Double Extortion Ransomware Groups Make Headlines
In the ever-evolving landscape of cyber threats, the number of ransomware groups adopting double extortion is a concerning trend. This rising wave of ransomware attacks has taken the form of not only locking away valuable corporate data but also threatening to expose it to the world unless their demands are met.
In the past week alone, more than three newly identified ransomware strains have come to light, causing distress for over 200 victims worldwide. Additionally, within the last month, approximately 10 new ransomware groups have emerged, employing double extortion. A few of these groups are:
The rapid emergence of new ransomware strains and the formation of new ransomware groups highlight the scalability and profitability of these criminal operations. As criminals continue to refine their techniques and exploit vulnerabilities, they find new ways to maximize their financial gains.
Below, we delve into the ransomware strains that emerged last week, showcasing the new techniques that Threat Actors (TAs) adopted. These instances show how these TAs leverage ransomware to advance their goals.
Notably, the MalasLocker ransomware takes an unconventional approach by demanding that victims make a donation instead of requesting a traditional ransom, highlighting the involvement of hacktivists. Additionally, Rhysida ransomware stands out for its unique method of delivering the ransom note in PDF format.
Rhysida Ransomware
Rhysida ransomware was discovered by the MalwareHunter Team. The Rhysida ransomware (SHA256: a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6) is 64-bit binary and targets the Windows operating system.
The figure below shows the file details.
Execution
The ransomware binary can run without any command line arguments. Additionally, it offers two optional command line arguments that can be provided when executing the binary. The following optional command line arguments are accepted during execution:
| Parameter | Description |
| -d | Path of directory to encrypt |
| -sr | Self-Remove |
It uses the following command to remove itself when the “-sr” parameter is passed:
- “cmd.exe /c start powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path”
This ransomware uses multiple threads to process files and directories. It opens directories recursively and performs operations on files. It also tracks statistics related to the processed files, directories, errors, access counts, and readme files.
This data is printed on the command prompt window, as shown in the figure below.
Encryption
The Rhysida ransomware employs a combination of RSA and AES algorithms to encrypt files.
The implementation of these cryptographic algorithms within the ransomware binary is depicted in the figure below.
The ransomware binary excludes the following directories from encryption:
\$Recycle.bin, \Documents and Settings, \PerfLogs, \Program Files, \Program Files (x86), \ProgramData\, \Recovery, \System Volume Information.
Furthermore, the ransomware does not encrypt files with the following extensions:
.bat, .bin, .cab, .cmd, .com, .cur, .diagcab, .diagcfg, .diagpkg, .drv, .dll, .exe, .hlp, .hta, .ico, .lnk, .msi, .ocx, .ps1, .psm1, .scr, .sys, .ini, .db, .url, .iso, .cab.
Once a file is successfully encrypted, the ransomware renames it by adding the “.rhysida” extension.
The figure below illustrates the encrypted files after this modification has been made.
In contrast to typical ransomware behavior, the Rhysida ransomware binary deploys a distinct approach by dropping the ransom note in the form of a PDF file named “CriticalBreachDetected.pdf”. This ransom note is placed in every directory the ransomware traverses during its operation.
The figure below showcases the content of the ransom note, providing further insight into the specific details and demands presented by the attackers.
The ransomware then generates a background image named “bg.jpg” using the ransom note content in the “C:\\Users\\Public” directory and sets it as the desktop background. It executes the following commands for modifying the necessary registry entries to change the victim’s background.
