NoName ransomware gang deploying RansomHub malware in recent attacks

The NoName ransomware gang has been trying to build a reputation for more than three years, targeting small and medium-sized businesses worldwide with its encryptors, and may now be operating as a RansomHub affiliate.

The gang uses custom tools known as the Spacecolon malware family and deploys them after gaining access to a network through brute-force methods as well as by exploiting older vulnerabilities such as EternalBlue (CVE-2017-0144) or ZeroLogon (CVE-2020-1472).

In more recent attacks NoName uses the ScRansom ransomware, which replaced the Scarab encryptor. The threat actor has also tried to make a name for itself by experimenting with the leaked LockBit 3.0 ransomware builder, creating a similar data leak site, and using similar ransom notes.

ScRansom ransomware

Cybersecurity company ESET tracks the NoName gang as CosmicBeetle and has been monitoring its activities since 2023, when ScRansom, a Delphi-based file-encrypting malware, emerged.

In a report published today, the researchers note that although ScRansom (part of the Spacecolon malware family) is not as sophisticated as other threats on the ransomware scene, it is a threat that continues to evolve.

The malware supports partial encryption with different speed modes to give attackers some versatility, and also features an 'ERASE' mode that replaces file contents with a constant value, making them unrecoverable.

ScRansom can encrypt files across all drives, including fixed, remote, and removable media, and allows the operator to choose which file extensions to target through a customizable list.

Before launching the encryptor, ScRansom kills a list of processes and services on the Windows host, including Windows Defender, the Volume Shadow Copy service, SVCHost, RDPclip, LSASS, and processes associated with VMware Tools.

ESET notes that ScRansom's encryption scheme is fairly complicated, using a combination of AES-CTR-128 and RSA-1024, plus an additional AES key generated to protect the public key.
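The pre-encryption kill list above is one of the more detectable parts of the chain: a single stopped service is routine admin noise, but one host stopping Defender, the shadow-copy service, RDPclip, LSASS and VMware Tools within seconds is not. The following is an added example (not ESET's code and not part of the original article) that applies that idea to a few constructed process-creation records. The process image names and service names in the watchlist (MsMpEng.exe, WinDefend, VSS, vmtoolsd.exe and so on) are assumptions about how the components the article names show up in Windows telemetry, the "timestamp|host|user|commandline" record format is an assumed simplification of a Sysmon or EDR feed, and the five-minute window and threshold of three distinct components are tuning choices, not values from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Watchlist derived from the processes and services the article says ScRansom
# stops before encrypting. Image/service names are assumptions about how those
# components appear in Windows logs; the article only names the components.
KILL_WATCHLIST = {
    "msmpeng.exe": "Windows Defender",
    "windefend": "Windows Defender",
    "vss": "Volume Shadow Copy",
    "vssvc.exe": "Volume Shadow Copy",
    "svchost.exe": "SVCHost",
    "rdpclip.exe": "RDPclip",
    "lsass.exe": "LSASS",
    "vmtoolsd.exe": "VMware Tools",
}

# Constructed sample telemetry (not real logs): process-creation records in a
# simplified "timestamp|host|user|commandline" form. WS-12 shows a kill burst,
# WS-07 shows ordinary admin activity that must not alert.
SAMPLE_LOG = """\
2024-06-08T09:14:02|WS-12|corp\\jdoe|"C:\\Windows\\System32\\taskkill.exe" /F /IM MsMpEng.exe
2024-06-08T09:14:03|WS-12|corp\\jdoe|"C:\\Windows\\System32\\net.exe" stop vss /y
2024-06-08T09:14:03|WS-12|corp\\jdoe|"C:\\Windows\\System32\\taskkill.exe" /F /IM rdpclip.exe
2024-06-08T09:14:04|WS-12|corp\\jdoe|"C:\\Windows\\System32\\taskkill.exe" /F /IM vmtoolsd.exe
2024-06-08T09:14:05|WS-12|corp\\jdoe|"C:\\Windows\\System32\\taskkill.exe" /F /IM lsass.exe
2024-06-08T11:30:00|WS-07|corp\\admin|"C:\\Windows\\System32\\taskkill.exe" /F /IM notepad.exe
2024-06-08T11:45:10|WS-07|corp\\admin|"C:\\Windows\\System32\\net.exe" stop spooler
"""

# "taskkill ... /IM <image>" and "net stop <service>" / "sc stop <service>"
_TASKKILL_RE = re.compile(r'\btaskkill(?:\.exe)?"?\s.*?/IM\s+(\S+)', re.I)
_SVC_STOP_RE = re.compile(r'\b(?:net1?|sc)(?:\.exe)?"?\s+stop\s+(\S+)', re.I)


def extract_kill_target(cmdline):
    """Return the process image or service name a command line tries to stop, else None."""
    for rx in (_TASKKILL_RE, _SVC_STOP_RE):
        m = rx.search(cmdline)
        if m:
            return m.group(1).strip('"').lower()
    return None


def parse_line(line):
    """Parse one 'timestamp|host|user|commandline' record into a dict (None if malformed)."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return {"ts": ts, "host": parts[1], "user": parts[2], "cmdline": parts[3]}


def find_kill_events(log_text):
    """Return records whose command line stops a watchlisted component, tagged with it."""
    events = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        target = extract_kill_target(rec["cmdline"])
        if target in KILL_WATCHLIST:
            rec["component"] = KILL_WATCHLIST[target]
            events.append(rec)
    return events


def detect_pre_encryption_kills(log_text, window=timedelta(minutes=5), threshold=3):
    """Alert when one host stops >= threshold distinct watchlisted components within `window`.

    A lone service stop is noise (an admin restarting something); the burst is the signal.
    """
    by_host = defaultdict(list)
    for ev in find_kill_events(log_text):
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            in_window = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            components = sorted({e["component"] for e in in_window})
            if len(components) >= threshold:
                alerts.append({
                    "host": host,
                    "user": start["user"],
                    "first_seen": start["ts"].isoformat(),
                    "components": components,
                })
                break  # one alert per host is enough to trigger triage
    return alerts


if __name__ == "__main__":
    for a in detect_pre_encryption_kills(SAMPLE_LOG):
        print(f"[ALERT] {a['host']} ({a['user']}) at {a['first_seen']}: "
              f"stopped {', '.join(a['components'])}")
```

Run as-is it reports one alert for WS-12 listing all five stopped components and nothing for WS-07. In a real pipeline the same grouping would sit on top of Sysmon Event ID 1 or an EDR process stream, and the watchlist would be extended with whatever backup and security agents your environment actually runs; the point is to alert on the combination, so that a single `net stop` by an administrator does not page anyone.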

ScRansom's encryption scheme
Source: ESET

However, the multi-step process, which involves several key exchanges, sometimes introduces errors that can cause decryption to fail even when the correct keys are used.

Also, if the ransomware is executed a second time on the same device, or in a network of several distinct systems, new sets of unique keys and victim IDs are generated, making the decryption process quite complex.

One case ESET highlights is a victim that received 31 decryption IDs and AES ProtectionKeys after paying the ScRansom ransom, and was still unable to recover all of the encrypted files.

"This decryption approach is typical for an immature ransomware threat actor. Seasoned gangs prefer to have their decryption process as straightforward as possible to increase the chances of correct decryption, which boosts their reputation and increases the likelihood that victims will pay." – ESET

NoName has been using brute force to gain access to networks, but the threat actor also exploits several vulnerabilities that are more likely to be present in SMB environments:

    • CVE-2017-0144 (aka EternalBlue)
    • CVE-2023-27532 (a vulnerability in a Veeam Backup & Replication component)
    • CVE-2021-42278 and CVE-2021-42287 (AD privilege escalation vulnerabilities) via noPac
    • CVE-2022-42475 (a vulnerability in FortiOS SSL-VPN)
    • CVE-2020-1472 (aka Zerologon)

A recent report from Pure7, a cybersecurity company in Turkey, also mentions that CVE-2017-0290 has been exploited in NoName attacks via a batch file (DEF1.bat) that modifies the Windows Registry to disable Windows Defender features, services, or tasks.

NoName deploying RansomHub tools

NoName's ascension to the status of RansomHub affiliate was preceded by a set of moves showing the gang's commitment to the ransomware business. Since ScRansom was not an established name on the scene, the gang decided to take a different approach to increase its visibility.

In September 2023, CosmicBeetle set up an extortion site on the dark web branded 'NONAME,' which was a modified copy of the LockBit data leak site (DLS). The researchers discovered, after checking several DLS-tracking services, that it listed victims actually compromised by LockBit, not ScRansom.

The NONAME-branded portal
Source: ESET

In November 2023, the threat actor stepped up its impersonation effort by registering the domain lockbitblog[.]info and branding the DLS with the LockBit theme and logo.

Clone LockBit 3.0 site operated by CosmicBeetle
Source: ESET

The researchers also found some recent attacks where a LockBit sample was deployed but the ransom note carried a victim ID that they had already linked to CosmicBeetle. Moreover, the toolset used in the incident overlapped with the malware attributed to the CosmicBeetle/NoName threat actor.

"Using leaked builders is a common practice for immature ransomware gangs. It allows them to abuse the brand of their well-established rivals while also providing them with a ransomware sample that usually works properly." – ESET

While investigating a ransomware incident that began in early June with a failed ScRansom deployment, ESET researchers found that less than a week later the threat actor executed RansomHub's EDR killer on the same machine. The EDR killer is a tool that enables privilege escalation and the disabling of security agents by deploying a legitimate but vulnerable driver on targeted devices.

Two days later, on June 10, the hackers executed the RansomHub ransomware on the compromised machine.

The researchers note that the method used to extract the EDR killer was typical of CosmicBeetle and not of a RansomHub affiliate.

Since there are no public leaks of the RansomHub code or its builder, ESET researchers "believe with medium confidence that CosmicBeetle enrolled itself as a new RansomHub affiliate."

Although the affiliation with RansomHub is not certain, ESET says that the ScRansom encryptor is under active development. Combined with the switch from ScRansom to LockBit, this indicates that CosmicBeetle is not showing any signs of giving up.
