Research Saturday 10.15.22
Ep 254 | 10.15.22

Noberus ransomware: evolving tactics.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Brigid O Gorman: Noberus is probably one of the most kind of prevalent ransomware threats we've seen over the last year or so. So the fact that it's been around for a year is actually probably almost notable at this point because many ransomware families now have kind of a shorter lifespan than that at the moment. 

Dave Bittner: That's Brigid O Gorman. She's a senior intelligence analyst with Symantec's threat hunter team. The research we're discussing today is titled "Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics." 

Dave Bittner: Well, they also have an interesting history here. Can you walk us through some of the background? 

Brigid O Gorman: Yeah, sure. Yeah, Noberus definitely has an interesting history. For those who may not be familiar with the name, Noberus is a name we use for the ransomware that's also very commonly called BlackCat or ALPHV. And this ransomware, as I said, first appeared in November 2021. And it sort of sparked, I suppose, interest at the time because it was written in Rust, and that was the first time we'd seen a ransomware that was written in that language being kind of professionally deployed sort of in ransomware attacks like this. And Rust is kind of an interesting language. It's very secure, and it's also cross-platform. So it would mean the ransomware could potentially be ported over and used on other platforms if the attackers or the developers wanted to do that. 

Brigid O Gorman: But, also, yeah, the kind of background of Noberus, then, is that it is essentially the successor to the Darkside and BlackMatter ransomware families and is believed to be developed by the same group, which is a group that Symantec tracks as Coreid but which is also, you know, commonly known as FIN7 as well. And obviously, Darkside would be a name, I think, familiar to a lot of people - anyone who kind of follows cybersecurity news - because that is the group that was behind the Colonial Pipeline ransomware attack back in May 2021, which sort of drew a lot of heat to the group at the time, I suppose. And that's what led it to rebrand as BlackMatter. And then they subsequently rebranded as Noberus, which is basically the latest rebrand of that group's ransomware, essentially. 

Dave Bittner: So my understanding is that this is operated as a ransomware-as-a-service type of thing here, and they do have some specific rules for their affiliates. Can you take us through some of that? 

Brigid O Gorman: Yeah. So that's it. Noberus is operated as a ransomware-as-a-service, which I - you know, I'm sure, obviously, most listeners to this podcast will understand what that means. But basically, it means, you know, Coreid, or the developers of Noberus, they control the ransomware, control the malware, but then its attacks are essentially carried out by what is known as affiliates - so basically, other groups who actually infiltrate the victims, the companies and deploy the ransomware on their networks. And most ransomware developers who operate these kind of programs, they do tend to have rules about how the ransomware can be used. And that's generally in an effort to, you know, prevent them from coming under too much scrutiny, shall we say. 

Brigid O Gorman: So Noberus, like many ransomware families - one of its rules is that it can't be deployed in the Commonwealth of Independent States or neighboring countries, which essentially are the, you know, ex-Soviet states and Russia, basically. They also say it can't be deployed on health care organizations or nonprofits. They also advise against attacking the education and government sectors. And as you said, these are all essentially to avoid their attacks drawing, you know, too much attention. 

Brigid O Gorman: And obviously, Coreid, which develops Noberus, I suppose, was stung in the past with its attack on the Colonial Pipeline drawing so much attention on it at the time. So those are kind of the main rules. The gang is interesting. It doesn't seem to have any, you know, issue with kind of dropping affiliates if it feels they kind of aren't, you know, performing up to the level they expect or bringing in enough money - they basically fire them. They will get rid of affiliates, it seems, fairly easily if they feel they're not doing a good enough job, essentially. 

Dave Bittner: Well, let's dig into some of the technical capabilities here. Can you walk us through what exactly is it capable of? 

Brigid O Gorman: Yeah, well, Noberus is - it's kind of interesting. It sort of - it underlines, I guess, for its affiliates, you know, what it's capable of doing. So, you know, it creates a unique entrance to its own onion domain for each attack that takes place. It also offers, you know, encrypted negotiation chats that can only be accessed by the intended victim. And that's something that seems to have become kind of more of a priority for ransomware gangs over the last couple of months or the year, I would say, as well. They really want to keep these negotiation chats private and prevent them being infiltrated by law enforcement or security researchers. 

Brigid O Gorman: I think - also one of the most interesting things, I think, about Noberus is that it offers - it actually offers four encryption modes. So it offers full encryption, fast encryption, DotPattern and SmartPattern encryption. Now, full encryption is obviously the most self-explanatory. It's the most secure, but it's also, obviously, the slowest mode of encryption. The most interesting one, I think, is the SmartPattern encryption because this, basically, is also known as intermittent encryption in other iterations by other ransomware groups. And it basically offers encryption of a certain number of megabytes in percentage increments. 

