At a glance.
- A look at the ransomware threat landscape.
- BlackMatter affiliate connected to BlackCat.
- EXOTIC LILY provides initial access for ransomware actors.
A look at the ransomware threat landscape.
Red Canary has published a report on the threat landscape in 2021. The researchers found that ransomware "dominated the threat landscape" last year, with double-extortion becoming the norm. The report explains that while some ransomware gangs appeared to retire last year, many of their members appeared to resurface under different branding:
"Challenges in understanding the ransomware landscape are not limited to tracking affiliates and payloads. Defenders must also contend with new groups emerging and others seemingly disappearing (often to be reincarnated in a different form as another group). Some of the ransomware families we bid farewell to in 2021 were Egregor, Sodinokibi/REvil, BlackMatter, and Doppelpaymer. While some seemed to fade away due to law enforcement actions, others disappeared for reasons that researchers haven’t pinned down.
"Where one ransomware family disappeared, however, another was ready to step into its place. 2021 saw the dawn of many new ransomware families, including BlackByte, Grief, Hive, Yanluowang, Vice Society, and CryptoLocker/Phoenix Locker. Many new ransomware families displayed close similarities to old families that 'disappeared,' leading analysts to assess that known adversaries simply resurfaced using a new name. For example, Grief ransomware displayed many similarities to Doppelpaymer, including its deployment following Dridex malware."
BlackMatter affiliate connected to BlackCat.
Researchers at Cisco Talos describe the operations of the ransomware-as-a-service (RaaS) operation "BlackCat," which appears to be made up of affiliates of other RaaS groups, including BlackMatter:
"While researching a BlackCat ransomware attack from December 2021, we observed a domain (and respective IP addresses) used to maintain persistent access to the network. This domain had also been used in a BlackMatter attack in September 2021. Further analysis revealed more commonalities, such as tools, file names and techniques that were common to both ransomware variants.
"Affiliates are responsible for compromising systems and deploying ransomware, so it is likely that attacks carried out by the same ransomware family may differ in techniques and procedures. On the other hand, RaaS operators are known to make training materials and general techniques and tools available to their affiliates, like the leaked Conti ransomware playbook covered by Talos in a previous blog. This may suggest there are some similarities across affiliates.
"One difference we would expect to see across RaaS affiliates is the command and control (C2) infrastructure used for certain attacks. However, the overlapping C2 address found used in the BlackMatter and BlackCat attacks leads us to assess with moderate confidence that the same affiliate was responsible for both attacks. This connection suggests that a BlackMatter affiliate was likely an early adopter — possibly in the first month of operation — of BlackCat. This is further evidence to support the rumors that there are strong ties between BlackMatter and BlackCat."
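The attribution logic Talos applies above, shared C2 infrastructure weighing far more than shared tools or file names because RaaS operators hand the same playbooks to every affiliate, can be written down as a small scoring helper. This is an added example, not code from Talos or from this page; the weights, thresholds, indicator classes and every indicator value (the placeholder domain and the TEST-NET IP address) are constructed.

```python
from dataclasses import dataclass, field

# Weight per shared value of each indicator class (assumed, illustrative).
WEIGHTS = {"c2": 0.3, "tool": 0.1, "filename": 0.05}

@dataclass
class Intrusion:
    family: str
    observed: str  # month of the intrusion
    indicators: dict = field(default_factory=dict)  # class -> set of values

def shared_indicators(a: Intrusion, b: Intrusion) -> dict:
    """Return values present in both intrusions, keyed by indicator class."""
    return {cls: a.indicators.get(cls, set()) & b.indicators.get(cls, set())
            for cls in WEIGHTS}

def overlap_score(a: Intrusion, b: Intrusion) -> float:
    """Sum the class weight for every shared value, capped at 1.0."""
    shared = shared_indicators(a, b)
    return min(1.0, sum(WEIGHTS[c] * len(v) for c, v in shared.items()))

def assess(a: Intrusion, b: Intrusion) -> str:
    """Map the score to an analyst-style confidence that one affiliate did both."""
    s = overlap_score(a, b)
    if s >= 0.8:
        return "high"
    if s >= 0.4:
        return "moderate"
    return "low"

# Constructed sample data mirroring the case above: one persistence domain and
# its IP address (placeholders) reused between a September and a December intrusion.
BLACKMATTER_SEP = Intrusion("BlackMatter", "2021-09", {
    "c2": {"persist.example", "203.0.113.10"},
    "tool": {"remote-admin-tool", "archiver"}, "filename": {"update.exe"}})
BLACKCAT_DEC = Intrusion("BlackCat", "2021-12", {
    "c2": {"persist.example", "203.0.113.10"},
    "tool": {"remote-admin-tool"}, "filename": {"update.exe"}})
# A third intrusion that only reuses a tool, which a shared playbook explains.
UNRELATED = Intrusion("BlackCat", "2021-12", {
    "c2": {"other.example"}, "tool": {"remote-admin-tool"}})

if __name__ == "__main__":
    print(assess(BLACKMATTER_SEP, BLACKCAT_DEC))  # moderate
    print(assess(BLACKMATTER_SEP, UNRELATED))     # low
```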
EXOTIC LILY provides initial access for ransomware actors.
Google's Threat Analysis Group (TAG) is tracking a financially motivated actor that works with the Russia-based cybercriminal group FIN12 (also known as Wizard Spider), and serves as an initial access broker (IAB) for ransomware groups such as Conti. TAG tracks this IAB group as "EXOTIC LILY," noting that the actor relies on targeted social engineering attacks to gain access to organizations:
"EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol. At the peak of EXOTIC LILY’s activity, we estimate they were sending more than 5,000 emails a day, to as many as 650 targeted organizations globally. Up until November 2021, the group seemed to be targeting specific industries such as IT, cybersecurity and healthcare, but as of late we have seen them attacking a wide variety of organizations and industries, with less specific focus.
"We have observed this threat actor deploying tactics, techniques and procedures (TTPs) that are traditionally associated with more targeted attacks, like spoofing companies and employees as a means of gaining trust of a targeted organization through email campaigns that are believed to be sent by real human operators using little-to-no automation. Additionally and rather uniquely, they leverage legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver the payload, further evading detection mechanisms. This level of human interaction is rather unusual for cyber crime groups focused on mass scale operations."