Halcyon Threat Insights 005: May 2024

Here are the key insights from the Halcyon Threat Research and Intelligence Team findings for May 2024 based on intelligence collected from our customer base. The evolving ransomware landscape continues to reveal intriguing trends when analyzed comprehensively.

Ransomware Prevented by Industry Vertical

Information Technology, Education and Finance were the most targeted industry verticals in May 2024:

• Information & Technology 33% (+2% mo/mo)
• Education 23% (-2% mo/mo)
• Finance & Insurance 15% (+6% mo/mo)
• State & Local Government 6% (-2% mo/mo)  
• Professional, Scientific & Technical Services 6% (+3% mo/mo)  
• Manufacturing 5% (-1.2% mo/mo)
• Healthcare & Pharmaceutical 4% (-2% mo/mo)  
• Arts, Entertainment & Recreation 3% (flat mo/mo)  
• Retail Trade 2% (-4% mo/mo)
• Other 2% (+1% mo/mo)  
• Transportation & Warehousing 1% (flat mo/mo)
• Accommodations & Food Services 0% (flat mo/mo)  
• Construction 0% (flat mo/mo)
• Mining 0% (-0.2% mo/mo)
• Utilities 0% (-0.6% mo/mo)

Threat Types by Category

Halcyon detected and blocked a wide variety of threats that were missed by other security layers in our client’s environments that are often precursors to the delivery of the ransomware payload.

Ransomware Precursors: Trojans

Halcyon detected an array of Trojans that may be precursors to ransomware payloads. It is important to understand that ransomware payloads are the tail-end of an attack, so it is critical to detect precursors prior to infection.  

Detecting and blocking trojan activity can prevent attackers from escalating privileges, moving laterally though the network, compromising user credential, exfiltrating sensitive data and more. Some of the trojans identified in April include: ‍

Trojan.agentb/gohive

Trojan:Win32/Agent.B are a Trojan family designed to redirect internet traffic to potentially malicious websites to establish command and control (C2), as well as for hooking and tampering with Windows-based applications, and it is often used as a dropper for other malware, ransomware payloads, and PUPs.

‍Trojan.foreign/trustezeb

The Trustezeb family of trojans (also known as Matsnu Trojan) is a malware/ransomware dropper often associated with banking trojans like Citadel and URLZone that is modular in design to provide additional functionalities, such as redirecting internet traffic to a potentially malicious URL and establishing command and control (C2) and can masquerade as other legitimate software. ‍

Trojan.razy/black

Razy is a malware family equipped with a browser extension that allows threat actors to commit click-fraud or steal cryptocurrency, download and install other malware/ransomware payloads. It has other functionalities like keystroke and website logging, as well as allowing remote access to the targeted device.

‍Trojan.hound/marte

Trojan.hound is a highly evasive and persistent family of spyware that can query process information on the targeted device by hooking API calls to collect user credentials and can install other hooks/patches in running processes. Ransomware operators may leverage it to enumerate files and directories or search specific locations of a host or network share to locate certain information for data exfiltration. ‍

Trojan.msil/krypt

Trojan.msil/krypt (or /crypt!tr) is family of spyware leveraged for establishing remote access to a targeted device for keylogging, reconnaissance, establishing command and control (C2), exfiltrating data, in performing denial-of-service (DoS) attacks, running or terminating processes, and as a dropper for other malware or ransomware payloads.

Ransomware: Payloads

Ransomware.phobos/crysis

Phobos ransomware emerged in 2017 and is assessed to be related to the earlier Dharma and CrySiS ransomware variants, as well as more recent Elking, Eight, Devos, BackMyData, and Faust ransomware variants. Phobos ransomware has been around for quite a while, but it is still actively being deployed against critical infrastructure targets. In February 2024 the FBI and CISA released a comprehensive alert detailing Phobos IOCs. Precursors to the detonation of the Phobos payload usually include the use of open-source tools like SmokeLoader, Cobalt Strike, and Bloodhound. ‍

Ransomware.lockbit/blackmatter

Prior to an international law enforcement task force takedown attempt in early 2024 dubbed Operation Cronos, LockBit was continuing to innovate their RaaS platform following the release of LockBit 3.0 in June of 2022 which incorporated elements of another ransomware family called BlackMatter. LockBit 3.0 is modular and configured with multiple execution options that direct the behavior of the ransomware on the affected systems. LockBit employs a custom Salsa20 algorithm to encrypt files. LockBit takes advantage of remote desktop protocol (RDP) exploitation for most infections, and spreads on the network by way of Group Policy Objects and PsExec using the Server Message Block (SMB) protocol. The latest versions incorporate advanced anti-analysis features and are a threat to both Windows and Linux systems.

