Welcome to the ransomware weekly across multiple sectors – A summary   

October being designated Cybersecurity Awareness Month has unquestionably motivated some businesses to strengthen their security posture and focus on specific areas in order to improve detection and response. From the 22nd to the 28th of October, a number of notable attacks came to light, several of them linked to well-known brands, across industries including but not limited to IT services, BFSI and healthcare. The TommyLeaks and SchoolBoys gangs, which focus primarily on data extortion and ransomware deployment, are among the groups involved in these attacks. For a summary of the groups and ransomware families involved, as well as some of the attackers' TTPs, read the full article below.

Source : Reference

Microsoft disclosed that Vice Society uses multiple ransomware families in its attacks, including BlackCat, Quantum, Zeppelin, and a Vice Society-branded variant of Zeppelin; BleepingComputer is also aware of the group using HelloKitty ransomware. The week also brought news of other recent and earlier attacks: LockBit's alleged $60 million demand from Pendragon, Hive's claim of the Tata Power attack, Medibank's announcement that the hackers had accessed all of its customers' personal data, a ransomware attack on the Indianapolis Housing Agency, and Australian Clinical Labs' announcement that patient data had been stolen. A summary of these attacks is presented in the table below:

Date | Ransomware group | Impact
Oct 24th | Cuba ransomware | Alert that Cuba ransomware is targeting Ukrainian government agencies, warning of potential attacks against critical networks in the country.
Oct 24th | LockBit ransomware | Pendragon Group, with more than 200 car dealerships in the U.K., was breached by the LockBit ransomware gang, which allegedly demanded $60 million to decrypt files and not leak them.
Oct 24th | Chaos ransomware / KillNet variant | PCrisk found a new KillNet ransomware that appears to be tied to the pro-Russia hacking group of the same name. When encrypting files it appends the .killnet extension and drops a ransom note named Ru.txt.
Oct 25th | Hive ransomware | Hive has claimed responsibility for the cyberattack disclosed by Tata Power this month.
Oct 25th | Vice Society | Switching between ransomware payloads (BlackCat, Quantum, Zeppelin and a branded Zeppelin variant) in attacks targeting the education sector in the United States and worldwide.
Oct 25th | LV ransomware and a new Zeppelin variant | All data encrypted, globally, at a Jordan-based company.
Oct 26th | Unknown group | Australian insurance firm Medibank has confirmed that hackers accessed all of its customers' personal data and a large amount of health claims data during a recent ransomware attack.
Oct 26th | New Chaos variant | Appends a random extension to encrypted files and drops a ransom note named lisezmoi.txt.
Oct 26th | Sparta Blog, BianLian, Donuts, Onyx and Yanluowang | Reported among the groups carrying out ransomware attacks on industrial organisations.
Oct 27th | Unknown group | Australian Clinical Labs (ACL) has disclosed a February 2022 data breach that impacted its Medlab Pathology business, exposing the medical records and other sensitive information of 223,000 people.
Oct 27th | Clop ransomware | Microsoft says a threat group tracked as DEV-0950 used Clop ransomware to encrypt the network of a victim previously infected with the Raspberry Robin worm.
Oct 28th | Drinik trojan (Android banking malware, not ransomware) | Targets 18 Indian banks, masquerading as the country's official tax management app to steal victims' personal information and banking credentials.
Source : Reference

Looking across the week's entries, three things stand out: the number of active threat groups keeps growing, their attack methodology is becoming more sophisticated, and the hardest problem remains detecting them once they have infiltrated. Much of the malware these groups use is designed to reside quietly in the victim's environment and wait for the right moment to take things down. Drinik, the last entry in the table, is a banking trojan rather than ransomware, but it is a classic example of such long-lived, evolving tooling. It has been circulating in India since 2016, first as an SMS stealer; in September 2021 it added banking-trojan features that target 27 financial institutions by directing victims to phishing pages. Key behaviours observed in the latest version are as follows:

  • The latest version of the malware comes in the form of an APK named 'iAssist', which purports to be the official tax management tool of India's Income Tax Department.
  • Upon installation, it requests permissions to receive, read, and send SMS, read the user's call log, and read and write to external storage.
  • Next, it asks the user to grant the app access to the Accessibility Service. If granted, it disables Google Play Protect and uses the service to perform navigation gestures, record the screen, and capture key presses.

Drinik also checks whether the victim has landed on a URL that indicates a successful login, to confirm that the exfiltrated details (user ID, PAN, Aadhaar) are valid.

At this stage, the victim is shown a fake dialogue box claiming that the tax agency has found they are eligible for a refund of Rs 57,100 (about $700) due to previous tax miscalculations, and inviting them to tap the "Apply" button to receive it.

Tapping it takes the victim to a phishing page that is a clone of the real Income Tax Department site, where they are directed to enter financial information including account number, credit card number, CVV, and card PIN.

Source : Cyble
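The permission profile described above (full SMS control, call-log access, external storage, plus an Accessibility Service) is itself a useful triage signal when reviewing an APK before it reaches users. The script below is an added illustration written for this post, not code from Cyble or from the Drinik analysis: it parses a decoded AndroidManifest.xml and rates the app on that combination. The manifest it parses is constructed for the example, and the package name com.example.iassist, the service name and the high/medium/low weighting are assumptions, not indicators taken from the report.

```python
"""Rate an Android manifest for the permission combination described in the
Drinik write-up: SMS receive/read/send, call-log read, external storage
read/write, and a service bound with the Accessibility Service permission.

Added example for this post; not code from the page or from Cyble.
"""

import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions called out in the write-up, grouped by capability.
PERMISSION_GROUPS = {
    "sms": {
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
        "android.permission.SEND_SMS",
    },
    "call_log": {"android.permission.READ_CALL_LOG"},
    "storage": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.WRITE_EXTERNAL_STORAGE",
    },
}

# A service declared with this permission is an accessibility service.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest mimicking the described profile. The package name and
# service name are made up for the example; this is not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.iassist">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="iAssist">
        <service android:name=".A11yService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return the package name, the set of requested permissions, and whether
    any <service> is bound with the accessibility permission."""
    root = ET.fromstring(xml_text)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    has_a11y = any(
        svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION
        for svc in root.iter("service")
    )
    return {
        "package": root.get("package"),
        "permissions": perms,
        "accessibility_service": has_a11y,
    }


def triage(manifest):
    """Return (verdict, hits). hits maps each capability group to the sorted
    list of matching permissions found in the manifest."""
    hits = {}
    for group, wanted in PERMISSION_GROUPS.items():
        found = wanted & manifest["permissions"]
        if found:
            hits[group] = sorted(found)
    if manifest["accessibility_service"]:
        hits["accessibility"] = [ACCESSIBILITY_PERMISSION]

    # Full SMS control plus an accessibility service is exactly the pairing
    # the write-up describes (OTP theft plus screen/keystroke capture), so
    # that combination is rated highest. The tiers are an assumed policy.
    sms_full = "sms" in hits and len(hits["sms"]) == 3
    if sms_full and "accessibility" in hits:
        verdict = "high"
    elif "sms" in hits or "accessibility" in hits:
        verdict = "medium"
    else:
        verdict = "low"
    return verdict, hits


if __name__ == "__main__":
    verdict, hits = triage(parse_manifest(SAMPLE_MANIFEST))
    print(verdict)
    for group, names in hits.items():
        print(f"  {group}: {', '.join(names)}")
```

Run it against a manifest decoded with apktool (or any tool that produces the text form of AndroidManifest.xml); a legitimate tax or banking app has no reason to declare its own accessibility service alongside SEND_SMS, so a "high" verdict warrants a manual look before the app is allowed anywhere near a corporate device.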

What is striking about the phishing page in the Cyble screenshot is that, unless you check the URL, anyone could fall for it; that is how carefully the page has been crafted. Drinik has a large target pool because it goes after Indian taxpayers and banking customers, so every successful feature can translate into significant financial gain for the malware's creators. Studying the behaviour analytics of such attacks is essential to designing effective detection mechanisms and mitigation strategies. If this is the result and impact of a single week, the effort to thwart such groups needs the utmost attention and a high level of urgency to avoid major data breaches as far as possible.

Published by The Art of Cyber-Space

I am a security professional specializing in network security. With vivid experience in different industries, I am looking to explore the current cyberspace and discuss the ideology of neuroscience and neurotechnology research from a security perspective. I love exploring various blog posts and sharing knowledge about the current threat landscape to instill more cybersecurity awareness.
