{"id":23919,"date":"2024-02-12T12:10:06","date_gmt":"2024-02-12T20:10:06","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/02\/12\/news-17649\/"},"modified":"2024-02-12T12:10:06","modified_gmt":"2024-02-12T20:10:06","slug":"news-17649","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2024\/02\/12\/news-17649\/","title":{"rendered":"Ransomware review: February 2024"},"content":{"rendered":"\n<p><em>This article is based on research by Marcelo Rivero, Malwarebytes&#8217; ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, &#8220;known attacks&#8221; are those where the victim&nbsp;<strong>did not<\/strong>&nbsp;pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.<\/em><\/p>\n<p>In January, we recorded a total of 261 ransomware victims, the lowest number of attacks since February 2023. This is normal, as past data reveals that <a href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2024\/02\/ransomware-in-2023-recap-5-key-takeaways\" target=\"_blank\" rel=\"noreferrer noopener\">historical January months tend to be one of the least active periods for ransomware gangs<\/a>. But don\u2019t let the relatively low number of attacks fool you: there was plenty of important ransomware news last month.\u00a0<\/p>\n<p>In January, researchers observed fake &#8220;security researchers&#8221; trying to trick ransomware victims into thinking that they can recover their stolen data. Described as \u201cfollow-on extortion\u201d attacks, the goal of these scams is to get the victims to pay Bitcoin for supposed assistance.<\/p>\n<p>The two examples we have of follow-on extortion attacks targeted victims of the Royal and Akira ransomware gangs, but it\u2019s unclear if the fake security researchers are a part of either of those gangs. Our guess? 
It\u2019s more likely that they are a fringe group simply seizing an opportunity to exploit victims already targeted by these gangs.\u00a0<\/p>\n<p>Let\u2019s analyze why, using two scenarios, assuming that the follow-up extortioners really are Royal or Akira.\u00a0\u00a0<\/p>\n<p>In scenario one, Royal or Akira steals data, prompting a ransom payment from the victim for data deletion. Then, Royal or Akira sends a splinter group to the same victim claiming Royal didn&#8217;t delete the data, offering deletion services for an additional fee. This scenario is pretty unlikely, as it undermines Royal&#8217;s credibility from the victim&#8217;s perspective, damaging the gang&#8217;s reputation.<\/p>\n<p>In scenario two, Royal or Akira steals data, but the victim hasn&#8217;t paid for deletion yet. The Royal or Akira splinter group then offers to recover the data for a fee. This predicament forces the victim to choose who to trust, likely deciding that it might be more logical to rely on Royal since they have more incentive to maintain a semblance of reliability. So, it then just becomes a normal double-extortion case but with an unnecessary extra step.<\/p>\n<p>In the first case, the &#8220;initial ransomware gang&#8221; has no leverage for a second round of extortion without contradicting their own claims and damaging their reputation. In the second case, the initial ransomware gang just does more work to get the same outcome, namely payment for data deletion.\u00a0<\/p>\n<p>Neither option presents a guaranteed connection to the original attackers. 
<\/p>\n<figure class=\"wp-block-image aligncenter size-large is-resized is-style-default\"><img decoding=\"async\" loading=\"lazy\" width=\"1400\" height=\"875\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/02\/known-ransomware-attacks-by-gang-january-2024.jpg?w=1024\" alt=\"Known ransomware attacks by gang, January 2024\" class=\"wp-image-103793\" style=\"width:700px;height:auto\" \/><figcaption class=\"wp-element-caption\">Known ransomware attacks by gang, January 2024<\/figcaption><\/figure>\n<figure class=\"wp-block-image aligncenter size-large is-resized\"><img decoding=\"async\" loading=\"lazy\" width=\"1400\" height=\"1150\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/02\/known-ransomware-attacks-by-country-january-2024.jpg?w=1024\" alt=\"Known ransomware attacks by country, January 2024\" class=\"wp-image-103792\" style=\"width:700px\" \/><figcaption class=\"wp-element-caption\">Known ransomware attacks by country, January 2024<\/figcaption><\/figure>\n<figure class=\"wp-block-image aligncenter size-large is-resized\"><img decoding=\"async\" loading=\"lazy\" width=\"1400\" height=\"1150\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/02\/known-ransomware-attacks-by-industry-sector-jamary-2024.jpg?w=1024\" alt=\"Known ransomware attacks by industry sector, January 2024\" class=\"wp-image-103795\" style=\"width:700px;height:auto\" \/><figcaption class=\"wp-element-caption\">Known ransomware attacks by industry sector, January 2024<\/figcaption><\/figure>\n<p>In other January news, <a href=\"https:\/\/www.ncsc.gov.uk\/report\/impact-of-ai-on-cyber-threat\" target=\"_blank\" rel=\"noreferrer noopener\">the UK&#8217;s National Cybersecurity Centre (NCSC) released a report <\/a>suggesting that AI will boost ransomware attack volume and severity in the next two years, particularly through lowering the entry barrier for novice hackers. 
