Ransomware With an Identity Crisis Targets Small Businesses, Individuals

Published: 23/11/2024   Category: security




TZW is the latest version of Adhubllka, which has been active since 2019 but has gone largely unreported due to its lower ransom demands.



Researchers have identified a new strain of ransomware that dates back to 2019 and targets individuals and small businesses, demanding a small ransom from each victim rather than the often million-dollar sums that typical ransomware actors ask.
TZW is the latest strain of the Adhubllka ransomware family, which first drew attention in January 2020 but had already been active the year before, researchers from security and operations analytics firm Netenrich revealed in a blog post published this week.
Even more important than the discovery of the strain is the process that researchers undertook to identify it correctly. "Over the years, many of the samples of Adhubllka have been misclassified and/or mistagged into some other ransomware family," says Rakesh Krishnan, senior threat analyst at Netenrich.
"This would confuse threat hunters/security researchers while doing an incident report," he says. Indeed, researchers report that multiple engines had previously detected TZW but found traces of other malware, such as CryptoLocker, in the sample.
Further, other names had already been assigned to the same piece, including ReadMe, MMM, MME, and GlobeImposter2.0, which all actually belong to the Adhubllka ransomware family. "All this confusion required further digging into the genealogy of the ransomware strain to identify it with proper attribution," Krishnan says.
"This research also sheds light on the tracing of a family of ransomware to its origin using [threat actors'] communication channels and other means, including contact emails, ransom notes, and execution method, which all played a vital role in analysis," he adds.
Adhubllka first gained more attention in January 2020, but had been highly active the previous year, the researchers noted. Threat group TA547 used Adhubllka variants in their campaigns targeting various sectors of Australia in 2020.
A key reason it was so tricky for researchers to identify TZW as a spinoff of Adhubllka is because of the small ransom demands the group typically makes — $800 to $1,600. At that low level, victims often pay attackers and the attackers continue to fly under the radar.
"This ransomware, like others, is being delivered via phishing campaigns, but the uniqueness lies in that they only target individuals and small-sized companies, hence they won't make big news on the media channels," Krishnan says. "However, this doesn't mean [Adhubllka] won't grow bigger in coming time, as they had already made necessary updates on their infrastructure."
In fact, in the future, the researchers anticipate that this ransomware may be rebranded with other names; other groups may also use it to launch their own ransomware campaigns.
"However, as long as the threat actor does not change their mode of communication, we will be able to trace all such cases back to the Adhubllka family," Krishnan says.
Indeed, the key that researchers used to tie the latest campaign to Adhubllka was to track previously linked Tor domains used by the actor, with the team uncovering clues from within the ransom note dropped to victims to trace it back to the source.
In the note, the threat actor asks victims to communicate via a Tor-based victim portal to obtain decryption keys following ransom payment. The note indicated that the group changed its communication channel from v2 Tor Onion URLs to v3 Tor URLs, because the Tor community deprecated v2 Onion domains, according to the post.
Further, an additional sentence in the note, "the server with your decryptor is in a closed network Tor," was only seen in two new Adhubllka variants, TZW and U2K, according to the researchers, which further narrowed down attribution.
Other clues that pointed clearly to the latest variant of Adhubllka were the campaign's use of the email address [email protected], reported widely as belonging to the ransomware group, and its link to the MD5 variant sample of Adhubllka spotted in 2019.
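The attribution clues described above (onion portal addresses and their v2/v3 generation, contact e-mail, and the distinctive "closed network Tor" sentence) can be pulled out of a ransom note mechanically so that an analyst can pivot between samples. The following Python script is an added illustration, not code from the Netenrich research or the article; the two ransom notes, the onion addresses and the contact e-mail it uses are constructed placeholders, and only the "closed network Tor" sentence comes from the page.

```python
import re
from dataclasses import dataclass

# Constructed placeholders (labelled as such): not real onion addresses or contact e-mail.
V2_PLACEHOLDER = "v2placeholder" + "a" * 3        # 16 base32 chars, the deprecated v2 length
V3_PLACEHOLDER = "placeholderv3onion" + "a" * 38  # 56 base32 chars, the current v3 length
CONTACT_EMAIL = "contact@example.invalid"

# Constructed sample notes: an "older" note pointing at a v2 portal and a "newer"
# note pointing at a v3 portal, both reusing the same contact e-mail.
OLD_NOTE = f"""
Your files are encrypted.
To get the decryptor open http://{V2_PLACEHOLDER}.onion/ with Tor Browser
or write to {CONTACT_EMAIL}.
"""

NEW_NOTE = f"""
Your files are encrypted.
The server with your decryptor is in a closed
network Tor. Open http://{V3_PLACEHOLDER}.onion/portal with Tor Browser
or write to {CONTACT_EMAIL}.
"""

# Onion hostnames are base32 (a-z, 2-7): 16 chars for v2, 56 chars for v3.
ONION_RE = re.compile(r"\b([a-z2-7]{56}|[a-z2-7]{16})\.onion\b", re.IGNORECASE)
# Contact e-mail; the domain part stops before a trailing sentence period.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Sentence the article reports as seen only in the TZW and U2K variants.
CLOSED_NETWORK_PHRASE = "the server with your decryptor is in a closed network tor"


@dataclass
class NoteArtifacts:
    onion_v2: list
    onion_v3: list
    emails: list
    closed_network_phrase: bool


def normalize(text: str) -> str:
    """Lower-case and collapse whitespace so a phrase split across lines still matches."""
    return " ".join(text.lower().split())


def extract_artifacts(note: str) -> NoteArtifacts:
    """Extract the communication-channel indicators from one ransom note."""
    v2, v3 = [], []
    for match in ONION_RE.finditer(note):
        label = match.group(1).lower()
        (v3 if len(label) == 56 else v2).append(label + ".onion")
    emails = [e.lower() for e in EMAIL_RE.findall(note)]
    return NoteArtifacts(
        onion_v2=list(dict.fromkeys(v2)),
        onion_v3=list(dict.fromkeys(v3)),
        emails=list(dict.fromkeys(emails)),
        closed_network_phrase=CLOSED_NETWORK_PHRASE in normalize(note),
    )


def shared_contact_channels(a: NoteArtifacts, b: NoteArtifacts) -> list:
    """Contact artifacts present in both notes: the pivot that links a renamed variant to an earlier one."""
    return sorted(set(a.emails) & set(b.emails) | set(a.onion_v2) & set(b.onion_v2) | set(a.onion_v3) & set(b.onion_v3))


def migrated_to_v3(old: NoteArtifacts, new: NoteArtifacts) -> bool:
    """True when the older note only carried v2 portals and the newer one only v3 portals."""
    return bool(old.onion_v2) and not old.onion_v3 and bool(new.onion_v3) and not new.onion_v2


if __name__ == "__main__":
    old, new = extract_artifacts(OLD_NOTE), extract_artifacts(NEW_NOTE)
    print("older note:", old)
    print("newer note:", new)
    print("shared channels:", shared_contact_channels(old, new))
    print("v2 -> v3 migration:", migrated_to_v3(old, new))
    print("closed-network sentence in newer note:", new.closed_network_phrase)
```

Run against a directory of notes collected from incidents, the same three functions give an analyst a quick first pass: notes sharing a contact e-mail or portal are candidates for the same operator even when detection engines label the samples differently, and the onion length tells at a glance whether a note predates or postdates the v2 deprecation.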
"The research overall demonstrates how ransomware is carefully crafted to throw threat hunters off the trail of cybercriminals," reinforcing the importance of defending against attacks by setting up an endpoint security solution, Krishnan says.
"However, when a ransomware is newly formed/coded, it can only be thwarted by basic security education, like not clicking on malicious links delivered via email," he says.
Indeed, the most important protections for organizations lie in preventing ransomware from entering an environment in the first place, which means looking for behavior anomalies, privilege escalation, and the introduction of suspicious removable media into an environment, Krishnan adds.
