The MosesStaff hacking gang has entered the ‘ransomware’ fight with a twist: they aren’t interested in blackmail money. Check Point Research (CPR) said on November 15 that the group began targeting companies in Israel in September of this year, joining operations by Pay2Key and BlackShadow.
The goal of these operations was to infect their victims’ computers with ransomware, inflict harm, and steal important information that would be used in future public disclosures. Ransomware authors such as Maze, Conti, and LockBit, to name a few, have used the Dark Web to build specialized data leak websites as a means of double-extortion.
During an attack, these gangs will take vital business information before the victim’s systems are encrypted. If they refuse to pay, these organizations risk having their data disclosed or sold to the public.
MosesStaff, on the other hand, is open about its intentions: the assaults are political. There is no ransom demand; the primary goal is to steal information and create damage. According to the researchers, initial access is achieved through flaws in public-facing systems, such as the problems in Microsoft Exchange Server that were patched earlier this year.
MosesStaff then drops a webshell to run more commands after access has been granted. Data from the target system is then exfiltrated, including domain names, machine names, and credentials, to create a bespoke version of the PyDCrypt virus. This payload is primarily concerned with infecting additional susceptible workstations on a network and ensuring that the primary encryption payload, DCSrv, is effectively executed. DCSrv is centered on the DiskCryptor open-source utility.
The DiskCryptor bootloader is also run to prevent the machine from being booted without a password. According to the researchers, if properly stored EDR data are accessible, it may be feasible to reverse the existing encryption process under the right circumstances.
Because of development time logs and coding hints in a program used, OICe.exe, submitted to VirusTotal from Palestine long before the campaign started, CPR thinks they may be situated in Palestine.