NoName hackers use RansomHub in recent cyber campaigns – CySecurity News

The NoName ransomware group has targeted small and medium-sized businesses worldwide for roughly three years and has kept growing by deploying custom malware and evolving its attack methods. A recent link now ties NoName to RansomHub, leading to the conclusion that the group is no longer operating independently but as a RansomHub affiliate. That development raises the threat level for organizations worldwide, and for small and medium-sized businesses in particular.

RansomHub, an emerging extortion operation, has thus gained a new affiliate whose main claim to fame so far was impersonating the LockBit ransomware-as-a-service brand. NoName also has a well-documented history of exploiting vulnerabilities that are many years old.

The NoName ransomware gang, which ESET tracks as CosmicBeetle, has spent the past three years attacking small and medium-sized businesses around the world. Recent observations show the gang now deploying RansomHub ransomware alongside its own tooling. To gain access to networks it relies on custom tools, chiefly its own Spacecolon malware family, supplemented by tooling obtained from other cybercriminals.

To get those tools onto victim systems the gang brute-forces credentials and exploits long-known vulnerabilities such as EternalBlue (CVE-2017-0144) and Zerologon (CVE-2020-1472). In recent attacks NoName has encrypted documents and other files with its ScRansom ransomware, which replaces the Scarab-based encryptor it used previously. The gang has also begun experimenting with the leaked LockBit 3.0 builder, setting up a look-alike data leak site and issuing ransom notes modelled on the leaked code.

ESET has been tracking CosmicBeetle since 2023, although the gang's activity goes back about three years. ScRansom is less sophisticated than the major ransomware families but still a serious threat to any Windows host it reaches, and it has become more capable over time. Its key handling is complex: file contents are encrypted with AES-CTR-128 and the AES keys are protected with RSA-1024, and the multi-step design itself sometimes breaks decryption. Victims have been reported to receive multiple decryption keys and still be unable to recover all of their files. ScRansom also offers the operator several speed modes that encrypt only part of each file, which gives the attacker flexibility.

An ‘ERASE’ mode replaces file contents with a constant value, making recovery impossible. ScRansom can encrypt files on every drive, and the operator chooses which file extensions and which folders are targeted. Before invoking the encryptor, ScRansom terminates a number of processes and services on the Windows host, including Windows Defender, the Volume Shadow Copy service, svchost, rdpclip and lsass, as well as processes belonging to VMware Tools. The encryption is layered: each file is encrypted with AES-CTR-128, the per-file AES keys are protected with RSA-1024, and a further AES key is layered on top to protect the RSA key material.

Because of this multi-step process, errors sometimes creep in that cause decryption to fail. Running the ransomware a second time on the same device, or across a network where several systems run different versions of the ransomware, generates a new set of unique keys each time, so the victim must collect every key to decrypt everything, which makes recovery quite difficult. Beyond brute-force attacks, NoName gains access by exploiting several vulnerabilities that are common in small and medium-sized business environments: CVE-2017-0144 (EternalBlue), CVE-2023-27532 (Veeam Backup & Replication), CVE-2021-42278 and CVE-2021-42287 (the noPac Active Directory privilege escalation chain), CVE-2022-42475 (FortiOS SSL-VPN) and CVE-2020-1472 (Zerologon).
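To make the "multiple keys, still not all files" failure mode concrete, here is an added Go example written for this page; it is not ScRansom code and not ESET's, and it models only the shape of scheme the article describes: a fresh RSA-1024 key pair per run, a fresh AES-128 key per file used in CTR mode, and the file key wrapped with the run's public key. The Run and EncryptedFile types, the RunID field standing in for a "decryption ID", the file names and the three-file scenario are all hypothetical; the extra AES layer over the RSA key material that the article mentions is left out. RecoverAll plays the victim who was handed the key for one run only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"fmt"
)

type EncryptedFile struct { // what the encryptor leaves behind for each victim file
	RunID      string // which run's RSA private key unwraps the file key (the "decryption ID")
	IV         []byte // AES-CTR initial counter block
	WrappedKey []byte // 16-byte AES key, RSA-1024 PKCS#1 v1.5 encrypted
	Ciphertext []byte
}

type Run struct { // one execution of the encryptor: a fresh RSA-1024 pair wraps every file key of that run
	ID   string
	priv *rsa.PrivateKey
}

func NewRun(id string) *Run {
	priv, err := rsa.GenerateKey(rand.Reader, 1024) // 1024 bits only to mirror the article; weak today
	if err != nil {
		panic(err) // only possible if the system CSPRNG is broken
	}
	return &Run{ID: id, priv: priv}
}

// ctrXOR runs AES-CTR over in; the same call encrypts and decrypts.
func ctrXOR(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// EncryptFile draws a fresh AES-128 key and IV per file and wraps the key with this run's public key.
func (r *Run) EncryptFile(plaintext []byte) (*EncryptedFile, error) {
	raw := make([]byte, 16+aes.BlockSize) // AES-128 key followed by the CTR IV
	rand.Read(raw)                        // crypto/rand.Read never returns an error on Go 1.24+
	ct, err := ctrXOR(raw[:16], raw[16:], plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, &r.priv.PublicKey, raw[:16])
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{RunID: r.ID, IV: raw[16:], WrappedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptFile refuses files from another run: their keys are wrapped under a public key whose private half this run lacks.
func (r *Run) DecryptFile(ef *EncryptedFile) ([]byte, error) {
	if ef.RunID != r.ID {
		return nil, fmt.Errorf("file needs the key for run %q, have only %q", ef.RunID, r.ID)
	}
	fileKey, err := rsa.DecryptPKCS1v15(nil, r.priv, ef.WrappedKey)
	if err != nil {
		return nil, err
	}
	return ctrXOR(fileKey, ef.IV, ef.Ciphertext)
}

// RecoverAll is the victim's view: decrypt whatever the received run keys cover and return the files still locked.
func RecoverAll(files []*EncryptedFile, keys map[string]*Run) (recovered int, locked []*EncryptedFile) {
	for _, f := range files {
		if run, ok := keys[f.RunID]; ok {
			if _, err := run.DecryptFile(f); err == nil {
				recovered++
				continue
			}
		}
		locked = append(locked, f)
	}
	return recovered, locked
}

// Scenario (constructed data): run A encrypts two files, a re-run B a third, and the victim holds only run B's key.
func Scenario() (int, []*EncryptedFile, error) {
	runA, runB := NewRun("run-A"), NewRun("run-B")
	var files []*EncryptedFile
	for i, run := range []*Run{runA, runA, runB} { // files 1-2 from the first run, file 3 from the re-run
		f, err := run.EncryptFile([]byte(fmt.Sprintf("document-%d contents", i+1)))
		if err != nil {
			return 0, nil, err
		}
		files = append(files, f)
	}
	recovered, locked := RecoverAll(files, map[string]*Run{runB.ID: runB})
	return recovered, locked, nil
}
```

Scenario recovers one file and leaves two locked, both tagged with run A's ID, even though the victim did receive a valid key. The point for a responder is that a second execution on the same host produces a second, incompatible key set, so the first triage step is to group encrypted files by whatever identifies the run that produced them and to list which keys are still outstanding before attempting bulk decryption.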

ScRansom can encrypt files on all drive types, including fixed, external, removable and cloud storage, and the operator can customize the list of file extensions to encrypt. When ESET researchers investigated an attack that began with a failed ScRansom deployment in early June, they found the same threat actor back on the same machine less than a week later.

This time the attacker deployed RansomHub's EDR killer, a tool that drops a legitimate but vulnerable driver on the target computer to escalate privileges and disable security agents. Two days later, on June 10, the hackers encrypted the compromised computer with RansomHub ransomware. The researchers noted that the EDR killer was extracted and executed in an unusual way that is characteristic of CosmicBeetle rather than of other RansomHub affiliates.

Because RansomHub's code and builder have never leaked, ESET researchers were “fairly confident” that CosmicBeetle had signed up as a new RansomHub affiliate. ESET stops short of claiming proof of the affiliation, but notes that ScRansom is still being actively developed by the gang.
