMP Forum

Post Syndicated from Christiaan Beek original https://blog.rapid7.com/2024/08/20/selling-ransomware-breaches-4-trends-spotted-on-the-ramp-forum/

Selling Ransomware Breaches: 4 Trends Spotted on the RAMP Forum

The sale and purchase of unauthorized access to compromised enterprise networks has become a linchpin for cybercriminal operations, particularly in facilitating ransomware attacks. Underground forums are sharing guidelines on breaching networks and selling the access they obtain, leaving the exploitation to other malicious actors.

On underground criminal forums, these transactions allow actors with complementary skills to collaborate, amplifying the impact and reach of cyberattacks. The market for such access has grown notably, especially as ransomware operators increasingly employ double-extortion tactics. A foothold in a victim’s network, with credentials that enable stealthy operations, has never been a more lucrative — and popular — business model.

Organizations across all sectors and regions are vulnerable and a target. The collective shift to remote work during the COVID-19 pandemic has expanded the attack surface, as more remote access tools remain in use to this day. In our 2024 Attack Intelligence Report, we noted that 36% of all widespread threat events Rapid7 tracked in 2023 involved the exploitation of network edge device vulnerabilities. This trend has continued into 2024.

In this blog, we delve into a major forum frequented by ransomware actors and affiliates, called RAMP. As part of our research for the Rapid7 Ransomware Radar Report, we analyzed RAMP postings offering corporate access from January 1, 2024 to June 30, 2024, uncovering 4 key trends within this underground marketplace.

The forum: RAMP

Re-launched/branded in July 2021, the RAMP (Ransomware and Advanced Malware Protection) forum is an underground cybercriminal hub originally known as Payload.bin, tracing its roots back to 2012 when it first operated on the Tor network. With a primary focus on ransomware, RAMP is a multilingual platform catering to Russian, Chinese, and English speakers and boasts over 14,000 registered members. Access to RAMP is highly restricted; potential users must have been active members on the XSS and Exploit forums for at least two months, have posted at least ten times, and maintain a good reputation, or alternatively, pay a $500 registration fee for anonymity.

Selling Ransomware Breaches: 4 Trends Spotted on the RAMP Forum

RAMP serves as both a forum and a marketplace, offering ransomware kits, malware, and stolen data, while also providing comprehensive guides and tutorials for cyberattacks. It facilitates ransomware-as-a-service (RaaS) operations, enabling affiliates to deploy ransomware for a share of the profits. Despite its high registration fee, a stark contrast to the $120 annual fee for premium XSS users, RAMP’s closed community is a critical resource for many threat actors. The forum’s design mimics Silk Road-like darknet markets, including escrow features, and it operates primarily off-the-record to avoid law enforcement detection. Its administrator claims an annual revenue of around $250,000, benefiting from its predominantly Russian user base and a strict policy against selling certain illegal goods and services.

Selling Access

To investigate the trends and context around the selling of access into corporate networks, we analyzed all the postings on the RAMP forum from January through June 2024. Some of these posts were cross-posted on other underground forums as well. In most of the cases, the initial access was mentioned and/or the price asked. Where this data was not available, we classified that as ‘unknown’ in our dataset for analysis.

Selling Ransomware Breaches: 4 Trends Spotted on the RAMP Forum

So what are some of the trends we discovered?

Trend #1: Country Distribution

The United States leads the pack with the highest number of entries referencing the country of the company attackers have credentials or access to, followed by France and Brazil. Companies based in Western countries command a higher price due to their perceived wealth and easier access to resources for payment, so what we’re seeing thus far in 2024 (per the chart below) is what would be expected. The only exception to this is Brazil, likely due to Brazilian affiliates that target larger Brazilian businesses.

Selling Ransomware Breaches: 4 Trends Spotted on the RAMP Forum

Trend #2: Revenue Distribution

One of the variables that determine the asking price for network access is the revenue made by the target. Very often, sites like ZoomInfo are used to look up the annual revenue, which is then mentioned in the posting, as in our example below.

Selling Ransomware Breaches: 4 Trends Spotted on the RAMP Forum

As the chart below shows, we observed a broad range of revenue values within the RAMP dataset, where some entries specified exact amounts and others used ranges. A significant number of entries included revenues in the millions, particularly around $5 million USD.

In fact, companies with revenues in the $5 million range appeared twice as often as those in the $30-50 million range and 5 times more frequently than those with a $100 million revenue. This could indicate that such companies are large enough to hold valuable data but perhaps not as well protected as larger corporations. Regardless, this finding shows that companies with $5 million in revenue are attractive targets and represents an interesting shift from access brokers only targeting the “big fish.”

Selling Ransomware Breaches: 4 Trends Spotted on the RAMP Forum

Trend #3: Access Type Distribution

How are threat actors getting in? Our analysis shows that Remote Desktop Protocol (RDP) is the most common access type, followed by VPN. VPN presents a greater possibility of remaining undetected. That, in combination with the level of access (user or privileged user), demands a higher price.

Selling Ransomware Breaches: 4 Trends Spotted on the RAMP Forum

RDP is often used for remote work and system management, and it can be a significant vulnerability if not properly secured. The prevalence of RDP underscores the importance of securing remote access points.

As noted in our 2024 Attack Intelligence Report, missing or unenforced multi-factor authentication (MFA) gave rise to 41% of the incidents Rapid7 MDR observed in 2023. Companies should ensure robust security measures like MFA and proper network segmentation to protect RDP endpoints. Also, if we consider the combined value of VPN and such technologies, then the trend of targeting network edge devices will certainly continue.

Trend #4: Price Distribution

Many RAMP entries list unknown prices. Among the known prices, amounts like $500, $800, and $1000 are common. Company revenue, headquarter location, and the type of access are each a basis for how the threat actor formulates their asking price, which can range widely based on the perceived value of the target network. It is common for prices to spike based on the specific attributes of the target (e.g., revenue, security posture, type of data accessible).

Conclusion

Our analysis highlights key areas of concern for companies looking to protect themselves against access brokers. Businesses in the US, France, and Brazil, as well as those with revenues around $5 million, should be particularly vigilant. Securing remote access points, investing in robust solutions, and understanding the pricing dynamics of the black market for network access can help companies bolster their defenses against this pervasive threat.

By staying informed about these and other ransomware trends, businesses can better understand the risks and implement effective measures to safeguard their networks against unauthorized access.

If your organization needs assistance responding to a ransomware incident, Rapid7 Incident Response can help.

The State of Ransomware

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2024/08/the-state-of-ransomware.html

Palo Alto Networks published its semi-annual report on ransomware. From the Executive Summary:

Unit 42 monitors ransomware and extortion leak sites closely to keep tabs on threat activity. We reviewed compromise announcements from 53 dedicated leak sites in the first half of 2024 and found 1,762 new posts. This averages to approximately 294 posts a month and almost 68 posts a week. Of the 53 ransomware groups whose leak sites we monitored, six of the groups accounted for more than half of the compromises observed.

In February, we reported a 49% increase year-over-year in alleged victims posted on ransomware leak sites. So far, in 2024, comparing the first half of 2023 to the first half of 2024, we see an even further increase of 4.3%. The higher level of activity observed in 2023 was no fluke.

Activity from groups like Ambitious Scorpius (distributors of BlackCat) and Flighty Scorpius (distributors of LockBit) has largely fallen off due to law enforcement operations. However, other threat groups we track such as Spoiled Scorpius (distributors of RansomHub) and Slippery Scorpius (distributors of DragonForce) have joined the fray to fill the void.

Key Takeaways From The Take Command Summit: Unlocking Security Success

Post Syndicated from Emma Burdett original https://blog.rapid7.com/2024/08/09/key-takeaways-from-the-take-command-summit-unlocking-security-success/

Key Takeaways From The Take Command Summit: Unlocking Security Success

As cybersecurity threats continue to evolve, so must our defenses. The recent Rapid7 Take Command Summit provided invaluable insights into preparing for, responding to, and recovering from ransomware attacks. Here are three essential takeaways from the session, “Before, During, & After Ransomware Attacks,” that every cybersecurity professional should consider.

1. Proactive Defense is Crucial: Fortify your defenses before an attack happens.. According to the panel, comprehensive security measures such as regular patching, network segmentation, and user training are vital. Implementing endpoint detection and response solutions can significantly reduce vulnerabilities. Eddie Bobritsky said, “prevention is always coming before detection and response. Investing in proactive measures is crucial.”

2. Swift Decision-Making During an Attack: During an attack, immediate and decisive action is paramount. Establishing clear protocols and communication channels can mitigate damage effectively. The panel highlighted the importance of isolating infected systems and restricting network access to contain the threat. Robert Knapp said, “swift decision-making is key to minimizing impact and ensuring a successful investigation.”

3. Building Resilience After an Attack: Recovery is a multifaceted effort. Conducting thorough forensic analysis to identify the root causes of the attack and implementing robust data backup and recovery processes are essential steps. Lonnie Best said, “building resilience against the recurrence of ransomware attacks requires proactive security measures and regular security assessments.”

Key Statistics

  • 65% of organizations impacted by ransomware in 2023 faced more than 6 days of downtime.
  • Ransomware payments were said to have topped $1 billion in 2023.
  • Rapid7 tracked 5600 reported ransomware cases between January 2023 and February 2024.

No matter how much you invest in the before stage, it will always be cheaper than dealing with it afterwards.” – Eddy Bobritsky, Senior Director, Product Management, Rapid7

Ransomware attacks are a significant threat, but with the right strategies and proactive measures, organizations can enhance their defenses and build resilience. To dive deeper into these strategies and hear more from the experts, watch the full video from the Rapid7 Take Command Summit.

Rapid7’s Ransomware Radar Report Shows Threat Actors are Evolving …Fast.

Post Syndicated from Tom Caiazza original https://blog.rapid7.com/2024/08/06/rapid7s-ransomware-radar-report-shows-threat-actors-are-evolving-fast/

Rapid7’s Ransomware Radar Report Shows Threat Actors are Evolving …Fast.

Few issues keep cybersecurity professionals up at night more than the threat of ransomware. The ubiquity of targets, the relative organization of threat actors, and their multiple paths of entry make combating ransomware particularly formidable.

But there is one more facet to this threat that makes ransomware a vexing problem across all organizations: it’s evolving, constantly.

In a new report released today by Rapid7 Labs, researchers, threat intelligence experts, and detection & response teams have put together the latest state-of-play in the ransomware space. The Ransomware Radar Report offers some startling insights into who ransomware threat actors are and how they’ve been operating in the first half of 2024.

The fact of the matter is, ransomware as a business is booming. Over the first half of 2024, Rapid7 researchers found an increase of 23% in the number of posts ransomware groups were making to their leak sites. This correlates with the amount of extortion attempts these groups are attempting as they are rarely quiet about who they infiltrate. Surprisingly, one of the newest groups, RansomHub, made the second-most number of posts among the groups studied, with 181 over that six-month period. But, to put that into perspective, the leader, well-established LockBit, made 474 posts over the same time period.

This leads us to another intriguing finding: the number of new (or revamped) ransomware groups. We found that among a total of 68 unique groups posting extortion attempts, some 21 were either net new or rebranded from previous groups. The rebranded groups may indicate a bit of a silver lining as they are potentially due to the success of some recent law enforcement actions against ransomware threat actors.

However, threat actors are only half of the equation. The report also notes that the ransomware ecosystem may be moving away from the attacks on “big fish” we had seen in the past and toward smaller organizations as juicier targets. For instance, organizations with $5 million in annual revenue were five times more likely to be targeted than their larger counterparts. This could be for a lot of reasons, not the least of which is that these smaller organizations contain many of the same data threat actors are after, but they often have less mature security precautions in place.

Ransomware actors are also getting more sophisticated as businesses. They have their own marketplaces, sell their own products, and in some cases have 24/7 support. They also seem to be creating an ecosystem of collaboration and consolidation in the kinds of ransomware they deploy. Rapid7 researchers looked at different ransomware variants and found three distinct clusters of similarities. Essentially, many of these ransomware strains resemble one another. This could indicate collaboration among groups, reuse of source code, or the use of common builders. Other research avenues indicated that the number of ransomware families is going down — potentially showing that threat actors are focusing their efforts on more effective or specialized approaches.

The takeaways in this blog post are only the tip of the iceberg. The Ransomware Radar Report goes deep into the kinds of encryption algorithms that are trending at the moment and why, details on prevailing coding languages, and the varied tactics threat actors use to infiltrate organizations. To get the latest on ransomware and ensure your organization is well-informed and prepared for the fight against these threat actors, download the report here.

VMware ESXi CVE-2024-37085 Targeted in Ransomware Campaigns

Post Syndicated from Rapid7 original https://blog.rapid7.com/2024/07/30/vmware-esxi-cve-2024-37085-targeted-in-ransomware-campaigns/

VMware ESXi CVE-2024-37085 Targeted in Ransomware Campaigns

On Monday, July 29, Microsoft published an extensive threat intelligence blog on observed exploitation of CVE-2024-37085, an Active Directory integration authentication bypass vulnerability affecting Broadcom VMware ESXi hypervisors. The vulnerability, according to Redmond, was identified in zero-day attacks and has evidently been used by at least half a dozen ransomware operations to obtain full administrative permissions on domain-joined ESXi hypervisors (which, in turn, enables attackers to encrypt downstream file systems). CVE-2024-37085 was one of multiple issues fixed in a June 25 advisory from Broadcom; it appears to have been exploited as a zero-day vulnerability.

Per Broadcom’s advisory, successful exploitation of CVE-2024-37085 allows attackers “with sufficient Active Directory (AD) permissions to gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group (‘ESXi Admins’ by default) after it was deleted from Active Directory.”

Notably, Broadcom’s advisory differs from Microsoft’s description, which says: “VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default. This group is not a built-in group in Active Directory and does not exist by default. ESXi hypervisors do not validate that such a group exists when the server is joined to a domain and still treats any members of a group with this name with full administrative access, even if the group did not originally exist.”

