AvosLocker Ransomware (RaaS): A New Ransomware Group Emerges

AvosLocker recently made headlines as a new ransomware-as-a-service (RaaS) that commenced operations in June 2021, represented by a purple bug logo. Following the modus operandi of most RaaS operations, AvosLocker has been promoting its affiliate program on various dark web forums. Its primary delivery vectors are spam email campaigns and malicious online advertisements. After a successful compromise, AvosLocker offers victims "technical support" to recover the compromised systems. As stated on its Tor site, AvosLocker uses a custom implementation of 256-bit AES encryption and appends the .avos extension to encrypted files. Victims are directed to a landing page to begin negotiations with the AvosLocker team.

AvosLocker Tor Site

Analyzing AvosLocker

AvosLocker ransom note

Upon execution, AvosLocker encrypts files on the victim’s machine and disables file recovery and system restore. A ransom note is left on the victim’s machine, which includes a link and a corresponding ID for access to the AvosLocker Tor site.

AvosLocker payment page

Once access is granted, AvosLocker presents a clean user interface with four main components:

  1. Countdown Timer – displays the time left before the ransom is doubled.
  2. Test Decryption – allows victims to upload an encrypted sample file to check that it can be successfully decrypted.
  3. Support Bot – a chat feature through which victims interact with the AvosLocker group for negotiation and payment support.
  4. Payment Information – a QR code for the payment address; the ransom is denominated in the XMR (Monero) cryptocurrency.

AvosLocker demands payment in Monero (XMR)

Should the victim choose not to pay the ransom, the AvosLocker group then puts the victim's data up for sale through its "press release" site on the Tor network.

AvosLocker Press Release Onion Service on the Tor network (captured October 20, 2021)

Within seconds of an infection, ReaQta-Hive reconstructs the complete breach, with full details of the attacker's tactics.

Running the attack

ReaQta-Hive’s Behavioural Tree showing the AvosLocker ransomware

ReaQta-Hive is equipped with ransomware protection capabilities to prevent any potential data encryption on endpoints. Any ransomware behaviour is automatically blocked upon detection to ensure that sensitive data is protected.

AvosLocker is automatically stopped by ReaQta-Hive within seconds

ReaQta-Hive was able to autonomously stop AvosLocker in very early attack stages, effectively mitigating any business interruptions. ReaQta’s AI automations terminated all malicious processes and stopped the threat within seconds, then closed off the alert to reduce any additional actions required of security teams.

Ransomware attacks will only continue to surge globally. Organizations and their security leaders should already have security and mitigation plans in place to keep sensitive data safe from destructive malware.

To learn more about what makes ReaQta unique, please visit Why ReaQta and apply for a demonstration.

The arrival of Windows 11, seamlessly supported by ReaQta

Microsoft has made the Windows 11 operating system available for new machines since October 5, 2021, with the Windows 11 ISO download going live at the same time. This means that anyone can update an existing machine without waiting for a prompt, or perform a complete fresh install themselves. According to a note in Microsoft's documentation, Microsoft has also accelerated the offering of Windows 11 to eligible devices.

Microsoft uses its own machine-learning models to determine automatically whether a system can handle the Windows 11 upgrade. The minimum system requirements can be found here.

Windows 11 system requirements

Should the specifications not be met, the upgrade will not be offered to that machine. Machines that do not meet the requirements will continue to run Windows 10, whose support lifecycle ends on October 14, 2025, roughly ten years after the operating system was first released.

If you are unsure whether your PC can run Windows 11, download the PC Health Check app to find out.

Does ReaQta Support Windows 11?

At ReaQta, we have made certain that our customers are supported on Windows 11 from day one, out of the box, with the full ReaQta security suite.

ReaQta agent running on Windows 11 Operating System

ReaQta's Windows agent, version 3.6.1 and above, fully supports Windows 11, providing the same security and performance coverage on Windows 11 as on Windows 10. Devices running an older agent version should upgrade the agent before upgrading to Windows 11.

IBM to Acquire ReaQta

An event of this magnitude requires more than my usual few lines on LinkedIn: we have entered into an agreement to be acquired by IBM.

For the past 7 years, we've worked hard to create an environment that fosters innovation and promotes new ideas. We've challenged the "usual way of doing things" and arrived at new concepts, ideas, workflows and technologies. Most of what we ended up creating emerged from our own constraints and desire to build a process that was efficient and more machine-driven. We never liked the idea of solving problems by hiding them behind the now proverbial RFoP (Room Full of People); we felt like it was cheating and wanted to make sure that all the tedious or time-sensitive tasks were taken over – to the maximum extent possible – by algorithms. For us, A.I. and Machine Learning were never buzzwords but a means to an end.

The result was a solution, ReaQta-Hive, that I personally loved from day one, as it embodied our core values: simplicity and automation. Building an “easy-to-use” business solution is definitely a difficult task. Finding the balance between how much data to show and how much you choose not to, in order to avoid information overload, is incredibly difficult. How do you select what’s important? How do you decide what isn’t? We’re dealing with sophisticated threats, where nothing is certain and everything is new, so drawing the line is often difficult. Our secret weapon has always been a team of incredibly gifted talent that we have carefully selected – and many times they have chosen us! – over the years. We’ve always made sure to keep the conversation going between all departments, and these exchanges have worked very well to plant the seeds for brilliant new ideas.

All those efforts eventually paid off: Gartner named us Cool Vendors in October 2020, we successfully managed several MITRE rounds, and our customer base continued to grow at a steady pace. Shortly thereafter, when the conversation with IBM began, the security team shared their ideas and strategy with us and everything aligned perfectly. Discussion after discussion, it became clear that the direction we had taken and the direction IBM had chosen were really the same (net of a difference in scale factor, of course ;). And here we are today.

I’m excited about what’s coming next and also incredibly proud. The idea of participating in the creation of QRadar XDR, on such a large scale, is incredibly rewarding and is also a strong validation of the technology we have developed. I’m proud, because this is the result of a fantastic team that managed to remain cohesive, reliable, inventive and vibrant, even as the world was changing and we moved from bustling offices to the tranquility of our living rooms.

In IBM we will join forces with top talent from around the world, a unique opportunity for our team to be exposed to the best and most creative minds and continue to innovate faster than we ever thought possible. This is the beginning of an exciting new journey to change the way we think about cybersecurity, and I’m excited about what lies ahead!

Cover image shamelessly stolen from Christopher Meenan’s LinkedIn post.

Alberto Pelliccione

Conti Ransomware (RaaS): A New Wage-Paying Affiliate Model

The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on September 22, 2021 on the Conti ransomware group, providing detailed information about its tactics and affiliates. Together with the Federal Bureau of Investigation (FBI), CISA has observed Conti ransomware in more than 400 attacks on U.S. and international organizations. A PDF version of the advisory, which contains a technical breakdown of the ransomware group and mitigation steps, is available here.

While it operates as a ransomware-as-a-service, Conti's compensation structure differs from the typical affiliate model. According to CISA, Conti actors are believed to pay the deployers of the ransomware a wage rather than only a percentage of the proceeds from a successful compromise. Where RaaS models such as LockBit 2.0, BlackMatter and RansomEXX pay affiliates only when a breach succeeds, Conti's scheme lowers the barrier for malicious insiders or disgruntled employees to deploy ransomware: potential insiders get paid from the outset, even if the attack fails.

Analyzing Conti

Conti Recovery Service Tor Site

Conti actors use a wide range of tools and methods to gain initial access, including targeted spear-phishing campaigns with custom-crafted emails carrying malicious attachments or links. The attachments often contain embedded scripts used to download or drop additional malware.

Other common entry methods include stolen or weak Remote Desktop Protocol (RDP) credentials, phone calls, fake software, other malware distribution networks, and common vulnerabilities in external-facing assets.

According to a leaked Conti playbook, Conti actors exploit vulnerabilities such as "PrintNightmare" (CVE-2021-34527) on unpatched assets to escalate privileges and move laterally across a victim's network. Once the victim's data has been stolen and encrypted, a double-extortion technique is employed: a ransom is demanded in exchange for the decryption key, and the victim is threatened with public release of the stolen data should the ransom go unpaid.

Conti ransom note

Running the attack

ReaQta-Hive reconstructs the entire breach within seconds of an infection, providing full details of the attack behaviours and techniques used.

ReaQta-Hive’s Behavioural Tree showing the Conti ransomware

Built with ransomware protection capabilities, ReaQta-Hive autonomously blocks ransomware once any ransomware behavior is exhibited to prevent any potential data encryption on the endpoint.

Conti is automatically stopped by ReaQta-Hive within seconds

ReaQta automatically stopped Conti within seconds, effectively mitigating the risks of any business interruptions and downtime. In addition to stopping the threat, ReaQta’s AI automations autonomously terminated all malicious processes and closed off the alert, reducing any extra actions required of the security team.

As ransomware attacks continue to grow to become one of the greatest security challenges for organizations globally, it is imperative that security leaders prioritize having mitigation plans ready so that swift action can be taken.

CISA recommends the following actions to reduce the risk of compromise by Conti ransomware:

  1. Ensure multi-factor authentication (MFA) is enabled across the organization.
  2. Ensure network segmentation, using demilitarized zones (DMZs) and network traffic controls that block ingress and egress communications with known malicious IP addresses. Implement strong spam filters and run regular user training programs to enforce proper cyber hygiene.
  3. Ensure assets and software are routinely patched and updated.
  4. Use application allowlisting to prevent employees from installing illegitimate or unauthorized software that contravenes the organization's security policy. Implement execution prevention by disabling macro scripts in Microsoft Office files transmitted via email.
  5. Implement endpoint detection and response (EDR) tools. EDR tools like ReaQta-Hive provide visibility into the security status of endpoints and proactively secure organisations against malicious cyber actors.
  6. Control access to resources over the network, e.g. by restricting RDP.
  7. Ensure user accounts are configured with the right access controls and privileges, and check logs to ensure account holders are legitimate users.

Remote code execution vulnerability CVE-2021-40444 could become the next prolific cyber crime tool. Here’s how to stay ahead of such exploits.

A recently discovered exploit targeting a vulnerability in Microsoft's MSHTML browser engine could become a prolific tool for cyber criminals in both targeted and wide-spread campaigns. CVE-2021-40444, a remote code execution vulnerability in MSHTML, was disclosed by Microsoft in a 7 September 2021 advisory [1], but a malicious document involved in the exploit chain had been discovered separately by security researchers a week earlier. Public analysis of the document has led to multiple proof-of-concept exploits that are now widely available. Despite the availability and ease of use of the exploit, any attack chain involving it generates noticeably anomalous behaviour on the target machine.

According to Microsoft's 15 September analysis of the exploit chain [2], attacks involving the exploit were first observed in August 2021, with emails posing as legal agreements leading the victim to the malicious document on a file-sharing site. Once the document was opened, malicious JavaScript in a remotely hosted file was loaded via an external OLEObject relationship. Microsoft notes that Protected View and Application Guard for Office block this attack, so the chain relied on the document being opened outside those protections; once it was, no further interaction from the victim was required. From there, a remotely hosted CAB file containing a DLL posing as an INF file was downloaded, decompressed and loaded, which in turn fetched a custom Cobalt Strike Beacon loader.

The exploit itself is not technically challenging to deploy, and since it became known to the broader public several proof-of-concepts have been released, including examples that make customization relatively easy. As MSHTML is present in every Windows environment, the exploit will remain effective on any unpatched system. Its availability and reach will likely make it a common tool among attackers conducting wide-spread malicious email campaigns.

Analyzing the exploits

ReaQta analyzed both the exploit found in the wild and the publicly available proof-of-concepts, and found glaring red flags in the telemetry straight away, including techniques catalogued in the MITRE ATT&CK framework such as T1129, Shared Modules.

ReaQta mapped the use of exploits to the MITRE ATT&CK Framework

To load the module, the attack leverages Microsoft's URL protocol handler for Control Panel items, ".cpl://", followed by a relative path traversal. Aside from the module load itself, the use of .cpl:// in a URL is conspicuous, and in particular its use to load an INF file.

Beyond the very unusual activity around loading the malicious module, the overall behaviour of Microsoft Office triggers numerous actions resembling known techniques mapped to the MITRE ATT&CK framework, including the spawning of child processes.

The attack chain generates numerous events mapped to known techniques.

Even without a patch for CVE-2021-40444, similar exploits, including those against zero-day vulnerabilities, cannot be executed without generating highly anomalous activity on the target machine, which an effective EDR can detect. While attackers must first work to evade standard security features in the OS, such as the additional warnings and restrictions that Protected View imposes on users, living-off-the-land attacks require atypical use of legitimate tools and protocols available on the target machine. Moreover, the attack cycle does not end with successful exploitation of CVE-2021-40444: the attackers must still conduct follow-on activity to gain wider access to the target's network.

In-depth monitoring and threat detailing with ReaQta-Hive

ReaQta-Hive is designed to detect such activity immediately, and agents can describe the threat more specifically through ReaQta's DeStra engine. DeStra adds a further layer of monitoring, allowing blue teams to craft simple yet sophisticated correlations based on the insights of the Hive agents. While exploits against CVE-2021-40444 already trigger alerts in Hive, a DeStra rule can tag the specific attack in an alert: in this case by matching the user agent observed in the HTTP request for the second-stage payload ("Microsoft Office Discovery Protocol"), or the use of .cpl:// with a relative path traversal in the command line of an event.
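As an added example, not ReaQta's own DeStra rule syntax, the following Python sketches the two correlations just described as detection logic over a constructed telemetry stream. The event fields (type, host, cmdline, user_agent), the control.exe process name in the sample and the severity scheme are assumptions for the illustration; the regular expression accepts both the ".cpl:../" and ".cpl://../" forms of the handler abuse.

```python
"""Flag the CVE-2021-40444 exploit-chain indicators described above.

Added example, not ReaQta's DeStra rule language: plain Python over a
constructed event stream that approximates what an EDR agent would report.
"""
import re
from typing import Dict, List, Set, Tuple

# Control Panel protocol handler followed by a relative path traversal,
# with or without the "//" (".cpl:../.." or ".cpl://../..").
CPL_TRAVERSAL = re.compile(r"\.cpl:(?://)?(?:\.\.[\\/])+", re.IGNORECASE)
# The handler being used to reach an .inf file (the disguised DLL).
CPL_INF = re.compile(r"\.cpl:\S*?\.inf\b", re.IGNORECASE)
# User agent seen on the HTTP request for the second stage.
OFFICE_DISCOVERY_UA = "microsoft office discovery protocol"

# Constructed telemetry (assumed field names): WS01 shows both indicators,
# WS02 is benign Office and Control Panel activity.
SAMPLE_EVENTS = [
    {"type": "http", "host": "WS01", "process": "WINWORD.EXE",
     "user_agent": "Microsoft Office Discovery Protocol",
     "url": "http://example.invalid/side.html"},
    {"type": "process", "host": "WS01", "parent": "WINWORD.EXE",
     "image": "control.exe",
     "cmdline": r'control.exe ".cpl:../../../AppData/Local/Temp/Low/payload.inf"'},
    {"type": "http", "host": "WS02", "process": "WINWORD.EXE",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
     "url": "http://example.invalid/template.dotx"},
    {"type": "process", "host": "WS02", "parent": "explorer.exe",
     "image": "control.exe", "cmdline": "control.exe /name Microsoft.System"},
]


def match_event(event: dict) -> List[str]:
    """Return the indicator names that fire for one event (empty if none)."""
    hits: List[str] = []
    if event.get("type") == "process":
        cmd = event.get("cmdline", "")
        if CPL_TRAVERSAL.search(cmd):
            hits.append("cpl_path_traversal")
        if CPL_INF.search(cmd):
            hits.append("cpl_loads_inf")
    elif event.get("type") == "http":
        if OFFICE_DISCOVERY_UA in event.get("user_agent", "").lower():
            hits.append("office_discovery_user_agent")
    return hits


def correlate(events) -> Dict[str, Set[str]]:
    """Collect the distinct indicators seen per host across the stream."""
    per_host: Dict[str, Set[str]] = {}
    for ev in events:
        for name in match_event(ev):
            per_host.setdefault(ev["host"], set()).add(name)
    return per_host


def alerts(events) -> List[Tuple[str, str, List[str]]]:
    """One alert per host where the .cpl: handler abuse was seen.

    The user agent on its own is not alerted on (Office sends it when it
    probes a URL); it only raises severity when paired with the handler abuse.
    """
    out = []
    for host, names in sorted(correlate(events).items()):
        if not any(n.startswith("cpl_") for n in names):
            continue
        severity = "high" if "office_discovery_user_agent" in names else "medium"
        out.append((host, severity, sorted(names)))
    return out


if __name__ == "__main__":
    for host, severity, names in alerts(SAMPLE_EVENTS):
        print(f"{host}: {severity} - {', '.join(names)}")
```

Run stand-alone it reports only WS01, at high severity, because both the second-stage user agent and the `.cpl:` path traversal targeting an INF file were seen on that host; the benign `control.exe /name` invocation on WS02 does not match either pattern.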


[1] Microsoft. 2021. "Microsoft MSHTML Remote Code Execution Vulnerability." Microsoft Security Response Center.

[2] Microsoft. 2021. "Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability." Microsoft Threat Intelligence Center.

BlackMatter Ransomware: A New Ransomware-as-a-Service (RaaS)

Following the recent trend of ransomware affiliate programs, BlackMatter has emerged as the latest ransomware-as-a-service (RaaS). According to threat intelligence company Recorded Future, BlackMatter stated in an interview that it has "incorporated in itself the best features of DarkSide, REvil, and LockBit". BlackMatter cited the following inspirations from each of its predecessors:

  • From REvil: the implementation of Safe Mode encryption was considered weak and not well thought through. BlackMatter built on the idea and implemented it thoroughly, and also adopted the idea of a PowerShell version of the ransomware.
  • From LockBit: BlackMatter drew on LockBit's approach to structuring the codebase, as well as other minor details.
  • From DarkSide: the idea of impersonation (namely, the encryptor's ability to use the domain administrator's account to encrypt shared drives with maximum rights) and the structure of the admin panel were borrowed.

According to the group's blog, BlackMatter targets organisations with revenue of $100 million or more and between 500 and 15,000 hosts in the network. The threat actor has also stated that it will not target industries such as healthcare and state institutions. BlackMatter actively advertises that it purchases network access into organizations, offering $3,000 to $100,000 as well as a percentage of the potential ransom. This modus operandi is gaining notoriety and aligns with other threat actor groups like LockBit 2.0.

Analyzing BlackMatter

BlackMatter Blog

BlackMatter breaches organizations via purchased network access. Once initial access is secured, the threat actor moves laterally to high-value targets and exfiltrates sensitive data, then deploys the ransomware centrally, for instance via the Domain Controller, onto every endpoint. Upon execution, BlackMatter encrypts files on the victim's machine within seconds, disables file recovery and system restore, and leaves a ransom note.

BlackMatter ransom note

Aside from leaving a ransom note, BlackMatter changes the machine's desktop background and directs the victim to the README.txt file for instructions.

BlackMatter background image change

Running the attack

Within seconds of an infection, ReaQta-Hive reconstructs the breach, providing pertinent information on the behaviours and techniques exhibited.

ReaQta-Hive’s Behavioural Tree showing the BlackMatter ransomware

Leveraging ReaQta’s ransomware protection capabilities, ransomware is autonomously stopped once ransomware behaviour is detected, preventing potential data encryption on the endpoint.

BlackMatter is automatically stopped by ReaQta-Hive within seconds

In the case of BlackMatter, ReaQta was effective within seconds, effectively mitigating potential business disruptions and downtime. In addition to stopping the threat, ReaQta’s AI automatically terminated all malicious processes involved in the incident, thereafter closing off the alert and reducing extra actions needed to be taken by the security team.

As ransomware attacks become increasingly rampant, organizations should not treat such attacks as an afterthought but instead have mitigation plans devised and ready.

Ways to defend against a ransomware attack

According to Gartner analyst Paul Webber, "organizations need to focus on preparation and early mitigation if they want to cut losses to ransomware." The mitigation strategy outlined by Gartner covers six points:

  1. Perform initial ransomware assessments. Use risk assessments and penetration tests to determine your organization's attack surface and the current state of readiness in terms of tools, processes and skills to mitigate attacks.
  2. Ensure ransomware governance. Processes and contingency plans need to be in place to ensure a swift response in an actual crisis, and key stakeholders must be involved in that preparation.
  3. Maintain operational readiness at all times. Routinely stress-test the security systems in place to ensure ransomware activity can be detected and prevented. Incorporate incident response scenarios into the ransomware response plans, so that the systems and processes put in place do not rely on security systems that may be unavailable in a crisis.
  4. Maintain backups of internal systems. Back up both data and all applications within the infrastructure. Ensure that backups are taken frequently and cannot be compromised in a ransomware attack.
  5. Employ a Zero Trust security model. Restrict permissions and deny unauthorized access to devices. Remove local administrator rights from end users and block application installation for standard users, replacing it with a centrally managed software distribution facility.
  6. Instill employee ransomware education. All employees should understand the ransomware threat and be educated on the steps to take during a ransomware attack.

The resurgence of RansomEXX

RansomEXX recently gained notoriety for its attack on Gigabyte, a well-known hardware manufacturer from Taiwan, and an attack on Italy's Lazio region. The first attack resulted in the theft of 112 GB of business data; the second crippled the region's COVID-19 vaccination booking portal, used by some 6 million people. Though it initially targeted Windows operating systems, RansomEXX has since been seen targeting Linux servers via a separate Linux variant.

While RansomEXX has remained relatively low-profile over the past few years, its latest activities point to its potential resurgence now.

Analysing RansomEXX  

ReaQta's analysis of RansomEXX found that, like most human-operated ransomware operations, RansomEXX breaches networks through email, spear phishing, brute-forced Remote Desktop Protocol (RDP) logins or stolen credentials.

Upon execution, RansomEXX encrypts files on the victim’s machine, thereafter disabling file recovery and system restore, leaving a ransom note on the victim’s machine.

RansomEXX ransom note

In some instances, RansomEXX operators have also made use of a double extortion method post-hit by threatening to leak victims’ data publicly if payment was not received.

ReaQta-Hive’s Behavioural Tree showing the RansomEXX ransomware

Within seconds of an infection, ReaQta-Hive gathers the pertinent information to reconstruct the breach. At a glance, analysts can swiftly identify the malicious behaviours and techniques applied by the attackers and address the entire infection, including complete remediation and clean-up.

Attack information is also mapped against the MITRE ATT&CK framework, so that analysts can easily understand the current stage of a compromise.

RansomEXX is automatically stopped by ReaQta-Hive within seconds

With ReaQta’s real-time protection capabilities, threats like ransomware are automatically detected and stopped, preventing organisations from becoming the next victim of a ransomware attack. 

In the case of RansomEXX, ReaQta was effective within seconds, mitigating what would otherwise have led to costly damage and sensitive data exfiltration. In addition to stopping the threat, ReaQta's AI automatically terminates all malicious processes involved in the incident, then closes the alert, reducing the extra actions needed from the security team.

AI & ML-powered solutions needed to stay ahead of attackers

Considering the rise of ransomware attacks, solutions that augment behavioural detection capabilities are increasingly becoming a necessity to detect and stop zero-day and unknown threats, ranging from ransomware to fileless and in-memory attacks.

Behavioural solutions, together with proactive threat hunting capabilities, are starting to become the centerpiece of any organization’s security strategy. This ensures that no dormant or hidden threats are allowed to lurk within your infrastructure. 

Relying on traditional protection methods alone today may no longer suffice, as visibility is limited, which increases the risks of a cyber breach.

Using high levels of automation, AI and machine learning, ReaQta autonomously detects ransomware behaviour and actively handles the threat as it unfolds, so that organizations stay protected against ransomware.

ReaQta’s recommendations

  1. Cybersecurity awareness is imperative. Employees are the first line of defense, but they are also the most vulnerable. Organizations should make sure that employees are properly trained to flag anything potentially suspicious; all staff should be equipped to identify and flag possible phishing emails and be aware of how common business scams work.
  2. Enable two-factor authentication (2FA) or multi-factor authentication (MFA) to protect email, cloud documents and VPN access. It is increasingly obvious that most attacks start via email, and MFA is a low-cost, highly effective control. Those using Microsoft 365 or other platforms should follow the readily available best-practice guides; this will strengthen the overall security posture of your organization.
  3. Ensure that the Ransomware Behavior Protection policy is enabled. This helps prevent interruptions to your business.
  4. Constantly test your defences. Do not just focus on implementing security measures; ensure that the entire process works, from early detection to incident response. Where resources for consistent threat monitoring and mitigation are lacking, ReaQta-MDR provides 24/7 security monitoring and immediate response when a new potential threat is discovered.


A New Era of Ransomware and its Affiliates: LockBit 2.0

Following REvil's sudden disappearance, the empty niche in the RaaS (Ransomware as a Service) ecosystem has quickly been occupied by a new actor: LockBit, which recently unveiled its LockBit 2.0 ransomware, boasting impressive encryption speeds (according to its own benchmarks), a full-fledged exfiltration service and a new affiliate program.

Soon after its announcement, several parties joined the affiliate program, making LockBit the most active ransomware actor throughout June, July and, so far, August. Gaining insight into LockBit's operations is essential to keeping larger infrastructure secure, and understanding its modus operandi also helps explain the reason for such sudden success.

Understanding LockBit 2.0

LockBit operates as a Ransomware as a Service where affiliates, once accepted into the program, are given access to the ransomware and related exfiltration infrastructure. Affiliates take on the burden of gaining (or purchasing) access to the victim’s infrastructure, obtain data of interest and deploy the ransomware and the stealer. In exchange for the access to such services & tools, LockBit’s authors require the payment of a fee.

LockBit 2.0 touts faster encryption and the added capability of manipulating Windows Group Policy configuration. By adjusting these settings, the ransomware reduces the affected system's security profile, lowering the chance of detection and recovery. As with all other modern ransomware, LockBit 2.0 often adopts a double-extortion scheme in which the criminals exert additional pressure by threatening to release stolen content to the public.

Showcase of LockBit 2.0 features available to affiliates

Following a scheme commonly adopted by regular commercial companies, LockBit 2.0 has started to publish comparative tables against its competitors, emphasizing its encryption speed and its new stealer service, which it claims needs only 1 minute and 59 seconds to steal 10 GB of data.

Stealer benchmarks showcased on LockBit’s affiliate program page

Through its affiliate program, Lockbit2.0 incentivises other threat actors to leverage their tools to compromise networks and systems. This approach is promoting the emergence of highly specialized threat actors focusing on specific areas: initial access, lateral movement, data exfiltration, data encryption etc. LockBit2.0 has since garnered world-wide attention and gained significant traction.

MSP Compromise

In August 2021 LockBit affiliates were particularly active, targeting large managed service providers (MSPs) and using them as a pivot point to attack their customers. While assisting one of the victims, ReaQta and its partners traced the initial access to a privileged maintenance account used by the MSP and reused by the attackers to access the victim's infrastructure and exfiltrate information before encrypting it. Upon activation, the ransomware removed and disabled the system's shadow copies and cleared the event logs.

ReaQta-Hive’s Behavioural Tree showing removal and disabling of the system shadow copies and cleaning up of event logs.

MSP compromise is a high-reward strategy for ransomware actors: MSPs normally enjoy privileged access to their customers' networks, presenting a very appealing path for actors looking to coordinate multiple attacks from a single point while reducing the risk of discovery. This approach is not new and has been widely explored by sophisticated state actors, such as APT10 during the Cloud Hopper campaign, which followed a similar set of TTPs: initial access via spear phishing and credential reuse to move from the MSP network into the victims' infrastructure.
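The pre-encryption behaviours this page describes repeatedly (AvosLocker, BlackMatter and RansomEXX "disabling file recovery and system restore", and LockBit removing shadow copies and clearing event logs) are visible in process-creation telemetry before any file is encrypted. The following Python is an added example, not ReaQta-Hive's detection engine: it classifies command lines into those behaviours and alerts when a host shows two or more of them within a short window. The event shape, the 60-second window and the bcdedit/wbadmin patterns (common companions of shadow copy deletion that this page does not itself name) are assumptions for the illustration.

```python
"""Flag the pre-encryption behaviours described on this page: shadow copy
removal, recovery disabled, event logs cleared.

Added example, not ReaQta-Hive's detection engine: the telemetry shape and
the 60-second correlation window are assumptions for this illustration.
"""
import re
from typing import Dict, List, Optional

# Command-line patterns grouped by the behaviour they implement. The page
# names shadow copy removal and event-log clearing; the bcdedit and wbadmin
# forms are common companions added here as an assumption.
BEHAVIOURS = {
    "shadow_copy_deletion": [
        r"vssadmin(?:\.exe)?\s+delete\s+shadows",
        r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage",
        r"wmic(?:\.exe)?\s+shadowcopy\s+delete",
        r"win32_shadowcopy.*(?:delete|remove)",
    ],
    "recovery_disabled": [
        r"bcdedit(?:\.exe)?\s+/set\s+.*recoveryenabled\s+no",
        r"bcdedit(?:\.exe)?\s+/set\s+.*bootstatuspolicy\s+ignoreallfailures",
        r"wbadmin(?:\.exe)?\s+delete\s+catalog",
    ],
    "event_log_cleared": [
        r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b",
        r"clear-eventlog",
    ],
}
COMPILED = {name: [re.compile(p, re.IGNORECASE) for p in pats]
            for name, pats in BEHAVIOURS.items()}

# Constructed process-creation events (ts = seconds since epoch). FS01 is
# the ransomware pattern; ADMIN01 and BK01 are single, plausibly legitimate
# administrative commands.
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "FS01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": 1002, "host": "FS01", "cmdline": "wmic shadowcopy delete"},
    {"ts": 1003, "host": "FS01", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"ts": 1010, "host": "FS01", "cmdline": "wevtutil cl Security"},
    {"ts": 5000, "host": "ADMIN01", "cmdline": "vssadmin list shadows"},
    {"ts": 9000, "host": "BK01", "cmdline": "wevtutil cl Application"},
]


def classify(cmdline: str) -> Optional[str]:
    """Map a command line to a behaviour name, or None if it is not one."""
    for name, patterns in COMPILED.items():
        if any(p.search(cmdline) for p in patterns):
            return name
    return None


def detect(events, window: int = 60, min_behaviours: int = 2) -> List[dict]:
    """One alert per host showing at least `min_behaviours` distinct
    behaviours within `window` seconds. A single wevtutil or vssadmin call
    can be an administrator; several different ones in quick succession
    rarely are.
    """
    by_host: Dict[str, List[dict]] = {}
    for ev in events:
        name = classify(ev["cmdline"])
        if name:
            by_host.setdefault(ev["host"], []).append({"ts": ev["ts"], "behaviour": name})

    alerts = []
    for host, hits in sorted(by_host.items()):
        hits.sort(key=lambda h: h["ts"])
        for i, start in enumerate(hits):
            # Distinct behaviours seen in the window that opens at this hit.
            seen = {h["behaviour"] for h in hits[i:] if h["ts"] - start["ts"] <= window}
            if len(seen) >= min_behaviours:
                alerts.append({"host": host, "start": start["ts"], "behaviours": sorted(seen)})
                break  # the first qualifying window per host is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone it reports FS01 only: the `vssadmin list shadows` on ADMIN01 never classifies, and the lone log clear on BK01 stays below the two-behaviour threshold. An EDR would act on the first match rather than wait for a second, but for log-based hunting the window keeps routine administration out of the alert queue.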


Attackers Keep Innovating

The profitability of ransomware attacks is creating strong incentives for criminal groups to specialize. The influx of money is enabling access to a larger pool of talent in different areas and to more sophisticated tools, including 0-day exploits and vulnerabilities. As threat actors continue to innovate and develop new attack vectors, it is crucial for organizations to adopt technologies that can detect and stop sophisticated and unknown threats, ranging from ransomware to fileless and in-memory attacks. Ransomware has evolved quickly since 2018, moving from regular users to large enterprises and adopting a sophisticated attack scheme in which the ransomware itself is only the last step of a complex breach.

Through the use of dedicated AI and ML engines, ReaQta-Hive provides real-time visibility over the infrastructure for early detection of compromise; it natively detects the ransomware's behaviour and actively mitigates threats as they unfold, providing all-around protection from the initial stages of the attack to the final ransomware deployment.

We can see LockBit 2.0 ransomware in action below:

ReaQta-Hive’s Behavioral Tree showing the Lockbit 2.0 ransomware

Upon execution, ReaQta-Hive reconstructs the infection chain immediately, presenting process and behavioral information as a storyline to help analysts swiftly identify the associated malicious and anomalous techniques. Via the behavioural tree, complete response options are also presented to help remediate and contain the threat quickly.

Lockbit2.0 is automatically detected and blocked by ReaQta-Hive

ReaQta-Hive’s proprietary ransomware detection engines automatically identify and block the threat without any user intervention and without requiring any data restoration to a prior point in time. ReaQta’s AI automatically terminates all malicious processes involved in the incident, thereafter closing off the alert, reducing the need and workload for additional actions by the security team.

ReaQta Hive-Cloud’s Layered Defense Approach

Hive-Cloud Trigger Activation

When new security threats are identified, Hive-Cloud is automatically activated, providing additional analysis seamlessly via cloud intelligence. LockBit 2.0 was initially detected as ransomware and blocked by the first layer of defense. Simultaneously, Hive-Cloud investigated the behaviors against ReaQta's integrated threat intelligence sources, providing additional confirmation of the threat. Without external intervention, Hive-Cloud confirmed that LockBit 2.0 was indeed malicious and activated an additional level of protection. With ReaQta's AI engines and a comprehensive multi-layered defense approach, organizations can obtain real-time visibility, protection and automated response with no delays.

Understanding PrintNightmare: The importance of having visibility over new attack vectors

What is PrintNightmare?

PrintNightmare (CVE-2021-34527) is a recently discovered vulnerability affecting the Microsoft Windows Print Spooler service. Via Remote Code Execution (RCE), it allows threat actors who have obtained initial access to run arbitrary code with SYSTEM-level privileges on any device where the Print Spooler service is enabled. The vulnerability allows attackers to load a DLL onto a remote Windows host, enabling users with local domain privileges to create accounts with administrative privileges. As the Print Spooler service is enabled by default, the vulnerability garnered immediate worldwide attention, since organizations urgently need to address it.

Microsoft has released security updates to resolve the PrintNightmare vulnerability, but to date the fix has been found to be effective only under certain configurations. In other instances, the patch can be bypassed, allowing attackers to exploit the machine and obtain SYSTEM privileges. While this was initially classified as a low-severity vulnerability, Microsoft has since upgraded its severity classification to critical.


Running the attack

The figure below shows a Windows Server 2016 installation with a regular domain user account. 

Users list on the Domain Controller 

The exploit targets the Windows Server 2016 device using the available user's credentials, passing as a parameter the path to the reverse shell, packaged as a DLL.

The reverse shell, obfuscated using msfvenom, is named "reverse1.dll" and is loaded into the victim's system after successful exploitation.

Once the exploit is launched, a command shell is spawned with "nt authority\system" access rights. We can now see that the attacker is running with elevated privileges on the Domain Controller. At this point, attackers have full freedom of operation and can proceed to deploy additional stages, such as a RAT or ransomware.

PrintNightmare Under the Lens

ReaQta-Hive’s Behavioural Tree showing the PrintNightmare exploit

The entire exploit is captured and displayed via the ReaQta-Hive behavioural tree, which presents the attack information enriched with all connected behaviors, allowing analysts and security teams to easily follow the incident as it unfolds. In the image above we can see a series of events spawning from "spoolsv.exe": first, the reverse shell is dropped to disk, then it is loaded via rundll32.exe, and finally a cmd.exe instance is started, allowing the attacker to run arbitrary commands, in this case "whoami.exe". The entire behavioral chain runs under elevated privileges as "NT AUTHORITY\SYSTEM".
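The two behaviours this page describes, a Print Spooler process spawning a loader and a shell (this section) and a ransomware removing shadow copies and clearing event logs (the MSP compromise section above), are both visible in plain process-creation telemetry. The following PowerShell is an added example, not ReaQta's code and not part of ReaQta-Hive: a small rule set run over constructed sample events shaped like Sysmon Event ID 1 records. The events, user names, timestamps and the dropped-DLL path are all constructed placeholders.

```powershell
# Added example (not ReaQta's code): rule-based triage of process-creation events.
# Field names (UtcTime, User, ParentImage, Image, CommandLine) follow the shape of
# Sysmon Event ID 1 records; the sample events below are constructed, not real telemetry.

function Get-SuspiciousProcessEvents {
    param([Parameter(Mandatory)] [object[]] $Events)

    # Each rule: a name, the MITRE ATT&CK technique for the analyst, and a predicate.
    # -match is case-insensitive in PowerShell, so no (?i) flag is needed.
    $rules = @(
        @{ Name = 'PrintSpooler-SpawnedChild'; Technique = 'T1068 (exploitation for privilege escalation)'
           Test = { param($e)
               ($e.ParentImage -match '\\spoolsv\.exe$') -and
               ($e.Image -match '\\(rundll32|cmd|powershell|regsvr32)\.exe$') } },
        @{ Name = 'ShadowCopy-Deletion'; Technique = 'T1490 (inhibit system recovery)'
           Test = { param($e)
               ($e.CommandLine -match 'vssadmin(\.exe)?\s+delete\s+shadows') -or
               ($e.CommandLine -match 'wmic(\.exe)?\s+shadowcopy\s+delete') } },
        @{ Name = 'EventLog-Cleared'; Technique = 'T1070.001 (clear Windows event logs)'
           Test = { param($e)
               ($e.CommandLine -match 'wevtutil(\.exe)?\s+(cl|clear-log)\s') -or
               ($e.CommandLine -match 'Clear-EventLog') } }
    )

    foreach ($e in $Events) {
        foreach ($r in $rules) {
            if (& $r.Test $e) {
                [pscustomobject]@{
                    Time        = $e.UtcTime
                    Rule        = $r.Name
                    Technique   = $r.Technique
                    User        = $e.User
                    Parent      = $e.ParentImage
                    Image       = $e.Image
                    CommandLine = $e.CommandLine
                }
            }
        }
    }
}

function New-ProcEvent($Time, $User, $Parent, $Image, $Cmd) {
    [pscustomobject]@{ UtcTime = $Time; User = $User; ParentImage = $Parent; Image = $Image; CommandLine = $Cmd }
}

# Constructed sample events. The first three mirror the chain described above:
# spoolsv.exe -> rundll32.exe (loading reverse1.dll) -> cmd.exe -> whoami.exe.
# 'C:\PLACEHOLDER' stands in for wherever the DLL was dropped; the page does not state the path.
$sys    = 'NT AUTHORITY\SYSTEM'
$s32    = 'C:\Windows\System32'
$sample = @(
    (New-ProcEvent '2021-07-06 09:14:02' $sys        "$s32\spoolsv.exe"  "$s32\rundll32.exe" 'rundll32.exe C:\PLACEHOLDER\reverse1.dll,Start'),
    (New-ProcEvent '2021-07-06 09:14:03' $sys        "$s32\rundll32.exe" "$s32\cmd.exe"      'cmd.exe'),
    (New-ProcEvent '2021-07-06 09:14:10' $sys        "$s32\cmd.exe"      "$s32\whoami.exe"   'whoami.exe'),
    (New-ProcEvent '2021-07-06 10:02:41' 'CORP\jdoe' 'C:\Windows\explorer.exe' "$s32\notepad.exe" 'notepad.exe notes.txt'),
    (New-ProcEvent '2021-08-12 02:31:07' $sys        "$s32\cmd.exe"      "$s32\vssadmin.exe" 'vssadmin.exe delete shadows'),
    (New-ProcEvent '2021-08-12 02:31:09' $sys        "$s32\cmd.exe"      "$s32\wevtutil.exe" 'wevtutil.exe cl Security'),
    # Benign: an administrator querying the Security log must not match the clearing rule.
    (New-ProcEvent '2021-08-12 08:15:00' 'CORP\admin' "$s32\cmd.exe"     "$s32\wevtutil.exe" 'wevtutil.exe qe Security /c:5')
)

# Expected hits: the spoolsv.exe -> rundll32.exe event, the vssadmin event and the
# 'wevtutil cl' event. The cmd.exe -> whoami.exe step is only reachable from the first
# hit, which is why the spooler rule keys on the parent rather than on the final command.
Get-SuspiciousProcessEvents -Events $sample | Format-Table -AutoSize -Wrap
```

To run the same rules over live data, replace `$sample` with objects built from `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=1]]'` (mapping the event's ParentImage, Image, CommandLine and User fields onto the same property names); the rule set itself does not change. The spooler rule is deliberately narrow: spoolsv.exe legitimately spawns very few children, so a parent-based match is low-noise in most environments, while the shadow-copy and event-log rules should be reviewed against any backup or log-rotation jobs that run the same utilities.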

The series of post-exploitation events leading to the spawning of the reverse shell

Maintaining continuous visibility over all assets allows security teams to quickly identify such exploitation attempts and react accordingly even in the presence of critical vulnerabilities like PrintNightmare.


ReaQta’s Recommendations

ReaQta suggests that companies apply the revised update from Microsoft.

Speaking in response to PrintNightmare, ReaQta's Security Architect Sam Lai recommends: "disable the Print Spooler service for domain controllers and Active Directory admin systems that do not require the print service". Companies can consider the following options for additional mitigation if needed:

Option 1: Disable the Print Spooler service

Use the following PowerShell commands:

  • Stop-Service -Name Spooler -Force
  • Set-Service -Name Spooler -StartupType Disabled

Impact of workaround → Printing will be disabled both locally and remotely.

Option 2: Disable inbound remote printing through Group Policy

Impact of workaround → This prevents inbound remote printing operations, blocking the remote attack vector. The system will no longer function as a print server, but local printing will still be possible through a direct device attachment.
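Putting both options together, the script below is an added example, not ReaQta's or Microsoft's own tooling. It reports the Print Spooler posture of the host it runs on (service state and start type, whether the host is a domain controller, and whether the Option 2 policy is in force), flags the host as exposed when the spooler can run and still accepts remote connections, and wraps the two Option 1 commands from the page in a function that honours `-WhatIf`. The Option 2 check reads `RegisterSpoolerRemoteRpcEndPoint` under the Printers policy key, which is the registry value the "Allow Print Spooler to accept client connections" policy writes as I know it from the Printers administrative template (value 2 = policy Disabled); verify that mapping against the ADMX in your own environment. It must be run from an elevated PowerShell session.

```powershell
# Added example (not ReaQta's or Microsoft's script): audit and, on request, apply
# the Print Spooler workarounds described above. Run elevated.

# Assumption: this is the value behind "Allow Print Spooler to accept client connections"
# (Computer Configuration > Administrative Templates > Printers). 2 = Disabled, 1 = Enabled.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerPosture {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    $policy = $null
    if (Test-Path $PolicyKey) {
        $policy = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    }

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $isDc = $false
    try { $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4 } catch { }

    $status    = 'n/a'
    $startType = 'n/a'
    if ($svc) {
        $status    = $svc.Status.ToString()
        $startType = $svc.StartType.ToString()
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = $isDc
        SpoolerInstalled   = [bool]$svc
        SpoolerStatus      = $status
        SpoolerStartType   = $startType
        Option1Applied     = ($startType -eq 'Disabled' -and $status -ne 'Running')  # service stopped and disabled
        Option2Applied     = ($policy -eq 2)                                          # inbound remote printing blocked
    }
}

function Test-SpoolerExposure {
    param([Parameter(Mandatory)] $Posture)
    # Exposed = the spooler can (re)start and remote clients are still allowed to reach it.
    $spoolerCanRun = $Posture.SpoolerInstalled -and ($Posture.SpoolerStartType -ne 'Disabled')
    return [bool]($spoolerCanRun -and -not $Posture.Option2Applied)
}

function Invoke-SpoolerOption1 {
    # Option 1 from the page: stop the service and prevent it from starting again.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('Spooler service', 'Stop-Service and Set-Service -StartupType Disabled')) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
}

$posture = Get-SpoolerPosture
$posture | Format-List

if (Test-SpoolerExposure -Posture $posture) {
    $role = if ($posture.IsDomainController) { 'domain controller' } else { 'host' }
    Write-Warning "Print Spooler on this $role can still accept inbound remote printing."
    # Dry run only: drop -WhatIf to actually apply Option 1 on hosts that do not need printing.
    Invoke-SpoolerOption1 -WhatIf
}
```

The audit deliberately treats a running-but-disabled spooler as not yet mitigated, since the service keeps accepting connections until it is stopped; likewise a host with Option 2 in force but the service still enabled is reported as mitigated for the remote vector only, which matches the impact statement above. Remove `-WhatIf` on domain controllers and admin systems that do not print, per the recommendation quoted above, and keep Option 2 for print servers that must keep local printing.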

ReaQta-MDR ensures cyber resilience through Proactive Threat Hunting

As part of ReaQta’s commitment to our customers, the ReaQta SOC team has been working on the detection of this vulnerability since it first emerged, so as to ensure that our customers’ infrastructures remain safe and secure. Proactive Threat Hunting helps in the early detection of new threats and in the discovery of any weak spots that can be targeted by attackers to gain or maintain elevated access to any infrastructure. 

The Proactive Threat Hunting service, managed by experienced threat hunters and analysts, is available via ReaQta-MDR, providing 24/7 coverage across the infrastructure and responding to any suspicious or malicious activity.

The rising danger of ransomware: the Kaseya case, how it happened, and how to defend yourself

By Alberto Pelliccione, CEO – ReaQta

The REvil hacker group managed to obtain a 0-day to gain access to Kaseya VSA, a management software for IT infrastructures, using it as a conduit to spread ransomware to the MSPs using the platform. Supply-chain attacks are extremely effective, and such threats are rising in frequency and complexity. In response, our preventative monitoring capabilities must be substantially strengthened as well.

The supply-chain attack on Kaseya represents one of the largest attacks in this category, second – in terms of damage – only to what happened with WannaCry and then NotPetya in 2017. In this case, however, the attack was not conducted to acquire intelligence but only for extortion. The group known as REvil – which, in an interview last Saturday, claimed to generate $100 million a year in revenue – through an authentication bypass in Kaseya VSA, managed to compromise over 1500 businesses.


The role of MSPs in the Kaseya attack

MSPs typically manage dozens or hundreds of businesses, so attackers were able to take advantage of the MSP’s privileged position to spread the ransomware to all of their customers, which, with the latest information available, would appear to be over 1,500. REvil has announced that it has compromised over 1 million devices, demanding $70M in ransom. This news, if confirmed, would bring this operation to the second place on the list of the largest ransomware attacks.

The ransom demand comes with a promise to publish a universal decryptor valid for all victims, meaning that REvil would be able to avoid having to individually negotiate with 1000+ different businesses.

With the information still fragmented, it’s difficult to immediately reconstruct the complete attack scenario. But let’s unpack what happened.

On 2 July, Kaseya reported a possible attack on their platform:

How the cyber attack on Kaseya happened

However, the impact of the attack is still unclear, so much so that the company itself talks about "a small number of on-premise installations" and recommends taking servers offline to avoid problems, since attackers immediately disable administrative access once they gain access to the VSA platform.

At the same time, the DIVD (Dutch Institute for Vulnerability Disclosure) got in touch with Kaseya, as the institute was already working on an analysis of the VSA platform and had identified a number of critical vulnerabilities. One of these was reported as CVE-2021-30116. At the time of writing this piece, the vulnerability has not yet been publicly announced, but we know it is the same one used by REvil to breach MSPs using Kaseya VSA.

The vulnerability appears to be an SQL injection that allows the platform's authentication flow to be bypassed, letting anyone log in with maximum privileges. It's unclear how REvil got hold of the vulnerability. We only know that Kaseya was actively working on patching the issue, but the group behind REvil managed to run their attack before a patch was distributed. It is possible that REvil identified the problem at the same time as the DIVD; it is also possible that the report provided to the company was leaked via other channels.

At this point, the DIVD, which had already performed a mass-scan of the entire internet to identify all exposed Kaseya VSA installations (2200 at that moment), started to contact both CERTs and potentially vulnerable customers, asking them to immediately shut down their servers. Within a few hours, the 2200 online installations became just 140. This operation managed to significantly reduce the total impact of the attack, even though the numbers involved are still significant.

While Kaseya and the DIVD took care of notifying potential victims, REvil proceeded to compromise the remaining online installations. The attackers exploited the authentication bypass to gain initial access and to start the transmission of a file called "Kaseya VSA Agent Hot-fix" which, once started, disables some security components of the endpoint and then side-loads the actual ransomware. To reduce the detection profile, the ransomware was signed with a legitimate certificate from "PB03 TRANSPORT LTD."

The Kaseya tool

Kaseya has released a tool to help possible victims identify their vulnerable instances and possibly compromised endpoints. The attack chain in any case carries the signs of an operation planned in relative haste, suggesting that REvil may have gained access to the vulnerability extremely recently, perhaps right after the first reports.

What we learn from this ransomware attack on Kaseya

This attack demonstrates how, as revenue grows – REvil is asking for $70 million to unlock everyone – ransomware groups manage to research or obtain 0-day vulnerabilities that are then used to launch high-impact attacks. This isn’t the first time we’ve seen ransomware use a 0-day vulnerability, and it certainly won’t be the last, but it’s the first time we’ve seen one used to carry out a supply-chain attack on such a scale.


MSPs remain highly desirable targets, whether for espionage operations or extortion purposes, given the level of access they have to their customers’ infrastructure. By now, when it comes to ransomware, we know that these are no longer opportunistic attacks, but rather targeted operations with an increasing level of sophistication that increasingly resemble the high-profile attacks we are used to seeing with APT groups.

Businesses, especially medium and small ones, are now facing a rapidly growing threat that is proving increasingly difficult to eradicate. Supply-chain attacks are extremely effective, as we’ve seen in the case of SolarWinds, and securing an infrastructure from these types of threats is an extremely complex path that we can no longer underestimate.

How do you protect against a supply-chain attack and ransomware?

This attack opens the door to a series of questions that still have no concrete answer: How do you protect yourself from supply-chain attacks and ransomware? Why do ransomware groups operate unpunished on the international scene?

The answer to these questions is far from immediate and, as is increasingly the case, consists of a mix of technologies, processes and policies that must become part of the DNA of every entity that manages data and infrastructures. Supply-chain attacks are extremely complex to identify because they exploit the trusted channel that exists between the vendor and the customer. Vendors have no interest in harming their customers, and customers have no reason not to trust them. A viable, albeit complex, route is to profile every single application in an infrastructure and alert the security team whenever an update changes the application's behavior significantly.

In 2018 at ReaQta, during a study on mitigating supply-chain attacks through behavioral analysis, we compiled a statistic finding that a generic infrastructure of 1000 computers comes in contact with an average of 6000 new executable files (new or as a result of updates) every 30 days.

This number puts application profiling beyond the reach of most facilities and requires a highly automated approach to avoid overwhelming analysts, who have to identify high-impact but rare events. But this approach is certainly not a panacea; ransomware follows every available path and attacks whatever it is able to reach.
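A first step towards the profiling described above, and a check that would have been relevant to the signed "Kaseya VSA Agent Hot-fix" stage, is simply to baseline the executables an infrastructure already has and to flag what is new or has changed publisher. The PowerShell below is an added example, not ReaQta's code: `Get-ExecutableInventory` records hash, Authenticode status and signer for every .exe/.dll under the given paths (this part needs real files on a Windows host), and `Compare-ExecutableInventory` diffs two inventories and marks whether the signer of each new or changed file is on an allowlist. The inventories, paths, hashes and signer names in the demonstration at the bottom are constructed so the comparison runs offline.

```powershell
# Added example (not ReaQta's code): executable inventory baseline with signer allowlist.

function Get-ExecutableInventory {
    param([Parameter(Mandatory)] [string[]] $Path)
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = ''
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            [pscustomobject]@{
                Path      = $_.FullName
                Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                SigStatus = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
                Signer    = $signer
            }
        }
}

function Compare-ExecutableInventory {
    param(
        [Parameter(Mandatory)] [object[]] $Baseline,
        [Parameter(Mandatory)] [object[]] $Current,
        [string[]] $TrustedSigners = @()          # substrings of expected certificate subjects
    )
    $known = @{}
    foreach ($b in $Baseline) { $known[$b.Path] = $b }

    foreach ($c in $Current) {
        $finding = $null
        if (-not $known.ContainsKey($c.Path)) {
            $finding = 'NewExecutable'
        } elseif ($known[$c.Path].Sha256 -ne $c.Sha256) {
            # An update is expected now and then; an update that changes the publisher is not.
            $finding = if ($known[$c.Path].Signer -ne $c.Signer) { 'UpdatedSignerChanged' } else { 'Updated' }
        }
        if ($finding) {
            # "Valid" only means the signature checks out, not that the publisher is one we expect.
            $trusted = ($c.SigStatus -eq 'Valid') -and
                       ($TrustedSigners | Where-Object { $c.Signer -like "*$_*" })
            [pscustomobject]@{
                Path             = $c.Path
                Finding          = $finding
                SigStatus        = $c.SigStatus
                Signer           = $c.Signer
                TrustedPublisher = [bool]$trusted
            }
        }
    }
}

# Constructed demonstration data (not real inventories): one unchanged file, one updated
# file whose signer changed, and one brand-new signed file from an unknown publisher.
$vendor   = 'CN=Example Vendor Ltd, O=Example Vendor Ltd'
$unknown  = 'CN=Constructed Unknown Signer'
$dir      = 'C:\Program Files\ExampleVendor'
$baseline = @(
    [pscustomobject]@{ Path = "$dir\agent.exe";  Sha256 = 'AAAA'; SigStatus = 'Valid'; Signer = $vendor },
    [pscustomobject]@{ Path = "$dir\helper.dll"; Sha256 = 'BBBB'; SigStatus = 'Valid'; Signer = $vendor }
)
$current = @(
    [pscustomobject]@{ Path = "$dir\agent.exe";  Sha256 = 'AAAA'; SigStatus = 'Valid'; Signer = $vendor },
    [pscustomobject]@{ Path = "$dir\helper.dll"; Sha256 = 'CCCC'; SigStatus = 'Valid'; Signer = $unknown },
    [pscustomobject]@{ Path = "$dir\hotfix.exe"; Sha256 = 'DDDD'; SigStatus = 'Valid'; Signer = $unknown }
)

# Expected: helper.dll -> UpdatedSignerChanged, hotfix.exe -> NewExecutable, both TrustedPublisher=False.
Compare-ExecutableInventory -Baseline $baseline -Current $current -TrustedSigners 'CN=Example Vendor Ltd' |
    Format-Table -AutoSize
```

In use, take the baseline with `Get-ExecutableInventory` and persist it with `Export-Clixml`, then compare after each update cycle. At the volume quoted above (thousands of new executables per month) the output is only workable if it is fed into an automated pipeline that auto-closes updates from allowlisted publishers and surfaces the rest, which is the point the paragraph makes about automation.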

Part of the problem is fundamentally geopolitical: these groups operate with impunity from a very restricted set of territories, with a more or less tacit pact not to cause damage to the country they belong to. This modus operandi seems to work well because it creates an asymmetry: the host country is kept safe from a series of problems, while the operations of other countries are disrupted, and those countries must spend time and resources to protect themselves from these threats, losing resources and competitiveness. Such operations can also support local intelligence services by sharing sensitive information stolen from victims.

Therefore, it is necessary to act firmly when the origin of an attack can be attributed with a high degree of confidence to a specific country. The threat of severe and coordinated sanctions, as is the case for some states that finance or protect terrorist organizations, is a strong disincentive to offering asylum to attack structures that are no longer limited to stealing data but create massive damage with major repercussions.

Ransomware attacks are evolving faster and faster. REvil has hinted that even the modalities themselves are about to change, to make ransomware faster and more efficient than it already is. Service and security providers are being attacked and used to amplify the attack power of such groups, so right now we are on the weaker side of the fence, but this is not the time to waver. As we've just seen, the DIVD approach helped reduce the impact of the attack significantly. Those one million devices claimed by REvil could have become 10M or 100M if there hadn't been a coordinated effort to take vulnerable machines offline.

The key to reducing these risks is to develop a real-time threat-sharing infrastructure, followed by identification, response and remediation tools, along with training to teach how to handle disaster scenarios like the ones we’ve just seen. Protection must therefore come from two fronts, an internal one, putting together the factors just seen, and an external one aimed at making the ground under the feet of attackers much less stable. If the attacker does not have the certainty of impunity, he will have one more problem to worry about.


Delivering security without complexity

ReaQta’s active defense intelligence platform, ReaQta-Hive, aims to solve for the rising number of businesses falling victim to malicious activities from cyber criminals and threat actors. While traditional legacy protection methods stand vulnerable to sophisticated attack techniques, ReaQta’s revolutionary platform stops threats – both known and unknown – in real-time. Through deep learning, the platform constantly improves on defining normal behavior tailored to each business per endpoint, allowing it to block any anomalous behavior.  

ReaQta-Hive not only detects threats, but also delivers a seamless, automated threat response in real-time. ReaQta was recently named a 2020 Cool Vendor by Gartner in Network and Endpoint Security for its unique approach in tackling cyber threats of all forms.

To learn more about what makes ReaQta unique, please visit Why ReaQta and apply for a demonstration.
