Microsoft Threat Intelligence’s Post

In the second quarter of 2024, financially motivated threat actor Octo Tempest, our most closely tracked ransomware threat actor, added RansomHub and Qilin to its ransomware payloads in campaigns. Octo Tempest is known for sophisticated social engineering techniques, identity compromise and persistence, focus on targeting VMWare ESXi servers, and deployment of BlackCat ransomware. RansomHub is a ransomware as a service (RaaS) payload used by more and more threat actors, including ones that have historically used other (sometimes defunct) ransomware (like BlackCat), making it one of the most widespread ransomware families today. Notably, RansomHub was observed in post-compromise activity by Manatee Tempest following initial access by Mustard Tempest via FakeUpdates/Socgholish infections. In addition to RansomHub and Qilin, other notable ransomware families in this period include BlackSuit, LockBit, Medusa, Black Basta, and Play. Several new ransomware families emerged this quarter. Fog, which uses the .flocked extension, was first observed in May in campaigns by Storm-0844, a threat actor known for distributing Akira. To deploy Fog, Storm-0844 uses VPN clients to gain initial access, likely via valid accounts. They use open-source tools like ADFind, Rubeus, and Advanced IP Scanner for network discovery and lateral movement. They also use rclone for staging files to be exfiltrated. By June, Storm-0844 was deploying Fog in more campaigns than Akira. FakePenny is another new ransomware family we uncovered during this period. In April, we observed North Korean threat actor Moonstone Sleet (formerly Storm-1789) deploying FakePenny, part of a wide-ranging tradecraft that also includes a malicious tank game: https://msft.it/6046lOdRi Threat actors like Octo Tempest focus on identity compromise in their intrusions to access and persist in on-premises and cloud environments for data exfiltration and ransomware deployment. This quarter, Storm-0501 was observed adopting similar tactics, utilizing open-source toolkits like AADInternals for domain federations and other techniques to facilitate latter stages of attacks, which culminate in the deployment of Embargo ransomware. Threat actors also continue to leverage remote management and monitoring tools in ransomware campaigns. In May, we published research on Storm-1811 misusing Quick Assist in social engineering attacks, which were followed by delivery of various malicious tools, leading to Black Basta deployment: https://msft.it/6047lOdRc Users and organizations are advised to follow security best practices, especially credential hygiene, principle of least privilege, and Zero Trust. We publish reports on ransomware threat actors and associated activity in Microsoft Defender Threat Intelligence and Microsoft Defender XDR threat analytics. For more information and guidance, visit https://msft.it/6048lOdRY

nice overview of the recent ransomware threat landscape from Microsoft.

In the second quarter of 2024, financially motivated threat actor Octo Tempest, our most closely tracked ransomware threat actor, added RansomHub and Qilin to its ransomware payloads in campaigns. Octo Tempest is known for sophisticated social engineering techniques, identity compromise and persistence, focus on targeting VMWare ESXi servers, and deployment of BlackCat ransomware. RansomHub is a ransomware as a service (RaaS) payload used by more and more threat actors, including ones that have historically used other (sometimes defunct) ransomware (like BlackCat), making it one of the most widespread ransomware families today. Notably, RansomHub was observed in post-compromise activity by Manatee Tempest following initial access by Mustard Tempest via FakeUpdates/Socgholish infections. In addition to RansomHub and Qilin, other notable ransomware families in this period include BlackSuit, LockBit, Medusa, Black Basta, and Play. Several new ransomware families emerged this quarter. Fog, which uses the .flocked extension, was first observed in May in campaigns by Storm-0844, a threat actor known for distributing Akira. To deploy Fog, Storm-0844 uses VPN clients to gain initial access, likely via valid accounts. They use open-source tools like ADFind, Rubeus, and Advanced IP Scanner for network discovery and lateral movement. They also use rclone for staging files to be exfiltrated. By June, Storm-0844 was deploying Fog in more campaigns than Akira. FakePenny is another new ransomware family we uncovered during this period. In April, we observed North Korean threat actor Moonstone Sleet (formerly Storm-1789) deploying FakePenny, part of a wide-ranging tradecraft that also includes a malicious tank game: https://msft.it/6046lOdRi Threat actors like Octo Tempest focus on identity compromise in their intrusions to access and persist in on-premises and cloud environments for data exfiltration and ransomware deployment. This quarter, Storm-0501 was observed adopting similar tactics, utilizing open-source toolkits like AADInternals for domain federations and other techniques to facilitate latter stages of attacks, which culminate in the deployment of Embargo ransomware. Threat actors also continue to leverage remote management and monitoring tools in ransomware campaigns. In May, we published research on Storm-1811 misusing Quick Assist in social engineering attacks, which were followed by delivery of various malicious tools, leading to Black Basta deployment: https://msft.it/6047lOdRc Users and organizations are advised to follow security best practices, especially credential hygiene, principle of least privilege, and Zero Trust. We publish reports on ransomware threat actors and associated activity in Microsoft Defender Threat Intelligence and Microsoft Defender XDR threat analytics. For more information and guidance, visit https://msft.it/6048lOdRY