Also of note: While the VMware advisory indicates ESXi Admins is the default AD group, the Microsoft observations quoted in this blog all indicate use of ESX Admins rather than ESXi Admins.

ESXi hypervisors have been a popular target for ransomware groups in years past. Notably, since ESXi should not be internet-exposed, we would not expect CVE-2024-37085 to be an initial access vector — adversaries will typically need to have already obtained a foothold in target environments to be able to exploit the vulnerability to escalate privileges.

Exploitation

Microsoft researchers discovered CVE-2024-37085 after it was used as a post-compromise attack technique used by a number of ransomware operators, including Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest. The attacks Microsoft observed included use of the following commands, which first create a group named “ESX Admins” in the domain and then adds a user to that group:

net group “ESX Admins” /domain /add
net group “ESX Admins” username /domain /add

Microsoft identified three methods for exploiting CVE-2024-37085, including the in-the-wild technique described above:

  • Adding the “ESX Admins” group to the domain and adding a user to it (observed in the wild): If the “ESX Admins” group doesn’t exist, any domain user with the ability to create a group can escalate privileges to full administrative access to domain-joined ESXi hypervisors by creating such a group, and then adding themselves, or other users in their control, to the group.
  • Renaming any group in the domain to “ESX Admins” and adding a user to the group or using an existing group member: This requires an attacker to have access to a user that has the capability to rename arbitrary groups (i.e., by renaming one of them “ESX Admins”). The threat actor can then add a user, or leverage a user that already exists in the group, to escalate privileges to full administrative access.
  • ESXi hypervisor privileges refresh: Even if the network administrator assigns any other group in the domain to be the management group for the ESXi hypervisor, the full administrative privileges to members of the “ESX Admins” group are not immediately removed and threat actors still could abuse it.

Mitigation guidance

The following products and versions are vulnerable to CVE-2024-37085:

The Broadcom advisory on CVE-2024-37085 links to a workaround that modifies several advanced ESXi settings to be more secure; the workaround page notes that for all versions of ESXi (prior to ESXi 8.0 U3), “several ESXi advanced settings have default values that are not secure by default. The AD group "ESX Admins" is automatically given the VIM Admin role when an ESXi host is joined to an Active Directory domain.”

Broadcom VMware ESXi and Cloud Foundation customers should update to a supported fixed version as soon as possible. Administrators who are unable to update should implement workaround recommendations in the interim. ESXi servers should never be exposed to the public internet. Microsoft has additional recommendations on mitigating risk of exploitation in their blog.

Rapid7 customers

InsightVM and Nexpose customers who use ESXi hypervisors within their environments can assess their exposure to CVE-2024-37085 for the 8.x version stream with a vulnerability check available since June 2024. Support for scanning 7.0 is expected to be available in the July 30 content release.

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7’s expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to this vulnerability:

  • Attacker Technique – Creation of "ESX Admins" Domain Group using Net.exe

Is Ransomware Protection Working?

Post Syndicated from Bozho original https://techblog.bozho.net/is-ransomware-protection-working/

Recently an organization I’m familiar with suffered a ransomware attack. A LockBit ransomware infected a workstation and spread to a few servers. The attack was contained thanks to a quick incident response, but there was one important thing: the organization had a top-notch EDR installed. It’s in the Gartner’s leader quadrant for endpoint protection platforms. And it didn’t stop it. I won’t mention names, because the point here is not to attack a particular brand, but the fact that the attackers created a different build of the LockBit codebase meant that the signature-based detection didn’t work and so the files on the endpoints were encrypted. Not only that – attackers downloaded port scanners and executed password spraying on the network, in order to pivot to the servers, without much trouble caused by the EDR.

Ransomware is the most widespread type of attack, we have a security industry that’s trying to cope with those attacks for a long time, and in 2024 it’s sufficient to just rebuild the ransomware from source in order to not get caught. That’s a problem. To add insult to injury, the malware executable was called lockbit.exe_.

I think we need to think of better ways to tackle ransomware. I’m not an antivirus/EDR in-depth expert, but I have been thinking the following: why doesn’t the operating system have a built-in anti-ransomware functionality? The malware can stop endpoint agents, but it can’t stop the OS (well, it can stop OS services or modify OS dlls, I agree). I was thinking of native NTFS listeners to detect ransomware behavior – very fast enumeration and modification of files. Then I read this article titled “Microsoft Can Fix Ransomware Tomorrow” which echoed my thoughts. It’s not that simple as the title implies, and the article goes to argue that it’s hard, but something has to be done.

This may seriously impact the EDR market – if the top threat – ransomware – is automatically contained by built-in functionality, why purchase an EDR? Obviously, there are many other reasons to do so, but every budget cut will start from the EDR. Ransomware has been a successful driver for more investment in security. To prevent putting too much functionality in the OS, EDRs can tap into the detection capability of the OS to take further actions.

But ransomware works in a very simple way. Detecting mass-encryption of files is easy. Rate-limiting it is reasonable. You may be aware, but CPUs have AES-specific instructions that improve the performance of AES encryption – the fact that these instructions are used may be a further indicator of an ongoing ransomware attack.

I think we have to tap into the lower levels of our software stack – file system, OS, CPU – in order to tackle ransomware. It’s clear that omnipotent endpoint agents don’t exist, no matter how much “AI magic” you sprinkle ontop of them in the data sheet (I remember once asking another EDR vendor on a conference how exactly their AI is working. My impression from the answer was: it’s rules).

As I said, I’m no AV/EDR expert, and I expect comments like “But we are already doing that”. I’m sure APIs like this one are utilized by AV/EDRs, but they may be too slow or too heavy to be used. And it may mean that this APIs can be optimized for the ransomware-detection usecase. I don’t have a ready answer (otherwise I’d be an EDR vendor), but I’d welcome a serious discussion on that. We can’t be in a situation where purchasing an expensive security tool doesn’t reliably solve the most prominent threat – “off-the-shelf” ransomware.

The post Is Ransomware Protection Working? appeared first on Bozho's tech blog.

FBI Seizes BreachForums Website

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2024/05/fbi-seizes-breachforums-website.html

The FBI has seized the BreachForums website, used by ransomware criminals to leak stolen corporate data.

If law enforcement has gained access to the hacking forum’s backend data, as they claim, they would have email addresses, IP addresses, and private messages that could expose members and be used in law enforcement investigations.

[…]

The FBI is requesting victims and individuals contact them with information about the hacking forum and its members to aid in their investigation.

The seizure messages include ways to contact the FBI about the seizure, including an email, a Telegram account, a TOX account, and a dedicated page hosted on the FBI’s Internet Crime Complaint Center (IC3).

“The Federal Bureau of Investigation (FBI) is investigating the criminal hacking forums known as BreachForums and Raidforums,” reads a dedicated subdomain on the FBI’s IC3 portal.

“From June 2023 until May 2024, BreachForums (hosted at breachforums.st/.cx/.is/.vc and run by ShinyHunters) was operating as a clear-net marketplace for cybercriminals to buy, sell, and trade contraband, including stolen access devices, means of identification, hacking tools, breached databases, and other illegal services.”

“Previously, a separate version of BreachForums (hosted at breached.vc/.to/.co and run by pompompurin) operated a similar hacking forum from March 2022 until March 2023. Raidforums (hosted at raidforums.com and run by Omnipotent) was the predecessor hacking forum to both version of BreachForums and ran from early 2015 until February 2022.”

Ongoing Malvertising Campaign leads to Ransomware

Post Syndicated from Tyler McGraw original https://blog.rapid7.com/2024/05/13/ongoing-malvertising-campaign-leads-to-ransomware/

Executive Summary

Ongoing Malvertising Campaign leads to Ransomware

Rapid7 has observed an ongoing campaign to distribute trojanized installers for WinSCP and PuTTY via malicious ads on commonly used search engines, where clicking on the ad leads to typo squatted domains. In at least one observed case, the infection has led to the attempted deployment of ransomware. The analysis conducted by Rapid7 features updates to past research, including a variety of new indicators of compromise, a YARA rule to help identify malicious DLLs, and some observed changes to the malware’s functionality.  Rapid7 has observed the campaign disproportionately affects members of IT teams, who are most likely to download the trojanized files while looking for legitimate versions. Successful execution of the malware then provides the threat actor with an elevated foothold and impedes analysis by blurring the intentions of subsequent administrative actions.

Ongoing Malvertising Campaign leads to Ransomware
Figure 1. Simplified overview of the attack flow.

Overview

Beginning in early March 2024, Rapid7 observed the distribution of trojanized installers for the open source utilities WinSCP and PuTTy. WinSCP is a file transfer client, PuTTY a secure shell (SSH) client. The infection chain typically begins after a user searches for a phrase such as download winscp or download putty, on a search engine like Microsoft’s Bing. The search results include an ad for the software the user clicks on, which ultimately redirects them to either a clone of the legitimate website, in the case of WinSCP, or a simple download page in the case of PuTTY. In both cases, a link to download a zip archive containing the trojan from a secondary domain was embedded on the web page.

Ongoing Malvertising Campaign leads to Ransomware
Figure 2. Appearance of the cloned WinSCP website.

The infection begins after the user has downloaded and extracted the contents of the zip archive and executed setup.exe, which is a renamed copy of pythonw.exe, the legitimate Python hidden console window executable.

Ongoing Malvertising Campaign leads to Ransomware
Figure 3. Files contained within an archive targeting WinSCP.

Upon execution, setup.exe loads the malicious DLL python311.dll. As seen in Figure 2, the copy of the legitimate python311 DLL which setup.exe is intended to load has actually been renamed to python311x.dll. This technique is known as DLL side-loading, where a malicious DLL can be loaded into a legitimate, signed, executable by mimicking partial functionality and the name of the original library. The process of side-loading the DLL is also facilitated by hijacking the DLL search order, where attempts are made to load DLLs contained within the same directory first, before checking other directories on the system where a legitimate copy might be present. Rapid7 has also observed the Python 3.11 library being targeted in prior malware campaigns, such as the novel IDAT loader, discovered by Rapid7 during August of 2023.

The primary payload contained within python311.dll is a compressed archive encrypted and included within the DLL’s resource section. During execution, this archive is unpacked to execute two child processes.

Ongoing Malvertising Campaign leads to Ransomware
Figure 4. The process tree spawned by the malware.

First, the malware executes the unpacked copy of the legitimate WinSCP installer, seen in Figure 3 as WinSCP-6.1.1-Setup.exe. Then, the malicious Python script systemd.py is executed via pythonw.exe after being unpacked into the staging directory %LOCALAPPDATA%\Oracle\ along with numerous Python dependencies. Following the successful execution of both processes, setup.exe then terminates.

The script systemd.py, executed via pythonw.exe, decrypts and executes a second Python script then performs decryption and reflective DLL injection of a Sliver beacon. Reflective DLL injection is the process of loading a library into a process directly from memory instead of from disk. In several cases, Rapid7 observed the threat actor take quick action upon successful contact with the Sliver beacon, downloading additional payloads, including Cobalt Strike beacons. The access is then used to establish persistence via scheduled tasks and newly created services after pivoting via SMB. In a recent incident, Rapid7 observed the threat actor attempt to exfiltrate data using the backup utility Restic, and then deploy ransomware, an attempt which was ultimately blocked during execution.

The related techniques, tactics, and procedures (TTP) observed by Rapid7 are reminiscent of past BlackCat/ALPHV campaigns as reported by Trend Micro last year. This campaign, referred to as Nitrogen by Malwarebytes, and eSentire, has previously been reported to use similar methods.

Technical Analysis

To take a more in depth look at the malware delivery and functionality, we analyzed a malware sample recently observed being delivered to users looking for a PuTTY installer.

Initial Access

The source of the infection was a malicious ad served to the user after their search for download putty. When the user clicked on the ad, which are typically pushed to the top of the search results for visibility, they were redirected to a typo-squatted domain at the URL hxxps://puttty[.]org/osn.php. The landing page includes a download button for PuTTY, as well as two legitimate links to download a Bitvise SSH server/client. However, when the download link is clicked by the user it calls the embedded function loadlink(), which redirects the user to hxxps://puttty[.]org/dwnl.php, which then finally redirects the user to the most recent host of the malicious zip archive to serve the download. At the time of writing, puttty[.]org and the relevant URLs were still active, serving the zip archive putty-0.80-installer.zip from the likely compromised WordPress domain areauni[.]com.

Ongoing Malvertising Campaign leads to Ransomware
Figure 5. Landing page for the malicious ad.

Rapid7 observed the base domain, puttty[.]org was also serving a cloned version of a PuTTY help article available at BlueHost, where the download link provided is actually for the official distributor of the software. This relatively benign page is most likely conditionally served as a way to reduce suspicion as noted by Malwarebytes.

In comparison, the typo-squatted WinSCP domains conditionally redirected visits to Rick Astley’s Never Gonna Give You Up. Classic.

Execution

Upon extracting the zip archive putty-0.80-installer.zip, the user is once again presented with setup.exe, a renamed copy of pythonw.exe, to entice the user to initiate the infection by launching the executable.

Ongoing Malvertising Campaign leads to Ransomware
Figure 7. The extracted contents of putty-0.80-installer.zip.

Once executed, setup.exe will side-load the malicious DLL python311.dll. The DLL python311.dll then loads a renamed copy of the legitimate DLL, python3.dll, from the same directory after dynamically resolving the necessary functions from kernel32.dll by string match. Future requests for exported functions made by setup.exe can then be forwarded to python3.dll by python311.dll. This technique is commonly used when side-loading malware, so legitimate requests are proxied, which avoids unexpected behavior and improves stability of the payload delivery.

Ongoing Malvertising Campaign leads to Ransomware
Figure 8. Dynamic resolution of GetProcAddress.

