Source: www.cybertalk.org – Author: slandau EXECUTIVE SUMMARY: Cyber security experts have recently uncovered a sophisticated cyber attack campaign targeting U.S-based organizations that are involved in artificial intelligence (AI) projects. Targets have included organizations in academia, private industry and government service. Known as UNK_SweetSpecter, this campaign utilizes the SugarGh0st remote access trojan (RAT) to infiltrate networks. […]

La entrada SugarGh0st RAT variant, targeted AI attacks – Source: www.cybertalk.org se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

WTH? DPRK IT WFH: Justice Department says N. Korean hackers are getting remote IT jobs, posing as Americans.

The post North Korea IT Worker Scam Brings Malware and Funds Nukes appeared first on Security Boulevard.

Hackers can find templates for DocuSign and other companies for their phishing campaigns on dark web marketplaces for as little as $10.

The post Hackers Use Fake DocuSign Templates to Scam Organizations appeared first on Security Boulevard.

One in three office workers who use GenAI admit to sharing customer info, employee details and financial data with the platforms. Are you worried yet?

The post Risks of GenAI Rising as Employees Remain Divided About its Use in the Workplace appeared first on Security Boulevard.

Source: securityboulevard.com – Author: Wajahat Raja In the digital realm, security is paramount, especially when it comes to the applications we use daily. Recently, concerns have surfaced regarding vulnerabilities in popular Android applications available on the Google Play Store. Revelations by the Microsoft Threat Intelligence team have unearthed a WPS Office exploit dubbed the Dirty […]

La entrada Xiaomi and WPS Vulnerabilities: File Overwrite Risks Alert – Source: securityboulevard.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: securityboulevard.com – Author: Jeffrey Burt The operators behind the Ebury server-side malware botnet have been doing business since at least 2009 and, according to the threat researchers who have been tracking it for the last decade, are stronger and more active than ever. The malware has compromised at least 400,000 Linux servers over the […]

La entrada 15-Year-Old Ebury Botnet Compromised 400,000 Linux Servers – Source: securityboulevard.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

In the digital realm, security is paramount, especially when it comes to the applications we use daily. Recently, concerns have surfaced regarding vulnerabilities in popular Android applications available on the Google Play Store. Revelations by the Microsoft Threat Intelligence team have unearthed a WPS Office exploit dubbed the Dirty Stream attack, casting a spotlight on […]

The post Xiaomi and WPS Vulnerabilities: File Overwrite Risks Alert appeared first on TuxCare.

The post Xiaomi and WPS Vulnerabilities: File Overwrite Risks Alert appeared first on Security Boulevard.

The operators behind the Ebury server-side malware botnet have been doing business since at least 2009 and, according to the threat researchers who have been tracking it for the last decade, are stronger and more active than ever. The malware has compromised at least 400,000 Linux servers over the past 15 years, with about 100,000..

The post 15-Year-Old Ebury Botnet Compromised 400,000 Linux Servers appeared first on Security Boulevard.

Phish Ahoy! Hacker took advantage of Dell’s lack of anti-scraping defense.

The post Dell Hell Redux — More Personal Info Stolen by ‘Menelik’ appeared first on Security Boulevard.

New account passwords, often used during onboarding, are vulnerable to sophisticated attacks from malicious actors.

Good idea to check: What’s your company using?

The post Easily Guessed Passwords for New Accounts Include “User”, “Temp”, “Welcome” appeared first on Security Boulevard.

It was probably inevitable. Threat researchers detected bad actors using stolen credentials to target LLMs, with the eventual goal of selling the access to other hackers.

The post Novel LLMjacking Attacks Target Cloud-Based AI Models appeared first on Security Boulevard.

Будет! Russian ransomware rascals riled a Roman Catholic healthcare organization.

The post FBI/CISA Warning: ‘Black Basta’ Ransomware Gang vs. Ascension Health appeared first on Security Boulevard.

Source: securityboulevard.com – Author: Richi Jennings Dark web sale of leaked data exposes Dell users to phishing phraud. Dell customer data from the past six or more years has been stolen. It looks like scrotes unknown broke into the company support portal and sold scads of personal information to the highest bidder. Again? In today’s […]

La entrada Dell Hell: 49 Million Customers’ Information Leaked – Source: securityboulevard.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: securityboulevard.com – Author: Nathan Eddy An advanced persistent threat (APT) group backed by Iran has been stoking divisions within Israeli society for the past three years. It has been using generative AI deepfake tools and social media accounts to craft disinformation campaigns. According to research from Recorded Future’s Insikt Group, the group, known as […]

La entrada Emerald Divide Uses GenAI to Exploit Social, Political Divisions in Israel Using Disinformation – Source: securityboulevard.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Bad actors are always ready to exploit political strife to their own ends. Right now, they’re doing so with the conflict in the Middle East. A holistic defense against influence networks requires collaboration between government, technology companies and security research organizations.

The post Emerald Divide Uses GenAI to Exploit Social, Political Divisions in Israel Using Disinformation appeared first on Security Boulevard.

DUDE! You’re Getting Phished.

Dell customer data from the past six (or more?) years was stolen. It looks like someone sold scads of personal information to the highest bidder.

The post Dell Hell: 49 Million Customers’ Information Leaked appeared first on Security Boulevard.

Recently, a wave of malware attacks has surfaced, exploiting vulnerabilities in the update mechanism of the eScan antivirus software. This eScan antivirus backdoor exploit distributes backdoors and cryptocurrency miners, such as XMRig, posing a significant threat to large corporate networks. In this blog, we’ll look into the details of this eScan antivirus backdoor exploit and […]

The post Backdoors and Miners Amid eScan Antivirus Backdoor Exploit appeared first on TuxCare.

The post Backdoors and Miners Amid eScan Antivirus Backdoor Exploit appeared first on Security Boulevard.

Source: securityboulevard.com – Author: Nathan Eddy Houston, we may have a problem. NASA’s cybersecurity framework for spacecraft development is inconsistent and must be improved, according to a 34-page review by the U.S. Government Accountability Office (GAO). The GAO report highlighted the need for mandatory cybersecurity updates throughout the space agency’s $83 billion space development project […]

La entrada NASA Must Improve Spacecraft Cybersecurity, GAO Report Finds – Source: securityboulevard.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

A GAO review of NASA projects found that, while some cybersecurity challenges have been addressed, many security policies and standards remain optional.

The post NASA Must Improve Spacecraft Cybersecurity, GAO Report Finds appeared first on Security Boulevard.

Google has brought together its Gemini AI model with its Mandiant cybersecurity unit and VirusTotal threat Intelligence to enhance threat landscape accessibility and efficiency. The company also plans to use its Gemini 1.5 Pro large language model, released in February, to ease the understanding of threat reports for a broader audience. At the RSA Conference in San Francisco, Google unveiled their latest AI-based solution to add more value to threat intelligence. Tackling the long-standing challenges of fragmented threat landscapes and cumbersome data collection processes, Google Threat Intelligence integrates Mandiant's frontline expertise, real-time contributions from VirusTotal's global community and Google's visibility into extensive user and device footprint to deliver a comprehensive defense against evolving cyber threats. Bernardo Quintero, founder of VirusTotal called this initiative a “sharing knowledge, protecting together” mission, which it has embraced with Google and Mandiant.

“I want to assure our entire community, from security researchers and industry partners to individual users, that VirusTotal's core mission remains unchanged. We remain deeply dedicated to collective intelligence and collaboration, fostering a platform where everyone can come together to share knowledge, access valuable threat information, and contribute to the fight against cyber threats,” Quintero said.

“VirusTotal remains committed to a level playing field, ensuring all partners, including Google Threat Intelligence, have equal access to the crowdsourced data VirusTotal collects. We also want to assure you that the core features and functionalities of VirusTotal will remain free and accessible to everyone, as always,” he added, clearing the air around VirusTotal’s future. “The strength of VirusTotal lies in its network of contributors and the vast amount of data they provide. This data serves as a valuable resource for the entire security industry, empowering our partners and others to enhance their products and contribute to a more secure digital world. This collaborative approach, based on transparency and equal access, strengthens the industry as a whole, ultimately leading to better protection for everyone.”

Challenges Addressed and Google’s Gemini AI Integration

For years, organizations have grappled with two primary hurdles in threat intelligence: a lack of holistic visibility into the threat landscape and the arduous task of collecting and operationalizing intelligence data. Google's new offering aims to address these challenges head-on providing insights and operational efficiency to security teams worldwide. The integration of Gemini, Google's AI-powered agent, enhances the operationalization of threat intelligence, streamlining the analysis process and accelerating response times. Using the Gemini 1.5 Pro large language model, Google claims to significantly reduce the time required to analyze malware attacks. For instance, the model took only 34 seconds to dissect the WannaCry virus and identify a kill switch, demonstrating its efficacy in threat analysis. Another key feature of Gemini AI is its ability to summarize threat reports into natural language, aiding companies in assessing potential attacks' impact and prioritizing responses. Threat Intelligence also offers a comprehensive threat monitoring network, empowering users to gain insights into the cybersecurity landscape and prioritize their defense strategies. Mandiant's experts, acquired by Google in 2022, play a vital role in assessing security vulnerabilities in AI projects through the Secure AI Framework. They conduct rigorous testing to fortify AI models against potential threats like data poisoning, ensuring their resilience against malicious exploitation. While Google is pioneering the integration of AI into cybersecurity, other tech giants like Microsoft are also exploring similar avenues, underscoring the growing significance of AI in safeguarding digital assets against evolving threats. As cyber threats continue to evolve, proactive defense strategies are more critical than ever. With Google Threat Intelligence, organizations can leverage cutting-edge technology to detect, analyze, and mitigate threats effectively, ensuring the security and resilience of their digital infrastructure in an increasingly complex threat landscape.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The new Google Threat Intelligence cloud service draws from Mandiant, VirusTotal, and its own insights and combines them with generative AI.

