Ransomware: Activity Levels Remain High Despite Disruption

Ransomware activity remained high in 2024 despite notable disruptions to major groups, as actors shifted tactics and returned to extortion-heavy operations. The re-emergence of Clop under Snakefly and the ongoing use of BYOVD and other driver-based techniques show threat actors adapting to enforcement pressure while continuing to target enterprises with data theft and encryption.

Key points

  • U.S.-led law enforcement operations disrupted Noberus (Nobelium) in December 2023 and impacted its activity; Noberus closed in March 2024 amid affiliate fallout, while LockBit continued operating after a February 2024 international operation.
  • Vulnerability exploitation remains a key initial access method, notably CVE-2024-4577 on PHP/XAMPP for Windows enabling remote code execution, followed by tool deployment on compromised servers.
  • Attackers dropped tools on vulnerable servers, including a malicious HTA file with BadPotato, a custom web shell, and a loader used to deploy TellYouThePass ransomware.
  • Clop (Cl0p) ransomware returned in Q1 2024, led by Snakefly, having shifted from encryption to data theft and now resuming double extortion via zero-day exploits such as the MOVEit flaw.
  • BYOVD (Bring-Your-Own-Vulnerable-Driver) remains a preferred tactic to disable security solutions, with Warp AV Killer leveraging a vulnerable Avira driver for this purpose.
  • Despite disruptions, overall ransomware activity stayed high in 2024 and is expected to persist as a major enterprise threat.
  • Protection updates and mitigations are advised via the vendor’s threat intelligence bulletin.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploitation of a CGI argument injection flaw on Windows hosts enabling remote code execution. “Successful exploitation of the vulnerability can lead to remote code execution.”
  • [T1105] Ingress Tool Transfer – After gaining access, attackers download tools including a malicious HTA file with BadPotato, a custom web shell, and a loader to deploy ransomware. “Once the attackers gain access to a vulnerable server, they download several tools, including a malicious HTA file that contains a copy of the open-source privilege-escalation tool BadPotato; a custom web shell; and a loader previously observed being used to deploy TellYouThePass ransomware.”
  • [T1068] Exploitation for Privilege Escalation – BYOVD usage to disable security solutions and escalate privileges via driver weaknesses. “Bring-Your-Own-Vulnerable-Driver (BYOVD) continues to be a favored tactic among ransomware groups, particularly as a means of disabling security solutions.”
  • [T1218] Signed Binary Proxy Execution – Abuse of signed but vulnerable drivers to disable security products and deploy payloads (e.g., Warp AV Killer loading a vulnerable Avira driver). “Warp AV Killer, which has been used by at least one LockBit affiliate… leverages a vulnerable Avira anti-rootkit driver to disable security products.”
  • [T1486] Data Encrypted for Impact – Deployment of TellYouThePass ransomware after loader execution. “loader previously observed being used to deploy TellYouThePass ransomware.”
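The BYOVD tactic described in the key points and under T1068/T1218 is best caught at driver-load time. The following is an added example, not code from the bulletin or from Symantec: a small triage routine over Sysmon Event ID 6 (Driver Loaded) records. The event records, the driver file names and the blocklist hash are all constructed here; the bulletin does not publish the vulnerable Avira driver's hash, so the blocklist is a labelled placeholder to be populated from Microsoft's vulnerable driver blocklist or your own intelligence.

```python
import re

# Constructed Sysmon Event ID 6 records (field names mirror Sysmon's schema).
# None of these paths, hashes or file names come from the bulletin.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=" + "AA" * 32, "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\Public\Temp\avrk.sys",      # hypothetical file name
     "Hashes": "SHA256=" + "BB" * 32, "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\Temp\drv.sys",            # hypothetical file name
     "Hashes": "SHA256=" + "CC" * 32, "Signed": "false", "SignatureStatus": "Unavailable"},
]

# PLACEHOLDER blocklist: populate from Microsoft's vulnerable driver blocklist
# or your own intel feed. "BB"*32 is a constructed value, not a real driver hash.
KNOWN_VULNERABLE_DRIVER_SHA256 = {"BB" * 32}

# Locations a legitimate kernel driver is rarely loaded from.
USER_WRITABLE = re.compile(r"^[A-Z]:\\(Users|Windows\\Temp|ProgramData|Temp)\\", re.IGNORECASE)


def sha256_of(hashes_field: str):
    """Extract the SHA256 value from Sysmon's 'ALG=hex,ALG=hex' Hashes field."""
    for part in hashes_field.split(","):
        alg, _, digest = part.partition("=")
        if alg.strip().upper() == "SHA256":
            return digest.strip().upper()
    return None


def assess_driver_load(event: dict) -> list:
    """Return the reasons a driver load looks like BYOVD; an empty list means no finding.

    A BYOVD driver is usually validly signed (that is the point of the tactic),
    so the blocklist match is the primary signal; path and signature are secondary.
    """
    reasons = []
    if sha256_of(event.get("Hashes", "")) in KNOWN_VULNERABLE_DRIVER_SHA256:
        reasons.append("hash matches known-vulnerable driver blocklist")
    if USER_WRITABLE.match(event.get("ImageLoaded", "")):
        reasons.append("driver loaded from user-writable path")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("driver not validly signed")
    return reasons


def triage(events: list) -> dict:
    """Map each loaded driver path to its list of findings."""
    return {e["ImageLoaded"]: assess_driver_load(e) for e in events}


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS).items():
        print(path, "->", reasons or "ok")
```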

Indicators of Compromise


Read more: https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomware-q2-2024