Threat actors behind the Ransomhub Ransomware-as-a-Service (RAAS) scheme leverage security flaws currently patched with Microsoft Active Directory and Netlogon protocols to escalate privileges and turn to domain controllers in victim networks It has been observed that it is utilizing the Netlogon protocol to gain unauthorized access. Their post-compromise strategy.
“Ransomhub targets over 600 organizations across sectors such as healthcare, finance, government and critical infrastructure, and established it firmly in 2024 as the most active ransomware group,” said Group. -IB analysts said in a thorough report released this week.
The ransomware group first appeared in February 2024 and has accelerated its operation by obtaining source code related to the now-deprecated Knight (formerly Cyclops) Larsgang of the Lamp Cyber Crime Forum. About five months later, an illegal market updated locker was advertised, with the ability to remotely encrypt data via the SFTP protocol.
It comes with multiple variants that allow you to encrypt files on Windows, VMware ESXI, and SFTP servers. Ransomhub has also been observed to actively recruit affiliates from Lockbit and Blackcat groups as part of its partnership program, indicating its attempts to leverage law enforcement measures targeting rivals.
In an incident analyzed by a Singaporean cybersecurity company, threat actors use publicly available proof of concept (POC) to influence Palo Alto Networks PAN-OS devices (CVE-2024-3400) It is said that they tried to take advantage of a serious flaw. ), before eventually violating the victim network by brute force attacks on the VPN service.
“This brute force attempt was based on a concentrated dictionary of over 5,000 usernames and passwords,” the researchers said. “The attacker ultimately gained access through the default accounts that are frequently used in data backup solutions, and ultimately the perimeter was compromised.”
The initial access was then abused, carrying out a ransomware attack, and data encryption and delamination occurred within 24 hours of compromise.
In particular, it includes weaponization of two known security flaws in Active Directory (CVE-2021-42278 aka NOPAC) and Netlogon protocol (CVE-2020-1472 aka Zerologon), grabs control of domain controllers and laterals across the network. Moved directionally. .
“The exploitation of the above vulnerabilities allowed the attacker to gain full privileged access to the domain controller, a neural center of Microsoft’s window-based infrastructure,” the researchers said. .
“After the removal operation was completed, the attacker prepared the environment for the final stage of the attack. The attacker manipulated it to provide all the corporate data, stored in various NASs and was completely unreadable. The purpose of enforcing victims to pay ransom is to retrieve the data, which is inaccessible, prevented from being restored.”
Another notable aspect of the attack is the use of pchunter to stop and bypass the endpoint security solution, and filezilla for data removal.
“The origins of the Ransomhub group, its attack operations and overlapping characteristics with other groups confirm the existence of a vivid cybercrime ecosystem,” the researchers said.
“This environment thriving in the sharing, reuse and rebranding of tools and source code, promoting a robust underground market where famous victims, infamous groups and substantial amounts play a central role. Masu.”
Cybersecurity companies detail the internal mechanisms of the “formal RAAS operator,” known as Lynx, highlighting affiliate workflows, cross-platform ransomware arsenals for Windows, Linux and ESXI environments, and customizable encryption modes. It was developed to hit.
Analysis of Windows and Linux versions of ransomware shows it is very similar to Inc ransomware, indicating that it is likely that the threat actor has obtained the source code for the latter.
“Affiliates are incentivized with an 80% share of ransom revenue, reflecting a competitive, recruitment-driven strategy,” he said. “Lately, Lynx has added multiple encryption modes: “Fast”, “Medium”, “Slow”, and “Overall” give the freedom to adjust the trade-off between speed and depth of file encryption. Give it to affiliate marketing. ”
“The group’s recruitment post at the underground forum highlights the rigorous verification process of pentesters and skilled intrusion teams, highlighting Lynx’s emphasis on operational security and quality control. Results . “
In recent weeks, financially motivated attacks have also been observed using Phorpiex (aka Trik) botnet malware propagated via phishing emails to deliver lock bit ransomware .
“Unlike previous Lockbit Ransomware Icidents, threat actors rely on Phorpiex to provide and run Lockbit Ransomware,” Cybereason said in the analysis. “This technique is unique because ransomware deployments are usually made up of human operators carrying out the attack.”
Another important initial infection vector concerns the use of unpaid VPN appliances (e.g. CVE-2021-20038) to access internal network devices and hosts and ultimately deploy Abyss locker ransomware.
Attacks are also characterized by using tunnel tools to maintain persistence and by leveraging proprietary Vulnerable Driver (BYOVD) techniques to disable endpoint protection controls.
“After gaining access to the environment and performing reconnaissance, these tunnel tools will be strategically deployed to critical network devices such as ESXI hosts, Windows hosts, VPN appliances, and network attached storage (NAS) devices. ” says Sygnia researchers.
“By targeting these devices, attackers ensure robust and trustworthy communication channels to maintain access across the compromised network and coordinate malicious activity.”
The ransomware landscape, led by old and new threat actors, continues to maintain attacks where attacks pivot from traditional encryption to data theft and fear tor. .
“Groups like Ransomhub and Akira encourage stolen data with great rewards and put these tactics incredibly advantageous,” said cybersecurity company Huntress.
Source link
