Cyber criminals pivot away from ransomware encryption

Cyber breaches involving data theft and extortion without any encryption or ransomware component account for a growing share of incidents, a possible indication that ransomware gangs are changing their business models

By Alex Scroxton, Security Editor

Published: 27 Jul 2023 15:00

Cases of straight-up data theft and extortion now appear to be a more common threat than ransomware, becoming the single most observed threat in the second calendar quarter of 2023, according to data released this week by researchers working with Cisco Talos.

According to Cisco Talos’s incident response telemetry, incidents of data theft and extortion that did not involve any form of data encryption or deployment of ransomware grew by 25% from 1 April to the end of June, accounting for 30% of incidents to which the organisation mounted a response. Ransomware was still the second most observed threat, accounting for 17% of engagements.

Many of these extortion incidents will likely have stemmed from the numerous attacks mounted by the Clop cyber crime cartel, which has exploited zero-days in several managed file transfer (MFT) products – most recently Progress Software’s MOVEit Transfer – in 2023 to great effect.

But Clop is not the only group pivoting away from encryption and ransomware. The BianLian group also appears to have stopped conducting ransomware operations in favour of exfiltration-based extortion, and other groups including Karakurt and RansomHouse are following the same trend.

“Data theft extortion is not a new phenomenon, but the number of incidents this quarter suggests that financially motivated threat actors are increasingly seeing this as a viable means of receiving a final payout,” wrote report author Nicole Hoffman.

“Carrying out ransomware attacks is likely becoming more challenging due to global law enforcement and industry disruption efforts, as well as the implementation of defences such as increased behavioural detection capabilities and endpoint detection and response (EDR) solutions,” she said.

In the case of Clop’s attacks, Hoffman observed that it was “highly unusual” for a ransomware group to exploit zero-days so consistently, given the sheer time, effort and resourcing needed to develop exploits. She suggested this meant Clop likely has a level of sophistication and funding matched only by state-backed advanced persistent threat actors.

Given Clop’s incorporation of zero-days in MFT products into its playbook, and its rampant success in doing so – the list of MOVEit victims compiled and maintained by analyst Bert Kondruss of KonBriefing Research exceeds 510 as of 27 July – she said it was likely the gang would continue targeting such applications.

In the more conventional world of ransomware, Cisco Talos observed the growth of new operations such as 8Base and MoneyMessage, alongside established and prolific players such as LockBit – the group behind the January 2023 hit on Royal Mail and last year’s attack on Advanced Software that degraded NHS services – and Royal.

8Base, which emerged in March 2022, is a customised version of the Phobos ransomware that also steals data before encrypting it on the victim’s systems. Despite being nearly 18 months old, it has only really risen to prominence since June 2023.

In one 8Base attack that Cisco Talos responded to, the cyber criminals exploited the AnyDesk remote desktop app, installing it in the Performance Logs directory in a possible attempt to avoid detection. In this attack, the threat actor was also seen dumping credentials from Local Security Authority Subsystem Service (LSASS) memory, before creating new processes with an existing user token, escalating their privileges using the runas command, and then using the Windows command shell to execute malicious PowerShell scripts.

MoneyMessage, meanwhile, was first observed in the wild in March 2023, and continues to operate on the still-successful double extortion (encryption plus data theft) model. Coded in C++, it uses a number of encryption features favoured by ransomware gangs, including the Elliptic Curve Diffie-Hellman key exchange and the ChaCha stream cipher algorithm.

In one incident to which Cisco Talos responded, the gang’s encryptor was dropped in the victim’s Netlogon directory, which allowed them to deploy their actual locker across multiple hosts. The gang was also able to uninstall various security tools, such as EDR solutions, using PowerShell scripts.
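As an added illustration (not code from the article or from Cisco Talos), the following Python sketches how a defender might turn the 8Base and MoneyMessage behaviours described above (an executable run from the Performance Logs directory, a non-system process opening LSASS, runas launched from a shell, PowerShell started with its execution policy bypassed, and an executable dropped into the Netlogon share) into simple rules over process and file events. The event format, field names, paths and sample events are constructed assumptions, not real telemetry.

```python
import re

# Constructed sample events (not real telemetry), loosely Sysmon-like and modelled on
# the 8Base and MoneyMessage tradecraft in the article; the field names are assumptions.
SAMPLE_EVENTS = [
    {"kind": "process_create", "image": r"C:\PerfLogs\AnyDesk.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "AnyDesk.exe --install"},
    {"kind": "process_access", "image": r"C:\Users\bob\AppData\Local\Temp\dump.exe",
     "target": r"C:\Windows\System32\lsass.exe"},
    {"kind": "process_create", "image": r"C:\Windows\System32\runas.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": r"runas /user:CORP\admin cmd.exe"},
    {"kind": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": r"powershell -ep bypass -File C:\PerfLogs\s.ps1"},
    {"kind": "file_create", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"\\dc01\NETLOGON\locker.exe"},
    {"kind": "process_create", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",  # expected path
     "parent": r"C:\Windows\explorer.exe", "cmdline": "AnyDesk.exe"},
]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

# (name, predicate) heuristics keyed to the article's observations; every predicate
# checks "kind" first so events lacking a field are never dereferenced.
RULES = [
    # Anything launched from C:\PerfLogs, the directory 8Base dropped AnyDesk into.
    ("exec_from_perflogs", lambda e: e["kind"] == "process_create"
     and "\\perflogs\\" in e["image"].lower()),
    # A process outside System32 opening a handle to LSASS (credential dumping).
    ("lsass_access", lambda e: e["kind"] == "process_access"
     and basename(e["target"]) == "lsass.exe"
     and not e["image"].lower().startswith("c:\\windows\\system32\\")),
    # runas spawned by an interactive shell, as seen during privilege escalation.
    ("runas_from_shell", lambda e: e["kind"] == "process_create"
     and basename(e["image"]) == "runas.exe"
     and basename(e["parent"]) in {"cmd.exe", "powershell.exe"}),
    # PowerShell started from cmd.exe with the execution policy bypassed.
    ("powershell_bypass", lambda e: e["kind"] == "process_create"
     and basename(e["image"]) == "powershell.exe" and basename(e["parent"]) == "cmd.exe"
     and re.search(r"-(ep|executionpolicy)\s+bypass", e["cmdline"], re.I) is not None),
    # An executable written into the Netlogon share, MoneyMessage's staging point
    # for pushing its locker to many hosts at once.
    ("drop_in_netlogon", lambda e: e["kind"] == "file_create"
     and re.search(r"\\netlogon\\[^\\]+\.(exe|dll|ps1)$", e["target"], re.I) is not None),
]

def detect(events) -> list[tuple[str, str]]:
    """Return (rule_name, acting_image) for every rule each event matches."""
    return [(name, e["image"]) for e in events for name, pred in RULES if pred(e)]
```

Running `detect(SAMPLE_EVENTS)` flags the first five constructed events once each and leaves the AnyDesk instance installed under Program Files alone.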

Copyright for syndicated content belongs to the linked source: Computer Weekly – https://www.computerweekly.com/news/366546052/Cyber-criminals-pivot-away-from-ransomware-encryption