Following the successful sideloading procedure, the malware then performs pre-unpacking setup by dynamically resolving additional functions from ntdll.dll. The malware still uses functionality similar to the publicly available AntiHook and KrakenMask libraries to facilitate setup and execution, as previously noted by eSentire, which provides additional evasion capabilities. AntiHook contains functionality to enumerate the loaded modules of a process, searching each one for hooks, and remaps a clean, unhooked version of the module’s text section, if hooks are found. KrakenMask contains functionality to spoof the return address of function calls, to evade stack traces, and functionality to encrypt the processes virtual memory at rest to evade memory scanners.

Ongoing Malvertising Campaign leads to Ransomware
Figure 9. ASM stub containing the return address spoofing logic, as seen in KrakenMask.
Ongoing Malvertising Campaign leads to Ransomware
Figure 10. Snippet of the function that performs byte comparisons to check for hooks, as seen in AntiHook.

The library ntdll.dll contains functions which make up the Windows Native API (NTAPI), which is generally the closest a process executed in user mode can get to utilizing functionality from the operating system’s kernel. By resolving NTAPI functions for use, malware can bypass detection applied to more commonly used user mode functions (WINAPI) and access lower level functionality that is otherwise unavailable. Several of the NTAPI function pointers resolved by the malware can be used for evasion techniques such as Event Tracing for Windows (ETW) tampering and bypass of the Anti-Malware Scan Interface (AMSI) as has been observed in prior Nitrogen campaign samples. Some of the functions are dynamically resolved from ntdll.dll are found using concatenation of stack strings to form the full name of the target API just before resolution is attempted, likely to help evade detection.

Resolved ntdll.dll functions
EtwEventWrite
EtwEventWriteFull
EtwNotificationRegister
EtwEventRegister

Table 1. Functions the malware dynamically resolves from ntdll.dll.

Other observed function strings
WldpQueryDynamicCodeTrust (wldp.dll)
AmsiScanBuffer (amsi.dll)

Table 2. Other evasion related WINAPI function strings observed in the malware

With setup complete, an encrypted resource stored within the resource section of python311.dll is retrieved using common resource WINAPI calls, including FindResourceA, LoadResource, SizeOfResource, and FreeResource.

Ongoing Malvertising Campaign leads to Ransomware
Figure 11. The encrypted resource is loaded into memory and decrypted using AES-256.

The resource is then decrypted in memory using an AES-256 hex key and initialization vector (IV) that are stored in the data section in plain text. The resulting file is a zip archive which contains three compressed files, including a legitimate MSI installation package for PuTTY and another compressed archive named installer_data.zip.

Ongoing Malvertising Campaign leads to Ransomware
Figure 12. Decrypted and decompressed contents of the resource.

To execute the PuTTY installer, the malware first creates a copy of the MSI file in the hard-coded directory C:\Users\Public\Downloads\ via a call to fopen and then decompresses and writes the retrieved MSI package content with multiple successive calls to fwrite and other CRT library file io functions, followed by fclose. The full output path is assembled by concatenating the target directory with the desired file name, which is retrieved from original_installer.txt. The contents of original_installer.txt are identical to the name of the MSI package observed in the resource, for this sample: putty-64bit-0.78-installer.msi.

Ongoing Malvertising Campaign leads to Ransomware
Figure 13. The malware creates the PuTTY MSI package within the public downloads directory.

The MSI package is then executed by a call to CreateProcessW with the command line msiexec.exe ALLUSERS=1 /i C:\Users\Public\Downloads\putty-64bit-0.78-installer.msi. So, before the execution of the next malware payload the user is provided with the software they were originally looking for. This functionality is commonly seen with trojans to avoid suspicion by the end user, as the user only sees the legitimate installation window pop up after initial execution. However, the version numbers between the executed MSI package, putty-64bit-0.78-installer.msi, and the initially downloaded zip archive, putty-64bit-0.80-installer.zip, don’t match — a potential indicator.

Ongoing Malvertising Campaign leads to Ransomware
Figure 14. The user only sees the installation window after executing setup.exe.

The same procedure is then repeated to copy the decompressed contents of the folder Oracle contained within the zip archive installer_data.zip to the staging directory created at %LOCALAPPDATA%\Oracle\. After the unpacking process is complete, another call by the malware to CreateProcessW executes the next payload with the command line %LOCALAPPDATA%\Oracle\pythonw.exe %LOCALAPPDATA%\Oracle\systemd.py. With its purpose completed, the loader then clears memory and passes back control to setup.exe, which promptly terminates, leaving the pythonw.exe process running in the background.

Ongoing Malvertising Campaign leads to Ransomware
Figure 15. Core functionality of systemd.py.

The Python script systemd.py contains multiple junk classes, which in turn contain numerous junk function definitions to pad out the core script. Ultimately, the script decrypts the file %LOCALAPPDATA%\Oracle\data.aes, which is a Sliver beacon DLL (original name: BALANCED_NAPKIN.dll), performs local injection of the Sliver DLL, and then calls the export StartW. The contents of main and other included functionality within the script appears to have been mostly copied from the publicly available Github repo for PythonMemoryModule.

Ongoing Malvertising Campaign leads to Ransomware
Figure 16. Strings within the DLL: The beacon was clearly generated by the Sliver framework.

Rapid7 has replicated the unpacking process of the beacon DLL in a python extraction script that is now publicly available along with a yara rule to detect the malicious DLL.

Mitigations

Rapid7 recommends verifying the download source of freely available software. Check that the hash of the downloaded file(s) match those provided by the official distributor and that they contain a valid and relevant signature. The DLLs that are side-loaded by malware are often unsigned, and are often present in the same location as the legitimately signed and renamed original, to which requests are forwarded. Bookmark the official distribution domains for the download of future updates.

DNS requests for permutations of known domains can also be proactively blocked or the requests can be redirected to a DNS sinkhole. For example, by using the publicly available tool DNSTwist we can identify several additional suspicious domains that match the observed ASNs and country codes observed for many of the C2 IPv4 addresses observed to be contacted by the malware as well as known malware hosts/facilitators.

Domain IPv4 ASN
wnscp[.]net 91.92.253[.]80 AS394711:LIMENET
puttyy[.]org 82.221.136[.]24 AS50613:Advania Island ehf
puutty[.]org 82.221.129[.]39 AS50613:Advania Island ehf
putyy[.]org 82.221.136[.]1 AS50613:Advania Island ehf

Table 3. More suspicious domains found via DNSTwist.

Rapid7 observed impacted users are disproportionately members of information technology (IT) teams who are more likely to download installers for utilities like PuTTY and WinSCP for updates or setup. When the account of an IT member is compromised, the threat actor gains a foothold with elevated privileges which impedes analysis by blending in their actions with that of the administrator(s), stressing the importance of verifying the source of files before download, and their contents before execution.

MITRE ATT&CK Techniques

Tactic Technique Procedure
Resource Development T1583.008: Acquire Infrastructure: Malvertising The threat actor uses ads to promote malware delivery via popular search engines.
Initial Access T1189: Drive-by Compromise The user clicks on a malicious ad populated from a typical search engine query for a software utility and is ultimately redirected to a page hosting malware.
Execution T1106: Native API The malware dynamically resolves and executes functions from ntdll.dll at runtime.
Execution T1204.002: User Execution: Malicious File The user downloads and executes setup.exe (renamed pythonw.exe), which side-loads and executes the malicious DLL python311.dll.
Execution T1059.006: Command and Scripting Interpreter: Python The malware executes a python script to load and execute a Sliver beacon.
Persistence T1543.003: Create or Modify System Process: Windows Service The threat actor creates a service to execute a C2 beacon. The threat actor loads a vulnerable driver to facilitate disabling antivirus software and other defenses present.
Persistence T1053.005: Scheduled Task/Job: Scheduled Task The threat actor creates a scheduled task to execute a C2 beacon.
Defense Evasion T1140: Deobfuscate/Decode Files or Information The malware uses various string manipulation and obfuscation techniques.
Defense Evasion T1222.001: File and Directory Permissions Modification: Windows File and Directory Permissions Modification The malware calls chmod to change file permissions prior to execution.
Defense Evasion T1574.001: Hijack Execution Flow: DLL Search Order Hijacking The malware contained in python311.dll is loaded by a renamed copy of pythonw.exe from the same directory.
Defense Evasion T1574.002: Hijack Execution Flow: DLL Side-Loading The malware contained in python311.dll is loaded by a renamed copy of pythonw.exe and proxies requests to a renamed copy of the legitimate DLL.
Defense Evasion T1027.002: Obfuscated Files or Information: Software Packing The final payload executed by the malware is unpacked through several layers of compression, encryption, and file formats.
Defense Evasion T1027.013: Obfuscated Files or Information: Encrypted/Encoded File The malware also stores other file dependencies with several layers of obfuscation
Defense Evasion T1055.001: Process Injection: Dynamic-link Library Injection The malware loads a Sliver beacon DLL via python script.
Lateral Movement T1570: Lateral Tool Transfer The threat actor uses SMB via Cobalt Strike to pivot post compromise
Exfiltration T1567.002: Exfiltration Over Web Service: Exfiltration to Cloud Storage The threat actor attempts to exfiltrate data to a backup using Restic.
Impact T1486: Data Encrypted for Impact The threat actor attempts the deployment of ransomware after exfiltrating data.

Rapid7 Detections

For Rapid7 MDR and InsightIDR customers, the following detection rules are currently deployed and alerting against malware campaigns like the one described in this blog:

Detections
Suspicious Process – Sliver C2 Interactive Shell Execution via PowerShell
Suspicious Process – Python Start Processes in Staging Directories
Attacker Technique – Renamed PythonW.exe Executed From Non-Standard Folder
Suspicious Service: Service Installed With Command Line using Python
Network Discovery – Nltest Enumerate Domain Controllers
Attacker Technique – Potential Process Hollowing To DLLHost
Suspicious Process – Gpupdate.exe Execution With No Arguments
Suspicious Process Access – LSASS Memory Dump Using MiniDumpWriteDump Function

Indicators of Compromise

Network Based Indicators (NBIs)

Domain/IPv4 Address Notes
wnscp[.]net Typo-squatted domain, found via DNSTwist
puttyy[.]org Typo-squatted domain, found via DNSTwist
puutty[.]org Typo-squatted domain, found via DNSTwist
putyy[.]org Typo-squatted domain, found via DNSTwist
vvinscp[.]net Typo-squatted domain
winnscp[.]net Typo-squatted domain
puttty[.]org Typo-squatted domain
areauni[.]com Malicious zip archive host, likely compromised domain
mkt[.]geostrategy-ec[.]com Malicious zip archive host, likely compromised domain
fkm-system[.]com Malicious zip archive host, likely compromised domain
185.82.219[.]92 C2 address
91.92.242[.]183 C2 address
91.92.244[.]41 C2 address
91.92.249[.]106 C2 address
91.92.249[.]155 C2 address
91.92.252[.]238 C2 address
91.92.255[.]71 C2 address
91.92.255[.]77 C2 address
94.156.65[.]115 C2 address
94.156.65[.]98 C2 address
94.156.67[.]185 C2 address
94.156.67[.]188 C2 address
94.156.67[.]83 C2 address
94.158.244[.]32 C2 address

Host Based Indicators (HBIs)

