Executive Summary

GhostLocker - A “Work In Progress” RaaS

In recent years, there has been a noticeable uptick in threat actors venturing into the realm of Ransom-as-a-Service (RaaS). Some have emerged as significant threats, while others have faded into obscurity. What makes the current landscape unusual is the entry of hacktivist groups into this domain. One such group, GhostSec, has introduced a novel Ransom-as-a-Service encryptor known as GhostLocker. GhostSec's focus has predominantly been on well-established telecommunications companies, surveillance systems, and Internet of Things (IoT) devices.

GhostLocker is being marketed as a groundbreaking, enterprise-grade locking software that prioritizes safety and effectiveness above all else. Initially priced at $999 for the first 15 affiliates, GhostSec anticipates raising this fee to $4,999 in the future. This executive summary provides a snapshot of our investigation and key findings pertaining to this emerging ransomware variant.

GhostLocker - A “Work In Progress” RaaS
Figure 1 - GhostLocker announcement

GhostLocker RaaS was announced on October 8th, 2023 and since then several updates were made to the encryptor. Rapid7 researchers obtained several new GhostLocker samples and took a quick look at them. This blog — based on one of the first publicly available samples — and the analysis led us to the conclusion that the encryptor is still under development and lacks the basic capability to encrypt files.

GhostLocker - A “Work In Progress” RaaS
Figure 2 - GhostLocker update timeline

Technical Analysis

Announced by GhostSec, the new GhostLocker encryptor’s major features include:

  1. Military-grade encryption on runtime
  2. Undetectability by using a polymorphic stub, and guaranteeing zero detections out of all major antivirus (AV) solutions
  3. Protection against reverse engineering
  4. Self-delete
  5. Killing services
  6. Automatic privilege escalation
  7. Persistence mechanism
  8. Watchdog process
  9. Delayed encryption

GhostSec is also offering their affiliates a fully functional statistics and negotiation platform.


GhostSec used Python to create their encryptor. The first sample spotted by Rapid7 was a PyInstaller executable. PyInstaller is used to package Python code into standalone executable applications for various operating systems. It takes a Python script and generates a single executable file that contains all the necessary dependencies and can be run on computers that do not have Python installed. This allows for easy distribution and deployment of Python applications, as the user does not need to have Python and any required modules installed on their system in order to run the application. We extracted the python scripts from the installer. Most of the extracted files were legitimate public python libraries and the only one that caught our attention is the main.py script.

GhostLocker - A “Work In Progress” RaaS
Figure 3 - Main function of main.py

Main.py script seems to contain a hard-coded affiliate panel IP address and the fully implemented function that sends the infected machine name to the panel. The IP address is of a hosting company from which we have observed ransomware activity this year.

GhostLocker - A “Work In Progress” RaaS
Figure 4 - Hard-coded URL and the victim’s data sending function

By checking the main function we can follow the exact attack flow of the GhostLocker encryptor. First, the encryption key will be created by using a Fernet encryption module which uses the Advanced Encryption Standard (AES) to encrypt data. The generate_key() method from the Fernet library is used to create a 32-byte URL-safe base64-encoded key, which is later used in the AES encryption procedure.

GhostLocker - A “Work In Progress” RaaS
Figure 5 - Fernet key generation

Next, it will generate the victim ID and retrieve the victim's username by using getpass Python library. The function getpass.getuser() is used to return the "login name" of the user. After all key generation is done, GhostLocker will send a json data containing the victim’s ID, encryption key, and the victim’s PC name to the attacker’s panel. And here is the first hint of ‘work in progress’ encryptor: the ‘pcname’ passed is hard-coded ‘hi’:

GhostLocker - A “Work In Progress” RaaS
Figure 6 - Hard-coded ‘hi’ pcname

The victim's information and encryption key are sent in clear text via HTTP protocol, as shown in the image below:

GhostLocker - A “Work In Progress” RaaS
Figure 7 - From GhostLocker pcap

After sending the victim info to the attacker's panel, the GhostLocker is supposed to start the encryption process; however, in the sample we analyzed, the encryption function was not implemented:

