Resecurity | Ransomware Attacks against the Energy Sector on the rise

Resecurity reports an alarming rise in ransomware targeting the energy sector worldwide, including nuclear facilities and related research entities, with attackers expanding across North America, Asia, and the EU. The article highlights evolving tactics such as intermittent encryption, rapid data exfiltration to enable extortion, and the growing role of Initial Access Brokers on the Dark Web, alongside state-actor concerns and large-asset targets; it also notes intensified activity around nuclear-energy entities and high-profile groups like ALPHV/BlackCat, Storm-1133, and Black Basta. #ALPHV #BlackBasta #Medusa #LockBit3 #MOVEit #NuclearEnergy

Keypoints

  • Ransomware campaigns against the energy sector have risen globally, including the EU, North America, and Asia, with significant attention on nuclear-related targets.
  • Attackers pursue high-value Critical Infrastructure assets to maximize ransom payouts, aided by IT/OT convergence risks, third-party exposure, and geopolitical instability.
  • Intermittent encryption and fast exfiltration are emerging tactics to speed up attacks and reduce detection, while enabling immediate extortion.
  • Ransomware groups are leveraging big-game hunting to target large organizations, and many are operating within a Ransomware‑as‑a‑Service ecosystem to expand reach.
  • Dark Web Initial Access Brokers (IABs) are actively selling access to energy networks, including nuclear targets, on forums like RAMP, XSS, Exploit, and Breach Forums.
  • Nuclear-energy entities are rising in priority for state-linked espionage or cyber-operations, with documented cases and open-source postings targeting labs, manufacturers, and energy firms.

MITRE Techniques

  • [T1583] Acquire Infrastructure – Initial Access Brokers on the Dark Web actively seek credentials and unauthorized intrusion methods for the energy sector. ‘Initial Access Brokers (IABs) operating on the Dark Web who are actively seeking out credentials and other unauthorized intrusion methods for the energy sector.’
  • [T1041] Exfiltration – Ransomware actors rapidly exfiltrate data to pivot into extortion phases. ‘By quickly seizing and exfiltrating data, ransomware actors can pivot into the extortion phase of the attack cycle more immediately.’
  • [T1486] Data Encrypted for Impact – Intermittent encryption used to encrypt systems faster and reduce detection. ‘intermittent encryption enables threat actors to “encrypt systems faster and reduce the chances of being detected.”’
  • [T1588] Acquire Capabilities – Ransomware‑as‑a‑Service operations recruit affiliates to extend their reach: ‘entice affiliates to join their Ransomware‑as‑a‑Service operations.’
  • [T1562.001] Impair Defenses – Security tool evasion, as seen with av.bat/av1.bat and related activity: ‘av.bat – performs a hidden deletion of an application with the given GUID’ and related scripts.
  • [T1027] Obfuscated/Compressed Files and Information – s2.exe is encrypted and uses an anti-debugging technique. ‘This module, called s2.exe, is encrypted and uses an anti-debugging technique.’
  • [T1490] Inhibit System Recovery – Deleting shadow copies via vssadmin.exe. ‘The cryptor spawns the process “vssadmin.exe” to delete snapshots.’
  • [T1083] File and Directory Discovery – File collection using FindFirstFileA and FindNextFileA APIs. ‘The cryptor acquires data on files by utilizing the FindFirstFileA and FindNextFileA APIs.’

Indicators of Compromise

  • [Hash] MD5 – 6f20f5aa2eb7a0c53a39b49024d938ee and 2f4acd97542131cda5f26249176348e3
  • [Hash] SHA256 – a9dd4eae8612729957bfeac53b764aba6243c749c7b7666e21acec1504efde84 and da6800063764aa4f39998d4aa069ca380ce6bcbe70099e16ece946c1754423cc
  • [Hash] SHA512 – 188b46145135c5f850ac811975cc87f07a5493ee4d6c41db6ec361da5445b4e3b00964c7a691e4ab520dd2b88ed0a60969c43599a0d22b2b9f645f7250bc7e98 and 0ea3b49bacd9d2b7fbedf0296fdc6cd06c005c54d822a7e9041305c01a01c30a6604fbd17f43aea68716e3fd0639e7f25d76e703843c18d470bdc6930d54ef00
  • [File Name] TI_c.exe, TI_c.dll, s2.exe, av.bat, av1.bat, sym.bat – samples referenced in the analysis
  • [File Extension] .eb7ys69oc – used as the encryption extension for files
  • [Registry] HKCR\.eb7ys69oc – registry key created for the cryptor
  • [Process] vssadmin.exe – invoked to delete Volume Shadow Copy snapshots
  • [URL] https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ – referenced as the ransomware’s cryptor site
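As an added defender-side example (not part of the Resecurity report), the following Python scan runs over constructed, simplified Sysmon-style process, file and registry events and flags the three host behaviours listed above: vssadmin shadow deletion (T1490), files written with the .eb7ys69oc extension (T1486), and creation of the HKCR\.eb7ys69oc key. The key=value log format, the event IDs used and the s2.exe path are assumptions, not taken from the analysis.

```python
import re
from typing import Callable, Dict, List, Tuple

RANSOM_EXT = ".eb7ys69oc"         # encryption extension named in the analysis
RANSOM_REG = r"HKCR\.eb7ys69oc"   # registry key named in the analysis

# Constructed sample events in a simplified Sysmon-like key=value format (assumed,
# not real telemetry); quoted values may contain spaces.
SAMPLE_LOG = [
    'EID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet"',
    'EID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe list shadows"',
    'EID=11 Image=C:\\Users\\Public\\s2.exe TargetFilename=C:\\Users\\bob\\Documents\\q3.xlsx.eb7ys69oc',
    'EID=13 Image=C:\\Users\\Public\\s2.exe TargetObject=HKCR\\.eb7ys69oc',
    'EID=11 Image="C:\\Program Files\\Office\\winword.exe" TargetFilename=C:\\Users\\bob\\Documents\\notes.docx',
]

_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict, stripping quotes from quoted values."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in _KV.finditer(line)}

def match_t1490(ev: Dict[str, str]) -> bool:
    """vssadmin.exe invoked to delete Volume Shadow Copy snapshots (not 'list')."""
    cmd = ev.get("CommandLine", "").lower()
    return (ev.get("Image", "").lower().endswith("vssadmin.exe")
            and "delete" in cmd and "shadows" in cmd)

def match_t1486(ev: Dict[str, str]) -> bool:
    """A file written with the reported ransom extension."""
    return ev.get("TargetFilename", "").lower().endswith(RANSOM_EXT)

def match_registry(ev: Dict[str, str]) -> bool:
    """The extension-handler key the cryptor creates under HKCR."""
    return ev.get("TargetObject", "").lower() == RANSOM_REG.lower()

RULES: List[Tuple[str, Callable[[Dict[str, str]], bool]]] = [
    ("T1490 Inhibit System Recovery", match_t1490),
    ("T1486 Data Encrypted for Impact", match_t1486),
    ("Registry key for ransom extension", match_registry),
]

def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, rule_label, image) for every event that matches a rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        hits.extend((n, label, ev.get("Image", "")) for label, rule in RULES if rule(ev))
    return hits

if __name__ == "__main__":
    for n, label, image in scan(SAMPLE_LOG):
        print(f"line {n}: {label} <- {image}")
```

The benign "vssadmin.exe list shadows" event and the ordinary Word save are deliberately included so the rules are checked for false positives as well as hits.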

Read more: https://www.resecurity.com/blog/article/ransomware-attacks-against-the-energy-sector-on-the-rise-nuclear-and-oil-gas-are-major-targets-2024