File SHA256 Notes
DellAPC.exe 8b1946e3e88cff3bee6b8a2ef761513fb82a1c81f97a27f959c08d08e4c75324 Dropped by the threat actor post compromise
DellCTSW2.exe N/A Dropped by the threat actor post compromise
DellCTSWin.exe 2ee435033d0e2027598fc6b35d8d6cbca32380eb4c059ba0806b9cfb1b4275cc Dropped by the threat actor post compromise
DellPPem.exe 4b618892c9a397b2b831917264aaf0511ac1b7e4d5e56f177217902daab74a36 Dropped by the threat actor post compromise
DellPRT.exe 725aa783a0cd17df603fbe6b11b5a41c9fbfd6fc9e4f2e468c328999e5716faa Dropped by the threat actor post compromise
KeePassDR.exe c9042a7ed34847fee538c213300374c70c76436ee506273b35282c86a11d9e6a Dropped by the threat actor post compromise
NVDisplay.Contain64.exe 35161a508dfaf8e04bb6de6bc793a3840a05f2c04bbbbf8c2237abebe8e670aa Dropped by the threat actor post compromise
NVDisplay.Container64.exe 8bc39017b1ea59386f74d7c7822063b3b00315dd317f55ddc6634bde897c45c1 Dropped by the threat actor post compromise
NVDisplay.exe bbdf350c6ae2438bf14fc6dc82bb54030abf9da0c948c485e297330e08850575 Dropped by the threat actor post compromise
OktaServiceAgent.exe 28e5ee69447cea77eee2942c04009735a199771ba64f6bce4965d674515d7322 Dropped by the threat actor post compromise
OktaServiceAgent.exe f36e9dec2e7c574c07f3c01bbbb2e8a6294e85863f4d6552cccb71d9b73688ad Dropped by the threat actor post compromise
PDMVault.exe 242b2c948181f8c2543163c961775393220d128ecb38a82fa62b80893f209cab Dropped by the threat actor post compromise
PDMVault.exe 9be715df88024582eeabdb0a621477e04e2cf5f57895fa6420334609138463b9 Dropped by the threat actor post compromise
PDMVaultConf.exe 8b0d04f65a6a5a3c8fb111e72a1a176b7415903664bc37f0a9015b85d3fc0aa7 Dropped by the threat actor post compromise
PDMVaultL.exe 169ef0e828c3cd35128b0e8d8ca91fbf54120d9a2facf9eb8b57ea88542bc427 Dropped by the threat actor post compromise
PDMVaultLP.exe N/A Dropped by the threat actor post compromise
PDMVaultSec.exe 61214a7b14d6ffb4d27e53e507374aabcbea21b4dc574936b39bec951220e7ea Dropped by the threat actor post compromise
PDMVaultSecs.exe 51af3d778b5a408b725fcf11d762b0f141a9c1404a8097675668f64e10d44d64 Dropped by the threat actor post compromise
PDMVaultTest.exe 96ea33a5f305015fdd84bea48a9e266c0516379ae33321a1db16bc6fabad5679 Dropped by the threat actor post compromise
ServerController.exe 02330e168d4478a4cd2006dd3a856979f125fd30f5ed24ee70a41e03e4c0d2f8 Dropped by the threat actor post compromise
SgrmBroker.exe 8834ec9b0778a08750156632b8e74b9b31134675a95332d1d38f982510c79acb Dropped by the threat actor post compromise
VMImportHost.exe c8a982e2be4324800f69141b5be814701bcc4167b39b3e47ed8908623a13eb10 Dropped by the threat actor post compromise
VMImportHost2.exe 47ec3a1ece8b30e66afd6bb510835bb072bbccc8ea19a557c59ccdf46fe83032 Dropped by the threat actor post compromise
VMImportHost3.exe 9bd3c7eff51c5746c21cef536971cc65d25e3646533631344728e8061a0624cb Dropped by the threat actor post compromise
VMSAdmin.exe f89720497b810afc9666f212e8f03787d72598573b41bc943cd59ce1c620a861 Dropped by the threat actor post compromise
VMSAdminUtil.exe ca05485a1ec408e2f429e2e377cc5af2bee37587a2eb91dc86e8e48211ffc49e Dropped by the threat actor post compromise
VMSAdminUtilityUp.exe 972ca168f7a8cddd77157e7163b196d1267fe2b338b93dabacc4a681e3d46b57 Dropped by the threat actor post compromise
VMSBackupConfig.exe 1576f71ac41c4fc93c8717338fbc2ba48374894345c33bdf831b16d0d06df23d Dropped by the threat actor post compromise
VMSBackupUpdate.exe a5dfc9c326b1303cc1323c286ecd9751684fb1cd509527e2f959fb79e5a792c2 Dropped by the threat actor post compromise
dp_agent.exe 13B2E749EB1E45CE999427A12BB78CBEBC87C415685315C77CDFB7F64CB9AAB0 Dropped by the threat actor post compromise
local.exe bd4abc70de30e036a188fc9df7b499a19a0b49d5baefc99844dfdec6e70faf75 Dropped by the threat actor post compromise
lr_agent.exe d95f6dec32b4ebed2c45ecc05215e76bf2f520f86ad6b5c5da1326083ba72e89 Dropped by the threat actor post compromise
ntfrss.exe f36089675a652d7447f45c604e062c2a58771ec54778f6e06b2332d1f60b1999 Dropped by the threat actor post compromise
op_agent.exe 17e0005fd046e524c1681304493f0c51695ba3f24362a61b58bd2968aa1bd01a Dropped by the threat actor post compromise
pp.txt N/A Notable naming scheme
pr_agent.exe d27f9c0d761e5e1de1a741569e743d6747734d3cdaf964a9e8ca01ce662fac90 Dropped by the threat actor post compromise
python311.dll CD7D59105B0D0B947923DD9ED371B9CFC2C2AA98F29B2AFBDCD3392AD26BDE94 Malicious DLL sideloaded by setup.exe. Compiled 2024-03-05. Original name: python311_WinSCP.dll.
python311.dll 02D8E4E5F74D38C8E1C9AD893E0CEC1CC19AA08A43ECC87AC043FA825382A583 Malicious DLL sideloaded by setup.exe. Compiled 2024-04-03. Original name: python311_WinSCP.dll.
python311.dll 500574522DBCDE5E6C89803C3DCA7F857F73E0868FD7F8D2F437F3CC31CE9E8D Malicious DLL sideloaded by setup.exe. Compiled 2024-04-10. Original name: python311_Putty.dll.
-redacted-.exe a1cb8761dd8e624d6872960e1443c85664e9fbf24d3e208c3584df49bbdb2d9c Ransomware, named after the impacted domain.
readme.txt N/A Ransom note
resticORIG.exe 33f6acd3dfeda1aadf0227271937c1e5479c2dba24b4dca5f3deccc83e6a2f04 Exfil tool dropped by the threat actor
rr__agent.exe d94ed93042d240e4eaac8b1b397abe60c6c50a5ff11e62180a85be8aa0b0cc4a Dropped by the threat actor post compromise
truesight.sys bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c AV/EDR killer, used to facilitate the execution of ransomware.
veeam.backups.shell.exe 7d53122d6b7cff81e1c5fcdb3523ccef1dbd46c93020a0de65bc475760faff7d Dropped by the threat actor post compromise
vmtools.exe ED501E49B9418FCFAF56A2EFF7ADCF85A648BDEE2C42BB09DB8C11F024667BFA Dropped by the threat actor post compromise
vmtoolsda.exe 12AFBEC79948007E87FDF9E311736160797F245857A45C040966E8E029CA97B3 Dropped by the threat actor post compromise
vmtoolsdr.exe 989A8E6A01AA20E298B1FFAE83B50CEF3E08F6B64A8F022288DC8D5729301674 Dropped by the threat actor post compromise
vmtoolsds.exe 0AA248300A9F6C498F5305AE3CB871E9EC78AE62E6D51C05C4D6DD069622F442 Dropped by the threat actor post compromise
vmtoolsdt.exe DF0213E4B784A7E7E3B4C799862DB6EA60E34D8E22EB5E72A980A8C2E9B36177 Dropped by the threat actor post compromise
DellPP.exe 51D898DE0C300CAE7A57C806D652809D19BEB3E52422A7D8E4CB1539A1E2485D Dropped by the threat actor post compromise
DellPP2.exe 8827B6FA639AFE037BB2C3F092CCB12D49B642CE5CEC496706651EBCB23D5B9E Dropped by threat actor post compromise
data.aes F18367D88F19C555F19E3A40B17DE66D4A6F761684A5EF4CDD3D9931A6655490 Encrypted Sliver beacon
data.aes C33975AA4AB4CDF015422608962BD04C893F27BD270CF3F30958981541CDFEAD
Encrypted Sliver beacon
data.aes 868CD4974E1F3AC7EF843DA8040536CB04F96A2C5779265A69DF58E87DC03029 Encrypted Sliver beacon
systemd.py 69583C4A9BF96E0EDAFCF1AC4362C51D6FF71BBA0F568625AE65A1E378F15C65 Sliver beacon loader
systemd.py 03D18441C04F12270AAB3E55F68284DCD84721D1E56B32F8D8B732A52A654D2D Sliver beacon loader
systemd.py CF82366E319B6736A7EE94CCA827790E9FDEDFACE98601F0499ABEE61F613D5D Sliver beacon loader

Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators

Post Syndicated from Rapid7 original https://blog.rapid7.com/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/

Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators

Co-authored by Rapid7 analysts Tyler McGraw, Thomas Elkins, and Evan McCann

Executive Summary

Rapid7 has identified an ongoing social engineering campaign that has been targeting multiple managed detection and response (MDR) customers. The incident involves a threat actor overwhelming a user’s email with junk and calling the user, offering assistance. The threat actor prompts impacted users to download remote monitoring and management software like AnyDesk or utilize Microsoft’s built-in Quick Assist feature in order to establish a remote connection. Once a remote connection has been established, the threat actor moves to download payloads from their infrastructure in order to harvest the impacted users credentials and maintain persistence on the impacted users asset.

In one incident, Rapid7 observed the threat actor deploying Cobalt Strike beacons to other assets within the compromised network. While ransomware deployment was not observed in any of the cases Rapid7 responded to, the indicators of compromise we observed were previously linked with the Black Basta ransomware operators based on OSINT and other incident response engagements handled by Rapid7.

Overview

Since late April 2024, Rapid7 identified multiple cases of a novel social engineering campaign. The attacks begin with a group of users in the target environment receiving a large volume of spam emails. In all observed cases, the spam was significant enough to overwhelm the email protection solutions in place and arrived in the user’s inbox. Rapid7 determined many of the emails themselves were not malicious, but rather consisted of newsletter sign-up confirmation emails from numerous legitimate organizations across the world.

Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators
Figure 1. Example spam email.

With the emails sent, and the impacted users struggling to handle the volume of the spam, the threat actor then began to cycle through calling impacted users posing as a member of their organization’s IT team reaching out to offer support for their email issues. For each user they called, the threat actor attempted to socially engineer the user into providing remote access to their computer through the use of legitimate remote monitoring and management solutions. In all observed cases, Rapid7 determined initial access was facilitated by either the download and execution of the commonly abused RMM solution AnyDesk, or the built-in Windows remote support utility Quick Assist.

In the event the threat actor’s social engineering attempts were unsuccessful in getting a user to provide remote access, Rapid7 observed they immediately moved on to another user who had been targeted with their mass spam emails.

Once the threat actor successfully gains access to a user’s computer, they begin executing a series of batch scripts, presented to the user as updates, likely in an attempt to appear more legitimate and evade suspicion. The first batch script executed by the threat actor typically verifies connectivity to their command and control (C2) server and then downloads a zip archive containing a legitimate copy of OpenSSH for Windows (ultimately renamed to ***RuntimeBroker.exe***), along with its dependencies, several RSA keys, and other Secure Shell (SSH) configuration files. SSH is a protocol used to securely send commands to remote computers over the internet. While there are hard-coded C2 servers in many of the batch scripts, some are written so the C2 server and listening port can be specified on the command line as an override.

Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators
Figure 2. Initial batch script snippet
Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators
Figure 3. Compressed SSH files within s.zip.

The script then establishes persistence via run key entries  in the Windows registry. The run keys created by the batch script point to additional batch scripts that are created at run time. Each batch script pointed to by the run keys executes SSH via PowerShell in an infinite loop to attempt to establish a reverse shell connection to the specified C2 server using the downloaded RSA private key. Rapid7 observed several different variations of the batch scripts used by the threat actor, some of which also conditionally establish persistence using other remote monitoring and management solutions, including NetSupport and ScreenConnect.

Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators
Figure 4. The batch script creates run keys for persistence.

In all observed cases, Rapid7 has identified the usage of a batch script to harvest the victim’s credentials from the command line using PowerShell. The credentials are gathered under the false context of the “update” requiring the user to log in. In most of the observed batch script variations, the credentials are immediately exfiltrated to the threat actor’s server via a Secure Copy command (SCP). In at least one other observed script variant, credentials are saved to an archive and must be manually retrieved.

Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators
Figure 5. Stolen credentials are typically exfiltrated immediately.
Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators
Figure 6. Script variant with no secure copy for exfiltration.

In one observed case, once the initial compromise was completed, the threat actor then attempted to move laterally throughout the environment via SMB using Impacket, and ultimately failed to deploy Cobalt Strike despite several attempts. While Rapid7 did not observe successful data exfiltration or ransomware deployment in any of our investigations, the indicators of compromise found via forensic analysis conducted by Rapid7 are consistent with the Black Basta ransomware group based on internal and open source intelligence.

Forensic Analysis

In one incident, Rapid7 observed the threat actor attempting to deploy additional remote monitoring and management tools including ScreenConnect and the NetSupport remote access trojan (RAT). Rapid7 acquired the Client32.ini file, which holds the configuration data for the NetSupport RAT, including domains for the connection. Rapid7 observed the NetSupport RAT attempt communication with the following domains:

  • rewilivak13[.]com
  • greekpool[.]com
Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators
Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators
Figure 7 – NetSupport RAT Files and Client32.ini Content

After successfully gaining access to the compromised asset, Rapid7 observed the threat actor attempting to deploy Cobalt Strike beacons, disguised as a legitimate Dynamic Link Library (DLL) named 7z.DLL, to other assets within the same network as the compromised asset using the Impacket toolset.

In our analysis of 7z.DLL, Rapid7 observed the DLL was altered to include a function whose purpose was to XOR-decrypt the Cobalt Strike beacon using a hard-coded key and then execute the beacon.

The threat actor would attempt to deploy the Cobalt Strike beacon by executing the legitimate binary 7zG.exe and passing a command line argument of `b`, i.e. `C:\Users\Public\7zG.exe b`. By doing so, the legitimate binary 7zG.exe side-loads 7z.DLL, which in turn executes the embedded Cobalt Strike beacon. This technique is known as DLL side-loading, a method Rapid7 previously discussed in a blog post on the IDAT Loader.

Upon successful execution, Rapid7 observed the beacon inject a newly created process, choice.exe.

Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators
Figure 8 – Sample Cobalt Strike Configuration

Mitigations

Rapid7 recommends baselining your environment for all installed remote monitoring and management solutions and utilizing application allowlisting solutions, such as AppLocker or ​​Microsoft Defender Application Control, to block all unapproved RMM solutions from executing within the environment. For example, the Quick Assist tool, quickassist.exe, can be blocked from execution via AppLocker.  As an additional precaution, Rapid7 recommends blocking domains associated with all unapproved RMM solutions. A public GitHub repo containing a catalog of RMM solutions, their binary names, and associated domains can be found here.

Rapid7 recommends ensuring users are aware of established IT channels and communication methods to identify and prevent common social engineering attacks. We also recommend ensuring users are empowered to report suspicious phone calls and texts purporting to be from internal IT staff.

MITRE ATT&CK Techniques

Tactic Technique Procedure
Denial of Service T1498: Network Denial of Service The threat actor overwhelms email protection solutions with spam.
Initial Access T1566.004: Phishing: Spearphishing Voice The threat actor calls impacted users and pretends to be a member of their organization’s IT team to gain remote access.
Execution T1059.003: Command and Scripting Interpreter: Windows Command Shell The threat actor executes batch script after establishing remote access to a user’s asset.
Execution T1059.001: Command and Scripting Interpreter: PowerShell Batch scripts used by the threat actor execute certain commands via PowerShell.
Persistence T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder The threat actor creates a run key to execute a batch script via PowerShell, which then attempts to establish a reverse tunnel via SSH.
Defense Evasion T1222.001: File and Directory Permissions Modification: Windows File and Directory Permissions Modification The threat actor uses cacls.exe via batch script to modify file permissions.
Defense Evasion T1140: Deobfuscate/Decode Files or Information The threat actor encrypted several zip archive payloads with the password “qaz123”.
Credential Access T1056.001: Input Capture: Keylogging The threat actor runs a batch script that records the user’s password via command line input.
Discovery T1033: System Owner/User Discovery The threat actor uses whoami.exe to evaluate if the impacted user is an administrator or not.
Lateral Movement T1570: Lateral Tool Transfer Impacket was used to move payloads between compromised systems.
Command and Control T1572: Protocol Tunneling An SSH reverse tunnel is used to provide the threat actor with persistent remote access.

