Ransomware Roundup – RA World
2024-3-15 23:0:0 Author: feeds.fortinet.com(查看原文) 阅读量:8 收藏

On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.

This edition of the Ransomware Roundup covers the RA World ransomware.

Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Steals and encrypts victims' files and demands ransom for file decryption and not releasing the stolen data.
Severity level: High

RA World Ransomware Overview

The RA World ransomware was first submitted to a publicly available file scanning service in early December 2023. The threat actor steals victims' data before deploying and running its ransomware malware for file encryption. The group operates both TOR and non-TOR sites where victims' stolen data has been leaked.

The ransomware is also designed to delete Volume Shadow Copies and system backups to inhibit system recovery.

Infection Vector

Information on the infection vector used by the RA World ransomware threat actor is unavailable. However, it is not likely to differ significantly from other ransomware groups.

Victimology

The RA World ransomware samples were submitted to a publicly available file scanning service from the Netherlands, France, the United Kingdom, the Czech Republic, Poland, Colombia, and Japan.

The ransomware's data leak sites list 23 victims at the time of this writing. The listed victims are located in Germany, the UK, the US, Italy, Poland, India, Taiwan, Mexico, France, Thailand, and Korea.

Attack Method

The first available RA World sample (SHA2: 4866d6994c2f8b4dadfaabc2e2b81bd86c12f68fdf0da13d41d7b0e30bea0801) performs the following actions:

It stops the following services:

vss

svc$

memtas

sophos

veeam

backup

mepocs

GxVss

GxBlr

GxFWD

GxCVD

GxCIMgr

DefWatch

ccEvtMgr

ccSetMgr

SavRoam

RTVscan

QBFCService

QBIDPService

Intuit.QuickBooks.FCS

QBCFMonitorService

YooBackup

YooIT

zhudongfangyu

stc_raw_agent

VSNAPVSS

VeeamTransportSvc

VeeamDeploymentService

VeeamNFSSvc

PDVFSService

BackupExecVSSProvider

BackupExecAgentAccelerator

BackupExecAgentBrowser

BackupExecDiveciMediaService

BackupExecJobEngine

BackupExecManagementService

BackupExecRPCService

AcrSch2Svc

AcronisAgent

CASAD2DWebSvc

CAARCUpdateSvc

It terminates the following processes:

sql.exe

oracle.exe

ocssd.exe

dbsnmp.exe

synctime.exe

agntsvc.exe

isqlplussvc.exe

xfssvccon.exe

mydesktopservice.exe

ocautoupds.exe

encsvc.exe

firefox.exe

tbirdconfig.exe

mydesktopqos.exe

ocomm.exe

dbeng50.exe

sqbcoreservice.exe

excel.exe

infopath.exe

msaccess.exe

mspub.exe

onenote.exe

outlook.exe

powerpnt.exe

steam.exe

thebat.exe

thunderbird.exe

visio.exe

winword.exe

wordpad.exe

notepad.exe

The ransomware uses the following commands to delete Volume Shadow Copies:

  • vssadmin.exe delete shadows /all /quiet

The malware encrypts files on the victims’ machines and adds the following extension to the encrypted files:

  • .RAWLD

It then drops the ransom note “Data breach warning.txt,“ which includes the following information:

  • The ransomware threat actor has provided the victim with two methods of contact; one is Tox and the other is Telegram.
  • The attacker will make some of the victim's stolen files available via the Gofile file-sharing service if the victim does not make contact within three days.
  • The attacker will make the stolen files available in batches if no contact is made within seven days.
  • The attacker operates both TOR and non-TOR sites for publishing stolen data.
  • The ransom note includes a list of victims who have not paid the ransom. The list is hardcoded into the ransomware code, rather than being retrieved externally.

The ransomware excludes the following filetypes from file encryption:

.exe

.dll

.RAWLD

.iso

.msi

.bin

It excludes the following files and folders from file encryption:

AppData

Boot

Windows

SYSVOL

Tor Browser

Internet Explorer

Google

Opera

Opera Software

Mozilla

Mozilla Firefox

$Recycle.Bin

ProgramData

All Users

autorun.inf

boot.ini

bootfont.bin

bootsect.bak

bootmgr

bootmgr.efi

bootmgfw.efi

desktop.ini

$windows.~ws

system volume information

intel

msocache

perflogs

iconcache.db

ntldr

ntuser.dat

ntuser.dat.log

ntuser.ini

thumbs.db

Program Files

Program Files (x86)

#recycle

config.msi

$windows.~bt

The ransomware uses the following specific mutex:

  • For whom the bell tolls, it tolls for thee.