GhostLocker - A “Work In Progress” RaaS
Figure 8 - File encryption function

After the supposed encryption is done, GhostLocker will drop a ransom note to the Document folder:

GhostLocker - A “Work In Progress” RaaS
Figure 9 - Ransom note content in the main.py file

The ransom note html file name is Imao which is an acronym to ‘Laughing My Ass Off’, although there is nothing funny for the victim in that note. It is either the attacker is meant to be laughing at the victim or that name is used just for the developer’s checks and will be changed in the future. The ransom note is pretty straightforward; it explains to the victim what happened to their files and how to contact the attacker. Weirdly, it dropped only to the `Documents` folder which makes it difficult to notice. It was observed that the attackers employed an end-to-end encrypted messaging platform, Session, as a source of communication between victims and the ransomware developers. The link to this messenger is embedded into the body of the ransom note, providing victims with a direct path to download the application.

GhostLocker - A “Work In Progress” RaaS
Figure 10 - Imao.html ransom note

After a closer look at the ransom note written in HTML format, it became evident that the ransom note was handcrafted rather than generated, as it contained syntax errors. A clear example of such an error can be seen in the word "paty" instead of "party," showing that most likely a human wrote it: “DO NOT try to decrypt your data using third paty software, it may cause permanent data loss.”

Additionally, the main.py contains the sendWebhook(msg) function. That function is designed to send a message or data to a Discord Webhook. The webhook URL is hardcoded in the code; however, we did not see the function being called and what kind of message is being sent to the attacker's discord channel. Though being fully implemented, this function was never called.

GhostLocker - A “Work In Progress” RaaS
Figure 11 - Unused sendWebhook function

When executed for the first time, several embedded files are dropped into a new folder created in the user's temp directory. One of the files is a second stage executable that is executed as a child process of the installer. The installer waits until the child process exits by using WaitForSingleObject API call. When the child process exits, the installer implements the self delete feature and deletes all the dropped files.

The newer versions of GhostLocker are compiled with Nuitka. Nuitka compiles a Python program to a C binary — not by packaging the CPython runtime with the program bytecode, but by translating Python instructions into C. Compiling the malware with Nuitka makes it harder to investigate.

Rapid7 Customers

For Rapid7 MDR and InsightIDR customers, all executed binaries will undergo comprehensive analysis against the hash reputation service to determine if it is a known malicious file and will alert on malicious hashes. Additionally, through our behavior-based detection rules we will be able to recognize patterns of activity associated with these threat actors in order to provide customers coverage and alerts to safeguard their systems before ransomware gets deployed.

MITRE ATT&CK Techniques

GhostLocker - A “Work In Progress” RaaS
Table 1. File Characteristics Table

GhostLocker - A “Work In Progress” RaaS
GhostLocker - A “Work In Progress” RaaS

IOCs

GhostLocker - A “Work In Progress” RaaS

References

https://docs.aspose.com/cells/python-java/pyinstaller-python/

https://github.com/pyca/cryptography/blob/main/src/cryptography/fernet.py#L66

https://getsession.org/download

https://nuitka.net/doc/user-manual.html

A recent study conducted by the cybersecurity firm Rapid7 has revealed that multiple ransomware groups are actively targeting vulnerabilities in Atlassian Confluence Servers. One such criminal group, responsible for the distribution of Cerber Ransomware, is exploiting these vulnerabilities in Confluence and Apache ActiveMQ servers.

In response to this emerging threat, Atlassian swiftly issued a statement confirming the release of a fix for the CVE-2023-22518 vulnerability one week ago. The company has urged its customers to apply the patch as soon as possible due to the increased risk of data loss resulting from the actions of threat actors.

As of now, there have been no reported instances of these vulnerabilities being exploited in the wild. However, cybersecurity experts warn that cyber threat actors may have already launched attacks on unpatched servers, with the consequences potentially surfacing shortly or early next year. Notably, GreyNoise’s data indicates that attacks are originating from three distinct IP addresses situated in France, Hong Kong, and Russia, leading researchers to suspect that the hackers may be concealing their true identities.

