The group, called Coreid, has adopted a new version of its data exfiltration tool, offering more advanced capabilities to profitable affiliates, Symantec said.
The ransomware known as Darkside gained a level of infamy in May 2021 when it was used in a devastating attack on Colonial Pipeline, a company responsible for supplying oil and gas to the East Coast. Now the cyber criminals behind Darkside are using new ransomware with new tools and tactics that make them even more of a threat.
What is Coreid?
In a report published Thursday, security firm Symantec detailed the latest activities and methods Coreid is using to target organizations with ransomware. Coreid, also known in some circles as FIN7 or Carbon Spider, is a ransomware-as-a-service (RaaS) operation that develops ransomware tools and services and then collects a share of the proceeds from the affiliates who use those tools to carry out the actual attacks.
After the Colonial Pipeline incident brought unwanted attention to Darkside, its creators rebranded the offering as BlackMatter, allowing them to continue without the publicity surrounding the Darkside name. In November 2021, the group shut down its BlackMatter operation in response to pressure from law enforcement. The operation quickly resurfaced, however, this time using the name Noberus for its ransomware offering. And it is Noberus that poses the greater threat, with more advanced tools and tactics.
How Noberus is more dangerous than other ransomware
First spotted in November last year, Noberus boasts several features designed to set it apart from other types of ransomware. To frustrate victims and law enforcement, Noberus offers two different encryption algorithms and four encryption modes, any of which can be used to encrypt a victim's files. The default method uses a technique called "intermittent encryption," which encrypts only portions of each file so that data is rendered unusable quickly while the process is less likely to be detected.
To exfiltrate the stolen files, Noberus uses a tool called Exmatter, which Symantec says is designed to take specific types of files from selected folders and upload them to the attacker's server before the ransomware is deployed. Exmatter is continually refined and improved and can exfiltrate files via FTP, SFTP (Secure FTP) or WebDAV. It can generate a report of all the files it has processed and exfiltrated, and it can self-destruct if it is run in a non-corporate environment.
Noberus is also able to use information-stealing malware to obtain login credentials from Veeam backup software, a data protection and disaster recovery product that many organizations use and that stores credentials for domain controllers and cloud services. The malware, known as Infostealer.Eamfo, can connect to the SQL database that holds those credentials and steal them with a specific SQL query.
The affiliates that use Noberus to carry out attacks also pose a greater threat because of the tools put at their disposal. While Coreid drops affiliates that don't generate enough money, it rewards those that prove profitable. Each affiliate that brings in more than $1.5 million gets access to DDoS attack tools, files of victims' phone numbers so they can be contacted directly, and free brute-force attacks against specific systems.
"In most respects, this report simply confirms the fact that while there are a few monolithic full stack cybercrime gangs, many players in the cybercrime ecosystem specialize in a variety of functions," said Chris Clements, VP Solutions Architecture for Cerberus Sentinel. "There are initial access brokers selling a foothold in networks, ransomware-as-a-service developers building the tools to escalate privileges, exfiltrate data and launch massive encryption operations, and their customers who use these toolsets to extort victims."
How to protect your organization from ransomware
How can organizations better defend against attacks that use the more sophisticated tools and tactics of ransomware like Noberus?
“To stay safe from such powerful tools, organizations must adopt a true culture of cybersecurity that focuses on the foundations of awareness, prevention, monitoring and validation,” said Clements. “Against a rapidly evolving threat landscape, it is much more important that defenders focus their efforts on prevention and detection, not on cybercriminal tools, but rather on methods and behaviors that attackers use. Individual exploits can change on a daily basis, but cybercriminals’ targets change much more slowly. The primary goals of quickly finding and exfiltrating sensitive data and launching large-scale encryption campaigns are reliable targets to focus efforts on prevention and detection.”