A simple example is an affiliate using generative AI to create more persuasive phishing emails. This could decrease affiliates\u2019 dependence on Initial Access Brokers for accessing networks, leading to more attacks by individuals enticed by the lower initial investment.<\/p>\n<p>In general, however, we should be cautious about these predictions. Incorporating AI into cybercrime\u2014especially for automated discovery of vulnerabilities or efficient high-value data extraction, as NCSC\u2019s report suggests\u2014is extremely complex and costly. For major gangs like LockBit and CL0P, who manage multimillion-dollar operations, adopting these AI advancements might be more feasible, yet it is still far too early to speculate upon.<\/p>\n<p>In our view, RaaS groups will maintain their current operations in the short term. AI may introduce new methods and techniques for cybercriminals, to be sure, but the core principles of ransomware gangs\u2014based on access, leverage, and profit\u2014will likely continue unchanged for the foreseeable future.<\/p>\n<p>In other news, researchers last month witnessed Black Basta affiliates leveraging a new phishing campaign aimed at delivering a relatively new loader named PikaBot.&nbsp;<\/p>\n<p>PikaBot, an <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/08\/major-takedown-of-qakbot-infrastructure\" target=\"_blank\" rel=\"noreferrer noopener\">ostensible replacement for the notorious QakBot malware<\/a>, is an initial access tool <a href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/12\/pikabot-distributed-via-malicious-ads\">that we first wrote about in mid-December<\/a>\u2014and it looks like it didn\u2019t take ransomware gangs long to start using it. 
While our original post about PikaBot focused on its distribution via malicious search ads and not phishing emails, ransomware gangs <a href=\"https:\/\/www.malwarebytes.com\/blog\/business\/2023\/06\/malvertising-a-stealthy-precursor-to-infostealers-and-ransomware-attacks\" target=\"_blank\" rel=\"noreferrer noopener\">are known to use both attack vectors to gain initial access<\/a>.\u00a0<\/p>\n<p>A typical distribution chain for PikaBot, <a href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/12\/pikabot-distributed-via-malicious-ads\" target=\"_blank\" rel=\"noreferrer noopener\">writes ThreatDown Intelligence researcher J\u00e9r\u00f4me Segura<\/a>, usually starts with an email (within an already-hijacked thread) containing a link to an external website. Users are then tricked into downloading a zip archive containing malicious JavaScript that downloads PikaBot from an external server.\u00a0<\/p>\n<p>As this news marks the first time that PikaBot has been publicly connected with any ransomware operations, it\u2019s safe to assume that the malware is actively being used by other gangs as well\u2014or that if it&#8217;s not, it will be soon.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-new-leak-site-mydata\">New leak site: MYDATA<\/h2>\n<p>Mydata is a new leak site from Alpha ransomware, a distinct group not to be confused with ALPHV ransomware. The site published the data of 10 victims in January. <\/p>\n<h2 class=\"wp-block-heading\" id=\"h-preventing-ransomware\">Preventing Ransomware<\/h2>\n<p>Fighting off ransomware gangs like the ones we report on each month requires a layered security strategy. Technology that preemptively keeps gangs out of your systems is great\u2014but it\u2019s not enough.&nbsp;<\/p>\n<p>Ransomware attackers target the easiest entry points: an example chain might be that they first try phishing emails, then open RDP ports, and if those are secured, they\u2019ll exploit unpatched vulnerabilities. 
