Top 5 Emerging Ransomware Threats to Watch Out For (June-July 2023)

At SISA, we understand the ever-evolving nature of cyber threats and the importance of staying one step ahead to protect your organization’s sensitive data and assets. Our dedicated team of experts is constantly monitoring various platforms, gathering intelligence, and analyzing the latest cyber threats to provide valuable insights into the latest cyber risks that can impact organizations.
This monthly post provides a condensed overview of the threats encountered throughout the month.

Our team brings to you five significant ransomware threats that have recently been active with their targeted attacks worldwide including BlackSuit ransomware exploiting Windows and Linux users, BlackCat ransomware group launching malvertising campaigns, Crysis threat actors deploying Venus ransomware via RDP, RedEnergy operating as Stealer-as-a-Ransomware, and Big Head ransomware spreading through fake Windows update.

Read on to discover more…

1. New Linux ransomware strain BlackSuit shows striking similarities to Royal

Researchers have discovered a new ransomware called BlackSuit, which bears striking similarities to the well-known Royal ransomware. This suggests that BlackSuit may be an affiliate or derivative of Royal, possibly reusing its source code. What makes BlackSuit particularly concerning is its ability to target both Windows and Linux users, posing a threat to a wide range of operating systems. Security researchers conducted a comprehensive analysis of BlackSuit, examining both the Windows 32-bit and ESXi 64-bit versions.

The ransomware appends the file extension .blacksuit to encrypted files and leaves a ransom note with details of the attack, a unique victim ID, and a TOR chat site link for communication with the attackers. In addition, the cybercriminals behind BlackSuit utilize a data leak site to publish compromised data if the ransom is not paid. Intriguingly, the Linux sample of BlackSuit matched YARA rules for Royal ransomware, leading to the discovery of numerous similarities between the two strains. Further analysis of the source code revealed astonishing levels of similarity, with 98% function similarity and 99.5% block similarity between the 64-bit samples, as well as significant resemblances in the 32-bit samples. These findings underscore the overlap in the source code of BlackSuit and Royal ransomware.

2. BlackCat ransomware group exploits WinSCP application in malvertising campaign

The BlackCat ransomware group, known as ALPHV, has been discovered operating malicious advertising (malvertising) campaigns that distribute malware through fake webpages imitating the popular WinSCP file-transfer application for Windows. Their deceptive technique involves manipulating search results on search engines like Bing and Google to prioritize harmful ads over legitimate ones when users search for “WinSCP Download.”

Unsuspecting victims who click on these ads are redirected to tutorial websites designed to resemble the genuine WinSCP website. These tutorial sites act as intermediaries, leading users to cloned web pages featuring a deceptive “Download” button that, when clicked, downloads an ISO file containing the malware dropper and payload. The malware establishes persistence, installs a trojanized DLL, and connects to a command-and-control server, granting the threat actors control over the compromised system.

3. Crysis threat actors deploying Venus ransomware through remote desktop connections

Remote Desktop Protocol (RDP) remains a prominent attack vector, accounting for 24% of cyberattacks in 2022. Cybercriminals are actively selling unauthorized RDP access on underground forums, highlighting its exploitation in the cybercrime ecosystem. Recent findings reveal that threat actors deploying Crysis ransomware scan the internet for vulnerable RDP endpoints. Using brute force or dictionary attacks, they gain unauthorized access to systems to install either Crysis or Venus ransomware.

Crysis ransomware encrypts victim files and displays a ransom note with an onion email address for contact. Venus ransomware encrypts files and claims to have stolen sensitive information, urging victims to establish contact within 48 hours. Venus ransomware also terminates various programs, disrupting normal operations. Researchers have observed additional malware on compromised systems, including scanning tools and credential stealers attributed to NirSoft. The attackers utilize Mimikatz for internal reconnaissance. These tactics demonstrate an evolving strategy to exploit RDP vulnerabilities, cause harm, and gather sensitive information.

4. RedEnergy: The stealthy Stealer-as-a-Ransomware threat

Researchers have discovered a new malware called RedEnergy, which operates as Stealer-as-a-Ransomware. It is known for targeting energy utilities, oil and gas companies, telecommunications firms, and machinery sectors. It uses a deceptive FAKEUPDATES campaign to infiltrate systems by tricking users into updating their web browsers. Once inside, RedEnergy covertly extracts sensitive information and encrypts files, holding them hostage for ransom. What distinguishes RedEnergy is its ability to target victims through reputable LinkedIn pages, adding credibility to its tactics. Notable victims include an industrial machinery manufacturing company in the Philippines and organizations in Brazil.

RedEnergy employs a multi-stage approach, disguising malicious executables as legitimate files and utilizing obfuscation techniques and HTTPS communication for command and control. Suspicious FTP interactions also suggest data exfiltration. In the final stage, RedEnergy erases shadow drive data and Windows backups, limiting file recovery options and the attackers leave a ransom note demanding payment. RedEnergy’s comprehensive tactics, including obfuscation, multi-stage execution, and targeted exploitation highlight its sophistication and potential damage.

5. New ‘Big Head’ ransomware displays fake Windows update alert

The newly discovered ransomware strain known as “Big Head” has been analyzed by security experts, revealing its propagation through malvertising that advertises fake Microsoft Word and Windows upgrades. Security researchers examined two samples of the virus as well as conducted a technical analysis, concluding that the variations are the work of a single attacker experimenting with different strategies. Big Head is a .NET binary ransomware that installs three AES-encrypted files on the targeted machine. These files are responsible for spreading the virus, communicating with a Telegram bot, and encrypting data while potentially displaying a fake Windows update to the user.

The ransomware also creates a registry autorun key, overwrites files as needed, modifies system file properties, and disables Task Manager upon execution. Before encrypting files, Big Head checks if it is running on a virtual machine and only proceeds with encryption if the system language is not set to the Commonwealth of Independent States (CIS) language. The ransomware displays a deceptive Windows update screen while encrypting data and places the ransom note in various folders, accompanied by a modified wallpaper warning of the infection.

Key recommendations to combat cyber risks:

• Ensure that all Windows and Linux systems are regularly updated with the latest security patches and updates to mitigate vulnerabilities that could be exploited by ransomware.
• Deploy a multi-layered security approach that includes firewalls, intrusion detection and prevention systems, endpoint protection, and robust antivirus solutions.
• Maintain regular and secure backups of critical data and verify their integrity. Backups should be stored offline or in a separate network to prevent them from being compromised by ransomware.
• Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
• Train employees in ransomware awareness, including safe browsing practices, identifying phishing emails, and the importance of not clicking on suspicious links or downloading attachments from unknown sources.
• Implement robust email and web filtering solutions that can detect and block malicious attachments, links, and websites associated with ransomware distribution.
• Implement the principle of least privilege, granting users only the necessary permissions to perform their tasks. This limits the potential impact of ransomware if a user’s account is compromised.
• Conduct red-team exercises and penetration tests to assess the defense capabilities of your organization.
• Enable multi-factor authentication (MFA) across all devices and systems using RDP. This adds an extra layer of security by requiring additional authentication factors beyond just a password.
• Keep up to date with the latest cybersecurity trends, vulnerabilities, and attack techniques. Regularly monitor threat intelligence sources and collaborate with industry peers and security communities to stay informed about potential risks.