The post Google Continues Mixing Generative AI into Cybersecurity appeared first on Security Boulevard.

AI is rapidly increasing the pace of API creation within organizations, leading to API security becoming as significant as traditional application security.

Here’s what you can learn from the top five API breaches of the last quarter.

The post API Vulnerabilities Found Across AI Infrastructure Projects at NVIDIA, Mercedes appeared first on Security Boulevard.

It takes 4.76 days between public disclosure of a vulnerability and its first exploitations to appear.

The post Fortinet Report Sees Faster Exploitations of New Vulnerabilities appeared first on Security Boulevard.

The wireless communications provider announced the new company at RSA, promising that Level Blue will include managed security services and consulting services.

The post AT&T Spins Out Its Cybersecurity Business to Create LevelBlue appeared first on Security Boulevard.

War of the words: Fancy Bear actions are “intolerable and unacceptable,” complains German foreign minister Annalena Baerbock.

The post Germany Warns Russia: Hacking Will Have Consequences appeared first on Security Boulevard.

The centralized system helps organizations identify, track, and reduce risks, addressing the challenges of incomplete risk visibility and manual processes.

The post Critical Risk Launches Critical Start Cyber Risk Register  appeared first on Security Boulevard.

A report found more than 40 million exposures are impacting 11.5 million critical business entities, with more than half related to cloud platforms.

The post Identity, Credential Misconfigurations Open Worrying Security Gaps appeared first on Security Boulevard.

Six Australian Members of the Parliament confirmed today that they were targeted by Chinese-state hackers APT31 in a brazen cyberattack whose aim was to gather intelligence on these individuals. The Inter-Parliamentary Alliance on China whose members were victims of this hacking attempt said, “The politicians confirmed details with both the IPAC Secretariat and the Australian Government.”

“The apparent intention [of the cyberattack] was to garner sufficient information to mount more sophisticated follow-on attacks, escalating in severity.”

Those targeted included Senator James Paterson, Senator Claire Chandler, Senator Alex Antic, David Smith MP, Daniel Mulino MP and Tim Wilson MP.

Security Agencies Chose to Remain Tight-Lipped

Australia’s security agencies reportedly received two warnings about Chinese hackers targeting Australian MPs, but they chose not to inform the lawmakers about the cyberattacks. “It is staggering that both the targeted members of parliament and the broader Australian public have been kept in the dark about a direct attempt at cyber interference against Australian parliamentarians,” Senator Claire Chandler said.

“Incredibly, despite Australian authorities being notified of this hacking attempt in 2022, agencies did not alert my colleagues and I that we had been targeted.It’s unacceptable that this information was withheld from us for two years,” Chandler added.

The Five Eyes intelligence agency reportedly alerted Australia’s security agencies in mid-2021 about attacks that occurred earlier in January. Then, in June 2022, the FBI officially notified Australian authorities about attempts by the Chinese hacking group APT31 to target six Australian MPs. However, the agencies opted against informing the Government or the affected MPs. The IPAC, consisting of 20 Australian MPs, only became aware of the attempted attack when the US Department of Justice indicted seven Chinese hackers in April this year -three years after the initial warning. The National Cyber Security Centre of the United Kingdom also called out the Chinese APT31 actors for their malicious cyber targeting of UK’s democratic institutions and parliamentarians earlier in March. Following this revelation, MPs demanded an explanation from the Australian Security Intelligence Organisation regarding the lack of notification. After receiving a briefing, they released a joint statement today expressing outrage and demanding a robust response to protect Australian sovereignty. “We were not informed by Australian agencies at any time since 2021 about this targeting,” the statement from IPAC members targeted by APT31 said.

“This was not an attack on any single party or House of Parliament. This was an attack on Australian parliamentarians from both Houses and both parties who have dared to exercise their legitimate democratic right to criticize Beijing. As such, it was an attack on Parliament as a whole and demands a robust and proportionate response,” the IPAC members’ statement said.

“It is very worrying for our democracy that elected members of parliament have been targeted by PRC-state sponsored hacking attempts specifically because we have expressed concern about the behavior of the PRC, including human rights violations in Xinjiang and coercive behavior against Australia,” Senator Claire Chandler said. “It is in Australia’s national interest for Australians to be properly informed about the behavior of the PRC government. The withholding of information about the targeting of Australian elected representatives by state-affiliated cyber criminals means that Australians have been given a misleading impression of the PRCs behavior towards our country,” Chandler added. The targeted IPAC members insisted on being informed about future attempts to target them by state-sponsored groups, for which they have received an assurance from the government.

“I welcome the assurance that in future agencies will inform MPs about any attempts by state-sponsored cyber actors to target parliamentarians,” Senator Claire Chandler said.

The Australian agencies likely refrained from informing MPs because they considered the attacks crude and unsuccessful, according to Austrlian news agency The Nightly. Moreover, they occurred during a period when MPs and the public were already being cautioned to enhance their cybersecurity. Paterson, who is also the co-chair of IPAC Australia, denounced the attempted hack.

“Targeting parliamentarians, as the CCP has done, is not the act of a friend. It is yet another obstacle to a normal bilateral relationship. We should never hesitate to call out this behavior or be afraid to impose real costs to deter it,” he tweeted.

APT31 Used Pixel Tracking Emails

APT31 hackers targeted MPs with pixel tracking emails from a domain pretending to be a news outlet. If opened, these emails tracked the recipients' online behavior. According to the FBI's indictment released last month, the hackers spammed various government individuals worldwide associated with IPAC, with more than 10,000 malicious emails that also exploited zero-days and resulted in potential compromise of economic plans, intellectual property and trade secrets. Last month, FBI Director Christopher Wray highlighted the magnitude of Chinese hacking, stating that it surpassed that of every other major nation combined. He underscored the overwhelming scale of Chinese cyber operations, indicating the challenges faced by law enforcement in countering these threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Mandiant's M-Trends 2024 report shows that defenses are improving – and that may be true. But the reality remains that these same statistics demonstrate that if anything, the attackers still retain the upper hand.

The post The Battle Continues: Mandiant Report Shows Improved Detection But Persistent Adversarial Success appeared first on SecurityWeek.

In the past couple of weeks, we have observed an ongoing campaign targeting system administrators with fraudulent ads for popular system utilities. The malicious ads are displayed as sponsored results on Google’s search engine page and localized to North America.

Victims are tricked into downloading and running the Nitrogen malware masquerading as a PuTTY or FileZilla installer. Nitrogen is used by threat actors to gain initial access to private networks, followed by data theft and the deployment of ransomware such as BlackCat/ALPHV.

We have reported this campaign to Google but no action has been taken yet. This blog post aims to share the tactics, techniques and procedures (TTPs) as well as indicators of compromise (IOCs) so defenders can take action.

Step 1: Luring victims in via malicious ads

The initial intrusion starts from a malicious ad displayed via Google search. We have observed several different advertiser accounts which were all reported to Google. The lures are utilities commonly used by IT admins such as PuTTY and FileZilla.

Online ads from search engine result pages are increasingly being used to deliver malware to corporate users. ThreatDown users that have DNS Filtering can enable ad blocking in their console to prevent such malvertising attacks:

Step 2: Directing users to lookalike sites

The malvertising infrastructure deployed by Nitrogen threat actors uses a cloaking page that can either redirect to a decoy site or the infamous Rick Astley video. The redirect to a decoy page can be activated if the campaign is not weaponized yet or if the malicious server detects invalid traffic (bot, crawler, etc.).

The Rick Astley redirect is mostly to mock security researchers investigating this campaign:

Actual lookalike pages are meant for potential victims. They are often good-looking copycats which could easily fool just about anyone:

ThreatDown blocks these malicious websites to prevent your users from being social-engineered into downloading malware:

Step 3: Deploying malware via a fraudulent installer

The final step in this malvertising chain consists of downloading and running the malware payload. Nitrogen uses a technique known as DLL sideloading whereby a legitimate and signed executable launches a DLL. In this case, setup.exe (from the Python Software Foundation) sideloads python311.dll (Nitrogen).

ThreatDown via its EDR engine quarantines the malicious DLL immediately. System administrators can log into their console and use the AI-assisted engine to quickly search and review the detection:

Recommendations

While there are many phishing training simulations for email threats, we aren’t aware of similar trainings for malvertising. Yet, the threat has become prevalent enough to warrant better user education.

Endpoints can be protected from malicious ads via group policies that restrict traffic coming from the main and lesser known ad networks. Click here for more information about DNS filtering via our Nebula platform.

Endpoint Detection and Response (EDR) is a cornerstone in your security posture, complemented by Managed Detection and Response (MDR) where analysts can quickly alert you of an impending intrusion.

Indicators of Compromise

Cloaking domains:

kunalicon[.]com
inzerille[.]com
recovernj[.]com

Lookalike sites:

file-zilla-projectt[.]org
puuty[.]org
pputy[.]com
puttyy[.]ca

Nitrogen payloads (URLs):

amplex-amplification[.]com/wp-includes/FileZilla_3.66.1_win64.zip
newarticles23[.]com/wp-includes/putty-64bit-0.80-installer.zip
support[.]hosting-hero[.]com/wp-includes/putty-64bit-0.80-installer.zip
mkt.geostrategy-ec[.]com/installer.zip

Nitrogen payloads (SHA256):

ecde4ca1588223d08b4fc314d6cf4bce82989f6f6a079e3eefe8533222da6281
2037ec95c91731f387d3c0c908db95184c93c3b8412b6b3ca3219f9f8ff60945
033a286218baca97da19810446f9ebbaf33be6549a5c260889d359e2062778cf

Nitrogen C2s:

94.156.65[.]98
94.156.65[.]115

Most of the malicious search ads we have seen have originated from Google, but threat actors are also abusing other search engines. Microsoft Bing is probably the second best target due to its close ties to the Windows ecosystem and Edge browser.

