Monday, October 31, 2022
Welcome to the ransomware weekly across multiple sectors – A summary   

The Art of Cyber-Space

Oct 31

October's designation as cybersecurity awareness month has clearly motivated a number of businesses to strengthen their security posture and to focus on specific areas in order to improve detection and response. Between the 22nd and the 28th of October, several notable attacks came to light, and these attacks have been linked to well-known brands. The incidents span a variety of industries, including but not limited to IT services, BFSI, and healthcare. The TommyLeaks and Schoolboys gangs, which have primarily focused on data extortion and ransomware deployment, are among the groups involved. For a summary of the groups and ransomware families observed, as well as some of the attackers' TTPs, see the full article below.

Source: Reference

Microsoft disclosed that Vice Society uses multiple ransomware families in its attacks, including BlackCat, Quantum, Zeppelin, and a Vice Society-branded variant of Zeppelin. BleepingComputer is also aware of the group using the HelloKitty ransomware. The week also brought further insight into recent and ongoing ransomware incidents: the alleged $60 million LockBit demand against Pendragon, Hive's claim of the Tata Power attack, Medibank's announcement that the attackers had accessed all of its customers' personal data, a ransomware attack on the Indianapolis Housing Agency, and Australian Clinical Labs' announcement that patient data had been stolen. A summary of these attacks is presented in the table below:

| Date | Ransomware group | Impact |
| --- | --- | --- |
| Oct 24th | Cuba ransomware | Targets Ukrainian government agencies; an alert was issued about potential Cuba ransomware attacks against critical networks in the country. |
| Oct 24th | LockBit ransomware | Pendragon Group, with more than 200 car dealerships in the U.K., was breached in a cyberattack by the LockBit ransomware gang, who allegedly demanded $60 million to decrypt files and not leak them. |
| Oct 24th | Chaos ransomware and KillNet ransomware | PCrisk found a new KillNet ransomware that appears to be tied to a pro-Russia hacking group. When encrypting files it appends the .killnet extension and drops a ransom note named Ru.txt. |
| Oct 25th | Hive ransomware | The Hive ransomware group has claimed responsibility for a cyberattack disclosed by Tata Power this month. |
| Oct 25th | Vice Society | Switching ransomware payloads in attacks targeting the education sector across the United States and worldwide. |
| Oct 25th | LV ransomware and new Zeppelin variant | All data encrypted globally, affecting a Jordan-based company. |
| Oct 26th | Unknown group | Australian insurance firm Medibank has confirmed that hackers accessed all of its customers' personal data and a large amount of health claims data during a recent ransomware attack. |
| Oct 26th | New Chaos variant | Appends a random extension and drops a ransom note named lisezmoi.txt. |
| Oct 26th | Sparta Blog, BianLian, Donuts, Onyx, and Yanluowang | Industrial ransomware. |
| Oct 27th | Unknown group | Australian Clinical Labs (ACL) has disclosed a February 2022 data breach that impacted its Medlab Pathology business, exposing the medical records and other sensitive information of 223,000 people. |
| Oct 27th | Clop ransomware | Microsoft says a threat group tracked as DEV-0950 used Clop ransomware to encrypt the network of a victim previously infected with the Raspberry Robin worm. |
| Oct 28th | Drinik trojan | Targets 18 Indian banks, masquerading as the country's official tax management app to steal victims' personal information and banking credentials. |

Source: Reference
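Two rows in the table name concrete file-system artefacts: KillNet appends a .killnet extension and drops Ru.txt, and the new Chaos variant appends a random extension and drops lisezmoi.txt. The following Python script is an added example (not code from the original post or from any vendor) of how a defender can turn those indicators into a triage check over a file listing. The file listing, the set of "expected" extensions, and the cluster threshold are all constructed assumptions for the example; a random extension cannot be matched by name, so it is surfaced as an unexpected extension shared by many files.

```python
"""Triage a file listing for the ransomware artefacts named in the weekly summary.

Indicators taken from the summary: the KillNet sample appends ".killnet" and drops
a ransom note named "Ru.txt"; the new Chaos variant appends a random extension and
drops "lisezmoi.txt". The sample listing, the EXPECTED_EXTENSIONS set and the
cluster threshold are constructed for this example, not taken from the post.
"""
import os
from collections import Counter

RANSOM_NOTE_NAMES = {"ru.txt", "lisezmoi.txt"}   # compared case-insensitively
KNOWN_BAD_EXTENSIONS = {".killnet"}
# Extensions we expect on an ordinary document share (assumption, not from the page).
EXPECTED_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png"}

# Constructed listing: the Chaos variant has renamed six documents to a random
# extension and KillNet has touched two more. Not real data.
SAMPLE_LISTING = [
    "finance/q3-budget.xlsx",
    "finance/q3-budget.xlsx.kzq7",
    "finance/invoices-sept.pdf.kzq7",
    "finance/invoices-oct.pdf.kzq7",
    "finance/lisezmoi.txt",
    "hr/onboarding.docx.kzq7",
    "hr/payroll.csv.kzq7",
    "hr/policies.pdf.kzq7",
    "hr/team-photo.jpg",
    "eng/design.docx.killnet",
    "eng/roadmap.pptx.killnet",
    "eng/Ru.txt",
    "eng/notes.txt",
]


def extension_of(path):
    """Lower-cased final extension of a path ('' when there is none)."""
    return os.path.splitext(path)[1].lower()


def triage(paths, min_cluster=5):
    """Return the artefacts found in a listing.

    ransom_notes:        paths whose file name matches a known ransom note.
    known_bad:           paths carrying an extension the summary attributes to a family.
    suspicious_clusters: unexpected extensions shared by at least min_cluster files,
                         which is how an unknown or random extension shows up.
    """
    ransom_notes = [p for p in paths if os.path.basename(p).lower() in RANSOM_NOTE_NAMES]
    known_bad = [p for p in paths if extension_of(p) in KNOWN_BAD_EXTENSIONS]
    counts = Counter(extension_of(p) for p in paths)
    suspicious_clusters = {
        ext: n for ext, n in counts.items()
        if ext and ext not in EXPECTED_EXTENSIONS
        and ext not in KNOWN_BAD_EXTENSIONS and n >= min_cluster
    }
    return {"ransom_notes": ransom_notes, "known_bad": known_bad,
            "suspicious_clusters": suspicious_clusters}


def verdict(result):
    """Collapse triage output into a single label for alerting."""
    if result["ransom_notes"] or result["known_bad"]:
        return "confirmed-artefact"
    if result["suspicious_clusters"]:
        return "suspected-encryption"
    return "clean"


if __name__ == "__main__":
    found = triage(SAMPLE_LISTING)
    print(verdict(found), found)
```

The name and extension matches are the high-confidence signal; the cluster heuristic is deliberately separate and lower confidence, because a legitimate batch job can also create many files with one unfamiliar extension, so it should raise a "suspected" alert rather than block on its own.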

What these attacks make evident is that the number of threat groups keeps growing, their attack methodology is becoming more sophisticated, and the hardest problem remains detecting them as soon as they have infiltrated. Many ransomware groups have designed malware that resides quietly in the victim's system and waits for the right moment to strike. The Drinik trojan is a classic example. Drinik has been circulating in India since 2016, initially as an SMS stealer, but in September 2021 it added banking trojan features that target 27 financial institutions by directing victims to phishing pages. Some of its key behaviours are as follows:

  • The latest version of the malware comes in the form of an APK named 'iAssist,' which is supposedly India's Income Tax Department's official tax management tool.
  • Upon installation, it requests permissions to receive, read, and send SMS, read the user's call log, and read and write to external storage.
  • Next, it requests the user to allow the app to (ab)use the Accessibility Service. If granted, it disables Google Play Protect and uses it to perform navigation gestures, record the screen, and capture key presses.

Drinik will also check if the victim ended up on a URL that indicates a successful login to ensure that the exfiltrated details (user ID, PAN, AADHAR) are valid.

At this stage, the victim is served a fake dialogue box saying that the tax agency found they're eligible for a refund of Rs 57,100 ($700) due to previous tax miscalculations and are invited to tap the "Apply" button to receive it.

This action takes the victims to a phishing page that is a clone of the real Income Tax Department site, where they are directed to enter financial information, including account number, credit card number, CVV, and card PIN. 

Source: Cyble
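The behaviours listed above (a self-described tax app requesting receive/read/send SMS, call log and external storage permissions, then asking to bind an accessibility service) are visible in the APK manifest before the app ever runs. The Python script below is an added example, not code from the original post or from Cyble, of a static triage check over an AndroidManifest.xml. The sample manifest is constructed for the example (the package name, service name and label are invented; only the permission combination follows the description above), and the scoring thresholds are an assumption.

```python
"""Static triage of an Android manifest for the permission pattern described for Drinik.

The permissions checked are the ones listed in the summary: receive/read/send SMS,
read call log, read/write external storage, and a service bound with the
accessibility-service permission. The SAMPLE_MANIFEST and BENIGN_MANIFEST are
constructed for this example; the scoring thresholds are an assumption.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERMISSION_ATTR = "{%s}permission" % ANDROID_NS

SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
CALL_LOG_PERMISSION = "android.permission.READ_CALL_LOG"
STORAGE_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest mirroring the described permission set; package and service
# names are invented placeholders, not taken from any real sample.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.iassist">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="iAssist">
        <service android:name=".HelperService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed manifest of an app that only needs network access, for contrast.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.taxcalc">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Tax Calculator"/>
</manifest>
"""


def extract_permissions(manifest_xml):
    """Return (requested permission names, services bound with the accessibility permission)."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    accessibility_services = [
        svc.get(NAME_ATTR) for svc in root.iter("service")
        if svc.get(PERMISSION_ATTR) == ACCESSIBILITY_PERMISSION
    ]
    return requested, accessibility_services


def assess(manifest_xml):
    """Score the manifest against the described pattern and label it low/medium/high."""
    requested, accessibility_services = extract_permissions(manifest_xml)
    findings = []
    if SMS_PERMISSIONS <= requested:
        findings.append("receive/read/send SMS (can intercept one-time codes)")
    if CALL_LOG_PERMISSION in requested:
        findings.append("read call log")
    if STORAGE_PERMISSIONS & requested:
        findings.append("read/write external storage")
    if accessibility_services:
        findings.append("binds an accessibility service: " + ", ".join(accessibility_services))
    score = len(findings)
    # Thresholds are an assumption for the example, not a vendor rule.
    label = "high" if score >= 3 else "medium" if score >= 1 else "low"
    return {"score": score, "findings": findings, "verdict": label}


if __name__ == "__main__":
    for name, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, assess(manifest))
```

Each capability counts once, so an app that legitimately needs one of them (a messaging client reading SMS) lands at "medium" and is reviewed, while the full combination the post describes lands at "high". The accessibility check looks at the service's permission attribute rather than at the permission list, because BIND_ACCESSIBILITY_SERVICE is declared on the service, not requested with uses-permission.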

What is striking about the screenshot above is that anyone who does not check the URL could fall for it; that is how carefully the page has been crafted. Drinik has a large target pool because it goes after Indian taxpayers and banking customers, so every successful feature can translate into significant financial gain for the malware's authors. Studying the behaviour analytics of such attacks is essential for designing effective detection mechanisms and mitigation strategies. If this is the result and impact of a single week, the effort to thwart such groups needs the utmost attention and urgency to avoid major data breaches as far as possible.

https://theartofcyberspace.wordpress.com/2022/10/31/welcome-to-the-ransomware-weekly-across-multiple-sectors-a-summary/