Threat Intelligence Report April 30 - May 6 2024

The Red Piranha Team actively collects information on organisations globally affected by ransomware attacks from various sources, including the Dark Web. In the past week alone, our team uncovered new ransomware victims and updates on previous victims across 20 different industries spanning 26 countries. This underscores the widespread and indiscriminate impact of ransomware attacks, emphasising their potential to affect organisations of varying sizes and sectors worldwide.

Play ransomware stands out as the most prolific, having updated a significant number of victims (15%) distributed across multiple countries. In comparison, LockBit3.0 ransomware updated 14% victims, in the past week. The following list provides the victim counts in percentages for these ransomware groups and a selection of others.

Team Underground Ransomware

Team Underground is a relatively new ransomware group that emerged in 2023. While not as notorious as some established actors, they have garnered attention for their tactics and the information they offer alongside their typical extortion attempts.

Tactics, Techniques, and Procedures (TTPs)

Delivery: The exact infection vector used by Team Underground is still under investigation. However, some reports suggest they might leverage spam campaigns with malicious attachments or exploit unpatched vulnerabilities in software to gain initial access.

Encryption: Team Underground utilises a custom-made ransomware executable built with Microsoft Visual C/C++ and designed for 64-bit systems. The ransomware encrypts victim files and unlike many strains, doesn't alter filenames or extensions.

Exfiltration: In a unique twist, Team Underground claims to steal data during the attack process. Their ransom note mentions exfiltrating sensitive information like financial records, employee data, and confidential agreements. This adds another layer of pressure on victims, as leaking such information could be disastrous.

Ransom Note: Team Underground's ransom note, titled "!readme!!!.txt", stands out for offering more than just a decryption key in exchange for a ransom payment (which can be as high as $3 million!). They promise to provide details on exploited network vulnerabilities and even offer recommendations for improved information security. It is unclear if these are genuine offers or simply a ploy to build trust with victims.

Leak Site: Team Underground maintains a leak site on the dark web where they threaten to publish stolen data if the ransom is not paid.

Exploited Vulnerabilities

Specific vulnerabilities exploited by Team Underground have not been publicly disclosed yet. However, their ability to gain access to systems suggests they target unpatched software vulnerabilities or weaknesses in network security.

Recommendations:

• Stay Updated: Regularly update your software and operating systems to patch known vulnerabilities.
• Educate Staff: Train employees on cybersecurity best practices, including phishing awareness, to avoid falling victim to social engineering attacks.
• Strong Backups: Maintain robust backup procedures and store backups securely, ideally offline. This allows for data recovery in case of an attack.
• Security Measures: Implement strong security measures like firewalls and endpoint detection and response (XDR/EDR) solutions to deter and identify threats.
• Remember: Paying the ransom does not guarantee data recovery and fuels the cybercrime ecosystem. Report any ransomware attack to the relevant authorities, such as the Australian Cyber Security Centre (ACSC).

Kill Chain:

Indicators of Compromise (IOCs)