Thursday , October 10 2024
coding

EXCLUSIVE
Analysis of 3 Ransomware Threats Active Right Now

Three emerging threats will be discussed below, along with how sandbox analysis can be utilized to detect them proactively.

Lockbit Ransomware:

CISA Warns of Critical Fortinet Flaw as Palo Alto and Cisco Issue Urgent Patches

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting Fortinet products to its...
Read More
CISA Warns of Critical Fortinet Flaw as Palo Alto and Cisco Issue Urgent Patches

Palo Alto Networks issues fix for security flaws, Including CVE-2024-9463

Palo Alto Networks released a security advisory (PAN-SA-2024-0010) about several high-severity vulnerabilities in its Expedition migration tool, with CVSS scores...
Read More
Palo Alto Networks issues fix for security flaws, Including CVE-2024-9463

Microsoft October 2024 Patch: 5 Zero-Days, 118 flaw

In its recent Patch Tuesday release, Microsoft fixed 118 vulnerabilities, including five zero-day flaws, two of which are currently being...
Read More
Microsoft October 2024 Patch: 5 Zero-Days, 118 flaw

BD CIRT alert
Lumma C2 malware attack Bangladeshi several websites

The Cyber Threat Intelligence (CTI) Unit at BGD e-GOV CIRT has discovered a malware campaign involving the Lumma Stealer family....
Read More
BD CIRT alert  Lumma C2 malware attack Bangladeshi several websites

Qualcomm Patched Multi Flaws, Including 0-day

Qualcomm's October 2024 Security Bulletin reveals critical vulnerabilities in several chipsets, including the popular Snapdragon mobile platforms and FastConnect solutions....
Read More
Qualcomm Patched Multi Flaws, Including 0-day

BD CIRT announce “Cyber Drill 2024”: Registration open

BGD e-GOV CIRT is excited to announce the Financial Institutions and Critical Information Infrastructure (CII) Cyber Drill 2024, designed for...
Read More
BD CIRT announce “Cyber Drill 2024”: Registration open

First Half Of 2024 Report
Bangladeshi 32.4% government websites face cyber attack: NAS report

National Attack Surface (NAS) report for the first half of 2024 reveals that 56.6% of cyberattacks in Bangladesh targeted educational...
Read More
First Half Of 2024 Report  Bangladeshi 32.4% government websites face cyber attack: NAS report

Prince Ransomware Hits UK and US

A new ransomware campaign is targeting individuals and organizations in the UK and US. The "Prince Ransomware" attack uses a...
Read More
Prince Ransomware Hits UK and US

CISA warns active exploit of Zimbra & Ivanti endpoint manager Vulns

CISA has issued an urgent alert about critical vulnerabilities being exploited in Synacor’s Zimbra Collaboration and Ivanti’s Endpoint Manager (EPM)....
Read More
CISA warns active exploit of Zimbra & Ivanti endpoint manager Vulns

A summary of “2024 State of Cybersecurity survey” by ISACA

ISACA 2024 survey report reveals that 66% of cybersecurity professionals find their jobs more stressful now than five years ago....
Read More
A summary of “2024 State of Cybersecurity survey” by ISACA

The Lockbit ransomware is a major cybersecurity threat that appeared in 2019. It works as Ransomware-as-a-Service (RaaS), where affiliates use its software to carry out attacks. The Royal Mail was one of its main targets, and the attackers demanded an exceptionally high ransom of $80 million.

Lockbit ransomware uses the AES encryption algorithm to encrypt files, and then it encrypts the AES key using the RSA algorithm. This double encryption makes it very difficult for victims to recover their data without the decryption key.

The Lockbit ransomware has consistently evolved, with the most recent version being Lockbit v3, also known as Lockbit Black.

Despite a coalition of law enforcement agencies dismantling its infrastructure in early 2024, Lockbit has now resumed its operations.

