sekhmet - X-Industry - Red Sky Alliance (feed, updated 2024-03-29T13:10:02Z, https://redskyalliance.org/xindustry/feed/tag/sekhmet)
Ransomware Author says Goodbye Forever, Hmmmmm.... (https://redskyalliance.org/xindustry/ransomware-author-says-goodbye-forever-hmmmmm, published 2022-02-13T20:17:32.000Z, by Bill Schenkelberg, https://redskyalliance.org/members/BillSchenkelberg)
<div><p>If you or your company was unfortunate enough to be caught in the web of a ransomware attack, the consequences may have been devastating. Hopefully you got rid of the infection, but the all-important files affected by such an attack could still be under lock and key. Without backups, which is more common than you may think, the files may be gone forever.</p>
<p><strong>A tiny slice of good fortune: </strong>Occasionally, we all catch a break. Files can sometimes be recovered in the following ways<a href="#_ftn1">[1]</a>:</p>
<ul>
<li>A ransomware author makes some sort of mistake, or their files are just simply coded badly. Researchers figure out a way to <a href="https://www.zdnet.com/article/cracking-ransomware-ransomwarrior-victims-can-now-retrieve-files-for-free/">recover the decryption key</a>, and publish it so victims can recover their files.</li>
<li>Authors offer up the keys themselves. This can be for a variety of reasons. They may have generated a bit too much heat, and are looking to retreat into the shadows with the suggestion of some good deed done. Other times, they decide “party’s over” with the release of a new variant and hand out a “Get out of jail free” pass to former victims.</li>
</ul>
<p><strong>What a maze!! </strong>So, back in 2019, Maze Ransomware came to the forefront. Initially it grabbed victims <a href="https://www.bleepingcomputer.com/news/security/maze-ransomware-says-computer-type-determines-ransom-amount/">via fake Cryptocurrency site traffic</a> and bounced it to exploit kit landing pages. It also claimed to vary ransom amounts depending on whether the compromised machine was a workstation, home computer, or server. Tactics changed a little later on, with threats of exfiltrated data being published if ransom demands were not met. The group behind Maze eventually announced retirement, and infection numbers tailed off after one final flourish in August 2020. Maze affiliates quickly moved over to Egregor, which was then mired in the mud of several arrests. We are now into the second month of 2022, and there are yet more developments in Maze land.</p>
<table width="100%">
<tbody>
<tr>
<td>
<p>Hello, It’s developer. It was decided to release keys to the public for Egregor, Maze, Sekhmet ransomware families.</p>
<p>Also there is a little bit of harmless source code of polymorphic x86/x64 modular EPO file infector m0yv detected in the wild as Win64/Expiro virus, but it is not expiro actually, but AV engines detect it like this, so no single thing in common with gazavat. Each archive with keys has corresponding keys inside the numeric folders, which equal the advert id in the config.</p>
<p>In the “OLD” folder of the maze leak are keys for its old, e-mail based version. Consider making a decryptor first for this one, because there were too many regular PC users for this version.</p>
</td>
</tr>
</tbody>
</table>
<p><strong>We’re finished…(again). </strong>Someone has <a href="https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/">posted to the Bleeping Computer forums</a>, claiming to be the developer of not only Maze, but also Egregor and Sekhmet ransomware families. The post reads as follows:</p>
<p>There is, once more, a claim that anyone involved is now definitely out of the Ransomware game for good. All the “source code of tools” are also supposedly gone forever. The forum poster included a zip containing decryption keys for the ransomware, and also some source code for malware used by the Maze gang.</p>
<p><strong>What’s the real reason for this departure? </strong>Decryption tools now exist for the 3 groups mentioned, thanks to the release of the keys on the forum post. The zip file has now been removed from the forum due to the inclusion of the malware source code. The author claims this forum post and announcement is not related to any arrest or takedown, but even so this feels more important as an announcement of leaving the malware realm to avoid trouble than being particularly helpful to victims just for the sake of it. Are they gone for good, or will they return once more with a new set of Ransomware files? Only time will tell…Red Sky does not think so.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization who has long collected and analyzed cyber indicators. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://blog.malwarebytes.com/malwarebytes-news/2022/02/ransomware-author-releases-decryption-keys-says-goodbye-forever/">https://blog.malwarebytes.com/malwarebytes-news/2022/02/ransomware-author-releases-decryption-keys-says-goodbye-forever/</a></p></div>
Ransomware Demand – Answer Line 1 (https://redskyalliance.org/xindustry/ransomware-demand-answer-line-1, published 2020-12-10T15:12:35.000Z, by Bill Schenkelberg, https://redskyalliance.org/members/BillSchenkelberg)
<div><p>For ransomware actors, innovation is a key to success, as crime gangs look for new ways to dupe people and make crypto-locking malware even more lucrative. Some hacking groups have started cold-calling victims to inform them that their systems have been hit by ransomware and to request a ransom to resolve the situation. An old, yet tried and true, use of chicanery. Sometimes old schemes become new schemes. This is just the latest in a long line of shakedown tactics, which include not just using crypto-locking malware but leaking data to increase the psychological pressure on victims to pay. The Egregor ransomware group has been taking over business printers and printing out their demands for all employees to read. Another devious trick.</p>
<p>Cyber threat experts explain that the number of ransomware attacks and the size of ransom payments are on the rise. This may be due to so-called human-operated ransomware, referring to gangs that do not rely only on malware and opportunistic infections, but bring advanced network penetration and other skills to perpetrate attacks. This is actually very clever. Many such operations also appear to have focused more on ‘big-game hunting,’ meaning attempting to take down larger targets to demand much larger ransoms for every given attack. Investigators are reporting that these gangs are writing business plans and analyzing exactly how much they can demand as the ransom payment.<a href="#_ftn1">[1]</a> Criminals are smart too.</p>
<p>Let’s look at a new scheme, Extortion-as-a-Service (EaaS). Following the practices of legitimate businesses, ransomware groups are looking to expand their prospects and seek to turn as many of their tactics as possible into extorting victims, sometimes via lengthy negotiations. These ‘new’ tactics are classic sales and marketing initiatives. To convert more <u>prospects</u>, or as in this example, victims, into paying a ransom, multiple gangs appear to have been outsourcing these efforts to one or more call centers.</p>
<p>Ransomware operations have been cold-calling victims since August 2020, when Maze contacted an organization it had compromised. In September 2020, the operators behind the Conti ransomware group telephoned Galstan & Ward Family and Cosmetic Dentistry, a dental practice in Georgia, to tell them they had been victims of a ransomware attack and to demand that the ransom be paid.</p>
<p>A list of gangs known to have used this tactic includes Ryuk and its successor, Conti. Maze's successor, Egregor, has also used this tactic, in addition to hijacking company printers. Based on comments made by Maze members, "it appears that they are using a third-party team to do those calls," states the IR firm Arete. "Based on voicemail recordings, the messages appear to be very scripted and it sounds like a person reading the pre-written message." "We think it's the same outsourced call center group that is working for all the [ransomware gangs], as the templates and scripts are basically the same across the variants," reports the CEO of Coveware.</p>
<p>Sekhmet may have been the first ransomware operation to rely on this tactic. "We can't say for sure but we think that we are the first group that tries to contact the companies by phone as soon as possible after the incident," the operators behind Sekhmet posted to their leaks site. The use of call centers demonstrates some ransomware operators' increasing business understanding. "The segmentation and specialization that is implied by the use of call centers to handle victim negotiations demonstrates the evolution and maturity of the cyber extortion industry," says Coveware's CEO. "Some of these groups have staffing and budgets akin to a midsized company," he adds. "They have the same problems, as well, with miscommunications, poor training and vendor and staff turnover that impact their operations."</p>
<p>Outsourcing the work of threatening victims is just the most recent in a myriad of innovations that ransomware gangs have been using to maximize their returns. Others include:</p>
<ul>
<li>Leak sites: In November 2019, the Maze gang pioneered the practice of exfiltrating data and then leaking samples of it. Since then, more than a dozen gangs have created name-and-shame sites where they leak victim names and data samples or threaten to auction stolen data to the highest bidder.</li>
<li>Data-deletion promises: As more organizations have put better defenses in place, ransomware gangs have shifted from requiring a ransom in exchange for the promise of a decryption tool to falsely promising to delete stolen data if victims pay.</li>
<li>Ransomware-as-a-service affiliate programs: In RaaS programs, ransomware operators provide malware to affiliates, who share in the profits whenever a victim pays. Such programs help maximize the returns for both parties, and they have been thriving.</li>
<li>Recruiting specialists: Driven in part by RaaS, as well as the lure of big-game hunting profits, more gangs have been recruiting specialists across numerous disciplines, ranging from network penetration and encryption to negotiations and working with cloud-based data.</li>
<li>Easier access to victims: As part of the burgeoning cybercrime-as-a-service ecosystem, there has been a surge in initial access brokers who sell ready-to-use, remote access into penetrated corporate networks, typically gathered by brute-forcing remote desktop protocol connections. Buying such access means ransomware-wielding gangs do not have to focus on amassing victims themselves but can move immediately to trying to steal data, infect organizations' systems and then extort organizations.</li>
</ul>
<p>The increased use of these criminal tactics, sometimes in combination, means that ransomware attacks can leave victims not just having to recover from a crypto-locking malware outbreak but, oftentimes, having to investigate a suspected data breach, which can trigger a host of unexpected government notification rules.</p>
<p>Red Sky Alliance has been tracking cyber criminals for years. Throughout our research we have painfully learned through our clients that the installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to success, yet woefully not enough. Our current tools provide a valuable look into the underground, where malware of every variety, ransomware included, is bought and sold, and they help support current protections with proactive underground indicators of compromise. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis for your organization.</p>
<p>Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports. Malware comes and goes, but often is dusted off and reappears in current campaigns.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings:<br /> <a href="https://attendee.gotowebinar.com/register/8782169210544615949">https://attendee.gotowebinar.com/register/8782169210544615949</a></p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.bankinfosecurity.com/ransomware-call-centers-cold-call-victims-to-demand-ransom-a-15535">https://www.bankinfosecurity.com/ransomware-call-centers-cold-call-victims-to-demand-ransom-a-15535</a></p></div>
Egregor Ransomware Joins an Exclusive Club (https://redskyalliance.org/xindustry/egregor-ransomware-joins-an-exclusive-club, published 2020-10-06T21:20:20.000Z, by Bill Schenkelberg, https://redskyalliance.org/members/BillSchenkelberg)
<div><p>Cyber security researchers are warning about a recently uncovered ransomware variant called Egregor that appears to have infected about a dozen organizations worldwide over the past several months. Similarities to the Sekhmet crypto-locking malware have been noted.</p>
<p>Like other ransomware operators, the bad actors behind the Egregor ransomware are threatening to leak victims' data if the ransom demands are not met within three days. The cybercriminals linked to Egregor are also mimicking Maze tactics, creating a "news" site on the Darknet that offers a list of victims that have been targeted and updates about when stolen and encrypted data will be released. Egregor's ransom note also says that, if the company pays the ransom, aside from decrypting all the files they will also provide recommendations for securing the company's network, 'helping' them avoid being breached again.</p>
<p>It is not clear how much ransom Egregor is demanding or if any data has been leaked, yet a copy of one ransom note posted online notes these cybercriminals plan to release stolen data through what they call "mass media."</p>
<p>The Egregor ransomware variant was first spotted in mid-September by several independent security researchers, who posted samples of the ransom note on Twitter.</p>
<p>"The first time Egregor was analyzed by our team was earlier this week. We don't have specifics about how long it's operating but seems that the first public appearance of Egregor was September 18 on Twitter by @demonslay335 and @PolarToffee," a security researcher informed Information Security Media Group. "At this time, there are still only 13 companies in the 'hall of shame.'"</p>
<p>The recent alert notes that the Egregor variant appears to be a spinoff of another ransomware strain called Sekhmet, which has also been linked to criminal gangs threatening to release encrypted and stolen data if victims do not pay.</p>
<p>Analysts have noted that the Egregor ransomware uses several types of anti-analysis techniques, including code obfuscation and packed payloads, which means the malicious code "unpacks" itself in memory to avoid detection by security tools. Without the right decryptor key, it is difficult to analyze the full ransomware payload to learn additional details about how the malware works. </p>
<p>"The Egregor payload can only be decrypted if the correct key is provided in the process' command line, which means that the file cannot be analyzed, either manually or using a sandbox, if the exact same command line that the attackers used to run the ransomware isn't provided," according to the recent alert.</p>
<p>Researchers claim the use of the decryptor key makes a deeper analysis more difficult at this time. This means that if the analyst or researcher only has access to the packed file, without knowing how it was launched in the affected environment, Egregor's payload cannot be decrypted, and thus cannot be executed.</p>
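The passage above describes a payload that only unpacks when the right key is passed on its command line. For a defender that detail is useful: the key has to be visible somewhere, and the process command line recorded by endpoint telemetry is the usual place. The script below is an added example, not code from the Red Sky Alliance post or from any Egregor analysis tooling. It scans constructed sample process-creation events (the events, thresholds and field names are assumptions made for this example, not vendor settings or real logs) and flags command lines that carry an unusually long, high-entropy argument, while setting aside tokens that look like file paths or hex hashes, which would otherwise cause false positives. It is a hunting heuristic, not a signature: session tokens and base64 blobs will also trip it, so its output is a review queue, not a block list.

```python
"""Flag process launches whose command line carries a long, high-entropy argument.

Added example for triaging endpoint telemetry; the sample events below are
constructed, and the thresholds are assumptions chosen for this demonstration.
"""
import math
import re
from collections import Counter
from typing import Dict, List

# Assumed thresholds: tokens shorter than MIN_LEN are usually switches or short
# names; random alphanumerics score close to 5 bits per character.
MIN_LEN = 20
MIN_ENTROPY = 4.0

# Pure-hex tokens of MD5/SHA-1/SHA-256 length are a known benign class
# (commit ids, file hashes) and are excluded rather than scored.
HEX_HASH = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")

# Constructed sample process-creation records (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"parent": "cmd.exe", "image": "update.exe",
     "cmdline": "C:\\Users\\Public\\update.exe --key=Kp9wQ2xLm7Zt4RvB8sNfY1cH6dJ3eGaU"},
    {"parent": "devenv.exe", "image": "git.exe",
     "cmdline": "git.exe checkout 3b7f2a9c1d4e6f8a0b2c4d6e8f0a1b2c3d4e5f60"},
    {"parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
    {"parent": "wscript.exe", "image": "loader.exe",
     "cmdline": "C:\\Temp\\loader.exe p7m2x9q4w1z8k3v6t5r0nb"},
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character over the token's own character frequencies."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_hash(token: str) -> bool:
    return bool(HEX_HASH.match(token))


def candidate_tokens(cmdline: str) -> List[str]:
    """Split a command line and keep only tokens worth scoring.

    Path-like tokens (containing \\, / or :) and hash-shaped tokens are dropped
    because their entropy is high for benign reasons; '--flag=value' keeps value.
    """
    out: List[str] = []
    for raw in cmdline.split():
        tok = raw.strip("\"'")
        if "=" in tok:
            tok = tok.rsplit("=", 1)[1]
        if any(sep in tok for sep in ("\\", "/", ":")):
            continue
        if len(tok) < MIN_LEN or looks_like_hash(tok):
            continue
        out.append(tok)
    return out


def suspicious_arguments(cmdline: str) -> List[str]:
    """Return the tokens of a command line that exceed the entropy threshold."""
    return [t for t in candidate_tokens(cmdline) if shannon_entropy(t) >= MIN_ENTROPY]


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the events that carry at least one suspicious argument, in input order."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        args = suspicious_arguments(ev["cmdline"])
        if args:
            hits.append({**ev, "suspicious_args": args,
                         "max_entropy": round(max(shannon_entropy(a) for a in args), 2)})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['parent']} -> {hit['image']}: "
              f"{hit['suspicious_args']} (entropy {hit['max_entropy']})")
```

Run over the sample set, only the two events that pass a random-looking 32- and 22-character argument are reported; the path argument, the git commit hash and the short service switches are not. Tune MIN_LEN and MIN_ENTROPY against a baseline of your own fleet's command lines before using this as a hunt query, and treat hits as a starting point for pulling the launching script or scheduled task that supplied the argument.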
<p>The Egregor ransom note examined is vague and offers few clues about how the malware works and how the operators behind it will decrypt files once the ransom is paid. Unfortunately, there are no details on the ransom note or on the Egregor website. To get payment details, the victim needs to navigate to the deep web link Egregor provided and get instructions from the attacker through a live chat, which analysts have not conducted for security reasons. While it is not clear whether any data related to Egregor ransomware attacks has been leaked, security experts note that more cybercriminal gangs are using this technique to force victims to pay or as a warning to others.<a href="#_ftn1">[1]</a> Ransomware attacks are ever present. </p>
<p>Speaking at ISMG's Virtual Cybersecurity Summit in New York City last August, an attorney with the cybersecurity team at Baker Hostetler said that in at least 25 percent of the ransomware cases his firm has helped investigate, attackers claimed to have not just crypto-locked systems but also to have exfiltrated data. This could be used to force compliance through the hacker’s threat of exposing internal documents.</p>
<p>In August 2020, the incident response firm Coveware released a report finding that of the thousands of ransomware cases the firm investigated in the second quarter of 2020, 30 percent involved attackers threatening to release stolen data.<a href="#_ftn2">[2]</a></p>
<p>BTW - Egregore is an occult concept representing a distinct non-physical entity that arises from a collective group of people. Historically, the concept referred to angelic beings, or watchers, and the specific rituals and practices associated with them, namely within Enochian traditions.<a href="#_ftn3">[3]</a></p>
<p>The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks such as ransomware. Red Sky Alliance offers tools and services to help stop these types of cyber-attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.</p>
<p>What can you do to better protect your organization today?</p>
<ul>
<li>All data in transmission and at rest should be encrypted.</li>
<li>Proper data back-up and off-site storage policies should be adopted and followed.</li>
<li>Implement 2-Factor authentication company wide.</li>
<li>Join and become active in your local Infragard chapter, there is no charge for membership. infragard.org</li>
<li>Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.</li>
<li>Institute cyber threat and phishing training for all employees, with testing and updating.</li>
<li>Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.</li>
<li>Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.</li>
<li>Ensure that all software updates and patches are installed immediately.</li>
<li>Enroll your company/organization in RedXray for daily cyber threat notifications that are directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories including Keyloggers, without having to connect to your network.</li>
<li>Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.</li>
</ul>
<p>Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.</p>
<p>Articles about the cyber threat groups mentioned in this report can be found at <a href="https://redskyalliance.org">https://redskyalliance.org</a> There is no charge for access to these reports.</p>
<p>Our services can help protect against attacks such as these. We provide internal monitoring in tandem with RedXray notifications on ‘external’ threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.</p>
<p>The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul>
<p><a href="#_ftnref1">[1]</a> <a href="https://thecyberwire.com/newsletters/daily-briefing/9/193">https://thecyberwire.com/newsletters/daily-briefing/9/193</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.bankinfosecurity.co.uk/egregor-ransomware-adds-to-data-leak-trend-a-15110">https://www.bankinfosecurity.co.uk/egregor-ransomware-adds-to-data-leak-trend-a-15110</a></p>
<p><a href="#_ftnref3">[3]</a> <a href="https://en.wikipedia.org/wiki/Egregore">https://en.wikipedia.org/wiki/Egregore</a></p></div>