Keeping Up with Evolving Ransomware

The Threat Hunter Team with software company Symantec reported that Noberus, which also goes by the names BlackCat/ALPHV, is leveraging new tools, tactics, and procedures (TTPs). The ransomware-as-a-service BlackCat/ALPHV has compromised at least 60 different entities across the world using the programming language Rust, according to a Federal Bureau of Investigation Cyber Division report from April 2022. The number of affected organizations has likely increased since then.

Noberus is using an updated version of the data exfiltration tool Exmatter, along with Eamfo, malware designed to steal credentials, according to the Symantec report. Four cybersecurity experts dig into what the Noberus updates and evolving ransomware mean for IT leaders who need to help defend their organizations.

How Noberus Works

Noberus is a descendant of the Darkside and BlackMatter ransomware families; Darkside was used in the 2021 Colonial Pipeline attack. Symantec reports that ransomware-as-a-service operation Coreid is likely responsible for the development of these ransomware strains.

Noberus was initially discovered in November 2021, and since then, it has undergone a number of updates to improve its efficiency, including new encryption functionality. An updated version of the Exmatter tool was spotted in connection with Noberus attacks in August, according to Symantec. It also reports that attackers leveraging Noberus have been observed using Eamfo malware to steal credentials stored by Veeam software.

“What sets Noberus apart from other ransomware groups is its ability to design highly customizable ransomware executables for its intended target,” says Aaron Sandeen, CEO and co-founder of Cyber Security Works, a U.S. Department of Homeland Security-sponsored CVE Numbering Authority. “Rather than creating automated malware, Noberus ransomware dedicates a lot of manpower to understanding its target’s systems to find specific entry points.”

Responding to Evolving Ransomware

The updates to Noberus are concerning but expected. “This is the new normal. Criminal groups will continue to reinvest part of their profits in research and development to drive the innovation cycle of development and distribution of…