The criminal groups associated with Cerber Ransomware are notorious for engaging in double extortion attacks. In a notable incident that occurred in July this year, a victim’s servers were entirely wiped clean as they refused to comply with the hackers’ demands.

On a different note, Atlassian Corporation has received recognition in the latest Forrester Wave report for Q4 2023 as a leader in providing Enterprise Service Management. This acknowledgment is largely attributed to Atlassian’s commitment to delivering top-tier Jira Service Management to approximately 50,000 companies worldwide. Jira Service Management continues to evolve with regular updates, introducing innovative features that aim to provide a swift return on investment and empower IT teams to proactively manage and mitigate a wide range of risks.

The post Cerber Ransomware hackers target Atlassian Confleunce servers appeared first on Cybersecurity Insiders.

1.) A recent cyber attack targeted Infosys subsidiary, Infosys McCamish Systems, which was initially detected last week but only officially acknowledged this Tuesday. According to sources within our Cybersecurity Insiders, this incident appears to involve a ransomware variant, with further details to be disclosed following a comprehensive investigation.

Infosys McCamish Systems, an advocate for robust data protection and security, is actively implementing measures to mitigate the risks stemming from this incident. Speculation has arisen on platforms like Reddit, with some tech enthusiasts humorously suggesting that the attack may be in response to a statement by Infosys CEO Narayana Murthy, who advocated that India’s younger generation, particularly those in the IT and software sector, should work 70 hours a week to demonstrate their dedication and competitiveness.

2.) Second is the news related to Ace hardware that supplies computing goods to over 5700 retailers across United States, China, Panama and UAE. Currently, the business is experiencing disruption for key operations such as ACENET-Warehouse inventory management systems, Retailer Mobile Assistant, Hot sheets, invoices, Ace Rewards and to Phone lines. The timeline for recovery of the 196 affected servers within the company remains uncertain. Nevertheless, the IT team is working diligently to maintain business continuity and has enlisted the support of security experts to navigate this challenging situation.

The incident is suspected to be orchestrated by the Russia-based Evil Corp group, and investigators are in the process of collecting evidence to substantiate these ongoing suspicions.

3.) In a separate incident, the healthcare company Henry Schein fell victim to the BlackCat ransomware, also known as ALPHV, on October 15th. This attack resulted in the theft of a substantial amount of data, including employee payroll information and shareholder details. The threat actors behind the attack are now employing double extortion tactics to pressurize the company.

Henry Schein has responded by isolating the compromised systems and engaging forensic experts to minimize losses resulting from the data breach. A company insider revealed that they successfully recovered 35 terabytes of stolen data from their backup database and are planning to involve law enforcement authorities in addressing the data security threat.

The post Ransomware hits Infosys, Ace Hardware and Henry Schein appeared first on Cybersecurity Insiders.

Another example of a large and influential state doing things the federal government won’t:

Boards of directors, or other senior committees, are charged with overseeing cybersecurity risk management, and must retain an appropriate level of expertise to understand cyber issues, the rules say. Directors must sign off on cybersecurity programs, and ensure that any security program has “sufficient resources” to function.

In a new addition, companies now face significant requirements related to ransom payments. Regulated firms must now report any payment made to hackers within 24 hours of that payment.

Boeing, the American multinational corporation most known for the manufacturing of aircrafts, rockets, satellites, and missiles, has confirmed a cyber breach on their systems. Last week, the infamous and prolific ransomware gang, LockBit, announced that “a tremendous amount of sensitive data was exfiltrated” from Boeing’s systems and was ready to be published if the company did not make contact within the deadline. 

The announcement has since been removed from LockBit’s website, but a screenshot shared by Dominic Alvieri on X shows that LockBit demanded a response from Boeing before November 2nd.  

On October 28th, the malware research group VX-Underground claimed to have spoken with a LockBit representative about the then alleged breach. According to this statement, LockBit claimed to have gained access to Boeing systems through a Zero-Day Vulnerability exploit.  

