Exclusive! Analysis of 3 Ransomware Threats Active Right Now
Cyber Security News
Ransomware continues to loom large over the cybersecurity landscape, causing significant damage to individuals and organizations alike.
With the difficulty of recovering encrypted files and the potential exposure of stolen data, it is essential to keep track of active ransomware families. Let's explore three notable threats that are on the rise right now and show how sandbox analysis can help proactively identify them.
BlueSky Ransomware
The BlueSky ransomware, first identified in Q2 2022, remains a significant threat. It takes advantage of Windows multithreading, running encryption across multiple worker threads so that files are encrypted far faster than a single-threaded encryptor could manage.
Files are encrypted with the symmetric stream cipher ChaCha20. The malware is also capable of lateral movement and can infect multiple endpoints on the same network.
Once encryption is complete, the ransomware renames each affected file by appending the .bluesky extension and drops a ransom note instructing victims to pay by visiting a page hosted on Tor.
Recent attacks involving this ransomware have been traced back to initial compromise of Microsoft SQL Servers; attackers frequently target exposed SQL Server instances, including by brute-forcing credentials.
BlueSky incorporates anti-analysis defences that make it harder for researchers to study the sample and develop countermeasures.
Detecting and Analyzing BlueSky Ransomware in a Sandbox
Despite BlueSky’s anti-analysis functionality, we can expose it by uploading a sample to a free malware sandbox such as ANY.RUN, which offers a safe virtual environment for detonating it.
See this analysis session for more details.
The service immediately detects the malware and flags it with the tags “bluesky” and “ransomware”. It also lists the activities carried out by the program, including:
Once the analysis is finished, we are provided with a detailed report that contains all the crucial information collected during the file execution, including indicators of compromise.
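The behaviours described above for BlueSky (a fast, multithreaded rename of files to a new extension and a ransom note dropped alongside them) are exactly what a sandbox's activity list exposes, and they can be turned into detection logic. The Go program below is an added example written for this article, not code from the page or from ANY.RUN: it runs two behavioural rules over a constructed event log shaped like a sandbox trace. The event layout, the thresholds, the mapping from the .bluesky extension to a family tag and the ransom-note filename are all assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
	"time"
)

// Event is one behavioural record of the kind a sandbox emits (layout is an assumption).
type Event struct {
	At   time.Time
	Op   string // "rename" or "create"
	Path string // target path; for a rename, the NEW name
}

// Mass-rename extension -> family tag. Only the .bluesky entry comes from the article.
var familyByExtension = map[string]string{".bluesky": "bluesky"}

const (
	renameThreshold = 20               // renames to one new extension ...
	renameWindow    = 10 * time.Second // ... inside this window => mass encryption
	noteDirs        = 3                // one filename created in this many dirs => ransom note
)

// Classify applies two behavioural rules and returns sorted tags: "ransomware" for a
// burst of renames to a single new extension (the signal a multithreaded encryptor
// cannot avoid), the family tag if that extension is known, and "ransom-note".
func Classify(events []Event) []string {
	tags := map[string]bool{}
	renames := map[string][]time.Time{}
	noteDirsByName := map[string]map[string]bool{}
	for _, e := range events {
		p := strings.ToLower(strings.ReplaceAll(e.Path, `\`, "/")) // Windows path -> slash form
		switch e.Op {
		case "rename":
			if ext := path.Ext(p); ext != "" {
				renames[ext] = append(renames[ext], e.At)
			}
		case "create":
			name := path.Base(p)
			if noteDirsByName[name] == nil {
				noteDirsByName[name] = map[string]bool{}
			}
			noteDirsByName[name][path.Dir(p)] = true
		}
	}
	for ext, ts := range renames {
		if burst(ts, renameThreshold, renameWindow) {
			tags["ransomware"] = true
			if fam, ok := familyByExtension[ext]; ok {
				tags[fam] = true
			}
		}
	}
	for _, dirs := range noteDirsByName {
		if len(dirs) >= noteDirs {
			tags["ransom-note"] = true
		}
	}
	out := make([]string, 0, len(tags))
	for t := range tags {
		out = append(out, t)
	}
	sort.Strings(out)
	return out
}

// burst reports whether at least n timestamps fall inside some window of length w.
func burst(ts []time.Time, n int, w time.Duration) bool {
	sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
	for i := 0; i+n-1 < len(ts); i++ {
		if ts[i+n-1].Sub(ts[i]) <= w {
			return true
		}
	}
	return false
}

// SampleBlueSkyRun is a constructed log resembling a BlueSky detonation: 40 documents renamed
// to .bluesky within two seconds, then one note per directory (placeholder note name).
func SampleBlueSkyRun() []Event {
	t0 := time.Date(2024, 6, 1, 12, 0, 0, 0, time.UTC)
	var ev []Event
	for i := 0; i < 40; i++ {
		ev = append(ev, Event{t0.Add(time.Duration(i) * 50 * time.Millisecond), "rename",
			fmt.Sprintf(`C:\Users\victim\Documents\proj%d\file%d.docx.bluesky`, i%5, i)})
	}
	for d := 0; d < 5; d++ {
		ev = append(ev, Event{t0.Add(3 * time.Second), "create",
			fmt.Sprintf(`C:\Users\victim\Documents\proj%d\RESTORE_FILES.txt`, d)})
	}
	return ev
}

func main() {
	fmt.Println("bluesky sample:", Classify(SampleBlueSkyRun())) // [bluesky ransom-note ransomware]
}
```

The rename-burst rule is the one worth carrying into sandbox or EDR detections: a multithreaded encryptor cannot hide the rate at which it renames files, whereas extensions and note filenames change from build to build and are best kept as secondary, family-attribution signals.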
LockBit Ransomware
LockBit ransomware has been a prominent threat since it emerged in 2019. It operates as Ransomware-as-a-Service (RaaS): the core group supplies the software and affiliates carry out the attacks. One of its most significant targets was Royal Mail, from which the attackers demanded an unprecedented ransom of $80 million.
LockBit encrypts files with the Advanced Encryption Standard (AES) and then encrypts the AES key with RSA. Because only the attackers hold the RSA private key, this hybrid scheme makes it practically impossible for victims to recover their data without the decryption key.
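The AES-then-RSA layering described above is hybrid (envelope) encryption. The Go program below is an added example, not LockBit's code or anything from the article: each file gets a fresh random AES-256 key, the file is encrypted with AES-GCM, and that key is wrapped with the operator's RSA public key using OAEP. The key sizes, the GCM mode, the OAEP padding and the sample file contents are choices made for this illustration; the page only states that AES and RSA are used. The demonstration also shows the two ways recovery fails: a different private key cannot unwrap the file key, and a modified ciphertext fails authentication.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Locked is all that remains of one file: the per-file AES key wrapped to the operator's
// RSA public key, the GCM nonce and the ciphertext. Nothing here reverses without the private key.
type Locked struct {
	WrappedKey, Nonce, Ciphertext []byte
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Lock encrypts plaintext under a fresh random AES-256 key and wraps that key with RSA-OAEP.
// Only the operator's PUBLIC key is needed, so the encryptor runs offline and carries nothing that decrypts.
func Lock(pub *rsa.PublicKey, plaintext []byte) (*Locked, error) {
	fileKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &Locked{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Unlock is what the operator's decryptor does: unwrap the file key with the RSA private key,
// then open the AES-GCM ciphertext. A wrong key fails at OAEP; a modified blob fails GCM authentication.
func Unlock(priv *rsa.PrivateKey, l *Locked) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, l.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, l.Nonce, l.Ciphertext, nil)
}

// Demo runs the exchange on constructed data: operator key pair, one victim file, recovery with
// the right key, and the two failure modes. It returns nil only if every step behaves as expected.
func Demo() error {
	operator, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	stranger, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	file := []byte("constructed sample: contents of Q2-payroll.xlsx")
	locked, err := Lock(&operator.PublicKey, file)
	if err != nil {
		return err
	}
	if got, err := Unlock(operator, locked); err != nil || !bytes.Equal(got, file) {
		return fmt.Errorf("holder of the private key must recover the file")
	}
	if _, err := Unlock(stranger, locked); err == nil {
		return fmt.Errorf("a different private key must not unwrap the file key")
	}
	tampered := &Locked{locked.WrappedKey, locked.Nonce, append([]byte{}, locked.Ciphertext...)}
	tampered.Ciphertext[0] ^= 0x01
	if _, err := Unlock(operator, tampered); err == nil {
		return fmt.Errorf("modified ciphertext must fail GCM authentication")
	}
	return nil
}

func main() {
	fmt.Println("hybrid AES+RSA scheme behaves as described; error:", Demo()) // error: <nil>
}
```

The defensive takeaway is in Lock: it needs only a public key, so the infected host never holds anything that can reverse the encryption. Recovery therefore rests on the attackers' RSA private key or on backups the malware could not reach.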
Before encrypting, the malware also exfiltrates data from the infected machines, adding a second layer of extortion.
The LockBit group maintains a leak site listing its victims to pressure companies into paying. If a victim refuses to comply, the stolen data is published.
LockBit has evolved continuously; the most recent version is LockBit 3.0, also known as LockBit Black.
Although a coalition of law-enforcement agencies dismantled its infrastructure in early 2024, LockBit has since resumed operations.
One recent campaign distributed phishing emails with the help of the Phorpiex botnet; the malware was delivered inside archives attached to those emails.
Detecting and Analyzing LockBit Black Ransomware in a Sandbox
To avoid a LockBit infection, we can proactively analyze all suspicious files, including email attachments, in a sandbox.
As part of the analysis, we can observe:
The sandbox provides a conclusive verdict, classifying the analyzed file as malicious.
Beast Ransomware
Beast ransomware is written in Delphi. It first emerged in March 2022 under the name Monster ransomware. Unlike many ransomware families that target only Windows, Beast can also attack Linux machines.
The malware is designed to spare users located in CIS countries, which suggests its creators may be based in that region. Beast's encryption routine includes additional modules, such as archiving each encrypted file.
It is distributed primarily via email attachments and links, relying on victims falling for phishing lures. Although still an emerging family, Beast has the potential to become a serious and widespread threat, much like LockBit.
Detecting and Analyzing Beast Ransomware in a Sandbox
By running suspicious files and URLs in a sandbox, we can expose Beast and other malware.
Consider this analysis session.
Some of the Beast activities detected by the service include:
Analyze Suspicious Files and URLs in ANY.RUN
The ANY.RUN sandbox offers an interactive approach to malware analysis. You can engage with the files and links in a safe virtual environment and perform all the necessary actions to investigate each threat's true extent.
The service automatically detects and lists all activities across network traffic, the registry, the file system and processes, and extracts indicators of compromise.
Hardware/Software Specialist || Networker || Windows/Linux Administrator || Junior Python Dev || Cyber Security
4 months: Useful tips
Solutions/Security Architect
4 months: While your analysis on detection is essential, incorporating preventive measures can offer a more comprehensive approach to combating ransomware. Here are a few strategies to consider:
· Regular Backups.
· Patch Management.
· User Training.
· Access Controls.
· Endpoint Protection.
By combining these preventive measures with robust detection and analysis strategies, organizations can significantly strengthen their defences against ransomware.
BSc | MSc | Cyber Security Analyst -SOC| CompTIA Sec+ Certified | ICS/OT Security Expert (OOSE) | OEHE | Armis Certified |Proofpoint Certified | Crowdstrike | SentinelOne | Splunk | IBM QRadar
4 months: Most ransomware uses symmetric encryption because you don’t need an internet connection to do that, even though it is less secure than asymmetric encryption.
Networking Engineer Analyst/Cyber Security/EndPoint Security/OSCP=Ethical Hacker
4 months: Why do all #RansomwareAttacks run through #SymmetricEncryption?
Sales Manager at SentryBox | Building strong client relationships | Passionate about leveraging technology
4 months: Bluesky uses multithreading. So with faster CPUs and hard drives it encrypts much faster than I can call an IT specialist.