Brigid O Gorman: And for Noberus, by default, it encrypts with a strip of 10 megabytes every 10% of the file, starting from the header. And they say this is kind of the optimal mode for attackers in terms of both speed and also cryptographic strength. And SentinelLabs actually published a report about this kind of encryption recently, where they referred to it as intermittent encryption. And they said how it was used by Noberus. It's also used by Black Basta. It's also used by the PLAY ransomware, which is one of the newer ransomware families, as well. 

Brigid O Gorman: And I think it's quite interesting 'cause it nearly seems to be used at the moment by ransomware families as nearly a bit of a selling point, the fact that their ransomware is capable of deploying this intermittent encryption - you know, they're kind of using it as a selling point to try and get affiliates to use their ransomware because they're saying, you know, they're capable of encrypting files quicker than other ransomware, if they have to deploy full ransomware - or full encryption, I should say, and that kind of thing. So I think that's quite an interesting part of Noberus' operation. 

Dave Bittner: Yeah. That is really an interesting aspect of it. Help me understand here. I mean, so are they basically, you know, sprinkling the encryption throughout the files so they only have to encrypt a small percentage of it? Does that work on the flip side as well? If someone pays the ransom and wants to decrypt, do they get their files back faster? 

Brigid O Gorman: I presume they probably would because - now I'm not sure on that, but I presume because there will be less of the file to decrypt that it should decrypt faster. But, like, I guess the point of the intermittent encryption is that while the full file isn't encrypted, you know, the file is still useless, essentially. So from the perspective of you, as the victim, you know, the file is fully encrypted, and you can't access it. And so from your perspective, it's still just as serious as the full encryption. But from the attacker's perspective, it doesn't take as much time. 

Brigid O Gorman: And that's - like, that is the main point, we think, of the intermittent encryption because, obviously, the longer attackers are on a system, the longer it takes for them to encrypt these files, the more chance of their activity being intercepted and the more chance that they may not be able to complete the attack, which is obviously what they want to do. 

Dave Bittner: Now, is it correct that Noberus has, sort of, different tiers for the level of affiliates - they'll - if you do well for them, they'll give you access to some enhanced tools? 

Brigid O Gorman: Yeah. It just seems that Noberus are quite focused on attracting, I suppose, you know, strong affiliates to their team, affiliates that are capable of carrying out, you know, serious kind of high-money attacks because, as I said, they've no issue with culling affiliates if they're not bringing in enough money. And in December last year, December 2021, they added a new - what they called a plus role - for affiliates that had brought in more than 1.5 million U.S. dollars. 

Brigid O Gorman: And this gave them access to, basically, I suppose, extra capabilities, gave them access to kind of a DDoS capability - basically Noberus' botnet if they wanted to carry out DDoS attacks - as well as giving them access to their brute force kind of capabilities that made it possible for them to brute force NTDS or Kerberos tickets and other hashes for free, and things like that. So it does seem that, yeah, Noberus is definitely focused on kind of attracting these highly skilled affiliates to work with them. Seems to be quite a - you know, a priority for them. 

Dave Bittner: One of the things that your research highlights here is the Exmatter data exfiltration tool. Walk us through that. What are the capabilities there? 

Brigid O Gorman: Yeah. I thought this was quite interesting. So we saw this activity in August, just - so not too long ago. We basically saw a heavily updated version of the Exmatter data exfiltration tool being used alongside Noberus in ransomware attacks. And Exmatter was actually discovered by Symantec researchers in November 2021. And at that point, it was being used alongside the BlackMatter ransomware. So this is also, obviously, another indication of the kind of links between Noberus and BlackMatter as well. 

Brigid O Gorman: And Exmatter is designed basically to steal specific file types from a number of selected directories, and then upload these to an attacker-controlled server, and then the ransomware is deployed on victim networks. And even at the time when we found Exmatter, you know, first, back in November 2021, there were various variants of the tool, and there have been more since then - because even initially, its developers were kind of continuously refining it, it seemed, in order to optimize its operation, in order to expedite exfiltration of kind of, you know, a sufficient volume of this high-value data as quickly as they could. Again, you know, speed being an - like, one of the goals for ransomware actors, too. 

