A newly discovered custom backdoor deployed in a number of recent ransomware attacks has been linked to at least one affiliate of the RansomHub ransomware-as-a-service (RaaS) operation.
Symantec researchers, who named this malware Betruger, describe it as a “rare example of a multi-function backdoor” that was apparently engineered for use in ransomware attacks.
The malware’s capabilities include a range of functions that overlap with features commonly found in the malicious tools dropped before ransomware payloads are deployed, including keylogging, network scanning, privilege escalation, credential dumping, screenshotting, and uploading files to a command and control (C2) server.
“The functionality of Betruger indicates that it may have been developed in order to minimize the number of new tools dropped on a targeted network while a ransomware attack is being prepared,” Symantec’s Threat Hunter Team said.
“The use of custom malware other than encrypting payloads is relatively unusual in ransomware attacks. Most attackers rely on legitimate tools, living off the land, and publicly available malware such as Mimikatz and Cobalt Strike,” Symantec’s Threat Hunter Team said.
The attackers behind the Betruger backdoor are dropping it under the ‘mailer.exe’ and ‘turbomailer.exe’ filenames to disguise it as a legitimate mailing-related application.
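A filename alone is a weak indicator, since a legitimate mail utility could carry the same name, so a hunt for these two filenames should weigh where the binary runs from and what launched it. The following is an added detection example, not code from Symantec or the article; the key=value process-creation log format, the sample events, the "expected" install directories and the suspicious-parent list are all constructed assumptions.

```python
"""Score process-creation events whose image name matches the filenames
Betruger was reported to be dropped under (added example; log format,
sample events and heuristics are constructed, not real telemetry)."""
import re
from typing import NamedTuple, Optional

# Filenames named in the report. A name match is only the starting point.
BETRUGER_IMAGE_NAMES = {"mailer.exe", "turbomailer.exe"}

# Constructed heuristic: where an installed mail client would normally live.
EXPECTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
# Constructed heuristic: parents that rarely launch a real mail client.
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "rundll32.exe"}

class Finding(NamedTuple):
    image: str
    parent: str
    score: int
    reasons: tuple

def parse_event(line: str) -> dict:
    """Parse one key="value" process-creation line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def score_event(ev: dict) -> Optional[Finding]:
    """Return a Finding for matching image names, with a higher score for
    unusual paths and parents; None when the image name does not match."""
    image = ev.get("Image", "")
    name = image.rsplit("\\", 1)[-1].lower()
    if name not in BETRUGER_IMAGE_NAMES:
        return None
    reasons, score = ["image name matches reported Betruger filename"], 1
    if not image.lower().startswith(EXPECTED_DIRS):
        reasons.append("image outside Program Files")
        score += 2
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {parent}")
        score += 2
    return Finding(image, parent, score, tuple(reasons))

def scan(lines) -> list:
    """Run every log line through score_event and keep the hits."""
    return [f for f in (score_event(parse_event(l)) for l in lines) if f]

SAMPLE_EVENTS = [  # constructed for this example
    'Image="C:\\Program Files\\Acme Mail\\mailer.exe" ParentImage="C:\\Windows\\explorer.exe"',
    'Image="C:\\Users\\Public\\turbomailer.exe" ParentImage="C:\\Windows\\System32\\cmd.exe"',
    'Image="C:\\Windows\\System32\\svchost.exe" ParentImage="C:\\Windows\\System32\\services.exe"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.score, f.image, "; ".join(f.reasons))
```

The first sample event scores 1 (name match only) and the second scores 5 (name match, public directory, launched from cmd.exe), which is the kind of separation an analyst needs before escalating a filename hit.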
Although other ransomware gangs have also developed custom malicious tools, those have primarily been designed to help exfiltrate sensitive data from victims’ compromised systems. Such tools include BlackMatter’s Exmatter stealer and BlackByte’s Exbyte data theft tool for uploading stolen files to the Mega.co.nz cloud storage service.
The RansomHub ransomware gang
The RansomHub ransomware-as-a-service (RaaS) operation (previously known as Cyclops and Knight) emerged over a year ago, in February 2024, and has been linked to data-theft-based extortion rather than encrypting files on victims’ breached systems.
Since it surfaced, the ransomware gang has claimed a number of high-profile victims, including oil services giant Halliburton, the Christie’s auction house, US telecom provider Frontier Communications, the Rite Aid drugstore chain, Kawasaki’s EU division, the Planned Parenthood sexual health nonprofit, and the Bologna Football Club.
RansomHub also leaked Change Healthcare’s stolen data after the BlackCat/ALPHV ransomware operation’s $22 million exit scam, following the most significant healthcare breach in recent years, which impacted over 190 million people.
More recently, it claimed the breach of BayMark Health Services, the largest addiction treatment provider in North America. BayMark Health Services provides medication-assisted treatment (MAT) services to over 75,000 patients daily at over 400 service sites across 35 US states and three Canadian provinces.
The FBI says RansomHub affiliates breached over 200 victims from multiple critical US infrastructure sectors, including government, critical infrastructure, and healthcare, as of August 2024.