Mandiant – AVADDON Ransomware

January 25, 2022

Industry: N/A | Level: Operational | Source: Mandiant

Mandiant has published research on AVADDON ransomware, which operated between June 2020 and June 2021, when the group shut down after its private encryption keys were released. The ransomware was initially advertised on Russian-speaking forums and targeted a variety of industry verticals. Nearly all sectors were impacted; however, the highest victim counts were in education, finance, government, healthcare, and technology. Based on the RaaS TTPs, Mandiant has speculated about a potential link between AVADDON, BLACKMATTER and SABBATH. Observed TTPs included the use of initial access brokers for compromised credentials, the BLACKCROW and DARKRAVEN custom web shells, RDP for lateral movement, EMPIRE and POWERSPLOIT for post-exploitation, scheduled tasks for persistence, 7zip for data archival, and MEGAsync for data staging and exfiltration.

  • Anvilogic Scenario: Avaddon Ransomware – Behaviors
  • Anvilogic Use Cases:
    • Potential Web Shell
    • Mimikatz
    • RDP Hijacking
    • Create/Modify Schtasks
    • PowerSploit Get-system.ps1

FinalSite Ransomware

January 05, 2022

Industry: Education & Technology | Level: Strategic | Source: FinalSite

FinalSite, a school website design SaaS provider, suffered a ransomware attack on January 4th, 2022. The attack impacted various school districts, as FinalSite serves a large customer base, stating that its solution is used by over 8,000 schools and universities in 115 different countries. The inaccessibility of their websites has caused issues for school districts that use the service to send emergency email notifications. This is especially pertinent, as schools send notifications for school closures and COVID-related news. The company is currently working with the cyber forensic investigations firm Charles River Associates on a more comprehensive investigation and is providing limited details on the impact of the attack. From the company statement: “After six days of investigation, we know when the threat actor entered, how they entered, and what they looked at. We are confident in saying that no client data has been viewed, compromised, or extracted”. While the ransomware strain has been identified, the SaaS provider did not disclose details of the variant.

AvosLocker Ransomware Backtracks

December 29, 2021

Industry: Government | Level: Strategic | Source: BleepingComputer

A US police department was breached by AvosLocker last month, resulting in data exfiltration and encryption. However, based on a screenshot shared on Twitter by security researcher pancak3, the ransomware gang provided the decryptor key to the affected agency after learning that the victim is associated with the US government; no information was given on what data was stolen.

Diavol Ransomware – DFIR Report

December 29, 2021

Industry: N/A | Level: Operational | Source: DFIR-Report

Intrusion analysis from The DFIR Report identified a BazarLoader infection leading to the deployment of Diavol ransomware. The threat actor associated with Diavol ransomware is suspected to be Wizard Spider. The intrusion spanned three days. Initial access was obtained through BazarLoader, delivered by a phishing email containing a malicious OneDrive link; following the infection, internal reconnaissance was initiated along with the execution of a batch script that obtained credentials from the registry hives. After an 18-hour break in activity, additional reconnaissance took place along with use of the Rubeus tool, lateral movement via RDP and AnyDesk, and data exfiltration using FileZilla. Lastly, alongside ransomware deployment, a batch script was executed that removed volume shadow copies and stopped services.

  • Anvilogic Scenarios:
    • Diavol Ransomware
    • BazarLoader Behaviors

Conti & Log4Shell from AdvIntel

December 21, 2021

Industry: N/A | Level: Tactical | Source: AdvIntel

Continued vigilance on the threat landscape due to Log4Shell has identified the Conti ransomware group showing signs of interest. A report from AdvIntel detailed that Conti had been deprived of new viable attack vectors since November but had been searching for new methods. It wasn’t until the fallout of Log4Shell that the ransomware group finally found what they had been looking for. Multiple Conti members have been identified initiating scanning activity for the exploit. A recent quote from AdvIntel confirmed, “the criminals pursued targeting specific vulnerable Log4J2 VMware vCenter for lateral movement directly from the compromised network resulting in vCenter access affecting US and European victim networks from the pre-existent Cobalt Strike sessions.”

  • Anvilogic Scenarios:
    • Log4Shell Payload
    • Kinsing Behaviors
    • Unix File Download, Modified, Executed
  • Anvilogic Use Cases:
    • Potential CVE-2021-44228 – Log4Shell
    • File Download (Unix)
    • Modify File Attributes

Clop Ransomware Publishes Confidential Police Data

December 21, 2021

Industry: Law Enforcement & Technology | Level: Strategic | Source: InfoSecurity

As reported by “The Mail” on December 19th, 2021, the Clop ransomware gang compromised IT services provider Dacoll in October 2021 and was able to obtain data from the Police National Computer (PNC). The threat group posted the data on the dark web after Dacoll refused to pay the ransom demand. Data from the leak included images of motorists captured by the UK’s National Automatic Number Plate Recognition (ANPR) system.

BlackByte Ransomware from RedCanary

December 01, 2021

Industry: N/A | Level: Tactical | Source: RedCanary

RedCanary presented research from a BlackByte ransomware incident response engagement conducted with Kroll. The attack sequence covered initial access via ProxyShell and a web shell, post-exploitation with Cobalt Strike, impairment of defenses through modifications to process monitoring, Windows Defender, and the firewall, and finally ransomware deployment and file exfiltration.

  • Anvilogic Scenario: BlackByte Behaviors
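As an added example (not code from The DFIR Report, RedCanary, or Anvilogic), the following detection pass runs over constructed process-creation events and flags the shadow copy deletion and mass service stops described in the Diavol intrusion above, as well as the Windows Defender and firewall tampering from the BlackByte engagement. The sample events, rule names and the service-stop threshold are assumptions.

```python
import re

# Constructed sample process-creation events (host, image, command_line);
# these are illustrative, not taken from either report.
SAMPLE_EVENTS = [
    ("ws01", "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ("ws01", "net.exe", "net stop SQLWriter /y"),
    ("ws01", "net.exe", "net stop MSSQLSERVER /y"),
    ("srv02", "powershell.exe", "Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("srv02", "netsh.exe", "netsh advfirewall set allprofiles state off"),
    ("ws03", "vssadmin.exe", "vssadmin list shadows"),   # benign: listing only
    ("ws03", "net.exe", "net start Spooler"),            # benign: start, not stop
]

# Single-event rules: (rule name, regex applied to the lower-cased command line)
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("defender_tamper", re.compile(r"set-mppreference\s+-disable")),
    ("firewall_disable", re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off")),
]

# Aggregate rule: several service stops from one host in the same batch
SERVICE_STOP = re.compile(r"\b(net(\.exe)?|sc(\.exe)?)\s+stop\s+")
SERVICE_STOP_THRESHOLD = 2  # assumed tuning value


def detect(events):
    """Return a sorted list of (host, rule_name) findings for a batch of events."""
    findings = set()
    stop_counts = {}
    for host, _image, cmdline in events:
        cl = cmdline.lower()
        for name, pattern in RULES:
            if pattern.search(cl):
                findings.add((host, name))
        if SERVICE_STOP.search(cl):
            stop_counts[host] = stop_counts.get(host, 0) + 1
    for host, count in stop_counts.items():
        if count >= SERVICE_STOP_THRESHOLD:
            findings.add((host, "mass_service_stop"))
    return sorted(findings)


if __name__ == "__main__":
    for host, rule in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

In production the service-stop count would be evaluated over a time window per host rather than per batch, and the benign `vssadmin list` and `net start` lines show why the patterns anchor on the destructive verbs.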

Cuba Ransomware

December 01, 2021

Industry: Critical Infrastructure | Level: Tactical | Source: FBI

The FBI released a flash report on Cuba ransomware, which, based on FBI tracking as of November 2021, has compromised 49 entities across various critical infrastructure sectors, including but not limited to financial, government, healthcare, manufacturing, and information technology. Hancitor malware is identified as the initial infection vector leading to Cuba ransomware. Threat actors utilize phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, and RDP tools to gain initial access. The threat actors also employ many legitimate Windows services and tools, such as PowerShell and PsExec, in addition to leveraging Windows admin privileges to execute their ransomware.

  • Anvilogic Scenario: Hancitor & Cuba Ransomware
  • Anvilogic Use Cases:
    • Executable Process from Suspicious Folder
    • PSexec Service Creation
    • Remote Admin Tools

Memento Team, Ransomware Gang

November 23, 2021

Industry: N/A | Level: Operational | Source: Sophos

The Memento Team ransomware gang was observed by Sophos working around endpoint protection: after the group’s initial Python 3.9 encryption script was stopped by endpoint protection, they locked the victim’s files in password-protected WinRAR archives instead. The group was active in the victim’s network for a long time, with a six-month dwell time from initial access in April 2021, which exploited CVE-2021-21972, a vCenter vulnerability. During the threat actor’s time on the compromised network they also deployed two coin-miners, XMR on May 18th and XMRig on September 8th, before the victim’s network was encrypted with password-protected archives in October.

  • Anvilogic Scenario: Memento Team – Behavior