Newly Named Crusader Malware Targeting Healthcare and Enterprises Globally
An analysis of a new ransomware strain named RansomHub has revealed it to be an updated and rebranded version of the Crusader malware, which is itself an evolution of another ransomware called Cyclops.
Crusader (also known as Cyclops 2.0) first emerged in May 2023, using double-extortion tactics to steal and encrypt victims’ data for financial gain. It runs on multiple platforms, including Windows, Linux, macOS, ESXi, and Android.
Advertised and sold on the RAMP cybercrime forum, the ransomware has been observed in attacks that use phishing and spear-phishing campaigns with malicious attachments as the distribution vector.
The ransomware-as-a-service (RaaS) operation had ceased by late February 2024, when its source code was put up for sale, raising the possibility that it changed hands to a different actor who then chose to update and relaunch it under the RansomHub brand.
RansomHub, which claimed its first victim during that period, has been linked to a series of ransomware attacks in recent months, including those on Change Healthcare, Christie’s, and Frontier Communications. It has also pledged not to target organizations in the Commonwealth of Independent States (CIS) nations, Cuba, North Korea, and China.
“Both payloads are coded in Go and the majority of variations in each group are obscured using Gobfuscate,” Symantec, a part of Broadcom, stated in a report shared with The Hacker News. “The level of code similarity between the two groups is notable, making it extremely challenging to distinguish between them.”
Both display identical help menus on the command line, with RansomHub adding a new “rest” option that keeps the payload idle for a specified period (in minutes) before execution. Similar sleep commands have been observed in the Chaos/Yashma and Trigona ransomware families.
The similarities between Crusader and RansomHub also extend to the obfuscation technique used to encrypt strings, the ransom notes dropped after file encryption, and the ability to restart a host in safe mode before starting encryption.
The only major difference lies in the set of commands executed via cmd.exe, although the “manner and sequence in which they are summoned concerning other functions is identical,” according to Symantec.
RansomHub attacks have been observed exploiting known security vulnerabilities (e.g., ZeroLogon) to gain initial access and deploying remote desktop software such as Atera and Splashtop before the ransomware is launched.
According to statistics shared by Malwarebytes, the ransomware group has been linked to 26 confirmed attacks in April 2024 alone, placing it behind Play, Hunters International, Black Basta, and LockBit.
Google-owned Mandiant, in a report published this week, disclosed that RansomHub is attempting to recruit affiliates affected by recent shutdowns or exit scams, such as those of LockBit and BlackCat.
“One former Noberus affiliate dubbed Notchy is reportedly presently collaborating with RansomHub,” Symantec said. Furthermore, tools previously associated with another Noberus affiliate known as Scattered Spider were used in a recent RansomHub attack.
“The swift establishment of RansomHub’s operations indicates that the group may comprise experienced operatives with expertise and contacts in the cybercriminal underworld.”
This development comes amid a surge in ransomware activity in 2023 compared to a slight downturn in 2022, with around one-third of the 50 new families identified during the year found to be variants of previously known ransomware families. This points to a growing trend of code reuse, actor overlap, and rebranding.
Mandiant researchers said that ransomware was deployed in nearly one-third of incidents within 48 hours of the attacker’s initial access. Furthermore, 76% of ransomware deployments occurred outside regular working hours, with most taking place in the early morning.
These attacks are characterized by the use of commercially available, legitimate remote desktop tools to support intrusion operations, rather than reliance on Cobalt Strike.
Mandiant pointed out that the increasing reliance on legitimate tools reflects attackers’ efforts to hide their activities from detection systems and streamline the development and maintenance of custom tools.
The resurgence in ransomware attacks coincides with the emergence of new ransomware strains such as BlackSuit, Fog, and ShrinkLocker. The latter has been observed using a Visual Basic Script (VBScript) to leverage Microsoft’s BitLocker utility for unauthorized file encryption in extortion attacks targeting Mexico, Indonesia, and Jordan.
ShrinkLocker is so named for its ability to create a new boot partition by shrinking existing non-boot partitions, allocating the freed space to a new primary partition, and installing boot files to enable recovery.
According to Kaspersky’s analysis of ShrinkLocker, the threat actor behind it possesses significant expertise in VBScript, Windows internals, and utilities like WMI, diskpart, and bcdboot, suggesting that they already held full control over the target system when executing the script.
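As an added, defender-side illustration that is not part of the article or of Kaspersky’s analysis: the execution chain described above (a VBScript host driving diskpart, bcdboot and BitLocker) can be correlated from process-creation telemetry. The event records below are constructed for this example, and the `manage-bde.exe` stage and the two-stage alert threshold are assumptions, since the article does not say how BitLocker is invoked.

```python
from collections import defaultdict

# Constructed process-creation events for this example (not real telemetry);
# the fields mirror the subset of a Sysmon Event ID 1 record a SIEM keeps.
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"host": "ws01", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe C:\Users\Public\disk.vbs"},
    {"host": "ws01", "pid": 201, "ppid": 200, "image": r"C:\Windows\System32\diskpart.exe",
     "cmd": r"diskpart.exe /s C:\Users\Public\script.txt"},
    {"host": "ws01", "pid": 202, "ppid": 200, "image": r"C:\Windows\System32\bcdboot.exe",
     "cmd": r"bcdboot.exe C:\Windows /s E:"},
    {"host": "ws01", "pid": 203, "ppid": 200, "image": r"C:\Windows\System32\manage-bde.exe",
     "cmd": r"manage-bde.exe -on C:"},
    # Benign: an administrator shrinking a volume from an interactive console.
    {"host": "ws02", "pid": 300, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws02", "pid": 301, "ppid": 300, "image": r"C:\Windows\System32\diskpart.exe",
     "cmd": "diskpart.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Stages of the chain the article describes, keyed by the binary performing each
# (manage-bde.exe as the BitLocker stage is an assumption of this example).
STAGES = {"diskpart.exe": "partition_resize",
          "bcdboot.exe": "boot_files_installed",
          "manage-bde.exe": "bitlocker_control"}

def basename(image):
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()

def descendants(children, pid):
    """Yield every transitive child pid of pid (iterative DFS)."""
    stack = list(children.get(pid, []))
    while stack:
        child = stack.pop()
        yield child
        stack.extend(children.get(child, []))

def find_shrinklocker_chains(events, min_stages=2):
    """Alert on script hosts whose process tree covers >= min_stages stages."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        procs = {ev["pid"]: ev for ev in evs}
        children = defaultdict(list)
        for ev in evs:
            children[ev["ppid"]].append(ev["pid"])
        for ev in evs:
            if basename(ev["image"]) not in SCRIPT_HOSTS:
                continue
            seen = {STAGES[basename(procs[c]["image"])]
                    for c in descendants(children, ev["pid"])
                    if basename(procs[c]["image"]) in STAGES}
            if len(seen) >= min_stages:
                alerts.append({"host": host, "script_pid": ev["pid"],
                               "script_cmd": ev.get("cmd", ""), "stages": sorted(seen)})
    return alerts
```

VBScript can drive BitLocker through WMI in-process without spawning a child, so the BitLocker stage is a best-effort signal; the diskpart and bcdboot stages under a script host are the stronger indicators and are what the two-stage threshold relies on.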