FBI Closes Down Extorter Ransomware Collective’s Servers Across USA, United Kingdom, and Germany

The U.S. Federal Bureau of Investigation (FBI) has announced the takedown of online infrastructure connected to an emerging ransomware group named Extorter (also known as Radar).

FBI Shuts Down Dispossessor Ransomware Group's Servers Across U.S., U.K., and Germany

The operation involved the disabling of three servers in the USA, three servers in the United Kingdom, 18 servers in Germany, eight criminal domains based in the USA, and one criminal domain in Germany. The Extorter group is believed to be overseen by individual(s) who are known by the online alias “Brain.”

“Having taken form in August 2023, Radar/Extorter has rapidly advanced into a ransomware cluster with global implications, concentrating on breaching and assaulting small-to-medium sized enterprises and establishments in sectors such as production, development, education, healthcare, financial services, and transportation,” the FBI said in an official statement.

Up to 43 businesses have been pinpointed as targets of Extorter assaults, encompassing entities situated in Argentina, Australia, Belgium, Brazil, Canada, Croatia, Germany, Honduras, India, Peru, Poland, the U.A.E., the U.K., and the U.S.

Extorter, recognized for its close resemblance to LockBit, emerged as a ransomware-as-a-service (RaaS) group following the same double-extortion approach initiated by other cybercrime gangs. Such attacks work by exfiltrating victim data to hold for ransom in addition to encrypting the victim's systems. Victims who refuse to pay are threatened with exposure of their data.

Attack chains mounted by the threat actors have been observed using systems with security vulnerabilities or weak passwords as an entry point to breach targets and gain elevated access, after which victims' data is locked behind encryption.

“Upon launching an attack on the company, if they didn’t engage with the criminal actor, the group would then initiate contact with other personnel within the targeted organization, either through electronic mail or phone communication,” disclosed the FBI.

“The emails provided links to video platforms displaying the previously filched files. This tactic was consistently designed to ramp up the extortion pressure and boost willingness to pay.”

Earlier revelations from cybersecurity enterprise SentinelOne uncovered the Extorter faction advertising previously leaked data for download and sale, underscoring that it “seems to be redistributing data previously attributed to other operations, with instances ranging from Cl0p, Hunters International, and 8Base.”

The surge in such interventions is another sign that enforcement agencies worldwide are stepping up endeavors to counter the relentless ransomware threat, even as the malevolent actors continue to find innovative ways to thrive in the ever-evolving cyberspace.

This encompasses a rise in assaults executed through subcontractors and service providers, spotlighting how malicious actors are exploiting trusted relationships to their advantage, as “this mode enables large-scale attacks with reduced effort, often remaining undetected until data breaches or encrypted data are unearthed.”

Data obtained by Palo Alto Networks Unit 42 from leak platforms indicates that the sectors most affected by ransomware in the first half of 2024 were manufacturing (16.4%), healthcare (9.6%), and construction (9.4%).

Leading countries targeted during this period were the USA, Canada, United Kingdom, Germany, Italy, France, Spain, Brazil, Australia, and Belgium.

“Revealed vulnerabilities were predominantly responsible for the surge in ransomware actions as attackers hastened to exploit these openings,” the firm mentioned. “Threat actors habitually target vulnerabilities to penetrate victim networks, escalate privileges, and traverse laterally through breached environments.”

An evident trend is the rise of new (or refurbished) ransomware groups, constituting 21 out of the total 68 unique factions initiating extortion schemes, along with heightened focus on smaller entities, according to Rapid7.

“This may be attributed to various causes, most notably being that these smaller bodies house much of the identical data that threat actors are after, yet generally have less mature security measures in place,” it stated.

Another crucial aspect is the commercialization of the RaaS business model. Ransomware groups are not only more refined, they are also expanding their operations to resemble legitimate businesses.

“They possess their personal marketplaces, vend their own products, and in particular instances provide round-the-clock customer service,” articulated Rapid7. “Furthermore, they appear to be forging a network of cooperation and consolidation concerning the types of ransomware they deploy.”