Multi-layered security is about making infiltration progressively harder and detecting those who do get through.&nbsp;<\/p>\n<p>Technologies like Endpoint Protection (EP) and Vulnerability and Patch Management (VPM) are vital first defenses, reducing breach likelihood.&nbsp;<\/p>\n<p>The key point, though, is to assume that motivated gangs will eventually breach defenses. Endpoint Detection and Response (EDR) is crucial for finding and removing threats before damage occurs. And if a breach does happen\u2014ransomware rollback tools can undo changes.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-how-threatdown-addresses-ransomware\"><strong>How ThreatDown Addresses Ransomware<\/strong><\/h2>\n<p>ThreatDown bundles take a comprehensive approach to these challenges. Our integrated solutions combine EP, VPM, and EDR technologies, tailored to your organization\u2019s specific needs. ThreatDown\u2019s select bundles offer:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.malwarebytes.com\/blog\/business\/2022\/08\/how-it-teams-can-prevent-phishing-attacks-with-malwarebytes-dns-filtering\">Advanced Web Protection<\/a>: Blocking phishing websites ransomware gangs use for initial access.<\/li>\n<li><a href=\"https:\/\/www.malwarebytes.com\/blog\/business\/2023\/04\/port-scan-attacks-protecting-your-business-from-rdp-attacks-and-mirai-botnets\">RDP Shield:<\/a>&nbsp;Securing remote access points with Brute Force Protection.<\/li>\n<li><a href=\"https:\/\/www.malwarebytes.com\/blog\/business\/2022\/09\/vulnerability-response-for-smbs-the-malwarebytes-approach\">Continuous Vulnerability Scanning and Patch Management<\/a>: Identifying and patching weaknesses before ransomware gangs can exploit them.<\/li>\n<li><a href=\"https:\/\/www.malwarebytes.com\/blog\/business\/2022\/07\/demo-your-data-has-been-encrypted-stopping-ransomware-attacks-with-malwarebytes-edr\">Sophisticated EDR<\/a>: Detecting and neutralizing advanced threats such as LockBit within the network.<\/li>\n<li><a 
href=\"https:\/\/www.malwarebytes.com\/blog\/business\/2023\/08\/faq-how-does-malwarebytes-ransomware-rollback-work\">Ransomware Rollback<\/a>: Reversing the impact of any successful attacks.<\/li>\n<\/ul>\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1094\" height=\"247\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2023\/12\/7225d66b-875a-4784-be43-d4cb54b0c5b2.png?w=1024\" alt=\"ransomware 1\" class=\"wp-image-100612\" \/><\/figure>\n<p class=\"has-text-align-center\">ThreatDown EDR detecting LockBit ransomware<\/p>\n<figure class=\"wp-block-image aligncenter\"><img decoding=\"async\" loading=\"lazy\" width=\"359\" height=\"277\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2023\/12\/dc03e31c-b8c6-46a8-8f57-0b51963f42e7-1.png\" alt=\"\" class=\"wp-image-100613\" \/><\/figure>\n<p class=\"has-text-align-center\">ThreatDown automatically quarantining LockBit ransomware<\/p>\n<p>For resource-constrained organizations, select ThreatDown bundles offer Managed Detection and Response (MDR) services, providing expert monitoring and swift threat response to ransomware threats\u2014without the need for large in-house cybersecurity teams.<\/p>\n<hr class=\"wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background is-style-wide\" \/>\n<p>Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? 
<\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2024\/02\/ransomware-review-february-2024\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> In January, we recorded a total of 261 ransomware victims. <\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[3765,12040],"class_list":["post-23919","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-ransomware","tag-threat-intelligence"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23919","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=23919"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23919\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=23919"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.p
hp\/wp-json\/wp\/v2\/categories?post=23919"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=23919"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}