Based on this RA World ransomware sample, the following assumption can be made:

  • The ransom note includes a list of victims who have already been affected and have not paid the ransom. The earliest sample was publicly made available in early December 2023, suggesting that the ransomware group began operations in November or earlier.

    Note that the compilation time of the sample, although easily changed, is "Sat Nov 18 11:32:32 2023 GMT".

For example, another RA World ransomware sample (SHA2: 51da3acc6c7089bd0f1df9d9902e183db0d1342552404c3c1b898b168399b0bc) claims to have been compiled on Aug 24 17:56:57 2022 GMT, however this sample did not appear on the file scanning site until February 2, 2024. Its ransom note lists fewer unpaid victims, indicating that the sample was created after 4866d6994c2f8b4dadfaabc2e2b81bd86c12f68fdf0da13d41d7b0e30bea0801.

A minor variant of the RA World ransomware (SHA2: 9479a5dc61284ccc3f063ebb38da9f63400d8b25d8bca8d04b1832f02fac24de) became available at the end of January 2024.

This variant performs the identical actions as 4866d6994c2f8b4dadfaabc2e2b81bd86c12f68fdf0da13d41d7b0e30bea0801 except for the following:

  • It excludes the following additional files and folders from file encryption:
  • The ransom note includes seven additional victims who have not paid the ransom.
  • The attacker removed the Telegram channel from the ransom note.

A few days later, yet another minor RA World ransomware variant (SHA2: 31ac190b45cc32c04c2415761c7f152153e16750516df0ce0761ca28300dd6a4) became available.

This variant also performs the identical actions as the previously mentioned RA World ransomware samples except for the following:

  • It adds the hardcoded extension “.yM8Yl” instead of “.RAWLD” to the encrypted files:

Data Leak Sites

As mentioned above, the RA World ransomware group operates both TOR and non-TOR sites to publish stolen data.

The site includes the following statement, which provides a clue to the group's location:

War is death’s feast.

I survived, but my friend didn’t.

Fortinet Protections

The RA World ransomware described in this report are detected and blocked by FortiGuard Antivirus as:

  • W64/Rook.B!tr.ransom
  • W64/Filecoder_Rook.B!tr.ransom
  • W32/Kryptik.HVRA!tr

FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is a part of each of those solutions. As a result, customers who have these products with up-to-date protections are protected.

IOCs

RA World Ransomware File IOCs

SHA2

Note

4866d6994c2f8b4dadfaabc2e2b81bd86c12f68fdf0da13d41d7b0e30bea0801

RA World ransomware

51da3acc6c7089bd0f1df9d9902e183db0d1342552404c3c1b898b168399b0bc

31ac190b45cc32c04c2415761c7f152153e16750516df0ce0761ca28300dd6a4

9479a5dc61284ccc3f063ebb38da9f63400d8b25d8bca8d04b1832f02fac24de

FortiGuard Labs Guidance

Due to the ease of disruption, damage to daily operations, potential impact on an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.

Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

Our FREE Fortinet Certified Fundamentals (FCF) in Cybersecurity training. The training is designed to help end users learn about today's threat landscape and will introduce basic cybersecurity concepts and technology.

Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.

As part of the industry's leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.

FortiRecon is a SaaS based Digital Risk Prevention Service backed by cybersecurity experts to provide unrivaled threat intelligence on the latest threat actor activity across the dark web, providing a rich understanding of threat actors’ motivations and TTPs. The service can detect evidence of attacks in progress allowing customers to rapidly respond to and shut down active threats.

Best Practices Include Not Paying a Ransom

Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because the payment does not guarantee that files will be recovered. According to a US Department of Treasury's Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).

How Fortinet Can Help

FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. Our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).

Additionally, FortiRecon Digital Risk Protection (DRP) is a SaaS-based service that provides a view of what adversaries are seeing, doing, and planning to help you counter attacks at the reconnaissance phase and significantly reduce the risk, time, and cost of later-stage threat mitigation.


文章来源: https://feeds.fortinet.com/~/873693212/0/fortinet/blog/threat-research~Ransomware-Roundup-%e2%80%93-RA-World
如有侵权请联系:admin#unsafe.sh