Double Extortion Ransomware Groups Emerging As Pervasive Cybersecurity Threat


Why should we be wary of double extortion ransomware groups?

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Australian Cyber Security Centre (ACSC) last week issued a joint cybersecurity advisory regarding the BianLian ransomware gang.

This group has been actively targeting critical infrastructure sectors in the United States and Australia since June 2022.

Notably, the advisory stressed that since January 2023 the group has shifted its focus exclusively to exfiltration-based extortion, omitting the encryption aspect of its attacks.

The Cyber Express has been tracking this change among almost all ransomware groups. These malicious actors not only encrypt valuable corporate data but also resort to threatening victims with exposing their sensitive information unless their demands are met. 

The proliferation of double extortion ransomware groups

Several newly identified ransomware strains have wreaked havoc in the past week, leaving more than 200 victims in distress. Within the last month, approximately ten new double extortion ransomware groups have surfaced, further amplifying the urgency to combat this cyber threat. 

Among these groups are CrossLock, Akira, BlackSuit, Rancoz, CryptNet, and RA Group.

Their swift emergence underscores the scalability and profitability of their criminal operations as they continually refine their methods to maximize financial gains.

Unveiling the tactics of double extortion ransomware groups

[Image: Double extortion ransomware groups. Image Credit: Cyble]

Recent ransomware strains reveal the ever-evolving tactics employed by these double extortion ransomware groups. One notable example is the Rhysida ransomware, which deviates from the norm by demanding victims make donations instead of traditional ransoms. 

This unique approach suggests the involvement of hacktivists within the ransomware landscape. Another distinctive feature of Rhysida ransomware is its delivery of the ransom note as a PDF file, a departure from the usual text file format.

Unconventional techniques

Discovered by the MalwareHunter Team, Rhysida ransomware explicitly targets the Windows operating system. It leverages a combination of RSA and AES algorithms for file encryption. 

[Image: Double extortion ransomware groups. Image Credit: Cyble]

Interestingly, it excludes specific directories such as $Recycle.bin, Documents and Settings, PerfLogs, Program Files, Program Files (x86), ProgramData, Recovery, and System Volume Information from encryption.

Moreover, files with extensions like .bat, .bin, .cab, .cmd, .com, .cur, .diagcab, .diagcfg, .diagpkg, .drv, .dll, .exe, .hlp, .hta, .ico, .lnk, .msi, .ocx, .ps1, .psm1, .scr, .sys, .ini, .db, .url, and .iso are not encrypted.

In a departure from typical ransomware behavior, Rhysida ransomware drops a PDF file named “CriticalBreachDetected.pdf” in every directory it infiltrates, serving as the ransom note.

It also generates a background image named “bg.jpg” based on the ransom note content, modifies the necessary registry entries, and sets it as the victim’s desktop background.
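The behaviour described above gives a responder three concrete artefacts to look for on a suspect host: a ransom note named CriticalBreachDetected.pdf in every directory the malware touched, a generated bg.jpg wallpaper, and an encryption scope bounded by the directory and extension exclusion lists. The following triage script is an added example written for this article; it is not code from The Cyber Express, Cyble, or the malware itself. It walks a constructed sample tree, reports where the note was dropped, flags bg.jpg files as wallpaper candidates, and splits the remaining files into those the exclusion rules would have spared and those that were in scope for encryption, which helps size the impact and prioritise restore-from-backup work. Matching the excluded directory names against any ancestor component, case-insensitively, is an assumption of this example; the article does not say exactly how the malware matches them.

```python
"""Triage helper for Rhysida-style ransom-note drops.

Added example, not code from the article or from Cyble. Indicator names and
exclusion lists are taken from the article's description; the sample tree is
constructed here and does not come from a real incident.
"""
import os
import tempfile
from pathlib import Path

# Indicators the article reports for Rhysida.
RANSOM_NOTE = "CriticalBreachDetected.pdf"
WALLPAPER_ARTEFACT = "bg.jpg"  # common file name, so report it as a candidate only

# Directories and extensions the article says Rhysida leaves unencrypted.
# Matching any ancestor component case-insensitively is an assumption of this example.
EXCLUDED_DIRS = {
    "$recycle.bin", "documents and settings", "perflogs", "program files",
    "program files (x86)", "programdata", "recovery", "system volume information",
}
EXCLUDED_EXTS = {
    ".bat", ".bin", ".cab", ".cmd", ".com", ".cur", ".diagcab", ".diagcfg", ".diagpkg",
    ".drv", ".dll", ".exe", ".hlp", ".hta", ".ico", ".lnk", ".msi", ".ocx", ".ps1",
    ".psm1", ".scr", ".sys", ".ini", ".db", ".url", ".iso",
}


def in_excluded_dir(rel: Path) -> bool:
    """True if any directory component of the relative path is on the exclusion list."""
    return any(part.lower() in EXCLUDED_DIRS for part in rel.parts[:-1])


def triage(root) -> dict:
    """Walk `root` and sort every file into the buckets a responder cares about."""
    root = Path(root)
    note_dirs, wallpaper_candidates, in_scope, excluded = [], [], [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            rel = (Path(dirpath) / name).relative_to(root)
            rel_s = rel.as_posix()
            if name == RANSOM_NOTE:
                # One note per directory the malware touched: a rough blast-radius measure.
                note_dirs.append(rel.parent.as_posix())
            elif name == WALLPAPER_ARTEFACT:
                wallpaper_candidates.append(rel_s)
            elif in_excluded_dir(rel) or rel.suffix.lower() in EXCLUDED_EXTS:
                excluded.append(rel_s)
            else:
                in_scope.append(rel_s)
    return {
        "note_dirs": sorted(note_dirs),
        "wallpaper_candidates": sorted(wallpaper_candidates),
        "in_scope": sorted(in_scope),
        "excluded": sorted(excluded),
    }


# Constructed sample tree (hypothetical paths, not from a real host).
SAMPLE_FILES = (
    "Users/alice/report.docx",
    "Users/alice/tool.exe",
    "Users/alice/CriticalBreachDetected.pdf",
    "Users/alice/bg.jpg",
    "Program Files/app/data.db",
    "Program Files/app/config.xml",
    "Finance/q1.xlsx",
    "Finance/run.ps1",
    "Finance/CriticalBreachDetected.pdf",
)


def build_sample_tree(root) -> None:
    """Create the constructed sample files under `root`."""
    for rel in SAMPLE_FILES:
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample")


def run_demo() -> dict:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    result = run_demo()
    print(f"ransom note found in {len(result['note_dirs'])} directories: {result['note_dirs']}")
    print(f"wallpaper candidates: {result['wallpaper_candidates']}")
    print(f"files in encryption scope: {result['in_scope']}")
    print(f"files spared by exclusion rules: {result['excluded']}")
```

Pointing `triage()` at a mounted forensic image or a file listing exported from an EDR gives the same buckets for a real host; the count of note directories is a quick way to show how far the malware walked, and the in-scope list is the set of files whose backups should be validated first.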

[Image: Double extortion ransomware groups. Image Credit: Cyble]

The case of 8Base ransomware

Another recently discovered double extortion ransomware group, 8Base, has been actively targeting victims. What sets this group apart is its implementation of a double extortion strategy. 

[Image: Double extortion ransomware groups. Image Credit: Cyble]

They first steal victims’ data and then proceed to encrypt it. If the victim refuses to pay the ransom, the attackers publish the stolen data on their leak site. 

[Image: Double extortion ransomware groups. Image Credit: Cyble]

The group has already exposed information about 66 victims on their website. The posts on their leak site can be traced back to April 2022, indicating a potentially active year without public disclosure of victims.

Unorthodox demands

[Image: Double extortion ransomware groups. Image Credit: Cyble]

Another newly discovered double extortion ransomware group, MalasLocker ransomware, has been observed primarily targeting Zimbra servers. This double extortion ransomware group stands out due to its unorthodox approach. 

Instead of demanding a traditional ransom, MalasLocker asks victims to make donations. This unusual demand, and the motive behind it, is what sets the group apart from other ransomware groups.

The surge in double extortion ransomware groups presents a growing threat to organizations worldwide. With their evolving techniques and increasing numbers, these malicious actors exploit vulnerabilities to maximize their financial gains. 

Recent ransomware strains like Rhysida, 8Base, and MalasLocker exemplify the ever-changing nature of cyber threats. It is crucial for organizations and individuals to enhance cybersecurity measures and remain vigilant to combat this escalating menace effectively.

The fight against double extortion ransomware groups requires a proactive approach and continuous adaptation to safeguard valuable data and mitigate potential damages.