In this blog post, we look at a very recent malvertising campaign impersonating the popular VPN software NordVPN. A malicious advertiser is capturing traffic from Bing searches and redirecting users to a decoy site that looks almost identical to the real one.

The threat actors went ever further by trying to digitally sign a malicious installer as if they were the official vendor. Victims will have the impression they are getting NordVPN as it is part of the package, but will also inadvertently install a Remote Access Trojan known as SecTopRAT on their computer.

We have reported the malicious Bing ad to Microsoft, and other parts of the distribution infrastructure to their respective provider. We want to reiterate that NordVPN is a legitimate VPN provider and they are being impersonated by threat actors.

Fraudulent Bing ad

When searching for “nord vpn” via the Bing search engine, we identified a malicious ad that impersonates NordVPN. The ad itself looks suspicious because of the URL in the ad snippet. The domain name nordivpn[.]xyz was created one day ago (April 3, 2024). It was probably chosen as it looks quite similar to the official name and can deceive users who aren’t looking too closely.

As we often see, the ad URL is simply used as a redirection mechanism to a fake website that is meant to look identical to the one being impersonated. This is true here as well, where we have a redirect to besthord-vpn[.]com (note again the spelling chosen with the ‘h‘ looking like an ‘n‘) which was created today, only a few hours ago.

The website looks incredibly convincing, and victims will be tricked into downloading the app from there. Unlike the legitimate NordVPN that goes through a sign up process, here you can directly download the installer from Dropbox.

Here’s a summary of the traffic flow from the malicious ad to the download link:

Malware payload

The downloaded file is called NordVPNSetup.exe and is digitally signed, as if it was from its official vendor; however, the signature is not valid.

The file contains both an installer for NordVPN and a malware payload. The installer for NordVPN is meant to give victims the illusion that they are actually installing a real file.

The payload is injected into MSBuild.exe and will connect to the malware author’s command and control server at 45.141.87[.]216 on port 15647.

That network traffic is detected by Emerging Threats as Arechclient2 Backdoor, an alias for SecTopRAT.

Conclusion

Malvertising continues to show how easy it is to surreptitiously install malware under the guise of popular software downloads. Threat actors are able to roll out infrastructure quickly and easily to bypass many content filters.

ThreatDown customers who have DNS Filtering can proactively block online ads by enabling the rule for advertisements. This is a simple, and yet powerful way to prevent malvertising across an entire organization or in specific areas.

The malicious ad and related indictors have been reported as we work with industry partners to take down this campaign. Dropbox has already taken action to take down the malicious download.

Indicators of Compromise

Malicious domains

nordivpn[.]xyz
besthord-vpn[.]com

Fake NordVPN installer

e9131d9413f1596b47e86e88dc5b4e4cc70a0a4ec2d39aa8f5a1a5698055adfc

SecTopRAT C2

45.141.87[.]216

Educational institutions may face a range of cyberthreats in 2024, but our 2024 State of Malware in Education report identifies the six most critical ones.

Ransomware, for example, stands out as a key threat for schools and universities. The report covers how last year, we witnessed a 92% increase in ransomware attacks in K-12 schools and a 70% increase in Higher Education. The trend appears set to continue, partly due to specialized ransomware groups like Rhysida (formerly Vice Society) targeting educational sectors.  

Another major threat our 2024 State of Malware in Education covers is the reduction of conventional malware in favor of Living off The Land (LOTL) attacks. LOTL attacks exploit legitimate system tools to remain undetected while conducting harmful activities.

Our report suggests that educational institutions must employ expert staff to manually identify LOTL activities, which traditional malware detection tools miss. For example, we recently wrote how one K-12 district used MDR to uncover malicious PowerShell activity and stop an ongoing infection.

Some other trends and threats educational institutions can expect in the report to cover include:

• Why targeting Macs has become an easy choice for criminals 
• How CL0P is rewriting the ransomware playbook and why Big Game ransomware remains the most serious threat.
• How cybercriminals use ‘malvertising’ to target educational institutions with malicious ads for popular for remote learning such as Zoom. 

As we progress into 2024, the reality is that educational institutions’ success in pairing state of the art security software with skilled security staff will be a deciding factor in their ability to take down the most serious cyberthreats. 

To understand the complete list of threats facing educational institutions in 2024 and how to tackle them, get the full 2024 State of Malware in Education report—tailored to either K-12 or Higher Ed—below.

---

In early 2024, a large K-12 school district partnered with ThreatDown MDR to strengthen its cybersecurity posture. Shortly after onboarding, ThreatDown MDR analysts detected unusual patterns of activity subsequently identified as the work of SolarMarker, a sophisticated backdoor. It became evident that SolarMarker had been present in the district’s system since at least 2021, likely exfiltrating data over several years.

Let’s dive further into the investigation’s findings and the steps taken to mitigate the threat.

SolarMarker infection

Background

The incident began with the detection of an anomalous instance of PowerShell attempting to establish an outbound network connection to a suspicious IP address (188.241.83.61). This connection attempt was thwarted by Malwarebytes Web Protection (MWAC), signaling the first indication of a potential security breach.

Initial challenges

Upon investigation, it was discovered that Endpoint Detection and Response (EDR) settings were disabled in the client’s endpoint policy. This limitation prevented the use of Fast Response Scanning (FRS) to capture and analyze detailed endpoint data, necessitating a manual approach to the investigation utilizing Active Response Scanning (ARS).

Investigation and analysis

The first step involved querying active network connections with netstat, which revealed an instance of PowerShell in operation. To further understand the nature of this PowerShell instance, its command line was examined using Windows Management Instrumentation Command-line (WMIC) with the process ID (PID), which unveiled obfuscated code.

Decoding and understanding SolarMarker

The obfuscated PowerShell code was extracted and refactored for clarity. The analysis revealed the following components of the malware’s operation:

powershell

$decodeKey = '<Base64_encoded_string>'

$encodedFilePath = 'C:\Users\akeith\AppData\Roaming\micROSoft\wbpgVnSBjsytaokm\JqdVQplHfgwxyNmtaPX.gvzPlATqFe'

$decodedPayload = [System.IO.File]::ReadAllBytes($encodedFilePath)

for ($payloadIndex = 0; $payloadIndex -lt $decodedPayload.Count; $payloadIndex++) {

 $decodedPayload[$payloadIndex] = $decodedPayload[$payloadIndex] -bxor $decodeKey[$payloadIndex % $decodeKey.Length]

 if ($payloadIndex -ge $decodeKey.Length) {

 $payloadIndex = $decodeKey.Length

 }

}

[System.Reflection.Assembly]::Load($decodedPayload)

[ab821408b424418fa94bb4d815b4e.ad0682a943e4859ef35309cc0a537]::a1f5abfa214411baa77e25f6ceaa6()

This code reveals the malware’s methodology:

• It utilizes a Base64-encoded string as a decryption key.
• It targets a specific file path for encoded data.
• It reads, decodes, and executes the encrypted payload.

The command line shows signs of the malicious script execution, with parameters indicative of a desire to hide the window (-WindowStyle Hidden), bypass execution policies (-Ep ByPass), and run encoded commands (-ComMand “sa43…). 

Further investigation uncovered randomly named folders within the AppData\Roaming\Microsoft directory, each containing encoded payloads. These discoveries suggested a more widespread infection than initially anticipated.

Response and mitigation

The response involved several steps to contain and eliminate the threat:

• Terminating the malicious PowerShell instance.
• Deleting the identified folders containing encoded payloads.
• Conducting a thorough search for persistence mechanisms, which fortunately yielded no findings.

A comprehensive threat scan was executed, and the incident was escalated for visibility with the client. Post-reboot checks confirmed the absence of persistence, no spawn of new PowerShell instances, and blocking of suspicious network connections, indicating successful remediation of the infection.

Conclusion

As we’ve seen in our 2024 State of Ransomware in Education report, the educational sector continues to be a prime target for attackers. In this case, attackers used SolarMarker, a sophisticated backdoor, to lurk within the school district’s network for years, likely stealing data in the process. Its presence went undetected until the district onboarded with ThreatDown MDR. Despite facing initial obstacles, such as disabled EDR settings, the ThreatDown MDR team successfully identified and neutralized the SolarMarker infection through manual intervention.

Discover how ThreatDown MDR can safeguard your K-12 institution.

Malware loaders (also known as droppers or downloaders) are a popular commodity in the criminal underground. Their primary function is to successfully compromise a machine and deploy one or multiple additional payloads.

A good loader avoids detection and identifies victims as legitimate (i.e. not sandboxes) before pushing other malware. This part is quite critical as the value of a loader is directly tied to the satisfaction of its “customers”.

In this blog post, we describe a malvertising campaign with a loader that was new to us. The program is written in the Go language and uses an interesting technique to deploy its follow-up payload, the Rhadamanthys stealer.

Malicious ad targets system administrators

PuTTY is a very popular SSH and Telnet client for Windows that has been used by IT admins for years. The threat actor bought an ad that claims to be the PuTTY homepage and appeared at the top of the Google search results page, right before the official website.

In this example, the ad looks suspicious simply because the ad snippet shows a domain name (arnaudpairoto[.]com) that is completely unrelated. This is not always the case, and we continue to see many malicious ads that exactly match the impersonated brand.