Rapid7 Customers

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7’s expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to this malware campaign:

Detections
Attacker Technique – Renamed SSH For Windows
Persistence – Run Key Added by Reg.exe
Suspicious Process – Non Approved Application
Suspicious Process – 7zip Executed From Users Directory (*InsightIDR product only customers should evaluate and determine if they would like to activate this detection within the InsightIDR detection library; this detection is currently active for MDR/MTC customers)
Attacker Technique – Enumerating Domain Or Enterprise Admins With Net Command
Network Discovery – Domain Controllers via Net.exe

Indicators of Compromise

Network Based Indicators (NBIs)

Domain/IPv4 Address Notes
upd7[.]com Batch script and remote access tool host.
upd7a[.]com Batch script and remote access tool host.
195.123.233[.]55 C2 server contained within batch scripts.
38.180.142[.]249 C2 server contained within batch scripts.
5.161.245[.]155 C2 server contained within batch scripts.
20.115.96[.]90 C2 server contained within batch scripts.
91.90.195[.]52 C2 server contained within batch scripts.
195.123.233[.]42 C2 server contained within batch scripts.
15.235.218[.]150 AnyDesk server used by the threat actor.
greekpool[.]com Primary NetSupport RAT gateway.
rewilivak13[.]com Secondary NetSupport RAT gateway.
77.246.101[.]135 C2 address used to connect via AnyDesk.
limitedtoday[.]com Cobalt Strike C2 domain.
thetrailbig[.]net Cobalt Strike C2 domain.

Host-based indicators (HBIs)

File SHA256 Notes
s.zip C18E7709866F8B1A271A54407973152BE1036AD3B57423101D7C3DA98664D108 Payload containing SSH config files used by the threat actor.
id_rsa 59F1C5FE47C1733B84360A72E419A07315FBAE895DD23C1E32F1392E67313859 Private RSA key that is downloaded to impacted assets.
id_rsa_client 2EC12F4EE375087C921BE72F3BD87E6E12A2394E8E747998676754C9E3E9798E Private RSA key that is downloaded to impacted assets.
authorized_keys 35456F84BC88854F16E316290104D71A1F350E84B479EEBD6FBB2F77D36BCA8A Authorized key downloaded to impacted assets by the threat actor.
RuntimeBroker.exe 6F31CF7A11189C683D8455180B4EE6A60781D2E3F3AADF3ECC86F578D480CFA9 Renamed copy of the legitimate OpenSSH for Windows utility.
a.zip A47718693DC12F061692212A354AFBA8CA61590D8C25511C50CFECF73534C750 Payload that contains a batch script and the legitimate ScreenConnect setup executable.
a3.zip 76F959205D0A0C40F3200E174DB6BB030A1FDE39B0A190B6188D9C10A0CA07C8 Contains a credential harvesting batch script.

Layered Defense to Stop Attacks Before they Begin

Post Syndicated from Dina Durutlic original https://blog.rapid7.com/2024/05/09/layered-defense-to-stop-attacks-before-they-begin/

Layered Defense to Stop Attacks Before they Begin

Ransomware has evolved from opportunistic attacks to highly orchestrated campaigns driven by cyber criminals who are seeking high financial gains.

Ransomware-as-a-Service has increased due to its lowered barrier to entry, allowing even those with limited technical expertise to launch devastating attacks with relative ease. Big game hunting has made a comeback, targeting high-value organizations – such as large enterprises – to maximize ransom payouts. The introduction of triple extortion represents a chilling escalation in tactics and demands. Attackers will encrypt files and demand payment for their decryption not just once, twice, but sometimes three times. Malicious actors execute additional attacks to coerce victims into giving more money or forcing them to comply with the attacker.

Security teams understandably have a lot that keeps them up at night, but that’s where a trusted partner can help! We’re excited to announce the expansion of our leading managed detection and response (MDR) service, Managed Threat Complete, to include Ransomware Prevention.

Rapid7’s Ransomware Prevention provides a robust, patented preemptive solution to stop attacks before they begin. Coupled with the expertise of the Rapid7 MDR team, this additional layer of protection now extends comprehensive coverage end to end.

Don’t Give Malware a Chance with Ransomware Prevention

Ransomware Prevention provides security teams a robust solution leveraging Minerva technology to stop attacks before they begin. This patented technology is an additional layer of protection on the endpoint designed to disrupt malicious actors and prevent ransomware attacks. It provides customers with dedicated ransomware prevention engines that reinforce at each stage of an attack to strengthen defenses and minimize exposure.

Layered Defense to Stop Attacks Before they Begin

Full Coverage from a Single, Trusted Partner

Leveraging this new functionality, we take a more proactive approach to security operations. By unifying relevant exposure management, external threat intelligence, and now prevention capabilities, we are able to get ahead of risk and eliminate breaches earlier.

With Rapid7, customers can feel confident they are covered before, during, and after an attack. Our team of industry experts not only provides transparent service, but they also drastically reduce the risk of ransomware actors succeeding by mitigating attacks in early stages prior to ransomware deployment.

Our Incident Response team spends far fewer hours per incident than the industry average due to:

  • Continuous monitoring through MDR
  • Rapid remote containment of minor incidents
  • Early detection of events
  • Remediation support through the SOC and Customer Advisors

Differentiating on the Endpoint

Rapid7 is continuously working with our customers with the goal of providing differentiated endpoint solutions and capabilities. You can learn more about how Rapid7 protects endpoints here.

What’s Wrong With Google Drive, Dropbox, and OneDrive? More Than You Think

Post Syndicated from Vinodh Subramanian original https://www.backblaze.com/blog/whats-wrong-with-google-drive-dropbox-and-onedrive-more-than-you-think/

Cloud drives like Google Drive, Dropbox, Box, and OneDrive have become the go-to data management solution for countless individuals and organizations. Their appeal lies in the initial free storage offering, user-friendly interface, robust file-sharing, and collaboration tools, making it easier to access files from anywhere with an internet connection. 

However, recent developments in the cloud drives space have posed significant challenges for businesses and organizations. Both Google and Microsoft, leading providers in this space, have announced the discontinuation of their unlimited storage plans.

Additionally, it’s essential to note that cloud drives, which are primarily sync services, do not offer comprehensive data protection. Today, we’re exploring how organizations can recognize the limitations of cloud drives and strategize accordingly to safeguard their data without breaking the bank. 

Attention Higher Ed

Higher education institutions have embraced platforms like Google Drive, Dropbox, Box, and OneDrive to store vast amounts of data—sometimes reaching into the petabytes. With unlimited plans out the window, they now face the dilemma of either finding alternative storage solutions or deleting data to avoid steep fees. In fact, the education sector reported the highest rates of ransomware attacks with 80% of secondary education providers and 79% of higher education providers hit by ransomware in 2023. If you manage IT for a

Sync vs. Backup: Why Cloud Drives Fall Short on Full Data Security

Cloud Sync

Cloud drives offer users an easy way to store and protect files online, and it might seem like these services back up your data. But, they don’t. These services sync (short for “synchronize”) files or folders on your computer to your other devices running the same application, ensuring that the same and most up-to-date information is merged across each device.

The “live update” feature of cloud drives is a double-edged sword. On one hand, it ensures you’re always working on the latest version of a document. On the other, if you need to go back to a specific version of a file from two weeks ago, you might be out of luck unless you’ve manually saved that version elsewhere. 

Another important item to note is that if cloud drives are shared with others, often they can make changes to the content which can result in the data changing or being deleted and without notifying other users. With the complexity of larger organizations, this presents a potential vulnerability, even with well-meaning users and proactive management of drive permissions. 

Cloud Backup

Unlike cloud sync tools, backup solutions are all about historical data preservation. They utilize block-level backup technology, which offers granular protection of your data. After an initial full backup, these systems only save the incremental changes that occur in the dataset. This means if you need to recover a file (or an entire system) as it existed at a specific point in time, you can do so with precision. This approach is not only more efficient in terms of storage space but also crucial for data recovery scenarios.

For organizations where data grows exponentially but is also critically important and sensitive, the difference between sync and backup is a crucial divide between being vulnerable and being secure. While cloud drives offer ease of access and collaboration, they fall short in providing the comprehensive data protection that comes from true backup solutions, highlighting the need to identify the gap and choose a solution that better fits your data storage and security goals. A full-scale backup solution will typically include backup software like Veeam, Commvault, and Rubrik, and a storage destination for that data. The backup software allows you to configure the frequency and types of backups, and the backup data is then stored on-premises and/or off-premises. Ideally, at least one copy is stored in the cloud, like Backblaze B2, to provide true off-site, geographically distanced protection.

Lack of Protection Against Ransomware

Ransomware payments hit a record high $1 billion in 2023. It shouldn’t be news to anyone in IT that you need to defend against the evolving threat of ransomware with immutable backups now more than ever. However, cloud drives fall short when it comes to protecting against ransomware.

The Absence of Object Lock

Object Lock serves as a digital vault, making data immutable for a specified period. It creates a virtual air gap, protecting data from modification, manipulation, or deletion, effectively shielding it from ransomware attacks that seek to encrypt files for ransom. Unfortunately, most cloud drives do not incorporate this technology. 

Without Object Lock, if a piece of data or a document becomes infected with ransomware before it’s uploaded to the cloud, the version saved on a cloud drive can be compromised as well. This replication of infected files across the cloud environment can escalate a localized ransomware attack into a widespread data disaster. 

Other Security Shortcomings

Beyond the absence of Object Lock, cloud drives may also lag in other critical security measures. While many offer some level of encryption, the robustness of this encryption and its effectiveness in protecting data at reset and in transit can vary significantly. Additionally, the implementation of 2FA and other access control measures is not always standard. These gaps in security protocols can leave the door open for unauthorized access and data breaches.

Navigating the Shared Responsibility Model

The shared responsibility model of cloud computing outlines who is responsible for what when it comes to cloud security. However, this model often leads to a sense of false security. Under this model, cloud drives typically take responsibility for the security “of” the cloud, including the infrastructure that runs all of the services offered in the cloud. On the other hand, the customers are responsible for security “in” the cloud. This means customers must manage the security of their own data. 

What’s the difference? Let’s use an example. If a user inadvertently uploads a ransomware-infected file to a cloud drive, the service might protect the integrity of the cloud infrastructure, ensuring the malware doesn’t spread to other users. However, the responsibility to prevent the upload of the infected file in the first place, and managing its consequences, falls directly on the user. In essence, while cloud drives provide a platform for storing your data, relying solely on them without understanding the nuances of the shared responsibility model could leave gaps in your data protection strategy. 

It’s also important to understand that Google, Microsoft, and Dropbox may not back up your data as often as you’d like, in the format you need, or provide timely, accessible recovery options. 

The Limitations of Cloud Drives in Computer Failures

Cloud drives, such as iCloud, Google Drive, Dropbox, and OneDrive, synchronize your files across multiple devices and the cloud, ensuring that the latest version of a file is accessible from anywhere. However, this synchronization does not equate to a full backup of your computer’s data. In the event of a computer failure, only the files you’ve chosen to sync would be recoverable. Other data stored on the computer (but not in the sync folder) would be lost. 

While some cloud drives offer versioning, which allows you to recover previous versions of files, this features are often limited in scope and time. It’s not designed to recover all types of files after a hardware failure, which a comprehensive backup solution would allow. 

Additionally, users often have to select which folders of files are synchronized, potentially overlooking important data. This selective sync means that not all critical information is protected automatically, unlike with a backup solution that can be set to automatically back up all data.

The Challenges of Data Sprawl in Cloud Drives

Cloud drives make it easy to provision storage for a wide array of end users. From students and faculty in education institutions to teams in corporations, the ease with which users can start storing data is unparalleled. However, this convenience comes with its own set of challenges—and one of the most notable culprits is data sprawl. 

Data sprawl refers to the rapid expansion and scattering of data without a cohesive management strategy. It is the accumulation of vast amounts of data to the point where organizations no longer know what data they have or what is happening with that data. Organizations often struggle to get a clear picture of who is storing what, how much space it’s taking up, and whether certain data remains accessed or has become redundant. This can lead to inefficient use of storage resources, increased costs, and potential security risks as outdated or unnecessary information piles up. The lack of sophisticated tools within cloud drive platforms for analyzing and understanding storage usage can significantly complicate data governance and compliance efforts. 

The Economic Hurdles of Cloud Drive Pricing

The pricing structure of cloud drive solutions present a significant barrier to achieving both cost efficiency and operational flexibility. The sticker price is only the tip of the iceberg, especially for sprawling organizations like higher education institutions or large enterprises with unique challenges that make the standard pricing models of many cloud drive services less than ideal. Some of the main challenges are: 

  1. User-Based Pricing: Cloud drive platforms base their pricing on the number of users, an approach that quickly becomes problematic for large institutions and businesses. With staff and end user turnover, predicting the number of active users at any given time can be a challenge. This leads to overpaying for unused accounts or constantly adjusting pricing tiers to match the current headcount, both of which are administrative headaches. 
  2. The High Cost of Scaling: The initial promise of free storage tiers or low-cost entry points fades quickly as institutions hit their storage limits. Beyond these thresholds, prices can escalate dramatically, making budget planning a nightmare. This pricing model is particularly problematic for businesses where data is continually growing. As these data sets expand, the cost to store them grows exponentially, straining already tight budgets. 
  3. Limitations of Storage and Users: Most cloud drive platforms come with limits on storage capacity and a cap on the number of users. Upgrading to higher tier plans to accommodate more users or additional storage can be expensive. This often forces organizations into a cycle of constant renegotiation and plan adjustments. 

