Ransomware: February 2022 review

The Malwarebytes Threat Intelligence team continuously monitors the threat landscape to stay on top of existing and emerging attacks. In this February 2022 ransomware review, we go over some of the most successful ransomware incidents based on both open source and dark web intelligence.


BlackByte

  • Observed since: July 2021
  • Ransomware note: BlackByteRestore.txt
  • Ransomware extension: .BlackByte
  • Kill Chain: Some victims reported that attackers used known Microsoft Exchange Server vulnerabilities to gain access to their networks > BlackByte Ransomware
  • Sample hash: 1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad

HermeticRansom (PartyTicket)

  • Observed since: February 2022
  • Ransomware note: read_me.html
  • Ransomware extension: <original file name>.[vote2024forjb@protonmail[.]com].encryptedJB
  • Kill Chain: On Feb. 23, 2022, destructive attacks were conducted against Ukrainian entities. Industry reporting has claimed that the Go-based ransomware dubbed PartyTicket (or HermeticRansom) was identified at several organizations affected by the attack.
  • Sample hash: 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SFile (Escal)

  • Observed since: February 2022
  • Ransomware note: .<company_name>.!README.log
  • Ransomware extension: .<company_name>.<random>
  • Kill Chain: Smaller ransomware strains used in targeted attacks
  • Sample hash: 6a7cef95a501cce16dce6f5a645fc97c4bcbb568c83dde5a7f2e4a0d7555dd98

LockBit 2.0

  • Observed since: September 2019
  • Ransomware note: Restore-My-Files.txt
  • Ransomware extension: .lockbit
  • Kill Chain: Brute force attack on a web server containing an outdated VPN service > LockBit Ransomware
  • Sample hash: 9feed0c7fa8c1d32390e1c168051267df61f11b048ec62aa5b8e66f60e8083af

Magniber

  • Observed since: October 2017
  • Ransomware note: readme.txt
  • Ransomware extension: .dihlxbl
  • Kill Chain: Distributed via Microsoft Edge and Google Chrome (targeting Korean users)
  • Sample hash: 06ea8f2b8b70b665cbecab797125733f75014052d710515c5ca2d908f3852349

Surtr

  • Observed since: December 2021
  • Ransomware note: SURTR_README.hta
  • Ransomware extension: .surtr
  • Kill Chain: Spear-Phishing > MalDoc > Surtr Ransomware
  • Sample hash: 40e5bb0526169c02126ffa60a09041e5e5453a24b26bc837036748b150fa3fae

Sugar

  • Observed since: January 2021
  • Ransomware note: BackFiles_encoded01.txt
  • Ransomware extension: .Encoded01
  • Kill Chain: Spear-Phishing > MalDoc > Sugar Ransomware
  • Sample hash: 4a97bc8111631795cb730dfe7836d0afac3131ed8a91db81dde5062bb8021058

Conti

  • Observed since: June 2021
  • Ransomware extension: .CONTI
  • Ransomware notes: CONTI.txt, R3ADM3.txt, readme.txt, CONTI_README.txt
  • Kill Chain: Spear-Phishing > Bazar backdoor or IcedID > Cobalt Strike > Conti Ransomware
  • Sample hash: 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59

Mitigations

Source: IC3.gov

  • Implement regular backups of all data to be stored as air-gapped, password-protected copies offline. Ensure these copies are not accessible for modification or deletion from any system where the original data resides.
  • Implement network segmentation, such that all machines on your network are not accessible from every other machine.
  • Install and regularly update antivirus software on all hosts, and enable real-time detection.
  • Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
  • Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
  • Audit user accounts with administrative privileges and configure access controls with the least privilege in mind. Do not give all users administrative privileges.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.
  • Use double authentication when logging into accounts or services.
  • Ensure routine auditing is conducted for all accounts.
  • Ensure all the identified IOCs are input into the network SIEM for continuous monitoring and alerts.
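The last item above is the one a SOC can act on directly with the indicators in this review. The script below is an added example (not part of the Malwarebytes post or the IC3 guidance) that turns the sample hashes, ransom note names and encrypted-file extensions listed above into a small endpoint sweep; the directory it scans and the findings format are assumptions, and SFile is hash-only because its extension is not a fixed string.

```python
import hashlib
from pathlib import Path

# Indicators taken from the review above. A ransom note name or an encrypted-file
# extension is a weaker signal than a sample hash match (readme.txt is a common
# file name), so every finding carries the indicator type it was produced by.
SAMPLE_HASHES = {
    "1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad": "BlackByte",
    "4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382": "HermeticRansom",
    "6a7cef95a501cce16dce6f5a645fc97c4bcbb568c83dde5a7f2e4a0d7555dd98": "SFile",
    "9feed0c7fa8c1d32390e1c168051267df61f11b048ec62aa5b8e66f60e8083af": "LockBit 2.0",
    "06ea8f2b8b70b665cbecab797125733f75014052d710515c5ca2d908f3852349": "Magniber",
    "40e5bb0526169c02126ffa60a09041e5e5453a24b26bc837036748b150fa3fae": "Surtr",
    "4a97bc8111631795cb730dfe7836d0afac3131ed8a91db81dde5062bb8021058": "Sugar",
    "24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59": "Conti",
}
RANSOM_NOTES = {  # lower-cased file names of the ransom notes listed above
    "blackbyterestore.txt": "BlackByte", "read_me.html": "HermeticRansom",
    "restore-my-files.txt": "LockBit 2.0", "readme.txt": "Magniber or Conti",
    "surtr_readme.hta": "Surtr", "backfiles_encoded01.txt": "Sugar",
    "conti.txt": "Conti", "r3adm3.txt": "Conti", "conti_readme.txt": "Conti",
}
EXTENSIONS = {  # lower-cased final extension of encrypted files
    ".blackbyte": "BlackByte", ".encryptedjb": "HermeticRansom", ".lockbit": "LockBit 2.0",
    ".dihlxbl": "Magniber", ".surtr": "Surtr", ".encoded01": "Sugar", ".conti": "Conti",
}

def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def scan_tree(root, hashes=SAMPLE_HASHES):
    """Return (path, indicator_type, family) tuples for every match under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        name, ext = path.name.lower(), path.suffix.lower()
        if name in RANSOM_NOTES:
            findings.append((str(path), "ransom_note", RANSOM_NOTES[name]))
        if ext in EXTENSIONS:
            findings.append((str(path), "encrypted_extension", EXTENSIONS[ext]))
        family = hashes.get(sha256_of(path))  # hash match is the strong signal
        if family:
            findings.append((str(path), "sample_hash", family))
    return findings
```

Each tuple can be forwarded to the SIEM as an alert; keeping the indicator type lets the note and extension matches be triaged at lower priority than a hash hit.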

How Malwarebytes protects against ransomware

Malwarebytes can protect systems against all ransomware variants in several ways.

The Malwarebytes Anti-Malware technology detects malicious files, browser modifications, and system modifications on Windows PCs using a combination of signature-based and signatureless technologies. This layer of protection detects the ransomware binary itself. Detections can happen in real time as the binary is run, or the infection can be rooted out from an already-compromised machine by conducting a full system scan.

Anti-Ransomware is a signatureless technology that monitors the activity of processes against a subset of data in specific locations on the endpoint. Using patented technology, Anti-Ransomware assesses changes to those data files. If a monitored process crosses an internal scoring threshold, the Anti-Ransomware component triggers a detection.

For those already infected, Ransomware Rollback can help recover encrypted files within 72 hours of the attack. Rollback creates a local cache on the endpoint to store changes to files on the system. It can use this cache to help revert changes caused by a threat. The Rollback feature is dependent on activity monitoring available in Malwarebytes Endpoint Detection and Response.

Recommended reading: How to protect your RDP access from ransomware attacks

The post Ransomware: February 2022 review appeared first on Malwarebytes Labs.