Fake PuTTY site

The ad URL points to the attacker controlled domain where they can easily defeat security checks by showing a “legitimate” page to visitors that are not real victims. For example, a crawler, sandbox or scanner, will see this half finished blog:

Real victims coming from the US will be redirected to a fake site instead that looks and feels exactly like putty.org. One of the big differences though is the download link.

The malicious payload is downloaded via a 2 step redirection chain which is something we don’t always see.

puttyconnect[.]info/1.php
HTTP/1.1 302 Found
Location: astrosphere[.]world/onserver3.php

astrosphere[.]world/onserver3.php
HTTP/1.1 200 OK
Server: nginx/1.24.0
Content-Type: application/octet-stream
Content-Length: 13198274
Connection: keep-alive
Content-Description: File Transfer
Content-Disposition: attachment; filename="PuTTy.exe"

We believe the astrosphere[.]world server is performing some checks for proxies while also logging the victim’s IP address. This IP address will later be checked before downloading the secondary payload.

That PuTTy.exe is malware, a dropper written in the Go language (version 1.21.0).

Its author may have given it the name “Dropper 1.3“:

Follow-up payload

Upon executing the dropper, there is an IP check for the victim’s public IP address. This is likely done to only continue with users that have gone through the malicious ad and downloaded the malware from the fake site.

zodiacrealm[.]info/api.php?action=check_ip&ip=[IP Address]

If a match is found, the dropper proceeds to retrieve a follow-up payload from another server (192.121.16[.]228:22) as seen in the image below:

To get this data, we see it uses the SSHv2 (Secure Shell 2.0) protocol implemented via OpenSSH on a Ubuntu server. We can only think of using this protocol to make the malware download more covert.

That payload is Rhadamanthys which is executed by the parent process PuTTy.exe:

Malvertising / loader combo

We have seen different types of loaders via malvertising campaigns, including FakeBat which we profiled recently. Given how closely the loader is tied to the malvertising infrastructure it is quite likely that the same threat actor is controlling both. The service they offer to other criminals is one of malware delivery where they take care of the entire deployment process, from ad to loader to final payload.

We reported this campaign to Google. Malwarebytes and ThreatDown users are protected as we detect the fake PuTTY installer as Trojan.Script.GO.

ThreatDown users that have DNS Filtering can enable ad blocking in their console to prevent attacks that originate from malicious ads.

Indicators of Compromise

Decoy ad domain

arnaudpairoto[.]com

Fake site

puttyconnect[.]info

PuTTY

astrosphere[.]world
0caa772186814dbf84856293f102c7538980bcd31b70c1836be236e9fa05c48d

IP check

zodiacrealm[.]info

Rhadamanthys

192.121.16[.]228:22
bea1d58d168b267c27b1028b47bd6ad19e249630abb7c03cfffede8568749203

February was a particularly busy month for search-based malvertising with the number of incidents we documented almost doubling. We saw similar payloads being dropped but also a few new ones that were particularly good at evading detection.

One malware family we have been tracking on this blog is FakeBat. It is very unique in that the threat actor uses MSIX installers packaged with heavily obfuscated PowerShell code. For weeks, the malvertiser helping to distribute this malware was abusing the same URL shortener services which may have made the attack somewhat predictable. We saw them experimenting with new redirectors and in particular leveraging legitimate websites to bypass security checks.

Another interesting aspect is the diversity of the latest campaigns. For a while, we saw the same software brands (Parsec, Freecad) being impersonated over and over again. With this latest wave of FakeBat malvertising, we are seeing many different brands being targeted.

All the incidents described in this blog have been reported to Google.

New redirection chain

During the past several weeks, FakeBat malvertising campaigns used two kinds of ad URLs. As observed in other malvertising campaigns, they were abusing URL/analytics shorteners which are ideal for cloaking. That practice enables a threat actor to use a ‘good’ or ‘bad’ destination URL based on their own defined parameters (time of day, IP address, user-agent, etc.).

The other type of redirect was using subdomains from expired and sitting .com domains reassigned for malicious purposes. This is a common trick to give the illusion of credibility. However, in the most recent malvertising campaigns we see the threat actor abusing legitimate websites that appear to have been compromised.

It’s worth noting that the few examples we found were all Argentinian-based (.ar TLD):

Victims click on the ad which sends a request to those hacked sites. Because the request contains the Google referer, the threat actor is able to serve a conditional redirect to their own malicious site:

The full infection chain can be summarized in the web traffic image seen below:

Several active brand impersonations

There are currently several campaigns running including OneNote, Epic Games, Ginger and even the Braavos smart wallet application. A number of those malicious domains can be found on Russian-based hoster DataLine (78.24.180[.]93).

Each downloaded file is an MSIX installer signed with a valid digital certificate (Consoneai Ltd).

Once extracted, each installer contains more or less the same files with a particular PowerShell script:

When the installer is ran, this PowerShell script will execute and connect to the attacker’s command and control server. Victims of interest will be cataloged for further use. ThreatDown EDR detects the PowerShell execution and creates an alert:

Conclusion

FakeBat continues to be a threat to businesses via malicious ads for popular software downloads. The malware distributors are able to bypass Google’s security checks and redirect victims to deceiving websites.

It is as important to defend against the supporting infrastructure as the malware payloads. However, that is not always easy since legitimate websites may be used to defeat domain blocklists. As always, blocking ads at the source via system policies such as ThreatDown DNS Filter, remains one the most effective ways to stop malvertising attacks in their tracks.

Indicators of Compromise

Hacked sites

cecar[.]com[.]ar
estiloplus[.]tur[.]ar
disenoymas[.]com[.]ar
barcala[.]com[.]ar
elchubutense[.]com[.]ar
argentec[.]com[.]ar
culturabritanicacba[.]org[.]ar
starfirematafuegos[.]com[.]ar
tecnologiaag[.]com[.]ar
anelli[.]com[.]ar

Decoy sites

obs-software[.]cc
bandi-cam[.]cc
breavas[.]app
open-project[.]org
onenote-download[.]com
epicgames-store[.]org
blcnder[.]org
trelconf[.]com
trelconf[.]net
noitons[.]net

Download URLs

bezynet[.]com/OBS-Studio-30[.]0[.]2-Full-Installer-x64[.]msix
bezynet[.]com/Bandicam_7[.]21_win64[.]msix
church-notes[.]com/Braavos-Wallet[.]msix
church-notes[.]com/Epic-Games_Setup[.]msix
church-notes[.]com/Onenote_setup[.]msix
avr-energie[.]com/Trello-Full-Installer-x64.msix
avr-energie.com/Notion%20Setup%203.2.1.msix

File hashes

07b0c5e7d77629d050d256fa270d21a152b6ef8409f08ecc47899253aff78029
0d906e43ddf453fd55c56ccd6132363ef4d66e809d5d8a38edea7622482c1a7a
15ce7b4e6decad4b78fe6727d97692a8f5fd13d808da18cb9d4ce51801498ad8
40c9b735d720eeb83c85aae8afe0cc136dd4a4ce770022a221f85164a5ff14e5
f7fbf33708b385d27469d925ca1b6c93b2c2ef680bc4096657a1f9a30e4b5d18
d6a6b73c273c508417898c02a142c496158ad2d0432495bff3a4f94f574d5bc4
b2e8277064af7791a3a73479ff2f2c45be3591c96567addb9421faed3dc7e2be

Command and control servers

62.204.41[.]98
ads-pill[.]xyz
ads-pill[.]top
ads-tooth[.]top
ads-tooth[.]xyz
ads-analyze[.]top
ads-analyze[.]xyz
ads-analyze[.]site
ads-eagle[.]xyz
ads-eagle[.]top
ads-hoop[.]top
ads-hoop[.]xyz
ads-creep[.]xyz
ads-creep[.]top
ads-moon[.]top
ads-moon[.]xyz
ads-work[.]top
ads-work[.]site
ads-work[.]xyz
ads-star[.]top
ads-star[.]xyz
ads-star[.]online
ads-star[.]site
ads-strong[.]site
ads-strong[.]online
ads-strong[.]top
ads-strong[.]xyz
ads-change[.]online
ads-change[.]top
ads-change[.]xyz
ads-change[.]site

This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim did not pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.

In February, there were 376 ransomware victims, marking an unusually active month for the historically subdued time period. But February didn’t just bring unprecedented numbers, but unprecedented developments as well: law enforcement shut down LockBit, the largest ransomware gang, while ALPHV, the second-largest, appeared to fake its demise and abscond with its own affiliates’ funds.

Before we dive into the two biggest stories of the month, however, let’s start with a quick overview of other significant ransomware developments, including a new Coveware report revealing a record low of 29% of victims paying ransoms in the last quarter of 2023.

A few years ago, paying ransomware attackers was almost a given—85% of hit organizations in early 2019 felt they had no choice. But fast forward to 2024, and Coveware data suggests that that trend has completely reversed—not only have the number of victims paying dropped but so have the dollar amounts of actual ransom payments. In other words, we’re seeing fewer and smaller ransomware payouts than ever before. 

At first glance, the trend appears counterintuitive: with global ransomware attacks hitting record highs annually, one might expect a proportional increase in the number of victims choosing to pay a ransom. But as it turns out, all the attention on ransomware is effectively shooting attackers in the foot: the more these attacks make headlines, the more businesses understand ransomware as a prime threat, leading to improved security measures that can allow victims to recover from an attack without paying a ransom. Also discouraging payments are increasing doubts about cybercriminals’ reliability and stricter anti-ransom laws.

But all of this begs the question: with fewer payments, will ransomware gangs adapt their strategies to remain a threat, or will the decrease in successful ransoms lead to a decline in attacks as they seek more lucrative avenues? Will ransomware attacks always remain profitable, albeit less so over time? The report raises just about as many questions as it answers. 

