Last week in security news, the authors of Shade ransomware announced that they were releasing 750,000 decryption keys to help their remaining victims recover their files for free. Speaking of ransomware, a notorious malware-as-a-service (MaaS) botnet added crypto-ransomware capabilities, thereby augmenting its ability to target Android users. Several other botnets also attracted the attention of security researchers.

Top Story of the Week: The End of Shade Ransomware

In a GitHub post, the authors of Shade ransomware announced the publication of 750,000 decryption keys along with their own custom decryption software. The malicious actors noted that some victims might have trouble using these resources to recover their files for free. In response, those nefarious individuals vocalized their hope that security firms would use the published keys and software to create commercial decryption tools that would be easier to use.

This announcement marked the last stage of Shade ransomware’s retirement. After ceasing all distribution of their creation in late 2019, those responsible for the ransomware said that they had deleted all data and source codes relating to their activity.

Source: iStock

Also in Security News

  • Return of Black Rose Lucy Marked by Addition of Ransomware Features: Check Point Research discovered that the Black Rose Lucy botnet had returned from a two-year hiatus by masquerading as a video player application. The digital threat leveraged this disguise to use its new ransomware features and encrypt all files identified in the device’s directories.
  • BEC Scam Launched by Florentine Banker Steals £600K: Also from Check Point Research, a threat group known as the Florentine Banker attracted security professionals’ attention by targeting at least three large financial organizations with sophisticated business email compromise (BEC) scams. In one of these attacks, the group successfully stole £600,000.
  • New Shellbot Linux Malware Launched by Outlaw Hacking Group: Yoroi Security came across a new Linux malware called Shellbot that originated from the Outlaw hacking group. Early versions of this threat arrived with a module for conducting distributed denial-of-service (DDoS) attacks, but later versions used a Monero miner and Perl backdoor as its main elements.
  • LeetHozer Botnet Samples Share Attack Resources With Moobot: The Network Research Lab at 360 observed that the new LeetHozer botnet used the same downloader and the same unique string in its vulnerability exploitation routine as Moobot. Acknowledging those similarities, the research team posited that Moobot and LeetHozer originated from the same group of attackers.
  • Inquiry Discovered Multi-Year PhantomLance Campaign: Kaspersky launched an inquiry into a backdoor Trojan identified by another security firm back in July 2019. This effort revealed that the campaign, dubbed PhantomLance, had been active since at least 2016 and had infiltrated several app marketplaces including the Google Play store.
  • Zero-Day Flaw in Sophos Firewalls Exploited by Information Stealer: Researchers at Sophos revealed that malicious actors had exploited a zero-day flaw to achieve remote code execution on some of the security firm’s firewall products. That malicious activity enabled those actors to install the Asnarök Trojan for the purpose of stealing data from their victims.
  • High-Severity Code Injection Vulnerability Plugged in WP Plugin: In late April, Wordfence discovered a vulnerability in the Real-Time Find and Replace WordPress plugin that could enable a malicious actor to inject malicious Javascript into an exposed site by tricking the site admin. The security firm notified the plugin’s developer who responded by issuing a patch a few hours later.
  • Department of Labor’s FMLA Used as Lure to Target Users: IBM X-Force detected a phishing campaign in which digital attackers used the U.S. Department of Labor’s Family and Medical Leave Act (FMLA) to convince recipients to open an email attachment. Once opened, that file infected recipients with Trickbot.

Security Tip of the Week: Review Your Organization’s Ransomware Defenses

Security professionals can strengthen defenses against ransomware threats such as Shade by using an ongoing security awareness training program to build up a positive security culture in the workplace. This effort will cultivate employees’ familiarity with phishing campaigns and other social engineering attacks, thereby reducing the number of available distribution channels for attackers. In addition, infosec personnel should leverage the latest threat intelligence to stay on top of evolving ransomware campaigns.

More from

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities. Figure 1 — Exploitation timeline However, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack…

OneNote, Many Problems? The New Phishing Framework

There are plenty of phish in the digital sea, and attackers are constantly looking for new bait that helps them bypass security perimeters and land in user inboxes. Their newest hook? OneNote documents. First noticed in December 2022, this phishing framework has seen success in fooling multiple antivirus (AV) tools by using .one file extensions, and January 2023 saw an attack uptick as compromises continued. While this novel notes approach will eventually be phased out as phishing defenses catch up,…

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

LastPass Breaches Cast Doubt on Password Manager Safety

In 2022, LastPass suffered a string of security breaches which sparked concern among cyber professionals and those impacted by the intrusions. Some called into question the way LastPass handled and responded to the incident. In addition, the situation ignited a wider conversation about the risks linked to utilizing password managers. A password manager helps users generate strong passwords and safeguards them within a digital locker. A master password secures all data, which enables users to conveniently access all their passwords…