As part of their post-compromise playbook, the threat actors behind the ransomware-as-a-service (RaaS) scheme have been observed using recently patched security vulnerabilities in Microsoft Active Directory and the Netlogon protocol to escalate privileges and gain unauthorized access to the domain controller of a victim network.
"RansomHub has targeted over 600 companies worldwide, spanning areas such as healthcare, banking, government, and critical infrastructure, firmly establishing it as the most active ransomware group in 2024," Group-IB researchers said in an exhaustive analysis published this year.
The ransomware group first appeared in February of this year, acquiring the source code of the now-defunct Knight (previously Cyclops) RaaS gang from the RAMP cybercrime forum to accelerate its operations. Five months later, a variant with the ability to remotely encrypt data via the SFTP protocol was advertised on the illegal marketplace.
It comes in several variants capable of encrypting data on Windows, VMware ESXi, and SFTP servers. In a related effort, RansomHub has also been observed recruiting affiliates from the LockBit and BlackCat groups, which suggests that it is trying to capitalize on the law enforcement actions targeting its rivals.
In the incident investigated by the Singaporean cybersecurity company, the threat actor is said to have unsuccessfully attempted to break into the victim network using a publicly available proof-of-concept (PoC).
"This brute force effort was based on an enriched dictionary of over 5,000 usernames and passwords," the researchers said. The perimeter was finally breached when the attacker gained access through a default account commonly used in data backup solutions.
Within 24 hours of the initial compromise, data exfiltration and encryption were carried out to complete the ransomware attack.
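The initial-access pattern described above (a credential brute force from one source that eventually succeeds on a backup service account) is something a defender can hunt for in VPN or gateway authentication logs. The following Python sketch is an added example, not code from the article or from Group-IB's report; the log line format, the `BACKUP_ACCOUNTS` watchlist, the sample lines and the failure threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample authentication log lines (documentation IP ranges, invented accounts).
SAMPLE_LOG = """\
2024-06-01T02:00:01Z vpn-gw auth: user=jsmith src=203.0.113.10 result=FAIL
2024-06-01T02:00:02Z vpn-gw auth: user=admin src=203.0.113.10 result=FAIL
2024-06-01T02:00:03Z vpn-gw auth: user=backup src=203.0.113.10 result=FAIL
2024-06-01T02:00:04Z vpn-gw auth: user=backupsvc src=203.0.113.10 result=FAIL
2024-06-01T02:00:05Z vpn-gw auth: user=backup src=203.0.113.10 result=FAIL
2024-06-01T02:00:06Z vpn-gw auth: user=backup src=203.0.113.10 result=SUCCESS
2024-06-01T02:05:00Z vpn-gw auth: user=alice src=198.51.100.7 result=SUCCESS
"""

# Assumed log format: "<timestamp> <host> auth: user=<u> src=<ip> result=FAIL|SUCCESS".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>FAIL|SUCCESS)$"
)
# Assumed watchlist: default/service accounts used by backup software in this environment.
BACKUP_ACCOUNTS = {"backup", "backupsvc", "bkpadmin"}


def analyze(log_text, fail_threshold=3):
    """Return {src_ip: finding} for sources whose failures reach fail_threshold.

    A finding records how many attempts failed, how many distinct usernames were
    tried (spray indicator), which accounts later succeeded from the same source,
    and whether any of those successes landed on a backup/service account.
    """
    stats = defaultdict(lambda: {"fails": 0, "users": set(), "success_after_fail": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        s = stats[m["src"]]
        if m["result"] == "FAIL":
            s["fails"] += 1
            s["users"].add(m["user"])
        elif s["fails"] > 0:  # a success only matters if failures preceded it
            s["success_after_fail"].append(m["user"])
    findings = {}
    for src, s in stats.items():
        if s["fails"] < fail_threshold:
            continue
        findings[src] = {
            "failed_attempts": s["fails"],
            "distinct_users": len(s["users"]),
            "succeeded_as": s["success_after_fail"],
            "backup_account_hit": any(u in BACKUP_ACCOUNTS for u in s["success_after_fail"]),
        }
    return findings
```

On the sample lines, only 203.0.113.10 is flagged: five failures across four usernames followed by a success on `backup`, which is exactly the sequence worth alerting on.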
Specifically, it involved the weaponization of two known security flaws in Active Directory (aka noPac) and the Netlogon protocol (aka ) to seize control of the domain controller and conduct lateral movement across the network.
"The abuse of the above-mentioned vulnerabilities enabled the attacker to obtain complete privileged access to the domain controller, which is the nerve center of a Microsoft Windows-based infrastructure," the researchers said.
Once the reconnaissance operations were finished, "the intruder prepared the environment for the last phase of the attack." With the intention of forcing the victim to pay the ransom to get their data back, the attacker attempted to make all company data stored on the various NAS devices fully unintelligible, inaccessible, and impossible to recover.
Another notable feature of the attack is the use of PCHunter to stop and evade endpoint security measures, as well as FileZilla for data exfiltration.
The researchers said that the group's roots, its offensive procedures, and its overlapping characteristics with other groups confirm the existence of a vibrant cybercrime ecosystem.
"This environment thrives on the sharing, reusing, and rebranding of tools and source code, fueling a robust underground market where high-profile victims, notorious groups, and substantial sums of money play central roles."
The development comes as the security company detailed the inner workings of a "formidable RaaS operator" known as , shedding light on its onboarding process, its cross-platform ransomware arsenal for Windows, Linux, and ESXi environments, and its customized encryption modes.
An analysis of the ransomware's Windows and Linux versions shows that it resembles INC ransomware in some ways, suggesting that the threat actors likely obtained the latter's source code.
"Affiliates are incentivized with an 80% share of ransom proceeds, reflecting a competitive, recruitment-driven strategy," it said. "Lynx recently added multiple encryption modes: 'fast,' 'medium,' 'slow,' and 'entire,' giving affiliates the freedom to adjust the trade-off between speed and depth of file encryption."
According to the group's recruitment postings on underground forums, pentesters and skilled intrusion teams must undergo rigorous verification, underscoring Lynx's emphasis on operational security and quality control. Additionally, the group provides "call centers" for harassing victims and advanced storage options for affiliates who consistently produce profitable results.
Financially motivated attacks have also been reported in recent weeks using the (aka Trik) botnet malware, which was distributed via phishing emails to deliver the ransomware.
"Unlike the past LockBit ransomware incidents, the threat actors relied on Phorpiex to deliver and execute LockBit ransomware," Cybereason said in an analysis. This approach is unusual because the majority of ransomware deployments involve human operators carrying out the attack.
Another significant initial infection vector is unpatched VPN appliances (CVE-2021-20038), which can be exploited to reach internal network devices and hosts and ultimately deploy ransomware.
The attacks are also characterized by the use of Bring Your Own Vulnerable Driver (BYOVD) techniques to disable endpoint protection controls, as well as the use of tunneling tools to maintain persistence.
"After gaining access into the environment and performing reconnaissance, these tunneling tools are strategically deployed on critical network devices, including ESXi hosts, Windows hosts, VPN appliances, and network attached storage (NAS) devices," Sygnia researchers said.
The attackers use these devices to maintain access to, and orchestrate activity within, the compromised networks over robust and trustworthy communication channels.
The ransomware landscape, driven by both new and established threat actors, remains in flux, with attacks shifting from traditional encryption to data theft and extortion, even as victims become increasingly unwilling to pay, leading to a in 2024.
"These tactics now include large rewards incentivized by organizations like RansomHub and Akira," cybersecurity firm Huntress said.