Weekly Dark Web Trends/Advisory

04.04.2022

Every week, the CYFIRMA Intelligence and Research Team highlights additional high-level information gathered while monitoring various dark web forums. This information spans many industries and countries and may be directly or indirectly relevant to your organization.

Ransomware

Detailed below are the three most prolific ransomware groups observed this week. Additional information on victims has been obtained from the Data Leak Sites (DLS) of each ransomware strain.

List of Data Leak Sites


RANSOMWARE UPDATE

1) SunCrypt Ransomware Group

SunCrypt was first observed in October 2019 and runs a ransomware-as-a-service (RaaS) operation with a closed affiliate program advertised on the dark web. The ransomware was initially written in Go and targeted Windows machines; in mid-2020 the operators rewrote it in C/C++, after which the number of attacks increased. SunCrypt is linked to QNAPCrypt: both families use identical file-encryption logic compiled from the same source code.

SunCrypt News:

SunCrypt has evolved with enhanced capabilities and was one of the first groups to use the “triple extortion” approach (adding a third pressure tactic on top of encryption and the threat of a data leak). The latest variant (the 2022 version) has gained capabilities such as terminating processes, stopping services and clearing the machine ahead of encryption. Its encryption path is unusual: rather than the blocking worker threads most ransomware uses, it drives overlapped file I/O through an I/O Completion Port, so a small number of threads keep many reads and writes in flight and encryption finishes faster.

The variant is still under development and is expected to widen its target list as the group competes with other ransomware operations. The operators may add anti-VM checks in a future variant; the latest observed sample already shows signs of such features.


New Victims:

2) Hive Ransomware Group

Hive operates a ransomware-as-a-service (RaaS) operation whose affiliates use a variety of mechanisms to compromise business networks, exfiltrate data, encrypt data on the networks and collect a ransom in exchange for the decryption software. First seen in 2021, the group follows a double-extortion model, threatening to leak data stolen from victims on its leak site.

Hive News:

Hive has been observed using a new obfuscation technique in which a payload is stored as an array of IPv4 address strings and translated back into code at runtime; the decoded payload leads to a Cobalt Strike beacon download. Code obfuscation hides the malicious nature of code from analysts and security software in order to evade detection.

The technique was found while analysing a 64-bit Windows executable that carried the payload deploying Cobalt Strike. The payload is stored in the ASCII IPv4 address array format, so it looks like a harmless list of IP addresses; each dotted quad is in fact four bytes of the payload. Static signatures alone are therefore insufficient for detecting such payloads; detection should aggregate suspicious signals from multiple points (string characteristics, runtime API use and memory behaviour) rather than rely on one pattern.
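A decoder and triage heuristic for that format, added here as an example (this is not code from Hive, nor CYFIRMA detection content). The byte sequence and the string list it runs on are constructed for the example, and the "suspicious first octet" ratio threshold is an assumption chosen for illustration, not a published indicator.

```python
"""IPfuscation: an array of dotted-quad strings that is really a byte array.

Added example, not a Hive sample.  All sample data below is constructed.
"""
import re

# Strict dotted-quad matcher: four octets in 0-255, nothing else on the string.
_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
IPV4_RE = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")


def bytes_to_ip_array(payload: bytes) -> list[str]:
    """What the obfuscator does: every 4 bytes become one 'IP address' (tail zero-padded)."""
    padded = payload + b"\x00" * (-len(payload) % 4)
    return [".".join(str(b) for b in padded[i:i + 4]) for i in range(0, len(padded), 4)]


def ip_array_to_bytes(ips: list[str]) -> bytes:
    """What the loader does at runtime: each octet is one byte of the payload."""
    out = bytearray()
    for ip in ips:
        if not IPV4_RE.match(ip):
            raise ValueError(f"not an IPv4 literal: {ip!r}")
        out.extend(int(octet) for octet in ip.split("."))
    return bytes(out)


def find_ip_runs(strings: list[str], min_run: int = 4) -> list[list[str]]:
    """Group consecutive IPv4 literals from a string dump into runs of at least min_run."""
    runs: list[list[str]] = []
    current: list[str] = []
    for s in strings:
        s = s.strip()
        if IPV4_RE.match(s):
            current.append(s)
            continue
        if len(current) >= min_run:
            runs.append(current)
        current = []
    if len(current) >= min_run:
        runs.append(current)
    return runs


def suspicious_octet_ratio(run: list[str]) -> float:
    """Fraction of entries whose first octet is 0, 127 or >= 224.

    Routable address lists (allow-lists, C2 lists) almost never start there; raw machine
    code hits those byte values constantly.  The threshold is an assumption for this example.
    """
    bad = 0
    for ip in run:
        first = int(ip.split(".")[0])
        if first == 0 or first == 127 or first >= 224:
            bad += 1
    return bad / len(run)


def triage(strings: list[str], min_run: int = 4, threshold: float = 0.3) -> list[dict]:
    """Return every IP run that looks more like code than like addresses, with its decoded bytes."""
    findings = []
    for run in find_ip_runs(strings, min_run):
        ratio = suspicious_octet_ratio(run)
        if ratio >= threshold:
            findings.append({"count": len(run), "ratio": ratio, "payload": ip_array_to_bytes(run)})
    return findings


# Constructed sample: a 20-byte sequence shaped like an x64 stager prologue, embedded among
# ordinary strings as it would appear in a strings dump of the loader.
STUB = bytes.fromhex("fc4883e4f0e8c0000000415141505251564831d2")
SAMPLE_STRINGS = [
    "kernel32.dll",
    "Software\\Microsoft\\Windows",
    *bytes_to_ip_array(STUB),
    "GetProcAddress",
    "10.0.0.1",  # a lone address does not form a run
]

if __name__ == "__main__":
    for f in triage(SAMPLE_STRINGS):
        print(f"{f['count']} addresses, ratio {f['ratio']:.2f}: {f['payload'].hex()}")
```

Run against a `strings` dump of a suspect binary, the run length and octet distribution separate an embedded payload from a genuine address list; the decoded bytes can then be handed to a disassembler or a shellcode emulator for confirmation.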


New Victims:

  • Konradin Mediengruppe GmbH
    • Publishing Group based in Germany.
  • Pollmann
    • Manufacturing company based in Germany.
  • Ministry For Foreign Affairs Of The Republic Of Indonesia
    • Indonesian government ministry headquartered in Jakarta.

3) Conti Ransomware Group

Conti stands out as one of the most ruthless of the dozens of active ransomware gangs. For more than a year the group has attacked organizations where IT outages can have life-threatening consequences; Ireland's health service has yet to fully recover from an attack in mid-May 2021 that forced the shutdown of its entire IT network.

Conti News:

Even after the group's source code and internal chat logs were leaked online, Conti continues to operate, upgrade its tooling and attack organizations. A recent update introduced several new features and changes to the ransomware code:

  • New command-line arguments.
  • The ability to reboot the system into Safe Mode with networking enabled and begin file encryption from there. Doing so lets Conti maximize the number of files it can encrypt, since business applications (and many security agents) that would otherwise hold files open or interfere do not start in Safe Mode.
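The Safe Mode reboot leaves a short, distinctive trail in process-creation telemetry. The detector below is an added example (not Conti code and not CYFIRMA content). It assumes the boot entry is set with the documented `bcdedit /set {id} safeboot network|minimal` syntax, that the malicious service is allowed to start in Safe Mode through the `SafeBoot\Network` registry key, and that events arrive as constructed `ts|host|user|image|commandline` lines; the log lines are made up for the example.

```python
"""Detect the Safe Mode (with networking) reboot trick in process-creation telemetry.

Added example, not Conti code.  Log lines below are constructed, not real telemetry.
"""
import re
from datetime import datetime, timedelta

# Command-line patterns for each step of the technique (assumed syntax, see lead-in).
RULES = {
    "safeboot_set": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\s/set\b.*\bsafeboot\s+(?:network|minimal)\b", re.I),
    "safeboot_cleanup": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\s/deletevalue\b.*\bsafeboot\b", re.I),
    "safeboot_service_allow": re.compile(
        r"\breg(?:\.exe)?\s+add\s+\"?(?:HKLM|HKEY_LOCAL_MACHINE)\\SYSTEM\\CurrentControlSet"
        r"\\Control\\SafeBoot\\(?:Network|Minimal)\\", re.I),
    "forced_reboot": re.compile(
        r"\bshutdown(?:\.exe)?\b(?=.*\s/r\b)(?=.*\s/f\b)", re.I),
}


def classify(cmdline: str):
    """Return the first matching rule name, or None for benign command lines."""
    for tag, rx in RULES.items():
        if rx.search(cmdline):
            return tag
    return None


def parse_event(line: str) -> dict:
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "user": user, "image": image, "cmdline": cmdline}


def detect(lines) -> list:
    """Every event that matches one of the rules, with its tag attached."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        tag = classify(ev["cmdline"])
        if tag:
            ev["tag"] = tag
            hits.append(ev)
    return hits


def correlate(hits, window_seconds: int = 600) -> list:
    """Hosts where a safeboot entry was set and a forced reboot followed within the window.

    A lone bcdedit call can be an administrator; set-then-reboot on the same host is the
    ransomware sequence and deserves an immediate response.
    """
    flagged = []
    for a in hits:
        if a["tag"] != "safeboot_set":
            continue
        deadline = a["ts"] + timedelta(seconds=window_seconds)
        for b in hits:
            if (b["host"] == a["host"] and b["tag"] == "forced_reboot"
                    and a["ts"] <= b["ts"] <= deadline):
                if a["host"] not in flagged:
                    flagged.append(a["host"])
                break
    return flagged


# Constructed events: an attack sequence on WS01 and a benign bcdedit query on WS02.
SAMPLE_EVENTS = [
    "2022-04-01T10:02:11Z|WS01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|cmd /c whoami",
    "2022-04-01T10:02:15Z|WS01|CORP\\admin|C:\\Windows\\System32\\bcdedit.exe|"
    "bcdedit /set {default} safeboot network",
    "2022-04-01T10:02:16Z|WS01|CORP\\admin|C:\\Windows\\System32\\reg.exe|"
    "reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\updsvc /ve /t REG_SZ /d Service /f",
    "2022-04-01T10:02:18Z|WS01|CORP\\admin|C:\\Windows\\System32\\shutdown.exe|shutdown /r /t 0 /f",
    "2022-04-01T11:30:00Z|WS02|CORP\\helpdesk|C:\\Windows\\System32\\bcdedit.exe|bcdedit /enum",
    "2022-04-01T11:31:00Z|WS01|CORP\\admin|C:\\Windows\\System32\\bcdedit.exe|"
    "bcdedit /deletevalue {default} safeboot",
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['ts'].isoformat()} {h['host']} {h['tag']}: {h['cmdline']}")
    print("set-then-reboot hosts:", correlate(hits))
```

The `safeboot_cleanup` match is worth keeping as a separate signal: it fires after encryption when the ransomware restores a normal boot, so it still catches a host whose earlier events were missed.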

Avoiding Detection

  • Conti now resolves Windows API functions by hash using the Murmur3 algorithm instead of storing plaintext import names. Every hashed API name therefore gets a new value, so security tools that match on the hash constants seen in earlier Conti builds no longer recognize the imports.
  • A new set of file extensions (including .ZG7Ak, .wjzPe, .LvOYK, .C5eFx and .fgM9X) is believed to be intended to bypass endpoint security solutions that key on the previous Conti pattern of five uppercase letters.
  • Conti also updated the ransom note and the TOR hidden-service URL.

It is suspected that Conti will continue to conduct ransomware attacks against large organizations by adding new features in an attempt to stay ahead of other ransomware groups.

New Victims:

  • OCA Global
    • Private business group based in Spain.
  • Rettenmeier Holding AG
    • Woodworking Company based in Europe.
  • Scott Manufacturing, LLC
    • Equipment Manufacturer Company based in the United States.