We’re Partial to an Alternative: Backblaze

While cloud drives excel in collaboration and file sharing, they often fall short in delivering the comprehensive data security and backup that businesses and organizations need. However, you are not without options. Cloud storage platforms like Backblaze B2 Cloud Storage secure business and educational data and budgets with immutable, set-and-forget, off-site backups and archives at a fraction of the cost of legacy providers. And, with Universal Data Migration, you can move large amounts of data from cloud drives or any other source to B2 Cloud Storage at no cost to you. 

For those who appreciate the user-friendly interfaces of services like Dropbox or Google Drive, Backblaze provides integrations that deliver comparable front-end experiences for ease of use without compromising on security. However, if your priority lies in securing data against threats like ransomware, you can integrate Backblaze B2 with popular backup tools including Veeam, Rubrik, and Commvault, for immutable, virtually air-gapped backups to defend against cyber threats. Backblaze also offers  free egress for up to three times your data stored—or unlimited free egress between many of our compute or CDN partners—which means you don’t have to worry about the costs of downloading data from the cloud when necessary. 

Beyond Cloud Drives: A Secure, Cost-Effective Approach to Data Storage

In summary, cloud drives offer robust file sharing and collaboration tools, yet businesses and organizations looking for a more secure, reliable, and cost-effective data storage solution have options. By recognizing the limitations of cloud drives and by leveraging the advanced capabilities of cloud backup services, organizations can not only safeguard their data against emerging threats but also ensure it remains accessible and within budget. 

The post What’s Wrong With Google Drive, Dropbox, and OneDrive? More Than You Think appeared first on Backblaze Blog | Cloud Storage & Cloud Backup.

Exploring the (Not So) Secret Code of Black Hunt Ransomware

Post Syndicated from Anna Širokova original https://blog.rapid7.com/2024/02/05/exploring-the-not-so-secret-code-of-blackhunt-ransomware-2/

Exploring the (Not So) Secret Code of Black Hunt Ransomware

It seems like every week, the cybersecurity landscape sees the emergence of yet another ransomware variant, with Black Hunt being one of the latest additions. Initially reported by cybersecurity researchers in 2022, this new threat has quickly made its presence known. In a recent incident, Black Hunt ransomware wreaked havoc by compromising around 300 companies in Paraguay.

Rapid7 Labs consistently monitors emerging threats, and this new ransomware variant caught our attention for several reasons. The behavior and potential impact of this new variant raised concerns among our team, prompting us to conduct a thorough analysis to better understand its capabilities and potential risks.

During our analysis we found notable similarities between Black Hunt ransomware and LockBit, which suggested that it uses leaked code of Lockbit. In addition, it uses some techniques similar to REvil ransomware.

Technical Analysis

In this analysis we examined the Black Hunt sample shared on X (formerly Twitter), by MalwareHunterTeam. In our investigation we found some interesting techniques and features used by this malware. The recent Black Hunt sample is a C++ executable, which widely reuses the leaked Lockbit ransomware code and shares similarities with several other recently spotted ransomware families.The execution of the ransomware on an infected machine starts with a check for a file named Vaccine.txt under directory C:\ProgramData path

Exploring the (Not So) Secret Code of Black Hunt Ransomware
Figure 1 – Check for the existence of Vaccine.txt file

If the file is found, malware terminates its execution. This file detection acts as an anti-exploitation flag for the ransomware. As this is not a well-known anti-sandbox/anti-VM technique, we assume that this file is in use by the threat actor (TA) itself. It is either created by the victim which is instructed to create it after the ransom is paid or dropped by the decryptor, if one is sent to the victim to decrypt the encrypted data. Adding that check is logical if the ransomware operators consider scenarios where their persistence mechanism and the ransomware binary remain on the system even after the ransom is paid and files are decrypted. Moreover, the fact that all files dropped by the ransomware are placed in the C:\ProgramData  directory further supports our assessment that this file is associated with the Black Hunt operation.

Next, the malware adjusts the following privileges to processes Access Token by using the `AdjustTokenPrivileges` API function:

Privilege Setting Description
SeDebugPrivilege Monitor and manipulate other processes.
SeRestorePrivilege Bypass file system security to restore files.
SeBackupPrivilege Read any file, regardless of permissions.
SeTakeOwnershipPrivilege Take control of critical system resources.
SeAuditPrivilege Manipulate security audit logs.
SeSecurityPrivilege Modify security settings of objects.
SeIncreaseBasePriorityPrivilege Gives service privilege to increase scheduling priority.

After modifying process privileges, the malware hides its window by invoking the `ShowWindow` function with the `nCmdShow` parameter set to 0, which corresponds to `SW_HIDE`. This action ensures that the malware’s window is not visible to the user, allowing it to operate stealthily in the background without drawing attention.

Exploring the (Not So) Secret Code of Black Hunt Ransomware
Figure 3 – Malware hiding its present from the user

The execution flow continues as the malware invokes the `GetCommandLineW` function. This function retrieves the command-line string for the current process, including the program name and any arguments passed during startup. This function is commonly used by malware and helps to gather information about command-line flags. Following this, another function call is made to `CMD_ARGS`.

Exploring the (Not So) Secret Code of Black Hunt Ransomware
Figure 4

The function processes a command-line string and checks if any of the following arguments were passed:

Argument Description
-local If passed, the ransomware will skip shared or network drives encryption.
-network If passed, the ransomware will encrypt only the network drives
-biggame If passed, the ransomware will only encrypt the files that contain .4dd, .4dl, .accdb, .accdc, .accde, .accdr, .accdt, .accft, .adb, .ade, .adf, .adp, .arc, .ora, .alf, .ask, .btr, .bdf, .cat, .cdb, .ckp, .cma, .cpd, .dacpac, .dad, .dadiagrams, .daschema, .db, .db-shm, .db-wal, .db3, .dbc, .dbf, .dbs, .dbt ,.dbv, .dbx, .dcb, .dct, .dcx, .ddl ,.dlis, .dp1 ,.dqy, .dsk, .dsn, .dtsx, .dxl, .eco, .ecx, .edb, .epim, .exb, .fcd, .fdb, .fic, .fmp, .fmp12, .fmpsl, .fol, .fp3, .fp4, .fp5, .fp7, .fpt, .frm, .gdb, .grdb, .gwi, .hdb, .his, .ib, .idb, .ihx, .itdb, .itw, .jet, .jtx, .kdb, .kexi, .kexic, .kexis, .lgc, .lwx, .maf, .maq, .mar, .mas, .mav, .mdb, .mdf, .mpd, .mrg, .mud, .mwb, .myd, .ndf, .nnt, .nrmlib, .ns2, .ns3, .ns4, .nsf, .nv, .nv2, .nwdb, .nyf, .odb, .oqy, .orx, .owc, .p96, .p97, .pan, .pdb, .pdm, .pnz, .qry, .qvd, .rbf, .rctd, .rod, .rodx, .rpd, .rsd, .sas7bdat, .sbf, .scx, .sdb, .sdc, .sdf, .sis, .spq, .sql, .sqlite, .sqlite3, .sqlitedb, .te, .temx, .tmd, .tps, .trc, .trm, .udb, .udl, .usr, .v12, .vis, .vpd, .vvv, .wdb, .wmdb, .wrk, .xdb, .xld, .xmlff, .abcddb, .abs, .abx, .accdw, .adn, .db2, .fm5, .hjt, .icg, .icr, .kdb, .lut, .maw, .mdn, .mdt extensions.
-backup If passed, the ransomware will only encrypt the files with .000, .cab, .zip and .rar extensions.
-noencrypt if passed, the malware will skip encryption.
-p If passed, specifies a path to be encrypted
-nologs If passed – If the flag is not set, the ransomware creates a log file named #BlackHunt_Logs.txt under C:\ProgramData directory. Otherwise no log files will be created.
-status If passed, sets the ransomware console windows to ‘SW_SHOW’ and shows the encryption status in the ransomware console window. The status information contains the System ID, running time, the amount of encrypted files and encrypted volume, as well as errors, alive workers and the code location. The status window constantly updated by the ransomware as long as it runs
-update If passed, the ransomware shows a fake Window Update screen
-kill If passed, the ransomware terminates processes from hardcoded process list and stops services from hardcoded service list
-scanner If passed, the ransomware scans for network shares
-cipher If passed, when all the encryption process is completed the ransomware uses Windows tool Cipher.exe on all drives to overwrite the deleted data. Same capability was utilized by Vohuk ransomware.
-restart if set in the end of encryption the following command will be executed to restart the pc ‘shutdown /r /t 15 /f’

The ransomware accepts additional arguments that modify its behavior, including disabling spreading capabilities, adjusting encryption speed, thread count for encryption, skipping mutex creation, and enabling debug mode to collect more information in the log file.

After verifying passed arguments and ensuring the absence of the -nomutex flag, the ransomware proceeds to create a `BLACK_HUNT_MUTEX`. Next, it elevates its process priority to `HIGH_PRIORITY_CLASS` using the `SetPriorityClass` API function.

The ransomware made 200 attempts to load `Fake.dll`, likely as a tactic to slow up/evade the execution in the sandbox. Following this, it employs the `IsDebuggerPresent` API call to detect if debugging is in progress. If a debugger is detected, the ransomware terminates.

Further analysis revealed that Black Hunt maintains a whitelist of 15 countries, as detailed in the table below.

Language Code Language Country
2092 Azeri (Cyrillic) Azerbaijan
1068 Azeri (Latin) Azerbaijan
1067 Armenian Armenia
1059 Belarusian Belarus
1079 Georgian Georgia
1071 Macedonian North Macedonia
1088 Kyrgyz Kyrgyzstan
2073 Moldovan Moldova (Russian language)
1064 Tajik (Cyrillic) Tajikistan
1090 Turkmen Turkmenistan
2115 Uzbek (Cyrillic) Uzbekistan
1091 Uzbek (Latin) Uzbekistan
1058 Ukrainian Ukraine
1065 Persian Iran
1055 Turkish Turkey

The malware uses the `GetSystemDefaultUILanguage` function to identify one of 15 hardcoded languages. If it detects any of these languages, it terminates execution.

Exploring the (Not So) Secret Code of Black Hunt Ransomware
Figure 5 – Hardcoded list of languages

Following language detection, the malware attempts to establish an internet connection by calling the `getaddrinfo` function to resolve the domain ip-api.com.

The ransomware checks if `BlackKeys` mutex exists, and if not, it creates it by using `CreateMutexA` API.

Next,the malware begins a key initialization process. First, it attempts to load a key by using `CryptImportKey` with a buffer containing the key. It looks for the key in files named C:\ProgramData\#BlackHunt_Public.key and C:\ProgramData\#BlackHunt_Private.key, and also verifies the presence of C:\ProgramData\#BlackHunt_ID.txt. If the key loading fails, the malware switches to generating a 128-bit RSA key pair.

After initializing encryption keys, the ransomware creates a HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2 registry key to define settings for files with `.Hunt2` extension.It adds a `DefaultIcon` registry key under `.Hunt2` and assigns a default value to the dropped icon file.

Next, the ransomware creates a new {2C5F9FCC-F266-43F6-838DAE269E11} value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key and sets it data to C:\ProgramData\#BlackHunt_ReadMe.hta that will make the `.hta` file be executed on reboot.This file is a Black Hunt ransom note. Here we can notice additional proof of reuse of Lockbit ransomware code by BlackHunt operators, the value name is identical to the one LockBit 2.0 used in their attacks.

The Black Hunt ransomware makes several modifications to the Windows registry to disable security measures, alter system functionality, and potentially limit user control over the system. Below are the commands used

Command Action
/c reg add "HKEY_LOCAL_MACHINE\Software\Classes.Hunt2" /f" Adds a registry key .Hunt2 under HKEY_LOCAL_MACHINE\Software\Classes\
/c reg add "HKEY_LOCAL_MACHINE\Software\Classes.Hunt2\DefaultIcon" /ve /t REG_SZ /d
"C:\ProgramData#BlackHunt_Icon.ico" /f");
Sets the default icon for .Hunt2 files to C:\ProgramData#BlackHunt_Icon.ico
/c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f"); Adds a registry key Hunt2 under HKEY_LOCAL_MACHINE\Software\Classes\
/c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v Adds an entry to the Windows startup registry key to run C:\ProgramData#BlackHunt_ReadMe.hta
/c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
/v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}"
/t REG_SZ /d "C:\ProgramData#BlackHunt_ReadMe.hta" /f");
Adds an entry to the Windows startup registry key to run C:\ProgramData#BlackHunt_ReadMe.hta
SHChangeNotify(0x8000000, 0, 0, 0); Notifies the system of changes that might require refreshing icons or interface elements

The list of modified registries can be found in the IOC section or on the Rapid7 Labs GitHub page.

Afterward, the malware checks for various command-line arguments, and its execution flow depends on which arguments are set.

`-p` flag

If set, it proceeds to sets persistence by creating scheduled tasks to execute the malware upon system startup using the command /c SCHTASKS.exe /Create /RU “NT AUTHORITY\SYSTEM” /sc onstart /TN “Windows Critical Update” /TR “%s” /F.

`-safemode` flag

If it is, the malware configures the safe mode setting to ensure its execution after the system boots in safe mode, after which it restarts the machine. For more information on that technique check the Safe Mode section of this article.

If the `-safemode` flag is not set, the malware creates ransom note, primary and secondary contact emails `[email protected]` and `[email protected]`, respectively, a placeholder ID for infected machines, and the Tor address http[:]//sdif9821kjsdvcjlksaf2kjhlksvvnktyoiasuc921f.

`-update`  flag

If set, the malware drops `#BlackHunt_Update.hta` to the C:\ProgramData directory and executes it. The purpose of that flag is to create a fake Windows Update screen while encrypting the victim’s data. After that, the malware empties the recycle bin by calling `SHEmptyRecycleBinW`.

