New Threat Detection Added | 4 (Akira Ransomware, Wagner Ransomware, EarlyRAT, and Warzone RAT) |
New Threat Protections | 4 |
New Ransomware Victims Last Week | 89 |
Weekly Detected Threats
The following threats were added to Crystal Eye XDR this week:
Threat name: | Akira Ransomware | ||||||||||||||||||
Researchers have recently unveiled significant insights into the operations of a newly discovered ransomware group called "Akira." This group is actively engaging in a relentless pursuit of various organisations, compromising their invaluable data. Notably, Akira ransomware has broadened its scope to encompass the Linux platform. Since its emergence in April 2023, Akira ransomware has already infiltrated and victimised 46 entities that have been publicly disclosed, with an additional 30 victims identified subsequent to our previous blog post. The majority of these victims are situated in the United States. Akira ransomware has targeted a diverse array of industries, spanning Education, Banking, Financial Services and Insurance (BFSI), Manufacturing, Professional Services, and others. Initially focusing on Windows systems, Akira ransomware has now expanded its repertoire to include Linux platforms. This strategic shift exemplifies an emerging trend among ransomware groups, indicating an imminent upsurge in assaults aimed at Linux environments. The fact that a formerly Windows-centric ransomware group has redirected its focus towards Linux highlights the growing vulnerability of these systems to cyber threats. | |||||||||||||||||||
Threat Protected: | 01 | ||||||||||||||||||
Rule Set Type: |
| ||||||||||||||||||
Class Type: | Trojan-activity | ||||||||||||||||||
Kill Chain: | Initial Access T1566/T1078/T1190 - Execution T1059/T1569/T1106 - Persistence T1078/T1055/T1547 - Credential Access T1557/T1555 - Discovery T1087/T1040/T1135/T1518 - Command-and-Control T1001/T1573/T1071 |
Threat name: | Wagner Ransomware | ||||||||||||||||||
A new ransomware variant known as Wagner has emerged in the cybersecurity landscape, believed to be a derivative of the Chaos ransomware. What sets this ransomware apart is its ransom note, which deviates from the usual demand for money and instead encourages users to join the PMC Wagner. The ransom note intriguingly begins with the phrase "Official Wagner PMCs Employment Virus." PMC Wagner refers to the Wagner Group, a Russian paramilitary organisation recognised as a private military company consisting of mercenaries. The ransomware sample was initially submitted from Russia, and the ransom note itself is written in Russian, indicating a possible focus on targets within Russia. The intentions of this ransomware appear to be centred around spreading messages of rebellion and incitement against the Russian authorities. | |||||||||||||||||||
Threat Protected: | 01 | ||||||||||||||||||
Rule Set Type: |
| ||||||||||||||||||
Class Type: | Trojan-activity | ||||||||||||||||||
Kill Chain: | Execution T1204 - Persistence T1547 - Discovery T1082/T1083/T1057 - Impact T1486 /T1490 |
Threat name: | EarlyRAT | ||||||||||||||||||
EarlyRAT is a remote access trojan (RAT) that has emerged as a sophisticated and stealthy malware threat. Initially identified in 2020, EarlyRAT is designed to infiltrate systems and gain unauthorised access, enabling attackers to remotely control infected machines and steal sensitive information. Known for its advanced evasion techniques and modular architecture, EarlyRAT poses a significant risk to organisations and individuals, highlighting the need for robust cybersecurity measures to detect, prevent, and mitigate its impact. | |||||||||||||||||||
Threat Protected: | 01 | ||||||||||||||||||
Rule Set Type: |
| ||||||||||||||||||
Class Type: | Malware | ||||||||||||||||||
Kill Chain: | Reconnaissance T1590 - Weaponisation T1588 - Delivery T1566 Exploitation T1203 - Installation T1059 – Command-and-Control T1090 - Lateral Movement T1071 - Data Exfiltration T1041 - Persistence T1060 - Evasion T1027 |
Threat name: | Warzone RAT | ||||||||||||||||||
Warzone RAT is a remote access trojan (RAT) that has gained notoriety for its potent capabilities and malicious intent. Operating stealthily in the background, Warzone RAT infiltrates systems undetected and establishes a covert connection between the attacker and the compromised machine. By providing remote control access, Warzone RAT enables threat actors to execute malicious commands, exfiltrate sensitive data, and carry out various malicious activities, making it a significant cybersecurity threat. Its advanced features and evasive techniques highlight the critical need for robust security measures to protect against such sophisticated RAT attacks. | |||||||||||||||||||
Threat Protected: | 01 | ||||||||||||||||||
Rule Set Type: |
| ||||||||||||||||||
Class Type: | Trojan | ||||||||||||||||||
Kill Chain: | Reconnaissance T1590 - Weaponisation T1588 - Delivery T1566 - Exploitation T1203 - Installation T1059 - Command-and-Control T1090 - Lateral Movement T1071 - Collection T1119 - Exfiltration T1048 - Impact T1499 |
Known exploited vulnerabilities (Week 5 - June 2023):
For more information, refer to the Forum – Security Advisory
Vulnerability | Description | |
CVE-2021-25372 | Samsung Mobile Devices Improper Boundary Check Vulnerability | |
CVE-2021-25371 | Samsung Mobile Devices Unspecified Vulnerability | |
CVE-2021-25395 | Samsung Mobile Devices Race Condition Vulnerability | |
CVE-2021-25394 | Samsung Mobile Devices Race Condition Vulnerability | |
CVE-2021-25489 | Samsung Mobile Devices Improper Input Validation Vulnerability | |
CVE-2021-25487 | Samsung Mobile Devices Out-of-Bounds Read Vulnerability | |
CVE-2019-20500 | D-Link DWL-2600AP Access Point Command Injection Vulnerability | |
CVE-2019-17621 | D-Link DIR-859 Router Command Execution Vulnerability |
Updated Malware Signatures (Week 5 - June 2023)
Threat | Description | |
Kuluoz | A backdoor for a botnet. It executes commands from a remote malicious user. | |
Tofsee | A malware that is used to send spam emails, conduct click frauds as well as cryptomining. | |
XtremeRAT | A remote access trojan interacts with the infected machine via a remote shell, uploads/downloads files, and records from a webcam/microphone. | |
Zeus | Also known as Zbot and is primarily designed to steal banking credentials. | |
Valyria | A Microsoft Word-based malware which is used as a dropper for second stage malware. |
New Ransomware Victims Last Week: | 89 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Red Piranha proactively gathers information about organisations impacted by ransomware attacks through various channels, including the Dark Web. In the past week, our team identified a total of 89 new ransomware victims from 21 distinct industries across 34 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which can affect organisations of all sizes and sectors. Clop, a specific ransomware, has affected the largest number of new victims (33) spread across various countries. Akira and 8base groups follow closely with each hitting 11 and 7 new victims respectively. Below are the victim counts (%) for these ransomware groups and a few others. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Name of Ransomware Group | Percentage of new Victims last week | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
8base | 7.87% | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Akira | 12.36% | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Alphv | 4.49% | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Bianlian | 5.62% | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Blackbasta | 3.37% | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Clop | 37.08% | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Karakurt | 3.37% | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Lockbit3 | 3.37% | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Mallox | 3.37% | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Medusa | 2.25% | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Play | 4.49% | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Ra group | 2.25% | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Ransomexx | 1.12% | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Ransomware blog | 3.37% | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Rhysida | 5.62 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||