Thanks to VMware TAU (Threat Analysis Unit) for publishing a technical report on ransomware, cryptominer, and RAT attacks and techniques. The report covers recent critical threats against Linux-based multi-cloud environments, such as REvil and Defray777.
I asked one of my technical staff (TW:alirahimi681) to review this very useful document. After reading it closely, he summarized an easy-to-read draft of two categories of threats covered in the document: ransomware and cryptominers. I then decided to publish this briefing on my blog for those who may not read the whole original document.
Ransomware families:
VMware TAU analyzed nine ransomware families and characterized their evolution. They started by comparing the characteristics of the ransomware samples of each family using the static information extracted from their ELF files. While threats can be a combination of shell scripts, Python scripts, and binaries, the report focuses on the binaries, since binaries are usually the components that carry out the file system encryption in a ransomware attack.
REvil: Also known as Sodinokibi, originally targeted Windows hosts but released a Linux version in spring 2021. Interestingly, this threat relies on the esxcli tools to stop the current ESXi virtual machines. It then encrypts their on-disk images to prevent the recovery of running VMs. Recently, REvil actors have been targeted by a coordinated take-down operation that may impact future variants.
DarkSide: The actors behind DarkSide initially distributed REvil, effectively working under the REvil ransomware-as-a-service (RaaS) model. DarkSide has been used to target a wide variety of organizations; it initially targeted Windows but quickly evolved to include Linux targets, in particular those running on ESXi servers. These servers are usually targeted after the threat actors gain access to a VMware vCenter deployment, often by means of stolen credentials.
BlackMatter: The actors behind BlackMatter made sure to publicly announce that they were not targeting specific verticals, such as healthcare, oil and gas, government, and critical infrastructure companies, possibly following the backlash that the Colonial Pipeline attack created and the unwanted attention that the DarkSide operators received.
Defray777: Defray ransomware is another Linux-based threat that targets ESXi VMs. An interesting property of some of its samples is that it doesn’t strip or tamper with ELF binaries, which makes them easier to analyze. This ransomware family is closely related to RansomEXX to the point that sometimes the two families are considered to be variations of the same threat.
HelloKitty: The actors behind HelloKitty ransomware have achieved notoriety after successfully attacking CD Projekt Red, the makers of the Cyberpunk 2077 video game. It’s a Windows-based threat that evolved and expanded into the Linux world, targeting Linux-based systems and ESXi servers. Like other samples that target ESXi VMs, HelloKitty uses the esxcli tool to stop the VMs currently running before encrypting their files.
ViceSociety: Their malware shows substantial similarities with the HelloKitty ransomware. This ransomware family was responsible for attacking the United Health Centers in the San Joaquin Valley in California, among other targets, which resulted in the leaking of sensitive patient records.
EreBus: This is a relatively older ransomware family. It initially targeted Windows hosts but evolved in 2016 to include a Linux variant. This threat is unique because of its multilingual nature. While the actors behind the ransomware have stopped their activity, it is still an interesting sample that shares some behaviors with other ransomware families.
GonnaCry: This is an open-source ransomware sample written in C and Python. While the Python version is mostly used as a way to showcase some of the behaviors associated with ransomware, the C version has actually been observed in the wild.
ECh0raix: This ransomware targets QNAP NAS storage devices with weak credentials. This family is written in the Go language, and its features are simpler than other ransomware families.
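Both REvil and HelloKitty above stop the running VMs with esxcli before encrypting their on-disk images. The following added example (not code from the VMware TAU report or from this post) shows one way a defender can flag that behaviour from ESXi shell history: it raises an alert when several `esxcli vm process kill` commands from the same user fall inside a short window. The sample log lines are constructed and their shell.log-style layout is an assumption.

```python
import re
from collections import deque
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a shell.log-like shape (timestamp, process, user,
# command). The layout is an assumption for this example, not taken from the report.
SAMPLE_SHELL_LOG = """\
2021-10-05T09:14:02Z shell[2102]: [root]: esxcli vm process list
2021-10-05T09:14:09Z shell[2102]: [root]: esxcli vm process kill --type=force --world-id=2101245
2021-10-05T09:14:10Z shell[2102]: [root]: esxcli vm process kill --type=force --world-id=2101377
2021-10-05T09:14:11Z shell[2102]: [root]: esxcli vm process kill --type=force --world-id=2101402
2021-10-05T09:14:12Z shell[2102]: [root]: esxcli vm process kill --type=force --world-id=2101513
2021-10-05T13:40:55Z shell[3310]: [root]: esxcli vm process kill --type=soft --world-id=2101600
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
KILL_RE = re.compile(r"\besxcli\s+vm\s+process\s+kill\b")


def parse_shell_log(text):
    """Yield (timestamp, user, command) for each line that matches the layout."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["user"], m["cmd"]


def find_kill_bursts(text, threshold=3, window=timedelta(seconds=60)):
    """Return one alert per user each time `threshold` VM kills land inside `window`.

    A single kill is routine administration; a rapid burst of kills is the
    pre-encryption step the report describes for REvil and HelloKitty.
    """
    recent = {}  # user -> deque of kill timestamps still inside the window
    alerts = []
    for ts, user, cmd in parse_shell_log(text):
        if not KILL_RE.search(cmd):
            continue
        q = recent.setdefault(user, deque())
        q.append(ts)
        while q and ts - q[0] > window:  # drop kills older than the window
            q.popleft()
        if len(q) == threshold:  # fire once, when the threshold is first crossed
            alerts.append({"user": user, "first": q[0], "last": ts, "count": len(q)})
    return alerts


if __name__ == "__main__":
    for alert in find_kill_bursts(SAMPLE_SHELL_LOG):
        print(f"{alert['user']}: {alert['count']} VM kills between {alert['first']} and {alert['last']}")
```

The isolated soft kill at 13:40 is not flagged; only the four force kills within three seconds produce an alert, which is the signal worth correlating with subsequent writes to VM disk files.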
Cryptominer families: