Ransomware Industry Sees Three New EntrantsGroup Using Payload.bin Joins the Fray, Along With Prometheus and Grief
Three new ransomware groups - Prometheus, Grief and an unidentified group using Payload.bin - have separately threatened to release or have already put on sale stolen data from government and private entities, according to cybersecurity solutions provider Resecurity.
The unidentified group that claims to operate TOR resource Payload.bin has threatened to release stolen data from Polish video game developer CD Projekt Red, Resecurity told Information Security Media Group on Wednesday.
Resecurity adds that it claims to have released the first archive with 122GB of data, to be followed by another 92GB of data. It says that the actors may be related to Babuk or HelloKitty ransomware, citing undisclosed underground sources.
The development comes months after CD Projekt Red disclosed a ransomware attack on encrypted devices on its network:
Important Update pic.twitter.com/PCEuhAJosR— CD PROJEKT RED (@CDPROJEKTRED) February 9, 2021
Tech publication ZDNet reports that the source code for Cyberpunk 2077, Witcher 3, Gwent and an unreleased version of Witcher 3 were stolen.
The actors failed to receive payment from the company, which led them to auction the data in the underground marketplace, according to a February Bleeping Computer report.
The report describes the hack as possibly one of the most notable ransomware deals known in the underground, comparable to recent Quanta/Apple extortion activity, adding: “It is likely they are trying to continue 'pressing' CD Projekt Red to get paid or to leak their data because it became useless for them after possible deals in the underground."
Two Other Groups in the Fray
The other two ransomware additions this week are dubbed Prometheus and Grief.
Prometheus found its latest victim on Tuesday, in Singapore-based FMCG sales and distribution company Bhavna, Resecurity told ISMG.
The same day, it also released data of 27 victims, including Ghana National Gas, Tulsa Cardiovascular Center of Excellence and Hotel Nyack in New York, as well as enterprises in France, Norway, Switzerland, Netherlands, Brazil, Malaysia and the UAE, according to Resecurity.
The leaks come on the back of the alleged attack on the Mexican government, in which Resecurity reports Prometheus stole and put on sale data from email accounts via business email compromise (BEC) and account takeover (ATO). Nearly half of all affected victims paid ransoms or had their data sold to interested parties, though the exact figures are not provided.
The Prometheus group reportedly claimed ties with ransomware peer REvil through its updated logo, which ISMG has not been able to substantiate. But Resecurity notes, “Some ransomware actors are not new groups at all in practice, but existing affiliates of a well-established groups like REvil.”
Resecurity data shows that initially Prometheus leveraged Sonar, a secure data transfer tool deployed in TOR networks providing API. It switched to an automated ticket-based system in which the victim can provide ID and submit payment in BTC or XMR cryptocurrency for further decryption process automatically.
“We saw several different samples of Prometheus which presumably have been developed at different times, the majority of them using AES 256-bit encryption and appended specific extension (typically, "PROM"). A 'brute-force' type of attack is useless against the AES algorithm on typical victim computers, as it would potentially take billions of years to crack it,” says Resecurity.
“The group attacks victims chosen in a selective way. It focuses on companies in market verticals that may express significant difficulties if their network is blocked and business processes interrupted. Typically, these companies actively use IT for their business," Resecurity adds.
The claim that nearly half of Prometheus' victims paid ransoms shows “an astoundingly high success rate,” says Paul Bischoff, privacy advocate at security, privacy and networking services testing firm Comparitech.
Why is Prometheus so successful? “It’s good at picking its targets. Second, the attack is two-pronged: First, data is stolen from compromised servers. Then, ransomware is planted on the server to encrypt the original files, making them unusable. A traditional ransomware attack only includes the latter, but more often (now), we see attacks that steal and encrypt data. This allows the attacker to collect ransom from the victim in exchange for the decryption key and sell the stolen data on the dark web," Bischoff says.
Grief claims to have data stolen from five organizations, including those in Mexico, the U.S. and Italy.
Security Affairs reported that the Grief website in the TOR network has an "anti-crawl" protection preventing cybersecurity researchers from automated indexing of its content by various cyberthreat intelligence platforms and their bots.
“The ransomware actors include speculative tactics related to GDPR regulations, attempting to convince them to pay ransoms to avoid a GDPR fine, which can be much higher," Resecurity says.
“Attackers might promise victims that their data won't be sold on the dark web if they pay up quickly. ... Many governments levy fines on companies that are breached, and those fines can dwarf the ransom payment. In effect, laws aimed at preventing data breaches could result in more companies paying ransoms to criminals to avoid fines," Bischoff says.
Infected email attachments (macros), torrent websites and malicious ads are the main delivery vectors for the new groups, Resecurity reports. “Ransomware actors are focusing on 'hack-and-leak' operations and double extortion. In addition to ransomware deployment, they exfiltrate data from victims’ network to manipulate them,” it says.
Crossovers of new strains with well-established tools point at experienced hackers breaking off from previous operations to “develop new, unfamiliar strains with their successful coding, in the hope that they will not been detected," Natalie Page, threat intelligence analyst at cybersecurity services and managed security services provider Talion, suggests.