‍Ransomware.basta/blackbasta

Black Basta continues to evolve their RaaS platform, with ransomware payloads that can infect systems running both Windows and Linux systems. Black Basta is particularly adept at exploiting vulnerabilities in VMware ESXi running on enterprise servers. Black Basta ransomware is written in C++ and can target both Windows and Linux systems, encrypts data with ChaCha20, and then the encryption key is encrypted with RSA-4096 for rapid encryption of the targeted network. In some cases, Black Basta leverages malware strains like Qakbot and exploits such as PrintNightmare during the infection process. Black Basta also abuses insecure Remote Desktop Protocol (RDP) deployments, one of the leading infection vectors for ransomware. ‍

Ransomware.akira/zusy

Akira operates a RaaS written in C++ that is capable of targeting both Windows and Linux systems, typically by exploiting credentials for VPNs. Akira modules will delete Windows Shadow Volume Copies leveraging PowerShell and are designed to encrypt a wide range of file types while avoiding Windows system files with .exe, .lnk, .dll, .msi, and .sys extensions. Akira also abuses legitimate LOLBins/COTS tools like PCHunter64, making detection more difficult. In July, a Linux variant for Akira was detected in the wild, and the group was also observed remotely exploiting a zero-day in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software (CVE-2023-20269) in brute force attacks since at least August. Akira has also been observed exploiting VMware ESXi vulnerabilities for lateral movement.

‍Ransomware.blacksuit/rents

BlackSuit is not a traditional Ransomware-as-a-Service (RaaS); it operates privately without known affiliates. It exhibits technical similarities to the Royal ransomware in its encryption mechanisms and operational tactics. Some sources believe BlackSuit may be a rebranding of Royal (which was a rebranding of Conti). BlackSuit operates with a high level of secrecy, keeping its developments and tactics closely guarded. Unlike many ransomware operations that rely on a network of affiliates, BlackSuit controls its operations tightly, which could be a strategic decision to maintain operational security and maximize profits.

Threat Actor Spotlight: INC Ransom

INC Ransom was first observed in the summer of 2023, and it is unclear if they maintain a RaaS affiliate operation or are a closed group.  

INC uses common TTPs such as leveraging compromised RDP (Remote Desktop Protocol) credentials to gain access and move laterally in a targeted environment.  

Initial infections have been observed via phishing and exploitation of a vulnerability in Citrix NetScaler (CVE-2023-3519). The group claims to be a “moral agent” and suggests that it is helping victims by exposing their weaknesses.

INC has been observed delivering ransomware using legitimate tools like WMIC and PSEXEC and uses other Living-off-the-Land (LOTL) techniques, abusing applications Including MSPaint, WordPad, NotePad, MS Internet Explorer, MS Windows Explorer, and AnyDesk for lateral movement.  

INC has also been observed abusing tools like Esentutl for reconnaissance and MegaSync for data exfiltration. INC is written in C++ and uses AES-128 in CTR mode to encrypt files, and it also has a Linux version.  

It is unclear if INC employs any advanced security tool evasion techniques, and there are indications that they may attempt to delete Volume Shadow Copies (VSS) to hinder encryption rollback attempts.

INC did not emerge until the second half of 2023, but they appear to be ramping up operations as they refine their code and attack sequences. INC instructs victims to log into a Tor portal with a unique user ID provided by the attackers. It is unclear what the average ransom demand is at this point.

INC practices double extortion and maintains a leaks site for double extortion, threatening to expose victims. INC has made good on threats to expose sensitive data if a target does not pay the ransom demand.

Notable victims include the Peruvian Army, NHS Scotland, Xerox, Trylon Corp, Ingo Money, BPG Partners Group, DM Civil, Nicole Miller INC., Pro Metals, Springfield Area Chamber of Commerce, US Federal Labor Relations Authority, Yamaha Philippines and more.

Learn more about the leading ransomware threat actors by consulting the Halcyon quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.