Our prediction? Ransomware gangs aren’t backing down any time soon; in fact, they’ll likely continue getting more inventive in pressuring companies to pay up. Our coverage on “big game ransomware” showed ransomware gangs aren’t just hiking up demands when companies resist paying, they’re also turning to more aggressive tactics. “Threats to leak data, sell it online, break other parts of the business, attack related firms, or even harass employees are all tactics gangs can make use of” to force reluctant businesses to pay, writes former Malwarebytes Labs author Christopher Boyd.

In other words, despite fewer companies paying up, we foresee ransomware attackers compensating with higher ransom demands and more sophisticated, aggressive negotiation tactics.

In other February news, new reports highlighted ALPHV’s surge of targeted attacks against the healthcare sector. Coincidentally, a day after these reports were published, there was news of ALPHV’s severe attack on Change Healthcare, one of the largest healthcare technology companies in the US.

The report indicated that since mid-December 2023, out of nearly 70 leaked victims, the healthcare sector has been ALPHV’s most frequent target. This seems to be a response to the ALPHV Blackcat administrator’s encouragement for its affiliates to target hospitals following actions against the group and its infrastructure in early December 2023.

The Roman historian Tacitus once said, “Crime, once exposed, has no refuge but in audacity.” Well, the exposure of ALPHV’s crimes has seemingly emboldened them further, pushing them to undertake even more brazen acts of revenge against the very institutions aiming to curb their criminal activities. At the end of the day, ALPHV’s actions are unsurprisingly petty, pointless, and endanger human lives, but they at the very least they hint at the group’s last desperate gasps for relevance.

On the vulnerability front, ransomware gangs like Black Basta, Bl00dy, and LockBit were seen exploiting vulnerabilities in ConnectWise ScreenConnect last month that exposed servers to control by attackers. It appears that almost every other month, our ransomware reviews uncover a new vulnerability being exploited with great success—whether it was MOVEit in the summer of 2023 or Citrix Bleed at the end of 2023. The vulnerabilities in ScreenConnect are once again part of this broader trend we’ve noticed of ransomware gangs finding ever-new points of entry—perhaps even more quickly and extensively than in previous years.

LockBit down, ALPHV out

February 2024 is likely to be remembered for years as the month when two of the most dangerous ransomware gangs in the world suffered some serious turbulence.

LockBit has been the preeminent ransomware menace since the demise of Conti in spring 2022, but for the first time there are serious reasons to doubt its status and longevity. On February 19, the ransomware gang’s dark web site announced “This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’.”

What followed was something quite unique in the annals of ransomware takedowns. Alongside the usual dry press releases, the law enforcement agencies responsible used the site it had acquired to showcase the details of what it had done.

It was an act of exquisite trolling that looked designed to damage the LockBit brand by humiliating it in the eyes of its peers and affiliates.

There was substance to the disruption too—some arrests, “a vast amount of intelligence” gathered, infrastructure seized, cryptocurrency accounts frozen, decryption keys captured, and the revelation that LockBit administrator LockBitSupp “has engaged with law enforcement.”

LockBit quickly established a new site and insisted everything was fine in exactly the way that people do when things aren’t fine, by releasing a stream of concious 3,000-word essay that explained precisely how fine things were, thanks. It remains to be seen if LockBit’s rebound will last. When ransomware gangs start to feel the hot breath of law enforcement on their neck a rebrand normally follows.

LockBit’s main rival, ALPHV, used February to demonstrate an alternative ending. It decided to leave the ransomware world behind by ripping off its own customers (which are really just affiliates in crime) in a sloppily executed exit scam. ALPHV had suffered its own brush with law enforcement in December and, like LockBit, appeared to have recovered.

Perhaps it was spooked by its brush with the feds, or perhaps the $22 million ransom an affiliate extracted from its devastating attack on Change Healthcare was just too hard to resist. Whatever the reason, ALPHV cut and ran, taking the cash and leaving its criminal affiliates high and dry. A half-hearted attempt to pin the blame for its disappearance on the FBI fooled no one.

Preventing Ransomware

Fighting off ransomware gangs like the ones we report on each month requires a layered security strategy. Technology that preemptively keeps gangs out of your systems is great—but it’s not enough. 

Ransomware attackers target the easiest entry points: an example chain might be that they first try phishing emails, then open RDP ports, and if those are secured, they’ll exploit unpatched vulnerabilities. Multi-layered security is about making infiltration progressively harder and detecting those who do get through. 

Technologies like Endpoint Protection (EP) and Vulnerability and Patch Management (VPM) are vital first defenses, reducing breach likelihood. 

The key point, though, is to assume that motivated gangs will eventually breach defenses. Endpoint Detection and Response (EDR) is crucial for finding and removing threats before damage occurs. And if a breach does happen—ransomware rollback tools can undo changes.

How ThreatDown Addresses Ransomware

ThreatDown bundles take a comprehensive approach to these challenges. Our integrated solutions combine EP, VPM, and EDR technologies, tailored to your organization’s specific needs. ThreatDown’s select bundles offer:

• Advanced Web Protection: Blocking phishing websites ransomware gangs use for initial access.
• RDP Shield: Securing remote access points with Brute Force Protection.
• Continuous Vulnerability Scanning and Patch Management: Identifying and patching weaknesses before ransomware gangs can exploit them.
• Sophisticated EDR: Detecting and neutralizing advanced threats such as LockBit within the network.
• Ransomware Rollback: Reversing the impact of any successful attacks.

ThreatDown EDR detecting LockBit ransomware

ThreatDown automatically quarantining LockBit ransomware

For resource-constrained organizations, select ThreatDown bundles offer Managed Detection and Response (MDR) services, providing expert monitoring and swift threat response to ransomware threats—without the need for large in-house cybersecurity teams.

---

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

A new type of malware is being used by ransomware gangs in their attacks, and its name is PikaBot.

A relatively new trojan that emerged in early 2023, PikaBot is the apparent successor to the infamous QakBot (QBot) trojan that was shut down in August 2023. QBot was used by many ransomware gangs in the past for its versatile ability to facilitate initial access and deliver secondary payloads.

After QBot got shut down, there was a vacuum in the ransomware gang tool box—but with PikaBot, that’s beginning to change: last month we wrote about the first recorded instance of PikaBot being used by ransomware gangs, specifically Black Basta, in their attacks.

Let’s dig into how PikaBot works, how it’s distributed, how ransomware gangs use it in their attacks, and how to stop it with ThreatDown.

A closer look at PikaBot

To get a better idea of how PikaBot works, we need to first understand what a modular trojan is.

Simply put, a modular trojan is a type of malware designed to be flexible and extensible, allowing attackers to add or update its functionalities easily without needing to replace the whole malware.

The modular nature of trojans like QBot and PikaBot are what makes them so dangerous. Unlike simpler malware, PikaBot can execute arbitrary commands, download additional payloads, and inject malicious shellcode into legitimate processes running on a victim’s computer. Think of it like a backdoor that allows attackers to set up for the next stages of their attacks.

Once it’s installed onto a system, PikaBot has a whole host of ways to stay under the radar, evading detection by most conventional security tools through techniques like indirect system calls and advanced obfuscation methods.

How Pikabot is distributed

The distribution of PikaBot, like many other malicious loaders such as QBot and DarkGate, is heavily reliant on email spam campaigns. Even so, ThreatDown Intelligence researchers have seen PikaBot being delivered via malicious search ads as well (also known as “malvertising”).

PikaBot’s initial access campaigns are meticulously crafted, utilizing geolocalized spam emails that target specific countries. The emails often contain links to external SMB (Server Message Block) shares, which host malicious zip files.

SMB shares are network folders leveraging the SMB protocol—a network file sharing protocol designed for sharing files and printers across devices on a network. Attackers often use SMB shares to distribute malware. In this case, downloading and opening the hosted zip file results in PikaBot infection.

For example, consider the below phishing email containing a link to a zip file containing the PikaBot payload.

Source: ANY.RUN (Translation: I sent you some paperwork the other day. Did you get it?)

Once the recipient interacts with these emails by clicking on the link, they are taken to the SMB share hosting the malicious zip files.

Extracting a zip and double-clicking on the executable within it will install PikaBot.

Source: ANY.RUN

How ransomware gangs use PikaBot

Ransomware gangs commonly use modular trojans like PikaBot for their attacks.

Before it was shut down, for example, Qbot allowed ransomware gangs to seamlessly integrate various attack techniques into their operations, including stealing credentials, moving laterally across networks, and ultimately deploying ransomware or other malicious payloads.

PikaBot is being used by ransomware attackers in a similar way.

Once PikaBot has established a foothold in a network, it allows attackers to engage in a wide range of follow-up activities.

For example, researchers have noted affiliates of the BlackBasta ransomware gang using PikaBot to use encrypted communications with command and control (C&C) servers. Pikabot can also assist gangs in getting detailed information about infected systems, helping them tailor their ransomware for maximum impact.

How to stop PikaBot with ThreatDown

Besides preventing initial access through things such as a web content filter and phishing training, choosing an Endpoint Detection and Response (EDR) platform that automatically detects and quarantines threats like PikaBot is crucial.

ThreatDown EDR automatically detects and blocks PikaBot

However, given the constant evolution of malware, identifying dynamic threats like Pikabot boils down to two words: threat hunting.

At ThreatDown, we talk a lot about the importance of threat hunting for SMBs—and not for no good reason, either. Just consider the fact that, when an attacker breaches a network, they don’t attack right away. The median amount of time between system compromise and detection is 21 days.

By that time, it’s often too late. Data has been harvested or ransomware has been deployed.

