Tag Archive for: analysis

New BlackCat ransomware analysis published as leak site goes dark


Amid news that the ALPHV/BlackCat ransomware gang is shutting down operations in a likely exit scam, researchers published a new technical breakdown of the ransomware’s binary.

The Trustwave SpiderLabs report published Wednesday dives into remote access and stealth tactics used in deployment of BlackCat ransomware since the group’s resurgence, after its initial disruption by the FBI in December.

ALPHV/BlackCat’s leak site went down for a second time on Friday and is now replaced with an FBI takedown notice that security experts say is likely fake.

Inspecting the site shows the takedown banner is extracted from an archive, and Europol and the National Crime Agency (NCA) deny being involved in the takedown despite their logos appearing on the page, BleepingComputer reports.  

The cybergang’s operators claim they plan to cease operations and sell the BlackCat ransomware source code for $5 million due to law enforcement interference — but this move comes after allegations it stole a $22 million ransom from one of its own affiliates after claiming responsibility for the attack against Change Healthcare. This has led the gang’s actions to be labeled by many as an “exit scam.”

“Based on our experience, we believe that BlackCat’s claim of shutting down due to law enforcement pressure is a hoax. We anticipate their return under a new guise or brand after the hiatus,” Reegun Jayapaul, principal threat hunter at Trustwave, told SC Media in an email. “This tactic serves as a means for them to execute one final significant scam before resurfacing with less scrutiny.”

Whether ALPHV/BlackCat returns under a different name — or the ransomware-as-a-service (RaaS) strain is sold and brought under new management — organizations should stay alert for BlackCat’s ransomware tactics despite the bizarre shakeup.

“Regardless if BlackCat sells their source code or not, threat actors are always honing and evolving their craft,” Shawn Kanady, global director of the Trustwave SpiderLabs Threat Hunt Team, told SC Media.

New stealth features discovered in BlackCat ransomware ‘Version 3’

The BlackCat variant studied by Trustwave researchers is more elusive than previous versions…

Source…

RiskInDroid: Open-source risk analysis of Android apps


RiskInDroid (Risk Index for Android) is an open-source tool for quantitative risk analysis of Android applications based on machine learning techniques.


How RiskInDroid works

“A user should be able to quickly assess an application’s level of risk by simply glancing at RiskInDroid’s output, and they should be able to compare the app’s risk with others easily,” Gabriel Claudiu Georgiu, developer of RiskInDroid, told Help Net Security.

Unlike other tools, RiskInDroid does not take into consideration only the permissions declared into the app manifest but carries out reverse engineering on the apps to retrieve the bytecode and then infers (through static analysis) which permissions are used, extracting four sets of permissions for every analyzed app:

1. Declared permissions – Extracted from the app manifest.
2. Exploited permissions – Declared and used in the bytecode.
3. Ghost permissions – Not declared but with usages in the bytecode.
4. Useless permissions – Declared but never used in the bytecode.
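The four permission sets above, worked through as an added example (not RiskInDroid's own code): a constructed manifest fragment and a constructed list of API calls stand in for the manifest and the recovered bytecode, and the API-to-permission mapping is a hand-written assumption rather than the tool's knowledge base.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest fragment for a fictitious app (not a real package).
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""

# Assumed mapping from API call to the permission it requires; RiskInDroid
# uses its own permission-to-API knowledge base, these entries are illustrative.
API_PERMISSIONS = {
    "Ljava/net/URL;->openConnection": "android.permission.INTERNET",
    "Landroid/content/ContentResolver;->query": "android.permission.READ_CONTACTS",
    "Landroid/telephony/TelephonyManager;->getDeviceId": "android.permission.READ_PHONE_STATE",
}

# Constructed list of API calls "found" by static analysis of the bytecode.
OBSERVED_CALLS = [
    "Ljava/net/URL;->openConnection",
    "Landroid/telephony/TelephonyManager;->getDeviceId",
]

def declared_permissions(manifest_xml):
    """Set 1: permissions listed in <uses-permission> elements of the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}

def used_permissions(calls, api_map=API_PERMISSIONS):
    """Permissions implied by the API calls actually present in the bytecode."""
    return {api_map[c] for c in calls if c in api_map}

def classify_permissions(manifest_xml, calls):
    """Split permissions into the four sets RiskInDroid reports."""
    declared = declared_permissions(manifest_xml)
    used = used_permissions(calls)
    return {
        "declared": declared,            # from the manifest
        "exploited": declared & used,    # declared and used in bytecode
        "ghost": used - declared,        # used in bytecode, never declared
        "useless": declared - used,      # declared, never used
    }

if __name__ == "__main__":
    for kind, perms in classify_permissions(MANIFEST, OBSERVED_CALLS).items():
        print(f"{kind:10s} {sorted(perms)}")
```

Ghost permissions are the set worth a second look: code paths that need a permission the app never asked for, which on older API levels or via a shared-UID companion app may still succeed.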

“The precision and reliability of RiskInDroid have been tested on a large dataset made of more than 6,000 malware samples and 112,000 apps. We released everything to the public so our results could be easily reproduced and verified,” Georgiu added.

Future plans and download

“Currently there are no future versions planned, I just make sure everything works with the latest versions of Python and occasionally update the underlying libraries. Probably the most straightforward improvement would be to include other features in the analysis. Now, only permissions are considered, but we could also consider API calls and URLs that can be extracted through static analysis as we did for permissions,” Georgiu concluded.

RiskInDroid is available for free on GitHub.


Source…

MrB Ransomware (.mrB Files) – Analysis & File Decryption – Gridinsoft Blog


MrB ransomware is a new Dharma ransomware sample, discovered on February 21, 2024. It is distinctive for applying a complex extension to the encrypted files that ends with “.mrB”. This ransomware primarily attacks small corporations and asks a ransom only for decrypting the files, i.e. it does not practice double extortion. Jakub Kroustek was the first to discover and report this ransomware sample.

What is mrB Ransomware?

As I’ve described in the introduction, mrB is a sample of Dharma ransomware, a malware family active since 2016. It is known for adding a long extension to every file it encrypts; the extension consists of the victim ID, the contact email and the extension itself. The resulting file name looks like this:

Media1.mp3 → Media1.mp3.id-C3B22A85.[mirror-broken@tuta[.]io].mrB
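Parsing that naming scheme is a cheap way to triage a share after an incident: the victim ID and contact address tell you how many distinct infections touched a directory. This is an added example, not code from the Gridinsoft post; the pattern is written from the single filename above, so the 8-hex-digit victim ID length is an assumption, and the sample directory listing is constructed (with the email kept defanged as on this page).

```python
import re

# Dharma-family name: <original>.id-<victim id>.[<contact email>].<extension>
# Assumption: the victim id is 8 hex digits, as in the example on this page.
DHARMA_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<contact>.+?)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)

def parse_encrypted_name(name):
    """Return the name's components, or None if it does not follow the scheme."""
    m = DHARMA_NAME.match(name)
    return m.groupdict() if m else None

def scan_filenames(names, extension="mrB"):
    """Keep only entries that match the scheme and carry the given extension."""
    hits = []
    for n in names:
        parsed = parse_encrypted_name(n)
        if parsed and parsed["ext"] == extension:
            hits.append(parsed)
    return hits

def summarize(hits):
    """Count files per (victim id, contact); one cluster usually means one infection."""
    summary = {}
    for h in hits:
        key = (h["victim_id"], h["contact"])
        summary[key] = summary.get(key, 0) + 1
    return summary

# Constructed directory listing; the last two entries are deliberate near-misses.
SAMPLE = [
    "Media1.mp3.id-C3B22A85.[mirror-broken@tuta[.]io].mrB",
    "report.docx.id-C3B22A85.[mirror-broken@tuta[.]io].mrB",
    "notes.txt",
    "backup.id-2024.tar.gz",
    "photo.jpg.id-C3B22A85.[mirror-broken@tuta[.]io].mrB.bak",
]

if __name__ == "__main__":
    for (victim, contact), count in summarize(scan_filenames(SAMPLE)).items():
        print(f"victim {victim} contact {contact}: {count} encrypted files")
```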

Files encrypted by mrB ransomware

MrB ransomware encrypts a wide range of file formats, from images and documents to files of some specific software suites. After finishing the encryption, it opens a pop-up ransom note in the form of an HTA file, and also drops a readme text file. The latter appears in every folder that contains encrypted files. Below, you can see the contents of both ransom notes.

MrB ransomware note

Contents of the readme text file:

Your data has been stolen and encrypted!

email us

mirror-broken@tuta[.]io

How to Recover Encrypted Files?

Unfortunately, there are no recovery options available for mrB ransomware. Flaws in early Dharma samples were used to build a decryptor, but those flaws have since been fixed and it is not effective nowadays. Options you can find online, like “professional hackers” or file recovery services, will at best act as a middleman between you and the hackers. At worst, they will take your money and disappear.

The most effective option for file recovery is a decryptor tool dedicated to the specific ransomware family. Those are usually released when a vulnerability in the encryption mechanism is found, or when ransomware servers are seized. It may sound unlikely, but 4 such decryptors were released in the first months of 2024. Be patient, do not lose hope, and you will get the files back.

File recovery options

For now, your best…

Source…

Dragos Shares Ransomware Analysis | Manufacturing.net


While international law enforcement’s relentless efforts have resulted in arrests and the dismantling of ransomware operations, the battle against ransomware groups continues. During the fourth quarter of 2023, we witnessed a slight decline in reported incidents, yet saw a surge in actions that kept the ransomware threat landscape dynamic. 

Ransomware groups consistently adapt by evolving their strategies, embracing new techniques, and even reconfiguring or rebranding their operations to bolster their earnings and evade detection. Yet international law enforcement has achieved noticeable results in fighting ransomware operations, including arresting members of ransomware groups, such as the arrest of a Ragnar Locker developer in Paris, and dismantling their infrastructure.

Additionally, the U.S. Justice Department, in collaboration with international agencies including Germany, Denmark, and Europol, disrupted the activities of the AlphaV ransomware group. The U.S. Federal Bureau of Investigation (FBI) developed a decryption tool that aided over 500 victims, preventing approximately $68 million in ransom payments. This operation is part of a broader initiative to combat major ransomware operations and apprehend key figures involved in global cyber disruptions.

As ransomware groups have consistently demonstrated their capacity to innovate and refine their methods, active groups such as LockBit, BlackCat, Royal, and Akira adopted new techniques known as remote encryption or remote ransomware during the last quarter. This technique involves compromising an endpoint connected to the victim’s network and using it to launch the ransomware attack within the victim’s environment, thereby increasing the likelihood of a successful attack.

As Dragos assessed with moderate confidence in last quarter’s blog, ransomware groups continue to prioritize zero-day vulnerabilities in their operations. This strategic focus was evident in the actions of the LockBit ransomware group as they exploited a vulnerability known as ‘Citrix Bleed’ (CVE-2023-4966) during their attacks. LockBit leveraged this flaw to hijack authenticated sessions, gaining temporary access to various…

Source…