Great overview here of the Ransomware threats currently in play, especially for our State & Local Government customers. If you haven’t deployed our latest security tools, including Sentinel and Defender as well as G5 and now AI for Security, I strongly urge rapid adoption along with Zero Trust protocols. #Microsoft #Security #StateAndLocalGovernment

According to a Microsoft report, Scattered Spider has been observed deploying RansomHub and Qilin #ransomware strains. 𝐖𝐡𝐲 𝐢𝐬 𝐭𝐡𝐢𝐬 𝐢𝐦𝐩𝐨𝐫𝐭𝐚𝐧𝐭? - Scattered Spider is known for utilizing #socialengineering tactics to gain access to organizations thus making them effective at gaining initial access. - Qilin and RansomHub are both relatively new ransomware strains. Both are destructive, often making it hard for companies to recover from #backups. - Both Qilin and RansomHub negotiators are aggressive, going beyond #encryption and #dataexfiltration to try to obtain payment. The combination of the two speaks to an increasingly aggressive landscape for ransomware groups who are looking for ways to be more effective at securing #ransom payments. Scattered Spider is also known to be a group of individuals working together, rather than a more traditionally defined threat group. It is not surprising that these individuals may also be working as affiliates of other ransomware groups. 𝐖𝐡𝐚𝐭 𝐬𝐡𝐨𝐮𝐥𝐝 𝐲𝐨𝐮 𝐝𝐨? 1. Review how robust your defenses are against #socialengineering attacks. 2. Review the effectiveness of your #backups. 3. Incorporate more aggressive #negotiation tactics into your tabletop exercises. #cybersecurity #ransomwareprotection

🔴 Multiple U.S. agencies are warning about Phobos ransomware, a RaaS deployed in widespread attacks against critical infrastructure. 🔘 "Structured as a ransomware as a service (RaaS) model, Phobos ransomware actors have targeted entities including municipal and county governments, emergency services, education, public healthcare, and critical infrastructure to successfully ransom several million in U.S. dollars," the government said. 🔘 The advisory comes from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC). 🔘 Active since May 2019, multiple variants of Phobos ransomware have been identified to date, namely Eking, Eight, Elbie, Devos, Faust, and Backmydata. Late last year, Cisco Talos Intelligence Group revealed that the threat actors behind the 8Base ransomware are leveraging a Phobos ransomware variant to conduct their financially motivated attacks. 🔘 There is evidence to suggest that Phobos is likely closely managed by a central authority, which controls the ransomware's private decryption key. 🔘 Attack chains involving the ransomware strain have typically leveraged phishing as an initial access vector to drop stealthy payloads like SmokeLoader. Alternatively, vulnerable networks are breached by hunting for exposed RDP services and exploiting them by means of a brute-force attack. 🔘 A successful digital break-in is followed by the threat actors dropping additional remote access tools, taking advantage of process injection techniques to execute malicious code and evade detection, and making Windows Registry modifications to maintain persistence within compromised environments. 🔘 “Additionally, Phobos actors have been observed using built-in Windows API functions to steal tokens, bypass access controls, and create new processes to escalate privileges by leveraging the SeDebugPrivilege process," the agencies said. "Phobos actors attempt to authenticate using cached password hashes on victim machines until they reach domain administrator access." 🔘 The e-crime group is also known to use open-source tools such as Bloodhound and Sharphound to enumerate the active directory. File exfiltration is accomplished via WinSCP and Mega.io, after which volume shadow copies are deleted in an attempt to make recovery harder. 🔘 The disclosure comes as Bitdefender detailed a meticulously coordinated ransomware attack impacting two separate companies at the same time. The attack, described as synchronized and multifaceted, has been attributed to a ransomware actor called CACTUS. 🔘 “CACTUS continued infiltrating the network of one organization, implanting various types of remote access tools and tunnels across different servers," Martin Zugec, technical solutions director at Bitdefender, said in a report published last week. #rcc #cybersecurity #ransomware #injection #bruteforce #remote #report #hack #attack #news