Threat hunting helps find and remediate highly-obfuscated threats like PikaBot that can quietly lurk in the network, siphoning off confidential data and searching for credentials to access the “keys to the kingdom.”

For example, as detailed in one case study, the ThreatDown Managed Detection and Response (MDR) team employed threat hunting techniques to uncover and neutralize a sophisticated QBot attack on a reputable oil and gas company. The team’s approach involved meticulously examining Indicators of Compromise (IoCs), analyzing network traffic, and scrutinizing unusual patterns of behavior within the company’s IT infrastructure, ultimately resulting in Qbot’s discovery on the network and isolation of infected systems.

ThreatDown MDR workflow

Stop threats like PikaBot today

Want to learn more about how ThreatDown stops new threats like PikaBot? Fill out this form to speak with an expert and get a custom quote.

In late January 2024, the ThreatDown Managed Detection and Response (MDR) team found and stopped a three-month long malware campaign against a Managed Service Provider (MSP) based in Europe. In line with our observations of attackers increasingly relying on legitimate software in their attacks, the attacker employed various Living Off the Land (LOTL) techniques to avoid detection.

MSPs are a prime target of cyberattacks for two main reasons. One, they provide services to multiple clients, giving attackers access to a broader network of targets through a single breach. Two, MSPs often operate on tight security budgets, making them more vulnerable to attacks.

Almost immediately after onboarding the MSP in mid-January, the ThreatDown MDR team found extensive evidence of an ongoing malware campaign. The attackers, who targeted the MSP’s network from October 2023 to January 2024, silently monitored and manipulated the network for months, leveraging legitimate remote access tools like AnyDesk and TeamViewer and attempting to install malware like Remcos RAT and AsyncRAT.

Let’s dive into the details of this incident and how ThreatDown MDR neutralized the threat.

Initial discovery and evidence of compromise

In late October 2023, ThreatDown Endpoint Detection and Response (EDR) flagged multiple suspicious outbound connections on the MSP’s network. These were attempts to communicate with known malicious external sites and IPs, involving several endpoints within the network.

This activity was immediately blocked by ThreatDown, marking the first documented evidence of a security breach. The nature of these attempts—targeting sites associated with RDP-based attacks and other malicious activities—indicated a possible compromise.

List of malicious sites automatically blocked by ThreatDown MDR.

Expanding presence and evasion

Following the initial detections in October, the attacker quietly expanded their presence within the network. On December 8th, network scanning activity was detected from an endpoint, indicative of the attacker’s efforts to map out the network for further exploitation. This activity went beyond mere exploration, suggesting a systematic approach to identify additional targets or vulnerabilities within the MSP’s digital environment.

Escalation and discovery of malware

The situation escalated in January 2024 with the discovery of malware on several endpoints, linked to unauthorized remote access tools like ScreenConnect and AnyDesk.

This pointed towards a more aggressive phase of the attack, with the attackers deploying malware to maintain and expand their access. An attempt to uninstall McAfee via PowerShell, observed on an endpoint, further underscored the attackers’ intentions to weaken the network’s defenses.

Detection of malware leveraging RMM tools.

Ongoing surveillance and response

The implementation of ThreatDown MDR services on January 18th, 2024, was a strategic move by the MSP to gain deeper insights into the attackers’ movements. By this time, the attackers had already established a significant presence within the network, as evidenced by the attempted communications with a known AsyncRAT botnet C2 server and the discovery of additional remote management and monitoring (RMM) tools on the network.

Connections to AsyncRAT were detected and automatically blocked by ThreatDown MDR

Fortunately, the ThreatDown MDR team caught the attack in action and made several immediate recommendations for the MSP, including:

• Isolating the compromised endpoints to halt the infection spread and re-imaging them for a clean slate.
• Changing all administrative and local passwords three times to fortify security.
• Restoring all infected endpoints from secure backups, eliminating the use of local administrator accounts, and implementing application and DNS filtering to control software usage and web access.

Threat hunting with ThreatDown MDR

How ThreatDown MDR works

MSPs continue to be a prime target in cyber attacks—and as we’ve seen in this case study, attackers are in it for the long-haul, able to remain undetected for several months after compromising a network.

The attacker’s use of legitimate tools such as TeamViewer, ScreenConnect, and PowerShell, in their months-long attack on the MSP underscores a key theme we’ve been writing about on the blog recently: attackers are increasingly relying on LOTL techniques in their attacks to avoid detection.

In this example, if the attack had been allowed to continue, the MSP could have suffered a ransomware attack, data breach, or both. Fortunately, however, by hunting down LOTL techniques for the MSP based on suspicious activity and past indicators of compromise (IOCs), the ThreatDown MDR team successfully stopped the threat.

Protecting your MSP from stealthy LOTL threats takes an elite team of security professionals scouring your systems 24×7 for IOCs and suspicious activity observed on endpoints. Learn more about ThreatDown today.

It was just a little over a year ago that the Rhadamanthys stealer was first publicly seen distributed via malicious ads. Throughout 2023, we observed a continuation in malvertising chains related to software downloads.

Fast forward to 2024 and the same malvertising campaigns are still going on. After a lull last summer, we noticed an increase since the fall which so far has been sustained. The most recent targeted searches are for Parsec and FreeCad, followed by WinSCP, Advanced IP Scanner, Slack and Notion.

Threat actors are targeting business users with payloads such as FakeBat, Nitrogen or Hijackloader. One other malware family we have seen here and there is Rhadamanthys. In this blog post, we detail the latest distribution chain related to this malware.

Key points

• Rhadamanthys is an infostealer distributed via malspam and malvertising.
• Google searches for popular software such as Notion return malicious ads.
• Threat actors are using decoy websites to trick users into downloading malware.
• The initial payload is a dropper that retrieves Rhadamanthys via a URL pasted online.
• The TexBin paste site shows the URL was seen/accessed 8.5K times.

Malicious ad

Threat actors continue to impersonate well-known brands via sponsored search results. As can be seen below in a search for Notion (productivity software), an extremely deceiving ad is shown. Because it includes the official logo and website for Notion, most users will not think twice and click on the link.

While the ad looks real on the surface, the Google Ads Transparency Center page (which can be accessed by clicking on the menu right next to the ad’s URL) shows this ad was created by a certain ‘BUDNIK PAWEŁ’ from Poland. According to the same report, the first ad first appeared on January 23, 2024.

As a matter of fact, we have been tracking this fraudulent advertiser for a few weeks and had reported it to Google in early February, when we first ran into it. At the time, victims who clicked the ad and visited the site were tricked with a download for NetSupport RAT.

In this more recent campaign, the threat actor is pushing Rhadamanthys as the final payload, after an initial dropper. In the web traffic seen below, we can see that the threat actor uses a number of redirects to evade detection. URL shorteners and redirectors are quite common for the initial ad click, often followed by an attacker-controlled domain responsible for cloaking traffic.

There is one more check within the browser via JavaScript to detect virtual machines before the actual landing page is displayed to the victim.

Landing page and payload

The landing page is the decoy site that victims will see after they click on the ad. Apart from the URL in the address bar, it looks very similar to the official web site for Notion, although somewhat simplified. There are two download buttons, one for Mac and the other for Windows.

The Mac payload (Notion.dmg) is a new variant of Atomic Stealer. Thanks to Luis Castellanos from Block for sharing a sample with us.

The Windows binary is a signed file but its digital signature is not valid. The name of the signer that shows here is from the inventor of PuTTY, a popular admin tool. This digital certificate is likely fake or was revoked, but it may evade detection in some cases.

This dropper contacts the paste site TextBin where it retrieves a URL for the followup payload, Rhadamanthys. If the numbers are correct this unlisted paste was viewed 8.5k times already.

Rhadamanthys attempts to steal credentials stored in applications such as PuTTY, WinSCP and mail programs (screenshot from Joe Sandbox):

Upon execution, Rhadamanthys reports to its command and control server, sends and receives data.

Conclusion

Not a lot has changed with malvertising campaigns focused on software downloads as we enter the second year of actively tracking them. Sponsored search results continue to be highly misleading due to the fact that any verified individual is able to impersonate popular brands by using their logo and official site within the ad itself.

We are aware of reports shared within private circles, that businesses were compromised after an employee clicked on a malicious ad. Follow-up activities post infection include the usual ‘pentesting tools’ that precede a company-wide breach or ransomware deployment.

The infrastructure used in this particular attack was reported to the relevant parties. Malwarebytes and ThreatDown customers are protected against the payloads and distribution sites.

Additionally, EDR customers who have DNS Filtering can proactively block online ads by enabling the rule for advertisements. This is a simple, and yet powerful way to prevent malvertising across an entire organization or in specific areas.

Endpoint users will see a customizable message when they click on an ad such as those that appear on a search engine results page:

Indicators of Compromise

Malvertising chain

pantovawy.page[.]link
cerisico[.]net
notione.my-apk[.]com
alternativebehavioralconcepts[.]org

Dropper

6f4a0cc0fa22b66f75f5798d3b259d470beb776d79de2264c2affc0b5fa924a2

Dropper IP

185[.]172[.]128[.]169

Rhadamanthys download URL

yogapets[.]xyz/@abcmse1.exe
birdarid[.]org/@abcnp.exe

Rhadamanthys

e179a9e5d75d56140d11cbd29d92d8137b0a73f964dd3cfd46564ada572a3109
679fad2fd86d2fd9e1ec38fa15280c1186f35343583c7e83ab382b8c255f9e18

Rhadamanthys C2

185[.]172[.]128[.]170

For many households, energy costs represent a significant part of their overall budget. And when customers want to discuss their bills or look for ways to save money, scammers are just a phone call away.

