Light Dark
June 18, 2020 By David Bisson 3 min read
News

In early June 2020, the Maze gang teamed up with other crypto-malware actors to extort non-paying victims using its shared data leaks platform. Maze wasn’t the only strain that made news. Those behind the REvil family also attracted the security community’s attention when it began auctioning off data stolen by their creation. Additionally, security researchers discovered two new crypto-malware groups: Kupidon and Avaddon.

Top Story: Maze’s New Extortion Cartel

On June 3, digital security intelligence firm KeLa informed Bleeping Computer that the Maze ransomware gang had added information stolen from an architectural firm to its “Maze News” data leak site. This data dump wasn’t the first time Maze had publicly posted the stolen data of a victim who had refused to meet a ransom demand, but it was the first time Maze’s actors had used their site to publish the information stolen by a different ransomware group. Indeed, the information had come from a successful attack conducted by the LockBit Ransomware-as-a-Service (RaaS) platform.

Bleeping Computer contacted the Maze operators for clarification. In their response, the ransomware actors revealed they had partnered with LockBit to share their experience and data leaks platform. They also disclosed that another ransomware group would be joining their cartel in the coming days and that other gangs had shared their desire to join in the future.

Sure enough, Bleeping Computer learned of a “Maze News” posting pertaining to the Ragnar Locker ransomware strain just days later.

Also in Ransomware News

  • Victim Data Auctioned Off by REvil Ransomware Group: In the beginning of June, KrebsonSecurity learned that the malicious actors responsible for distributing REvil ransomware had posted an update on their “Happy Blog” dark web data leak site. The post announced that the digital attackers would begin auctioning off three databases and more than 22,000 files which they had stolen from an agricultural company. In their update, REvil’s handlers announced that the minimum deposit was $5,000 and that the bidding for the entire collection of stolen data would start at $50,000.
  • New Kupidon and Avaddon Ransomware Strains Discovered: On June 5, Bleeping Computer reported on a security researcher’s discovery of a new ransomware strain back in the beginning of May. The crypto-malware threat, detected as “Kupidon,” targeted both users and corporations at the time of discovery. After performing its encryption routine, the ransomware instructed the victim in its ransom note to visit a Tor site that contained an image of cupid and an email address for receiving payment instructions. News of Kupidon came just days before the computer self-help site learned about an attack campaign in which malspam emails containing a smily or winky face had leveraged a malicious JavaScript downloader to infect victims with samples of the new Avaddon ransomware family.
  • Decryption Tool Released for Tycoon Ransomware: The BlackBerry Research and Intelligence Team uncovered Tycoon, a multi-platform ransomware written in Java. The researchers found that malicious actors were using a trojanized java runtime environment (JRE) along with an obscure java image format to target Windows and Linux machines operated by SMBs in the education and software industries. Over the course of their analysis, the researchers found that Tycoon had reused a common RSA private key and subsequently wondered whether victims could recover their data encrypted by earlier versions of the ransomware for free. Emsisoft confirmed this to be the case when it released its updated RedRum decryption software (The earliest version of Tycoon had a .redrum file extension, per Dark Reading.).
  • QNAP Storage Devices Targeted by eChoraix Ransomware: At the beginning of June, ID-Ransomware documented a surge of reports from eChoraix victims seeking help to recover their data. A closer look revealed that the malicious actors who perpetrated those attacks gained access to QNAP storage devices by abusing vulnerabilities or by brute-forcing weak passwords. Upon gaining access, the ransomware then ran its decryption routine before dropping a ransom demand in which it asked victims to hand over a ransom fee of $500.
  • Thanos RaaS Tool Connected to Hakbit: According to Recorded Future, Insikt Group discovered Thanos Ransomware-as-a-Service (RaaS) for sale on an exploit forum while investigating the weaponization of RIPlace technique. In the process of analyzing the new ransomware, Insikt Group found that Thanos shared similar code with Hakbit, among other commonalities. These connections led Insikt Group to conclude that malicious actors had constructed Hakbit using the Thanos ransomware builder.

How to Defend Against Ransomware

Security professionals can help their organizations defend against a ransomware infection by ensuring they have access to the latest threat intelligence. These information feeds will give them the necessary data they need to stay on top of the latest crypto-malware attacks and techniques. Infosec personnel should also leverage an endpoint management tool to monitor their endpoints for suspicious activity that could be indicative of a ransomware infection.

 |  | 
David Bisson
Contributing Editor

More from News
September 16, 2024

The rising threat of cyberattacks in the restaurant industry

2 min read - The restaurant industry has been hit with a rising number of cyberattacks in the last two years, with major fast-food chains as the primary targets. Here’s a summary of the kinds of attacks to strike this industry and what happened afterward. Data breaches have been a significant issue, with several large restaurant chains experiencing incidents that compromised the sensitive information of both employees and customers. In one notable case, a breach affected 183,000 people, exposing names, Social Security numbers, driver's…

September 11, 2024

DHS awards significant grant to improve tribal cybersecurity

4 min read - The Department of Homeland Security (DHS) has awarded $18.2 million in grants through the Tribal Cybersecurity Grant Program to boost cybersecurity defenses among Native American Indian Tribes. The program takes a big step in addressing the unique digital threats faced by tribal communities — a dedicated effort to improve cybersecurity infrastructure across these regions. The $18.2 million grant is just one component of DHS's broader strategy to enhance national cybersecurity. Administered by the Federal Emergency Management Agency (FEMA) in partnership…

September 9, 2024

ONCD releases request for information: Open-source software security

3 min read - Open-source software is a collective partnership across the development community that requires both private and public buy-in. However, securing open-source software can be tricky. With so many different people working on the coding, security measures are often overlooked, increasing the chances that a vulnerability will fall through the cracks and be exploited. The Open-Source Software Security Initiative (OS31) aims to provide governance over open-source security processes. After the Log4Shell vulnerability, securing open-source software became a top priority for the federal…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature