Cybersecurity firm Sophos reported that, "The similarities are in the software packer used to conceal the ransomware code, in the malware subroutines designed to find and obfuscate commands (API calls), and in the subroutines used to decrypt encrypted text."
The attack on the media company used ProxyShell to compromise a vulnerable Exchange Server with a web shell, which was then used to spread Cobalt Strike Beacons throughout the network. The attacker is said to have spent four months on reconnaissance and data theft before launching the ransomware in early December 2021.
During a forensic investigation, we discovered multiple instances of Dridex, a well-known general-purpose malware that its operators can use to spread other malware.
The second attack, on the regional government agency, was made possible by a malicious email attachment carrying the Dridex malware, which was then used to distribute additional payloads for lateral movement. Notably, within 75 hours of the initial detection of the breach, sensitive data had been exfiltrated redundantly, as compressed RAR archives, to multiple cloud storage providers.
Similarities between the Dridex general-purpose malware and a little-known ransomware strain called Entropy have been discovered, indicating that the operators are continuing to rebrand their extortion operations under a different name.
The US Treasury Department sanctioned Evil Corp in December 2019; criminal charges were filed against two key members, Maksim Yakubets and Igor Turashev, and a $5 million reward was offered for information leading to their arrests. In November 2021, the BBC conducted an investigation into the "claimed hackers living wealthy lifestyles, with little possibility of ever being apprehended."
DoppelPaymer is linked to a splinter gang known as Doppel Spider, which uses forked malware code built by Indrik Spider as the foundation for its big game hunting operations, including the BitPaymer ransomware.
Eventually, the attackers dropped a set of files onto an Active Directory server they had taken control of. The threat actor dropped these files in C:\share$:
- comps.txt – list of hosts to attack.
- pdf.dll – the ransomware payload.
- PsExec.exe – a legitimate remote-execution tool from Microsoft.
- COPY.bat – instructions to copy pdf.dll to all the hosts using PsExec.
- EXE.bat – instructions to execute pdf.dll on all the hosts using PsExec.
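The staging pattern above (a host list, the payload, PsExec and two batch files dropped into one share, then PsExec fanning out to many hosts) is something a defender can hunt for in endpoint telemetry. The following Python script is an added example, not code from the Sophos report or from any vendor product: it parses a constructed, Sysmon-like log (the log lines, host names and the `timestamp|host|event|key=value` format are all assumptions made for this example) and flags two things: most of the listed file names appearing in the same directory within an hour, and PsExec launched from one host against several distinct targets under the same parent command line.

```python
"""Added detection example (not from the Sophos report): flag a staged
tooling set in one directory and PsExec fan-out from one host.
All log lines below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# File names the report lists in C:\share$ (compared case-insensitively)
STAGED_SET = {"comps.txt", "pdf.dll", "psexec.exe", "copy.bat", "exe.bat"}

# Constructed, Sysmon-like sample log: timestamp|host|event|key=value;key=value
SAMPLE_LOG = """\
2021-12-03T01:12:04|DC01|FileCreate|TargetFilename=C:\\share$\\comps.txt
2021-12-03T01:12:05|DC01|FileCreate|TargetFilename=C:\\share$\\pdf.dll
2021-12-03T01:12:06|DC01|FileCreate|TargetFilename=C:\\share$\\PsExec.exe
2021-12-03T01:12:07|DC01|FileCreate|TargetFilename=C:\\share$\\COPY.bat
2021-12-03T01:12:08|DC01|FileCreate|TargetFilename=C:\\share$\\EXE.bat
2021-12-03T01:15:00|DC01|ProcessCreate|Image=C:\\share$\\PsExec.exe;Target=\\\\WS-01;ParentCommandLine=cmd.exe /c C:\\share$\\COPY.bat
2021-12-03T01:15:01|DC01|ProcessCreate|Image=C:\\share$\\PsExec.exe;Target=\\\\WS-02;ParentCommandLine=cmd.exe /c C:\\share$\\COPY.bat
2021-12-03T01:15:02|DC01|ProcessCreate|Image=C:\\share$\\PsExec.exe;Target=\\\\WS-03;ParentCommandLine=cmd.exe /c C:\\share$\\COPY.bat
2021-12-03T09:00:00|ADMIN-PC|ProcessCreate|Image=C:\\Tools\\PsExec.exe;Target=\\\\WS-09;ParentCommandLine=powershell.exe
2021-12-03T09:30:00|FS01|FileCreate|TargetFilename=D:\\data\\report.pdf
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into a flat dict of fields."""
    ts, host, event, rest = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split(";"))
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields}


def parse_log(text: str) -> List[dict]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def staged_tooling(events: List[dict], min_matches: int = 4,
                   window: timedelta = timedelta(hours=1)):
    """Return (host, directory, matched names) where at least min_matches of
    STAGED_SET were created in the same directory within `window`."""
    seen: Dict[Tuple[str, str], Dict[str, datetime]] = defaultdict(dict)
    for e in events:
        if e["event"] != "FileCreate":
            continue
        directory, _, name = e["TargetFilename"].rpartition("\\")
        name = name.lower()
        if name in STAGED_SET:
            # keep the first creation time per name
            seen[(e["host"], directory.lower())].setdefault(name, e["ts"])
    findings = []
    for (host, directory), names in seen.items():
        times = sorted(names.values())
        if len(names) >= min_matches and times[-1] - times[0] <= window:
            findings.append((host, directory, sorted(names)))
    return findings


def psexec_fanout(events: List[dict], min_targets: int = 3):
    """Return (host, parent command line, target count) where PsExec was
    launched from one host against at least min_targets distinct hosts
    under the same parent (e.g. a batch file driving a host list)."""
    targets = defaultdict(set)
    for e in events:
        if e["event"] != "ProcessCreate":
            continue
        image = e.get("Image", "").rpartition("\\")[2].lower()
        if image != "psexec.exe":
            continue
        targets[(e["host"], e.get("ParentCommandLine", ""))].add(e.get("Target", ""))
    return [(h, p, len(t)) for (h, p), t in targets.items() if len(t) >= min_targets]


def analyze(text: str) -> dict:
    events = parse_log(text)
    return {"staged": staged_tooling(events), "fanout": psexec_fanout(events)}


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOG).items():
        for item in items:
            print(kind, item)
```

Run as-is, the script reports the DC01 share holding all five staged names and the three PsExec launches driven by COPY.bat, while the lone administrator PsExec run from ADMIN-PC stays below the fan-out threshold. The thresholds and the one-hour window are starting points; in production the same logic would read real Sysmon event IDs 1 and 11 rather than this toy format.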
WastedLocker, Hades, Phoenix, PayloadBIN, Grief and Macaw are only a few of the e-crime gang’s ransomware branding changes in the intervening years to get around the sanctions.
SentinelOne researchers identified the “evolutionary” ties in a standalone analysis, claiming nearly identical design, implementation, and functionality amongst successive iterations of the ransomware, with the file-encrypting malware buried using a packer named CryptOne.
Finally, the researchers concluded: "The attackers took advantage of a lack of attention in both situations – both targets had vulnerable Windows PCs that were missing current patches and updates. Attackers would have had to work harder to gain initial access into the firms they attacked if equipment like the Exchange Server had been properly patched."