At this point Boeing had yet to confirm or deny any claims.  

However, on November the 2nd, Boeing confirmed with various publications that their systems had been compromised in a cyber incident. 

Boeing spokesperson Jim Proulx told TechCrunch that while elements of parts and safety business were targeted in this incident, flight safety was not affected. Additionally, he said, “We are actively investigating the incident and coordinating with law enforcement and regulatory authorities. We are notifying customers and suppliers.” 

While Boeing has yet to confirm whether the LockBit group was truthfully behind the incident, the fact that the listing was removed from the website before the deadline suggests that it is the case.  

At this time, the Boeing Services website is down for technical issues.  

According to Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, “Boeing’s acknowledgement of the cyber incident and its cooperation with law enforcement are commendable steps in addressing the breach. The aerospace and defence sector, similar to various other industries, heavily depends on an extensive network of suppliers and partners. It’s a common occurrence for threat actors to target vulnerabilities within these expansive ecosystems.” 

Erich Kron, Security Awareness Advocate at KnowBe4, added, “Ransomware can be a significant issue for organizations such as Boeing who need to provide parts quickly and often in a just-in-time manner. In the event their systems are down due to the ransomware encryption, significant delays could occur that may stop commercial aircraft from flying. In addition, organizations such as this have a tremendous amount of intellectual property that spans both commercial and military industries, and the theft of that information and threat to leak it publicly could be a significant issue for the company and any impacted military services. These cyber criminals know this and use it to their advantage to request what is often a huge ransom from the victims.”  

According to Shadabi, the data at risk is the real concern in a scenario like this. He commented, “One key takeaway from this incident is the importance of a proactive approach to cybersecurity that revolves around the safeguarding of data itself. Traditional cybersecurity measures often focus on perimeter defence and incident response. However, the concept of data-centric security, particularly tokenization, offers an additional layer of protection. Tokenization involves replacing sensitive data with non-sensitive placeholders, or tokens, rendering the stolen data useless to malicious actors. By utilizing tokenization, organizations can minimize the impact of data breaches, safeguard their intellectual property, and protect customer information. This proactive approach reduces the incentive for cybercriminals to target an organization and demand ransoms, as they are less likely to obtain valuable information. Cyberthreats are evolving and as we move forward in the digital age, organizations of all types must invest in comprehensive cybersecurity strategies that safeguard their most valuable asset – data.” 

 Indeed, Kron also raised some caution. He explained that, “Generally speaking, the attackers will guarantee that the information is deleted if the ransom is paid, however, that simply means we have to trust the very criminals that broke into our systems, stole the data, and oftentimes disrupted critical business, to do as they promise. When it comes to extremely valuable information, such as potentially sensitive information about military equipment, the odds are pretty good that other nation states will be willing to pay a significant amount for this information and the victim would never know it has been sold.” 

While there has been some discussion that LockBit gained access to Boeing systems by exploiting a Zero-Day Vulnerability, Kron warned that it could have just as easily been a result of a social engineering attack. He said, “Since most ransomware starts with a social engineering attack that targets humans, organisations that deal in information such as this or have critical manufacturing or logistical time frames should ensure that their employees are educated on how to spot and report phishing attacks to their security team. In addition, strong Data Loss Prevention (DLP) controls should be in place to limit the possibility of data being exfiltrated by bad actors.” 

The post Aerospace Giant Boeing Confirms Cyber Compromise, LockBit Claims Responsibility first appeared on IT Security Guru.

The post Aerospace Giant Boeing Confirms Cyber Compromise, LockBit Claims Responsibility appeared first on IT Security Guru.

Apple dismisses political controversy over its security alert

Apple Inc has released a statement acknowledging attempts by state-sponsored actors to breach the devices of its users in various countries, including India. However, the company distanced itself from the ongoing espionage controversy within Indian politics, where the Opposition Congress has alleged that the ruling BJP government was conducting surveillance on its MPs and MLAs for several months. Apple has vehemently denied sending any official alerts related to this espionage to users connected with Indian politics, including prominent figures such as Mallikarjun Kharge, Shashi Tharoor, Rajiv Chandrashekar, Sitaram Yechury, Akhilesh Yadav, and Rahul Gandhi. Screenshots of these alerts sent by Apple Inc have been circulating on the internet.

