Criminals have been seen abusing the Amazon S3 (Simple Storage Service) transfer acceleration feature in ransomware attacks designed to steal victims’ data and upload it to S3 buckets under their control.
“Attempts were made to disguise the Golang ransomware as the infamous LockBit ransomware,” Trend Micro researchers Yaromir Khareisi and Nitesh Surana said. “However, this is not the case, and it appears that the attacker is only using LockBit’s popularity to further tighten the noose on their victims.”
Ransomware artifacts have been found to embed hard-coded Amazon Web Services (AWS) credentials to facilitate cloud data extraction, suggesting that adversaries are increasingly using popular cloud providers for malicious schemes.
The AWS account used by the company is believed to be their own or compromised. After responsible disclosure to the AWS security team, the identified access keys and AWS accounts were suspended.
Trend Micro reported that it discovered more than 30 samples with embedded AWS access key IDs and secret access keys, indicating active development. The ransomware is capable of targeting both Windows and macOS systems.
It is not known exactly how the cross-platform ransomware is delivered to the target host, but once launched, it obtains a Universally Unique Machine Identifier (UUID) and performs a series of steps to generate the master key needed to encrypt files.
After the initialization step, the attacker enumerates the root directories and encrypts the files that match the given list of extensions, but not before transferring them to AWS via S3 transfer acceleration (S3TA) for faster data transfer.
“After encryption, the file is renamed in the following format:
In its final stage, the ransomware changes the device’s wallpaper to display an image that mentions LockBit 2.0, presumably in an attempt to force the victim to pay.
“Threat actors can also disguise their ransomware sample as another, more well-known variant, and it’s not hard to see why: the notoriety of high-profile ransomware attacks makes victims more likely to do the attackers’ bidding,” the researchers said.
The development came when Gen Digital released a decoder for a Mallox a ransomware variant that was spotted in the wild between January 2023 and February 2024 exploiting a flaw in a cryptographic scheme.
“Ransomware victims can recover their files for free if they have been attacked by this particular Mallox variant,” researcher Ladzisław Zezula said. “The cryptographic flaw was patched around March 2024, so it is no longer possible to decrypt data encrypted by later versions of the Mallox ransomware.”
It should be noted that a branch of Operation Mallox, also known as TargetCompany, was discovered using a slightly modified version of the Kryptina ransomware, codenamed Mallox v1.0, to compromise Linux systems.
“The Kryptina-derived Mallox variants are branch-specific and separate from other Linux Mallox variants that have appeared since, indicating how the ransomware landscape has evolved into a complex menagerie of cross-pollinated toolkits and non-linear codebases,” SentinelOne Researcher Jim Walter noted at the end of last month.
Ransomware continues be a serious threat: 1,255 attacks were reported in the third quarter of 2024, up from 1,325 in the previous quarter, according to Symantec’s analysis of data obtained from ransomware leak sites.
Microsoft in its digital security report for the annual period from June 2023 to June 2024. said saw a 2.75-fold year-over-year increase in human-driven ransomware encounters, while the percentage of attacks that reached the actual encryption phase has tripled over the past two years.
Some of the main beneficiaries of the decline of LockBit after an international law enforcement operation Its infrastructure has been targeted in February 2024 by RansomHub, Qilin (aka Agenda) and Akira, the latter of which has returned to dual extortion tactics after a brief flirtation with only data theft and extortion attacks in early 2024.
“During this period, we began to see ransomware-as-a-service (RaaS) operators Akira develop a Rust version of their ESXi encoder, iteratively building on payload features while moving away from C++ and experimenting with different programming techniques,” Talos said. said.
There were also attacks involving Akira loan funds compromised VPN credentials and newly discovered security vulnerabilities to penetrate networks and to elevate privileges and move sideways in compromised environments as part of efforts to establish a deeper foothold.
Some of the vulnerabilities used by Akira affiliates are listed below –
“During 2024, Akira targeted a significant number of victims, clearly favoring organizations in the manufacturing and professional, scientific and technical services sectors,” said Talos researchers James Nutland and Michael Seliga.
“Akira may be moving away from using a Rust-based variant of Akira v2 and reverting to previous TTPs using Windows and Linux encoders written in C++.”
