Tag Archive for: extortion

Threat Spotlight: Triple Extortion Ransomware


Executive Overview

Threat actors have escalated the single-extortion ransomware model to double and even triple extortion. In the single model the attacker only encrypts data and sells the key back; double extortion adds the threat of leaking stolen data; triple extortion layers a further pressure tactic on top, such as a DDoS attack or direct contact with the victim's customers and partners.

As cybercrime has become commodified, adversaries have made their operations significantly more sophisticated, and the potential impact of a ransomware attack has grown accordingly.

Flare Director of Marketing Eric Clay and CTO & Co-Founder Mathieu Lavoie discussed the latest trends in ransomware attacks including: double/triple extortion, different types of ransomware, methods for stealing sensitive data, and more.

Check out our full webinar recording, Triple Extortion Ransomware & Dark Web File Dumps, or keep reading for the highlights.

Commodification of Ransomware Groups

Ransomware groups are becoming more like companies, with:

  • mission-oriented approaches
  • recruitment practices to seek new hires
  • specialization

The Karakurt group, after operating privately for a year, has recently published a recruitment post to attract new members. The group presents its mission as holding companies accountable for the existing weaknesses in their security and for the negligence of their IT staff. Such groups can be driven by both financial and political motives, often shaped by the shifting geopolitical landscape.

Two distinct kinds of specialization appear within such groups. The first is internal, like departments within a company: some members of a ransomware group specialize in negotiating the ransom, while others focus on developing malware. The second is across groups, each with its own area of expertise, much as a larger company relies on specialized outside agencies: one group concentrates on distributing ransomware and partners with another that specializes in extortion.

This organized, specialized collaboration between groups makes operations more intricate and scalable than anything an individual threat actor could run.

Changes in Ransomware Groups

Ransomware groups are constantly changing their tactics, techniques, and procedures (TTPs) to optimize their strategy. One alarming trend that we’ve…

Source…

Stung by Free Decryptor, Ransomware Group Embraces Extortion


BianLian Follows in Karakurt’s Footsteps by Moving Away From Crypto-Locking Malware


March 22, 2023

Ransomware group BianLian, which takes its name from the ancient Chinese face-changing drama, has found a new face. (Image: Shutterstock)

Not all ransomware groups wield crypto-locking malware. In their continuing quest for extortionate profits, some have moved away from encryption and pressure victims purely by threatening to leak stolen data unless they receive a ransom payment.


This seems to have been the case for BianLian, a prolific ransomware group that emerged in the summer of 2022. At that point, threat intelligence firm Cyble reported the group was known for executing rapid-encryption attacks, especially against the media and entertainment sectors, as well as healthcare, energy and utilities, among others.


The group’s name refers to “bian lian” – an ancient Chinese dramatic art in which characters’ faces change in the blink of an eye. It’s apparently a reference to the speed of the group’s encryption.


Czech cybersecurity firm Avast threw a wrench in the group’s works in January by releasing a free decryptor for victims of the ransomware.


This didn’t go unnoticed by BianLian. “If you have questions about Avast’s decryptor, you need to know that for each company we create an unique key,” the criminals said in a snarky, grammatically incorrect message posted to their site dedicated to naming victims and leaking stolen data….

Source…

BianLian ransomware crew goes 100% extortion after free decryptor lands • The Register


The BianLian gang is ditching the encrypting-files-and-demanding-ransom route and instead is going for full-on extortion.

Cybersecurity firm Avast’s release in January of a free decryptor for BianLian victims apparently convinced the miscreants that there was no future for them on the ransomware side of things and that pure extortion was the way to go.

“Rather than follow the typical double-extortion model of encrypting files and threatening to leak data, we have increasingly observed BianLian choosing to forgo encrypting victims’ data and instead focus on convincing victims to pay solely using an extortion demand in return for BianLian’s silence,” threat researchers for cybersecurity company Redacted wrote in a report.

A growing number of ransomware groups are shifting to relying more on extortion than data encryption. However, it seems the impetus for this gang’s move was that Avast tool.

When the security shop rolled out the decryptor, the BianLian group boasted in a message on its leak site that it created unique keys for each victim, that Avast’s decryption tool was based on a build of the malware from the summer of 2022, and that it would irreversibly corrupt files encrypted by other builds. Whether or not that claim is true, the operational lesson for responders stands: run any third-party decryptor against copies of encrypted files first and verify the output before touching the originals.

The message has since been taken down and BianLian changed some of its tactics. That includes not only moving away from ransoming the data, but also a change in how the attackers post masked details of victims on their leak site to prove they have the data in hand, in the hope of further incentivizing victims to pay.

Masking victim details

That tactic was in their arsenal before the decryptor tool was available, but “the group’s use of the technique has exploded after the release of the tool,” Redacted researchers Lauren Fievisohn, Brad Pittack, and Danny Quist, director of special projects, wrote.

Between July 2022 and mid-January, masked victim details accounted for 16 percent of the postings to the group’s leak site. In the two months since the decryptor was released, masked victim details appeared in 53 percent of the postings. The group is also getting the masked details onto the leak site faster, sometimes within 48 hours of the compromise, which leaves defenders very little time to detect the intrusion before the extortion pressure begins.

The group also is doing its research…

Source…

BianLian Ransomware Pivots From Encryption to Pure Data-Theft Extortion


The BianLian ransomware group is ramping up its operations and maturing as a business, moving more swiftly than ever to compromise systems. It’s also moving away from encryption to pure data-theft extortion tactics, in cyberattacks that have so far bagged at least 116 victims, researchers have found.

BianLian, first discovered last July, hasn’t deviated much from its initial tactic: deploying a custom Go-based backdoor once it infiltrates a network. The functionality of the malware remains essentially the same apart from a few tweaks, researchers from Redacted said in a blog post published today.

However, the swiftness with which the group’s command-and-control server (C2) deploys the backdoor has increased, and the group notably has moved away from ransoming encrypted files to focusing more on pure data-leak extortion as a means to extract payments from victims, the researchers said.

“BianLian has discovered that they don’t need to actually encrypt victim networks to get paid,” Adam Flatley, vice president of intelligence at Redacted, says.

This shift to focus on data-leak extortion is “extremely dangerous,” because it allows the group to take the time and effort to tailor the threats to specific victims and exert more pressure to pay ransoms, he adds.

“BianLian will have an even stronger pressure position on trying to force their victims to not work with the FBI, to not report the incident, and just pay the ransom and move on,” Flatley says.

BianLian’s change in encryption strategy is likely a response to Avast’s release of a free decryption tool that lets organizations targeted by the group unlock their files, the researchers noted.

Given that BianLian has used double-extortion methods from the outset — threatening to release a victim organization’s stolen data online if a ransom wasn’t paid by a certain deadline — the group decided to skip the encryption step and go right to extortion, according to Redacted.

Maturing As a Cyberattack Business

This shift is part of BianLian’s overall evolution and maturation as a business, the researchers said. While from its inception the group has had “a high level of operational security and skill in network…

Source…