Severity
High
Analysis Summary
According to researchers, a new Russia-linked ransomware family tracked as RansomBoggs has been used in recent attacks against a number of Ukrainian organizations.
The attacks against various Ukrainian companies were first observed on November 21, 2022, according to the security firm that dubbed the new strain RansomBoggs.
“While the malware written in .NET is new, its deployment is similar to previous attacks attributed to Sandworm,” the company stated in a series of tweets on Friday.
Sandworm, also known as BlackEnergy and TeleBots, has been active since at least 2009 and is operated by GRU Unit 74455, the Russian military intelligence service’s Main Center for Special Technologies (GTsST).
In October 2022 Microsoft reported a similar campaign that hit companies in the logistics and transportation industries with a ransomware called Prestige; those attacks were likewise attributed to Sandworm.
The RansomBoggs code contains several references to the Pixar film Monsters, Inc. The ransom note, SullivanDecryptsYourFiles.txt, is written in the voice of the film’s main character, James P. Sullivan, and the executable is likewise named Sullivan.<version?>.exe.
The ransomware is deployed by a PowerShell script that researchers found to be “almost identical” to the one used in the Industroyer2 attacks on the energy industry that came to light in April 2022.
That script, tracked as POWERGAP, was used to deploy the CaddyWiper data wiper via a loader called ArguePatch, also known as AprilAxe.
RansomBoggs encrypts files with AES-256 in CBC mode and appends the .chsch extension to each encrypted file. The AES key is then encrypted with RSA and written to a file named aes.bin, so the key cannot be recovered from disk without the attacker’s RSA private key.
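To make the remediation step “search for IOCs in your environment” concrete for the file-system artifacts named above, the following hunting script is added here as an example; it is not code from the Rewterz alert or from the researchers who analysed the malware. It walks a directory tree for the .chsch extension, the SullivanDecryptsYourFiles.txt note, the aes.bin key blob and a Sullivan.<version?>.exe executable. The regular expression for the unknown version string, the RSA-ciphertext-size heuristic applied to aes.bin, and the sample tree the script scans are all assumptions or constructed test data, not indicators taken from the alert.

```python
"""Hunt for on-disk artifacts of the RansomBoggs scheme described above.

Added example, not code from Rewterz or from the researchers who analysed
the malware. Indicators come from the alert text:
  * encrypted files carry the ".chsch" extension
  * the ransom note is "SullivanDecryptsYourFiles.txt"
  * the RSA-encrypted AES key is written to "aes.bin"
  * the executable is named Sullivan.<version?>.exe (version string unknown)
"""
import os
import re
import tempfile

RANSOM_NOTE = "sullivandecryptsyourfiles.txt"
KEY_FILE = "aes.bin"
ENCRYPTED_EXT = ".chsch"
# Assumption: the unknown <version?> part is one or more characters between
# "Sullivan." and ".exe", e.g. "Sullivan.1.0.exe". Not from the alert.
EXE_PATTERN = re.compile(r"^sullivan\..+\.exe$", re.IGNORECASE)
# Assumption: a raw RSA ciphertext is exactly one modulus wide, so aes.bin
# should be 128/256/384/512 bytes for RSA-1024/2048/3072/4096. The alert does
# not state the key size; this is a plausibility heuristic only.
RSA_BLOB_SIZES = {128, 256, 384, 512}


def classify(name):
    """Map a file name to an indicator label, or None if it matches nothing."""
    lower = name.lower()
    if lower == RANSOM_NOTE:
        return "ransom_note"
    if lower == KEY_FILE:
        return "wrapped_key"
    if lower.endswith(ENCRYPTED_EXT):
        return "encrypted_file"
    if EXE_PATTERN.match(lower):
        return "payload"
    return None


def key_blob_plausible(path):
    """True if aes.bin has the length of an RSA ciphertext (heuristic, see above)."""
    return os.path.getsize(path) in RSA_BLOB_SIZES


def hunt(root):
    """Walk `root`; return {label: sorted list of matching paths}."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            label = classify(fn)
            if label is None:
                continue
            path = os.path.join(dirpath, fn)
            if label == "wrapped_key" and not key_blob_plausible(path):
                label = "wrapped_key_unusual_size"
            hits.setdefault(label, []).append(path)
    return {k: sorted(v) for k, v in hits.items()}


def verdict(hits):
    """'encrypted' if .chsch files plus a note/key/payload are present, 'suspicious' for a partial match."""
    has_enc = "encrypted_file" in hits
    has_side = any(k in hits for k in ("ransom_note", "wrapped_key", "wrapped_key_unusual_size", "payload"))
    if has_enc and has_side:
        return "encrypted"
    if has_enc or has_side:
        return "suspicious"
    return "clean"


def build_sample_tree(root):
    """Constructed test data, not real artifacts: benign files plus planted indicators."""
    docs = os.path.join(root, "Users", "alice", "Documents")
    os.makedirs(docs)
    for name, data in [
        ("budget.xlsx", b"benign"),
        ("report.docx.chsch", b"\x00" * 64),         # "encrypted" document
        ("photo.jpg.chsch", b"\x00" * 64),           # "encrypted" image
        ("SullivanDecryptsYourFiles.txt", b"note"),  # ransom note
        ("aes.bin", b"\x00" * 256),                  # RSA-2048-sized key blob
    ]:
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(data)
    with open(os.path.join(root, "Sullivan.1.0.exe"), "wb") as fh:
        fh.write(b"MZ")  # placeholder bytes, not the real binary
    return root


def demo():
    """Build the sample tree, hunt it, and return (hits, verdict)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        hits = hunt(root)
        return hits, verdict(hits)


if __name__ == "__main__":
    found, result = demo()
    for label, paths in sorted(found.items()):
        print(f"{label}: {len(paths)}")
    print("verdict:", result)
```

Run against a real host with `hunt("C:\\")` (or a mounted image) instead of the constructed tree; an `encrypted_file` hit together with a `ransom_note` or `wrapped_key` hit in the same tree is the strong signal, while a lone `payload` match on the loose file-name pattern should be confirmed by hash before acting on it.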
Sandworm has a long and well-documented history of attacks on critical infrastructure. The group is also responsible for the NotPetya outbreak of June 2017, which caused billions of dollars in losses to hundreds of companies around the world.
Impact
- File Encryption
- Identity Theft
- Financial Loss
Remediation
- Block all threat indicators at your respective controls.
- Search for the Indicators of Compromise (IOCs) in your environment using your respective security controls.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources or senders.
- Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Along with network and system hardening, implement code hardening within the organization so that websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
- Enable antivirus and anti-malware software and update signature definitions in a timely manner. Multi-layered protection is necessary to secure vulnerable assets.