Cyber Attack on British Library

In a recent development, the British Library experienced a significant IT disruption for the past two days. They confirmed that this disruption was the result of a cyberattack that occurred on October 29, 2023, the day before Halloween. Consequently, the British Library’s website is currently offline, with only its Yorkshire and London facilities open for studying. According to a Reuters report posted on X-Twitter, the incident appears to be linked to a ransomware attack in which hackers exploited a vulnerability in VMware ESXi servers to introduce malware into the library’s network.

Ransomware attack on Toronto public library

Toronto public library of Canada has also fallen victim to a ransomware attack this week, although officials have not yet confirmed the incident. Sources from the cybersecurity insiders suggest that publicly available computers and printing services at several branches were of Toronto Public Library affected, while services like Kanopy, offering online movies and digital archives, remained operational. Additionally, other reading materials were available for rent.

Ransomware payment stoppage initiative

In a global effort to combat ransomware attacks, the United States government, in collaboration with 48 other countries, has pledged not to pay ransoms when their digital assets are targeted by malware. The International Counter Ransomware Initiative, initially drafted in 2021, has received approval under the leadership of President Joe Biden, with the majority of the 48 nations agreeing to refrain from making cryptocurrency payments for ransoms. Notably, there is no plan to impose bans on transactions involving Monero and Bitcoins, as these cryptocurrencies do not effectively prevent the spread of file-encrypting malware. Anne Neuberger, the Deputy National Security Advisor in the Biden Administration, confirmed this development.

The post Trending Cybersecurity News headlines on Google appeared first on Cybersecurity Insiders.

1.) A ransomware group known as “Play” has recently issued a concerning statement. They have threatened to release the personal details of more than 8,600 Dallas County employees on the dark web unless their ransom demands are met. To add weight to their threat, the hackers have shared several screenshots that display personal information belonging to employees from various county departments.

The Play ransomware group is not new to the world of cybercrime and has a history of targeting corporate entities, often demanding large sums of money. In this latest incident, they have successfully infiltrated a government department in the early weeks of October and extracted sensitive employee data.

Dallas County’s IT department chose not to comply with the ransom demands, prompting the Play Ransomware Gang to issue a warning via Telegram. They have threatened to publicly auction the stolen data, leaving the personal information of over 8,000 employees vulnerable to social engineering attacks, such as phishing.

The exact method by which the “Play” group gained access to the network remains uncertain. However, some reports suggest that the breach occurred when the criminals obtained a staff member’s credentials through a brute force attack.

Dallas County officials have committed to taking all necessary steps to prevent such cyber incidents from recurring. They are closely monitoring the situation with the assistance of forensic experts and have implemented measures to mitigate the risks associated with the attack.

It is important to note that the “Play” group is known for disabling anti-malware solutions on target networks, stealing information, and encrypting files. Their modus operandi involves double extortion, where they demand payment from victims under the threat of publishing stolen data. They have a history of exploiting vulnerabilities in ProxyNotShell, OWASSRF, and Microsoft Exchange Servers to install malware. This group is not just an information thief; it can also function as a data wiper with a simple command from the hacker. There are also links between “Play” and now-defunct criminal groups such as Conti and Hive Ransomware, with their encryption code matching that of the Quantum Ransomware group.

2.) In another cyber incident, Stanford University is currently investigating a claim made by the Akira Ransomware group on October 27, 2023. The group stole approximately 430GB of sensitive data, marking another instance of a cyberattack on the university. Earlier in the year, the Clop Ransomware group exposed their theft of information from Stanford through a server compromise. In 2021, the university fell victim to a digital infiltration when hackers exploited a vulnerability in Accelion FTA to gain access to its servers.

