Light Dark
June 18, 2020 By David Bisson 3 min read
News

In early June 2020, the Maze gang teamed up with other crypto-malware actors to extort non-paying victims using its shared data leaks platform. Maze wasn’t the only strain that made news. Those behind the REvil family also attracted the security community’s attention when it began auctioning off data stolen by their creation. Additionally, security researchers discovered two new crypto-malware groups: Kupidon and Avaddon.

Top Story: Maze’s New Extortion Cartel

On June 3, digital security intelligence firm KeLa informed Bleeping Computer that the Maze ransomware gang had added information stolen from an architectural firm to its “Maze News” data leak site. This data dump wasn’t the first time Maze had publicly posted the stolen data of a victim who had refused to meet a ransom demand, but it was the first time Maze’s actors had used their site to publish the information stolen by a different ransomware group. Indeed, the information had come from a successful attack conducted by the LockBit Ransomware-as-a-Service (RaaS) platform.

Bleeping Computer contacted the Maze operators for clarification. In their response, the ransomware actors revealed they had partnered with LockBit to share their experience and data leaks platform. They also disclosed that another ransomware group would be joining their cartel in the coming days and that other gangs had shared their desire to join in the future.

Sure enough, Bleeping Computer learned of a “Maze News” posting pertaining to the Ragnar Locker ransomware strain just days later.

Also in Ransomware News

  • Victim Data Auctioned Off by REvil Ransomware Group: In the beginning of June, KrebsonSecurity learned that the malicious actors responsible for distributing REvil ransomware had posted an update on their “Happy Blog” dark web data leak site. The post announced that the digital attackers would begin auctioning off three databases and more than 22,000 files which they had stolen from an agricultural company. In their update, REvil’s handlers announced that the minimum deposit was $5,000 and that the bidding for the entire collection of stolen data would start at $50,000.
  • New Kupidon and Avaddon Ransomware Strains Discovered: On June 5, Bleeping Computer reported on a security researcher’s discovery of a new ransomware strain back in the beginning of May. The crypto-malware threat, detected as “Kupidon,” targeted both users and corporations at the time of discovery. After performing its encryption routine, the ransomware instructed the victim in its ransom note to visit a Tor site that contained an image of cupid and an email address for receiving payment instructions. News of Kupidon came just days before the computer self-help site learned about an attack campaign in which malspam emails containing a smily or winky face had leveraged a malicious JavaScript downloader to infect victims with samples of the new Avaddon ransomware family.
  • Decryption Tool Released for Tycoon Ransomware: The BlackBerry Research and Intelligence Team uncovered Tycoon, a multi-platform ransomware written in Java. The researchers found that malicious actors were using a trojanized java runtime environment (JRE) along with an obscure java image format to target Windows and Linux machines operated by SMBs in the education and software industries. Over the course of their analysis, the researchers found that Tycoon had reused a common RSA private key and subsequently wondered whether victims could recover their data encrypted by earlier versions of the ransomware for free. Emsisoft confirmed this to be the case when it released its updated RedRum decryption software (The earliest version of Tycoon had a .redrum file extension, per Dark Reading.).
  • QNAP Storage Devices Targeted by eChoraix Ransomware: At the beginning of June, ID-Ransomware documented a surge of reports from eChoraix victims seeking help to recover their data. A closer look revealed that the malicious actors who perpetrated those attacks gained access to QNAP storage devices by abusing vulnerabilities or by brute-forcing weak passwords. Upon gaining access, the ransomware then ran its decryption routine before dropping a ransom demand in which it asked victims to hand over a ransom fee of $500.
  • Thanos RaaS Tool Connected to Hakbit: According to Recorded Future, Insikt Group discovered Thanos Ransomware-as-a-Service (RaaS) for sale on an exploit forum while investigating the weaponization of RIPlace technique. In the process of analyzing the new ransomware, Insikt Group found that Thanos shared similar code with Hakbit, among other commonalities. These connections led Insikt Group to conclude that malicious actors had constructed Hakbit using the Thanos ransomware builder.

How to Defend Against Ransomware

Security professionals can help their organizations defend against a ransomware infection by ensuring they have access to the latest threat intelligence. These information feeds will give them the necessary data they need to stay on top of the latest crypto-malware attacks and techniques. Infosec personnel should also leverage an endpoint management tool to monitor their endpoints for suspicious activity that could be indicative of a ransomware infection.

 |  | 
David Bisson
Contributing Editor

More from News
August 23, 2023

Securing critical infrastructure with the carrot and stick

4 min read - It wasn’t long ago that cybersecurity was a fringe topic of interest. Now, headline-making breaches impact large numbers of everyday citizens. Entire cities find themselves under cyberattack. In a short time, cyber has taken an important place in the national discourse. Today, governments, regulatory agencies and companies must work together to confront this growing threat. So how is the federal government bolstering security for critical infrastructure? It looks like they are using a carrot-and-stick approach. Back in March 2022, the…

August 16, 2023

650,000 cyber jobs are now vacant: How to tackle the risk

4 min read - How far is the United States behind in filing cybersecurity jobs? As per Rep. Andrew Garbarino, R-N.Y., Chairman of the HHS Cybersecurity and Infrastructure Protection Subcommittee, overseas adversaries have a workforce advantage over FBI cyber personnel of 50 to one. His statements were made during a recent subcommittee hearing titled “Growing the National Cybersecurity Talent Pipeline.” Meanwhile, recent CyberSeek data shows over 650,000 cyber jobs to fill nationwide. Given the rising rate of cyberattacks, these numbers are truly alarming. How…

August 9, 2023

Will data backups save you from ransomware? Think again

4 min read - Backups are an essential part of any solid anti-ransomware strategy. In fact, research shows that the median recovery cost for ransomware victims that used backups is half the cost incurred by those that paid the ransom. But not all data backup approaches are created equal. A separate report found that in 93% of ransomware incidents, threat actors actively target backup repositories. This results in 75% of victims losing at least some of their backups during the attack, and more than…

August 2, 2023

Should you worry about state-sponsored attacks? Maybe not.

4 min read - More than ever, state-sponsored cyber threats worry security professionals. In fact, nation-state activity alerts increased against critical infrastructure from 20% to 40% from 2021 to 2022, according to a recent Microsoft Digital Defense Report. With the advent of the hybrid war in Ukraine, nation-state actors are launching increasingly sophisticated attacks. But is this the most prominent danger facing companies today? While nation-state-based attacks cannot be ignored, it looks like insider cyber incidents are far more common. In fact, for the…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature