Threat actors have been observed abusing the Amazon S3 (Simple Storage Service) Transfer Acceleration feature in ransomware attacks designed to move victim data to S3 buckets under their control.
According to Trend Micro researchers Jaromir Horejsi and Nitesh Surana, cybercriminals have made efforts to cloak the Golang ransomware as the infamous LockBit ransomware. The intention seems to be leveraging LockBit’s infamous status to exert more pressure on their targets.
Analysis of the ransomware reveals hardcoded Amazon Web Services (AWS) credentials used to streamline data exfiltration to the cloud, showing how adversaries are increasingly abusing popular cloud service providers for malicious activity.
The AWS account used in the attack is believed to either belong to the attackers or be compromised. After notifying the AWS security team, the identified AWS access keys and accounts were disabled.
Trend Micro identified over 30 samples containing the AWS Access Key IDs and the Secret Access Keys, indicating ongoing development. This ransomware has the capability to infect both Windows and macOS systems.
The method of delivery for this cross-platform ransomware remains unknown; however, when activated, it acquires the machine’s UUID and proceeds with generating the necessary master key for file encryption purposes.
The ransomware then enumerates the root directories, encrypts files matching a fixed list of extensions, and uploads them to AWS using S3 Transfer Acceleration for faster data transmission.
“Following encryption, the file’s name is changed to the format: <original file name>.<initialization vector>.abcd,” the researchers explained. As an example, a file named text.txt would be renamed as text.txt.e5c331611dd7462f42a5e9776d2281d3.abcd.
Lastly, the ransomware modifies the device’s wallpaper to exhibit an image referencing LockBit 2.0, likely in a bid to coerce victims into making the demanded payments.
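Two defender-side checks that follow directly from the behaviour described above, written as an added example (not code from Trend Micro or the report): a parser that recognises files renamed to `<original file name>.<initialization vector>.abcd`, and a scanner that surfaces hardcoded AWS access key IDs embedded in a binary. It assumes the IV is 16 bytes rendered as 32 hex characters (the example in the report has that length) and matches long-term AWS access key IDs on their public `AKIA` prefix form; all sample data is constructed.

```python
import re
from typing import List, Optional, Tuple

# <original file name>.<initialization vector>.abcd
# Assumption: the IV is 16 bytes, shown as 32 hex characters (matches the report's example).
RENAME_RE = re.compile(r"^(?P<orig>.+)\.(?P<iv>[0-9a-fA-F]{32})\.abcd$")

# Long-term AWS access key IDs start with "AKIA" followed by 16 uppercase alphanumerics.
AKID_RE = re.compile(rb"AKIA[0-9A-Z]{16}")


def parse_ransom_name(name: str) -> Optional[Tuple[str, bytes]]:
    """Return (original_name, iv_bytes) if `name` follows the rename scheme, else None."""
    m = RENAME_RE.match(name)
    if not m:
        return None
    return m.group("orig"), bytes.fromhex(m.group("iv"))


def find_encrypted_files(listing: List[str]) -> List[Tuple[str, str, str]]:
    """Filter a directory listing down to (renamed_name, original_name, iv_hex) triples."""
    hits = []
    for name in listing:
        parsed = parse_ransom_name(name)
        if parsed is not None:
            hits.append((name, parsed[0], parsed[1].hex()))
    return hits


def find_aws_key_ids(blob: bytes) -> List[str]:
    """Return the unique AKIA-style access key IDs found in a binary or memory dump."""
    return sorted({m.group(0).decode("ascii") for m in AKID_RE.finditer(blob)})


# Constructed sample data (not real victim files or real credentials)
SAMPLE_LISTING = [
    "text.txt.e5c331611dd7462f42a5e9776d2281d3.abcd",      # the report's own example
    "report.docx.0123456789abcdef0123456789abcdef.abcd",   # constructed
    "notes.txt",                                           # untouched file
    "archive.zip.abcd",                                    # no IV segment: not the scheme
]
# "AKIAIOSFODNN7EXAMPLE" is the placeholder key ID used in AWS documentation.
SAMPLE_BINARY = b"\x00\x01junk AKIAIOSFODNN7EXAMPLE more bytes AKIAIOSFODNN7EXAMPLE\xff"

if __name__ == "__main__":
    for renamed, original, iv in find_encrypted_files(SAMPLE_LISTING):
        print(f"{renamed} -> original={original} iv={iv}")
    print("embedded key IDs:", find_aws_key_ids(SAMPLE_BINARY))
```

Run over a real file-system listing, a non-empty result from `find_encrypted_files` is a strong indicator of this family, and a hit from `find_aws_key_ids` on a suspicious binary is the credential to report to AWS and block.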
The latest update involves Gen Digital releasing a decryption tool for a variant of Mallox ransomware observed in the wild from January 2023 to February 2024, which exploited a cryptographic flaw.
Ladislav Zezula, a researcher, mentioned that those affected by this particular Mallox variant might be able to recover their files for free. The flaw in the crypto system was fixed around March 2024, rendering decryption of data encrypted by later Mallox versions impossible.
It’s worth noting that an affiliate of the Mallox operation, also known as TargetCompany, has been discovered using a slightly modified version of the Kryptina ransomware, labeled Mallox v1.0, to infiltrate Linux systems.
“The Kryptina-derived variants of Mallox are unique to affiliates and distinct from other Linux forms of Mallox that have emerged. This illustrates how the landscape of ransomware has evolved into a complex mix of intermingled tools and tangled codebases,” mentioned SentinelOne researcher Jim Walter in a recent post.
Ransomware remains a significant threat, with Symantec’s data from ransomware leak sites indicating 1,255 attacks in the third quarter of 2024, slightly lower than the previous quarter’s figure of 1,325.
According to Microsoft’s Digital Defense Report covering the one-year period from June 2023 to June 2024, there was a 2.75x increase in human-operated ransomware-based incidents. However, the percentage of attacks reaching the encryption phase has decreased significantly over the past two years.
Following an operation by international law enforcement in February 2024 targeting LockBit’s infrastructure, RansomHub, Qilin (aka Agenda), and Akira have emerged as key beneficiaries. Akira has reverted to double extortion strategies after experimenting briefly with data exfiltration and extortion alone earlier in 2024.
“During this period, Akira ransomware-as-a-service (RaaS) developers began working on a Rust variant of their ESXi encryptor, progressively building on its functionality while transitioning away from C++ and exploring diverse programming methods,” as detailed by Talos.
Attacks linked to Akira have leveraged compromised VPN credentials and recently disclosed security flaws to infiltrate networks, escalate privileges, and move laterally within breached environments to establish a deeper foothold.
Below are some of the vulnerabilities exploited by Akira affiliates:
“Throughout 2024, Akira has concentrated on a wide array of victims, showing a preference for entities in manufacturing and professional, scientific, and technical services sectors,” detailed Talos researchers James Nutland and Michael Szeliga.
“There are indications that Akira may be shifting back to earlier tactics utilizing Windows and Linux encryptors written in C++, following the Rust-based Akira v2 variant.”