The article highlights a rising wave of double-extortion ransomware campaigns, with new strains and groups expanding the practice of stealing victim data and monetizing it. It discusses Rhysida, 8Base, MalasLocker and others, their techniques, victims, and recommended defenses. #Rhysida #8Base #MalasLocker #Zimbra
Key points
- Ransomware groups are increasingly using double extortion, threatening publication of stolen data if demands aren’t met.
- In the past week, more than three new ransomware strains have been identified, affecting over 200 victims globally.
- About 10 new ransomware groups emerged in the last month, expanding the double-extortion model.
- Rhysida encrypts files using RSA and AES, renames them with a .rhysida extension, and drops a ransom note as a PDF named “CriticalBreachDetected.pdf.”
- 8Base operates a leak site with disclosed victims (66 reported) and provides guidelines for victims on how to respond; it also uses double extortion.
- MalasLocker targets Zimbra servers and asks victims for donations rather than a traditional ransom; it has publicly listed about 169 victims.
- Defense recommendations include offline backups, MFA, reducing exposed ports, user awareness, vulnerability management, and timely software updates.
MITRE Techniques
- [T1059.001] PowerShell – The ransomware invokes PowerShell during execution (e.g., “cmd.exe /c start powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path”).
- [T1112] Modify Registry – The ransomware changes the desktop wallpaper by editing registry entries, e.g., system("cmd.exe /c reg delete \"HKCU\Control Panel\Desktop\" /v Wallpaper /f"), along with related registry edits to the NoChangingWall and wallpaper settings.
- [T1083] File and Directory Discovery – The ransomware uses multiple threads to process files and directories, opens directories recursively, and performs operations on files.
- [T1486] Data Encrypted for Impact – The Rhysida ransomware employs a combination of RSA and AES algorithms to encrypt files.
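An added example, not code from the Cyble report: a small Python scanner that turns the behaviours listed above into detection rules and runs them over constructed process and file telemetry (the event format, file paths and the benign entries are assumptions made for the demo).

```python
import re

# Constructed sample telemetry (not from the original report): each record is a
# (source, detail) pair such as a process command line or a file-system event.
SAMPLE_EVENTS = [
    ("process", 'cmd.exe /c reg delete "HKCU\\Control Panel\\Desktop" /v Wallpaper /f'),
    ("process", "cmd.exe /c start powershell.exe -WindowStyle Hidden -Command Sleep "
                "-Milliseconds 500; Remove-Item -Force -Path C:\\Users\\Public\\payload.exe"),
    ("file", "rename C:\\Share\\finance\\Q1.xlsx -> C:\\Share\\finance\\Q1.xlsx.rhysida"),
    ("file", "create C:\\Share\\finance\\CriticalBreachDetected.pdf"),
    ("process", "powershell.exe -Command Get-ChildItem C:\\Logs"),   # benign, must not fire
    ("file", "create C:\\Users\\alice\\report.pdf"),                  # benign, must not fire
]

# Each rule: (MITRE technique id, label, compiled regex). The patterns encode
# the Rhysida behaviours described in the technique list above.
RULES = [
    ("T1112", "wallpaper registry value deleted",
     re.compile(r'reg\s+delete\s+"?HKCU\\Control Panel\\Desktop"?\s+/v\s+Wallpaper', re.I)),
    ("T1059.001", "hidden PowerShell sleep-then-delete (self-removal)",
     re.compile(r"powershell(\.exe)?\s+.*-WindowStyle\s+Hidden.*Sleep\s+-Milliseconds.*Remove-Item", re.I)),
    ("T1486", "file renamed with .rhysida extension",
     re.compile(r"\.rhysida(\s|$)", re.I)),
    ("T1486", "ransom note CriticalBreachDetected.pdf written",
     re.compile(r"CriticalBreachDetected\.pdf", re.I)),
]


def scan_events(events):
    """Return one (technique, label, detail) tuple for every rule an event matches."""
    hits = []
    for _source, detail in events:
        for technique, label, pattern in RULES:
            if pattern.search(detail):
                hits.append((technique, label, detail))
    return hits


def techniques_seen(events):
    """Distinct MITRE technique IDs triggered by the events, sorted for stable output."""
    return sorted({technique for technique, _, _ in scan_events(events)})


if __name__ == "__main__":
    for technique, label, detail in scan_events(SAMPLE_EVENTS):
        print(f"[{technique}] {label}: {detail}")
```

Seeing T1112 and T1059.001 together on one host shortly before a burst of .rhysida renames is the sequence worth alerting on; a single rule in isolation is a weaker signal.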
Indicators of Compromise
- [File Hash] Rhysida Windows Executable – 0c8e88877383ccd23a755f429006b437 (MD5)
- [File Hash] Rhysida Windows Executable – 69b3d913a3967153d1e91ba1a31ebed839b297ed (SHA1)
- [File Hash] Rhysida Windows Executable – a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6 (SHA256)
Read more: https://blog.cyble.com/2023/05/23/new-ransomware-wave-engulfs-over-200-corporate-victims/