maze - X-Industry - Red Sky Alliance (feed, updated 2024-03-29T13:16:11Z): https://redskyalliance.org/xindustry/feed/tag/maze

Ransomware Author says Goodbye Forever, Hmmmmm....
https://redskyalliance.org/xindustry/ransomware-author-says-goodbye-forever-hmmmmm
Published 2022-02-13T20:17:32.000Z by Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><p><a href="{{#staticFileLink}}10099051699,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10099051699,RESIZE_400x{{/staticFileLink}}" width="250" alt="10099051699?profile=RESIZE_400x" /></a>If you or your company was unfortunate enough to be caught in the web of a ransomware attack, the consequences may have been devastating. Hopefully you got rid of the infection, but the all-important files affected by such an attack could still be under lock and key. Without backups, which is more common than you may think, the files may be gone forever.</p>
<p><strong>A tiny slice of good fortune: </strong>Occasionally, we all catch a break. Files can sometimes be recovered in the following ways<a href="#_ftn1">[1]</a>:</p>
<ul>
<li>A ransomware author makes some sort of mistake, or their files are just simply coded badly. Researchers figure out a way to <a href="https://www.zdnet.com/article/cracking-ransomware-ransomwarrior-victims-can-now-retrieve-files-for-free/">recover the decryption key</a>, and publish it so victims can recover their files.</li>
<li>Authors offer up the keys themselves. This can be for a variety of reasons. They may have generated a bit too much heat, and are looking to retreat into the shadows with the suggestion of some good deed done. Other times, they decide “party’s over” with the release of a new variant and hand out a “Get out of jail free” pass to former victims.</li>
</ul>
<p><strong>What a maze!! </strong>So, back in 2019, Maze ransomware came to the forefront. Initially it grabbed victims <a href="https://www.bleepingcomputer.com/news/security/maze-ransomware-says-computer-type-determines-ransom-amount/">via fake cryptocurrency site traffic</a> and bounced it to exploit kit landing pages. It also claimed to vary ransom amounts depending on whether the compromised machine was a workstation, home computer, or server. Tactics changed a little later on, with threats of exfiltrated data being published if ransom demands were not met. The group behind Maze eventually announced retirement, and infection numbers tailed off after one final flourish in August 2020. Maze affiliates quickly moved over to Egregor, which was then mired in the mud of several arrests. We are now into the second month of 2022, and there are yet more developments in Maze land.</p>
<p><strong>We’re finished…(again). </strong>Someone has <a href="https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/">posted to the Bleeping Computer forums</a>, claiming to be the developer of not only Maze, but also the Egregor and Sekhmet ransomware families. The post reads as follows:</p>
<table width="100%">
<tbody>
<tr>
<td>
<p>Hello, It’s developer. It was decided to release keys to the public for Egregor, Maze, Sekhmet ransomware families.</p>
<p>also there is a little bit harmless source code of polymorphic x86/x64 modular EPO file infector m0yv detected in the wild as Win64/Expiro virus, but it is not expiro actually, but AV engines detect it like this, so no single thing in common with gazavat. Each archive with keys has corresponding keys inside the numeric folders which equal to advert id in the config.</p>
<p>In the “OLD” folder of maze leak is keys for its old version with e-mail based. Consider to make decryptor first for this one, because there were too many regular PC users for this version.</p>
</td>
</tr>
</tbody>
</table>
<p><a href="{{#staticFileLink}}10099055055,original{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10099055055,RESIZE_584x{{/staticFileLink}}" width="500" alt="10099055055?profile=RESIZE_584x" /></a>There is, once more, a claim that anyone involved is now definitely out of the ransomware game for good. All the “source code of tools” is also supposedly gone forever. The forum poster included a zip containing decryption keys for the ransomware, and also some source code for malware used by the Maze gang.</p>
<p><strong>What’s the real reason for this departure? </strong>Decryption tools now exist for the three groups mentioned, thanks to the release of the keys in the forum post. The zip file has since been removed from the forum because it included the malware source code. The author claims the forum post and announcement are not related to any arrest or takedown, but even so this reads more like an announcement of leaving the malware realm to avoid trouble than a genuine effort to help victims. Are they gone for good, or will they return once more with a new set of ransomware files? Only time will tell. Red Sky does not think so.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization who has long collected and analyzed cyber indicators. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://blog.malwarebytes.com/malwarebytes-news/2022/02/ransomware-author-releases-decryption-keys-says-goodbye-forever/">https://blog.malwarebytes.com/malwarebytes-news/2022/02/ransomware-author-releases-decryption-keys-says-goodbye-forever/</a></p></div>

Ransomware-as-a-Service went to Business School
https://redskyalliance.org/xindustry/ransomware-as-a-service-went-to-business-school
Published 2021-02-08T17:28:26.000Z by Mac McKee (https://redskyalliance.org/members/MacMcKee)
<div><p><a href="{{#staticFileLink}}8532841253,original{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8532841253,RESIZE_400x{{/staticFileLink}}" width="250" alt="8532841253?profile=RESIZE_400x" /></a>A report published today by blockchain investigations firm Chainalysis confirms that cybercrime groups engaging in ransomware attacks do not operate in their own bubbles but often switch ransomware suppliers (RaaS services) in search of better profits. The report analyzed how Bitcoin funds were transferred from victims to criminal groups, how the money was divided among the different parties involved in an attack, and how it was eventually laundered.</p>
<p>In today’s world, the ransomware landscape is very similar to how modern businesses operate. There are coders who create and rent the actual ransomware strain via services called RaaS or Ransomware-as-a-Service similar to how most modern software is provided today. Often, RaaS operators rent their ransomware to anyone who signs up, while others prefer to work with small groups of verified clients, which are usually called "affiliates." The affiliates are the actors who usually spread the ransomware via email or orchestrate intrusions into corporate or government networks, which they later infect and encrypt with the ransomware they rented from the RaaS operator.</p>
<p>In some cases, the affiliates are also multiple actor groups themselves. Affiliate groups specialize in breaching a company's network perimeter, and are called initial access vendors, while other groups are specialized in expanding this initial access inside hacked networks to maximize the ransomware's damage.</p>
<p>The ransomware landscape has evolved from previous years and is now a collection of multiple criminal groups, each providing its own highly-specialized service to one another, often across different RaaS providers.</p>
<p>The <a href="https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer">Chainalysis report</a> confirms these informal theories with indisputable and unforgeable cryptographic proof left behind by the Bitcoin transactions that have taken place among some of these groups. Chainalysis said it found evidence to suggest that an affiliate for the now-defunct Maze RaaS was also involved with SunCrypt RaaS. "We see that the Maze affiliate also sent funds roughly 9.55 Bitcoin worth over $90,000 via an intermediary wallet to an address labeled 'Suspected SunCrypt admin,' which we've identified as part of a wallet that has consolidated funds related to a few different SunCrypt attacks," Chainalysis said.</p>
<p>"This suggests that the Maze affiliate is also an affiliate for SunCrypt, or possibly involved with SunCrypt in another way."</p>
<p>Similar findings also show a connection between the Egregor and DoppelPaymer operations. "In this case, we see that an Egregor wallet sent roughly 78.9 BTC worth approximately $850,000 to a suspected Doppelpaymer administrator wallet," researchers said. "Though we can't know for sure, we believe that this is another example of affiliate overlap. Our hypothesis is that the Egregor-labeled wallet is an affiliate for both strains sending funds to the Doppelpaymer administrators."</p>
<p>Chainalysis researchers also found evidence that the operators of the Maze and Egregor operations also used the same money-laundering service and over-the-counter brokers to convert stolen funds into fiat currency.</p>
<p>Since several security firms have suggested that the Egregor RaaS is a rebrand and continuation of the older and defunct Maze operation, such findings come to support these theories, showing how old Maze tactics permeated to the new Egregor operation. "Interesting report and very much aligns with what we are seeing," <a href="https://twitter.com/uuallan">Allan Liska</a>, a security researcher with threat intelligence firm Recorded Future, told ZDNet.</p>
<p>"Recorded Future is seeing more fluidity in the RaaS market now than at any other time in the (admittedly short) history of the RaaS market. Part of this is because of the reality that there is a growing stratification between the haves and have nots in ransomware. There are fewer actors making a lot of money, so ransomware actors are jumping from one RaaS to another to improve their chances of success," the Recorded Future analyst said. Liska says there are other connections and overlaps between other RaaS groups, not just Maze, SunCrypt, and Egregor.</p>
<p>The Recorded Future analyst pointed to the Sodinokibi (aka REvil) RaaS operation as one of the services where many groups overlap, primarily because the Sodinokibi administrator, an individual going by the name of Unknown, has often actively and openly recruited affiliates from other RaaS programs. But while we might view these connections and overlaps as a sign of successful cooperation between cybercrime groups, Chainalysis believes that this interconnectedness is actually a good sign for law enforcement. "The evidence suggests that the ransomware world is smaller than one may initially think given the number of unique strains currently operating," Chainalysis said.</p>
<p>In theory, this should make cracking down on and disrupting ransomware attacks a much easier task, since a carefully planned blow could impact multiple groups and RaaS providers at the same time. According to Chainalysis, these weak spots are the money-laundering and over-the-counter services that RaaS operators and their affiliates often use to convert their stolen funds into legitimate currency.</p>
<p>By taking out legitimate avenues for converting funds and reaching real-world profitability, Chainalysis believes RaaS operations would have a hard time seeing a reason to operate when they can't profit from their work.</p>
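<p>The two findings above, a Maze affiliate paying a SunCrypt administrator through an intermediary wallet and Maze and Egregor cashing out through the same service, are instances of one technique: walking a transaction graph outward from attributed addresses. The Python below is an added example, not Chainalysis' or Red Sky Alliance's code. Its ledger, address names and family labels are constructed to mimic the flows the report describes; in practice the labels would come from an address-clustering source, which this example simply assumes.</p>

```python
"""Tracing affiliate overlap between ransomware families through a payment graph.

Added example, not Chainalysis' or Red Sky Alliance's code. The ledger and the
address labels below are constructed to mirror the flows the post describes (a
Maze affiliate paying a SunCrypt admin through an intermediary wallet; Maze and
Egregor both cashing out through one laundering service). Amounts are in BTC.
"""
from collections import defaultdict, deque

# Constructed ledger: (sender, receiver, amount_btc). Every address is fake.
TRANSACTIONS = [
    ("victim_A", "maze_affiliate_1", 20.0),
    ("victim_B", "maze_affiliate_1", 15.0),
    ("maze_affiliate_1", "maze_operator", 10.5),   # RaaS operator's share
    ("maze_affiliate_1", "hop_1", 9.55),            # unlabelled intermediary
    ("hop_1", "suncrypt_admin", 9.55),
    ("maze_operator", "mixer_X", 10.0),             # cash-out service
    ("victim_C", "egregor_wallet", 80.0),
    ("egregor_wallet", "doppelpaymer_admin", 78.9),
    ("egregor_wallet", "mixer_X", 1.0),
    ("victim_D", "conti_wallet", 30.0),
    ("conti_wallet", "otc_broker_Y", 30.0),
]

# Constructed attribution, as an investigator's address clustering would supply.
# "service" marks laundering / OTC endpoints rather than a ransomware family.
LABELS = {
    "maze_affiliate_1": "Maze", "maze_operator": "Maze",
    "suncrypt_admin": "SunCrypt",
    "egregor_wallet": "Egregor", "doppelpaymer_admin": "DoppelPaymer",
    "conti_wallet": "Conti",
    "mixer_X": "service", "otc_broker_Y": "service",
}


def build_graph(txs):
    """Adjacency list: sender -> [(receiver, amount), ...]."""
    graph = defaultdict(list)
    for src, dst, amt in txs:
        graph[src].append((dst, amt))
    return graph


def find_cross_family_paths(graph, labels, max_hops=3):
    """Breadth-first walk from every family wallet, passing only through wallets
    of the same family or unlabelled intermediaries, until a wallet attributed
    to a different family is reached. Returns {(from_family, to_family): path}."""
    results = {}
    for start, fam in sorted(labels.items()):
        if fam == "service":
            continue
        queue, seen = deque([[start]]), {start}
        while queue:
            path = queue.popleft()
            if len(path) - 1 >= max_hops:
                continue
            for nxt, _amt in graph.get(path[-1], []):
                if nxt in seen:
                    continue
                seen.add(nxt)
                lbl = labels.get(nxt)
                if lbl is None or lbl == fam:
                    queue.append(path + [nxt])     # keep walking
                elif lbl != "service":
                    results.setdefault((fam, lbl), path + [nxt])
                # a service endpoint ends the walk on this branch
    return results


def shared_cash_out_services(graph, labels):
    """Services that receive funds (directly or via intermediaries) from more
    than one family: the choke points the post says law enforcement could hit."""
    usage = defaultdict(set)
    for start, fam in labels.items():
        if fam == "service":
            continue
        stack, seen = [start], {start}
        while stack:
            node = stack.pop()
            for nxt, _amt in graph.get(node, []):
                if nxt in seen:
                    continue
                seen.add(nxt)
                lbl = labels.get(nxt)
                if lbl == "service":
                    usage[nxt].add(fam)
                elif lbl is None or lbl == fam:
                    stack.append(nxt)
    return {svc: fams for svc, fams in usage.items() if len(fams) > 1}


def bottleneck_amount(graph, path):
    """Smallest transfer along a path: an upper bound on how much of the first
    wallet's money can have reached the last one by this route."""
    return min(sum(a for d, a in graph.get(s, []) if d == t)
               for s, t in zip(path, path[1:]))


if __name__ == "__main__":
    g = build_graph(TRANSACTIONS)
    for (src, dst), path in find_cross_family_paths(g, LABELS).items():
        print(f"{src} -> {dst}: {' -> '.join(path)} ({bottleneck_amount(g, path)} BTC)")
    print("shared cash-out services:", shared_cash_out_services(g, LABELS))
```

<p>On the constructed ledger the walk recovers the two relationships the report describes (Maze to SunCrypt via one hop, Egregor to DoppelPaymer directly) and flags the single service both Maze and Egregor pay into. The bottleneck amount matters because an intermediary can receive more than it forwards; the report's own 9.55 BTC figure is the kind of value this produces. Real address clustering is the hard part and is assumed here, not implemented.</p>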
<p>Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at <a href="https://redskyalliance.org">https://redskyalliance.org</a> at no charge.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.</p>
<p><strong>Reporting: </strong><a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></p>
<p><strong>Website: </strong><a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></p>
<p><strong>LinkedIn: </strong><a href="https://www.linkedin.com/company/wapacklabs/">https://www.linkedin.com/company/wapacklabs/</a></p>
<p><strong>Twitter: </strong><a href="https://twitter.com/wapacklabs?lang=en">https://twitter.com/wapacklabs?lang=en</a></p>
<p><strong>Weekly Cyber Intelligence Briefings: </strong></p>
<p><a href="https://attendee.gotowebinar.com/register/8782169210544615949">https://attendee.gotowebinar.com/register/8782169210544615949</a></p>
<p><a href="{{#staticFileLink}}8532841283,original{{/staticFileLink}}">TR-21-039-001_RaaS.pdf</a> </p>
</div>

Ransomware’s Win, Place and Show for 2020
https://redskyalliance.org/xindustry/ransomware-s-win-place-and-show-for-2020
Published 2020-12-03T22:07:04.000Z by Jim McKee (https://redskyalliance.org/members/JimMcKee)
<div><p><a href="{{#staticFileLink}}8246208482,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8246208482,RESIZE_400x{{/staticFileLink}}" alt="8246208482?profile=RESIZE_400x" width="250" /></a>Ransomware was one of the most observed cyber threats this year to date. <strong>Ryuk</strong> and <strong>Sodinokibi</strong>, the most observed villains in Red Sky Alliance’s client investigations, have been joined by <strong>Maze</strong> as the <strong>top three ransomware variants so far in 2020</strong>. After launching several high-profile attacks earlier in 2020, the actors behind Ryuk ransomware seem to have gone on vacation near the end of Q2. According to cyber threat analysts, crimeware operators and their developers often have periods where they go dormant or spend time re-tooling, followed by a resurgence of activity.</p>
<p>This appears to be the case, as there has been a spike in Ryuk-related investigations recently, while a large US hospital system has also reportedly become a Ryuk victim as of September 28, 2020. Recently, open and closed sources have speculated that Ryuk has emerged with a new identity: Conti. Based on similarities in code, Conti ransomware is believed to be a descendant or similar variant of Ryuk ransomware, and its operators have been observed hosting a victim “shaming” blog since August 2020. While ransomware figures prominently in myriad security alerts and media reports, business email compromise (BEC) remains a top threat for organizations worldwide, with its associated risks like wire fraud and misdirected payroll.</p>
<p>Data exfiltration risks have been present in nearly half of all ransomware incidents. Ransomware actors have been plaguing victims by encrypting files, paralyzing operations, and demanding increasingly higher ransom amounts. Many groups are also exfiltrating data and threatening publication on the dark web, a relatively new tactic that gained momentum in early 2020. Since the introduction of Ransomware-as-a-Service (RaaS) made it easier for groups to deploy this threat, these new players have added exfiltration and publication to their demands. In addition, groups like Maze and Sodinokibi that pioneered the shaming sites have evolved their capabilities; Maze now boasts of a “cartel” that allows other ransomware variants to cross-post victims on their shaming site. In May 2020, Sodinokibi added an auction site to their shaming site where they offer data to the highest bidder.</p>
<p>While cyber threat actors say they will delete data upon payment of the ransom, recent events belie that claim. Incident responders have learned that rogue members of ransomware groups have approached and demanded a second payment from at least two victims who had already paid a ransom. When one of the victims balked at paying the second time, the data, which was supposed to be destroyed upon the first payment, ended up on an actor-controlled site. Caveat Emptor, “Let the buyer beware,” you cannot even trust a ransomware actor anymore.</p>
<p>Threat actors continue to leverage open remote desktop protocol (RDP), Microsoft’s proprietary network communications protocol, and most attacks were traced back to a phishing email. While ransomware strikes organizations of all sizes across every sector, investigators have observed four (4) sectors being struck especially hard this year: professional services, healthcare, and technology and telecommunications. While some threat actor groups claimed that they would avoid targeting healthcare organizations during COVID-19, others are either not so civic-minded or have done so unintentionally. This seems to have been the case when threat actors thought they were targeting a university in Germany, whereas, in reality, they struck an affiliated hospital system. Open-source reporting notes the threat actors exploited a VPN vulnerability to gain initial access to the system.</p>
<p>Red Sky Alliance has been tracking cybercriminals for years. Throughout our research, we have painfully learned through our clients that the installation, updating and monitoring of firewalls, cybersecurity, and proper employee training are keys to success, yet woefully not enough. Our current tools provide a valuable look into the underground, where malware like all the different variants of Ransomware are bought and sold, and help support current protections with proactive underground indicators of compromise. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis for your organization.</p>
<p>Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports. Malware comes and goes, but often is dusted off and reappears in current campaigns. </p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings:<br /> <a href="https://attendee.gotowebinar.com/register/8782169210544615949">https://attendee.gotowebinar.com/register/8782169210544615949</a></p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
</div>

Ransomware Groups Still Sell Data Even After Ransom Has Been Paid
https://redskyalliance.org/xindustry/ransomware-groups-still-sell-data-even-after-ransom-has-been-paid
Published 2020-11-06T19:08:43.000Z by Mac McKee (https://redskyalliance.org/members/MacMcKee)
<div><p><a href="{{#staticFileLink}}8131231863,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8131231863,RESIZE_400x{{/staticFileLink}}" alt="8131231863?profile=RESIZE_400x" width="250" /></a>It should come as no surprise that ransomware groups that steal a company's data and then get paid a fee to delete it don't always follow through on their promise.</p>
<p>The number of cases where this has happened has increased, according to a report<a href="#_ftn1">[1]</a> published by Coveware this week and according to several incidents shared by security researchers with ZDNet over the past few months. These incidents take place only for a certain category of ransomware attacks, namely those carried out by "big-game hunters" or "human-operated" ransomware gangs. These two terms refer to incidents where a ransomware gang specifically targets enterprise or government networks, knowing that once infected, these victims can't afford prolonged downtimes and will likely agree to huge payouts.</p>
<p>But since the fall of 2019, more and more ransomware gangs began stealing large troves of files from the hacked organizations before encrypting the victims' files. The idea was to threaten the victim to release its sensitive files online if the company wanted to restore its network from backups instead of paying for a decryption key to recover its files. Some ransomware gangs even created dedicated portals called leak sites where they'd publish data from companies that didn't want to pay. If hacked companies agreed to pay for a decryption key, ransomware gangs also promised to delete the data they had stolen.</p>
<p>In a report published this week, Coveware, a company that provides incident response services to hacked companies, said that half of the ransomware incidents it investigated in Q3 2020 had involved the theft of company data before files were encrypted, doubling the number of ransomware incidents preceded by data theft it saw in the previous quarter.</p>
<p>But Coveware says that these types of attacks have reached a "tipping point" and that more and more incidents are being reported where ransomware gangs aren't keeping their promises.</p>
<p>For example, Coveware said it had seen groups using the REvil (Sodinokibi) ransomware approach victims weeks after the victim paid a ransom demand and ask for a second payment, using renewed threats to make public the same data that victims thought had been deleted weeks before. Coveware said it also saw the Netwalker (Mailto) and Mespinoza (Pysa) gangs publish stolen data on their leak sites even when the victim companies had paid the ransom demand. Security researchers have told ZDNet that these incidents were most likely caused by technical errors in the ransomware gangs' platforms, but this still meant that the gangs hadn't deleted the data as they promised. Coveware also said it observed the Conti ransomware gang send victims falsified evidence as proof of having deleted the data. Such evidence is usually requested by the victim's legal team, but sending over falsified proof means the ransomware gang never intended to delete the data and was most likely intent on reusing it at a later point.</p>
<p>On top of this, Coveware said it also saw the Maze ransomware gang post stolen data on their leak sites accidentally, even before they notified victims that they had stolen their files. This has also happened with the Sekhmet and Egregor gangs, both considered to have spun off from the original Maze operation, Coveware said. In addition to these, ZDNet also learned of additional incidents from other companies providing incident response services for ransomware attacks. Most of these incidents involve the Maze gang, the pioneer of the ransomware leak site and the double-extortion scheme. More exactly, they involve "affiliates," a term that describes cybercriminals who bought access to the Maze ransomware-as-a-service (RaaS) platform and were using the Maze ransomware to encrypt files.</p>
<p>But while some affiliates play by the rules, some haven't. There have been cases where a former Maze affiliate who was kicked out of the Maze RaaS program had approached and tried to extort former victims with the same stolen data for the second time, data which they promised to delete. There have also been cases where Maze affiliates accidentally posted stolen data on the Maze leak site, even after a successful ransom payment. The data was eventually taken down, but not after the posts on the Maze site got hundreds or thousands of reads (and potential downloads).</p>
<p>Things got worse throughout the year for Maze affiliates as antivirus companies started detecting Maze payloads and blocking the encryption and stopping attacks. In many of these cases, the Maze affiliates had to settle for using only the data they managed to steal before the encryption was blocked and often had to settle for smaller ransom payments. Seeking new avenues of profits, in at least two cases, a Maze group attempted to sell employee credentials and personal data to security researchers posing as underground data brokers.</p>
<p>These examples confirm what many security researchers had already suspected — namely, that ransomware gangs can't be trusted or taken on their word.</p>
<p>Since many of the documents stolen in ransomware attacks contain sensitive personal and financial details, if resold, these documents can be very useful for a slew of fraudulent operations that a victim company's customers or employees need to be aware of and prepare for.</p>
<p>Red Sky Alliance has been analyzing and documenting cyber threats for 8 years and maintains a resource library of malware and cyber actor reports.</p>
<p>The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.</p>
<p>What can you do to better protect your organization today?</p>
<ul>
<li>All data in transmission and at rest should be encrypted.</li>
<li>Proper data back-up and off-site storage policies should be adopted and followed.</li>
<li>Join and become active in your local Infragard chapter, there is no charge for membership. <a href="http://www.infragard.org/">infragard.org</a></li>
<li>Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.</li>
<li>Institute cyber threat and phishing training for all employees, with testing and updating.</li>
<li>Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.</li>
<li>Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.</li>
<li>Ensure that all software updates and patches are installed immediately.</li>
<li>Enroll your company/organization in RedXray for daily cyber threat notifications directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network. Ransomware protection is included at no charge for RedXray customers.</li>
<li>Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.</li>
</ul>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a>.</p>
<p>Interested in a RedXray demonstration or subscription to see what we can do for you? Sign up here: <a href="https://www.wapacklabs.com/redxray">https://www.wapacklabs.com/redxray</a> </p>
<p><strong>Reporting: </strong><a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></p>
<p><strong>Website: </strong><a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></p>
<p><strong>LinkedIn: </strong><a href="https://www.linkedin.com/company/wapacklabs/">https://www.linkedin.com/company/wapacklabs/</a></p>
<p><strong>Twitter: </strong><a href="https://twitter.com/wapacklabs?lang=en">https://twitter.com/wapacklabs?lang=en</a></p>
<p><a href="{{#staticFileLink}}8131262479,original{{/staticFileLink}}">TR-20-310-001.pdf</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report">https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report</a></p></div>

Egregor Ransomware Joins an Exclusive Club
https://redskyalliance.org/xindustry/egregor-ransomware-joins-an-exclusive-club
Published 2020-10-06T21:20:20.000Z by Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><p><a href="{{#staticFileLink}}8007968456,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8007968456,RESIZE_400x{{/staticFileLink}}" width="250" alt="8007968456?profile=RESIZE_400x" /></a>Cyber security researchers are warning about a recently uncovered ransomware variant called Egregor that appears to have infected about a dozen organizations worldwide over the past several months. Similarities to the Sekhmet crypto-locking malware have been noted.</p>
<p>True to other ransomware operators, the bad actors behind Egregor are threatening to leak victims' data if ransom demands are not met within three days. The cybercriminals linked to Egregor are also mimicking Maze tactics, creating a "news" site on the Darknet that offers a list of victims that have been targeted and updates about when stolen and encrypted data will be released. Egregor's ransom note also says that, if the company pays the ransom, aside from decrypting all the files they will also provide recommendations for securing the company's network, 'helping' them to avoid being breached again.</p>
<p>It is not clear how much ransom Egregor is demanding or if any data has been leaked, yet a copy of one ransom note posted online notes these cybercriminals plan to release stolen data through what they call "mass media."</p>
<p>The Egregor ransomware variant was first spotted in mid-September by several independent security researchers, who posted samples of the ransom note on Twitter.</p>
<p>"The first time Egregor was analyzed by our team was earlier this week. We don't have specifics about how long it's operating but seems that the first public appearance of Egregor was September 18 on Twitter by @demonslay335 and @PolarToffee," a security researcher informed Information Security Media Group. "At this time, there are still only 13 companies in the 'hall of shame.'"</p>
<p>The recent alert notes that the Egregor variant appears to be a spinoff of another ransomware strain called Sekhmet, which has also been linked to criminal gangs threatening to release encrypted and stolen data if victims do not pay.</p>
<p>Analysts have noted that the Egregor ransomware uses several types of anti-analysis techniques, including code obfuscation and packed payloads, which means the malicious code "unpacks" itself in memory to avoid detection by security tools. Without the right decryptor key, it is difficult to analyze the full ransomware payload to learn additional details about how the malware works. </p>
<p>"The Egregor payload can only be decrypted if the correct key is provided in the process' command line, which means that the file cannot be analyzed, either manually or using a sandbox, if the exact same command line that the attackers used to run the ransomware isn't provided," according to the recent alert.</p>
<p>Researchers say the dependence on a launch-time key makes deeper analysis more difficult at this time. This means that if an analyst only has access to the packed file, without knowing how it was launched in the affected environment, Egregor's payload cannot be decrypted and therefore cannot be executed.</p>
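<p>The defender's side of that caveat is that the launch command line has to be recovered from the victim's own telemetry before a sandbox run is even possible. The script below is an added example, not code from the original post or the cited alert. It assumes two common process-creation schemas, Sysmon Event ID 1 and Windows Security Event ID 4688, exported as JSON lines; the events, the image path and the key argument are constructed placeholders, not Egregor indicators.</p>

```python
"""Recovering how a packed payload was launched from process-creation telemetry.

Added example, not from the original post. It assumes Sysmon Event ID 1 and
Windows Security Event ID 4688 records exported as JSON lines. The events below
are constructed; the image path and the "--key" argument are placeholders.
"""
import json

SAMPLE_EVENTS = "\n".join([
    json.dumps({"Provider": "Microsoft-Windows-Sysmon", "EventID": 1,
                "UtcTime": "2020-10-01 03:12:44.120",
                "Image": "C:\\ProgramData\\update.exe",
                "CommandLine": "update.exe --key PLACEHOLDER_LAUNCH_KEY --silent",
                "ParentImage": "C:\\Windows\\System32\\cmd.exe",
                "User": "CORP\\svc_backup"}),
    json.dumps({"Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4688,
                "UtcTime": "2020-10-01 03:12:44.130",
                "NewProcessName": "C:\\ProgramData\\update.exe",
                "CommandLine": "",   # command-line inclusion not enabled on this host
                "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
                "SubjectUserName": "svc_backup"}),
    json.dumps({"Provider": "Microsoft-Windows-Sysmon", "EventID": 1,
                "UtcTime": "2020-10-01 03:10:01.000",
                "Image": "C:\\Windows\\System32\\notepad.exe",
                "CommandLine": "notepad.exe readme.txt",
                "ParentImage": "C:\\Windows\\explorer.exe",
                "User": "CORP\\alice"}),
])


def normalise(event):
    """Map either schema onto one record; None for anything that is not a process creation."""
    if event.get("EventID") == 1 and "Sysmon" in event.get("Provider", ""):
        return {"source": "sysmon", "time": event["UtcTime"], "image": event["Image"],
                "command_line": event.get("CommandLine", ""),
                "parent": event.get("ParentImage", ""), "user": event.get("User", "")}
    if event.get("EventID") == 4688:
        return {"source": "security", "time": event["UtcTime"],
                "image": event["NewProcessName"],
                "command_line": event.get("CommandLine", ""),
                "parent": event.get("ParentProcessName", ""),
                "user": event.get("SubjectUserName", "")}
    return None


def _records(jsonl):
    for line in jsonl.splitlines():
        if line.strip():
            rec = normalise(json.loads(line))
            if rec:
                yield rec


def launch_context(jsonl, image_suffix):
    """Every process-creation record whose image ends with image_suffix (case-insensitive),
    with a flag saying whether the command line was actually captured."""
    out = []
    for rec in _records(jsonl):
        if rec["image"].lower().endswith(image_suffix.lower()):
            rec["command_line_captured"] = bool(rec["command_line"].strip())
            out.append(rec)
    return out


def recovered_command_lines(jsonl, image_suffix):
    """Distinct full command lines available for replaying the launch in a sandbox."""
    return sorted({r["command_line"] for r in launch_context(jsonl, image_suffix)
                   if r["command_line_captured"]})


def telemetry_gaps(jsonl):
    """(source, image) pairs where a process creation was logged without its command
    line, i.e. the one field this analysis needs is missing from that source."""
    return [(r["source"], r["image"]) for r in _records(jsonl)
            if not r["command_line"].strip()]


if __name__ == "__main__":
    for rec in launch_context(SAMPLE_EVENTS, "update.exe"):
        print(rec["source"], rec["time"], rec["user"], rec["parent"], "->", rec["command_line"] or "<no command line>")
    print("replayable:", recovered_command_lines(SAMPLE_EVENTS, "update.exe"))
    print("gaps:", telemetry_gaps(SAMPLE_EVENTS))
```

<p>In the constructed data the Sysmon record preserves the arguments while the 4688 record does not; Security Event 4688 only carries the command line when the process-creation audit policy's command-line inclusion setting is turned on, so the gap report tells an incident responder which hosts would leave them with only the packed file.</p>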
<p>The Egregor ransom note examined is vague and offers few clues about how the malware works and how the operators behind it will decrypt files once the ransom is paid. Unfortunately, there are no details on the ransom note or on the Egregor website. To get payment details, the victim needs to navigate to the deep web link Egregor provided and get instructions from the attacker through a live chat, which analysts have not conducted for security reasons. While it is not clear whether any data related to Egregor ransomware attacks has been leaked, security experts note that more cybercriminal gangs are using this technique to force victims to pay or as a warning to others.<a href="#_ftn1">[1]</a> Ransomware attacks are ever present. </p>
<p>Speaking at ISMG's Virtual Cybersecurity Summit in New York City last August, an attorney with the cybersecurity team at Baker Hostetler said that in at least 25 percent of the ransomware cases his firm has helped investigate, attackers claimed to have not just crypto-locked systems but also to have exfiltrated data. The stolen data can then be used to force compliance through the threat of exposing internal documents.</p>
<p>In August 2020, the incident response firm Coveware released a report finding that of the thousands of ransomware cases the firm investigated in the second quarter of 2020, 30 percent involved attackers threatening to release stolen data.<a href="#_ftn2">[2]</a></p>
<p>BTW - Egregore is an occult concept representing a distinct non-physical entity that arises from a collective group of people. Historically, the concept referred to angelic beings, or watchers, and the specific rituals and practices associated with them, namely within Enochian traditions.<a href="#_ftn3">[3]</a></p>
<p>The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks such as ransomware. Red Sky Alliance offers tools and services to help stop these types of cyber-attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.</p>
<p>What can you do to better protect your organization today?</p>
<ul>
<li>All data in transmission and at rest should be encrypted.</li>
<li>Proper data back-up and off-site storage policies should be adopted and followed.</li>
<li>Implement 2-Factor authentication company wide.</li>
<li>Join and become active in your local Infragard chapter; there is no charge for membership. <a href="http://www.infragard.org">infragard.org</a></li>
<li>Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.</li>
<li>Institute cyber threat and phishing training for all employees, with testing and updating.</li>
<li>Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.</li>
<li>Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.</li>
<li>Ensure that all software updates and patches are installed immediately.</li>
<li>Enroll your company/organization in RedXray for daily cyber threat notifications that are directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network.</li>
<li>Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.</li>
</ul>
<p>Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.</p>
<p>Articles about the cyber threat groups mentioned in this report can be found at <a href="https://redskyalliance.org">https://redskyalliance.org</a>. There is no charge for access to these reports.</p>
<p>Our services can help protect against attacks such as these. We provide internal monitoring in tandem with RedXray notifications on ‘external’ threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.</p>
<p>The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul>
<p><a href="#_ftnref1">[1]</a> <a href="https://thecyberwire.com/newsletters/daily-briefing/9/193">https://thecyberwire.com/newsletters/daily-briefing/9/193</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.bankinfosecurity.co.uk/egregor-ransomware-adds-to-data-leak-trend-a-15110">https://www.bankinfosecurity.co.uk/egregor-ransomware-adds-to-data-leak-trend-a-15110</a></p>
<p><a href="#_ftnref3">[3]</a> <a href="https://en.wikipedia.org/wiki/Egregore">https://en.wikipedia.org/wiki/Egregore</a></p></div>Today Maze Ransomware Attends School in Personhttps://redskyalliance.org/xindustry/today-maze-ransomware-attends-school-in-person2020-09-18T15:26:51.000Z2020-09-18T15:26:51.000ZMac McKeehttps://redskyalliance.org/members/MacMcKee<div><p><strong><a href="{{#staticFileLink}}7941157687,original{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}7941157687,RESIZE_400x{{/staticFileLink}}" width="250" alt="7941157687?profile=RESIZE_400x" /></a> </strong></p>
<p>The back-to-school season has already been stressful for schools and families. Now a spate of ransomware attacks targeting K-12 schools has made it even more challenging. In May 2020, the FBI warned schools about the increasing risk of ransomware attacks during the pandemic. The agency warned that cyber actors would likely increase targeting of K-12 schools as an "opportunistic target" as more institutions shift from in-person learning to online classes and teachers and staff rely on remote access connections.</p>
<p>Maze is a particularly sophisticated strain of Windows ransomware that has attacked companies and organizations around the world and demanded that a cryptocurrency payment be made in exchange for the safe recovery of encrypted data. Similar to other ransomware seen in the past, Maze can spread across a corporate network, infect the computers it finds and encrypt data so it cannot be accessed. What makes Maze ransomware more dangerous is that it also steals the data it finds and exfiltrates it to servers controlled by malicious hackers, who then threaten to release it if a ransom is not paid by their deadline. Increasingly, other ransomware families (such as REvil, also known as Sodinokibi) have been observed using similar tactics.</p>
<p>It appears that the Maze ransomware gang is not only capable of writing sophisticated malware. 
They have also found a very effective way of increasing the pressure on their corporate “clients” to pay up. Cyber threat investigators have determined that these attackers saw that many organizations now have established backup protocols in place and realized that they needed to up the ante if they were to maximize their potential criminal earnings.</p>
<p>The first day of in-person and online classes had to be postponed in Hartford, Connecticut, last week after a ransomware virus caused an outage of critical systems, including those that communicate bus schedules and routes.</p>
<p>Newhall School District in California canceled online classes Tuesday due to a ransomware attack. In New Jersey, the Somerset Hills School District shut down on the second day of classes because of an unexpected network disruption. It was later determined to be ransomware that targeted a limited portion of the network.</p>
<p>One of the largest school districts in the country, Fairfax County Public Schools in Virginia, was attacked last week during the first week of classes. The attack did not disrupt remote learning, but according to InfoSecurity Magazine the hacking group Maze (a group that Red Sky Alliance has covered extensively since its attack on Chubb Group) successfully lifted student, staff, and faculty data from the network. As proof, the group uploaded about 2% of the data they stole and demanded payment to restore the systems and the data, a common ransomware tactic. The Fairfax school district said it was currently working with the FBI and its cybersecurity consultants to investigate the scope of the data compromise.</p>
<p>In the same week, the Maze group also targeted the Clark County School District, the largest public-school district in Nevada. The CCSD announced it was "the victim of a criminal ransomware attack" that likely targeted the personal data of current and former teachers and staff. 
The school district, which includes Las Vegas, said it was working with law enforcement to investigate the matter and restore systems to secure, full functionality.</p>
<p>The Maze group also appears to have launched a similar attack in Ohio last week targeting the Toledo Public Schools.</p>
<p>Even before the pandemic, schools were easy targets for cybercriminals because many rely on legacy systems and relatively few have paid sufficient attention to their IT and cybersecurity defenses, including basic preventive measures like consistently backing up critical data. In addition, children’s identities, birth dates and Social Security numbers are attractive targets and easy to sell on dark web forums. With these pieces of information, hackers can apply for driver’s licenses, passports, credit cards and loans.</p>
<p>The shift to entirely remote learning or hybrid models during COVID-19 has made those vulnerabilities even easier to exploit. A single ransomware attack can lock out teachers and administrators and essentially cancel classes for days or longer. "That is, I think, why school districts are perceived as being especially ripe targets right now," said Scott Shackelford, the cybersecurity program chair at Indiana University, Bloomington.</p>
<p>According to Emsisoft, a security software company, there have been at least 53 school districts hit with ransomware attacks since the start of 2020. Last year, hackers targeted some 1,233 individual K-12 schools at a cost of roughly $7.5 billion. The use of ransomware is going to become "increasingly standard practice," Emsisoft reported, while the risks and costs associated with an attack continue to grow.</p>
<p>That was the situation facing the Athens Independent School District in Texas, which dealt with its ransomware attack earlier this summer. Ahead of the first day of school, hackers encrypted all of the data on school servers, multiple data backups and a few hundred computers. 
Teachers and administrators were locked out, unable to access communications, student schedules, assignments and grades.</p>
<p>After the attack postponed the first day of classes by one week, the school district agreed to pay the hackers the $50,000 ransom in cryptocurrency. "We can’t afford to not pay it," AISD Board President Alicea Elliott said.</p>
<p>Ultimately, school boards have to be encouraged to adopt cybersecurity best practices, including investing in IT security, backing up and securing data, having a strong identity management system (such as multifactor authentication) and educating staff about how they can reduce vulnerabilities.</p>
<p>A typical ransomware attack may begin with something as simple as a phishing email sent to hundreds, thousands or just a few potential victims with a file containing malware. Once the victim has downloaded and opened the file or otherwise been convinced to turn over administrative access to their network, the bad actor can take over.</p>
<p>Most often, criminals will encrypt files to prevent users from accessing them and demand payment for returning access to the user. Often they restore access; other times they don't. In the case of the Maze hackers, they not only locked down networks but also stole personal data. Those attacks raise the stakes and the probability of a double payday for hackers selling the data on the dark web. Some of the worst consequences of a typical ransomware attack on a school will be the disruption of classes. In cases where the attack also involves the theft of personal data, parents, teachers and staff are encouraged to take precautions to protect their identity.</p>
<p>Adults can protect against identity theft through credit monitoring and monitoring their financial accounts. 
The challenge is different for parents who are concerned that their child's personal data may have been exposed and/or sold to others.</p>
<p>Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.</p>
<p>The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.</p>
<p>Link to RedXray collection and analysis tool: <a href="https://www.wapacklabs.com/redxray">https://www.wapacklabs.com/redxray</a></p>
<p>What can you do to better protect your organization today?</p>
<ul>
<li>All data in transmission and at rest should be encrypted.</li>
<li>Proper data back-up and off-site storage policies should be adopted and followed.</li>
<li>Implement 2-Factor authentication company wide.</li>
<li>Join and become active in your local Infragard chapter; there is no charge for membership. <a href="http://www.infragard.org">infragard.org</a></li>
<li>Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.</li>
<li>Institute cyber threat and phishing training for all employees, with testing and updating.</li>
<li>Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.</li>
<li>Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.</li>
<li>Ensure that all software updates and patches are installed immediately.</li>
<li>Enroll your company/organization in RedXray for daily cyber threat notifications that are directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network. 
Ransomware protection is included at no charge for RedXray customers.</li>
<li>Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.</li>
</ul>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a>.</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p><a href="{{#staticFileLink}}7941159066,original{{/staticFileLink}}">TR-20-262-001_SchoolHacking.pdf</a></p></div>Maze Publishes Internal Data Again After Failed Extortion Attemptshttps://redskyalliance.org/xindustry/maze-publishes-internal-data-again-after-failed-extortion-attempt2020-08-07T20:09:57.000Z2020-08-07T20:09:57.000ZMac McKeehttps://redskyalliance.org/members/MacMcKee<div><p><a href="{{#staticFileLink}}7330777658,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}7330777658,RESIZE_400x{{/staticFileLink}}" width="250" alt="7330777658?profile=RESIZE_400x" /></a>Maze ransomware is a complex piece of malware that uses some tricks to frustrate analysis right from the beginning. The malware starts by preparing some functions that appear to save memory addresses in global variables for later use in dynamic calls, though it does not actually use these functions later. The operators of the Maze ransomware have published tens of GB of internal data from the networks of enterprise business giants LG and Xerox following two failed extortion attempts.</p>
<p>The hackers leaked 50.2 GB they claim to have stolen from LG's internal network, and 25.8 GB of Xerox data. 
While LG issued a generic statement to <em>ZDNet </em>in June, neither company wanted to talk about the incident in great depth today. Both of these leaks have been teased since late June, when the operators of the Maze ransomware created entries for each of the two companies on their "leak portal."</p>
<p>The main goal of the ransomware is to encrypt all files that it can in an infected system and then demand a ransom to recover the files. However, the most important characteristic of Maze is the threat that the malware authors make to the victims that, if they do not pay, they will release the information on the Internet. The Maze gang is primarily known for its eponymous ransomware strain and usually operates by breaching corporate networks, stealing sensitive files first, encrypting data second, and demanding a ransom to decrypt files.</p>
<p>If a victim refuses to pay the fee to decrypt their files and decides to restore from backups, the Maze gang creates an entry on a "leak website" and threatens to publish the victim's sensitive data in a second ransom/extortion attempt. The victim is then given a few weeks to think over its decision, and if victims do not pay during this second extortion attempt, the Maze gang will publish files on its portal.</p>
<p>LG and Xerox are at this last stage, after apparently refusing to meet the Maze gang's demands. Based on screenshots shared by the Maze gang last month and on file samples downloaded and reviewed by <em>ZDNet </em>today, the data appears to contain source code for the closed-source firmware of various LG products, such as phones and laptops.</p>
<p>In an email of June 2020, the Maze gang told <em>ZDNet </em>that they did not execute their ransomware on LG's network, but merely stole the company's proprietary data and chose to skip to the second phase of their extortion attempts. 
"We decided not to execute [the] Maze [ransomware] because their clients are socially significant and we do not want to create disruption for their operations, so we only have exfiltrated the data," the Maze gang told <em>ZDNet </em>via a contact form on their leak site.</p>
<p>When reached for comment in June, the LG security team told <em>ZDNet </em>they would investigate the incident and report any intrusion to authorities. In a follow-up email sent today, after the Maze gang published more than 50 GB of the company's files, the security team deflected our request for comment towards its communications team. When we reached out to the communications team, our email bounced, as happened in June.</p>
<p>But while we have somewhat of an idea of what happened with the Maze attack on LG, things are a lot murkier when it comes to Xerox. The company has not returned requests for comment sent in June and August 2020.</p>
<p>It is unclear what internal systems the Maze gang encrypted, or if files were stolen and ransomed without encryption, as in the LG incident. Based on a cursory review of data leaked online in August, it appears that the Maze gang has stolen data related to customer support operations. At the time of writing, we found information related to Xerox employees; however, we have not yet found files holding data on Xerox customers, although this is a large trove of information and reviewing all of it will take time.</p>
<p>Red Sky Alliance has been analyzing and documenting cyber threats for 8 years and maintains a resource library of malware and cyber actor reports.</p>
<p>The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks. 
Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.</p>
<p>What can you do to better protect your organization today?</p>
<ul>
<li>All data in transmission and at rest should be encrypted.</li>
<li>Proper data back-up and off-site storage policies should be adopted and followed.</li>
<li>Join and become active in your local Infragard chapter; there is no charge for membership. <a href="http://www.infragard.org">infragard.org</a></li>
<li>Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.</li>
<li>Institute cyber threat and phishing training for all employees, with testing and updating.</li>
<li>Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.</li>
<li>Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.</li>
<li>Ensure that all software updates and patches are installed immediately.</li>
<li>Enroll your company/organization in RedXray for daily cyber threat notifications that are directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network. Ransomware protection is included at no charge for RedXray customers.</li>
<li>Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.</li>
</ul>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a>.</p>
<p>Interested in a RedXray demonstration or subscription to see what we can do for you? 
Sign up here: <a href="https://www.wapacklabs.com/redxray">https://www.wapacklabs.com/redxray</a> </p><ul><li><strong>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></strong></li><li><strong>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></strong></li><li><strong>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></strong></li></ul><p><a href="{{#staticFileLink}}7330797486,original{{/staticFileLink}}">TR-20-220_MazeArticle.pdf</a></p></div>Ransom Demands + Exposed Data being Auctioned = A new Business Opportunity for Cyber Actorshttps://redskyalliance.org/xindustry/ransom-demands-exposed-data-being-auctioned-a-new-business-opport2020-06-23T20:54:36.000Z2020-06-23T20:54:36.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}6244931697,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}6244931697,RESIZE_400x{{/staticFileLink}}" width="250" alt="6244931697?profile=RESIZE_400x" /></a>2020, a year that will be remembered for many reasons. Stories will be told to children and grandchildren of when we all had to wear face masks, stand 6 feet apart, there were no sports, and where people were not permitted to hug or shake hands. Then there was the next economic collapse and subsequent worldwide insurrection. For those who hunt cybercriminals and attempt to expose criminal and state-sponsored hacking operations and techniques, the blurring of the lines between what constitutes a ransomware attack and data breach will be the chosen horror story, starting with the Maze ransomware group. </p>
<p>The main goal of the Maze ‘Cha Cha’ ransomware is to encrypt all files that it can in an infected system and then demand a ransom to recover the files. Maze is the threat actor that took credit for locking up a very large US insurance company, and it appears to be continuing its attacking spree with full intensity. The operators distributing Maze saw an opportunity they could not ignore and continue to force victim companies to pay large ransoms. The scheme is ingenious in its lack of sophistication, and devious in the extra stress it causes business leaders: Maze threatens to release stolen data if the initial ransom demanded to decrypt encrypted files is not paid promptly. These threats continue to be a severe reality.</p>
<p>On New Year’s Day 2020, media reported that one of the victims of the Maze gang was suing the ransomware operators, referred to as “John Doe” in the filed legal papers, for illegally accessing the company’s network, encrypting files, and publishing data when the ransom was not paid. The company, Southwire, fell victim to a Maze attack in December 2019. Before encrypting the vital files needed to operate at an acceptable level, Maze stole 120GB of data and then proceeded to encrypt 878 devices.<a href="#_ftn1">[1]</a></p>
<p>The company did as is often advised and did not pay the ransom, which resulted in the ransomware gang publishing a portion of the stolen data, showing that it would make good on its threats. The ransom amount was initially set at 850 bitcoins, approximately $6 million at the time, a staggering amount when compared to the several hundred demanded in the malware’s infancy. However, in an age of human-operated ransomware that has the goal of toppling giant corporations, millions are now being demanded, with the amount dependent on how well-off the company is perceived to be and how anxious it may be to get back to business.<a href="#_ftn2">[2]</a></p>
<p>By the end of January 2020, the gang was releasing the data of multiple victims to extort payment from them. Given the extra pressure now faced by businesses, the question of whether to pay or not to pay has resurfaced and is now in a higher gear. But on a funny note, the Maze ransomware gang just recently screwed up by targeting a New York, NY design and construction firm instead of the Canadian Standards Association it intended to hit. Maze appears to have confused the organization with another CSA Group (csagroup.com), a Puerto Rico-based engineering management firm that appears to have had its data stolen and encrypted.<a href="#_ftn3">[3]</a> This may expose the sophistication level of the group, yet they remain a serious threat.</p>
<p>By not only threatening but releasing stolen data, what was once treated as a ransomware incident is now also a data breach. If that data contains information protected by numerous data privacy laws, such as GDPR or PCI DSS, the company may be further fined due to non-compliance if the data was not properly managed. It has been argued that a ransomware attack amounts to a data breach regardless of whether data is released to the public; however, these cybersecurity debates have become purely academic in the face of current realities.</p>
<p>This pattern has continued with the latest development in the Maze saga, as the group seems to have teamed up with the gang behind Ragnar Locker. The partnership involves the shared use of the data-leaking platform created by those behind Maze. This would be the second group to partner with Maze, the first being LockBit. LockBit was first seen when a malicious actor used a brute-force method against a web server running an outdated virtual private network (VPN). It took the actor several days to obtain the required “Administrator” password. With the keys to the network kingdom, the nefarious individual abused Server Message Block (SMB) to perform automated network reconnaissance and then take over more company systems. In the meantime, the malicious actor had already deployed the ransomware by instructing the compromised host to run a PowerShell command that retrieved a .png file from the compromised site. This host then instructed all other hosts to which the attacker had gained access to execute the same PowerShell command, thereby automating the ransomware distribution process.</p>
<p>The payload of the retrieved dropper used two variants of a User Account Control (UAC) bypass to minimize the level of user interaction in its attack chain. It also loaded its modules dynamically to trick static analysis engines. This gave the threat the cover it needed to stop certain processes and delete shadow volume copies before it ultimately performed its encryption routine and dropped its ransom note.</p>
<p>The current partnership seems to be driven by the sharing of information and intelligence that can help future black hat operations become more effective at turning target networks into victim networks. As to what exactly Maze gets from the partnership, it appears to researchers that Maze is the main contributor and is sharing its data-leaking platform. It is plausible that profits are shared between Maze and its associates in exchange for the Maze platform being provided as a service. As more ransomware gangs struggle to successfully target big companies and organizations, cooperation between gangs is viewed as the next disturbing hacker trend that will shape the cyber threat landscape. The sharing of resources, intelligence, and ultimately victims will make ransomware more and more difficult to combat.</p>
<p>Soon after Maze began publishing stolen data, other groups joined the ransomware bandwagon. <a href="{{#staticFileLink}}6244708283,RESIZE_930x{{/staticFileLink}}"><img class="align-right" src="{{#staticFileLink}}6244708283,RESIZE_400x{{/staticFileLink}}" width="300" alt="6244708283?profile=RESIZE_400x" /></a>One of those was Sodinokibi (which Red Sky Alliance has reported on), also called Sodin and REvil by several security firms and media houses; the group published stolen data on a well-known Russian hacker forum. Prior to this Sodinokibi auction, REvil, like many other ransomware gangs, had sought to pressure victim companies into paying up by publishing a handful of sensitive files stolen from their extortion targets and then threatening to release more data unless and until the ransom demand was paid. Cyber threat experts say its recent auction is a sign that ransomware groups may be feeling the financial pinch from the current economic crisis, and are looking for new ways to extract value from victims who are now less likely or able to pay a ransom demand. Approximately 337MB was dumped to show that this gang was willing to make good on a threat it made earlier, soon after Maze began dumping data. Around the same time, the ransomware group had captured two high-level victims, Travelex and CDH Investments. Since these companies publicly stated they would not pay the ransom, it indicates a targeted and purposeful ransomware attack. In late 2019, the US Department of Justice (USDOJ) offered a $5 million bounty for information leading to the arrest and conviction of a Russian man, Maksim Viktorovich Yakubets, indicted for allegedly orchestrating a vast, international cybercrime network that called itself “Evil Corp” (REvil) and stole roughly $100 million from businesses and consumers.<a href="#_ftn4">[4]</a></p>
<p>Cybersecurity researchers published a follow-up report detailing the costs associated with ransomware for the first quarter of 2020, which had risen again, by another 33 percent over the previous quarter. In the 4th quarter of 2019, the average ransom payment increased by 104 percent to $84,116, up from $41,198 in the 3rd quarter of 2019. While the median ransomware payment in the 4th quarter was $14,179, the doubling of the average reflects the diversity of the threat actors that are actively attacking companies. Some criminal groups, such as Ryuk and Sodinokibi, have moved into the large enterprise space and are focusing their attacks on large companies where they can attempt to extort the organization for a seven-figure payout. For instance, Ryuk ransom payments reached a new high of $780,000 for impacted enterprises. On the other end of the spectrum, smaller Ransomware-as-a-Service variants such as Dharma, Snatch, and Netwalker continue to target the small business space with a high number of attacks, with demands as low as $1,500. Even these lower ransom amounts can cause serious damage in the SMB market. If the economic downturn of the coronavirus pandemic did not get the medium to small business, these lower-level ransomware attacks could very well close their doors for good.</p>
<p>In the 1st quarter of 2020, the average enterprise ransom payment increased to $111,605, up 33 percent from the 4th quarter of 2019. Ransomware distributors increasingly targeted large enterprises and were successful in forcing ransom payments for the safe recovery of data. Large enterprise ransom payments are the minority by volume, but the size of the payments dramatically pulled up the average ransom payment. The median ransom payment remained relatively stable at $44,021, up only slightly from the 4th quarter median of $42,179. The stability of the median reflects the fact that most ransom payments were modest relative to the average.</p>
<p>According to cyber investigators, Sodinokibi featured heavily as one of the main actors responsible for the spike in ransomware costs. A key point in their reports was the number of ransomware groups also making use of what the reports describe as “data exfiltration” and what this article calls “data theft.” Maze was the only ransomware operation seen to decrease its data exfiltration attempts, while others, including Sodinokibi, increased their efforts to steal data. One Sodinokibi attack of international interest was the data exfiltration and encryption at the US law firm Grubman Shire Meiselas & Sacks. The firm represents John Mellencamp, Elton John, David Letterman, Robert DeNiro, Christina Aguilera, Barbra Streisand, Bruce Springsteen, and Madonna, to name a few, as well as numerous high-profile corporate entities.</p>
<p>The gang claims to have stolen 756GB of data from the law firm and even threatened to release information discovered in the attack belonging to US President Donald Trump, although it is unclear whether the law firm represents Trump in any of his private or public ventures. To prove that it did indeed hold sensitive data on celebrities, it published a small amount of material pertaining to Christina Aguilera and Madonna. <a href="{{#staticFileLink}}6244879678,original{{/staticFileLink}}"><img class="align-right" src="{{#staticFileLink}}6244879678,RESIZE_584x{{/staticFileLink}}" width="450" alt="6244879678?profile=RESIZE_584x" /></a>The announcement was made via its blog, ironically titled “Happy Blog.” Such announcements certainly applied increased pressure to the law firm’s decision-makers over whether to pay. The initial demand was $21 million USD, which would double if it was not paid promptly. As of the writing of this report, Happy Blog is down.</p>
<p>The latest development in this story involves the Sodinokibi group creating an eBay-like auction site to sell the stolen data. The group claims to have already sold the data pertaining to Trump for $1 million and was looking for buyers for the data pertaining to Madonna. This likely inspired the group to offer a bidding service, making it easier for those seeking information that could be used for blackmail, identity theft, or numerous other destructive cyber activities.</p>
<p>The auction site was added to its blog at the start of June 2020. Reports from the time said the group was auctioning information belonging to two companies: a US food distributor and a Canadian agricultural company. The food distributor’s data opened at $100,000, with a buy-it-now price of $200,000. The Canadian company’s data had a similar structure: bidding started at $50,000 and the lot could be bought outright for $100,000.</p>
<p>The auction site even had a list of rules that bidders had to agree to before participating. To bid on an auction, one has to register for each auction separately. After registration, you must make a deposit of 10 percent of the starting price. At the end of the auction the deposit is refunded (less the blockchain commission). If you do not pay your bid on a winning auction, you lose your deposit; this is meant to ensure that no bidder makes fake bids. All transactions are conducted in the cryptocurrency Monero (XMR). By clicking ‘Continue,’ you confirm that you agree to the terms above, after which you are given a username/password and the deposit payment details.</p>
<p>With ransomware operators looking to diversify their portfolios by making money off stolen data via auctions, the threat posed to organizations has increased significantly. To date, major law firms and Fortune 500 companies have fallen victim to ransomware incidents. The attackers also have other tricks in their malware bag which help their illegal activities. Not only are Maze and Sodinokibi releasing and auctioning off stolen data; currently, Ako, Clop, DoppelPaymer, Mespinoza, Nefilim, Nemty, NetWalker, Ragnar Locker, Sekhmet, and Snatch also have adopted similar tactics.</p>
<p>For the victims, the question of whether to pay adds complexity. Some organizations clearly do pay, yet still face the added potential cost of regulatory fines for the underlying breach. Extortion over stolen data has raised the stakes well beyond the cost of restoring systems. Despite the pressure on decision-makers, the advice is still not to pay the ransom. Ransoms fund criminal enterprises, paying marks the organization as a willing payer for other ransomware and malware gangs working with the original actor, and a payment that reaches a sanctioned entity can itself expose the payer to sanctions liability.</p>
<p>During a recent interview, a spokesperson for the FBI summed up this view, “The FBI encourages victims to not pay a hacker’s extortion demands. The payment of extortion demands encourages continued criminal activity, leads to other victimizations, and can be used to facilitate additional serious crimes. Furthermore, paying a ransom does not guarantee the victim will regain access to their data. The best approach is to focus on defense-in-depth and have several layers of security as there is no single method to prevent compromise or exploitation.”</p>
<p>Security experts have not yet been able to trace the country of origin of the Maze ransomware. During their examination, McAfee Labs found that some of the IP addresses involved belonged to the Russian Federation, but that alone is not enough to confirm the origin: attackers routinely route their traffic through proxies, VPNs and compromised hosts in other countries precisely to misdirect investigations, and at times to sow discord between two states. In the past, Maze has been in the news for attacks against dozens of large businesses, conglomerates, government contractors, and IT service companies.</p>
<p>Red Sky Alliance has an expert white-hat hacker who emphasizes that big-game ransomware extortion generally takes one of two forms: an automated leak blog that publishes victims’ PII, or manual extortion by direct e-mail. Our analysts observed both with Snatch ransomware. The group started manual, moved to automated, and then went back to manual extortion, requiring victims to contact a specific Protonmail (Swiss service) address and quote the extension appended to their encrypted files. Every extension was unique to that victim and was generated from system and network metadata. In our opinion the automated platforms are more effective; Sodinokibi, for example, openly states that “if a company doesn't pay our demands, they can pay 10x in GDPR fines.” The manual method, if conducted correctly with a new bulletproof e-mail address used to contact each victim, is safer from an OPSEC standpoint and will likely be adopted by English-speaking hackers before the highly lucrative affiliate (organized crime) models we see on Russian-language forums.</p>
<p>Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. External threats, however, are often overlooked and can provide early warning of an impending attack. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting. Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://securityboulevard.com/2020/06/stuck-between-a-data-breach-and-a-ransom/">https://securityboulevard.com/2020/06/stuck-between-a-data-breach-and-a-ransom/</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.tripwire.com/state-of-security/featured/maze-ransomware-what-you-need-to-know/">https://www.tripwire.com/state-of-security/featured/maze-ransomware-what-you-need-to-know/</a></p>
<p><a href="#_ftnref3">[3]</a> <a href="https://cyware.com/alerts/tags/maze-ransomware">https://cyware.com/alerts/tags/maze-ransomware</a></p>
<p><a href="#_ftnref4">[4]</a> <a href="https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/">https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/</a></p></div>Don’t Get Lost in the Mazehttps://redskyalliance.org/xindustry/don-t-get-lost-in-the-maze2020-06-16T17:23:50.000Z2020-06-16T17:23:50.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}6014420079,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}6014420079,RESIZE_400x{{/staticFileLink}}" alt="6014420079?profile=RESIZE_400x" width="250" /></a>Maze ransomware, previously known in the hacker community as “ChaCha Ransomware,” was discovered on 29 May 2019 by Jerome Segura, a malware intelligence researcher at Malwarebytes. The main goal of ransomware is to encrypt all files on an infected system and then demand a ransom to recover them. The threat actor that took credit for compromising an insurance giant appears to be continuing its attack spree at full intensity. It is currently targeting the aerospace sector, specifically maintenance service provider VT San Antonio Aerospace, which holds several contracts with the US government and various airlines.</p>
<p>The Maze threat actors targeted the systems of VT San Antonio Aerospace in March 2020 using an administrator account whose credentials had been captured by a keylogger. The group claims to be in possession of 1.5TB of unencrypted files and sensitive data, some of which has already been posted on its leak site, whose purpose is to publish victims' names and stolen data. The longer a business takes to pay the Maze ransom, the more of its information the group publishes.</p>
<p>The Maze group is apparently on a dedicated mission to target enterprises across the globe. Within the first week of June 2020 alone, threat actors associated with Maze were reported to have hit US defense contractor Westech International, business services giant Conduent, and Kerr Controls, which manufactures automation systems for commercial businesses.</p>
<p>The ransomware is spread mainly through exploit kits such as Fallout and Spelevo, Remote Desktop (RDP) connections protected by weak passwords, and phishing emails impersonating government agencies. In the October 2019 campaign against Italian organizations, for instance, the emails carried a Word attachment whose macros ran the malware on the victim's system. The malware is coded specifically to hinder reverse engineering, which makes static analysis by security researchers more difficult. Reverse engineering is a common practice in cybersecurity for understanding how a given program, in this case the malware, works.</p>
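<p>Of the three delivery vectors above, password guessing against exposed RDP is the one a defender can check for directly in the Windows Security log. The following Python script is an added example, not Red Sky Alliance code or any Maze analysis tooling: it parses constructed Event ID 4625 (failed logon) records and flags a source address that fails many remote-desktop logons against several accounts inside a short window, the signature of a brute-force attempt on an RDP service. The JSON field names, the sample events, the 203.0.113.7 address and the five-failures-in-five-minutes threshold are all assumptions chosen for the demonstration.</p>

```python
"""Flag RDP password-guessing bursts in Windows Security Event ID 4625 records.

Added example; not Red Sky Alliance code. Field names, sample events and
thresholds are assumptions chosen for the demonstration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real telemetry): failed-logon events as a SIEM might
# export them, one JSON object per line. 203.0.113.7 is a documentation-range
# address standing in for an Internet-based guesser; 10.0.0.5 is an internal
# user who mistyped a password twice and then logged on, which must not alert.
SAMPLE_EVENTS = """\
{"time":"2020-06-01T02:14:05Z","event_id":4625,"logon_type":10,"logon_process":"User32","account":"administrator","src_ip":"203.0.113.7"}
{"time":"2020-06-01T02:14:09Z","event_id":4625,"logon_type":10,"logon_process":"User32","account":"admin","src_ip":"203.0.113.7"}
{"time":"2020-06-01T02:14:12Z","event_id":4625,"logon_type":3,"logon_process":"NtLmSsp","account":"backup","src_ip":"203.0.113.7"}
{"time":"2020-06-01T02:14:20Z","event_id":4625,"logon_type":10,"logon_process":"User32","account":"administrator","src_ip":"203.0.113.7"}
{"time":"2020-06-01T02:14:33Z","event_id":4625,"logon_type":10,"logon_process":"User32","account":"scanner","src_ip":"203.0.113.7"}
{"time":"2020-06-01T02:15:01Z","event_id":4625,"logon_type":10,"logon_process":"User32","account":"admin","src_ip":"203.0.113.7"}
{"time":"2020-06-01T08:30:00Z","event_id":4625,"logon_type":10,"logon_process":"User32","account":"jsmith","src_ip":"10.0.0.5"}
{"time":"2020-06-01T08:30:15Z","event_id":4625,"logon_type":10,"logon_process":"User32","account":"jsmith","src_ip":"10.0.0.5"}
{"time":"2020-06-01T08:30:40Z","event_id":4624,"logon_type":10,"logon_process":"User32","account":"jsmith","src_ip":"10.0.0.5"}
"""


def parse_time(stamp):
    """Parse the UTC ISO-8601 timestamp used in the sample export."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def is_rdp_failure(ev):
    """True when a record is a 4625 that represents a rejected Remote Desktop logon."""
    if ev.get("event_id") != 4625:
        return False
    if ev.get("logon_type") == 10:  # RemoteInteractive: a classic RDP logon
        return True
    # With Network Level Authentication the password is checked before the
    # interactive session exists, so guesses fail as network logons (type 3)
    # authenticated through NtLmSsp; count those too.
    return ev.get("logon_type") == 3 and ev.get("logon_process") == "NtLmSsp"


def detect_rdp_bruteforce(raw_lines, window=timedelta(minutes=5), threshold=5):
    """Return one alert per source IP whose RDP failures reach `threshold`
    inside any sliding `window`; each alert lists the accounts that were tried."""
    failures = defaultdict(list)
    for line in raw_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if is_rdp_failure(ev):
            failures[ev["src_ip"]].append((parse_time(ev["time"]), ev["account"]))

    alerts = []
    for src_ip, events in failures.items():
        events.sort()
        peak, start = 0, 0
        for end, (t, _) in enumerate(events):
            # Move the window's left edge past events older than `window`.
            while events[start][0] < t - window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({
                "src_ip": src_ip,
                "attempts": len(events),
                "peak_in_window": peak,
                "accounts": sorted({acct for _, acct in events}),
                "first": events[0][0].isoformat(),
                "last": events[-1][0].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"RDP brute force from {alert['src_ip']}: {alert['attempts']} failures "
              f"({alert['peak_in_window']} within window) against {alert['accounts']}")
```

<p>Tune the window and threshold to the environment; a single external address cycling through administrator-style account names is the pattern that precedes a hands-on-keyboard intrusion, and an alert from an Internet address is also evidence that the service should not have been reachable from outside at all.</p>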
<p>Security experts have not yet been able to trace the country of origin of the Maze ransomware. During their examination, McAfee Labs found that some of the IP addresses involved belonged to the Russian Federation. That alone is not enough to confirm Russian origin: attackers routinely route traffic through proxies, VPNs, or compromised hosts in third countries to misdirect investigations, and at times to sow discord between nations. In the past, Maze has been in the news for attacks against dozens of large business conglomerates, government contractors, and IT service companies.</p>
<p>Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice and especially important. External threats, however, are often overlooked and can provide early warning of an impending attack. Red Sky Alliance can provide internal monitoring in tandem with RedXray® notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting. These indicators of compromise (IOCs) can be used to block malicious infrastructure and malware.</p>
<p>RedXray® provides daily cyber threat notifications to enrolled customers, identifying threats specific to that customer rather than the generic threats facing all customers everywhere in the world. RedXray® informs customers of threats <strong>before</strong> they become a breach. This notification augments cyber security services that only monitor threats within an organization’s own network or servers. RedXray® performs its data collection without a network connection to the customer and can collect malicious data anywhere in the world.</p>
<p>RedXray® customers will now automatically receive Ransomware Protection, of up to $100K USD, at no additional charge. <a href="https://www.wapacklabs.com/redxray">https://www.wapacklabs.com/redxray</a></p>
<p>Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p>
<p>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></p>
<p>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></p>
<p>LinkedIn: <a href="https://www.linkedin.com/company/wapacklabs/">https://www.linkedin.com/company/wapacklabs/</a></p>
<p>Twitter: <a href="https://twitter.com/wapacklabs?lang=en">https://twitter.com/wapacklabs?lang=en</a></p>
<p> </p></div>Ransomware Trendshttps://redskyalliance.org/xindustry/ransomware-trends2020-06-12T17:54:33.000Z2020-06-12T17:54:33.000ZJonathon Sweeneyhttps://redskyalliance.org/members/JonathonSweeney<div><p><a href="{{#staticFileLink}}5887188088,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}5887188088,RESIZE_400x{{/staticFileLink}}" width="250" alt="5887188088?profile=RESIZE_400x" /></a>Like any profitable business model, ransomware gangs continue to innovate and increase their business. Recently, reports have emerged of a collaboration between the Maze and Lockbit gangs, as well as the REvil, aka Sodinokibi, operators not leaking stolen data for free when victims do not pay, but instead auctioning it off to the highest bidder.</p>
<p>Here are some of the latest ransomware trends noted by cyber analysts: <a href="{{#staticFileLink}}5887178700,original{{/staticFileLink}}">IR-20-164-002_Ransomware Trends.pdf</a></p></div>Maze Ransomwarehttps://redskyalliance.org/xindustry/maze-ransomware2019-12-30T22:05:09.000Z2019-12-30T22:05:09.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}3794386206,original{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3794386206,RESIZE_710x{{/staticFileLink}}" width="304" height="107" alt="3794386206?profile=RESIZE_710x" /></a>FBI Flash Bulletin /<strong> TLP GREEN</strong></p>
<p>Unknown cyber actors have targeted multiple US and international businesses with Maze ransomware since early 2019. Maze encrypts files on an infected computer’s file system and on associated network file shares. Once the victim has been compromised, but prior to the encryption event, the actors exfiltrate data. After the encryption event, the actors demand a victim-specific ransom amount paid in Bitcoin (BTC) in order to obtain the decryption key. An international Maze campaign targeted the healthcare sector, while its deployment in the US has been more varied.</p>
<p>Link to full report: <a href="{{#staticFileLink}}3794381878,original{{/staticFileLink}}">flash_maze_ransomware.pdf</a></p></div>