`-kill` flag

If set, the malware enumerates running processes and terminates 130 predefined processes and services. The full list of processes and services can be found in the IOC section or on the Rapid7 Labs GitHub page.

After completing its service termination routine, the malware tries to access the registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, known for storing system policies such as User Account Control (UAC) settings. If successful, it modifies two registry values: `EnableLUA` and `EnableLinkedConnections`.

Exploring the (Not So) Secret Code of Black Hunt Ransomware
Figure 6-UAC settings modification

By setting`EnableLUA` to 0, the malware effectively disables this security feature, granting itself elevated privileges without user intervention. Additionally, the malware sets the `EnableLinkedConnections` registry key, allowing any user to see network drives that were mapped for other users. This gives ransomware the ability to gain access to sensitive network resources.The malware invokes the `RefreshPolicyEx` API function to enforce the modifications made.

Next, the malware manipulates shadow storage. For conventional disk types, such as DRIVE_FIXED, it executes commands like /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB. For disk types not explicitly specified, such as DRIVE_RAMDISK, it uses /c vssadmin resize shadowstorage /for=C:\ /on=C:\

Afterwards , the malware removes the shadow copies using vssadmin.exe Delete Shadows /all /quiet and disables automatic repair by executing bcdedit /set {default} recoveryenabled No.

Exploring the (Not So) Secret Code of Black Hunt Ransomware
Figure 7- Shadow storage manipulation

Next, the attackers execute a sequence of commands to clean up the system and implement critical modifications.

Command Description
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures Adjusts boot status policy for normal booting despite failures, blocking access to System Image Recovery
fsutil.exe usn deletejournal /disks (D and C) Deletes Volume USN Journal on disks D and C, disrupting file system change tracking
wbadmin.exe delete catalog -quiet Silently removes backup catalogs, erasing backup data
Disables System Restore tasks with sc Halts System Restore functionality, limiting recovery options

If the  `-scanner` flag is set the ransomware will attempt to retrieve the ARP cache table and scan the addresses using the servername as a parameter. This function utilizes `NetShareEnum` to gather information about network shares on a given server.

Finally,  the encryption routine starts. Encrypted files renamed with  `.Hunt2` extension. After the encryption, the ransomware deletes itself, and the ransom note is displayed to the user.

Exploring the (Not So) Secret Code of Black Hunt Ransomware
Figure 8 – Black Hunt ransomware note

Additional functionality

Spreading mechanism

Ransomware tries to enumerate shares on the localhost (127.0.0.1) using  `NetShareEnum`. If shares are found and no error occurs, the malware tries to process  drive paths. It checks each path for specific conditions met and that the path is not a remote path. If these conditions are met, it processes the argument as a local drive path by extracting the drive letter and formatting it as \127.0.0.1{drive_letter}.

The malware attempts to locate a NAS server and paths to files on removable drives. Additionally, it searches for shared folders and attempts to spread by enumerating local shared folders using `NetShareEnum`. If a network share is found, it copies itself to the share using `CopyFileW`. After spreading, it clears setup event logs by executing cmd /c wevtutil.exe.

Safe mode

If the `-safemode` argument is set, the malware executes the encryption process in Safe Mode. To ensure execution after rebooting in Safe Mode, the malware sets up the system as follows:

1) Obtains a user environment variable.

2) Executes the net user username `Black_Hunt_2.0` command to set a new user password.

3) Adds a new `AutoAdminLog` value under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and sets it to 1, enabling auto login in Windows.

4) Creates a `DefaultUserName` value under the same registry key and sets it.

5) Creates a `DefaultPassword` registry value and sets it to the changed password.

6) Executes the /c bootcfg /raw /a /safeboot:network /id 1 and /c bcdedit /set {current} safeboot network commands to force the computer to boot into Safe Mode with Networking.

7) Creates a new`BackToNormal` value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce and sets it to bcdedit /deletevalue {current} safeboot” /f.

8) Sets an additional value under the `RunOnce` key named `BlackHunt` and sets it to the current malware running path.

9) Finally, restarts the system by executing shutdown /r /t 7 /f

Rapid7 Customers

For Rapid7 MDR and InsightIDR customers, the following Attacker Behavior Analytics (ABA) rules are currently deployed and alerting on the activity described in this blog:

  • Suspicious Process – Delete File Shadow Copies With PowerShell
  • Attacker Technique – Rundll32 Running DLL in Root of ProgramData
  • Suspicious Process – Regsvr32.exe Registering DLL in ProgramData
  • Persistence – Run Key Added by Reg.exe
  • Suspicious Registry Event – Unusual Registry Run Keys
  • Attacker Technique – Disabling UAC Remote Restrictions
  • Suspicious Registry Edit – Shell\Open\Command Edited, Possible UAC Bypass
  • Attacker Technique – Reg.exe disabling the User Access Control (UAC) remote restriction
  • Suspicious Process – Possible UAC Bypass via MMC.exe
  • Attacker Technique – Svchost.exe Spawns cmd.exe Executing Scheduled Task
  • Persistence – SchTasks Creating A Task Pointed At Users Temp Or Roaming Directory
  • Ransomware – LockBit Command-Line Arguments
  • Suspicious Process – VSSADMIN List and Create Shadow Commands (MVD detection)
  • Suspicious Registry Event – BCDEDIT Safeboot Minimal
  • UAC Bypass – Notepad Launching CMD or PowerShell
  • Defense Evasion – Disabling Multiple Security or Backup Products (MVD detection)
  • Suspicious Process – Diskshadow (Windows Server) Delete Shadow Copies

MITRE ATT&CK Techniques

|

Tactic Technique **Details
Execution Native API (T1106) The ransomware may execute its malicious activities by interacting with system APIs.
Persistence Scheduled Task/Job: Scheduled Task (T1053.005 ) Black Hunt sets persistence by creating scheduled tasks to execute the malware upon system startup using the command
Persistence Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) Modifies the Windows Registry to establish persistence, ensuring it runs automatically upon system startup.
Privilege Escalation Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002 ) Black Hunt grants itself elevated privileges without user intervention by modifying registry values: EnableLUA and EnableLinkedConnections.
Defense Evasion, Privilege Escalation Access Token Manipulation (T1134) Black Hunt manipulate access tokens, granting itself privileges to perform various actions on the system
Defense Evasion Modify Registry (T1112) Modifies registry keys to disable security features, alter system configurations, and establish persistence.
Defense Evasion Impair Defenses: Disable or Modify Tools (T1562.001) Black Hunt disables security tools to avoid possible detection of their malware/tools and activities
Defense Evasion File Deletion ( T1070.004 ) Black Hunt empties the Windows Recycle Bin to permanently delete files and prevent recovery attempts.
Defense Evasion Indicator Removal on Host: Clear Windows Event Logs (T1070.001) The ransomware clears Windows Event Logs to erase evidence.
Defense Evasion Impair Defenses: Safe Mode Boot (T1562.009) Black Hunt disable endpoint defenses
Defense Evasion Hide Artifacts: Hidden Window (T1564.003) Black Hunt uses a hidden window to conceal malicious activity from the plain sight of users.
Discovery Network Service Discovery (T1046) Black Hunt lists services running on the local network
Discovery System Location Discovery: System Language Discovery (T1614.001) Black Hunt gather information about the system language of a host in order to infer the geographical location of that host
Discovery Network Share Discovery (T1135) Black Hunt enumerates shared network drives and folders to access other systems
Discovery File and Directory Discovery (T1083) Black Hunt enumerates files and directories to identify whether certain objects should be encrypted
Discovery Process Discovery (T1057) Black Hunt performs process discovery/enumeration to terminate processes that could interfere with the encryption process.
Impact Inhibit System Recovery (T1490) Deletes backups, volume shadow copies, and disables automatic repair and recovery features.
Impact Data Encrypted for Impact (T1486) Black Hunt is capable for encrypting victim’s files
Impact Service Stop (T1489) Stops certain services, such as those related to backup, security software, and others

IOCs

Attribute Value Description
mutex BLACK_HUNT Mutex used by the ransomware
mutex BaseNamedObjects\BlackKeys Mutex used by the ransomware
sha256 C25F7B30D224D999CE337A13224C1CDE9FFB3F415D7113548DE9914A1BB3F123 #BlackHunt_Update.hta file
primary email Teikobest@gmail dot com Primary contact email for ransom
secondary email Loxoclash@gmail dot com Secondary contact email for ransom
Tor address http[://]sdif9821kjsdvcjlksaf2kjhlksvvnktyoiasuc921f
sha256 74df3452a6b9dcdba658af7a9cf5afb09cce51534f9bc63079827bf73075243b Black Hunt ransomware
sha256 35619594724871138875db462eda6cf24f2a462e1f812ff27d79131576cd73ab Black Hunt ransomware
sha256 32877793a1e0d72235e9e785e1f55592c32c9f08b73729815b8103b09a54065f Black Hunt ransomware
sha256 7eea62dcae4e2e5091dd89959529ae047071415a890dda507db4c53b6dcab28b Black Hunt ransomware
sha256 13a5c3b72f81554e04b56d960d3a503a4b08ec77abb43756932a68b98dac1479 Black Hunt ransomware

Registry Modified by Black Hunt Ransomware

Registry Modification Description
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run {2C5F9FCC-F266-43F6-BFD7-838DAE269E11} REG_SZ C:\ProgramData#BlackHunt_ReadMe.hta Adds a startup entry to run a file at system startup
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender DisableAntiSpyware REG_DWORD 1 Disables Windows Defender anti-spyware protection
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection DisableRealtimeMonitoring REG_DWORD 1 Disables Windows Defender real-time monitoring
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet SubmitSamplesConsent REG_DWORD 2 Sets the consent level for submitting samples to Microsoft
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats Threats_ThreatSeverityDefaultAction REG_DWORD 1 Sets default actions for threats detected by Windows Defender
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction Low, Medium, High, Severe REG_DWORD 6 Sets default actions for threats of different severities
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration Notification_Suppress REG_DWORD 1 Suppresses Windows Defender notifications
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer NoClose, StartMenuLogOff REG_DWORD 1 Disables the ability to close the Start Menu and log off
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableChangePassword, DisableLockWorkstation, NoLogoff, DisableTaskMgr REG_DWORD 1 Disables various system functionalities such as changing password, locking workstation, logging off, and task manager
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore DisableConfig, DisableSR REG_DWORD 1 Disables System Restore configuration and functionality
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE DisableSetup REG_DWORD 1 Disables Windows Recovery Environment setup
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client DisableBackupLauncher, DisableRestoreUI, DisableSystemBackupUI, DisableBackupUI REG_DWORD 1 Disables various backup client functionalities
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer NoRun REG_DWORD 1 Disables the ability to run programs

References

https://twitter.com/RakeshKrish12/status/1597839380558716928

https://twitter.com/malwrhunterteam/status/1744499152011104549

https://blog.sonicwall.com/en-us/2021/09/lockbit-2-0-the-ransomware-behind-the-accenture-breach/

https://blog.sonicwall.com/en-us/2023/02/vohuk-ransomware-uses-cipher-exe-making-files-recovery-impossible/

Rapid7 Labs GitHub

https://github.com/rapid7/Rapid7-Labs/blob/main/IOCs/BlackHunt.txt

2023 Ransomware Stats: A Look Back To Plan Ahead

Post Syndicated from Christiaan Beek original https://blog.rapid7.com/2024/01/12/2023-ransomware-stats-a-look-back-to-plan-ahead/

2023 Ransomware Stats: A Look Back To Plan Ahead

2023 Ransomware Stats: A Look Back To Plan Ahead

Last year was not a year for the faint of heart. Organizations of every size found themselves faced with ransomware attacks at varying levels of sophistication, yet every one of them was damaging. And as we step into 2024, the first victims of ransomware attacks are already being reported. What can the 2023 ransomware stats tell us about the year that was, and how can we use them to plan for the year ahead?

In this blog we will dissect the multifaceted dimensions of ransomware attacks observed in 2023, providing insights and looking a bit forward to what 2024 might bring. For our data analytics, we make use of publicly available data (like posts from the ransomware groups themselves) and 2023 ransomware incident data from our MDR team, both of which we’ve enriched with context from the data gathered in Rapid7 Labs.

The 2023 Ransomware Landscape

Most ransomware groups have leak sites where they announce victims of their campaigns. These leak sites are a tactic to put more pressure on their victims to pay the ransom; if the ransom is not paid, they will leak the compromised data via that site. The frequency of posts is a good indicator of how often and which groups are active, but the ransomware landscape is larger than that.

The number of unique ransomware families these groups utilized in 2023 decreased by more than half, from 95 new families in 2022 to 43 in 2023. This tells us that the “current” ransomware families and models are working/profitable and there’s no need to develop something brand new.

Our combined sources uncovered nearly 5200 reported ransomware cases throughout the course of 2023. In reality, we believe that number was actually higher because it doesn’t account for the many attacks that likely went unreported.

Coveware, a security consulting firm, found that the average ransom payment for Q3 2023 was $850,700 USD. That is only the amount paid for the ransom; the real costs for recovering of a ransomware incident are based on a range of factors that include:

  • Downtime
  • Damage to reputation
  • Lost business
  • Labour hours
  • Increased insurance coverage costs
  • Legal counseling and settlement fees

The same report mentioned a staggering 41% of victims opted to pay the ransom.

The below scatter plot shows the number of ransomware incidents attributed to the top 20 ransomware groups for 2023, based on leak site communications, public disclosures, and Rapid7 incident response data.