🚨 Ransomware Incidents of the Week On September 27, 2023, Johnson Controls International (JCI), a global leader in smart building solutions, fell victim to a ransomware attack orchestrated by the notorious Dark Angels gang. The attackers claimed to have seized a staggering 27 TB of data from 25 file servers. Despite the impact on some IT systems, JCI assures that its operations are ongoing. The company is collaborating with law enforcement and cybersecurity experts to investigate the incident and recover the stolen data. This event underscores the escalating threat landscape, emphasizing the need for robust cybersecurity measures in critical industries. 📈 New Trend in Ransomware Attacks: FBI Warning The FBI issues a warning regarding a concerning trend in ransomware attacks—deploying multiple strains to encrypt systems within a remarkably short timeframe, often under 48 hours. This tactic poses a significant challenge for defenders, complicating the detection and response to simultaneous ransomware strains. This evolving strategy has been observed by the FBI over recent months, with one instance noting a victim's network encrypted by three different ransomware strains in less than two days. Other Ransomware Attacks in the Spotlight: 1. 3AM Ransomware: A novel strain, 3AM, surfaced after an unsuccessful attempt to deploy LockBit ransomware. Researchers are still uncovering its capabilities. 2. Greater Manchester Police (GMP) Attack: GMP in the UK reported a ransomware incident affecting personal information due to an attack on a third-party supplier. Although operational systems remained unscathed, investigations are underway. 3. Double Whammy: An organization faced a second ransomware attack within 48 hours, highlighting the persistent threat post-initial compromise. Organizations must remain vigilant even after an attack and prioritize ongoing protection measures. Conclusion and Recommendations: As we witness a surge in sophisticated ransomware attacks, organizations must fortify their defenses: - Implement robust security measures: Multi-factor authentication, endpoint protection, and regular employee training. - Backup and recovery plan: Swift data recovery is crucial in ransomware scenarios. This is our area; you can use and recommend Narbulut with peace of mind. Narbulut offers a ransomware alert system as a built-in feature. - Keep software updated: Regular updates often include critical security patches. - Continuous network monitoring: Early detection is key to minimizing damage. The examples above show that the sector or size is not important, we all are the target of cybercriminals. In the face of these threats, a proactive cybersecurity stance is non-negotiable. Let's collectively strengthen our defenses and remain vigilant against the evolving landscape of cyber threats. 💻🔒 #ransomware #cybersecurity #securityawareness #threatintelligence #data #dataprotection #backup #technology #ransomwareprotection

$15 Million on the Line: The Hunt for the Architects of LockBit’s Digital Empire The recent crackdown on the LockBit ransomware gang marks a significant milestone in the global fight against cybercrime. The U.S. State Department’s announcement of a $15 million bounty for information leading to the arrest of LockBit members underscores the seriousness of the threat posed by this group. LockBit, responsible for over 2,000 attacks worldwide since January 2020, has caused extensive disruptions, extracting more than $144 million in ransoms. The operation, dubbed ‘Operation Cronos,’ led to the seizure of LockBit’s infrastructure, including 34 servers and over 200 crypto wallets, and resulted in the arrest of several affiliates. LockBit’s modus operandi involved a sophisticated ransomware-as-a-service (RaaS) model, allowing affiliates to deploy the ransomware in exchange for a cut of the profits. This decentralized approach made LockBit one of the most resilient and widespread ransomware threats. The seizure of LockBit 3.0’s infrastructure and the release of a decryption tool have provided temporary relief to victims but the discovery of a next-gen encryptor, LockBit-NG-Dev, indicates the gang’s intention to evolve. The impact of these developments is twofold. Firstly, the immediate disruption to LockBit’s operations will likely lead to a temporary decrease in ransomware incidents attributed to this group. Secondly, the public release of decryption keys and the detailed analysis of LockBit’s new encryptor will aid cybersecurity professionals in defending against future iterations of the malware. Organizations must leverage this incident to bolster their cybersecurity defenses. Adopting a multi-layered security approach, including regular backups, endpoint protection, and employee training, is crucial. Furthermore, engaging with cybersecurity firms that offer threat intelligence and incident response services can provide an added layer of protection. nGuard’s comprehensive cybersecurity solutions, such as vulnerability assessments, penetration testing, and managed security services, are designed to mitigate the risks posed by ransomware and other cyber threats. By understanding the tactics, techniques, and procedures (TTPs) used by groups like LockBit, nGuard helps organizations stay one step ahead of cybercriminals. The takedown of LockBit’s infrastructure and the significant bounty for information on its members represent a bold move in the global effort to combat ransomware. While this is a notable victory, the fight against cybercrime is far from over. Organizations must remain vigilant, continuously updating their security postures to counter emerging threats. Partnering with cybersecurity experts like nGuard can provide the expertise and support needed to navigate this ever-evolving landscape, ensuring resilience against ransomware and other cyber threats. #technology #informationsecurity #hacking

