This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim did not pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.

In October, 318 new victims were posted on ransomware leak sites. The top active gangs were LockBit (64), NoEscape (40), and PLAY (36). Major stories for the month included the takedown of several high-profile groups, including alleged Sony Systems attacker RansomedVC, new data shedding light on Cl0p’s education sector bias, and a deep-dive revealing the danger of the group behind September’s infamous casino attacks.

Last month three major ransomware groups—RansomedVC, Ragnar, and Trigona—were shut down, the first two by law enforcement and the third by Ukrainian hacktivists. Let’s dive into RansomedVC, a group which burst onto the scene in August and quickly gained notoriety for allegedly breaching several well-known companies. In late October, the lead hacker behind the group was seen on Telegram trying to sell the operation. Just days later, the account announced that it was “putting an end to” the group after learning that six of its affiliates may have been arrested. The group had posted 42 victims on their leak site at the time of their take down.

While law enforcement is yet to come forward confirming the RansomedVC arrests, the same is not true for RagnarLocker group, which Europol and Eurojust announced they had taken down last month. RagnarLocker started in 2019 and was responsible for numerous high-profile attacks against municipalities and critical infrastructure across the world. At the time of the takedown action, the group had posted a total of 42 victims on their leak site.

Trigona’s demise, on the other hand, was not at the hands of investigators but activists, highlighting the impact that broader geopolitical struggles can have on the ransomware landscape. In mid-October, the Ukrainian Cyber Alliance (UCA) breached the Trigona Confluence server and completely deleted and defaced their sites. Formed around 2016 to defend Ukraine’s cyberspace against Russian interference, the UCA used a public exploit for CVE-2023-22515 to gain access to Trigona infrastructure. Trigona is responsible for at least 30 attacks across various sectors since first emerging in October 2022.

Known ransomware attacks by ransomware group, October 2023

Known ransomware attacks by country, October 2023

Known ransomware attacks by industry sector, October 2023

In other October news, Resilience, a cyber insurance company, reported that 48% of all MOVEit cyberattack victims in its client base during the first half of 2023 were from the education sector. This suggests a possible targeting preference of the Cl0p campaign towards educational institutions. However, this figure might not fully represent the situation.

For instance, if Resilience has a higher proportion of clients in the education sector, it could bias the data towards that sector. On the other hand, data from Malwarebytes indeed indicates that while the education sector comprises only 3% of all MOVEit hosts, they account for 6% of the victims. However, this trend is likely not due to a deliberate focus by Cl0p, whose attacks were more opportunistic in scope, but rather because educational sectors often have fewer resources to promptly address vulnerabilities like those in MOVEit. Thus, the bias observed is more circumstantial than intentional. At any rate, given that the education sector frequently relies on third-party applications like MOVEit, the impact of Cl0p’s activities serves as a stark reminder for these institutions to adopt robust third-party security best practices.

Microsoft’s deep dive into Scattered Spider last month shed new light on the relatively new, albeit dangerous, ransomware gang who made headlines in September for attacking MGM Resorts and Caesar Entertainment. For small security teams, one of the most important findings about the group is their use of Living Of The Land (LOTL) techniques to avoid detection: Scattered Spider employs everyday tools like PowerShell for reconnaissance and stealthily alters network settings to bypass security measures. They also exploit identity providers and modify security systems, blending their malicious activities with normal network operations.

With the success of groups like Scattered Spider increasingly relying on LOTL attacks, it’s vital for defenders to focus on detecting anomalous activities within legitimate tools and network configurations. Strengthening monitoring and analysis capabilities can help identify and counter the subtle, sophisticated techniques employed by these ransomware gangs.

New(?) player: Hunters International

Hunters International is a new ransomware player suspected to be a rebrand of the Hive ransomware, which was shutdown in January 2023 by law enforcement. Despite Hunters International’s denial, claiming they are a distinct entity that purchased Hive’s source code, the overlap in their malware’s coding and functionality suggests a direct lineage from Hive.

Their activity, though limited, includes a notable attack on a UK school.

How to avoid ransomware

Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.

Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.

Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.

Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.

Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.

Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes – ​Read More

Some people believe that if you don’t click on dangerous links, open suspicious files, or install programs from untrusted sources, you don’t have to worry about malware infections. Unfortunately, this isn’t entirely true. There are so-called zero-click exploits that don’t require any actions of the targeted user.

Creating zero-click exploits requires both serious expertise and significant resources. The vulnerabilities needed for zero-clicks to work are, to say the least, not easily discovered — information about such security issues can cost hundreds of thousands, if not millions of dollars on the black market.

