In early June 2020, the Maze gang teamed up with other crypto-malware actors to extort non-paying victims using its shared data leaks platform. Maze wasn’t the only strain that made news. Those behind the REvil family also attracted the security community’s attention when it began auctioning off data stolen by their creation. Additionally, security researchers discovered two new crypto-malware groups: Kupidon and Avaddon.
Top Story: Maze’s New Extortion Cartel
On June 3, digital security intelligence firm KeLa informed Bleeping Computer that the Maze ransomware gang had added information stolen from an architectural firm to its “Maze News” data leak site. This data dump wasn’t the first time Maze had publicly posted the stolen data of a victim who had refused to meet a ransom demand, but it was the first time Maze’s actors had used their site to publish the information stolen by a different ransomware group. Indeed, the information had come from a successful attack conducted by the LockBit Ransomware-as-a-Service (RaaS) platform.
Bleeping Computer contacted the Maze operators for clarification. In their response, the ransomware actors revealed they had partnered with LockBit to share their experience and data leaks platform. They also disclosed that another ransomware group would be joining their cartel in the coming days and that other gangs had shared their desire to join in the future.
Sure enough, Bleeping Computer learned of a “Maze News” posting pertaining to the Ragnar Locker ransomware strain just days later.
Also in Ransomware News
- Victim Data Auctioned Off by REvil Ransomware Group: In the beginning of June, KrebsonSecurity learned that the malicious actors responsible for distributing REvil ransomware had posted an update on their “Happy Blog” dark web data leak site. The post announced that the digital attackers would begin auctioning off three databases and more than 22,000 files which they had stolen from an agricultural company. In their update, REvil’s handlers announced that the minimum deposit was $5,000 and that the bidding for the entire collection of stolen data would start at $50,000.
- Decryption Tool Released for Tycoon Ransomware: The BlackBerry Research and Intelligence Team uncovered Tycoon, a multi-platform ransomware written in Java. The researchers found that malicious actors were using a trojanized java runtime environment (JRE) along with an obscure java image format to target Windows and Linux machines operated by SMBs in the education and software industries. Over the course of their analysis, the researchers found that Tycoon had reused a common RSA private key and subsequently wondered whether victims could recover their data encrypted by earlier versions of the ransomware for free. Emsisoft confirmed this to be the case when it released its updated RedRum decryption software (The earliest version of Tycoon had a .redrum file extension, per Dark Reading.).
- QNAP Storage Devices Targeted by eChoraix Ransomware: At the beginning of June, ID-Ransomware documented a surge of reports from eChoraix victims seeking help to recover their data. A closer look revealed that the malicious actors who perpetrated those attacks gained access to QNAP storage devices by abusing vulnerabilities or by brute-forcing weak passwords. Upon gaining access, the ransomware then ran its decryption routine before dropping a ransom demand in which it asked victims to hand over a ransom fee of $500.
- Thanos RaaS Tool Connected to Hakbit: According to Recorded Future, Insikt Group discovered Thanos Ransomware-as-a-Service (RaaS) for sale on an exploit forum while investigating the weaponization of RIPlace technique. In the process of analyzing the new ransomware, Insikt Group found that Thanos shared similar code with Hakbit, among other commonalities. These connections led Insikt Group to conclude that malicious actors had constructed Hakbit using the Thanos ransomware builder.
How to Defend Against Ransomware
Security professionals can help their organizations defend against a ransomware infection by ensuring they have access to the latest threat intelligence. These information feeds will give them the necessary data they need to stay on top of the latest crypto-malware attacks and techniques. Infosec personnel should also leverage an endpoint management tool to monitor their endpoints for suspicious activity that could be indicative of a ransomware infection.