Tricky Ransomware Encrypts Small Data But Overwrites Large Data

The MalwareHunterTeam recently discovered a new ransomware operation that is particularly nasty.  Called Onyx, outwardly, the operation does what most ransomware campaigns do.  It gets inside a corporate network, exfiltrates the data that it wants, then seems to encrypt the rest, and then threatens to release the files to the broader public unless their demands for payment are met.

An additional fee is demanded to unlock the encrypted files, but there’s a catch in this instance.

Any file larger than 2MB is not genuinely encrypted: its contents are destroyed and overwritten before the "encryption" step, so the file appears to be intact.  Unfortunately, when victims pay the fee to have their files decrypted, they discover that the file is garbage and the actual data they wanted is gone.

This is not a flaw in the malicious code but rather an intentional design decision. It is implemented to inflict maximal pain on companies that fall victim to their attack.

The discovery was only recently made. So it’s quite likely that at least some companies have paid the demanded ransom in hopes of getting their files back, only to have those hopes dashed.

Given this fact, if you are hit with an Onyx attack, don’t pay the ransom.  It won’t do you any good, except where your smaller files are concerned.  Your only hope is to restore those files from backup, and you certainly don’t need to pay the ransom to do that.
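A practical follow-up to the advice above is to check "decrypted" output before trusting it. The following script is an added example written for this article, not tooling from the original post or from any vendor: it walks a directory, reads a sample of each file, and combines the 2MB threshold reported for Onyx with two cheap signals (a recognised file header and the entropy of the sample) to separate files that look intact from those that are still ciphertext or were overwritten with junk and can only be restored from backup. The signature table, the entropy cut-off and the sample files it builds are constructed for the demo.

```python
import math
import os
import tempfile
from collections import Counter

# Size cut-off reported for Onyx: files above this were overwritten, not encrypted.
SIZE_THRESHOLD = 2 * 1024 * 1024

# Small, constructed table of common file signatures (not exhaustive; extend as needed).
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/office-xml",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole/legacy-office",
}

# Random or encrypted bytes score close to 8 bits/byte; real documents sit well below.
ENTROPY_CUTOFF = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte for the given sample."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: str, threshold: int = SIZE_THRESHOLD, sample: int = 4096) -> str:
    """Verdict on whether a supposedly decrypted file is worth trusting."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(sample)
    if any(head.startswith(magic) for magic in MAGIC):
        return "intact"                  # a known header survived: probably fine
    if shannon_entropy(head) >= ENTROPY_CUTOFF:
        if size > threshold:
            return "destroyed"           # large and random: restore from backup
        return "encrypted-or-unknown"    # small and random: may still be ciphertext
    return "unrecognised"                # low entropy, no known header: inspect by hand


def triage(directory: str) -> dict:
    """Classify every regular file under directory; keys are paths relative to it."""
    verdicts = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            verdicts[os.path.relpath(full, directory)] = classify(full)
    return verdicts


def run_demo() -> dict:
    """Build a constructed sample tree (not real victim data) and triage it."""
    tmp = tempfile.mkdtemp(prefix="onyx-triage-")
    # A small document that decrypted correctly: header intact, low entropy.
    with open(os.path.join(tmp, "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n" + b"Lorem ipsum dolor sit amet. " * 200)
    # A large file whose contents were overwritten with random bytes.
    with open(os.path.join(tmp, "archive.zip"), "wb") as fh:
        fh.write(os.urandom(SIZE_THRESHOLD + 1))
    # A small file that still looks like ciphertext: no header, high entropy.
    with open(os.path.join(tmp, "notes.txt"), "wb") as fh:
        fh.write(os.urandom(8192))
    return triage(tmp)


if __name__ == "__main__":
    for name, verdict in sorted(run_demo().items()):
        print(f"{verdict:22} {name}")
```

Run it against a copy of the decrypted share rather than the live one, and treat "destroyed" as a list of files to pull from backup; the entropy test alone cannot tell ciphertext from junk, which is why the size threshold from the report is the deciding factor for that verdict.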

Malware attacks in general and particularly ransomware attacks are an unfortunate part of corporate life these days.  Whether due to poor planning, faulty backups, or something else, some companies feel the need to pay the ransom and get on with the business of their business. However, in this case, the Onyx campaign proves that there is no honor among thieves.  Be careful out there.

New Delivery Method For Ransomware Discovered Called Bumblebee

Some interesting and disturbing changes are afoot in the hacking world.  It appears that the TrickBot gang is now working for the Conti Syndicate. TrickBot is a well-known group of botnet developers responsible for the creation of the BazarLoader. BazarLoader has been used by Conti in the past as their delivery system of choice when it comes to delivering ransomware as part of one of their sophisticated phishing campaigns.

Now though, the Conti Syndicate has a new tool at their disposal: a newly developed malware loader dubbed Bumblebee.  Eli Salem, a seasoned malware reverse engineer at Cybereason, says that the techniques used by Bumblebee are similar to those used by BazarLoader. This suggests that they were developed by the same team, which points the way back to TrickBot.

So TrickBot’s developers made a new toy for the Conti Syndicate. Since Bumblebee became available, security researchers at Proofpoint and other organizations have been seeing evidence that other groups are switching away from BazarLoader and IcedID (also highly similar) in preference for Bumblebee.

Although similar in its overall structure to BazarLoader, Bumblebee appears to be a more advanced version.

It can support a wide range of commands, including but not limited to:

  • Shi: shellcode injection
  • Dij: DLL injection into the memory of other processes
  • Dex: download an executable
  • dl: uninstall the loader
  • Ins: enable persistence via a scheduled task that runs a Visual Basic Script which loads Bumblebee
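The persistence command is the one a defender can hunt for directly: Windows keeps every scheduled task as an XML file under %SystemRoot%\System32\Tasks, and a task whose action launches a script host to run a .vbs file is unusual enough to review. The script below is an added example written for this article, not code from the original post or from any vendor: it parses task XML in the Task Scheduler schema, flags actions that run wscript/cscript/mshta or reference a script file, and reports the task's triggers. Both task definitions embedded in it are constructed samples (the task names, paths and script file are invented for the demo).

```python
import os
import re
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler XML format used for files under %SystemRoot%\System32\Tasks.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts that a loader's persistence task would typically invoke.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
# Script file extensions worth flagging when they appear in a task action.
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.IGNORECASE)


def review_task(xml_data) -> dict:
    """Inspect one task definition (bytes or str) and return findings."""
    root = ET.fromstring(xml_data)
    uri = (root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS) or "").strip()
    findings = []
    for action in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (action.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (action.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        # Reduce the command to its basename so full paths and quoting do not matter.
        host = cmd.replace("\\", "/").rsplit("/", 1)[-1].strip('"').lower()
        if host in SCRIPT_HOSTS:
            findings.append(f"task action runs script host {host}")
        if SCRIPT_EXT.search(args) or SCRIPT_EXT.search(cmd):
            findings.append("task action references a script file: " + (args or cmd))
    triggers = [child.tag.split("}")[-1] for child in root.findall("t:Triggers/*", NS)]
    return {"uri": uri, "triggers": triggers, "findings": findings, "suspicious": bool(findings)}


def scan_task_dir(directory: str) -> list:
    """Review every task file in a tree; real task files are UTF-16, so read bytes."""
    results = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                try:
                    result = review_task(fh.read())
                except ET.ParseError:
                    continue  # not a task definition
            result["file"] = path
            results.append(result)
    return results


# Constructed sample: an ordinary nightly job (fictional product and path).
BENIGN_TASK = b"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Contoso\\NightlyBackup</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2022-01-01T02:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\Backup\\backup.exe</Command><Arguments>--full</Arguments></Exec>
  </Actions>
</Task>"""

# Constructed sample: a logon-triggered task that hands a .vbs file to wscript (invented name and path).
SUSPICIOUS_TASK = b"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Maintenance\\svc_update</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Windows\\System32\\wscript.exe</Command>
          <Arguments>//B "C:\\Users\\Public\\Libraries\\svc_update.vbs"</Arguments></Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for sample in (BENIGN_TASK, SUSPICIOUS_TASK):
        r = review_task(sample)
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['uri']} triggers={r['triggers']}")
        for f in r["findings"]:
            print("           -", f)
```

On a live host, point scan_task_dir at the Tasks folder and review each hit against the task's author and creation time; a logon trigger plus a script host is the combination the "Ins" command describes, but legitimate admin scripts use the same mechanism, so the output is a review queue, not a verdict.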

Worse is that there is clear evidence that Bumblebee is being actively developed and gains new features and capabilities with every update.

As of the update observed on April 19th, for example, the malicious code now supports multiple command-and-control servers. The development team has recently added an encryption layer that makes it more difficult to track communications to and from the command-and-control server.

What this means in terms of the bigger picture is anyone’s guess. It seems clear that there’s a growing level of cooperation and coordination in the hacking world lately, and that should scare just about everyone.

Microsoft Exchange Servers Targeted By Hackers

If you rely on a Microsoft Exchange server to handle email for your company, there is something you should be aware of. Recent research by security and analytics company Varonis has discovered that an affiliate of Hive ransomware has begun targeting Exchange servers that are vulnerable to ProxyShell security issues.

If the group in question finds a vulnerable server, they’ll install a variety of backdoors including Cobalt Strike beacon. That allows them to come back later and snoop around in your network for anything of value, steal administrator account credentials, make off with your company’s proprietary data, or encrypt your files and demand payment from you to get them back.

The exploited flaws are being tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31297. All three range in severity from 7.2 (high) to 9.8 (critical).

This group is hardly unique in exploiting these flaws.  They’ve been used by other hacker groups including Cuba, Babuk, BlackByte, Conti, and others.  The fact that the exploits seem to be growing in popularity among the hacking community is the most troubling aspect of the recent discovery.

Hive has been around since at least June of last year (2021) and the group has evolved considerably since they first appeared. That prompted the FBI to release a report detailing their activities and tactics to better prepare IT professionals for attacks the group might make against their organizations.

In October 2021, the Hive gang added Linux and FreeBSD variants to their growing bag of tricks, and they became one of the most active ransomware operations as measured by the frequency of their attacks.

Just last month, researchers at SentinelLabs discovered that the group is using a new obfuscation technique in a bid to better mask the malicious payloads they introduce to infected networks.

All of this points to the fact that the Hive group is actively working to improve the efficiency and effectiveness of their attacks.  Stay vigilant and be on the alert for this group.  They’ve got a well deserved reputation for being dangerous.

The San Francisco 49ers Recently Hit With Ransomware Attack

Hackers will attack absolutely anybody.  No one is safe and nothing is sacred.  Not even football is safe.

The most recent high-profile attack was made against the San Francisco 49ers, according to BleepingComputer, which got confirmation from the 49ers.

According to the information disclosed by the 49ers, they are in the process of recovering from an attack by the BlackByte ransomware gang which caused a "temporary disruption" of parts of the 49ers' IT infrastructure.

Currently we have few details.  We do not know for example whether the BlackByte gang was able to successfully deploy their ransomware. We cannot confirm the gang’s claims that they stole data from the football organization.

Their official disclosure statement reads in part, as follows:

“The San Francisco 49ers recently became aware of a network security incident that resulted in temporary disruption to certain systems on our corporate IT network. Upon learning of the incident, we immediately initiated an investigation and took steps to contain the incident.

Third-party cybersecurity firms were engaged to assist, and law enforcement was notified.

While the investigation is ongoing, we believe the incident is limited to our corporate IT network; to date, we have no indication that this incident involves systems outside of our corporate network, such as those connected to Levi’s Stadium operations or ticket holders.

As the investigation continues, we are working diligently to restore involved systems as quickly and as safely as possible.”

While the BlackByte gang isn’t particularly active, security professionals have been aware of their activities since July 2021. They have taken down their share of relatively high-profile targets and are certainly not to be ignored.

The lesson here is simple.  No matter who you are, you are not safe.  The hackers don’t care, and they will come for you.  Stay vigilant out there, because 2022 is just getting started.

Ransomware Attack Wreaks Havoc On Prison Employees And Inmates

Chalk up another first for the hackers.  For the first time that we know of, a successful hacking attack caused prisoners in New Mexico to be confined to their cells for a time.

The Metropolitan Detention Center in Bernalillo County, New Mexico went into lockdown on January 5th of this year (2022) when hackers infiltrated the prison system’s network and deployed a malware payload.

For the duration of the system outage, the prison cells could not be opened.

While the incident was not reported at the time, details came to light indirectly when the attack and its effects were referenced in court documents. One public defender representing the inmates suggested that their Constitutional rights had been violated, because visitations were cancelled as a result of the incident.

In addition to the uproar it caused among the prison population, a number of the local government’s databases appear to have been corrupted. Until functionality was restored the employees of the prison could not access camera feeds or access any inmate data.

Of course, the physical keys carried by the guards still worked. However, given the situation, the Warden placed the entire facility on lockdown for the duration of the incident.  Full functionality was restored by the afternoon of January 5th.

Few additional details have been revealed about the attack.  We don’t even know what sort of malware was deployed.  Only that the system is “still being repaired,” according to county officials, and that certain systems are still being impacted.

Unfortunately, the issue has prompted federal law enforcement’s involvement, as the prison was already under fire for poor conditions.  What happens next is anyone’s guess.

It’s understandable that the county is being somewhat tight-lipped about the incident, especially given the pending court case. At least some additional transparency would be appreciated.