Ransomware-Groups-Ramping-Up-Their-Operations

Ransomware Groups Ramping Up Operations

Threat Actors resorting to even more unscrupulous extortion techniques

In a recent report, Cyble Research Labs discussed the new extortion techniques adopted by ALPHV ransomware and the Karakurt data extortion group. In these techniques, these groups created a searchable database out of the breached data on their leak sites. We have witnessed multiple ransomware groups adopting different extortion mechanisms to threaten their victims or damage their reputations.

After the launch of the Ransomware-as-a-Service model by SolidBit ransomware, we came across a post where the SolidBit ransomware was leveraging a cybercrime forum to extort its victims.

In another event, we came across a post made by LOCKBIT3.0 ransomware where they released the chat between them and their victims on their leak site. ALPHV ransomware also adopted a new technique where they published the email communication of their victims, which happened after ransomware attacks.   

SolidBit Ransomware in Action

SolidBit is a .NET-based ransomware that is suspected to be developed using the Yashma ransomware builder. Yashma ransomware builder was leaked on a cybercrime forum, and TA might have modified that for generating SolidBit ransomware.

The Threat Actors (TA)s behind SolidBit ransomware have posted on multiple Cybercrime forums regarding the launch of their R-a-a-S model. Per their advertisement, the profit generated from ransom payments will be divided into an 80:20 ratio, wherein affiliates will have 80% of the profit, and 20% will go to the developers. The figure below shows the initial R-a-a-S Post made by TA on a cybercrime forum.

Figure 1 – Initial R-a-a-S post made by SolidBit ransomware

The TA later made another post regarding their R-a-a-S on a different cybercrime forum, but in this post, the TA modified the profit-sharing to a 70:30 ratio. The figure below shows the post made by the TA.

Figure 2 – Recent R-a-a-S post made by SolidBit ransomware

On the same cybercrime forum, the TA released the login credentials of multiple Government departments of a Country for extorting their victim, as shown in the figure below. Using these credentials, other TAs can also access the victim’s network.

Figure 3 – SolidBit ransomware Leveraging Cybercrime forum

LOCKBIT3.0 Ransomware Leaks Victim’s Negotiation Chat

LockBit ransomware is currently one of the most popular and active ransomware groups in the wild. This ransomware variant was first detected in September 2019 and used by Threat Actors (TAs) to target multiple sectors and organizations worldwide. The TAs behind LockBit operate under the Ransomware-as-a-Service (RaaS) business model.

LOCKBIT ransomware released the chat of one of their victims on their leak site. These chats mainly contain the negotiations between the ransomware group and their victims. This was the first time we observed LOCKBIT using this technique.

Earlier, we had observed the Conti ransomware group doing this to one of their victims. The figure below shows the chat leaked by the ransomware group.

Figure 4 – Negotiation chat leaked by LOCKBIT ransomware

ALPHV ransomware Monitors the Mail Communications After Ransomware Attack:

ALPHV is a Rust-based ransomware variant and surfaced in November 2021. It’s also known as BlackCat ransomware. In one of the recent attacks, ALPHV ransomware leaked the victim’s mail communications after the ransomware attack.

Instead of leaking the sample data, the ALPHV ransomware used a new extortion technique of leaking mail communications. This case indicates how TAs might know what steps the victim organization takes to remediate the ransomware attack and might also intensify the remediation process. The figure below shows the leaked email messages.

Figure 5 – Email communication leaked by ALPHV ransomware

Conclusion

Ransomware groups are constantly adopting different extortion techniques to threaten their victims. The exposure of sensitive information can result in the loss of reputation of the victim organization. Exposure of login credentials for extortion might result in more attacks by other TAs.

Unfortunately, these extortion techniques are one of the preferred weapons used by TAs to threaten their victims. The extortion techniques these ransomware groups use further highlight how quickly victims need to start the Incident Response to contain the attack.

Our Recommendations   

  • Determine which systems were impacted and immediately isolate them.
  • Consult with your incident response team to develop and document an initial understanding of what has occurred based on the initial analysis.
  • Organizations should monitor for third-party breaches.  
  • Conduct security awareness training frequently for the employees of the organization.  
  • Segment the organization’s ecosystem to obfuscate access to all sensitive resources.  
  • Organizations are advised to secure all third-party systems to prevent vulnerable third parties from becoming attack vectors.  
  • Never open untrusted links and suspicious email attachments without verifying their authenticity.   
  • Backup data on different locations and implement Business continuity planning (BCP).  
  • Implement Data loss prevention (DLP), Anti-virus, Endpoint detection and response (EDR), Security Information and Event Management (SIEM), and other security solutions.  
  • Regularly perform audits and Vulnerability Assessment and Penetration Testing (VAPT) of organizational assets, including network and software.  
  • Implement a strict Identity and Access Management (IAM) policy. 
Scroll to Top