In this edition of the Hacker’s Playbook Threat Coverage round-up, we are highlighting newly added coverage for several recently discovered or analyzed ransomware and malware variants, including Akira ransomware, 8Base ransomware, and Rorschach (BabLock) ransomware, amongst others. SafeBreach customers can select and run these attacks and more from the SafeBreach Hacker’s Playbook™ to validate coverage against these advanced threats. Additional details about each threat and our coverage are provided below.
Akira Ransomware: What you need to know
In March 2023, threat researchers from Arctic Wolf identified a new ransomware group known as Akira that operates under the ransomware-as-a-service (RaaS) model and deploys its namesake Akira ransomware. Since its discovery, the group has compromised more than 60 victims, roughly 80% of them small and medium businesses.
Like other RaaS operations, Akira affiliates practice double extortion: they exfiltrate victim data first, then encrypt devices and demand a ransom. Notably, the group does not insist on a victim paying for both decryption assistance and deletion of the stolen data; victims can choose which of the two they pay for. Typical ransom demands range between $200k and $4m USD.
Researchers observed that most Akira intrusions begin with compromised credentials, potentially purchased on the dark web. Akira commonly gains access to targeted Windows and Linux systems through VPN services, especially where multi-factor authentication is not enabled. Once on a system, the malware attempts to delete backup folders that could be used to restore lost data, then encrypts files with certain extensions and appends the “.akira” extension to each of them.
The ransom note is written in English but contains many mistakes. The group claims it does not want to cause severe financial harm and sets ransoms based on a victim’s income and savings; it also offers guidance on using cyber insurance to those who have it. Each victim receives a unique negotiation password that is entered on the threat actor’s dark web site, and the group promises to restore access to the data within 24 hours of receiving payment.
SafeBreach Coverage of Akira Ransomware
The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against Akira ransomware:
- #9041 – Email Akira (e612b4) ransomware as a compressed attachment (INFILTRATION)
- #9040 – Email Akira (e612b4) ransomware as a compressed attachment (LATERAL_MOVEMENT)
- #9039 – Transfer of Akira (e612b4) ransomware over HTTP/S (INFILTRATION)
- #9038 – Transfer of Akira (e612b4) ransomware over HTTP/S (LATERAL_MOVEMENT)
- #9037 – Pre-execution phase of Akira (e612b4) ransomware (Windows) (HOST_LEVEL)
- #9036 – Write Akira (e612b4) ransomware to disk (HOST_LEVEL)
8Base Ransomware: What you need to know
Initially observed in March 2022, the 8Base ransomware gang has been leveraging double extortion to target organizations around the world. Starting in June 2023, researchers observed a spike in activity associated with this gang. The group has listed 35 victims (across multiple verticals) on its dark web extortion site.
The group members describe themselves as simple and honest pen-testers and claim to target only companies that have neglected the privacy and importance of their employees’ and customers’ data. 8Base appears to be a customized version of Phobos v2.9.1 ransomware loaded via SmokeLoader. Analysis of recent attacks shows that the ransomware appends the .8base extension to encrypted files, in addition to the .eight extension seen in earlier samples. 8Base uses the “admlogs25[.]xyz” domain for payload hosting; the domain is associated with SystemBC, a proxy malware used by several ransomware groups to obfuscate C2 traffic. 8Base operators have been conducting encryption attacks for at least a year but only recently drew attention after launching their data leak site.
SafeBreach Coverage of 8Base Ransomware
The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the ransomware variant:
- #8996 – Email 8Base (c1b19c) ransomware as a compressed attachment (INFILTRATION)
- #8995 – Email 8Base (c1b19c) ransomware as a compressed attachment (LATERAL_MOVEMENT)
- #8994 – Transfer of 8Base (c1b19c) ransomware over HTTP/S (INFILTRATION)
- #8993 – Transfer of 8Base (c1b19c) ransomware over HTTP/S (LATERAL_MOVEMENT)
- #8992 – Pre-execution phase of 8Base (c1b19c) ransomware (Windows) (HOST_LEVEL)
- #8991 – Write 8Base (c1b19c) ransomware to disk (HOST_LEVEL)
ThirdEye Infostealer: What you need to know
Researchers from FortiGuard Labs recently discovered a previously unseen infostealer that they named “ThirdEye”. This tool is designed to steal information from compromised machines that can be used in future attacks. Though not considered sophisticated, its capabilities include harvesting BIOS and hardware data, enumerating files and folders, identifying running processes, and collecting network information.
The latest variant has a file name in Russian, suggesting a potential focus on Russian-speaking organizations. After collecting the compromised system’s information, the malware sends it to a command-and-control (C2) server. Notably, the infostealer uses a unique string, “3rd_eye,” to identify itself to the C2.
SafeBreach Coverage of ThirdEye Infostealer
The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the infostealer variant:
- #9002 – Email ThirdEye (e0c796) infostealer as a compressed attachment (INFILTRATION)
- #9001 – Email ThirdEye (e0c796) infostealer as a compressed attachment (LATERAL_MOVEMENT)
- #9000 – Transfer of ThirdEye (e0c796) infostealer over HTTP/S (INFILTRATION)
- #8999 – Transfer of ThirdEye (e0c796) infostealer over HTTP/S (LATERAL_MOVEMENT)
- #8998 – Pre-execution phase of ThirdEye (e0c796) infostealer (Windows) (HOST_LEVEL)
- #8997 – Write ThirdEye (e0c796) infostealer to disk (HOST_LEVEL) – Automation
Rorschach (BabLock) Ransomware: What you need to know
Trend Micro researchers identified a ransomware variant, which they named BabLock and which is also tracked as Rorschach, that appears to be primarily based on LockBit but includes components from various other ransomware families. It takes an unusual approach to file extensions: instead of the usual “one sample, one extension” behaviour, it appends a numerical increment from 00 to 99 to a fixed ransomware extension. As a result, a single execution on a single infected machine can produce many extension variations.
When the ransomware is launched on a domain controller with administrator privileges, it can spread across the local network by creating a Group Policy Object (GPO). Once launched, the sample immediately deletes three related files and then encrypts files on the system. Encrypted files receive the extension “k1k2k3” followed by a random number between 00 and 99. After encryption, a ransom note named “_r_e_a_d_m_e.txt” instructs the victim on how to contact the attacker; it includes the attacker’s email address but gives no ransom amount or payment method.
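Because a single Rorschach (BabLock) run can leave up to 100 distinct extensions on one host, a blocklist of literal extensions will miss most of them; the same triage logic also covers the “.akira” extension and the “.8base”/“.eight” extensions described for Akira and 8Base earlier on this page. The script below is an added example written for this round-up, not SafeBreach code and not derived from any of the attacks listed. The extension and note-name patterns come from the write-ups; the directory layout, file names and the 50% mass-encryption threshold are constructed for the demo.

```python
"""Triage scan for the file-system indicators described above.

Added example for this round-up; it is not SafeBreach code. The extension
and note-name patterns come from the write-ups (".akira"; ".8base" and the
older ".eight"; "k1k2k3" plus a 00-99 counter and the "_r_e_a_d_m_e.txt"
note). The directory tree, file names and the 50% threshold are constructed
for the demo.
"""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# One compiled pattern per family. Rorschach/BabLock appends a two-digit
# counter after the fixed extension, so one run can yield up to 100 distinct
# extensions on a single host; a regex over the family beats one literal per
# extension.
INDICATORS = {
    "Akira": re.compile(r"\.akira$", re.IGNORECASE),
    "8Base": re.compile(r"\.(8base|eight)$", re.IGNORECASE),
    "Rorschach/BabLock": re.compile(r"\.k1k2k3\d{2}$", re.IGNORECASE),
}
RANSOM_NOTES = {"_r_e_a_d_m_e.txt": "Rorschach/BabLock"}
# Share of files in a directory that must carry an indicator before the
# directory is reported as mass-encrypted (assumed value for the demo).
MASS_ENCRYPTION_THRESHOLD = 0.5


def classify(filename):
    """Return the family a file name points to, or None."""
    for family, pattern in INDICATORS.items():
        if pattern.search(filename):
            return family
    return RANSOM_NOTES.get(filename.lower())


def scan(root):
    """Walk `root`; return (hits per family, flagged-file ratio per directory).

    Directory keys are paths relative to `root`; directories with no files
    are skipped so they cannot dilute or inflate the ratio.
    """
    hits = Counter()
    ratio_by_dir = {}
    for dirpath, _, filenames in os.walk(root):
        if not filenames:
            continue
        flagged = 0
        for name in filenames:
            family = classify(name)
            if family:
                hits[family] += 1
                flagged += 1
        ratio_by_dir[os.path.relpath(dirpath, root)] = flagged / len(filenames)
    return hits, ratio_by_dir


def flag_directories(ratio_by_dir, threshold=MASS_ENCRYPTION_THRESHOLD):
    """Directories whose flagged-file share meets the threshold, sorted.

    A single renamed file (or a stray sample) stays in `hits` but does not
    make the directory look mass-encrypted.
    """
    return sorted(d for d, r in ratio_by_dir.items() if r >= threshold)


def build_sample_tree():
    """Constructed demo tree: one Rorschach-style directory, one with a lone
    Akira hit, one with 8Base extensions. Returns the temp root path."""
    root = Path(tempfile.mkdtemp(prefix="ransom_scan_"))
    finance = root / "finance"
    finance.mkdir()
    for i in range(8):                       # counters 00, 11, ..., 77
        (finance / f"report{i}.xlsx.k1k2k3{i * 11:02d}").write_bytes(b"\0")
    (finance / "_r_e_a_d_m_e.txt").write_text("constructed note body")
    (finance / "budget.xlsx").write_bytes(b"\0")          # untouched file
    hr = root / "hr"
    hr.mkdir()
    (hr / "payroll.db.akira").write_bytes(b"\0")
    for name in ("handbook.pdf", "org.xlsx", "policy.docx"):
        (hr / name).write_bytes(b"\0")
    legal = root / "legal"
    legal.mkdir()
    for name in ("nda.docx.8base", "msa.pdf.8base", "old.docx.eight", "notes.txt"):
        (legal / name).write_bytes(b"\0")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    family_hits, ratios = scan(sample_root)
    print("hits:", dict(family_hits))
    print("mass-encrypted directories:", flag_directories(ratios))
```

Run against a mounted image or a live share after an incident; the per-directory ratio separates a genuinely encrypted tree from a directory that merely holds a copied sample, and the regex for the counter-suffixed extension is what a literal blocklist would have missed.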
SafeBreach Coverage of Rorschach (BabLock) Ransomware
The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the ransomware variant:
- #9013 – Email BabLock (Rorschach) (3f3dc6) ransomware as a compressed attachment (INFILTRATION)
- #9012 – Email BabLock (Rorschach) (3f3dc6) ransomware as a compressed attachment (LATERAL_MOVEMENT)
- #9011 – Transfer of BabLock (Rorschach) (3f3dc6) ransomware over HTTP/S (INFILTRATION)
- #9010 – Transfer of BabLock (Rorschach) (3f3dc6) ransomware over HTTP/S (LATERAL_MOVEMENT)
- #9009 – Write BabLock (Rorschach) (3f3dc6) ransomware to disk (HOST_LEVEL) – Automation
Sardonic Backdoor: What you need to know
Threat researchers from Symantec recently observed the FIN8 threat group deploying a variation of the Sardonic backdoor to deliver the Noberus ransomware variant. FIN8 is a notorious threat group that is known to target organizations across several verticals, including finance, hospitality, insurance, retail, and technology.
The C++-based Sardonic backdoor can harvest system information and execute commands, and has a plugin system designed to load and execute additional malware payloads delivered as DLLs. The new variant (Sardonic was first documented by Bitdefender in 2021) adds code supporting more plugin formats, expanding the attackers’ flexibility and capabilities.
SafeBreach Coverage of Sardonic Backdoor
The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the malware:
- #9035 – Email Sardonic (f95509) backdoor as a compressed attachment (INFILTRATION)
- #9034 – Email Sardonic (f95509) backdoor as a compressed attachment (LATERAL_MOVEMENT)
- #9033 – Transfer of Sardonic (f95509) backdoor over HTTP/S (INFILTRATION)
- #9032 – Transfer of Sardonic (f95509) backdoor over HTTP/S (LATERAL_MOVEMENT)
- #9031 – Write Sardonic (f95509) backdoor to disk (HOST_LEVEL)
RomCom CVE-2023-36884: What you need to know
Microsoft recently disclosed a zero-day Office and Windows HTML remote code execution vulnerability, CVE-2023-36884 (rated Important), after observing it being exploited via specially crafted Microsoft Office documents.
Exploitation requires the user to open a document containing malicious code. When the document is opened, it downloads a file containing a script that performs an iframe injection, resulting in the download of a malicious payload. The vulnerability has been heavily used by the threat group Storm-0978, also known as RomCom, to target European government officials with phishing emails carrying lure documents themed around NATO and the situation in Ukraine; in the observed campaign the attached file was named “Overview_of_UWCs_UkraineInNATO_campaign.docx”. Unlike traditional Office document attacks, this one does not rely on VBA macros.
SafeBreach Coverage of CVE-2023-36884
The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the vulnerability:
- #9030 – Email RomCom CVE-2023-36884 (a1163f) exploit as a compressed attachment (INFILTRATION)
- #9029 – Email RomCom CVE-2023-36884 (a1163f) exploit as a compressed attachment (LATERAL_MOVEMENT)
- #9028 – Transfer of RomCom CVE-2023-36884 (a1163f) exploit over HTTP/S (INFILTRATION)
- #9027 – Transfer of RomCom CVE-2023-36884 (a1163f) exploit over HTTP/S (LATERAL_MOVEMENT)
- #9026 – Write RomCom CVE-2023-36884 (a1163f) exploit to disk (HOST_LEVEL)
Rhysida Ransomware: What you need to know
In early August 2023, the U.S. Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) issued an alert for a new ransomware variant called Rhysida that has been active since May 2023. The variant has targeted organizations in the education, government, manufacturing, and technology verticals.
Analysis of the encryptor indicates that the ransomware is still under development: it lacks standard features such as persistence mechanisms, volume shadow copy wiping, and process termination. Rhysida is believed to be behind a recent cyberattack on Prospect Medical Holdings, which at the time of writing was still experiencing a system-wide outage affecting 17 hospitals and 166 clinics across the United States.
Researchers have also revealed that Rhysida threat actors use phishing emails to gain initial access, then deploy Cobalt Strike and PowerShell scripts, and eventually drop the locker. The PowerShell scripts used by the operators terminate AV processes, delete shadow copies, and modify RDP configurations; these steps are carried out by the operators’ tooling rather than by the encryptor itself, which is consistent with the locker’s active development.
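The three pre-encryption behaviours attributed to Rhysida’s PowerShell scripts (shadow copy deletion, termination of security tooling, RDP configuration changes), together with the backup deletion noted for Akira earlier on this page, are the hands-on-keyboard stage a defender can still catch before the locker runs. The following is an added example for this round-up, not SafeBreach code and not a description of either group’s actual scripts: the command-line patterns are common ways of performing those behaviours on Windows and are this example’s assumptions, the security-product process list is constructed, and the JSON process-creation events are constructed sample telemetry.

```python
"""Detection over process-creation events for the pre-encryption behaviours
named in the Akira and Rhysida write-ups above: shadow-copy deletion,
termination of security tooling, and RDP configuration changes.

Added example, not SafeBreach code and not a description of either group's
actual scripts. The command-line patterns are common ways of performing
those three behaviours on Windows; the security-product process list and
the JSON log lines are constructed for the demo.
"""
import json
import re
from collections import defaultdict

# Behaviour rules keyed by name; each pattern runs over the full command line.
RULES = [
    ("shadow_copy_deletion", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|win32_shadowcopy.*\.delete\(\)", re.IGNORECASE)),
    ("rdp_config_change", re.compile(
        r"terminal server.*fDenyTSConnections", re.IGNORECASE)),
]

# Lower-case process names (without .exe) treated as security tooling;
# constructed list, extend with the products actually deployed.
SECURITY_PROCESSES = {"msmpeng", "sentinelagent", "csfalconservice", "cb"}
KILL_RE = re.compile(
    r"taskkill(\.exe)?\s.*?/im\s+(?P<img>[\w.-]+)"
    r"|stop-process\s+-name\s+\"?(?P<name>[\w.-]+)", re.IGNORECASE)


def _kills_security_process(cmdline):
    """True if the command line terminates a process from SECURITY_PROCESSES."""
    m = KILL_RE.search(cmdline)
    if not m:
        return False
    target = (m.group("img") or m.group("name") or "").lower()
    if target.endswith(".exe"):
        target = target[:-4]
    return target in SECURITY_PROCESSES


def rules_for(cmdline):
    """Names of all rules a single command line triggers, in rule order."""
    fired = [name for name, pattern in RULES if pattern.search(cmdline)]
    if _kills_security_process(cmdline):
        fired.append("security_process_termination")
    return fired


def detect(raw_lines):
    """Parse JSON-lines process events; return (host, ts, rule, cmdline) findings."""
    findings = []
    for line in raw_lines.strip().splitlines():
        event = json.loads(line)
        for rule in rules_for(event["cmdline"]):
            findings.append((event["host"], event["ts"], rule, event["cmdline"]))
    return findings


def chained_hosts(findings, minimum=2):
    """Hosts where at least `minimum` distinct rules fired.

    Each behaviour is noisy on its own (backup agents manage shadow copies,
    administrators change RDP settings); several of them on the same host is
    the pre-encryption pattern the Rhysida write-up describes.
    """
    rules_by_host = defaultdict(set)
    for host, _, rule, _ in findings:
        rules_by_host[host].add(rule)
    return sorted(h for h, r in rules_by_host.items() if len(r) >= minimum)


# Constructed sample events (not real telemetry). WS01 shows the full chain;
# SRV02 has a benign listing and one isolated deletion; WS07 kills notepad.
SAMPLE_EVENTS = r"""
{"ts": "2023-08-10T14:02:11Z", "host": "WS01", "user": "CORP\\jdoe", "cmdline": "vssadmin.exe delete shadows /all /quiet"}
{"ts": "2023-08-10T14:02:13Z", "host": "WS01", "user": "CORP\\jdoe", "cmdline": "powershell.exe -ep bypass -c \"Stop-Process -Name MsMpEng -Force\""}
{"ts": "2023-08-10T14:02:20Z", "host": "WS01", "user": "CORP\\jdoe", "cmdline": "reg.exe add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f"}
{"ts": "2023-08-10T14:05:00Z", "host": "SRV02", "user": "CORP\\backupsvc", "cmdline": "vssadmin.exe list shadows"}
{"ts": "2023-08-10T14:06:40Z", "host": "WS07", "user": "CORP\\helpdesk", "cmdline": "taskkill.exe /F /IM notepad.exe"}
{"ts": "2023-08-10T14:09:05Z", "host": "SRV02", "user": "CORP\\backupsvc", "cmdline": "wmic.exe shadowcopy delete"}
"""

if __name__ == "__main__":
    for host, ts, rule, cmd in detect(SAMPLE_EVENTS):
        print(f"{ts} {host:<6} {rule:<30} {cmd}")
    print("hosts with chained behaviours:", chained_hosts(detect(SAMPLE_EVENTS)))
```

In production the same rules would run over EDR or Sysmon process-creation telemetry, and `chained_hosts` would be bounded by a time window; the point the sample makes is that the isolated `wmic shadowcopy delete` on SRV02 is a triage item, while the three distinct behaviours on WS01 within a few seconds are the signal to isolate the host before encryption starts.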
SafeBreach Coverage of Rhysida Ransomware
The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the ransomware variant:
- #9077 – Email Rhysida (8cd3c6) ransomware as a compressed attachment (INFILTRATION)
- #9076 – Email Rhysida (8cd3c6) ransomware as a compressed attachment (LATERAL_MOVEMENT)
- #9075 – Transfer of Rhysida (8cd3c6) ransomware over HTTP/S (INFILTRATION)
- #9074 – Transfer of Rhysida (8cd3c6) ransomware over HTTP/S (LATERAL_MOVEMENT)
- #9073 – Pre-execution phase of Rhysida (8cd3c6) ransomware (Windows) (HOST_LEVEL)
- #9072 – Write Rhysida (8cd3c6) ransomware to disk (HOST_LEVEL)
Interested In Protecting Against Advanced Ransomware?
SafeBreach now offers a complimentary and customized real-world ransomware assessment (RansomwareRx) that can allow you to gain unparalleled visibility into how your security ecosystem responds at each stage of the defense process. This ransomware assessment includes:
- Training – Understand the methodology around ransomware attacks, persistent threats, and malware attacks.
- Assessment – Review goals and ensure simulation connections to our management console and all configurations are complete.
- Attack Scenario – Run safe-by-design, real-world ransomware attacks across the cyber kill chain on a single device of your choice.
- Report – Receive a custom-built report with simulation results and actionable remediation insights.
Empower your team to understand more about ransomware attacks, methodologies, and behaviors—all through the lens of the attacker. Request your complimentary RansomwareRx assessment today.