Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Ransomware Gangs Capitalize on LockBit's Fame to Intensify Attacks



Ransomware operators are borrowing the notoriety of established brands such as LockBit to intimidate and extort their victims. The latest attacks attributed to the Mallox ransomware variant illustrate the trend: the malware is dressed up as LockBit so that the attackers can trade on a reputation they did not earn and gain leverage over their targets.

  • Ransomware gangs are using the fame of established brands such as LockBit to intimidate and extort victims.
  • The latest Mallox ransomware variant embeds hard-coded AWS credentials to exfiltrate victim data to attacker-controlled cloud storage.
  • The attackers pose as LockBit, a notorious ransomware brand, rather than being affiliated with it.
  • The malware targets both Windows and macOS systems.
  • Stolen files are uploaded via S3 Transfer Acceleration (S3TA) for faster transfer, before local encryption begins.
  • Encrypted files are renamed to embed the initialization vector, with a fixed .abcd suffix.
  • The final stage sets the device's wallpaper to an image referencing LockBit 2.0 to pressure victims into paying.



  • Ransomware gangs have increasingly been using the fame of established brands such as LockBit to intimidate and extort their victims. The tactic has become a hallmark of modern ransomware campaigns: attackers exploit the notoriety of a well-known operation to gain leverage over their targets without having to build that reputation themselves.

    The most recent example is the latest set of attacks attributed to the Mallox ransomware variant. According to Trend Micro researchers Jaromir Horejsi and Nitesh Surana, attempts were made to disguise the Golang-based ransomware as the notorious LockBit. It is not LockBit: the threat actor appears to be capitalizing on LockBit's notoriety to tighten the noose on its victims.

    By embedding hard-coded Amazon Web Services (AWS) credentials in the ransomware artifacts, the attackers arranged for stolen data to be uploaded to cloud storage under their control. The tactic is increasingly common among ransomware gangs, who lean on the capacity and reach of major cloud providers for exfiltration rather than running their own infrastructure.

    The AWS account used in the campaign is presumed to be either the attackers' own or compromised. Following responsible disclosure to the AWS security team, the identified AWS access keys and accounts were suspended. Trend Micro nevertheless detected over 30 samples with embedded AWS Access Key IDs and Secret Access Keys, signaling that the ransomware is under active development. For defenders, credentials baked into a binary are also an opportunity: they are static strings that can be found by scanning the sample.

    The ransomware itself targets both Windows and macOS systems. The delivery mechanism remains unknown, but once executed the malware obtains the machine's universally unique identifier (UUID) and carries out a series of steps to derive the master key used to encrypt files.

    After initialization, the malware enumerates the root directories and encrypts files matching a specified list of extensions. Before a file is encrypted, however, it is exfiltrated to AWS via S3 Transfer Acceleration (S3TA), which routes uploads through AWS edge locations for faster transfer. The ordering matters for responders: by the time the ransom demand appears, the data theft is already complete, so outbound traffic to S3TA endpoints is the earliest observable sign of the attack.
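    S3TA uploads go to bucket-specific hostnames under s3-accelerate.amazonaws.com (or s3-accelerate.dualstack.amazonaws.com for IPv6), which are rarely seen from endpoints that do not deliberately use the feature. The following is an added example, not code from the original article or from Trend Micro, that flags such hosts in proxy or DNS log lines; the log format and the bucket name exfil-bucket are constructed for the example.

```python
import re

# Constructed proxy log lines: timestamp, client IP, method, destination host:port.
SAMPLE_PROXY_LOG = """\
2024-10-21T10:01:02Z 10.0.0.5 CONNECT updates.example.com:443
2024-10-21T10:01:09Z 10.0.0.5 CONNECT exfil-bucket.s3-accelerate.amazonaws.com:443
2024-10-21T10:01:10Z 10.0.0.7 CONNECT reports.s3.us-east-1.amazonaws.com:443
2024-10-21T10:02:41Z 10.0.0.5 CONNECT exfil-bucket.s3-accelerate.dualstack.amazonaws.com:443
2024-10-21T10:03:00Z 10.0.0.9 GET www.example.com:80
"""

# Matches <bucket>.s3-accelerate.amazonaws.com and its dualstack variant. Plain
# regional S3 endpoints (bucket.s3.<region>.amazonaws.com) deliberately do not match.
S3TA_HOST_RE = re.compile(
    r"(?<![A-Za-z0-9.-])(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
    r"\.s3-accelerate(?:\.dualstack)?\.amazonaws\.com(?![A-Za-z0-9.-])"
)

LOG_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<dest>\S+)$")


def s3ta_events(log_text: str) -> list:
    """Return (timestamp, source IP, bucket) for every line that reaches an S3TA host."""
    events = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue
        host = S3TA_HOST_RE.search(m["dest"])
        if host:
            events.append((m["ts"], m["src"], host["bucket"]))
    return events


def suspicious_sources(log_text: str) -> dict:
    """Group S3TA destinations by client so a single talkative host stands out."""
    by_src = {}
    for _, src, bucket in s3ta_events(log_text):
        by_src.setdefault(src, set()).add(bucket)
    return {src: sorted(buckets) for src, buckets in by_src.items()}


if __name__ == "__main__":
    for ts, src, bucket in s3ta_events(SAMPLE_PROXY_LOG):
        print(f"{ts} {src} -> S3 Transfer Acceleration bucket {bucket}")
```

    In an environment that legitimately uses S3TA, allow-list the known buckets and alert only on the rest; the bucket name is visible in the hostname, so the rule can be that specific.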

    Once a file is encrypted it is renamed according to the format <original filename>.<initialization vector>.abcd. For instance, "text.txt" becomes "text.txt.e5c331611dd7462f42a5e9776d2281d3.abcd". The 32 hexadecimal characters are 16 bytes, the size of an AES block, which is consistent with a per-file IV that the decryptor needs and that is therefore stored alongside the ciphertext rather than in it. The fixed .abcd suffix is the simplest reliable marker of an encrypted file during incident triage.
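    The following is an added example, not code from the original article or from Trend Micro, that parses that naming format during triage: it recovers original filenames and IVs from a directory listing and flags IVs that appear on more than one file. The report does not state the cipher mode, so the reuse check is a generic one (for counter-based or GCM-style modes, a repeated IV under the same key leaks the XOR of plaintexts, which is worth knowing before attempting recovery). The listing below is constructed; only the text.txt entry comes from the report.

```python
import re
from collections import Counter

# <original filename>.<32 hex chars = 16-byte IV>.abcd; the greedy group keeps
# dots inside the original name (e.g. archive.tar.gz).
ENCRYPTED_NAME_RE = re.compile(r"^(?P<original>.+)\.(?P<iv>[0-9a-f]{32})\.abcd$")

# Constructed directory listing. The first entry is the example from the report,
# the rest are made up; notes.docx deliberately reuses budget.xlsx's IV.
SAMPLE_LISTING = [
    "text.txt.e5c331611dd7462f42a5e9776d2281d3.abcd",
    "budget.xlsx.0123456789abcdef0123456789abcdef.abcd",
    "notes.docx.0123456789abcdef0123456789abcdef.abcd",
    "readme.md",
    "archive.tar.gz.ffffffffffffffffffffffffffffffff.abcd",
    "fake.txt.notahexstring.abcd",
]


def parse_encrypted_name(name: str):
    """Return {'original': str, 'iv': bytes} for an encrypted filename, else None."""
    m = ENCRYPTED_NAME_RE.match(name)
    if not m:
        return None
    return {"original": m["original"], "iv": bytes.fromhex(m["iv"])}


def triage(names) -> dict:
    """Summarise a listing: how many files are encrypted, what they were, reused IVs."""
    encrypted = [(n, p) for n in names if (p := parse_encrypted_name(n)) is not None]
    iv_counts = Counter(p["iv"] for _, p in encrypted)
    return {
        "encrypted": len(encrypted),
        "originals": [p["original"] for _, p in encrypted],
        "reused_ivs": [iv.hex() for iv, count in iv_counts.items() if count > 1],
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LISTING)
    print(f"{summary['encrypted']} encrypted files: {summary['originals']}")
    if summary["reused_ivs"]:
        print(f"IV reused across files: {summary['reused_ivs']}")
```

    Run over a real volume with os.walk, the same function gives the list of affected paths for the incident record and the original names needed to restore from backup.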

    The final stage changes the device's wallpaper to an image that mentions LockBit 2.0, in an attempt to compel victims to pay. The branding changes nothing about the encryption, but it shows how willing the attackers are to use psychological pressure, and why incident responders should identify a strain by its artifacts rather than by the name on the ransom note.

    The source article also notes, separately, that Akira ransomware affiliates have been exploiting several publicly tracked vulnerabilities (the CVE identifiers are listed in the linked article) to break into networks, escalate privileges and move laterally within compromised environments in order to establish a deeper foothold.

    The emergence of new ransomware variants such as Mallox underscores the continuing evolution of the threat. As defenses are put in place against one operation, another appears to exploit the same weaknesses, both technical and psychological.

    Summary:
    Ransomware gangs have increasingly been using the fame of established brands such as LockBit to intimidate and extort their victims. The latest attacks attributed to the Mallox ransomware variant illustrate the trend, with the attackers posing as LockBit to gain leverage over their targets. By embedding AWS credentials in the malware and uploading stolen files to cloud storage under their control, rather than exploiting any flaw in AWS itself, the gang completes the data theft before encryption even starts, which makes early detection of the exfiltration traffic all the more important for defenders.



    Related Information:

  • https://thehackernews.com/2024/10/ransomware-gangs-use-lockbits-fame-to.html


  • Published: Wed Oct 23 06:27:50 2024 by llama3.2 3B Q4_K_M


    © Ethical Hacking News . All rights reserved.
