Tag: encryption

The DONOT APT group has launched a campaign targeting Pakistan's manufacturing industry supporting maritime and defense sectors. The attack uses a malicious LNK file disguised as an RTF, which executes PowerShell commands to deliver a lure document and stager malware. The malware establishes persis…

A new ransomware called Ymir was discovered during an incident response case. It uses memory operations to evade detection and employs the ChaCha20 cipher for encryption. The attackers gained initial access via PowerShell commands and installed tools like Process Hacker before deploying Ymir. The r…

A new ransomware called Ymir was discovered during an incident response case. It uses memory operations to evade detection and employs the ChaCha20 cipher for encryption. The attackers gained initial access via PowerShell commands and installed tools like Process Hacker before deploying Ymir. The r…

A new ransomware called Fog has been identified, affecting education and recreation centers in the United States. The threat actors gain access through compromised VPN credentials, disable Windows Defender, and deploy the ransomware. Fog is a 32-bit EXE file compiled using Microsoft Visual C/C++. I…

The Beast Ransomware group, active since 2022, offers a Ransomware-as-a-Service (RaaS) platform with constant updates. It supports Windows, Linux, and ESXi systems, providing affiliates with customizable binary options. Beast employs advanced encryption methods, including Elliptic-curve and ChaCha2…

This analysis provides an in-depth look into the operations of the Cicada3301 Ransomware-as-a-Service (RaaS) group. It details the workflow of their affiliates within the panel and examines the multi-platform capabilities of their ransomware, encompassing Windows, Linux, ESXi, and even uncommon arc…

Lynx ransomware, discovered in July 2024, is a successor to INC ransomware targeting organizations in retail, real estate, architecture, and financial services in the U.S. and UK. It shares significant source code with INC and operates as a ransomware-as-a-service model. Lynx employs double extorti…

ShrinkLocker is a new ransomware strain that exploits Windows BitLocker to encrypt targeted data. Unlike typical ransomware, it abuses this legitimate feature to create a secure boot partition, locking users out unless a ransom is paid. The malware performs system checks, modifies registry entries,…

Repellent Scorpius is a new ransomware-as-a-service group distributing Cicada3301 ransomware. It emerged in May 2024 and employs double extortion tactics involving data theft. The report covers a technical analysis of the Cicada3301 ransomware, the group's tactics, connections to historical inciden…

The Underground ransomware, first observed in July 2023, targets Windows machines by encrypting files and demanding ransom. Attributed to the Russia-based RomCom group, it exploits CVE-2023-36884 and other common infection vectors. The ransomware deletes shadow copies, modifies RemoteDesktop settin…

RansomHub is a ransomware-as-a-service variant that has targeted over 210 victims across various critical infrastructure sectors since February 2024. It employs a double-extortion model, encrypting systems and exfiltrating data. The ransom note provides victims with a client ID and instructions to …

This analysis examines a recent malware campaign involving a dropper dubbed Gh0stGambit, which is employed to retrieve and execute encrypted payloads, specifically a variant of the notorious Gh0st Remote Access Trojan (RAT). The report details the multi-stage infection process, including the use of…

While overall activity levels dipped slightly in the first quarter of 2024, the number of claimed attacks remained high, with LockBit accounting for over 20%. The report explores the changing tactics employed by ransomware actors, including the exploitation of vulnerabilities, the use of Bring-Your…

Researchers have uncovered a cryptographic flaw in the DoNex ransomware and its previous iterations, allowing for the creation of a decryptor tool. Initially discovered in March 2024, this cryptographic weakness was made public at Recon 2024. The ransomware, which has undergone several rebrands sin…

This report provides an in-depth analysis of the BlackSuit ransomware, a threat that has been actively targeting various sectors since May 2023. It presents statistics from incident response engagements, explores the ransomware's behavior and technical analysis, and offers insights into the potenti…

The report analyzes the Mallox ransomware, which has been active since mid-2021 and focuses on multi-extortion by encrypting victims' data and threatening to post it on public TOR sites. Initially targeting Windows systems, Mallox has now developed Linux variants using custom Python scripts for pay…

The report describes an attack campaign leveraging the CVE-2024-4577 vulnerability to deliver the "TellYouThePass" ransomware. The attackers use the vulnerability to execute arbitrary PHP code and run a malicious HTML application that loads a .NET variant of the ransomware into memory. Upon executi…

Arctic Wolf Labs began monitoring the deployment of a new ransomware variant called Fog in early May 2024. The ransomware attacks targeted organizations in the education and recreation sectors within the United States. Evidence suggests threat actors gained initial access through compromised VPN cr…

This report examines a recent malicious campaign involving a JScript-based Remote Access Trojan (RAT) and its connections to the CobaltStrike penetration testing tool. The attack commences with an obfuscated JScript loader distributed through suspected phishing campaigns. Upon execution, it contact…

The report examines an incident where threat actors leveraged Microsoft's BitLocker encryption utility to deploy unauthorized file encryption on targeted systems. The adversaries employed a sophisticated VBScript that resized disk partitions, modified registry entries, enabled BitLocker with random…

This comprehensive analysis delves into the continuous evolution and refinement of sophisticated malware entities employed by a persistent cyberespionage group targeting organizations in the Asia-Pacific region. The malware, known as Waterbear and its latest iteration, Deuterbear, have undergone si…

This advisory details tactics, techniques, procedures and indicators of compromise related to Black Basta ransomware, a variant first identified in April 2022. Its affiliates have impacted over 500 organizations globally across multiple critical infrastructure sectors, including Healthcare and Publ…

This concise report provides insights into the evolving ransomware landscape, covering the KageNoHitobito and DoNex variants. It analyzes their infection vectors, victimology, attack methods, and associated indicators of compromise (IoCs). The report also highlights Fortinet's protections against t…