- system(“cmd.exe /c reg delete \”HKCU\\Conttol Panel\\Desktop\” /v Wallpaper /f”);
- system(“cmd.exe /c reg delete \”HKCU\\Conttol Panel\\Desktop\” /v WallpaperStyle /f”);
- system(“cmd.exe /c reg add \”HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\ActiveDesktop\” /v NoChangingWall”
“Paper /t REG_SZ /d 1 /f”);
- system(
“cmd.exe /c reg add \”HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\ActiveDesktop\” /v NoChangingWall”
“Paper /t REG_SZ /d 1 /f”);
- system(“cmd.exe /c reg add \”HKCU\\Control Panel\\Desktop\” /v Wallpaper /t REG_SZ /d \”C:\\Users\\Public\\bg.jpg\” /f”);
- system(
“cmd.exe /c reg add \”HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\” /v Wallpaper /t REG_SZ /”
“d \”C:\\Users\\Public\\bg.jpg\” /f”);
- system(
“cmd.exe /c reg add \”HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\” /v WallpaperStyle /t REG_SZ /d 2 /f”);
- system(“cmd.exe /c reg add \”HKCU\\Control Panel\\Desktop\” /v WallpaperStyle /t REG_SZ /d 2 /f”);
- system(“rundll32.exe user32.dll,UpdatePerUserSystemParameters”);
The figure below shows the background set by the ransomware.
Currently, there are no victims posted on Rhysida ransomware’s leak site.
The figure below shows the leak site of Rhysida ransomware.
8Base ransomware
Zscaler recently uncovered the 8Base ransomware, which has been actively targeting victims. The group behind this ransomware has adopted a double extortion strategy, wherein they first steal the victim’s data and then encrypt it.
If the victim refuses to pay the ransom, the attackers publish the stolen data on their leak site. The group has already disclosed information about 66 victims on its website.
The figure below shows the 8Base ransomware leak site.
The figure below shows the guidelines given to victims on the 8Base ransomware leak site.
The leak site associated with this ransomware group contains posts that can be traced back to April 2022, indicating that the group has potentially been active for at least a year without publicly disclosing its victims.
However, it is worth noting that the group’s Telegram channel was only created in May 2023, suggesting that they may have recently begun to publicly disclose their victims.
The figure below shows the ransom note of 8Base ransomware.
MalasLocker
A recently discovered ransomware known as MalasLocker has been observed targeting Zimbra servers. This particular ransomware group has publicly disclosed approximately 169 victims on their leak site.
Like many other ransomware groups, MalasLocker ransomware employs the double extortion technique to target its victims. However, what sets MalasLocker apart is that instead of demanding a ransom, they ask their victims to make a donation.
Conclusion
Various TAs are increasingly turning to ransomware to carry out malicious attacks. One possible reason behind this trend is the accessibility of leaked source code and builders from previous ransomware groups.
These tools empower even less sophisticated TAs to engage in ransomware attacks. The recent rise in ransomware groups utilizing double extortion techniques highlights the evolving nature of ransomware as a lucrative business, attracting numerous new threat actors.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Define and implement a backup process and secure those backup copies by keeping them offline or on a separate network.
- Monitor darkweb activities for early indicators and threat mitigation.
- Enforce password change policies for the network and critical business applications or consider implementing multi-factor authentication for all remote network access points.
- Reduce the attack surface by ensuring that sensitive ports are not exposed to the Internet.
- Conduct cybersecurity awareness programs for employees, third parties, and vendors.
- Implement a risk-based vulnerability management process for IT infrastructure to identify and prioritize critical vulnerabilities and security misconfigurations for remediation.
- Instruct users to avoid opening untrusted links and email attachments without verifying authenticity.
- Deploy reputed anti-virus and internet security software packages on your company-managed devices, including PCs, laptops, and mobile devices.
- Turn on the automatic software update features on computers, mobiles, and other connected devices.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Execution | T1204 T1059 | User Execution Command and Scripting Interpreter |
| Discovery | T1057 T1082 T1083 | Process Discovery System Information Discovery File and Directory Discovery |
| Impact | T1486 | Data Encrypted for Impact |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| 0c8e88877383ccd23a755f429006b437 69b3d913a3967153d1e91ba1a31ebed839b297ed a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6 | MD5 SHA1 SHA256 | Rhysida Windows Executable |
