Recent estimates suggest that North Korea has amassed approximately $3 billion through a series of ransomware attacks targeting businesses and other cyber-attacks on cryptocurrency trading platforms. These illicit gains are believed to be directed towards supporting Kim Jong Un’s nuclear ambitions.
A UN report, corroborated by Reuters News Agency, indicates that the Democratic People’s Republic of Korea has engaged in the theft of cryptocurrency and proceeds from ransom payments, channeling these funds into the development of its nuclear infrastructure.
Under mounting sanctions from nations like the UK and the USA, the North Korean regime appears to be intensifying its cyber warfare efforts. It is projected to expand its range of attack vectors in order to double its earnings over the next two years, with purported agreements in place with nations led by Putin and Xi Jinping.
In response to these revelations, the UK’s GCHQ arm, NCSC, has issued a cautionary advisory to Western nations, urging them to reinforce their critical infrastructure. Concerns have been raised regarding espionage activities, such as the planting of malware (as seen in the Volt Typhoon campaign) within critical infrastructure components supplied by certain Asian nations, notably China. This infiltration reportedly dates back to 2017, during Boris Johnson’s tenure as Prime Minister.
Additionally, the US law enforcement, under the leadership of President Joe Biden, has intensified its pursuit of the Hive Ransomware group. The State Department has recently announced a formal reward of up to $10 million for individuals providing actionable intelligence on key leaders associated with the Hive Ransomware operations.
Although the FBI had partially dismantled Hive’s computer network in July 2022, the criminal group managed to resume its activities from October 2023 onwards, targeting victims across more than 80 countries. The FBI aims to disrupt these operations and is offering substantial rewards for information leading to the apprehension of the perpetrators, ensuring anonymity and confidentiality for informants.
Is this the real life? Is this just fantasy? A company in Hong Kong suffers a sophisticated deepfake duping, be on your guard against pig butchers as Valentine's Day approaches, and spare a moment to feel sorry for poor ransomware gangs.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Lianne Potter from the "Compromising Positions" podcast.
In the year 2023 alone, hackers behind the rampant spread of ransomware amassed a staggering $1 billion in ransom payments, as disclosed by a comprehensive study conducted by blockchain research firm Chainalysis. This alarming figure, equivalent to the annual budget of several small Asian nations, marks a significant spike compared to previous years, doubling from $500 million in 2022. Experts warn that if law enforcement agencies and governments fail to implement effective measures, this amount could triple or even quadruple by 2026, as the proliferation of file-encrypting malware continues unabated with increasingly sophisticated tactics.
Chainalysis’s Crypto Crime Report 2024 highlighted a notable surge in ransomware payments following the 2023 MOVEit data breach, which saw major multinational corporations such as the BBC and British Airways fall victim to the Clop ransomware gang, believed to be backed by actors in Russia. According to insights shared by Recorded Future, a substantial portion of the payments can be attributed to the 639 officially reported ransomware victims, with half of them falling prey to cyber-attacks exploiting vulnerabilities in the MOVEit file transfer software.
The pressing question arises: Can banning crypto payments mitigate the ransomware epidemic? While imposing a ban could potentially restrict the flow of funds to criminal enterprises, the nature of cryptocurrency, being decentralized and largely untraceable, renders it difficult for governments to enforce such measures universally.
Instead, organizations are advised to prioritize robust data backup and application recovery systems to minimize downtime in the event of an attack. Furthermore, in cases of double and triple extortion ransomware tactics, prompt reporting to law enforcement becomes crucial, with hopes of apprehending the perpetrators before they can leverage their infrastructure and ensure the permanent deletion of stolen data from their servers.
It seems like every week, the cybersecurity landscape sees the emergence of yet another ransomware variant, with Black Hunt being one of the latest additions. Initially reported by cybersecurity researchers in 2022, this new threat has quickly made its presence known. In a recent incident, Black Hunt ransomware wreaked havoc by compromising around 300 companies in Paraguay.
Rapid7 Labs consistently monitors emerging threats, and this new ransomware variant caught our attention for several reasons. The behavior and potential impact of this new variant raised concerns among our team, prompting us to conduct a thorough analysis to better understand its capabilities and potential risks.
During our analysis we found notable similarities between Black Hunt ransomware and LockBit, which suggested that it uses leaked code of Lockbit. In addition, it uses some techniques similar to REvil ransomware.
Technical Analysis
In this analysis we examined the Black Hunt sample shared on X (formerly Twitter) by MalwareHunterTeam. In our investigation we found some interesting techniques and features used by this malware. The recent Black Hunt sample is a C++ executable, which widely reuses the leaked LockBit ransomware code and shares similarities with several other recently spotted ransomware families. The execution of the ransomware on an infected machine starts with a check for a file named Vaccine.txt under the C:\ProgramData directory.
Figure 1 - Check for the existence of Vaccine.txt file
If the file is found, the malware terminates its execution. This file check acts as a kill-switch flag for the ransomware. As this is not a well-known anti-sandbox/anti-VM technique, we assume that this file is used by the threat actor (TA) itself. It is either created by the victim, who is instructed to create it after the ransom is paid, or dropped by the decryptor, if one is sent to the victim to decrypt the encrypted data. Adding that check is logical if the ransomware operators consider scenarios where their persistence mechanism and the ransomware binary remain on the system even after the ransom is paid and files are decrypted. Moreover, the fact that all files dropped by the ransomware are placed in the C:\ProgramData directory further supports our assessment that this file is associated with the Black Hunt operation.
Next, the malware enables the following privileges in the process's access token by using the `AdjustTokenPrivileges` API function:
Privilege Setting | Description
SeDebugPrivilege | Monitor and manipulate other processes.
SeRestorePrivilege | Bypass file system security to restore files.
SeBackupPrivilege | Read any file, regardless of permissions.
SeTakeOwnershipPrivilege | Take control of critical system resources.
SeAuditPrivilege | Manipulate security audit logs.
SeSecurityPrivilege | Modify security settings of objects.
SeIncreaseBasePriorityPrivilege | Allows the process to increase its scheduling priority.
After modifying process privileges, the malware hides its window by invoking the `ShowWindow` function with the `nCmdShow` parameter set to 0, which corresponds to `SW_HIDE`. This action ensures that the malware's window is not visible to the user, allowing it to operate stealthily in the background without drawing attention.
Figure 3 - Malware hiding its presence from the user
The execution flow continues as the malware invokes the `GetCommandLineW` function. This function retrieves the command-line string for the current process, including the program name and any arguments passed during startup. This function is commonly used by malware and helps to gather information about command-line flags. Following this, another function call is made to `CMD_ARGS`.
Figure 4
The function processes the command-line string and checks whether any of the following arguments were passed:
Argument | Description
-local | If passed, the ransomware skips encryption of shared or network drives.
-network | If passed, the ransomware encrypts only the network drives.
(argument name not given in the source) | If passed, the ransomware only encrypts files with the .000, .cab, .zip and .rar extensions.
-noencrypt | If passed, the malware skips encryption.
-p | If passed, specifies a path to be encrypted.
-nologs | If passed, no log file is created. If the flag is not set, the ransomware creates a log file named #BlackHunt_Logs.txt under the C:\ProgramData directory.
-status | If passed, sets the ransomware console window to ‘SW_SHOW’ and displays the encryption status in it. The status information contains the System ID, running time, the number of encrypted files and the encrypted volume, as well as errors, alive workers and the code location. The ransomware updates the status window continuously for as long as it runs.
-update | If passed, the ransomware shows a fake Windows Update screen.
-kill | If passed, the ransomware terminates processes from a hardcoded process list and stops services from a hardcoded service list.
-scanner | If passed, the ransomware scans for network shares.
-cipher | If passed, once the encryption process is complete the ransomware runs the Windows tool Cipher.exe on all drives to overwrite the deleted data. The same capability was used by Vohuk ransomware.
-restart | If passed, the following command is executed at the end of encryption to restart the PC: ‘shutdown /r /t 15 /f’
The ransomware accepts additional arguments that modify its behavior, including disabling spreading capabilities, adjusting encryption speed, thread count for encryption, skipping mutex creation, and enabling debug mode to collect more information in the log file.
After verifying passed arguments and ensuring the absence of the -nomutex flag, the ransomware proceeds to create a `BLACK_HUNT_MUTEX`. Next, it elevates its process priority to `HIGH_PRIORITY_CLASS` using the `SetPriorityClass` API function.
The ransomware makes 200 attempts to load `Fake.dll`, likely as a tactic to slow down or evade execution in a sandbox. Following this, it employs the `IsDebuggerPresent` API call to detect whether it is being debugged. If a debugger is detected, the ransomware terminates.
Further analysis revealed that Black Hunt maintains a whitelist of 15 countries, as detailed in the table below.
Language Code | Language | Country
2092 | Azeri (Cyrillic) | Azerbaijan
1068 | Azeri (Latin) | Azerbaijan
1067 | Armenian | Armenia
1059 | Belarusian | Belarus
1079 | Georgian | Georgia
1071 | Macedonian | North Macedonia
1088 | Kyrgyz | Kyrgyzstan
2073 | Moldovan | Moldova (Russian language)
1064 | Tajik (Cyrillic) | Tajikistan
1090 | Turkmen | Turkmenistan
2115 | Uzbek (Cyrillic) | Uzbekistan
1091 | Uzbek (Latin) | Uzbekistan
1058 | Ukrainian | Ukraine
1065 | Persian | Iran
1055 | Turkish | Turkey
The malware uses the `GetSystemDefaultUILanguage` function to identify one of 15 hardcoded languages. If it detects any of these languages, it terminates execution.
Figure 5 - Hardcoded list of languages
Following language detection, the malware attempts to establish an internet connection by calling the `getaddrinfo` function to resolve the domain ip-api.com.
The ransomware checks if `BlackKeys` mutex exists, and if not, it creates it by using `CreateMutexA` API.
Next, the malware begins a key initialization process. First, it attempts to load a key by using `CryptImportKey` with a buffer containing the key. It looks for the key in files named C:\ProgramData\#BlackHunt_Public.key and C:\ProgramData\#BlackHunt_Private.key, and also verifies the presence of C:\ProgramData\#BlackHunt_ID.txt. If the key loading fails, the malware switches to generating a 128-bit RSA key pair.
After initializing encryption keys, the ransomware creates a HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2 registry key to define settings for files with the `.Hunt2` extension. It adds a `DefaultIcon` registry key under `.Hunt2` and assigns as its default value the dropped icon file.
Next, the ransomware creates a new {2C5F9FCC-F266-43F6-838DAE269E11} value under the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key and sets its data to C:\ProgramData\#BlackHunt_ReadMe.hta, which causes the `.hta` file to be executed on reboot. This file is the Black Hunt ransom note. Here we can notice additional proof of reuse of LockBit ransomware code by the Black Hunt operators: the value name is identical to the one LockBit 2.0 used in its attacks.
The Black Hunt ransomware makes several modifications to the Windows registry to disable security measures, alter system functionality, and potentially limit user control over the system. Below are the commands used:
Command | Effect
Run key entry (described above) | Adds an entry to the Windows startup registry key to run C:\ProgramData\#BlackHunt_ReadMe.hta
SHChangeNotify(0x8000000, 0, 0, 0); | Notifies the system of changes that might require refreshing icons or interface elements
The list of modified registries can be found in the IOC section or on the Rapid7 Labs GitHub page.
Afterward, the malware checks for various command-line arguments, and its execution flow depends on which arguments are set.
`-p` flag
If set, the malware establishes persistence by creating a scheduled task that executes it at system startup, using the command /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "%s" /F.
`-safemode` flag
If set, the malware configures the safe mode settings to ensure its execution after the system boots into safe mode, and then restarts the machine. For more information on that technique, see the Safe Mode section of this article.
If the `-safemode` flag is not set, the malware creates ransom note, primary and secondary contact emails `Teikobest@gmail.com` and `Loxoclash@gmail.com`, respectively, a placeholder ID for infected machines, and the Tor address http[:]//sdif9821kjsdvcjlksaf2kjhlksvvnktyoiasuc921f.
`-update` flag
If set, the malware drops `#BlackHunt_Update.hta` to the C:\ProgramData directory and executes it. The purpose of that flag is to create a fake Windows Update screen while encrypting the victim's data. After that, the malware empties the recycle bin by calling `SHEmptyRecycleBinW`.
`-kill` flag
If set, the malware enumerates running processes and terminates 130 predefined processes and services. The full list of processes and services can be found in the IOC section or on the Rapid7 Labs GitHub page.
After completing its service termination routine, the malware tries to access the registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, known for storing system policies such as User Account Control (UAC) settings. If successful, it modifies two registry values: `EnableLUA` and `EnableLinkedConnections`.
Figure 6-UAC settings modification
By setting `EnableLUA` to 0, the malware effectively disables this security feature, granting itself elevated privileges without user intervention. Additionally, the malware sets the `EnableLinkedConnections` registry key, allowing any user to see network drives that were mapped for other users. This gives the ransomware the ability to gain access to sensitive network resources. The malware invokes the `RefreshPolicyEx` API function to enforce the modifications made.
Next, the malware manipulates shadow storage. For conventional disk types, such as DRIVE_FIXED, it executes commands like /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB. For disk types not explicitly specified, such as DRIVE_RAMDISK, it uses /c vssadmin resize shadowstorage /for=C:\ /on=C:\.
Afterwards, the malware removes the shadow copies using vssadmin.exe Delete Shadows /all /quiet and disables automatic repair by executing bcdedit /set {default} recoveryenabled No.
Figure 7- Shadow storage manipulation
Next, the attackers execute a sequence of commands to clean up the system and implement critical modifications:
Command | Effect
Boot status policy adjustment | Adjusts the boot status policy so the system boots normally despite failures, blocking access to System Image Recovery
fsutil.exe usn deletejournal /disks (D and C) | Deletes the Volume USN Journal on disks D and C, disrupting file system change tracking
wbadmin.exe delete catalog -quiet | Silently removes backup catalogs, erasing backup data
sc (disables System Restore tasks) | Halts System Restore functionality, limiting recovery options
If the `-scanner` flag is set the ransomware will attempt to retrieve the ARP cache table and scan the addresses using the servername as a parameter. This function utilizes `NetShareEnum` to gather information about network shares on a given server.
Finally, the encryption routine starts. Encrypted files are renamed with the `.Hunt2` extension. After the encryption, the ransomware deletes itself, and the ransom note is displayed to the user.
Figure 8 - Black Hunt ransomware note
Additional functionality
Spreading mechanism
The ransomware tries to enumerate shares on the localhost (127.0.0.1) using `NetShareEnum`. If shares are found and no error occurs, the malware processes the drive paths. For each path it checks that specific conditions are met and that the path is not a remote path. If these conditions are met, it processes the argument as a local drive path by extracting the drive letter and formatting it as \\127.0.0.1\{drive_letter}.
The malware attempts to locate a NAS server and paths to files on removable drives. Additionally, it searches for shared folders and attempts to spread by enumerating local shared folders using `NetShareEnum`. If a network share is found, it copies itself to the share using `CopyFileW`. After spreading, it clears setup event logs by executing cmd /c wevtutil.exe.
Safe mode
If the `-safemode` argument is set, the malware executes the encryption process in Safe Mode. To ensure execution after rebooting in Safe Mode, the malware sets up the system as follows:
1) Obtains a user environment variable.
2) Executes the command net user <username> Black_Hunt_2.0 to set a new password for that user.
3) Adds a new `AutoAdminLog` value under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and sets it to 1, enabling auto login in Windows.
4) Creates a `DefaultUserName` value under the same registry key and sets it.
5) Creates a `DefaultPassword` registry value and sets it to the changed password.
6) Executes the /c bootcfg /raw /a /safeboot:network /id 1 and /c bcdedit /set {current} safeboot network commands to force the computer to boot into Safe Mode with Networking.
7) Creates a new `BackToNormal` value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce and sets it to bcdedit /deletevalue {current} safeboot /f.
8) Sets an additional value under the `RunOnce` key named `BlackHunt` and sets it to the current malware running path.
9) Finally, restarts the system by executing shutdown /r /t 7 /f
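As an added example (not Rapid7's code and not part of the original analysis), the following Python script correlates the host activity described in the sections above: the shadow-copy and boot-configuration commands, the Run/RunOnce and Winlogon values, and the UAC policy change. It reads a simplified key=value telemetry format that is constructed here for the example (adapt the two regexes to your own source, such as Sysmon process-create and registry-set events); host names and timestamps are constructed. The Winlogon check accepts the value name as written above (`AutoAdminLog`) as well as the standard `AutoAdminLogon`. A single indicator is deliberately not enough for an alert, since an administrator resizing shadow storage or a kiosk with auto-logon enabled would otherwise trip it; the ransomware chain produces several indicators within seconds.

```python
import re
from datetime import datetime, timedelta

# Constructed telemetry format: "<ts> host=<name> event=ProcCreate cmd=..." or
# "<ts> host=<name> event=RegSet key=<path> data=<value>".
EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+event=(?P<event>\S+)\s+(?P<rest>.*)$")
REG_RE = re.compile(r"^key=(?P<key>.+?)\s+data=(?P<data>.*)$")

# Process command-line indicators: recovery inhibition, safe-mode boot configuration and
# the scheduled-task persistence described in the analysis.
PROC_INDICATORS = {
    "vssadmin_resize_shadowstorage": r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b",
    "vssadmin_delete_shadows": r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b.*/all",
    "bcdedit_recovery_disabled": r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b",
    "fsutil_usn_deletejournal": r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b",
    "wbadmin_delete_catalog": r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b",
    "bcdedit_safeboot_network": r"\bbcdedit(?:\.exe)?\s+/set\s+\{current\}\s+safeboot\s+network\b",
    "bootcfg_safeboot_network": r"\bbootcfg(?:\.exe)?\b.*/safeboot:network\b",
    "schtasks_windows_critical_update": r"\bschtasks(?:\.exe)?\s+/create\b.*windows critical update",
}
PROC_INDICATORS = {n: re.compile(p, re.I) for n, p in PROC_INDICATORS.items()}


def registry_indicators(key, data):
    """Registry value writes matching the persistence and UAC changes in the analysis."""
    k, d = key.lower(), data.strip().lower()
    hits = []
    # Accepts AutoAdminLog (as written in the article) and the standard AutoAdminLogon.
    if re.search(r"\\winlogon\\autoadminlog(?:on)?$", k) and d == "1":
        hits.append("winlogon_autoadminlogon")
    if k.endswith("\\winlogon\\defaultpassword"):
        hits.append("winlogon_defaultpassword")
    if "\\currentversion\\runonce\\" in k and "bcdedit" in d and "safeboot" in d:
        hits.append("runonce_safeboot_cleanup")
    if re.search(r"\\currentversion\\run(?:once)?\\", k) and "\\programdata\\" in d:
        hits.append("run_key_programdata_payload")
    if k.endswith("\\policies\\system\\enablelua") and d == "0":
        hits.append("uac_enablelua_disabled")
    return hits


def process_indicators(cmd):
    return [n for n, rx in PROC_INDICATORS.items() if rx.search(cmd)]


def parse_event(line):
    """Return (timestamp, host, [indicator names]) or None for lines we do not understand."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    host, kind, rest = m.group("host"), m.group("event"), m.group("rest")
    if kind == "RegSet":
        r = REG_RE.match(rest)
        return (ts, host, registry_indicators(r.group("key"), r.group("data"))) if r else None
    if kind == "ProcCreate" and rest.startswith("cmd="):
        return (ts, host, process_indicators(rest[4:]))
    return None


def correlate(lines, window=timedelta(minutes=10), min_distinct=3):
    """One alert per host whose distinct indicators within `window` reach min_distinct."""
    per_host = {}
    for line in lines:
        ev = parse_event(line)
        if ev:
            for name in ev[2]:
                per_host.setdefault(ev[1], []).append((ev[0], name))
    alerts = []
    for host, hits in per_host.items():
        hits.sort()
        best, start = None, 0
        for end in range(len(hits)):  # sliding window over time-ordered hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            names = {n for _, n in hits[start:end + 1]}
            if len(names) >= min_distinct and (best is None or len(names) > len(best["indicators"])):
                best = {"host": host, "indicators": sorted(names), "first": hits[start][0], "last": hits[end][0]}
        if best:
            alerts.append(best)
    return sorted(alerts, key=lambda a: a["host"])


# Constructed sample telemetry: WS01 shows the chain, WS02 only a kiosk-style auto-logon.
SAMPLE_LOG = """\
2024-02-05T10:00:01Z host=WS01 event=ProcCreate cmd=cmd.exe /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
2024-02-05T10:00:02Z host=WS01 event=ProcCreate cmd=vssadmin.exe Delete Shadows /all /quiet
2024-02-05T10:00:03Z host=WS01 event=ProcCreate cmd=bcdedit /set {default} recoveryenabled No
2024-02-05T10:00:04Z host=WS01 event=ProcCreate cmd=wbadmin.exe delete catalog -quiet
2024-02-05T10:00:10Z host=WS01 event=RegSet key=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AutoAdminLogon data=1
2024-02-05T10:00:11Z host=WS01 event=RegSet key=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\DefaultPassword data=Black_Hunt_2.0
2024-02-05T10:00:12Z host=WS01 event=ProcCreate cmd=cmd.exe /c bcdedit /set {current} safeboot network
2024-02-05T10:00:13Z host=WS01 event=RegSet key=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\BackToNormal data=bcdedit /deletevalue {current} safeboot /f
2024-02-05T12:00:00Z host=WS02 event=RegSet key=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AutoAdminLogon data=1
"""

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG.splitlines()):
        print(a["host"], a["first"].time(), "->", a["last"].time(), ", ".join(a["indicators"]))
```

Run as-is it reports one alert for WS01 with eight distinct indicators and nothing for WS02. The `min_distinct` and `window` parameters are the tuning knobs: lowering `min_distinct` to 1 turns the script into a plain indicator match that will also surface the lone WS02 auto-logon change for triage.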
Rapid7 Customers
For Rapid7 MDR and InsightIDR customers, the following Attacker Behavior Analytics (ABA) rules are currently deployed and alerting on the activity described in this blog:
Suspicious Process - Delete File Shadow Copies With PowerShell
Attacker Technique - Rundll32 Running DLL in Root of ProgramData
Suspicious Process - Regsvr32.exe Registering DLL in ProgramData
Persistence - Run Key Added by Reg.exe
Suspicious Registry Event - Unusual Registry Run Keys
AnyDesk, a widely-used platform for remote access software, fell victim to a ransomware attack, exposing its source code and private code-signing keys to hackers. The enterprise software company detected malicious activity within its computer networks on a Friday afternoon and promptly initiated remediation efforts.
Although the identity of the threat actor remains officially undisclosed, AnyDesk staff confirmed the incident as a ransomware attack and pledged to share more details as the investigation unfolds. Reports suggest that the infiltration may have occurred on January 29th of the current year, with identification taking place on February 2nd. In response, the company promptly disabled user login access.
There are suspicions that a state-funded actor, Midnight Blizzard, may be behind the incident, potentially linked to Russian Intelligence.
Meanwhile, content delivery services provider Cloudflare revealed that its corporate computer network had been targeted by cybercriminals around Thanksgiving the previous year. The company disclosed that the attack leveraged stolen passwords obtained during the Okta data breach in October 2023.
Preliminary investigations by security experts from CrowdStrike indicated successful access to the company’s AWS environment and Atlassian Jira and Confluence modules. However, they were unable to breach the Cloudflare dashboard and other instances of Okta’s software.
As a precautionary measure, Cloudflare tested over 5000 systems and replaced 15 in its Sao Paulo Data Center, although experts have not confirmed whether these systems were compromised in the incident.
The primary objective of the cyber attack appears to be straightforward—gather intelligence and share it with interested parties, including state-funded actors and competitors.
Data and software services firm Blackbaud's cybersecurity was criticised as "lax" and "shoddy" by the United States Federal Trade Commission (FTC) in a damning post-mortem of the business’s February 2020 data breach.
Read more in my article on the Hot for Security blog.
Orange España, the second-largest mobile operator in Spain, fell victim to a cyber-attack earlier this month, resulting in a disruption of mobile services lasting over three hours. Subsequent investigations by a group of security researchers unveiled that the assailants, identified as the hacking group “Snow,” successfully breached Orange España’s RIPE Network Coordination Centre. This intrusion led to configuration errors in the public key infrastructure and border gateway protocol.
In the aftermath, a study conducted by Resecurity uncovered that the cyber-attack also resulted in the compromise of credentials for more than 1572 computer networks. Among the affected entities were a Kenya-based IT firm, a sizable IT firm in Azerbaijan, and a multinational data center in Africa.
The attackers executed a password theft campaign by deploying data-stealing malware such as Lumma, Azorult, Vidar, Redline, and Taurus within the organizational networks. These malicious programs targeted credentials used by data center administrators, ISP engineers, telecom administrators, network engineers, IT managers, and technology outsourcing companies.
Such network compromises often pave the way for ransomware attacks and the unauthorized extraction of intellectual property.
Typically, threat actors either sell the pilfered data for $10 each or collaborate with other cybercriminals to profit from activities like phishing attacks. Notably, Orange España had previously disclosed details of the Aadhaar data breach affecting over 850 million Indian citizens in October 2023.
In response to these escalating cybersecurity challenges, Resecurity has initiated a partnership with Cybercrime Atlas to combat global cybercrime networks. This collaboration, announced at the World Economic Forum’s Center, involves expertise from more than 40 public and private entities working together to provide technical support for this groundbreaking project.
A 33-year-old man has been sentenced to two years in prison after admitting his part in a series of ransomware and malware attacks that hit more than one thousand individuals, businesses, and organisations — including three police departments.
Read more in my article on the Hot for Security blog.
In response to the surge in ransomware attacks over the last couple of years, the Australian government introduced legislation in 2022 prohibiting companies from making ransom payments.
Despite this prohibition, a recent survey conducted by Cohesity, a firm specializing in AI-backed data security and management services, revealed that almost 60% of respondents acknowledged opting to pay hackers’ ransom demands. Their rationale centered on the ease of data recovery and the substantial reduction in recovery time and downtime, reaching nearly 95%.
Surprisingly, the study found that 77% of the 300 participants admitted their organizations had fallen victim to file-encrypting malware, and the situation is anticipated to worsen in 2024.
Cybercriminals demonstrate no preference for the size or scope of targeted companies, as they target both large and small enterprises with the primary goal of maximizing financial gains.
Remarkably, only 4% of respondents stated that their organizations were incapable of recovering from a cyber incident within a three-day timeframe. The majority, however, conceded that their assets remained unrecoverable unless a ransom was paid to the perpetrators of the malware.
The implications of the study underscore the imperative for Chief Information Officers (CIOs) and Chief Technology Officers (CTOs) to be well-versed in the dos and don’ts during and after a cyber attack. Failure to comply with government-mandated rules may result in legal consequences.
While some security experts argue that paying a ransom is financially justifiable when considering recovery and downtime costs during a cyber incident, there remains a crucial caveat. The scenario arises when hackers, after receiving payment, claim to have deleted stolen data only to later threaten victims with a potential data spill in the future. This raises questions about the efficacy and reliability of ransom payments as a guaranteed solution.
Schneider Electric, a French-based company specializing in automation and energy management, recently fell victim to a Cactus Ransomware attack, resulting in the unauthorized access and theft of corporate data. The breach targeted Schneider Electric’s Electric Resource Advisor Cloud Platform, leading to the compromise of terabytes of sensitive information. This particular strain of ransomware, known as Cactus, has been operational since March 2023 and has gained notoriety for infiltrating various corporate networks through the illicit purchase of credentials on the dark market, phishing attacks, and exploitation of software vulnerabilities.
In a related incident, the Freehold Township schools had to be closed on Monday due to disruptions in their IT infrastructure, suspected to be caused by a ransomware attack. The Assistant Superintendent, Dianne Martello, revealed on Sunday that the closure was prompted by technical difficulties arising in the early hours of Sunday. The exact nature of the cyber attack is yet to be officially confirmed.
Meanwhile, Fulton County in Georgia also experienced a debilitating attack from file-encrypting malware over the past weekend. The digital services, including court filings, tax payments and processing, websites, and communication systems, were all targeted by hackers. Interestingly, this incident occurred concurrently with the legal prosecution of Donald Trump by District Attorney Fani Willis. However, evidence linking the attack to the 2020 election subversion case is yet to be established.
Furthermore, Huber Heights, which faced a ransomware attack in November of the previous year, has conducted an investigation into the breach. The findings suggest that information belonging to over 6,000 individuals may have been accessed and stolen by the hackers. Notably, the IT staff has invested nearly $350,000 in recovery efforts, and it remains unclear whether they acceded to the ransomware hackers’ demands. The insurance firm involved asserts that additional financial assistance is required within a three-month time-frame to rebuild the compromised cyber network.