3.) Lastly, the White House is in the process of formulating a policy to share ransomware-related data with its international allies. This policy will encompass information about collected ransoms, attribution of the attacks, and the associated risks. It will also emphasize that victims should refrain from paying ransoms, as such payments encourage criminal activities and do not guarantee the return of decryption keys.

The post Ransomware news trending on Google appeared first on Cybersecurity Insiders.

LockBit, a notorious ransomware gang, has recently set its sights on the aerospace giant Boeing, initiating a double extortion attack and threatening to unveil stolen data on or after November 2, 2023. In a brazen move, the criminal group has publicly disclosed that they’ve gained access to sensitive company information and are prepared to auction off this valuable data unless Boeing’s IT department complies with their demand for a multimillion-dollar ransom.

According to the United States Cybersecurity and Infrastructure Security Agency (CISA), LockBit stands out as one of the most active Russian-speaking cybercriminal organizations in 2023. Their audacious exploits have targeted over 1,700 American multinational corporations, accumulating an astonishing $93 million in ill-gotten gains from January 2020 to January 2023.

Boeing, a prominent commercial aircraft manufacturer, has not yet officially responded to LockBit’s claims. However, the company has pledged to provide a comprehensive update by the coming weekend, citing ongoing internal investigations as the reason for the delay.

This incident is reminiscent of LockBit’s earlier breach of the technology firm CDW in August of this year. The breach may have led to the exposure of additional data belonging to CDW’s clients and partners, with Boeing potentially being among the affected parties, now ensnared in a ransomware quagmire.

Boeing, known for its role in designing, manufacturing, and distributing airplanes, rotorcraft, satellites, telecom equipment, and missiles worldwide, also provides critical product support services to numerous government defense contractors across the globe.

The extent and nature of the data in the possession of the LockBit criminal gang remain uncertain. The full scope of the breach may only become apparent when the group decides to release a selection of screenshots or other evidence of their ill-gotten information.

The post LockBit Ransomware Group Targets Boeing with Data Threat appeared first on Cybersecurity Insiders.

A newly emerging ransomware group, known as Hunter International, has recently targeted a plastic surgeon’s office, raising concerns by threatening to expose sensitive photographs of patients who have undergone facial surgery procedures at the clinic’s branches in Beverly Hills and Dubai.

Dr. Jaime Schwartz, the US-based surgeon, has reached out to law enforcement agencies to report the cyber-crime and is offering full cooperation to aid in the pursuit of the criminals. Dr. Schwartz remains resolute in refusing to comply with the ransom demands. Unfortunately, the situation is complicated by the fact that while the stolen data can be restored from backup systems, once the criminals gain access to it, there is no guarantee they will delete the information, despite their initial promises to do so in exchange for a payment.

Sources close to our Cybersecurity Insiders have revealed that the attackers infiltrated the clinic’s computer network several months ago and seized over 249,000 files, including sensitive patient information such as names, addresses, photos, and video clips.

The Hunter International Group, which appears to have ties to the now-defunct Hive Ransomware, has taken an aggressive stance. They have begun sending mass emails to the doctor’s clinic and have posted before-and-after photos of patients who underwent surgery. These tactics are intended to exert pressure on Dr. Schwartz to meet their demands. Adding to the distress, the group has also threatened to directly contact the affected patients to extort money if the doctor and his staff fail to meet the ransom demands promptly.

It remains uncertain whether the group’s claims about the leaked data are accurate, as the identities of the patients have not been disclosed. Moreover, there is no confirmation that the leaked photos and videos are indeed from Dr. Jaime Schwartz’s clinic, known for its reputation in reconstructing the facial features of patients who have experienced accidental damage.

Cyber-criminals are highly motivated to seize and sell this sensitive data due to the potential for lucrative extortion. As a result, victims are placed under significant pressure to pay the ransom at any cost. The situation is ongoing, and law enforcement agencies are actively working to trace the attackers and secure the compromised data.

The post Hunter International Ransomware Group hacks plastic surgery clinic appeared first on Cybersecurity Insiders.