Displaying items by tag: ransomware as a service

A 20-year-old Russian National Magomedovich Astamirov was arrested in Arizona and had his initial appearance in court yesterday. The arrest and charges come after a lengthy investigation into the Ransomware as a Service Group, LockBit. This is the second arrest in six months related to the group’s activities with a third warrant/indictment issued for another individual, Mikhail Pavlovich Matveev, who is still at large. According to the DOJ press release Astamirov is suspected of conspiring with other LockBit members to attack multiple organizations in the US and around the globe. Astamirov is believed to have managed various IP and Email addresses used for ransomware deployment and communication with the victims of attacks.

Anyone that does not think that cybercrime is now a bug business has been living under a rock. The news related to different cybercrime-as-a-service groups, especially ransomware, has never been more frequent. We have seen groups offer larger profit sharing, special tools, access to customization tools and now we hear that the Cyclops group is even offering an information stealer as something of a value add if you use their services.

The group behind BlackCat ransomware seem to be following some good business practices as they have launched a new variant with improved performance (faster encryption) and detection evasion. First identified in February of 2023 the new variant has been given some extra attention after an update to this flavor was seen in April. BlackCat is notable as being the first ransomware written in Rust identified in the wild.

In the never-ending saga of Ransomware, the threat groups that deploy or leverage this tool for financial gain are always looking for a new method of installation and ways to avoid increasingly sophisticated security measures. Although most organizations might not be employing overly sophisticated security, the really good targets might be. Even the use of advanced MDR/XDR makes the exposure window smaller when it comes to many ransomware attacks.

As part of our ongoing (really never ending) series on modern ransomware, we are taking a look at a recent study of one Ransomware as a Service operation. In this case the look is at the Qilin scheme which was brought to light by Group-IB. They were able to infiltrate the group through a conversation with a recruiter (nothing like being invited in). The cybersecurity firm started their inside look in March of 2023 and what they found was eye opening. It shows that RaaS clearly pays well and that services like this make things easy and profitable for people looking to get in on the “fun” but might not have the skill set or infrastructure to do it on their own.

The same Ransomware gang that hit MSI recently also appears to have hit Pharmacy services provider PharMerica and stole information on 5.8 million patents. The data that was exfiltrated as part of the attack includes social security numbers, full name and address, health insurance, medications, and date of birth. PharMerica disclosed the breach to the Maine Attorney General on March 12th, 2023.

Ransomware is a huge shadow over many businesses and individuals’ heads. It has loomed as a significant threat since the first stains hit the internet inside malicious zip files masquerading as “Xerox” documents. Since that time ransomware and the groups behind it have evolved significantly. At the top of the food chain are groups like Hive and Conti who have not only evolved their own tools but utilize strategic approaches to their organizations complete with acquisitions and, in some cases, attempted legitimate business fronts to further their activities.

There is an old saying that say, what someone can lock, someone else can unlock. This is usually used regarding attackers getting into a network or compromising protected data. It is not often applied to security researchers unlocking information encrypted by a major ransomware threat group. However, this is exactly what has happened as researchers at Kookmin University in South Korea say they have utilized a flaw in the encryption method used by Hive Ransomware to find a way to unlock it.