Brigid O Gorman: But this latest version of Exmatter - it's actually reduced the number of file types it attempts to exfiltrate, down further than even what it was. So, you know, it attempts to exfiltrate, you know, I suppose, surprising files with extensions like PDF, .doc, .xls, JPEG files, text files, SQL files, message files, ZIP files, all those kinds of files - they're still out looking to exfiltrate. They've also added some other new features. They've added a third exfiltration capability - FTP - to the SFTP and WebDav capabilities that were present in older versions. They've also added the ability to build a report that lists processed files. They've also added the ability to corrupt processed files. 

Brigid O Gorman: Interestingly as well, they've added a self-destruct capability or configuration option, which, when it's enabled, will basically make the tool self-destruct and quit if it's executed in a non-corporate environment. So obviously, that's kind of an anti-analysis step it's taking there - in case it suspects it's being deployed in a sandbox or anything like that. And as well as this, the malware itself was extensively rewritten. And even its existing features are kind of implemented differently. 

Brigid O Gorman: So it's likely that that's all a bid to avoid detection, unsurprisingly, as obviously there's detections in place for the original Exmatter tool. But, yeah, it's quite an interesting tool. I mean, it's not 100% clear if Exmatter is developed by Coreid itself or if it's developed by one of the affiliates that use Coreid's ransomware. But it's obviously notable that it's been used alongside both BlackMatter and Noberus as well. 

Dave Bittner: Another thing that you all tracked here was evidently Noberus was trying to steal some credentials from some backup software. 

Brigid O Gorman: Yeah. This was kind of interesting as well. So this, again, at least one of the affiliates that was using the Noberus ransomware recently - again, this actually happened in August as well, so August seems to be kind of an active month for affiliates deploying Noberus. But they were using information-stealing malware that's specifically designed to steal credentials that are stored by the Veeam backup software. Now, Veeam is a software that's capable of storing credentials for a wide range of systems, including, notably, domain controllers and also cloud services. These credentials are stored to facilitate the backup of these systems. And the malware that was deployed was called Infostealer.Eamfo. 

Brigid O Gorman: And, basically, it's designed to connect to the SQL database where Veeam stores these credentials, and then it steals them with a SQL query, essentially. It can then decrypt these credentials and then displays them to the attackers, of course. So Eamfo, it's not a new tool. It seems to have been around since last year, around August 2021. And there is evidence it has previously been used by attackers who have deployed the Yanluowang and the LockBit ransomware families. And there was also a report from BlackBerry recently, just a couple of weeks ago, that also detailed Eamfo being used alongside a new ransomware strain as well that it was calling Monti, which it says appears to be based on the leaked source code of the Conti ransomware. 

Brigid O Gorman: And the TTPs that were used in these Monti attacks closely resemble former Conti attack chains. So it's possible that Conti was behind these Monti attacks as well. So they may be former affiliates of the group. And, of course, as we know, Conti was shut down in May. And many of the former affiliates are now working with other ransomware, other ransomware families. And I mean, among them is Noberus as well. 

Brigid O Gorman: Like, ex-Conti affiliates are believed to be deploying Noberus as well. So it's possible that that's what we're seeing here. So stealing credentials from Veeam - it is a known technique. It allows for privilege escalation, lateral movement, basically gives the attackers access to more data to exfiltrate, more machines to encrypt as well. 

Brigid O Gorman: And something notable as well in these attacks we saw where Eamfo was used was also that a relatively old rootkit scanner called GMER was also used. And this can be used by ransomware actors to kill processes. And it's interesting because it's quite an old tool, but it has been seen used in a few ransomware attacks recently. So it just seems to be something that ransomware attackers are leveraging a bit at the moment as well. 

Dave Bittner: Well, based on the information that you all have gathered here, what are your recommendations? How should folks best protect themselves? 

Brigid O Gorman: I think the usual, I suppose, kind of recommendations apply, you know, when it comes to ransomware attacks. I think the advice doesn't generally change about these kind of things. You know, it's ensuring you have your backups in place, so you have a good, like, comprehensive security solution in place that can help protect you from - you know, it's not only a case of blocking the malware often for ransomware attacks. Like, sometimes if it's a case - if you're blocking the ransomware, it's nearly too late. It's kind of trying to spot the kind of pre-ransomware activity. That can be very important for preventing these ransomware attacks. So it's really to make sure you're taking all the steps to avoid these ransomware attacks, that you have that good security solution in place that would hopefully spot this activity before the ransomware has a chance to be deployed on your systems, really. 

Dave Bittner: Our thanks to Brigid O Gorman from Symantec for joining us. The research is titled "Noberus Ransomware - Darkside and BlackMatter Successor Continues to Evolve its Tactics." We'll have a link in the show notes. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.