Updates on Royal, LockBit 3.0, Hunters International & ALPHV Ransomware Groups
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an updated cybersecurity advisory on Royal ransomware, a group that is believed to be preparing to shut down and rebrand.
Royal ransomware first emerged in September 2022 and is believed to be an offshoot of the Conti ransomware operation, with a brief spell operating as Quantum in between. The operation has been prolific: according to the FBI, it has conducted more than 350 attacks since September 2022 and has issued ransom demands totaling more than $275 million. Royal is a private ransomware group (it does not operate as ransomware-as-a-service) that has targeted organizations in healthcare and public health (HPH), education, manufacturing, and communications. The volume of attacks on HPH sector organizations prompted an earlier joint advisory from CISA, the FBI, and the Department of Health and Human Services (HHS), which shared the group's tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs); both have been updated in the latest advisory.
In May 2023, a new ransomware variant was detected that shared several coding similarities with Royal ransomware and was deployed using similar intrusion techniques. Researchers at Trend Micro compared the two with BinDiff and found them almost identical: 98% similarity in functions, 98.5% in basic blocks, and 98.9% in jumps. Both groups have been observed using the same software and open source tools, including Chisel and Cloudflared for network tunneling; SSH clients such as OpenSSH and MobaXterm for SSH connections; Mimikatz and NirSoft utilities for credential harvesting; and similar remote access tools.
Alongside those similarities was the timing. The new variant, BlackSuit, appeared shortly after Royal had conducted a major attack on the City of Dallas, which attracted considerable attention from law enforcement, and ransomware groups commonly rebrand after such high-profile attacks. This led security researchers to believe that Royal was about to rebrand. Royal did not rebrand immediately, and it has been suggested that the new variant did not work as intended and the rebrand was delayed. Alternatively, BlackSuit could be a spinoff of Royal. Either way, CISA and the FBI are convinced that the two ransomware variants are linked.
LockBit 3.0 Exploiting Citrix Bleed Vulnerability
The LockBit 3.0 group has been exploiting Citrix Bleed, a critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances, to gain initial access to victims' systems. The vulnerability, tracked as CVE-2023-4966, was patched by Citrix in October 2023; however, many organizations have been slow to apply the update and are still running vulnerable appliances.
According to security researcher Kevin Beaumont, who has been tracking the group's attacks, several of LockBit's recent victims had Internet-exposed Citrix appliances that were vulnerable to Citrix Bleed, and the flaw appears to have been exploited using a publicly available exploit.
More than 3,000 Citrix appliances in the United States are currently exposed to the Internet and vulnerable to Citrix Bleed, which can be exploited remotely with no user interaction. Immediate patching is strongly recommended. The Health Sector Cybersecurity Coordination Center (HC3) has issued an HPH sector alert about the activity.
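As an added example (not from the article, Citrix, or HC3), the following Python script triages an inventory of NetScaler version strings against the builds that fixed CVE-2023-4966. It exists because the obvious shortcut, comparing version strings lexically, gets this wrong: "92.9" sorts after "92.19" as text but is the older build. The fixed-build table is an assumption taken from Citrix's October 2023 bulletin (CTX579459) rather than from the article, and the hostnames and version strings are constructed; verify the table against the current vendor advisory before relying on the output.

```python
import re

# Assumed fixed builds for CVE-2023-4966 as published in Citrix's October 2023
# bulletin (CTX579459). These figures are not from the article above; verify
# them against the current vendor advisory before acting on the output.
FIXED_BUILDS = {
    # (branch, fips_or_ndcpp): first fixed (build, point), compared numerically
    ("14.1", False): (8, 50),
    ("13.1", False): (49, 15),
    ("13.0", False): (92, 19),
    ("13.1", True): (37, 164),   # NetScaler 13.1-FIPS
    ("12.1", True): (55, 300),   # NetScaler 12.1-FIPS and 12.1-NDcPP
}
# 12.1 (non-FIPS) was already end of life and received no fix, so it is
# deliberately absent: any branch without an entry is treated as vulnerable.

# Two accepted input shapes: the 'show version' CLI line
# ("NetScaler NS13.1: Build 49.13.nc, Date: ...") and the short form used in
# inventories and the bulletin ("13.1-49.13").
CLI_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)", re.IGNORECASE)
SHORT_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(text):
    """Return (branch, (build, point)) for a NetScaler version string."""
    m = CLI_RE.search(text) or SHORT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_vulnerable(text, fips=False):
    """True if the build predates the fix, or if the branch has no fix at all.

    The operator must pass fips=True for FIPS/NDcPP appliances: the version
    string alone does not distinguish them, and they have different fixed builds.
    """
    branch, build = parse_version(text)
    fixed = FIXED_BUILDS.get((branch, fips))
    if fixed is None:
        return True           # EOL or unknown branch: no fix exists, assume exposed
    return build < fixed      # tuple comparison is numeric: (92, 9) < (92, 19)


def triage(inventory):
    """Return the sorted hostnames in an inventory that still need patching.

    inventory: iterable of (hostname, version_string, is_fips) tuples.
    """
    return sorted(host for host, ver, fips in inventory if is_vulnerable(ver, fips))


# Constructed sample inventory; hostnames and builds are made up for illustration.
SAMPLE_INVENTORY = [
    ("gw-01.example.internal", "NetScaler NS13.1: Build 49.13.nc, Date: Jul 10 2023", False),
    ("gw-02.example.internal", "NetScaler NS13.1: Build 49.15.nc, Date: Oct  5 2023", False),
    ("gw-03.example.internal", "13.0-92.9", False),    # lexically > "92.19", numerically older
    ("gw-04.example.internal", "13.0-92.19", False),
    ("gw-05.example.internal", "NetScaler NS12.1: Build 65.39.nc", False),  # EOL branch
    ("gw-06.example.internal", "12.1-55.300", True),   # FIPS build at the fixed level
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"VULNERABLE: {host}")
```

Two caveats when using this. First, the branch and build tell you whether the appliance is patchable, not whether it is clean: Citrix Bleed leaks session tokens, and a token captured before the upgrade stays usable until its session is terminated, so active and persistent sessions should be killed after patching. Second, the script treats any branch it does not know as vulnerable; that is deliberate, because an appliance on an unsupported branch cannot be fixed in place and must be upgraded.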
Hunters International Ransomware Group Takes over from Hive
Hive, one of the most notorious ransomware groups of recent years, was shut down in January 2023 following an international law enforcement operation. The group had extorted more than $100 million in ransom payments and conducted more than 1,500 attacks worldwide, including many on healthcare organizations.
Following law enforcement takedowns, ransomware groups often go quiet and then reemerge months later with a new ransomware variant. A new threat group, Hunters International, has since emerged, and security researcher BushidoToken has identified several similarities with Hive, including coding overlaps and a roughly 60% match between the two groups' code.
According to a recent report from Martin Zugec, technical solutions director at Bitdefender, a member of the Hunters International group issued a statement asserting that Hive and Hunters International are two separate groups and that Hive's source code and infrastructure were acquired. According to the statement, Hive sold its source code, website, and old Golang and C versions, and Hunters International purchased them. The Hunters International spokesperson said that encryption is not the group's primary goal, which is why it did not develop everything from scratch. Bitdefender's research uncovered evidence suggesting the adoption of Hive's code rather than a rebrand, corroborating Hunters International's statement. Bitdefender's analysis, recommendations, and IoCs are available in its report.
ALPHV/BlackCat Ransomware Group Reports Victim to SEC
The ALPHV/BlackCat ransomware group has been observed using Google Ads to deliver malware and gain initial access to victims' systems, according to recent research from eSentire. The group has been targeting business professionals by promoting popular software such as Advanced IP Scanner and Slack through Google Ads; the ads lead to malicious websites where the Nitrogen malware is downloaded. “The Nitrogen malware leverages obfuscated Python libraries that compile to Windows executables,” said Keegan Keplinger, senior threat intelligence researcher at eSentire's Threat Response Unit. “These libraries are useful for legitimate use cases – such as optimizing Python code – but they are also being used to develop malicious malware loaders that can load intrusion tools directly into memory.”
The ALPHV/BlackCat ransomware group has also upped the ante in its attempts to get victims to pay. The group recently attacked MeridianLink, a provider of a loan origination system and digital lending platform for financial institutions. The group did not encrypt files; instead it exfiltrated data, issued a ransom demand, and threatened to release the stolen data if the ransom was not paid within 24 hours. When no response was received, the group filed a complaint with the U.S. Securities and Exchange Commission (SEC), claiming that MeridianLink had suffered a material data breach and had failed to disclose it on Form 8-K under Item 1.05 as the SEC's new rules require. “It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules,” the group wrote in its complaint. Ransomware groups have threatened to report publicly traded companies to the SEC before, but this is the first known instance of a group following through on that threat.
“Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption,” said MeridianLink in a statement about the incident.