However, this does not mean that attacks using zero-click exploits are rare. Information about vulnerabilities (including those suitable for creating zero-click exploits) is often published by researchers on the Internet, sometimes along with proof-of-concept code. That is, after some time, any cybercriminal who follows infosec news will be able to use this vulnerability in their malware. Yes, software developers try to fix such vulnerabilities ASAP, but as we know, not everyone promptly installs updates.

Also, we should not forget about vulnerabilities in IoT devices, servers, and other connected systems such as network attach storage (NAS). All this equipment operates without constant human control, and therefore exploits designed to attack them do not rely on any user action. Either way, it’s worth at least knowing about zero-click attacks; even better — to take some measures to protect your company against them.

Examples of zero-click attacks

Using real-life examples of zero-click attacks, let’s see how they work in practice, and what methods the creators of these exploits use to achieve their goals.

The Operation Triangulation espionage campaign

Not long ago, employees of our company were attacked by an unknown group using, among other things, a zero-click exploit. After discovering it, we named this espionage campaign Operation Triangulation. Using Apple’s iMessage service, the attackers sent a message to the victim’s iPhone with a special attachment containing an exploit. Thanks to a previously unknown vulnerability in iOS, this exploit, without any user input, triggered the execution of malicious code that connected to a C2 server and gradually loaded additional malicious payload. It first elevated privileges using additional exploits and then launched a full-blown APT platform.

To get around the iPhone’s internal security mechanisms, the platform operated exclusively in the device’s RAM. It allowed the attackers to collect information about the owner and launch additional plugins downloaded from С2 servers. The infection was only detected thanks to our network event monitoring and analyzing system.

Of course, Apple quickly fixed this vulnerability, but it is not the first exploitation of a bug in iMessage that allows attackers to infect an iPhone using an invisible malware. Since attackers are actively researching this service, there is no guarantee that they will not find some alternative method and use it (possibly even for mass attacks).

Intellexa Predator spyware and a zero-click vulnerability in Safari

Another fairly recent example: Apple recently released an important update for iOS, macOS, and some other software products, fixing several serious vulnerabilities. A vulnerability in the WebKit (a browser engine used by Apple Safari browser) was exploited by a zero-click exploit, part of Intellexa Predator spyware.

First, the attackers waited for the moment when the victim accessed a website whose connection didn’t use encryption (that is, HTTP rather than HTTPS). After that, they conducted a man-in-the-middle (MITM) attack by redirecting the victim to an infected site. Then, the aforementioned vulnerability in the Safari browser was exploited — it allowed the attackers to execute arbitrary code on the iPhone without any action from the victim. Subsequently, the criminals used additional vulnerabilities to install spyware on the compromised iPhone.

Researchers also discovered a similar exploit chain that the creators of Predator used to infect Android smartphones. In this case, the zero-click attack was executed in the Chrome browser.

Earlier this year, we reported other vulnerabilities of this kind in both Apple Safari and Google Chrome. All of them enable the creation of malicious web pages that, in turn, infect with malware the smartphones or computers of users who visit them — again without any additional actions on the part of the victims.

How to defend against zero-click attacks

Since the primary danger of zero-clicks lies in the fact that their creators don’t require any active action at all by the victim, the usual principles of online hygiene aren’t very helpful here. However, there are still some things you can do to protect devices:

Keep software up to date — especially the operating system and all browsers installed on it.
If you have any reason to be concerned about attacks using high-level commercial spyware (such as NSO Pegasus), see our dedicated post with recommendations on how to defend against them.
For iPhone users, it’s good to use Lockdown Mode. This mode helps partially protect against serious attacks, but should by no means be considered a panacea.
Supply all corporate devices with a reliable protective solution that will take care of security during periods when new vulnerabilities are already being exploited, but the corresponding patches haven’t yet been released.
This also applies to iOS. Yes, due to Apple’s policy, there are no full-fledged antivirus solutions for this operating system. However, Kaspersky Endpoint Security for Business includes an application that does at least block dangerous web pages, thereby reducing the likelihood of vulnerabilities being exploited in the browser.

Kaspersky official blog – ​Read More

A question for many businesses these days isn’t “Will we get hacked?” but rather, “Might we have already been hacked unknowingly?” The stealthy nature of advanced cyberthreats means that organizations need to be continuously vigilant. To safeguard sensitive data and critical systems, many turn to various cybersecurity services – including compromise assessment services. While compromise assessment may sound similar to incident response, penetration testing, and/or managed detection and response (MDR), it serves a distinct purpose in the realm of cybersecurity. In this post, we explore the concept of a compromise assessment service and show how it differs from these other crucial cybersecurity operations.

What is a compromise assessment service?

