“How Ransomware Variants Empower Cybercrime Organizations”

The article examines how ransomware actors increasingly rely on leaked variants and off-the-shelf builders to expand attacks, highlighting SEXi, Key Group, and Mallox as illustrative cases. It discusses their methods, weaknesses, and what their activities imply about the evolving Big Game Hunting landscape. #SEXi #KeyGroup #Mallox #Babuk #LockBit #ESXi #Windows #Linux #IxMetro #GitHub #Telegram #BigGameHunting

Keypoints

  • Ransomware Acquisition: Cybercriminals often acquire ransomware samples through the dark web, affiliations, or leaked variants.
  • SEXi Group: Targets ESXi hosts using leaked variants (Babuk for Linux, LockBit for Windows) and employs a unique contact method via the Session messaging app.
  • Key Group: Uses multiple ransomware families and changes its TTPs with each variant, indicating a lack of professionalism in its operations.
  • Mallox Group: Launched an affiliate program targeting wealthy organizations while excluding hospitals and educational institutions.
  • Big Game Hunting: The ransomware landscape has evolved, with more sophisticated tools leading to larger impacts on organizations.
  • Operational Gaps: Leaked variants often correlate with less professional setups, which makes the operators easier to track and potentially take down.

MITRE Techniques

  • [T1078] Valid Accounts – Uses leaked credentials to gain access to victim systems.
  • [T1203] Exploitation for Client Execution – Exploits vulnerabilities in applications to execute ransomware.
  • [T1547] Boot or Logon Autostart Execution – Modifies registry keys to ensure ransomware runs at startup.
  • [T1071] Application Layer Protocol – Uses common protocols (e.g., HTTP, HTTPS) for communication with C2 servers.
  • [T1486] Data Encrypted for Impact – Encrypts files on victim systems to demand ransom.

Indicators of Compromise

  • [MD5] SEXi indicators – 4e39dcfb9913e475f04927e71f38733a, 0a16620d09470573eeca244aa852bf70
  • [MD5] Key Group indicators – bc9b44d8e5eb1543a26c16c2d45f8ab7, acea7e35f8878aea046a7eb35d0b8330
  • [MD5] Mallox indicators – 00dbdf13a6aa5b018c565f4d9dec3108, 01d8365e026ac0c2b3b64be8da5798f2

Read more: https://securelist.com/sexi-key-group-mallox-ransomware/113183/