Ransomware continues to loom large over the cybersecurity landscape, causing significant damage to individuals and organizations alike.
With the difficulty of recovering encrypted files and the potential exposure of stolen data, it is essential to keep track of active ransomware families. Let’s explore three notable threats that are on the rise right now and show how sandbox analysis can help proactively identify them.
BlueSky Ransomware
The BlueSky ransomware, first identified during Q2 of 2022, remains a significant cybersecurity threat in the current landscape. It is designed to exploit the Windows multithreading architecture, allowing it to encrypt files more rapidly.
This malicious software employs sophisticated encryption methods, using the symmetric encryption algorithm ChaCha20. It is also capable of lateral movement and can infect multiple endpoints belonging to the same network.
Once the encryption process is complete, the ransomware modifies the names of the affected files, adding the .bluesky extension. It also creates a ransom instruction file requiring victims to pay a ransom by visiting a page hosted on Tor.
Recent attacks involving this ransomware have been traced back to initial compromises of Microsoft SQL Servers, which ransomware operators frequently target through vulnerabilities or brute-force attacks.
The BlueSky ransomware incorporates defenses against analysis attempts, making it difficult for cybersecurity researchers to study and develop countermeasures.
Detecting and Analyzing BlueSky Ransomware in a Sandbox
Despite BlueSky’s anti-analysis functionality, we can easily expose it by uploading its sample to a free malware sandbox like ANY.RUN, which offers a safe virtual environment for detonating it.
See this analysis session for more details.
The service instantly detects the malware and notifies us about its presence by adding the corresponding tags “bluesky” and “ransomware”. It also lists the activities carried out by the program including:
- File renaming.
- Creation and dropping of a ransom note containing instructions on how to decrypt the locked files. Thanks to its interactivity, the sandbox lets us open this note manually and read its contents.
- A Tor network URL inside the note, which the victim is instructed to visit to make the ransom payment.
Once the analysis is finished, we are provided with a detailed report that contains all the crucial information collected during the file execution, including indicators of compromise.
Lockbit Ransomware
Lockbit ransomware has been a prominent cybersecurity threat since its emergence in 2019. It operates as a Ransomware-as-a-Service (RaaS), providing its software to affiliates who then execute attacks. One of its most significant targets was the Royal Mail, with the attackers demanding an unprecedented ransom fee of $80 million.
Lockbit ransomware encrypts files using the Advanced Encryption Standard (AES) and then encrypts the AES key with the RSA algorithm. This double encryption makes it extremely challenging for victims to recover their data without the decryption key.
However, before encryption, the malware extracts all the data from the infected machines, adding an extra layer of extortion.
The Lockbit group maintains a website listing their victims, applying pressure on companies to pay the ransom. If the victims refuse to comply, their stolen data is made public.
The Lockbit ransomware has consistently evolved, with the most recent version being Lockbit v3, also known as Lockbit Black.
Despite a coalition of law enforcement agencies dismantling its infrastructure in early 2024, Lockbit has now resumed its operations.
One recent campaign involved the distribution of phishing emails with the assistance of the Phorpiex botnet. The malware was disseminated within archives attached to these emails.
Detecting and Analyzing LockBit Black Ransomware in a Sandbox
To avoid a LockBit infection, we can proactively analyze all suspicious files, including email attachments, in a sandbox.
As part of the analysis, we can observe:
- A CMSTPLUA process that performs privilege escalation, allowing the ransomware to gain higher-level access to the system.
- A desktop wallpaper change, a common tactic ransomware operators use to notify victims that their systems have been compromised.
- A ransom note file containing instructions and Tor URLs for communicating with the attackers.
The sandbox provides a conclusive verdict, classifying the analyzed file as exhibiting malicious activity.
Beast Ransomware
Beast ransomware is written in the Delphi programming language. It emerged in March 2022 under the name Monster ransomware. Unlike many ransomware variants that target only Windows systems, Beast can also attack Linux machines.
The malware is designed to spare victims located in CIS countries, suggesting that its creators may be based in this region. Beast employs an advanced encryption method that includes additional modules, such as archiving each encrypted file.
The malware is primarily distributed via email attachments and links, exploiting human vulnerability to phishing attacks. Despite being an emerging ransomware, Beast has the potential to become a serious and widespread threat, similar to LockBit.
Detecting and Analyzing Beast Ransomware in a Sandbox
By running suspicious files and URLs in a sandbox, we can easily expose Beast and other malware.
Consider this analysis session.
Some of the Beast activities detected by the service include:
- Creation of a mutex characteristic of the Beast malware.
- Attempt to obtain the host’s IP address.
- Connection to an external SMB server.
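As an added illustration of how the behaviours listed in the three sections above (mass renaming of files to a new extension, a ransom note carrying a Tor URL, a wallpaper change, CMSTPLUA-based privilege escalation, mutex creation) can be turned into simple detection logic over sandbox-style events, here is an example script; it is not ANY.RUN's code, and the event format, action names and every sample value are constructed for this example.

```python
import re
from collections import Counter

# Constructed sandbox-style events (process, action, detail); not real ANY.RUN output.
SAMPLE_EVENTS = [
    ("sample.exe", "file_rename", r"C:\docs\a.docx -> C:\docs\a.docx.bluesky"),
    ("sample.exe", "file_rename", r"C:\docs\b.xlsx -> C:\docs\b.xlsx.bluesky"),
    ("sample.exe", "file_rename", r"C:\docs\c.pdf -> C:\docs\c.pdf.bluesky"),
    ("sample.exe", "file_write", r"C:\docs\# DECRYPT FILES BLUESKY #.txt: visit http://blueskynotexample3.onion"),
    ("sample.exe", "registry_set", r"HKCU\Control Panel\Desktop\Wallpaper = C:\temp\note.bmp"),
    ("sample.exe", "com_create", "CMSTPLUA elevation interface (constructed label)"),
    ("sample.exe", "mutex_create", r"Global\ConstructedBeastMutex"),
]

ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion\b", re.I)  # Tor hidden-service URL
RENAME_RE = re.compile(r"^(?P<src>.+?) -> (?P<dst>.+)$")

def appended_extension(src, dst):
    """Return the extension a rename appended (e.g. '.bluesky'), or None if it is not a plain append."""
    if dst.startswith(src) and len(dst) > len(src) + 1 and dst[len(src)] == ".":
        return dst[len(src):].lower()
    return None

def analyze(events, rename_threshold=3):
    """Map events to the ransomware behaviours described above and return findings plus a verdict."""
    findings = {}
    ext_counts = Counter()
    for _proc, action, detail in events:
        if action == "file_rename" and (m := RENAME_RE.match(detail)):
            ext = appended_extension(m["src"], m["dst"])
            if ext:
                ext_counts[ext] += 1
        elif action in ("file_create", "file_write") and (u := ONION_RE.search(detail)):
            findings["ransom_note_tor_url"] = u.group(0)  # note pointing victims to a Tor page
        elif action == "registry_set" and r"Control Panel\Desktop\Wallpaper" in detail:
            findings["wallpaper_change"] = detail
        elif action == "com_create" and "CMSTPLUA" in detail.upper():
            findings["privilege_escalation"] = detail
        elif action == "mutex_create":
            findings.setdefault("mutexes", []).append(detail)
    for ext, n in ext_counts.items():
        if n >= rename_threshold:  # many files renamed to one new extension: mass encryption
            findings["mass_rename"] = (ext, n)
    hits = len(findings)
    findings["verdict"] = "malicious" if hits >= 2 else "suspicious" if hits else "clean"
    return findings

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

The rename threshold and the two-finding verdict rule are tuning knobs chosen for this example, not thresholds used by the sandbox.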
Analyze Suspicious Files and URLs in ANY.RUN
The ANY.RUN sandbox offers an interactive approach to malware analysis. You can engage with the files and links in a safe virtual environment and perform all the necessary actions to investigate each threat’s true extent.
The service automatically detects and lists all activities across network traffic, registry, file system, and processes and extracts indicators of compromise.
The post Exclusive! Analysis of 3 Ransomware Threats Active Right Now appeared first on Cyber Security News.