The Next Ransomware Wave

Welcome to Trend Micro’s monthly newsletter, The Strategic CISO. Discover the latest and most popular blogs from the CISO Resource Center, a dedicated space for the latest strategic insights, best practices, and research reports to help security leaders better understand, communicate, and minimize cyber risk across the enterprise.

Our goal is to inform security leaders about best practices, the latest industry insights, and more. Let us know what you would like to see from The Strategic CISO newsletter.


LockBit Attempts to Stay Afloat With a New Version

Recently, we came into possession of a sample that we believe represents a new evolution of #LockBit: an in-development version of a platform-agnostic malware-in-testing that is different from previous versions. The sample appends a “locked_for_LockBit” suffix to encrypted files which, being part of the configuration and therefore still subject to change, leads us to conclude that this is an undeployed upcoming version from the group.

Based on its current developmental state, we are tracking this variant as LockBit-NG-Dev, which we further believe could form the basis of a LockBit 4.0 that the group is almost certainly working on. The criminal group behind the LockBit ransomware has proven to be successful in the past, having consistently been among the top impactful #ransomware groups during their whole operation. In the last couple years, however, they seem to have had a number of logistical, technical, and reputational problems.

This has forced LockBit to take action by working on a new, much-awaited version of their #malware. However, given the apparent delay in getting a robust version of LockBit to market, compounded with continued technical issues — it remains to be seen how long this group will retain its ability to attract top affiliates and hold its position. In the meantime, it is our hope that LockBit is the next major group to disprove the notion of an organization being too big to fail.

Find out more on how LockBit is staying afloat in our blog, "LockBit Attempts to Stay Afloat With a New Version".

#SXSW Recap: AI's Role in Virtual Kidnapping

As early adopters of emerging technology and fast-rising social platforms, young people and public figures are more prone to having their #biometrics harvested for use in virtual kidnapping attacks. Social networking sites such as #TikTok, Facebook, and Instagram make it even more convenient for criminals to search for victims and get targeted context to make the scam as believable as possible.

Virtual kidnapping, in essence, is a deception campaign that uses misinformation for the purpose of tricking victims into paying a ransom. Victims don’t just lose money from this scheme; they also suffer great emotional distress. Even if they don’t pay the ransom and are quickly able to debunk the fraud, believing one’s child has been kidnapped — no matter how momentary — is deeply unsettling to parents. Unfortunately, virtual kidnappers can launch attacks on countless victims (and, sadly, subject all of them to extreme distress) and only need to succeed very infrequently to make a lot of money.

The typical elements of a virtual kidnapping attack are as follows:

  • Identifying a potential victim (relative of a kidnapee): This is someone who is capable of paying ransom. In the previously mentioned real-life virtual kidnapping case, this would be Mrs. DeStefano.
  • Identifying a potential virtual kidnapping victim (kidnapee): In the same real-life virtual kidnapping, this would be the 15-year-old daughter.
  • Creating a story: The more emotionally manipulative the story is, the more impaired a victim’s judgment and critical thinking would be. It is highly likely that a frightened person will behave with more immediacy and less forethought.
  • Harvesting voice biometrics from the virtual kidnapping victim’s social media posts: Malicious actors can also harvest a movie actor’s voice from a frightening kidnapping movie scene and use deepfake technology to make audio that sounds like the subject has been kidnapped and is saying words from a movie.
  • Identifying time and logistic elements: Based on social media updates from the virtual kidnapping victim, the malicious actors will launch the scam when the subject is physically away from the ransom victim for a long enough period. This can hinder the ransom victim from quickly verifying if the child is safe, allowing the attack and ransom payment to go through successfully.
  • Making the call: The attackers may use free voice modulation software to make their voice more scary or menacing. During the call, the attackers will simultaneously run the deepfake audio of the supposed kidnapee to grant credibility to their request for ransom payment.
  • Initiating post-call activities: These include, but are not limited to, laundering the ransom payment, deleting all relevant files, and discarding the burner phone used. In the future, or with a large enough research investment at present, malicious actors can even create audio files of #ChatGPT texts using a text-to-speech app or software. In doing so, both the attacker and the virtual kidnapping victim (a voice clone of an actual person) are fully virtual. When these virtual files are distributed using a mass calling service, virtual kidnapping can become more effective and far-reaching.

See how AI is playing a role in virtual kidnapping here.

Agenda Ransomware Group's Use of its Latest Rust Variant

Since its discovery in 2022, the Agenda Ransomware group (also known as Qilin) has been active and in development. #Agenda, which Trend Micro tracks as Water Galura, continues infecting victims globally, with the US, Argentina, Australia, and Thailand among its top targets (based on the threat actor’s leak site data). Meanwhile, the Agenda #ransomware has been used to target several industries, such as finance and law.

Furthermore, based on Trend threat intelligence data, Agenda ransomware detections increased beginning December 2023 compared with November, which indicates that its operators are either becoming more active or are reaching a greater number of targets.

We recently encountered updated versions of the ransomware, specifically of its Rust variant. Based on what we’ve observed, the Agenda ransomware group uses Remote Monitoring and Management (RMM) tools, as well as Cobalt Strike, to deploy the ransomware binary. The Agenda ransomware executable can also propagate via PsExec and SecureShell, while making use of different vulnerable SYS drivers for defense evasion.

Find out more in our blog, "Agenda Ransomware Propagates to vCenters and ESXi via Custom PowerShell Script".

NIST Launches Cybersecurity Framework (CSF) 2.0

The most noteworthy change is the introduction of Governance as a sixth pillar in the #CSF Framework. This shift gives governance significantly more importance, from just a mention within the previous five Categories to now being its own separate Function.

According to #NIST, the Govern function refers to how an organization’s “cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.” This is a positive and needed evolution, because when governance is weak, the weakness often isn’t restricted to a single function (e.g., IAM) and can be systemic.

Governance aligns with a broader paradigm shift in which cybersecurity is becoming highly relevant within the business context as an operational risk. The Govern Function expects cybersecurity to be integrated into the broader enterprise risk management strategy, with dedicated accountability and oversight.

There are some other reassignments and minor changes in the remaining five Categories. CSF version 1.0 was published in 2014, and 1.1 in 2018. A lot has changed in security since then. The 2.0 update acknowledges that a review has been conducted.

As a framework, the CISO domain has not radically changed. Yes, the technology has radically evolved, but the greatest evolution in the CISO role really has been around governance: greater interaction with C-suite and board, while some activities have been handed off to operations.

Learn more about the new Cybersecurity Framework 2.0 in our blog, "NIST Launches Cybersecurity Framework (CSF) 2.0".

Women's History Month - The Power of Listening

In honor of Women's History Month, we want to highlight our Trend Talks Life mini-series, where host Erin Tomie talks with Technical Account Manager Team Lead for India, Nutan Savani, about her journey at Trend Micro.

In this special Trend Talks Life mini-series, we are spotlighting some of our exceptional female Trenders, who were nominated for their invaluable contributions. In each video we explore this year’s theme: Inspire Inclusion.

Watch the full video here to learn more about how Nutan and other inspiring women leaders at Trend Micro inspire inclusion. #WHM


Before you go:

Check out our new episode of #TrendTalksThreats on Spotify. Jon Clay, VP of Cybersecurity, breaks down some of the most notable stories from Trend Micro’s recently released 2023 Annual Cybersecurity Report.

TrendTalksThreats | 2023 Annual Cybersecurity Report Highlights