Following a series of high-profile attacks, several of the biggest names in the ransomware industry, such as DarkSide, Avaddon, and REvil, disappeared during the middle of this year.
However, several new ransomware gangs have recently debuted and are threatening organizations in various sectors. These new operators usually use double extortion and steal data before crypto-locking systems.
In a report published yesterday, security researchers at GovInfoSecurity detailed seven new ransomware entities: ALTDOS, AvosLocker, Hive, HelloKitty, LockBit 2.0 and OnePercent Group, and a DarkSide spinoff BlackMatter.
Previously, CIM wrote about four of them. In this post, we’ll cover the remaining three: ALTDOS, OnePercent Group, and BlackMatter.
This week, Singapore’s Cyber Security Agency, police, and Personal Data Protection Commission warned about the new ransomware operation, known as ALTDOS, that has been hitting organizations in Thailand, Singapore, and Bangladesh.
Like the other ransom groups, ALTDOS uses double extortion. This means that victims are asked to pay a ransom not only for a promised tool but also for the promise that their data will be deleted.
“It is currently unknown which ransomware variant is employed by ALTDOS,” according to their joint advisory. “ALTDOS will … contact the victim using an email address hosted on ProtonMail demanding that payment be made or the exfiltrated data will be published.”
If the victim does not pay the ransom within the given time frame, ALTDOS may also launch a distributed denial-of-service attack on the victim’s systems.
On Monday, the FBI has issued a warning about the OnePercent Group, active since November 2020. The gang uses phishing attacks to infect users with the IcedID (BokBot) banking Trojan. The group sends out emails that contain a fake Word or Excel document with a malicious macro. Once enabled, it drops and executes the Cobalt Strike penetration-testing tool.
With the help of PowerShell scripting, the attackers move laterally across the network and exfiltrate sensitive data to cloud storage using the Rclone tool, according to the FBI.
“The actors have been observed within the victim’s network for approximately one month prior to deployment of the ransomware,” the FBI reports. “The victim will start to receive phone calls through spoofed phone numbers with ransom demands and are provided a ProtonMail email address for further communication,” the FBI says.
The group also threatens to sell the stolen data to the REvil, aka Sodinokibi group, if the victim doesn’t pay up.
Security firm Armorblox noted that the indicators of compromise provided by the FBI show connection to the “Shathak” or “TA551” groups, which Mandiant designates UNC2420 and the IcedID infrastructure detailed in May by security firm Team Cymru.
In July, a cybercrime forum user known as BlackMatter announced a launch of a new operation that incorporated various features of DarkSide, REvil, and LockBit.
After analyzing a BlackMatter decryptor, Fabian Wosar of security firm Emsisoft said: “I am convinced that we are dealing with a DarkSide rebrand here.” Blockchain analysis firm Chainalysis has analyzed the cryptocurrency wallets of BlackMatter and also concluded that it’s a rebrand of DarkSide.
We see that ransomware operators do not simply disappear, they would simply set up a new group under a different name.
“We have known for 50 years that hacking is an addictive behavior,” says information security veteran William Hugh Murray. “It is naive to expect reform. ‘Rebranding’ is much more likely than reform or retirement.”