A compromise assessment service is a proactive cybersecurity project-based measure designed to identify signs of compromise within an organization’s IT infrastructure. This assessment focuses on detecting threats or suspicious activities that may have gone unnoticed within an organization’s environment. The primary objectives of compromise assessment are typically the following:

To perform a tool-aided indicator of compromise (IoC) scan of all hosts in the IT infrastructure
To analyze network activity, including outgoing connections to potential attackers’ command and control servers
To conduct initial incident investigation to identify tools and techniques used for the attack (if signs of network compromise were found)
To reveal suspected sources of an attack and other likely compromised systems
To provide recommendations on further remediation actions

What’s the difference between compromise assessment (CA) and incident response (IR)?

Incident response is a reactive cybersecurity process, which comes into play once a security incident has been detected. IR teams are responsible for investigating the nature and scope of a breach, containing it, eradicating the threat, and restoring normal operations. Incident response aims to minimize the impact of security incidents and prevent their reoccurrence.

Both CA and IR share common approaches and methodologies – including collection and analysis of digital forensic artifacts (Prefetch, Amcache, etc.), usage of IoC-scanners to find compromised hosts, and binary reverse engineering to prove the presence of malicious functions in certain programs or scripts.

The primary differences between CA and IR are:

Aspect
Compromise assessment
Incident response

Primary goal
To identify missed/unknown incidents
To reduce the impact of an identified security breach or an attack on your IT environment

Input data
Doesn’t require technical data for the input
Requires technical data for the input: alert from security control, suspicious file, signal about data leakage, ransom note, etc., which obviously prove that an incident has occurred

Timing
– Periodic assessment project
– Precedes IR in identifying an incident
– Can follow IR to make sure of no other compromises
– Is initiated after security incident detection
– Follows compromise assessment if a breach is detected

Scope
Broad scan across entire organization’s network to find all signs of compromise

Only the network segments affected by the reported incident

What’s the difference between compromise assessment and penetration testing?

Penetration testing – often referred to as pentesting – is a simulated cyberattack on a system, network, or application to evaluate its security vulnerabilities. The primary goal of a pentest is to identify potential weak points that malicious hackers might exploit, thereby allowing organizations to strengthen their security posture.

Both penetration testing and compromise assessment activities require skilled professionals with a deep understanding of cyberthreats and defenses. While they have different primary objectives, both are proactive measures to understand and improve security.

The key differences between a penetration test and a compromise assessment.

Aspect
Penetration testing
Compromise assessment

Objective
To identify vulnerabilities before they’re exploited
To identify instances of successful exploitation of vulnerabilities

Scope
Predefined (e.g., specific systems, applications)
Typically, the whole organization

Methodology
Simulated cyberattacks using tools and manual techniques
To examine logs, network traffic, anomalies and system behaviors

What’s the difference between compromise assessment and managed detection and response

Managed detection and response services involve continuous monitoring, threat detection, and incident response by a third-party provider. MDR combines technology, human expertise, and threat intelligence to identify and respond to security threats in real time. The focus of MDR is on providing a holistic cybersecurity solution that includes both monitoring and response capabilities.

Both CA and MDR use a combination of advanced technologies, threat intelligence, and skilled analysts to identify potential security breaches and suspicious activities within an organization’s network.

The key differences between CA and MDR are as follows:

Aspect
Compromise Assessment
MDR

Timing
-Periodic assessment project (one-time assessment)
– no SLA for notifications
– Continuous 24/7 activity (ongoing service)
– Strict SLA for notifications

Analysis focus
– Past and current attacks
– Forensic state analysis
– Current attacks
– Behavioral monitoring

Sources of data for analysis
– EDR/NTA
– SIEM
– Digital footprint intelligence (darknet)
EDR/NTA

Conclusion

As cyberthreats become increasingly sophisticated, the traditional reactive approach to cybersecurity is no longer sufficient. A compromise assessment service offers a proactive solution, ensuring that organizations aren’t just waiting for the next breach but actively seeking out and neutralizing latent threats. By conducting such assessments, you can eliminate the residual risk of being breached without notice.

A compromise assessment service plays a critical role in proactively identifying potential compromises and security weaknesses within an organization’s network. While it may share some similarities with incident response, penetration testing, and managed detection and response services, it’s a project-flow activity whose primary focus is on proactive identification of unnoticed attacks that bypassed an organization’s security systems and processes.

Understanding the differences among these cybersecurity practices is crucial for organizations seeking to build a robust defense strategy. Each service has its place in an organization’s cybersecurity posture, and they can complement one another to create a comprehensive and effective corporate security framework. You can learn more or contact our Kaspersky Compromise Assessment experts at the service’s web page.

Kaspersky official blog – ​Read More