Read our new blog article on Automating Data Leaks: New Extortion Tactics Used by Ransomware Gangs - https://lnkd.in/dD5dt54n \[vc_row\]\[vc_column\]\[vc_cta h2=”Contact Our Ransomware & Cybersecurity Experts” h2_font_container=”tag:p|font_size:1.5em|text_align:left” h2_google_fonts=”font_family:Lato%3A100%2C100italic%2C300%2C300italic%2Cregular%2Citalic%2C700%2C700italic%2C900%2C900italic|font_style:900%20bold%20regular%3A900%3Anormal” h4=”We will get back to you as quickly as possible!” h4_font_container=”tag:p|font_size:1.3em|text_align:left|color:rgba\(157%2C157%2C158%2C0.89\)” h4_google_fonts=”font_family:Lato%3A100%2C100italic%2C300%2C300italic%2Cregular%2Citalic%2C700%2C700italic%2C900%2C900italic|font_style:900%20bold%20regular%3A900%3Anormal” style=”flat” css=”” use_custom_fonts_h2=”true” use_custom_fonts_h4=”true”\]Get Help Now\[/vc_cta\]\[vc_column_text\]The world of ransomware is a never ending arms race, with hackers and cybersecurity experts continuously trying to outsmart each other. The general trend in ransomware over the past year has been a shift towards more targeted, high profile spear phishing attacks. These attacks usually involve high ransom demands, and involve weeks or months of dedicated work by hackers overseeing every step of the process. But older methods are still finding a niche. Avaddon,…

Ransomware: A Persistent Threat in 2024 Ransomware continues to be a major cybersecurity threat, with recent trends indicating a rise in both the complexity and frequency of attacks. Here's a closer look at some of the key developments and the steps organizations can take to protect themselves: Recent Trends: 1. Hybrid Ransomware: Combining traditional ransomware with other forms of cyber threats, such as data manipulation and destructive malware, hybrid ransomware aims to cause maximum disruption [oai_citation:1,Emerging trends in ransomware: What to expect in 2024 | Acronis](https://lnkd.in/dnjwCBan). 2. Ransomware-as-a-Service (RaaS): This model has evolved, providing cybercriminals with sophisticated tools, improved encryption, and customer support, making it easier for attackers to launch effective campaigns [oai_citation:2,Emerging trends in ransomware: What to expect in 2024 | Acronis](https://lnkd.in/dnjwCBan). 3. Supply Chain Attacks: Ransomware targeting supply chains is on the rise, exploiting vulnerabilities in third-party software to gain access to primary targets [oai_citation:3,Emerging trends in ransomware: What to expect in 2024 | Acronis](https://lnkd.in/dnjwCBan). Case Studies: - City of Dallas: In May 2023, Dallas faced a significant ransomware attack by the Royal group, resulting in $8.5 million in damage and recovery costs despite not paying the ransom [oai_citation:4,Ransomware Trends and Solutions For 2024](https://lnkd.in/dmTkdwYX). - TSMC: The Taiwan Semiconductor Manufacturing Company experienced a supply chain attack through their partner Kinnmax, illustrating the vulnerabilities within interconnected business ecosystems [oai_citation:5,Ransomware Trends and Solutions For 2024](https://lnkd.in/dmTkdwYX). Protective Measures: 1. Employee Training: Regularly educate employees on the latest phishing tactics and the importance of cybersecurity hygiene. 2. Endpoint Protection: Utilize advanced endpoint protection solutions that employ behavior-based detection and real-time threat intelligence. 3. Network Segmentation: Limit the spread of ransomware by segmenting networks and enforcing least privilege access. 4. Regular Backups: Maintain and regularly test backups, ensuring they are stored offline to prevent compromise during an attack. 5. Incident Response Planning: Develop and routinely update an incident response plan to effectively manage and mitigate ransomware attacks. Ransomware remains a dynamic threat, evolving with technological advancements and shifting tactics. By staying informed and implementing robust security measures, organizations can better protect themselves against these pervasive attacks. #CyberSecurity #Ransomware #DataProtection #TechTrends #CyberThreats