The Week in Ransomware – December 23rd 2022 – Targeting Microsoft Exchange

Reports this week illustrate how threat actors consider Microsoft Exchange as a prime target for gaining initial access to corporate networks to steal data and deploy ransomware.

CrowdStrike researchers reported this week that the Play ransomware operation utilized a new Microsoft Exchange attack dubbed ‘OWASSRF’ that chained exploits for CVE-2022-41082 and CVE-2022-41080 to gain initial access to corporate networks.

The ransomware operation then used this access to steal data and encrypt devices on the network.

As another example of Microsoft Exchange being heavily targeted by threat actors, ProDaft revealed this week that the FIN7 hacking group created an auto-attack platform called ‘Checkmarks’ that targets Microsoft Exchange.

This platform automatically scans for Exchange servers, exploits vulnerabilities to gain access, and then downloads data from the server.

FIN7 would then evaluate the company to determine if it was valuable enough to deploy ransomware.

TrendMicro also confirmed this week our September report that a Conti cell known as Zeon rebranded to Royal Ransomware.

Other reports this week shed light on various ransomware operations:

• A report on how Reveton was the precursor to Ransomware-as-a-Service operations.
• A report on the Nokoyawa ransomware operation.
• Vice Society finally gets its own custom ransomware encryptor instead of relying on other operations’ malware.
• A technical report on the Play ransomware, which has expanded its operations recently.

Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @FourOctets, @billtoulas, @DanielGallagher, @demonslay335, @struppigel, @jorntvdw, @LawrenceAbrams, @malwrhunterteam, @VK_Intel, @PolarToffee, @fwosar, @Ionut_Ilascu, @Seifreed, @malwareforme, @serghei, @IBMSecurity, @PRODAFT, @CrowdStrike, @LabsSentinel, @Fortinet, @zscaler, @TrendMicro, and @pcrisk.

December 19th 2022

Play ransomware claims attack on German hotel chain H-Hotels

The Play ransomware gang has claimed responsibility for a cyber attack on H-Hotels (h-hotels.com) that has resulted in communication outages for the company.

How Reveton Ransomware-as-a-Service Changed Cybersecurity

In 2012, Reveton ransomware emerged. It’s considered to be the first Ransomware-as-a-Service (RaaS) operation ever. Since then, RaaS has enabled gangs with basic technical skills to launch attacks indiscriminately. Now, nearly anyone can create highly effective malware campaigns.

December 20th 2022

Ransomware gang uses new Microsoft Exchange exploit to breach servers

Play ransomware threat actors are using a new exploit chain that bypasses ProxyNotShell URL rewrite mitigations to gain remote code execution (RCE) on vulnerable servers through Outlook Web Access (OWA).

Nokoyawa Ransomware: Rust or Bust

Nokoyawa ransomware was discovered in February 2022, sharing code with another ransomware family known as Karma. Nokoyawa ransomware’s lineage can further be traced back to Nemty ransomware. The original version of Nokoyawa ransomware was written in the C programming language and file encryption utilized asymmetric Elliptic Curve Cryptography (ECC) with Curve SECT233R1 (a.k.a. NIST B-233) using the Tiny-ECDH open source library combined with a per file Salsa20 symmetric key. Nokoyawa ransomware 2.0 still uses Salsa20 for symmetric encryption, but the elliptic curve was replaced with Curve25519.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .isal or .isza extensions.

December 21st 2022

Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks

Royal ransomware may have been first observed by researchers around September 2022, but it has seasoned cybercriminals behind it: The threat actors running this ransomware — who used to be a part of Conti Team One, according to a mind map shared by Vitali Kremez — initially dubbed it Zeon ransomware, until they rebranded it to Royal ransomware.

New HardBit 2.0 ransomware

PCrisk found the HardBit 2.0 ransomware that appends the .hardbit2 extension and drops ransom notes named How To Restore Your Files.txt.

New STOP ransomware variant

PCrisk found a new STOP ransomware variant that appends the .iswr extension.

December 22nd 2022

Vice Society ransomware gang switches to new custom encryptor

The Vice Society ransomware operation has switched to using a custom ransomware encrypt that implements a strong, hybrid encryption scheme based on NTRUEncrypt and ChaCha20-Poly1305.

FIN7 hackers create auto-attack platform to breach Exchange servers

The notorious FIN7 hacking group uses an automated attack system that exploits Microsoft Exchange and SQL injection vulnerabilities to breach corporate networks, steal data, and select targets for ransomware attacks based on financial size.

Ransomware Roundup – Play Ransomware

Play is a relative newcomer to the ransomware game, having been detected for the first time in June 2022. In this report, Play refers to both the group developing and distributing it and the name of the ransomware executable. Like many other operators in this space, Play has adopted the double-extortion methodology of encrypting endpoints and/or other infrastructure of value within an organization and then threatening to release exfiltrated data from those machines on the internet if a ransom is not paid.

That’s it for this week! Hope everyone has a nice holiday and we will return after the new year!

Source: https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-23rd-2022-targeting-microsoft-exchange/