Detecting and Analyzing LockBit Black Ransomware in a Sandbox:

Lockbit Ransomware:The Lockbit ransomware is a major cybersecurity threat that appeared in 2019. It works as Ransomware-as-a-Service (RaaS), where affiliates use its software to carry out attacks. The Royal Mail was one of its main targets, and the attackers demanded an exceptionally high ransom of $80 million. Lockbit ransomware uses the AES encryption algorithm to encrypt files, and then it encrypts the AES key using the RSA algorithm. This double encryption makes it very difficult for victims to recover their data without the decryption key. Before encrypting the data, the malware steals all the information from the infected computers, increasing the extortion. The Lockbit group has a website where they list their victims. They pressure companies to pay a ransom. If the victims refuse, their stolen data is published. The Lockbit ransomware has consistently evolved, with the most recent version being Lockbit v3, also known as Lockbit Black. Despite a coalition of law enforcement agencies dismantling its infrastructure in early 2024, Lockbit has now resumed its operations. A recent attack involved sending phishing emails using the Phorpiex botnet. The malware was hidden in the email attachments. Detecting and Analyzing LockBit Black Ransomware in a Sandbox: To avoid a LockBit infection, we can proactively analyze all suspicious files, including email attachments, in a sandbox. As part of the analysis, we can observe: CMSTMLUA process that performs privilege escalation, allowing the ransomware to gain higher-level access to the system. The desktop wallpaper change is a common tactic ransomware operators use to notify victims of compromised systems. A ransom note file containing instructions and Tor URLs for communicating with the attackers. The sandbox provides a conclusive verdict, classifying the analyzed file as exhibiting malicious activity.
Analysis of the LockBit 3.0 ransomware in the ANY.RUN sandbox

To avoid a LockBit infection, we can proactively analyze all suspicious files, including email attachments, in a sandbox.

As part of the analysis, we can observe:

  • CMSTMLUA process that performs privilege escalation, allowing the ransomware to gain higher-level access to the system.
    The desktop wallpaper change is a common tactic ransomware operators use to notify victims of compromised systems.
    A ransom note file containing instructions and Tor URLs for communicating with the attackers.

The sandbox provides a conclusive verdict, classifying the analyzed file as exhibiting malicious activity.

Bluesky Ransomware:

The BlueSky ransomware, detected in Q2 of 2022, is still a major cybersecurity threat. It targets the Windows multithreading architecture to encrypt files faster. This harmful software uses advanced encryption techniques with the ChaCha20 algorithm. It can also spread to other devices on the same network.

After encrypting the files, the ransomware changes their names by adding the .bluesky extension. It also creates a ransom instruction file, instructing victims to pay a ransom by accessing a page on Tor.

Detecting and Analyzing BlueSky Ransomware in a Sandbox:

Despite BlueSky’s anti-analysis functionality, we can easily expose it by uploading its sample to a free malware sandbox like ANY.RUN, which offers a safe virtual environment for detonating it.

See this analysis session for more details.

Analysis of the Bluesky ransomware in the ANY.RUN sandbox

Analysis of the Bluesky ransomware in the ANY.RUN sandbox:

The service instantly detects the malware and notifies us about its presence by adding the corresponding tags “bluesky” and “ransomware”. It also lists the activities carried out by the program including:

File renaming.

Creation and dropping of a ransom note containing instructions on how to decrypt the locked files. Thanks to its interactivity, the sandbox lets us open this note manually and read its contents.

Analysis also reveals that the note contains a TOR network URL, which the victim is instructed to visit to make the ransom payment.

After analysis is complete, we receive a detailed report with all the important information gathered during the file execution, including indicators of compromise.

Beast Ransomware:

Beast ransomware, also known as Monster ransomware, emerged in March 2022. It is built on the Delphi programming language and has the ability to attack both Windows and Linux systems.

The malware doesn’t affect users in CIS countries, indicating that the creators might be from that region. The Beast ransomware uses a high-level encryption method and also archives the encrypted files.

The malware is mainly spread through email attachments and links, taking advantage of people’s vulnerability to phishing attacks. Despite being a new type of ransomware, Beast has the potential to become a serious and widespread threat, similar to LockBit.

Detecting and Analyzing Beast Ransomware in a Sandbox:

By running suspicious files and URLs in a sandbox, we can easily expose Beast and other malware.

Analysis of the Beast ransomware in ANY.RUN sandbox

Consider this analysis session.

Some of the Beast activities detected by the service include:

Installation of a mutex characteristic of the Beast malware.
Attempt to obtain the host’s IP address.
Connection to an external SMB server.

Analyze Suspicious Files and URLs in ANY.RUN

ANY.RUN sandbox allows you to interactively analyze malware. You can safely engage with files and links in a virtual environment to investigate the full extent of each threat.

The service finds and lists all activities in network traffic, registry, file system, and processes, and extracts signs of compromise.

Source: cybersecuritynews.com

Check Also

ransomware

Most ransomware attacks happen between 1 a.m. and 5 a.m.

Ransomware attacks have increased a lot in the past year. Cybercriminals are using different tactics, …

Leave a Reply

Your email address will not be published. Required fields are marked *