2023 Ransomware Stats: A Look Back To Plan Ahead

Zooming in on the most active groups (supported by a large ecosystem of initial access brokers), the top 5 groups we identified are:

  • Alphv aka BlackCat ransomware
  • BianLian
  • Cl0P
  • Lockbit(3)
  • Play

The below polar-bar chart visualizes these groups’ frequency of postings per month on their leak sites:

2023 Ransomware Stats: A Look Back To Plan Ahead

2023 Ransomware Attacks

Rapid7 Labs conducted an analysis of the 2023 ransomware attacks using data sourced from both external and internal reports. We compared the modus operandi of these attacks and mapped them out against the MITRE ATT&CK model. The results are visualized in the following diagram:

2023 Ransomware Stats: A Look Back To Plan Ahead

This diagram effectively encapsulates the common patterns and methodologies observed in the majority of ransomware attacks. It serves as a visual representation, outlining the sequence of steps typically followed by attackers from initial breach to final ransom demand. In our statistics, exploiting a public facing application and having a valid account are the top initial attack vectors we observed in ransomware-focused attacks in 2023.

Ransomware Groups That Came and Went

In 2023, several ransomware groups ceased their operations or underwent significant transformations. Hive ransomware marked the year’s start with its disruption in January. BlackByte, after briefly reappearing with a new white logo, went offline for the last two months of 2023.

Royal ransomware rebranded itself as Black Suit, as evidenced by the matching binaries.They took down their victim portal and started posting more on their Black Suit leak site.

Vice Society, another group, became inactive for over three months, taking down their main and backup leak sites.

NoEscape, previously known as Avaddon, executed an exit scam, further indicating the volatile and shifting landscape of ransomware groups in 2023. An “exit scam” is a fraudulent scheme where a business or individual collects funds or assets from customers or investors and then suddenly ceases operations, disappearing with the collected funds.

Who To Watch For in 2024

We anticipate that the top 5 groups mentioned will still be active in 2024; however, during the course of 2023, new groups surfaced that are interesting to watch. In random order: Cactus, Rhysida, 8base, Hunters International, Akira, and the recently surfaced Werewolves group are those to keep an eye out for.

Digging Deeper Into Object Lock

Post Syndicated from Pat Patterson original https://www.backblaze.com/blog/digging-deeper-into-object-lock/

A decorative image showing data inside of a vault.

Using Object Lock for your data is a smart choice—you can protect your data from ransomware, meet compliance requirements, beef up your security policy, or preserve data for legal reasons. But, it’s not a simple on/off switch, and accidentally locking your data for 100 years is a mistake you definitely don’t want to make.

Today we’re taking a deeper dive into Object Lock and the related legal hold feature, examining the different levels of control that are available, explaining why developers might want to build Object Lock into their own applications, and showing exactly how to do that. While the code samples are aimed at our developer audience, anyone looking for a deeper understanding of Object Lock should be able to follow along.

I presented a webinar on this topic earlier this year that covers much the same ground as this blog post, so feel free to watch it instead of, or in addition to, reading this article. 

Check Out the Docs

For even more information on Object Lock, check out our Object Lock overview in our Technical Documentation Portal as well as these how-tos about how to enable Object Lock using the Backblaze web UI, Backblaze B2 Native API, and the Backblaze S3 Compatible API:

What Is Object Lock?

In the simplest explanation, Object Lock is a way to lock objects (aka files) stored in Backblaze B2 so that they are immutable—that is, they cannot be deleted or modified, for a given period of time, even by the user account that set the Object Lock rule. Backblaze B2’s implementation of Object Lock was originally known as File Lock, and you may encounter the older terminology in some documentation and articles. For consistency, I’ll use the term “object” in this blog post, but in this context it has exactly the same meaning as “file.”

Object Lock is a widely offered feature included with backup applications such as Veeam and MSP360, allowing organizations to ensure that their backups are not vulnerable to deliberate or accidental deletion or modification for some configurable retention period.

Ransomware mitigation is a common motivation for protecting data with Object Lock. Even if an attacker were to compromise an organization’s systems to the extent of accessing the application keys used to manage data in Backblaze B2, they would not be able to delete or change any locked data. Similarly, Object Lock guards against insider threats, where the attacker may try to abuse legitimate access to application credentials.

Object Lock is also used in industries that store sensitive or personal identifiable information (PII) such as banking, education, and healthcare. Because they work with such sensitive data, regulatory requirements dictate that data be retained for a given period of time, but data must also be deleted in particular circumstances. 

For example, the General Data Protection Regulation (GDPR), an important component of the EU’s privacy laws and an international regulatory standard that drives best practices, may dictate that some data must be deleted when a customer closes their account. A related use case is where data must be preserved due to litigation, where the period for which data must be locked is not fixed and depends on the type of lawsuit at hand. 

To handle these requirements, Backblaze B2 offers two Object Lock modes—compliance and governance—as well as the legal hold feature. Let’s take a look at the differences between them.

Compliance Mode: Near-Absolute Immutability

When objects are locked in compliance mode, not only can they not be deleted or modified while the lock is in place, but the lock also cannot be removed during the specified retention period. It is not possible to remove or override the compliance lock to delete locked data until the lock expires, whether you’re attempting to do so via the Backblaze web UI or either of the S3 Compatible or B2 Native APIs. Similarly, Backblaze Support is unable to unlock or delete data locked under compliance mode in response to a support request, which is a safeguard designed to address social engineering attacks where an attacker impersonates a legitimate user.

What if you inadvertently lock many terabytes of data for several years? Are you on the hook for thousands of dollars of storage costs? Thankfully, no—you have one escape route, which is to close your Backblaze account. Closing the account is a multi-step process that requires access to both the account login credentials and two-factor verification (if it is configured) and results in the deletion of all data in that account, locked or unlocked. This is a drastic step, so we recommend that developers create one or more “burner” Backblaze accounts for use in developing and testing applications that use Object Lock, that can be closed if necessary without disrupting production systems.

There is one lock-related operation you can perform on compliance-locked objects: extending the retention period. In fact, you can keep extending the retention period on locked data any number of times, protecting that data from deletion until you let the compliance lock expire.

Governance Mode: Override Permitted

In our other Object Lock option, objects can be locked in governance mode for a given retention period. But, in contrast to compliance mode, the governance lock can be removed or overridden via an API call, if you have an application key with appropriate capabilities. Governance mode handles use cases that require retention of data for some fixed period of time, with exceptions for particular circumstances.

When I’m trying to remember the difference between compliance and governance mode, I think of the phrase, “Twenty seconds to comply!”, uttered by the ED-209 armed robot in the movie “RoboCop.” It turned out that there was no way to override ED-209’s programming, with dramatic, and fatal, consequences.

ED-209: as implacable as compliance mode.

Legal Hold: Flexible Preservation

While the compliance and governance retention modes lock objects for a given retention period, legal hold is more like a toggle switch: you can turn it on and off at any time, again with an application key with sufficient capabilities. As its name suggests, legal hold is ideal for situations where data must be preserved for an unpredictable period of time, such as while litigation is proceeding.

The compliance and governance modes are mutually exclusive, which is to say that only one may be in operation at any time. Objects locked in governance mode can be switched to compliance mode, but, as you might expect from the above explanation, objects locked in compliance mode cannot be switched to governance mode until the compliance lock expires.

Legal hold, on the other hand, operates independently, and can be enabled and disabled regardless of whether an object is locked in compliance or governance mode.

How does this work? Consider an object that is locked in compliance or governance mode and has legal hold enabled:

  • If the legal hold is removed, the object remains locked until the retention period expires.
  • If the retention period expires, the object remains locked until the legal hold is removed.

Object Lock and Versioning

By default, Backblaze B2 Buckets have versioning enabled, so as you upload successive objects with the same name, previous versions are preserved automatically. None of the Object Lock modes prevent you from uploading a new version of a locked object; the lock is specific to the object version to which it was applied.

You can also hide a locked object so it doesn’t appear in object listings. The hidden version is retained and can be revealed using the Backblaze web UI or an API call.

As you might expect, locked object versions are not subject to deletion by lifecycle rules—any attempt to delete a locked object version via a lifecycle rule will fail.

How to Use Object Lock in Applications

Now that you understand the two modes of Object Lock, plus legal hold, and how they all work with object versions, let’s look at how you can take advantage of this functionality in your applications. I’ll include code samples for Backblaze B2’s S3 Compatible API written in Python, using the AWS SDK, aka Boto3, in this blog post. You can find details on working with Backblaze B2’s Native API in the documentation.

Application Key Capabilities for Object Lock

Every application key you create for Backblaze B2 has an associated set of capabilities; each capability allows access to a specific functionality in Backblaze B2. There are seven capabilities relevant to object lock and legal hold. 

Two capabilities relate to bucket settings:

  1. readBucketRetentions 
  2. writeBucketRetentions

Three capabilities relate to object settings for retention: 

  1. readFileRetentions 
  2. writeFileRetentions 
  3. bypassGovernance

And, two are specific to Object Lock: 

  1. readFileLegalHolds 
  2. writeFileLegalHolds 

The Backblaze B2 documentation contains full details of each capability and the API calls it relates to for both the S3 Compatible API and the B2 Native API.

When you create an application key via the web UI, it is assigned capabilities according to whether you allow it access to all buckets or just a single bucket, and whether you assign it read-write, read-only, or write-only access.

An application key created in the web UI with read-write access to all buckets will receive all of the above capabilities. A key with read-only access to all buckets will receive readBucketRetentions, readFileRetentions, and readFileLegalHolds. Finally, a key with write-only access to all buckets will receive bypassGovernance, writeBucketRetentions, writeFileRetentions, and writeFileLegalHolds.

In contrast, an application key created in the web UI restricted to a single bucket is not assigned any of the above permissions. When an application using such a key uploads objects to its associated bucket, they receive the default retention mode and period for the bucket, if they have been set. The application is not able to select a different retention mode or period when uploading an object, change the retention settings on an existing object, or bypass governance when deleting an object.

You may want to create application keys with more granular permissions when working with Object Lock and/or legal hold. For example, you may need an application restricted to a single bucket to be able to toggle legal hold for objects in that bucket. You can use the Backblaze B2 CLI to create an application key with this, or any other set of capabilities. This command, for example, creates a key with the default set of capabilities for read-write access to a single bucket, plus the ability to read and write the legal hold setting:

% b2 create-key --bucket my-bucket-name my-key-name listBuckets,readBuckets,listFiles,readFiles,shareFiles,writeFiles,deleteFiles,readBucketEncryption,writeBucketEncryption,readBucketReplications,writeBucketReplications,readFileLegalHolds,writeFileLegalHolds

Enabling Object Lock

You must enable Object Lock on a bucket before you can lock any objects therein; you can do this when you create the bucket, or at any time later, but you cannot disable Object Lock on a bucket once it has been enabled. Here’s how you create a bucket with Object Lock enabled:

s3_client.create_bucket(
    Bucket='my-bucket-name',
    ObjectLockEnabledForBucket=True
)

Once a bucket’s settings have Object Lock enabled, you can configure a default retention mode and period for objects that are created in that bucket. Only compliance mode is configurable from the web UI, but you can set governance mode as the default via an API call, like this:

s3_client.put_object_lock_configuration(
    Bucket='my-bucket-name',
    ObjectLockConfiguration={
        'ObjectLockEnabled': 'Enabled',
        'Rule': {
            'DefaultRetention': {
                'Mode': 'GOVERNANCE',
                'Days': 7
            }
        }
    }
)

You cannot set legal hold as a default configuration for the bucket.

Locking Objects

Regardless of whether you set a default retention mode for the bucket, you can explicitly set a retention mode and period when you upload objects, or apply the same settings to existing objects, provided you use an application key with the appropriate writeFileRetentions or writeFileLegalHolds capability.

Both the S3 PutObject operation and Backblaze B2’s b2_upload_file include optional parameters for specifying retention mode and period, and/or legal hold. For example:

s3_client.put_object(
    Body=open('/path/to/local/file', mode='rb'),
    Bucket='my-bucket-name',
    Key='my-object-name',
    ObjectLockMode='GOVERNANCE',
    ObjectLockRetainUntilDate=datetime(
        2023, 9, 7, hour=10, minute=30, second=0
    )
)

Both APIs implement additional operations to get and set retention settings and legal hold for existing objects. Here’s an example of how you apply a governance mode lock:

s3_client.put_object_retention(
    Bucket='my-bucket-name',
    Key='my-object-name',
    VersionId='some-version-id',
    Retention={
        'Mode': 'GOVERNANCE',  # Required, even if mode is not changed
        'RetainUntilDate': datetime(
            2023, 9, 5, hour=10, minute=30, second=0
        )
    }
)

The VersionId parameter is optional: the operation applies to the current object version if it is omitted.

You can also use the web UI to view, but not change, an object’s retention settings, and to toggle legal hold for an object:

A screenshot highlighting where to enable Object Lock via the Backblaze web UI.

Deleting Objects in Governance Mode

As mentioned above, a key difference between the compliance and governance modes is that it is possible to override governance mode to delete an object, given an application key with the bypassGovernance capability. To do so, you must identify the specific object version, and pass a flag to indicate that you are bypassing the governance retention restriction:

# Get object details, including version id of current version
object_info = s3_client.head_object(
    Bucket='my-bucket-name',
    Key='my-object-name'
)

# Delete the most recent object version, bypassing governance
s3_client.delete_object(
    Bucket='my-bucket-name',
    Key='my-object-name',
    VersionId=object_info['VersionId'],
    BypassGovernanceRetention=True
)

There is no way to delete an object in legal hold; the legal hold must be removed before the object can be deleted.

Protect Your Data With Object Lock and Legal Hold

Object Lock is a powerful feature, and with great power… you know the rest. Here are some of the questions you should ask when deciding whether to implement Object Lock in your applications:

  • What would be the impact of malicious or accidental deletion of your application’s data?
  • Should you lock all data according to a central policy, or allow users to decide whether to lock their data, and for how long?
  • If you are storing data on behalf of users, are there special circumstances where a lock must be overridden?
  • Which users should be permitted to set and remove a legal hold? Does it make sense to build this into the application rather than have an administrator use a tool such as the Backblaze B2 CLI to manage legal holds?

If you already have a Backblaze B2 account, you can start working with Object Lock today; otherwise, create an account to get started.

The post Digging Deeper Into Object Lock appeared first on Backblaze Blog | Cloud Storage & Cloud Backup.