Enter the utility scam, where crooks pretend to be your utility company so they can threaten and extort as much money from you as they can.

This scam has been going on for years and usually starts with an unexpected phone call and, in some cases, a visit to your door. Obviously the phone call side of the scam is much more scalable and means the scam can be done from overseas.

However, criminals know that victims are more likely to be tricked if they were the ones who initiated the call. In a recent investigation, we discovered a prolific campaign of fraudulent ads shown to users via Google searches. To give an idea of scale, the number of ads we found exceeds what we have found in previous malvertising cases.

This blog post has two purposes: the first one is to draw awareness to this problem by showing how it works. Secondly, we’ve collected and shared as many ads and fake sites as we could in the hope that action will be taken, with hopefully some cost for the scammers.

Fraudulent utility scam ads

The scam begins when a user searches for keywords related to their energy bill. The ads are shown to mobile devices only, which makes sense given how often people use their phones. Also, the ads are geolocated, so that they are relevant to the user’s location.

We found 28 advertisers with over 300 ads, most of them registered by individuals from Pakistan. We have also seen legitimate but hacked advertiser accounts belonging to US entities that were abused. We didn’t investigate further into the whereabouts and identities of the scammers, but we should note that Pakistan is a possible location.

In most cases, tapping on the ad will not open a new website, but instead will prompt you to dial a phone number. This is exactly what the crooks want as many people will have no idea that an ad approved by Google could possibly be fraudulent.

The utility scam often works by threatening and scaring victims into making poor decisions. An unpaid bill, or an offer that is too good to be true and must be accepted immediately are some of their tactics. Once you’ve made that phone call, you’re already in their hands and very close to losing a significant amount of money.

The scammers may even redirect you to their website to “prove” that they are legitimate. Those sites are often credible enough for a victim to feel like they are doing the right thing, but that couldn’t be further from the truth.

Large scamming infrastructure

The crooks have registered dozens of different domains names and built templates that appear related to energy or utility savings. The sites are quite simple and consist of one main page with some customer-centric text and one or multiple phone numbers.

We can usually deduce they are fraudulent by looking up their registration date as well as connecting them with search ads.

However, that might not be enough to have them suspended without going through the whole process of calling the scammers, recording the interaction and showing that evidence. This type of investigation requires time and resources to be done properly. Perhaps one of the many scambaiters out there will look into it in the future.

In the meantime, we have tracked and reported as many domains as we could to the relevant registrars in the hope that some may take action and suspend them.

Keep your identity and money safe from scammers

This scam is widespread, and so our advice right now is to avoid clicking on any ad from search as the malicious ads largely outnumber the legitimate ones. You can tell it’s an ad as it will be labelled “Sponsored” or “Ad”.

Here are some additional tips:

• Watch out for a sense of urgency. Scammers will often threaten to cut your power immediately. This and similar scare tactics are meant to pressure you into making hasty decisions. Take the time to look things up or speak to a friend before you do anything.
• Never disclose personal details over the phone without being absolutely certain you are talking to the right person. If in doubt, hang up the phone and look for the official phone number from your energy company, perhaps from a past bill. Do not trust any phone number that appears on an online ad.
• Beware requests for money transfers or prepaid cards. These are a huge sign you are dealing with criminals. Again, take your time to think it over even if just for a few hours. Scammers tend to be so impatient they will make all sorts of claims to act right now, which should be a dead giveaway.
• Contact your bank immediately if you think you’ve been scammed and wired money,. Change all your passwords and add a notice with your utility company that someone may attempt to impersonate you.
• Report the scam to the proper authorities, which may be the FTC.

Malwarebytes protection

Malwarebytes is working with its partners to go after these scammers. We also provide protection if you are using our iOS app via the ad blocking feature which will disable search ads and other ads that may be targeting you.

Indicators of Compromise

Google advertiser accounts

Advertiser name	Advertiser ID	Number of ads
Telesoft	N/A	1
Digitron	04170244641179828225	4
Syed muhammad Adnan	08157637715521699841	15
Progressix	02149758434478653441	2
Umair Jameel	11899369518209695745	1
Laiba Mazhar	14248337572488019969	1
Syed Shahmeer Hussain	12265272419404480513	6
Snow Tech	N/A	1
Muhammad Pirzada	12480474916866490369	145
Eco Designs (Private) Limited	17013467067027816449	5
Right Path Solutions	11370048952557633537	21
Rehman Munawar	06906645958470139905	1
ANDREW PAUL GUZMAN	09045338907926855681	17
Economical Deals	09045708721790910465	4
Qasim Ahmed	15768816743289454593	20
Summaira	14596269127925497857	3
Citrex Solutions (Private) Limited	16648988995463675905	19
Get Energy Promo	08074609881656590337	6
Brightboost LLC	07744256527850012673	5
AA DIGITAL LABS (SMC-PRIVATE) LIMITED	10871392529253662721	1
Malik Muhammad Shahroz Ibrahim	N/A	1
HongKong AdTiger Media Co., Limited	14567350391567024129	1
Mah Noor	07681945004880691201	12
Usama Ashfaq	06711852389684477953	2
Ali Raza	04534984293432164353	15
Muhammad Usman Tariq	17723433991509377025	5
SHABNUM FATIMA SHAH	02536959185141104641	4
QASMIC L.L.C-FZ	11321807192694194177	1

Phone numbers

Scammer domains

---

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Remote Monitoring & Management (RMM) software, including popular tools like AnyDesk, Atera, and Splashtop, are invaluable for IT administrators today, streamlining tasks and ensuring network integrity from afar. However, these same tools have caught the eye of cybercriminals, who exploit them to infiltrate company networks and pilfer sensitive data.

The modus operandi of these threat actors involves deceiving employees through sophisticated scams and deceptive online advertisements. Unsuspecting employees, misled by these tactics, may inadvertently invite these criminals into their systems. By convincing employees to download and run these seemingly benign RMM applications under the guise of fixing non-existent issues, these fraudsters gain unfettered access to the company’s network.

In this post, we explore a particular phishing scam targeting corporate users via the AnyDesk remote software and how ThreatDown can prevent the misuse of such programs by cybercriminals.

Phishing site hosts remote software

We believe victims are first targeted and then contacted via phishing emails or text messages (smishing) based on their position in the company.

Attackers could trick them by sending them to a typical phishing page or making them download malware, all of which are good options. However, they are instead playing the long game where they can interact with their victims.

Users are directed to newly registered websites that mimic their financial institution. In order to get support, they need to download remote desktop software disguised as a ‘live chat application’.

uk-barclaysliveteam[.]com/corp/AnyDesk.exe
uk-barclaysliveteam[.]com/corp/anydesk.dmg

It’s interesting to note that the downloaded software is not malware. For example, in this instance they are using a legitimate (although outdated) AnyDesk executable which would not be detected as malicious by security products.

Running the program will show a code that you can give to the person trying to assist you. This can allow an attacker to gain control of the machine and perform actions that look like they came directly from the user.

Threat actors have registered phishing domains for different financial institutions, following the same style of the ‘Live chat on Windows’. It’s unclear whether it is all the same group or whether several criminal gangs are operating this scam. However, most of these domains are hosted on AS200593 which has a number of ‘traditional’ phishing sites.

Certain banking sites try to detect if a customer is currently running a remote program, before allowing them to login. However, not all banks have this feature and there are certain cases where threat actors can evade such detection.

There are a number of RMM tools on the market which scammers and criminals will leverage. Ironically, the more popular and simple ones also tend to be the most abused.

AnyDesk recently got in the news for a security breach that allowed the attackers to compromise their production systems. The vendor has since revoked its code signing certificates and is urging customers to update their software.

RMM vendors are aware of the illicit use of their software and regularly remind users about common safety tips. AnyDesk also partnered with fraud fighters such as ScammerPayback to shut down call centers.

Blocking RMM tools with ThreatDown

Free with every ThreatDown Bundle, Application Block can easily protect organizations against the rising trend of legitimate RMM tools being exploited. Organizations can block RMM tools via Application Block by:

• Navigating to the ‘Monitor’ section within their Nebula console.
• Selecting ‘Application Block’
• Enabling the ‘Block RMM’ toggle switch provided by ThreatDown or customizing the list to fit their specific needs.

Saving the configuration to immediately block these RMM tools network-wide.

Adopt a robust defense stance by blocking all unnecessary applications, and for those you must use, the EDR/MDR layers of our ThreatDown Bundles will provide an additional safety net in the event of an infection.

Indicators of Compromise

Phishing domains

uk-barclaysliveteam[.]com
barclaysbusinesslivechat[.]com
boi-bb-onlineservice[.]com
santanderbusiness-helpcentre[.]com

Try ThreatDown bundles today

For IT teams plagued by the triad of complex deployment, scattered tooling, and excessive alert noise, ThreatDown bundles emerge as a superior solution that caters to the needs of today’s security teams.

Discover the difference with ThreatDown Bundles and elevate your organization’s defense against cyber threats. Get in touch for a free trial and experience the benefits of a simplified, yet robust, security framework.

Experience ThreatDown Bundles

This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim did not pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.

In January, we recorded a total of 261 ransomware victims, the lowest number of attacks since February 2023. This is normal, as past data reveals that historical January months tend to be one of the least active periods for ransomware gangs. But don’t let the relatively low number of attacks fool you: there was plenty of important ransomware news last month. 

In January, researchers observed fake “security researchers” trying to trick ransomware victims into thinking that they can recover their stolen data. Described as “follow-on extortion” attacks, the goal of these scams is to get the victims to pay Bitcoin for supposed assistance.

