Cybersecurity
New ransomware variants arrive
What do LockBit, BlueSky, Deno, RedAlert, Dark Web Hacker, Hive, and Again have in common? All are new or evolving forms of ransomware spotted in the wild, says FortiGuard Labs
Over the past few weeks, FortiGuard Labs has observed several new ransomware variants that have been gaining traction within the open-source intelligence (OSINT) community. We provide this technical guide to the emerging and evolving threats:
LockBit, targeting both Windows and Linux, has been in the wild since December 2019. This ransomware employs a Ransomware-as-a-Service (RaaS) model in which ransomware operators develop the ransomware and all the necessary tools and infrastructure to support it, and then offer these solutions and user support to their ‘affiliates’.
Affiliates carry out the actual attacks using tools and support from operators, for which they earn 20% of the ransom paid by victims. This underground channel structure also offers affiliates support via TOX (a RaaS framework), as well as additional services such as ransom negotiation.
The latest version of LockBit, LockBit 3.0, debuted in March 2022 and made the news again at the end of June when the ransomware gang introduced a “bug bounty” program offering rewards of between $1,000 and $1,000,000 (USD) for detecting flaws and weaknesses in its portfolio.
LockBit rules prohibit affiliates from encrypting files in critical infrastructure environments, such as nuclear power plants or the gas and oil industries, but affiliates are allowed to steal data without encrypting critical files and/or the infrastructure of these organisations.
Prior to file encryption, data on victim machines are exfiltrated using “StealBit,” an information stealer tool developed by the LockBit gang. Files encrypted by the ransomware typically have a “.lockbit” file extension. The ransomware also leaves a ransom note in Restore-My-Files.txt.
Some variants of LockBit also replace desktop wallpaper with a message to let victims know that they are a victim of the ransomware, asking them to check the ransom note for how to reach out to the LockBit threat actor. LockBit employs a double-extortion tactic that demands victims pay their ransom in Bitcoin to recover affected files and not have stolen information leaked to the public.
New ransomware variants
Also evident in recent weeks is BlueSky, a recently discovered variant; some BlueSky ransomware samples have been distributed online as “MarketShere.exe” and “SecurityUpdate.exe.” BlueSky encrypts files on a compromised machine and then adds a “.bluesky” file extension. It then drops a ransom note in “# DECRYPT FILES BLUESKY #.txt” and “# DECRYPT FILES BLUESKY #.html,” in which victims are asked to visit a BlueSky TOR site and follow the provided instructions.
Deno is a new variant that encrypts files and adds a “.DENO” file extension to targeted files. It then drops a ransom note in “readme.txt” which provides two ProtonMail email addresses for victims to contact the attacker to recover affected files. Interestingly, there is no information on how much this will cost and if payment is what the threat actor is ultimately after.
RedAlert, also known as N13V, was discovered in early July. It affects Windows and Linux VMware (ESXi) servers, encrypting files on the compromised machine and stealing data from it. One reported file extension that this ransomware variant adds to affected files is “.crypt658”, but this may change depending on the victim.
This ransomware uses a double-extortion tactic, which demands a ransom payment to recover affected files and to prevent the release of stolen data on its data leak site, where anyone can download it. To pressure victims into paying a ransom, the authors also ask the victim to contact the attacker within 72 hours, or else the threat actor will publish part of the stolen data to their leak site.
Additional threats include launching Distributed Denial of Service (DDoS) attacks and making phone calls to the victim’s employees as a shame tactic.
Dark Web Hacker is another recently discovered ransomware. It encrypts files on a compromised machine and appends “.[4 random characters]” to the end of the file name of targeted files. It also leaves a ransom note in “read_it.txt” containing the attacker’s contact email address and Bitcoin address. The ransom demand is $3,000 worth of Bitcoin.
The ransomware also replaces any desktop wallpaper with its own wallpaper that includes a Bitcoin QR code to “help” victims to pay a ransom. The ransomware also deletes shadow copies, which makes file recovery difficult.
Hive ransomware is another Ransomware-as-a-Service (RaaS) that attempts to encrypt files on victims’ machines, steal data, and demand a payment to recover affected files and prevent stolen data from being published to its data leak site, called “HiveLeaks,” on the dark web.
This ransomware notoriously affected Costa Rica’s public health system, which it reportedly disrupted. The latest iterations are written in the Rust programming language; older variants are written in Go.
The Again ransomware is another new ransomware variant that seems to have its origins in Babuk. It appears to share the same source code as Babuk (which had its entire source code leaked in 2021) and can safely be considered a fork of that variant.
The Again ransomware seeks out files to encrypt and appends “.again” to the filename, rendering them inoperable. Victims are presented with a text file entitled “How To Restore Your Files.txt.” It contains information on contacting the bad actor(s) behind the ransomware using a predefined TOR website.
That site provides a page for submitting a message to the ransom actor, who will likely seek something in return from the victim in exchange for their files.
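The file extensions and ransom-note names listed throughout this guide are the most practical artefacts for a responder to sweep for. The script below is an added example, not FortiGuard Labs' code: it checks a list of file paths against the extensions and note names reported above and groups the hits by family, then separates families corroborated by an encrypted-file match from those seen only through a note (a generic name such as readme.txt is weak evidence on its own). The regular expression for Dark Web Hacker's “.[4 random characters]” suffix and the sample listing are constructed assumptions derived from the text.

```python
"""
Indicator sweep for the ransomware families described above.

Added example (not FortiGuard Labs' code). Extensions and note names are
taken from the article; the four-character suffix pattern for Dark Web
Hacker and the sample paths are constructed assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Encrypted-file extensions reported in the article, keyed by family.
ENCRYPTED_EXTENSIONS = {
    "LockBit": ".lockbit",
    "BlueSky": ".bluesky",
    "Deno": ".deno",        # article spells it ".DENO"; matching is case-insensitive
    "RedAlert": ".crypt658",
    "Again": ".again",
}

# Ransom-note file names reported in the article (lower-cased), keyed by family.
RANSOM_NOTES = {
    "LockBit": {"restore-my-files.txt"},
    "BlueSky": {"# decrypt files bluesky #.txt", "# decrypt files bluesky #.html"},
    "Deno": {"readme.txt"},
    "Dark Web Hacker": {"read_it.txt"},
    "Again": {"how to restore your files.txt"},
}

# Dark Web Hacker appends ".[xxxx]" (four random characters) to the file name.
# This pattern is an assumption derived from the article's description.
DARK_WEB_HACKER_SUFFIX = re.compile(r"\.\[[A-Za-z0-9]{4}\]$")


def classify_path(path: str) -> List[str]:
    """Return the families whose artefacts the given path matches."""
    # Accept Windows or POSIX separators and compare on the base name only.
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    lowered = name.lower()
    hits: List[str] = []
    for family, notes in RANSOM_NOTES.items():
        if lowered in notes:
            hits.append(family)
    for family, ext in ENCRYPTED_EXTENSIONS.items():
        if lowered.endswith(ext):
            hits.append(family)
    if DARK_WEB_HACKER_SUFFIX.search(name):
        hits.append("Dark Web Hacker")
    return hits


def sweep(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Group matching paths by family; families with no hits are omitted."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for p in paths:
        for family in classify_path(p):
            findings[family].append(p)
    return dict(findings)


def corroborated(findings: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Keep only families with at least one encrypted-file hit.

    A note-only match (e.g. a lone readme.txt) is not enough to attribute
    an incident; an encrypted file with the family's extension is.
    """
    out: Dict[str, List[str]] = {}
    for family, files in findings.items():
        if family == "Dark Web Hacker":
            if any(DARK_WEB_HACKER_SUFFIX.search(f) for f in files):
                out[family] = files
            continue
        ext = ENCRYPTED_EXTENSIONS.get(family)
        if ext and any(f.lower().endswith(ext) for f in files):
            out[family] = files
    return out


# Constructed sample listing (not real telemetry).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.lockbit",
    r"C:\Users\alice\Desktop\Restore-My-Files.txt",
    "/srv/share/photo01.jpg.DENO",
    "/srv/share/readme.txt",
    "/vmfs/volumes/ds1/vm01.vmdk.crypt658",
    r"C:\Users\bob\invoice.pdf.[k7Qz]",
    r"C:\Users\bob\read_it.txt",
    "/home/carol/notes.md",
    "/home/carol/How To Restore Your Files.txt",
]

if __name__ == "__main__":
    results = sweep(SAMPLE_LISTING)
    strong = corroborated(results)
    for family, files in sorted(results.items()):
        tag = "corroborated" if family in strong else "note only"
        print(f"{family} ({tag}): {len(files)} artefact(s)")
        for f in files:
            print("   ", f)
```

Run against a real file inventory (for example the output of a directory walk on a suspect share), the "note only" bucket tells the responder which families still need an encrypted-file match before attribution, while any corroborated hit on an ESXi datastore path such as the RedAlert one above warrants immediate isolation of that host.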