Ransomware Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Feed updated: Tue, 16 Jul 2024 16:11:47 +0000.

Donex, DarkRace, fake LockBit 3.0 and Muse Ransomware Decryptor Released
https://gridinsoft.com/blogs/donex-ransomware-decryptor-released/ (Mon, 08 Jul 2024 19:00:41 +0000)

The post Donex, DarkRace, fake LockBit 3.0 and Muse Ransomware Decryptor Released appeared first on Gridinsoft Blog.

A decryptor for the DoNex ransomware, also known under the names Muse, DarkRace and (fake) LockBit 3.0, has been released by Avast specialists. They used a flaw in the cipher, known to them for almost half a year, to help with decryption privately, and now make the decryptor tool available to everyone. This is yet another ransomware family that has become decryptable since the beginning of 2024.

Donex a.k.a. Muse/DarkRace/LockBit 3.0 Decryptor Released

On July 8, 2024, researchers from Avast Decoded published a decryptor tool for DoNex ransomware. This malware family has been active since April 2022, originally under the name “Muse ransomware”. In November of the same year, the operators started mimicking the LockBit 3.0 ransomware, following the leak of that infamous malware’s builder tool. About half a year later, the threat actor opted for the name DarkRace, which changed once again in March 2024 to DoNex ransomware. That March rebranding appears to be the last in the group’s existence, as no new samples have appeared since May of that year. And now all its victims can get their files back to normal without paying a cent.

For almost half a year, since March 2024, Avast had the decryptor on hand and used it without public disclosure. This allowed them to save money for quite a few companies that fell victim to the malware, while the hackers had no clue that something was going on. But now, a few months past the last sign of DoNex ransomware activity, they decided to make the decryptor public. A working decryption solution is possible at all only because of a flaw in the ransomware’s encryption mechanism.

Why didn’t they just make it public as soon as they discovered that flaw? Well, that would have given the hackers a clue about where exactly there has been a vulnerability, leading to it being patched, which would consequently render the decryptor useless. What cybercriminals have seen instead is a slow-but-steady decrease in the number of victims that have paid the ransom. And even though this may be a clue itself, there’s no guidance on where the issue is exactly.

How do I use the decryptor?

The program that the researchers released has a friendly interface that is easy to deal with even for an ordinary user. After downloading it from the developers’ website, one will see an interface with a detailed description of each step. The only requirement is to have a so-called file pair: the same file in its encrypted and “normal” state. This allows the tool to figure out the decryption key.

Avast decryptor for Donex

Once this key recovery is complete, the program will automatically proceed with the rest of the files. The time this takes depends on the number of files and, obviously, the system’s computing power. Unfortunately, there is no mass-decryption mode that would lift the encryption from an entire network, for example. Still, it is better than nothing, especially considering that the crooks are no longer active and will likely ignore even genuine attempts to pay or negotiate.


The decryptor for one more ransomware is yet another reason to emphasize: you should never pay the hackers. Sooner or later, there will be a solution that will manage to get your files back. For now, make your infrastructure protected and always have a backup stored in a reliable place.

How can an attacker execute malware through a script?
https://gridinsoft.com/blogs/script-based-malware/ (Wed, 19 Jun 2024 07:23:27 +0000)

Over the last four years, the share of script-based attacks among malware offenses worldwide has grown so drastically that it has raised alarm among security specialists and ordinary users alike. In this post, we shall look at script-based malware, assess its strengths and weaknesses, explain how the attacks happen, and suggest measures to maintain security in your workgroup.

What is Script Malicious Code?

To understand how someone can run a script-based attack on a computer, we must know what scripts are. They are sets of commands for a system to execute. Users employ them to automate processes that they would otherwise perform manually. Programmers and advanced users create scripts in scripting languages. Roughly speaking, those can be general-purpose (such as JavaScript, Python, and PHP) or OS-oriented (like PowerShell and AppleScript), and there are also special scripting languages for particular applications and environments.

PowerShell Window
PowerShell is a handy Windows automation tool and a suitable environment for script-based attacks.

Scripts are neither malicious files in themselves nor the main content of the files they inhabit. Instead, they are permitted components of those documents, legitimate and, in theory, beneficial to the user. Scripts are not compiled: they are interpreted and executed by the software environment ad hoc, without prior translation into machine code. For AppleScript, for example, such an environment is an Apple operating system. And for cross-platform JavaScript (when it is about building websites), any modern web browser can serve as the interpreting environment.

The script-based hacker attacks are cyber crimes that use scripts as a primary tool.

Malware Script Examples

Cross-Site Scripting (XSS) Attacks

XSS (Cross-Site Scripting) attacks can result in data theft, session hijacking, and unauthorized access to confidential information. They also jeopardize user trust, damage the reputation of web applications, and may lead to legal repercussions under data privacy regulations like GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act).

<p>User's comment: <script>alert('Malicious Script')</script></p>
<!-- This user input is not properly sanitized -->
<p>User's comment: <?php echo $_GET['comment']; ?></p>

Consider a website that allows users to submit their own content or post comments. In this scenario, an attacker has posted a comment containing a script that displays the text “Malicious Script”. This script was output directly, without proper sanitization or encoding, so it executes in other users’ browsers when viewed. As a result, any user reading the comment would see a pop-up saying Malicious Script, illustrating how attackers can execute scripts in the browsers of unsuspecting users. This highlights a serious vulnerability: the script used in the attack could be modified to execute more complex commands that could steal user data directly from the browser.

XML External Entity (XXE) Vulnerability

XXE, or XML External Entity attack, exploits vulnerabilities in applications that parse XML files. The issue arises when an application’s XML parser is configured insecurely, allowing it to dereference external entities declared within the XML file. If the application processes these entities during parsing, it could unintentionally leak sensitive data, disrupt services, perform unauthorized actions on the server, or access other parts of the system.

import xml.etree.ElementTree as ET
xml_data = """
<!DOCTYPE data [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>&xxe;</data>
"""
root = ET.fromstring(xml_data)

When the Python script runs and processes the XML document with the ElementTree library, it attempts to access the /etc/passwd file.
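As an added example (not code from the post), a gate that refuses untrusted XML carrying a DOCTYPE or ENTITY declaration before it reaches any parser; note that current CPython’s ElementTree does not expand external entities itself (it raises ParseError on &xxe;), so the check matters most in front of parsers that do, and as defence in depth. The sample documents are constructed.

```python
"""Added example (not from the original post): reject untrusted XML that
declares a DOCTYPE or entities before it ever reaches a parser."""
import re
import xml.etree.ElementTree as ET

# Either construct alone is enough to refuse the document: a DOCTYPE is where
# entity declarations live, and an ENTITY declaration is what XXE needs.
_DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
_ENTITY_RE = re.compile(r"<!ENTITY", re.IGNORECASE)


def check_untrusted_xml(text: str) -> None:
    """Raise ValueError if the document carries a DOCTYPE or ENTITY declaration."""
    if _DOCTYPE_RE.search(text):
        raise ValueError("DOCTYPE declarations are not accepted from untrusted input")
    if _ENTITY_RE.search(text):
        raise ValueError("ENTITY declarations are not accepted from untrusted input")


def parse_untrusted_xml(text: str) -> ET.Element:
    """Gate first, then parse with ElementTree."""
    check_untrusted_xml(text)
    return ET.fromstring(text)


def is_accepted(text: str) -> bool:
    """Convenience wrapper: True if the gate lets the document through."""
    try:
        check_untrusted_xml(text)
        return True
    except ValueError:
        return False


# Constructed inputs: the payload quoted in the post and a harmless document.
XXE_PAYLOAD = """
<!DOCTYPE data [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>&xxe;</data>
"""
BENIGN_XML = "<data><item id='1'>ok</item></data>"

if __name__ == "__main__":
    print("benign accepted:", is_accepted(BENIGN_XML))    # True
    print("payload accepted:", is_accepted(XXE_PAYLOAD))  # False
    print(parse_untrusted_xml(BENIGN_XML)[0].text)          # ok
```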

SQL Injection

SQL injection is a prevalent cybersecurity risk where attackers can alter a web application’s database by inserting harmful SQL code into its input fields. These fields can include any data entry areas on a website, like web forms or URLs. When successful, SQL injection attacks allow attackers to access and manipulate databases, which could lead to the exposure of sensitive information.

user_input = input("Enter your username: ")
sql_query = "SELECT * FROM users WHERE username = '" + user_input + "'"
cursor.execute(sql_query)

In this scenario, user input is directly incorporated into the SQL query string. If an attacker provides harmful input, they might alter the SQL query, potentially obtaining unauthorized access to the database.
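The following added example (not code from the post) puts the two defects described above, the unescaped comment from the XSS section and the concatenated SQL query from this section, next to their fixes in one small comment board. The SQLite in-memory database and its two users are constructed for the demonstration.

```python
"""Added example (not from the original post): a minimal comment board that
shows the two defects described above side by side with their fixes.

Assumptions (not from the page): an in-memory SQLite database and a
constructed set of users."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users(username TEXT, role TEXT);
        INSERT INTO users VALUES ('alice', 'admin'), ('bob', 'user');
        """
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, user_input: str) -> list:
    """Mirrors the post's snippet: input is concatenated into the SQL string,
    so a quote in the input changes the structure of the query."""
    sql_query = "SELECT username FROM users WHERE username = '" + user_input + "'"
    return [row[0] for row in conn.execute(sql_query)]


def find_user_safe(conn: sqlite3.Connection, user_input: str) -> list:
    """Parameterised query: the driver passes the value separately from the
    statement, so the input is only ever compared as data."""
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username = ?", (user_input,))]


def render_comment_vulnerable(body: str) -> str:
    """Mirrors the PHP line in the post: raw input is echoed into the page."""
    return "<p>User's comment: " + body + "</p>"


def render_comment_safe(body: str) -> str:
    """Output encoding: html.escape turns <, >, &, and quotes into entities,
    so the browser shows the comment's text instead of running it."""
    return "<p>User's comment: " + html.escape(body, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    # Classic quote-breaking input that turns the WHERE clause into a tautology.
    crafted = "nobody' OR '1'='1"
    print(find_user_vulnerable(conn, crafted))   # every user comes back
    print(find_user_safe(conn, crafted))         # nothing matches
    print(render_comment_safe("<script>alert('Malicious Script')</script>"))
```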

What is so worrying about script-based attacks?

First of all, scripts are not files, as we already mentioned. Antivirus programs have a hard time detecting them, or better to say: they are useless against scripts. It is so because modern security software focuses on detecting and removing malicious files. Thus, in the case of script-based attacks, we are dealing with ghostly malware, invisible to antivirus programs.

Another important point is that scripts are generally hard to detect. They exist in primary memory, soon to be overwritten or erased. It is possible to find the origin of a script if the criminals carelessly leave traces, but why would they do that?

How can an attacker execute malware through a script?

Let’s make it clear: we are not talking about malicious scripts tied to websites (Cross-Site Scripting), which are more or less studied and covered by browser and antivirus security systems. Files fitted with simple yet treacherous scripts constitute a new problem. These are the files whose formats antivirus software lets through by default, not regarded as dangerous: PDF, Word, e-books, HTML applications, and others.

The simple JavaScript code usually embedded in files like these can add practical functions, like making PDF documents signable or providing a fillable questionnaire. But a script can have a malicious purpose as well. In a script-based attack, it will most likely be a set of commands to download other malware that does the real harm. Ransomware, for instance, is the most lucrative type of attack for hackers. The crooks only need the user to open a file to run the script or, in some cases, to enable macros for it.

Disabled Macros in Word
RED FLAG: a downloaded document asks you to enable macros in MS Office.

Script-stuffed files can also be downloads you trust because they appear to update programs you already have, or so you believe. These can be plug-ins, add-ons, and so on. Yes, the UAC will ask whether you want to download this file, but this always happens, and we tend to ignore such warnings. If the criminals manage to cheat you, consider that they have also cheated your security software. By the way, various untrustworthy PDF readers and their plug-ins are among the most dangerous programs in terms of script-based attack risk.

The script-based attacks mostly endanger Windows systems by exploiting vulnerabilities of Command Prompt and PowerShell, the in-built automation tools. However, neither Android, iOS nor even Linux is safe.

How to protect yourself and your workgroup?

The weakness of script-based malware is that it has to be run by the user. Therefore, the best protection is to be cautious and avoid unknown downloads. Remember that PDF, Word, and other data files can contain a malicious script. These bogus files are most likely to arrive via e-mail or messengers in letters seemingly sent by someone you trust, usually service-providing organizations. Be especially wary of notices from delivery companies like FedEx. Since an unexpected parcel is quite believable, hackers often use this disguise for their phishing mail. Before downloading any attachments from suspicious senders, triple-check the source and the message itself. If you are attentive enough, you will find a mistake in the address line, your name, or the text itself.

Email with a PDF attachment
Watch out for dubious e-mails with enclosed PDF files, Word documents, HTML application, etc.

In workgroups, it makes sense to separate the computers that need to run scripts from those that can do without them. The former should maintain extreme vigilance and preferably deploy antivirus software with a zero-trust policy, which at the moment means Windows 11 Defender. It has many issues, but it seriously jeopardizes the plans of malefactors who go in for script-based attacks.

Script-fitted files can spread rapidly across the compromised network using the same vulnerabilities in Windows components they use to deliver their malicious payload. General security measures, such as file backups and network segmentation, are also a must to minimize the destructive effect of any successful cyber-attack.

How to detect script-based malware?

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Trojan:Win32/Cerber
https://gridinsoft.com/blogs/trojan-win32-cerber/ (Sat, 15 Jun 2024 07:00:53 +0000)

Trojan:Win32/Cerber is a detection name that Microsoft Defender uses to flag ransomware. Its name was once associated with a specific malware family, but as it ceased its activity, this name has been used for a wide range of ransomware samples. It is common to see this malware type in attacks on corporations, though all of them are able to harm individuals to the same degree.

Trojan:Win32/Cerber Overview

Trojan:Win32/Cerber is an older type of malware classified as ransomware. It first appeared in 2016 and quickly became one of the most common ransomware families. Cerber encrypts files on the infected computer and demands a ransom (usually in Bitcoin) for the decryption key. The main distribution method of this malware is phishing emails, but it is also common to see its loader hidden in pirated software.

Trojan:Win32/Cerber detection screenshot
Trojan:Win32/Cerber detection

As I’ve mentioned in the introduction, the detection name Trojan:Win32/Cerber was once referring to a specific ransomware family, Cerber. But after it stopped its activity in 2018, Microsoft started using its name for similar ransomware samples. Usually, those are some small-batch ransomware families that share code similarities with Cerber (or possibly are its direct descendants).

After infecting a victim’s PC, Win32/Cerber performs some basic checks and begins encrypting data. The malware appends a custom extension that differs from one sample to another; examples include .cerber, .ba99, .98a0, .a37b, .a563 and .beef. After finishing the encryption, it drops a ransom note demanding payment from the victim.

One unusual tactic that I’ve seen in Trojan:Win32/Cerber is the use of a voice notification. After the encryption process is complete, each folder with encrypted data contains a ransom note titled #DECRYPT MY FILES#.txt. Additionally, these folders include #DECRYPT MY FILES#.html and #DECRYPT MY FILES#.vbs files. The latter contains a VBScript that, when executed, states the following:

“Attention. Attention. Attention. Your documents, photos, databases and other important files have been encrypted!”

Technical Analysis

Let’s examine how Trojan:Win32/Cerber behaves using a real-world example. As a sample, let’s take one representative of this malware family. This file masquerades as an IObit utility, and even has all its file metadata fields filled with correct-looking information.

Cerber Signature info screenshot
Cerber Signature info on the VirusTotal

Upon infiltrating the system, the malware performs specific checks to ensure it’s not running in a virtual environment. The next step involves checking the location of the current system to avoid infecting specific regions.

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\WMIC.exe
\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\System

To place its files, the Cerber Trojan uses system temporary folders, particularly AppData\Local\Temp. Upon execution, the malware creates a copy of itself in that folder and points all persistence hooks at this file. Then the original sample deletes itself, covering its tracks, and requests a system reboot. This looks like a fairly natural maneuver, considering that the cover for the reviewed sample is a system tuning utility.

Execution

After conducting its checks, the malware begins its primary task: encrypting data. It utilizes legitimate Windows tools, such as the command prompt, to automate actions and conceal traces. It performs the following processes:

C:\Users\\AppData\Local\Temp\Ahpdate.exe
C:\Windows\System32\taskkill.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\System32\schtasks.exe

The first command executes the executable file located in the temporary folder. Then, there are system commands aimed at terminating active processes (such as antivirus software), adding the malware to the Windows scheduler, and initiating certain functions.

Like any ransomware, Cerber invariably deletes shadow copies. This is done to maximize the difficulty of file restoration. To achieve this, the malware executes the following commands:

IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ShadowCopy
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbem\wmic.exe shadowcopy delete

In short, Cerber requests access to all objects from the Win32_ShadowCopy class (information about all existing shadow copies) and then proceeds to delete them.

Is Trojan:Win32/Cerber False Positive?

In most cases, such detections are true positives, but there are rare instances when Trojan:Win32/Cerber may be a false positive. Surprisingly, this flag pops up on game files installed via Steam or other official platforms. This may happen because a fragment of the file’s code coincides with a signature of typical malware. Typically, when this happens with a legitimate file, updating the signature databases to the latest version resolves the issue.

Trojan:win32.Cerber False Positive
Sometimes Trojan:win32.Cerber may be a False Positive Detection

However, for mods, add-ons, and game hacks, the situation is different: the likelihood of getting a Trojan:Win32/Cerber detection is much higher. While the first two are developed by third-party developers and may be distributed through third-party websites, the last one is generally illegal. Embedding malware into hacks, cheats, and game cracks is a common practice among malicious actors.

How To Remove Trojan:Win32/Cerber?

To completely remove Trojan:Win32/Cerber, it is essential to use an advanced anti-malware solution. More importantly, security software should neutralize ransomware at the download stage; otherwise, it will carry out its irreversible actions. I recommend GridinSoft Anti-Malware because its engine detects most threats, and its Internet Security module blocks potentially malicious websites, significantly reducing the attack surface.


New Embargo Ransomware Discovered, Possible ALPHV Reborn
https://gridinsoft.com/blogs/new-embargo-ransomware-discovered/ (Tue, 28 May 2024 10:42:54 +0000)

A new strain of ransomware named Embargo, written in Rust, recently surfaced along with its Darknet infrastructure. It uses double extortion tactics and is strongly reminiscent of the recently seized ALPHV group. The newcomer gang already boasts 4 victims from different countries.

Embargo Ransomware Discovered, Coded in Rust

In May 2024, cybersecurity researchers discovered a new ransomware group called Embargo. Its malware is written in Rust, a language known for its security and parallelism capabilities. Embargo encrypts quickly, using ChaCha20 and Curve25519 to lock victims’ files, which makes recovery without paying a ransom nearly impossible. After encryption, the ransomware adds a random 6-symbol extension to the encrypted files. The variants discovered so far used the .564ba1 string, though it will likely change in future. The use of Rust reflects the growing trend of adopting modern languages to bypass traditional security solutions.

Encrypted files screenshot
Files, encrypted by Embargo Ransomware

The creators of Embargo use the now-classic double extortion method: they first demand a ransom to unlock the encrypted files, and after that payment they threaten to publish the stolen sensitive data online unless the victim pays a second time, “for silence”. The average ransom demanded by Embargo is around $1 million (15 BTC).

Attack vector and infection process

Typically, the attack starts with phishing emails containing malicious attachments or links. After the user clicks on them, the payload is downloaded and executed on the victim’s system. At run time, Embargo looks for specific instructions that control its actions. It targets the directories R:\backups\, \\files01\finance and \\10.0.3.2\D$\Accounting, creates a unique mutex identifier, and clears the recycle bin to prevent file recovery.

Additionally, it disables Windows recovery options with the command C:\Windows\System32\cmd.exe /q /c bcdedit /set {default} recoveryenabled no, stops specific running processes and system services, and identifies all connected drives and network resources in order to encrypt the files on them. Embargo uses strong encryption, ChaCha20 and Curve25519, to lock files, and leaves a ransom note named HOW_TO_RECOVER_FILES.txt in each folder it encrypts. The files thus become inaccessible without a decryption key, which the threat actors offer in exchange for a ransom payment.
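Both Embargo (bcdedit ... recoveryenabled no, above) and Cerber (wmic.exe shadowcopy delete, in the earlier post) cripple recovery before encrypting. The following is an added example, not code from either post, that flags such command lines in process-creation logs; the log line format, the sample lines and the extra vssadmin/wbadmin rules are assumptions of the example.

```python
"""Added example (not from the original posts): flag process command lines that
inhibit system recovery, the step both Cerber (wmic shadowcopy delete) and
Embargo (bcdedit ... recoveryenabled no) perform before encrypting."""
import re
from typing import List, Optional, Tuple

# Each rule: a name and a regex matched against the normalised command line.
# The vssadmin/wbadmin rules are added by this example, not taken from the posts.
RECOVERY_INHIBIT_RULES = [
    ("shadowcopy_delete_wmic",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("shadowcopy_delete_vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("recovery_disabled_bcdedit",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b")),
    ("backup_catalog_delete_wbadmin",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
]


def normalise(cmdline: str) -> str:
    """Lower-case, strip double quotes and collapse whitespace so that quoting
    and spacing tricks do not defeat the patterns."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip().lower()


def classify(cmdline: str) -> Optional[str]:
    """Return the name of the first matching rule, or None if the line is clean."""
    norm = normalise(cmdline)
    for name, pattern in RECOVERY_INHIBIT_RULES:
        if pattern.search(norm):
            return name
    return None


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Parse constructed process-creation lines and return (pid, rule) hits.
    Line format assumed by this example: 'pid=<n> image=<path> cmd=<line>'."""
    hits: List[Tuple[int, str]] = []
    for line in lines:
        m = re.match(r"pid=(\d+)\s+image=(\S+)\s+cmd=(.*)$", line)
        if not m:
            continue  # not a process-creation record; ignore
        rule = classify(m.group(3))
        if rule:
            hits.append((int(m.group(1)), rule))
    return hits


# Constructed sample lines; the two malicious commands are the ones quoted in the posts.
SAMPLE_LOG = [
    "pid=1201 image=C:\\Windows\\System32\\svchost.exe cmd=svchost.exe -k DcomLaunch -p",
    "pid=2288 image=C:\\Windows\\System32\\wbem\\wmic.exe cmd=wmic.exe shadowcopy delete",
    "pid=2301 image=C:\\Windows\\System32\\cmd.exe cmd=cmd.exe /q /c bcdedit /set {default} recoveryenabled no",
    "pid=2344 image=C:\\Windows\\System32\\wbem\\wmic.exe cmd=wmic.exe os get caption",
    "pid=2350 image=C:\\Windows\\System32\\vssadmin.exe cmd=vssadmin.exe list shadows",
]

if __name__ == "__main__":
    for pid, rule in scan_log(SAMPLE_LOG):
        print(f"ALERT pid={pid} rule={rule}")
```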

ALPHV/BlackCat similarities

One of the most notable aspects of Embargo is its operational similarity to ALPHV/BlackCat, the notorious ransomware group that recently ceased operations in what looked like an exit scam. Analysts note several things in common that may point to this malware being a reborn variant of ALPHV ransomware.

  • Codebase and infrastructure. A detailed analysis of Embargo’s code revealed similarities with ALPHV/BlackCat’s code solutions. In particular, it resembles a test sample of ALPHV ransomware written in Rust that the hackers released back in 2022. The new sample, although visually different, repeats the structure and syntax of the older one.
  • Darknet site design. Like most ransomware groups, Embargo operates a Darknet site for negotiating and leaking data. The design of this page, however, is strikingly similar to what the BlackCat gang used to have. Evidence of copying is also present in the HTML code of the page.

New Red Ransomware Group Discovered
https://gridinsoft.com/blogs/red-ransomware-discovered/ (Mon, 29 Apr 2024 15:05:23 +0000)

In March 2024, threat analysts detected a new ransomware group called Red Ransomware. The group, which began its activities during the waning days of prominent groups such as LockBit and ALPHV, has quickly established a presence in cyberspace.

Who is Red Ransomware?

Red Ransomware, also known as Red CryptoApp, first revealed itself on March 5, 2024, immediately drawing attention to its activities by publishing the data of 11 victims on a Darknet leak site it calls the “Wall of Shame”. The original research reveals the use of classic extortion techniques combined with modern technological approaches, including AI for negotiation. The group shows a high degree of premeditation by publishing the data of all victims at the same time, most likely to increase psychological pressure on future targets.

Red Ransomware Wall of Shame
Wall of Shame with 11 victims
(All victim data is stored in a “Dataprojects” folder archived in ZIP format along with each victim’s name.)

The ransom note used by the Red CryptoApp group:

Ransom note used by the Red CryptoApp

Victims of Red Ransomware

The profile of Red Ransomware victims shows that the group selects targets from specific sectors and countries, suggesting a deliberate target selection strategy. The main victims are businesses from the United States, from a wide range of economic sectors, including education and legal services. Aside from US companies, the hackers also listed victims from Canada, Singapore, Mexico, Spain, Italy, India, and Denmark.

Victims of Red Ransomware

How does Red Ransomware work?

The Red Ransomware group uses a number of techniques to break into and control targeted systems. Each attack is a serious threat to organizations in various industries.

Initial Access

Red Ransomware begins its attack by infecting systems through phishing emails or by exploiting vulnerabilities in software. All user files get a new extension, .REDCryptoApp, and cannot be accessed without a special key. Imagine that in an instant all your data is encrypted and inaccessible.

Target audience

Red Ransomware covers a wide range of targets, including countries such as the United States, Canada, Singapore, Mexico, Spain, Italy, India and Denmark. So far, information technology, legal services, hospitality, transportation, manufacturing, education, electronics, and retail are the main targets. This suggests that the group selects victims where the maximum financial gain can be achieved.

Victim negotiation

To contact victims, a unique URL on the TOR network is provided for ransom negotiations. The communication interface is well designed. There is a login panel where victims enter a unique hash code to access a chat window for negotiation, and as a confirmation step you have to solve a captcha to get through to the chat.

Victim negotiation
Login panel

Use of AI

Communicating with the group is like talking to a well-tuned bot. Apparently, they are using AI to automate communication, which allows them to hold dialogues with multiple victims at the same time.

AI-generated messages
AI Content Identifier

Hunt Ransomware (bughunt@keemail.me)
https://gridinsoft.com/blogs/hunt-ransomware/ (Sat, 06 Apr 2024 15:15:00 +0000)

    Hunt ransomware is a new sample of the Dharma/CrySis ransomware family that appeared on April 5, 2024. This malware aims at encrypting files and demanding a ransom payment for their decryption. It indiscriminately targets both home users and corporations, adjusting the ransom depending on the target. Jakub Kroustek was the first to discover this malware.

    Ransomware remains a major threat, attacking both organizations and individuals. GridinSoft Anti-Malware provides excellent protection even against the most modern malware samples. 👉🏼 Get yourself proper ransomware protection

    What is Hunt Ransomware (bughunt@keemail.me)?

    As I’ve said in the introduction, Hunt is a new sample of the Dharma ransomware family, and as its member, it follows the family’s behavior patterns. The most noticeable one for the victim is the complex extension appended to files, which contains the victim’s ID, the contact email (bughunt@keemail[.]me) and the .hunt extension itself. After encryption, the files look like this:

    image.png → image.png.id-C3B22A85.[bughunt@keemail.me].hunt
    document.docx → document.docx.id-C3B22A85.[bughunt@keemail.me].hunt

    [Image: Encrypted files after the Hunt ransomware attack]

    Hunt ransomware goes through all of the user’s disks, searching for files it can encrypt. It is capable of encrypting the vast majority of file types, from images and videos to project files of specific software suites. However, this malware carefully avoids system files, probably to prevent malfunctions that could force the user into reinstalling the system.

    Before applying the encryption, this malware disables built-in Windows recovery options, such as Restore Points and Shadow Copies. They could be used to revert the system to its pre-encryption state, so this step is expected. Hunt ransomware uses the command below to accomplish this.

    vssadmin delete shadows /all /quiet
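    Detection logic for that command, as an added example written for this article (it is not from the report or from any Gridinsoft product). It runs over a constructed export of process-creation events in an assumed pipe-delimited layout (timestamp|event ID|user|image|command line) and goes beyond the single vssadmin line quoted above by also flagging the other well-known commands ransomware uses to remove recovery options.

```python
import re
from typing import Dict, List, Tuple

# Each entry: (label, pattern). The vssadmin line is the one quoted in the
# article; the wmic, wbadmin and bcdedit forms are other widely documented ways
# to the same end and are included as a generalization.
BACKUP_TAMPER_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_delete_backups",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\b(?:catalog|systemstatebackup)\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'ts|event_id|user|image|command_line' record.

    The command line is the last field and may itself contain '|', so the
    line is split at most four times."""
    ts, event_id, user, image, cmdline = line.split("|", 4)
    return {"ts": ts, "event_id": event_id, "user": user, "image": image, "command_line": cmdline}


def classify_command(cmdline: str) -> List[str]:
    """Return the labels of every backup-tampering pattern the command line matches."""
    return [label for label, rx in BACKUP_TAMPER_PATTERNS if rx.search(cmdline)]


def find_backup_tampering(lines: List[str]) -> List[Dict[str, object]]:
    """Scan process-creation records and return one alert per matching command."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_event(line)
        hits = classify_command(rec["command_line"])
        if hits:
            alerts.append({
                "ts": rec["ts"],
                "user": rec["user"],
                "image": rec["image"],
                "command_line": rec["command_line"],
                "techniques": hits,
            })
    return alerts


# Constructed sample export (not real telemetry); event ID 1 stands for a
# process-creation record such as Sysmon's. Listing shadows is benign and must
# not fire; deleting them must.
SAMPLE_EVENTS = [
    r"2024-04-05T10:40:00Z|1|NT AUTHORITY\SYSTEM|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs",
    r"2024-04-05T10:58:01Z|1|WS01\alice|C:\Windows\System32\vssadmin.exe|vssadmin list shadows",
    r"2024-04-05T11:02:13Z|1|WS01\alice|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet",
    r"2024-04-05T11:02:14Z|1|WS01\alice|C:\Windows\System32\cmd.exe|cmd.exe /c wmic shadowcopy delete",
]

if __name__ == "__main__":
    for alert in find_backup_tampering(SAMPLE_EVENTS):
        print(alert["ts"], alert["user"], alert["techniques"], alert["command_line"])
```

    The patterns match on the command line rather than the image path on purpose: the same command run through cmd.exe or PowerShell still carries the tell-tale words, while the parent image varies. In a real deployment this rule belongs on the endpoint telemetry feed with an alert severity high enough to page someone, since a shadow-copy deletion from a user session is almost always the last step before encryption starts.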

    After finishing the encryption (i.e. when it can’t find any more unencrypted files), Hunt ransomware creates a text file with a ransom note. It also opens an HTA file with more detailed information about what has happened and instructions for the ransom payment. You can see an example of this pop-up window below.

    [Image: Dharma pop-up message]

    How to Decrypt .hunt Files?

    There is no dedicated decryption utility for Hunt ransomware available at the moment. This malware uses strong encryption algorithms, so brute-forcing the key is not a realistic option. However, not everything is lost: tools that exploit flaws in the encryption implementation may appear, or law enforcement may take the ransomware down and release the decryption keys. During the first quarter of 2024, several decryption tools were released, so the chances are not that slim.

    For now, I can advise you to seek backups outside of the infected system. Cloud storage may hold copies of the files this malware damaged in the attack. Social media, email conversations and messengers may contain the originals of the files, too. Even if they do not include the latest changes, it is better than nothing.

    How to Remove Ransomware?

    To get rid of the ransomware, I recommend using GridinSoft Anti-Malware. This step is critically important before any attempt to recover the files: while the malware remains active, it will instantly encrypt the restored files. To prevent this and get rid of the infection, run a Full Scan with the GridinSoft program and clean all the detected malicious programs.

    UnitedHealth Hack Leaks 6 TB of User Data
    https://gridinsoft.com/blogs/unitedhealth-hack-6tb-data-leak/
    Mon, 01 Apr 2024 19:29:11 +0000

    UnitedHealth Group, one of the largest providers of health insurance and health care services in the United States, suffered a cyberattack followed by a data breach. The company admitted that the personal data of millions of patients was “stolen” in the attack. This incident is already being called one of the largest in healthcare history. The total volume of data that the hackers managed to leak is estimated at 6 terabytes.

    UnitedHealth Hacked, Department Leaks Huge Amounts of Data

    In February 2024, UnitedHealth Group experienced a massive cyberattack that compromised the data security of Change Healthcare. This division of the corporation processes medical claims and payments. As a result, systems responsible for processing prescriptions, medical claims and electronic payments were affected. This caused major problems for healthcare providers, pharmacies and payment systems across the country.

    [Image: Application on the company’s website]

    UnitedHealth Group responded quickly to the incident. They announced their intention to work with law enforcement to investigate the attack and strengthen security measures to protect patient data. The company also began notifying affected customers and offered them free credit history monitoring and fraud protection services as a compensation.

    On Wednesday, UnitedHealth Group announced that it has made significant progress in restoring the core systems hit in the attack. In particular, the attack caused an outage during the company’s response and impacted more than 100 Change Healthcare IT products and services.

    Government Response

    The size of UnitedHealth and its importance to the national healthcare industry meant the government could not stay silent. The U.S. Department of Health and Human Services has opened an investigation into the incident for a violation of the Health Insurance Portability and Accountability Act (HIPAA). The investigation aims to determine whether a breach of patient protection occurred and whether the relevant legal requirements for confidentiality of information were met.

    [Image: U.S. Department of State announces a reward]

    BlackCat/ALPHV Claims Responsibility

    The ALPHV/BlackCat ransomware gang claimed responsibility for this attack earlier this year. The hackers announced that they were able to exfiltrate 6 terabytes of “highly selective data” regarding Change Healthcare customers. This covers a wide range of data relating to Tricare, Medicare, CVS Caremark, MetLife and other large organizations, which highlights the potential scale of the damage.

    [Image: ALPHV/BlackCat reveals details of the attack on UnitedHealth]

    According to their story, UnitedHealth Group paid a $22 million ransom for a decryption key and a promise not to distribute the stolen data. This is a forced measure, where a company pays huge sums to regain access to its own data and to prevent further dissemination of the stolen information. However, it remains an open question whether BlackCat actually received the full ransom amount as claimed, and what assurance there is that the data will not be distributed or used in the future.

    At the end of 2023, BlackCat’s infrastructure was seized in a coordinated law enforcement action, which severely disrupted the group’s operations for a period. Yet, as this attack shows, BlackCat continued operating in defiance of law enforcement efforts. The disruption definitely slowed them down, but did not stop the operation entirely.

    What did stop them was an exit scam that the group’s admins pulled in early March 2024. The hackers defrauded their partners, quitting the business with all of their affiliates’ money. The UnitedHealth subdivision appears to be one of their last targets, at least under this name. I expect them to resurface in one form or another.

    BianLian Exploits TeamCity Vulnerability to Deploy Backdoors
    https://gridinsoft.com/blogs/bianlian-exploits-teamcity-vulnerability/
    Tue, 12 Mar 2024 10:11:02 +0000

    BianLian, a group of cybercriminals known for their ransomware attacks, recently caught the attention of the information security community. By exploiting vulnerabilities in the JetBrains TeamCity platform, they managed to carry out multistage cyberattacks. Threat actors reportedly start their attack chain with a Golang-based backdoor, and work their way all the way to the ransomware payload.

    BianLian Exploits TeamCity vulnerabilities

    Recent research uncovered a new trend in BianLian’s modus operandi: the threat actors behind the ransomware have been observed exploiting security flaws in JetBrains TeamCity software to conduct their attacks. Leveraging known vulnerabilities such as CVE-2024-27198 or CVE-2023-42793, the attackers gained initial access to the environment, paving the way for further infiltration. By creating new users and executing malicious commands within the TeamCity infrastructure, they carried out post-exploitation maneuvers and lateral movement, expanding their foothold in the victim’s network.

    This is not the first case of TeamCity vulnerabilities being exploited. Consider reading our previous report on the CozyBear threat actor using a different set of security flaws in this software.

    Backdoor Deployment via PowerShell

    The original report from GuidePoint Security says that despite the initial success, BianLian fell back to a PowerShell version of their backdoor after Microsoft Defender unexpectedly detected the original one. Before switching to the PS backdoor, however, the hackers managed to deploy network reconnaissance tools and use them.

    The PowerShell version of the backdoor, obfuscated to hinder analysis, exhibited a multi-layered encryption scheme. Still, it was possible to understand what was going on and analyze the adversaries’ actions. The malware established a tunnel connection to the command server and waited for further instructions. While using PowerShell in cyberattacks is nothing unusual, an entire backdoor written in PowerShell that also incorporates heavy obfuscation is a new tactic.

    Functionality and Capabilities of Backdoor

    The PowerShell backdoor described above mainly aims at providing covert access to and control over compromised systems. The research summary lists several features of this malware to be aware of.

    The backdoor incorporates functionality to resolve IP addresses from the provided parameters and establishes TCP sockets for communication with remote command-and-control (C2) servers. This enables bidirectional data exchange between the compromised system and the attacker-controlled infrastructure. Here is the code recovered by the analysts:

    # Function to resolve a host name to an IP address (as recovered by the analysts)
    function cakest {
        param($Cakes_Param_1)
        # If the parameter already parses as an IP address, return it unchanged
        if ($Cakes_Param_1 -as [ipaddress]) {
            return $Cakes_Param_1
        } else {
            # Otherwise resolve the name through DNS and take the first address
            $Cakes_Resolved_IP = [System.Net.Dns]::GetHostAddresses($Cakes_Param_1)[0].IPAddressToString
        }
        return $Cakes_Resolved_IP
    }

    Leveraging asynchronous execution techniques, the backdoor optimizes performance and evades detection by utilizing Runspace Pools. This allows multiple PowerShell instances to run concurrently, enhancing operational efficiency during post-exploitation activities.

    Also, to secure its communication, the backdoor establishes SSL streams between the compromised system and the C2 servers, encrypting the data exchanged over the network. By employing encryption, the threat actors reduce the risk of interception and detection by network monitoring tools. Overall, the C2 communication is built around this code:

    function cookies {
        param (
            # Default IP in parameter = 127.0.0.1 (IPv4 encoded as a hex literal)
            [String]$Cookies_Param1 = "0x7F000001",
            # Default port
            [Int]$Cookies_Param2 = 1080,
            [Switch]$Cookies_Param3 = $false,
            [String]$Cookies_Param4 = "",
            [Int]$Cookies_Params = 200,
            [Int]$Cookies_Param6 = 0
        )
        # The function body (socket and SSL stream handling) is not reproduced in the report
    }

    Mimicking tactics observed in advanced malware, the backdoor validates SSL certificates presented by C2 servers, verifying the authenticity of remote endpoints. This authentication mechanism enhances the resilience of the communication channel against potential interception or infiltration attempts.
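    A script-block triage heuristic built from the capabilities listed above, added here as an example; it is not GuidePoint’s detection logic and contains no code from the backdoor. It assumes the script uses the standard .NET types for each capability (System.Net.Dns for resolution, TcpClient for the socket, SslStream, a certificate validation callback, a Runspace Pool), because those type names are what a defender would search for in PowerShell script block logs, and it decodes the hex-encoded default address seen in the parameter block. Both script samples it scans are constructed.

```python
import re
from typing import Dict, List

# One regex per capability the report attributes to the backdoor. The type
# names are the usual .NET classes for each capability (an assumption about
# how such scripts are written, not strings confirmed from the sample).
INDICATORS: Dict[str, re.Pattern] = {
    "dns_resolution":  re.compile(r"\[System\.Net\.Dns\]::GetHostAddresses", re.I),
    "tcp_socket":      re.compile(r"System\.Net\.Sockets\.TcpClient", re.I),
    "ssl_stream":      re.compile(r"System\.Net\.Security\.SslStream", re.I),
    "cert_validation": re.compile(r"(?:Server|Remote)CertificateValidationCallback", re.I),
    "runspace_pool":   re.compile(r"CreateRunspacePool|RunspacePool", re.I),
}

# A lone TcpClient or SslStream is common in admin scripts; it is the
# combination (socket + SSL + concurrency + validation) that marks the backdoor.
ALERT_THRESHOLD = 3


def decode_hex_ip(value: str) -> str:
    """Turn a hex-encoded IPv4 literal such as the default "0x7F000001" into dotted form."""
    n = int(value, 16)
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("not an IPv4 address: %s" % value)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def scan_script_block(text: str) -> Dict[str, object]:
    """Score one PowerShell script block (e.g. the text of an event 4104) by capability hits."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # Hex-encoded IPv4 literals used as defaults are worth surfacing to the analyst.
    hex_ips = [decode_hex_ip(h) for h in re.findall(r"\b0x[0-9A-Fa-f]{8}\b", text)]
    return {
        "hits": hits,
        "decoded_ips": hex_ips,
        "verdict": "suspicious" if len(hits) >= ALERT_THRESHOLD else "benign",
    }


def scan_many(blocks: Dict[str, str]) -> Dict[str, str]:
    """Verdict per script block name."""
    return {name: scan_script_block(text)["verdict"] for name, text in blocks.items()}


# Constructed samples (not the actual backdoor): a benign port check, and a
# fragment that carries only the class-name indicators plus the meaningless
# function names the article quotes.
SAMPLE_BLOCKS = {
    "port_check.ps1": (
        "$c = New-Object System.Net.Sockets.TcpClient\n"
        "$c.Connect('fileserver.corp.example', 445); $c.Close()\n"
    ),
    "suspicious.ps1": (
        "function cakest { param($p) [System.Net.Dns]::GetHostAddresses($p)[0].IPAddressToString }\n"
        "function cookies { param([String]$h = \"0x7F000001\", [Int]$port = 1080)\n"
        "  $pool = [runspacefactory]::CreateRunspacePool(1, 4)\n"
        "  $t = New-Object System.Net.Sockets.TcpClient\n"
        "  $s = New-Object System.Net.Security.SslStream($t.GetStream(), $false, $cb)\n"
        "  [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $cb }\n"
    ),
}

if __name__ == "__main__":
    for name, text in SAMPLE_BLOCKS.items():
        print(name, scan_script_block(text))
```

    The threshold is the design choice that keeps this usable: a single networking class in a script is routine on any Windows estate, so the rule scores capability categories rather than individual strings and only escalates when enough of them co-occur in one block. Obfuscated variable names, as in the recovered sample, do not defeat it, because the .NET type names cannot be renamed without breaking the script.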

    How to stay safe?

    The BianLian threat group continues to evolve, and in light of their recent attacks, it is important to take appropriate security measures. Fortunately, they are more or less the same even for protecting against high-profile cybercrime groups.

    • First and foremost, regularly update and patch externally facing applications. This mitigates known vulnerabilities that threat actors may exploit to infiltrate your systems.
    • Ensure your team is well-versed in incident response procedures. Every member should understand how to respond effectively to security incidents, and regular drills should be conducted to refine response strategies and minimize the impact of potential breaches.
    • Conduct penetration tests informed by threat intelligence to proactively identify and address weaknesses in your defenses. Such tests simulate attacks on your systems to uncover vulnerabilities that malicious actors could exploit; using threat intelligence to scope them lets you focus on the most impactful threats facing your organization.
    • Additionally, use advanced security solutions. EDR and XDR are a must when we talk about corporate-grade cybersecurity. They cover large networks of computers, orchestrating the response and detecting even sophisticated attacks like the one I’ve described above.

    ALPHV Ransomware Shut Down, Exit Scam Supposed
    https://gridinsoft.com/blogs/alphv-ransomware-shutdown-scam/
    Tue, 05 Mar 2024 17:55:42 +0000

    On March 5, 2024, ALPHV/BlackCat ransomware claimed its shutdown, “due to the FBI takeover”. Despite the actions from law enforcement really happening to this gang before, there are quite a few signs of this being a false claim. Analysts suppose that ALPHV admins are just trying to pull an exit scam.

    ALPHV/BlackCat Ransomware Shuts Down

    The story of the ALPHV self-shutdown in fact began when the gang’s leak blog went offline. While this is not a rare occurrence for Darknet pages, the rumors about the group’s admins scamming their affiliates out of $20 million are a far more unpleasant stain on its image.

    [Image: RAMP forum post about the BlackCat scam]

    On Monday, March 4, 2024, the gang’s negotiation sites went offline as well, meaning this is not just a coincidence. Finally, all the pages associated with the cybercrime group were defaced with the FBI banner. However, the banner appears to be just a saved copy from the real takedown, now put up using a Python server.

    [Image: FBI banner on the ALPHV site]

    So why can’t this be a real FBI takedown? The feds already did it once, and that earlier attempt ended in a rather laughable manner. It is not unusual for law enforcement to pay another visit, especially when we talk about a renowned group of thugs like ALPHV. But researchers say that the NCA, one of the key anti-cybercrime authorities in Europe, denies any responsibility for the recent events around BlackCat.

    Two other signs potentially indicate that ALPHV is going out of business. Their admin offers the ransomware source code for sale for a hefty $5 million, and the group’s Tox chat has had its status changed to “GG”. Neither of them necessarily means a shutdown, but this is rather unusual behavior for this ransomware gang. It looks especially fishy considering the feeble excuses coming from their administrators.

    Is it the end of BlackCat?

    Yes, BlackCat is most likely done at this point. Regardless of whose story is true, it will be rather hard to explain a comeback. Still, the FBI story is the least likely to be true, meaning that the threat actors are not detained, which eventually gives ALPHV a chance to return, just in a different form.

    It is a pretty common thing for ransomware gangs to morph into a different group after the dissolution of the original one. Either we will see this large group break up into a selection of smaller ones, or its rebirth under a different name but with a carbon-copied essence. Alternatively, the members will find themselves in a different ransomware group; experienced employees are highly valued in the cybercrime world, too.

    What is ALPHV/BlackCat?

    BlackCat a.k.a ALPHV is a ransomware group that appeared back in 2021. It primarily targets corporations, encrypting and stealing data from both Linux and Windows systems. Vast networks of affiliates, along with a rather daring selection of targets quickly propelled this ransomware to the top of the charts.

    Targeting large companies and asking for large sums of money inevitably made ALPHV a wanted target for law enforcement. Back in December 2023, a significant portion of its Darknet sites were seized by the FBI, a takedown the gang nonetheless reverted. Since then, the cybercrime group showed no sign of problems, until now.

    LockBit is Back With New Claims and Victims
    https://gridinsoft.com/blogs/lockbit-is-back/
    Sun, 25 Feb 2024 10:02:17 +0000

    The story around LockBit ransomware takedown on February 19 continues to unfold. After almost a week of downtime and silence, the infamous gang is back online on a new Onion domain, boasting new hacks. To top it all off, an infamous LockBitSupp released a lengthy statement about what happened and what’s next.

    LockBit Ransomware is Back After Law Enforcement Takedown

    Following the rough takedown of all the Darknet sites belonging to LockBit ransomware, the gang’s representatives were mostly silent until February 24, 2024. At around 21:00 GMT, the chief of the cybercrime gang released a long PGP-signed message with an explanation from the hackers’ point of view. In it, they describe the supposed way they were hacked and the future of LockBit. Spoiler: not a lot will change, except that LockBitSupp promises to be less lazy.

    [Image: PGP-signed message that LockBitSupp published on February 24]

    As for the way the law enforcement agencies managed to access the servers, a PHP vulnerability is named. CVE-2023-3824, discovered back in August 2023, allows remote code execution and received a CVSS rating of 9.8/10. That rating is well-deserved, considering how popular PHP is; LockBitSupp even supposes that other threat actors who were hacked recently suffered from this exact vulnerability.

    The hacker also supposes that the FBI could have had access to the network for quite some time. The reason why law enforcement decided to pull the trigger, according to him, is the publication of data leaked from the Fulton County court, specifically documents regarding Donald Trump’s court cases.

    Had it not been for the election situation, the FBI would have continued to sit on my server waiting for any leads to arrest me and my associates, but all you need to do to not get caught is just quality cryptocurrency laundering. The FBI can sit on your resources and also collect information useful for the FBI, but do not show the whole world that you are hacked…

    Why did it take 4 days to recover? Because I had to edit the source code for the latest version of PHP, as there was incompatibility.
    (LockBitSupp)

    LockBit Takedown Aftermath

    So, what do we see almost a week past the LockBit takedown? Law enforcement agencies dealt considerable damage to both the group’s image and its hardware. The amount of leaked information, including decryption keys and data stolen from companies’ networks, seriously cuts into the profits of the ransomware gang. And considering the arrests in Poland and Ukraine, the leaks were not only about operational information: personal data of malware operators was also exposed to some extent.

    However, this was barely enough to force the LockBit gang to stop. Sure, they are now starting from scratch, with only a few listings present on the reborn leak page. But they will carry on, taking past mistakes into account. The individuals captured in Eastern Europe are unlikely to be affiliates, more probably just server administrators or money mules. LockBit’s story keeps rolling, and I’m pretty sure they have a couple of aces up their sleeves.