The two examples we have of follow-on extortion attacks targeted victims of the Royal and Akira ransomware gangs, but it’s unclear if the fake security researchers are a part of either of those gangs. Our guess? It’s more likely that they are a fringe group simply seizing an opportunity to exploit victims already targeted by these gangs. 

Let’s analyze why, using two scenarios, assuming that the follow-up extortioners really are Royal or Akira.  

In scenario one, Royal or Akira steals data, prompting a ransom payment from the victim for data deletion. Then, Royal or Akira sends a splinter group to the same victim claiming Royal didn’t delete the data, offering deletion services for an additional fee. This scenario is pretty unlikely, as it undermines Royal’s credibility from the victim’s perspective, damaging the gang’s reputation.

In scenario two, Royal or Akira steals data, but the victim hasn’t paid for deletion yet. The Royal or Akira splinter group then offers to recover the data for a fee. This predicament forces the victim to choose who to trust, likely deciding that it might be more logical to rely on Royal since they have more incentive to maintain a semblance of reliability. So, it then just becomes a normal double-extortion case but with an unnecessary extra step.

In the first case, the “initial ransomware gang” has no leverage for a second round of extortion without contradicting their own claims and damaging their reputation. In the second case, the initial ransomware gang just does more work to get the same outcome, namely payment for data deletion. 

Neither option presents a guaranteed connection to the original attackers.

In other January news, the UK’s National Cybersecurity Centre (NCSC) released a report suggesting that AI will boost ransomware attack volume and severity in the next two years, particularly through lowering the entry barrier for novice hackers. A simple example is an affiliate using generative AI to create more persuasive phishing emails. This could decrease affiliates’ dependence on Initial Access Brokers for accessing networks, leading to more attacks by individuals enticed by the lower initial investment.

In general, however, we should be cautious about these predictions. Incorporating AI into cybercrime—especially for automated discovery of vulnerabilities or efficient high-value data extraction, as NCSC’s report suggests—is extremely complex and costly. For major gangs like LockBit and CL0P, who manage multimillion-dollar operations, adopting these AI advancements might be more feasible, yet it is still far too early to speculate upon.

In our view, RaaS groups will maintain their current operations in the short term. AI may introduce new methods and techniques for cybercriminals, to be sure, but the core principles of ransomware gangs—based on access, leverage, and profit—will likely continue unchanged for the foreseeable future.

In other news, researchers last month witnessed Black Basta affiliates leveraging a new phishing campaign aimed at delivering a relatively new loader named PikaBot. 

PikaBot, an ostensible replacement for the notorious OakBot malware, is an initial access tool that we first wrote about in mid-December—and it looks like it didn’t take ransomware gangs long to start using it. While our original post about PikaBot focused on its distribution via malicious search ads and not phishing emails, ransomware gangs are known to use both attack vectors to gain initial access. 

A typical distribution chain for PikaBot, writes ThreatDown Intelligence researcher Jérôme Segura, usually starts with an email (within an already-hijacked thread) containing a link to an external website. Users are then tricked to download a zip archive containing malicious JavaScript that downloads Pikabot from an external server. 

As this news marks the first time that PikaBot has been publicly connected with any ransomware operations, it’s safe to assume that the malware is actively being used by other gangs as well—or that if it’s not, it will be soon.

New leak site: MYDATA

Mydata is a new leak site from Alpha ransomware, a distinct group not to be confused with ALPHV ransomware. The site published the data of 10 victims in January.

MYDATA leak data

Preventing Ransomware

Fighting off ransomware gangs like the ones we report on each month requires a layered security strategy. Technology that preemptively keeps gangs out of your systems is great—but it’s not enough. 

Ransomware attackers target the easiest entry points: an example chain might be that they first try phishing emails, then open RDP ports, and if those are secured, they’ll exploit unpatched vulnerabilities. Multi-layered security is about making infiltration progressively harder and detecting those who do get through. 

Technologies like Endpoint Protection (EP) and Vulnerability and Patch Management (VPM) are vital first defenses, reducing breach likelihood. 

The key point, though, is to assume that motivated gangs will eventually breach defenses. Endpoint Detection and Response (EDR) is crucial for finding and removing threats before damage occurs. And if a breach does happen—ransomware rollback tools can undo changes.

How ThreatDown Addresses Ransomware

ThreatDown bundles take a comprehensive approach to these challenges. Our integrated solutions combine EP, VPM, and EDR technologies, tailored to your organization’s specific needs. ThreatDown’s select bundles offer:

• Advanced Web Protection: Blocking phishing websites ransomware gangs use for initial access.
• RDP Shield: Securing remote access points with Brute Force Protection.
• Continuous Vulnerability Scanning and Patch Management: Identifying and patching weaknesses before ransomware gangs can exploit them.
• Sophisticated EDR: Detecting and neutralizing advanced threats such as LockBit within the network.
• Ransomware Rollback: Reversing the impact of any successful attacks.

ThreatDown EDR detecting LockBit ransomware

ThreatDown automatically quarantining LockBit ransomware

For resource-constrained organizations, select ThreatDown bundles offer Managed Detection and Response (MDR) services, providing expert monitoring and swift threat response to ransomware threats—without the need for large in-house cybersecurity teams.

---

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim did not pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.

2023 was an explosive year for ransomware.

While some ransomware trends hardly changed over the last year, such as LockBit’s continued dominance, ransomware criminals also challenged our fundamental assumptions on how ransomware gangs work, such as by exploiting zero-day vulnerabilities. Through thec onsistenciess and evolutions over the last year, one fact remains clear: 2023 broke records with its total number of 4475 ransomware attacks, a 70% increase from 2022.

Global ransomware attacks by month, 2022 vs 2023

Global ransomware attacks, 2022 vs 2023

Additionally, LockBit was responsible for a 22% of all ransomware attacks in 2023, over half as much as the next top five gangs combined. Together, the top 10 ransomware gangs were responsible for 70% of all ransomware attacks.

Top 10 ransomware gangs in 2023

Breaking 2023 ransomware attacks by sector reveals that 23% of all attacks were directed against the Services sector. Together, the top 10 sectors accounted for 80% of all ransomware attacks.

Top 10 industries attacked 2023

The USA was by far the most attacked country in 2023, with a whopping 45% of all ransomware attacks targeting the country.

Top 10 countries attacked 2023

Additionally, we’ve sifted through the backlog of our 2023 ransomware reviews to find the most important stories and trends from the last year. Here are five key takeaways from the ransomware world in 2023.

1. LockBit was… LockBit

LockBit remained the most prolific ransomware gang throughout 2023, responsible for several high-profile attacks (such as against Taiwanese chipmaker TSMC). As well, LockBit also unveiled a new variant, LockBit Green, and showed signs of expanding into macOS territory.  

2. Law enforcement worked overtime

Despite 2023 being the worst ransomware year on record, law enforcement notched notable successes in taking down big-name groups, including the FBI’s shutdown of the Hive ransomware group and the seizure of ALPHV’s infrastructure.

3. Gangs seized the day with zero-days

Ransomware gangs, including Cl0p and ALPHV, aggressively exploited zero-day vulnerabilities (e.g., in GoAnywhere MFT, MOVEit Transfer, and Citrix appliances) to launch attacks on a unprecedented scale.

4. Big blows dealt to critical infrastructure

Critical infrastructure (as defined by CISA) took a beating in 2023, with sectors such as logistics, manufacturing, healthcare, and education accounting for almost 30% of all ransomware attacks in 2023. Education alone (a subsector of the Government Facilities sector) experienced a 70% surge in attacks in the past year, increasing from 129 incidents in 2022 to 265 in 2023.

5. New tactics and rebrandings emerged

Besides an increased focus on exploiting zero-days, ransomware gangs introduced other new tactics in 2023 such as CL0P’s use of torrents for distributing stolen data and innovative social engineering techniques by groups like Scattered Spider. We also saw notable rebrands (i.e Vice Society to Rhysida) and shifts in focus from encryption to purely data theft and extortion.

Looking ahead

2023 was a whirlwind year for ransomware: Attacks spiked by 70%, law enforcement landed key victories, gangs pivoted to exploiting zero-day vulnerabilities, and much more.

Going into 2024 it’s safe to say that the threat of ransomware looms large for all organizations—especially those with shrinking security budgets and overtaxed IT teams, organizations located in the US, critical infrastructure sectors like education.

Fighting off ransomware gangs requires a layered security strategy. Technologies such as Endpoint Protection (EP) and Vulnerability and Patch Management (VPM), for example, are vital first defenses to reduce the attack surface breach likelihood.

The key point, though, is to assume that motivated gangs will eventually breach any defenses. Endpoint Detection and Response (EDR) is crucial for finding and removing threats before damage occurs. And for the ultimate assurance of uptime —choose an EDR solution with ransomware rollback to undo changes and restore files so that productivity continues.

How ThreatDown Addresses Ransomware

ThreatDown Bundles take a comprehensive approach to ransomware. Our integrated solutions combine EP, VPM, and EDR technologies, tailored to your organization’s specific needs, including:

• Advanced Web Protection: Blocking phishing websites ransomware gangs use for initial access. 
• RDP Shield: Securing remote access points with Brute Force Protection. 
• Continuous Vulnerability Scanning and Patch Management: Identifying and patching weaknesses before ransomware gangs can exploit them. 
• Sophisticated EDR: Detecting and neutralizing advanced threats such as LockBit within the network. 
• Ransomware Rollback: Reversing the impact of any successful attacks. 

ThreatDown EDR detecting LockBit ransomware

ThreatDown automatically quarantining LockBit ransomware

For resource-constrained organizations, select ThreatDown bundles offer Managed Detection and Response (MDR) services, providing expert monitoring and swift threat response to ransomware attacks—without the need for large in-house cybersecurity teams.

Experience ThreatDown Bundles