Dubbed Coreid, the group has adopted a new version of its data exfiltration tool and is offering more advanced capabilities to profitable affiliates, says Symantec.
The ransomware known as Darkside gained a level of infamy in May of 2021 when it was used in a devastating attack against Colonial Pipeline, a company responsible for delivering oil and gas across the East Coast. Now the cybercriminals behind Darkside are using new ransomware with new tools and tactics that make them even more of a threat.
What is Coreid?
In a report published Thursday, security firm Symantec detailed the latest activities and methods used by Coreid to victimize organizations with ransomware. Also known in some circles as FIN7 or Carbon Spider, Coreid is a ransomware-as-a-service (RaaS) operation that develops ransomware tools and services and then collects money from affiliates who use these tools to carry out the actual attacks.
After the Colonial Pipeline incident brought undue attention to Darkside, its creators rebranded their offering as BlackMatter, allowing them to continue business as usual without the publicity surrounding the Darkside name. But in November of 2021, the group shut down its BlackMatter operation in response to pressure from law enforcement officials. However, the operation quickly resurfaced, this time using the name Noberus to describe its ransomware offering. And it’s Noberus that poses a greater threat with more sophisticated tools and technologies.
SEE: Mobile device security policy (TechRepublic Premium)
How Noberus is more dangerous than other ransomware
First seen in November of last year, Noberus boasts several features designed to highlight its superiority over other types of ransomware. To challenge its victims and law enforcement, Noberus offers two different encryption algorithms and four encryption modes, any of which can be used to encrypt stolen files from a victim. The default encryption method uses a process called “intermittent encryption” to encrypt data quickly and securely yet at the same time avoid detection.
To extract the stolen files, Noberus uses a tool called Exmatter, which Symantec says is designed to steal specific types of files from selected directories and then upload them to the attacker’s server even before the ransomware is deployed. Continually being refined and enhanced, Exmatter can exfiltrate files via FTP, SFTP (Secure FTP) or WebDav. It can create a report of all the exfiltrated files processed. And it can self-destruct if run in a non-corporate environment.
Noberus also is capable of using info-stealing malware to grab credentials from Veeam backup software, a data protection and disaster recovery product used by many organizations to store credentials for domain controllers and cloud services. Known as Infostealer.Eamfo, the malware can connect to the SQL database in which the credentials are stored and steal them through a specific SQL query.
Money-making affiliates who use Noberus to carry out attacks also pose a greater threat due to the tools at their disposal. While Coreid will get rid of affiliates who aren’t generating enough money, they’ll reward those who prove profitable. Any affiliate who brings in more than $1.5 million gains access to DDoS attack tools, files for phone numbers of victims to contact them directly, and free brute force attack methods against specific systems.
“In most ways, this report simply reinforces the fact that while there are a few monolithic ‘full stack’ cybercrime gangs, many players in the cybercriminal ecosystem are specialized into different functions,” said Chris Clements, VP of Solutions Architecture for Cerberus Sentinel. “There are initial access brokers reselling footholds into networks, ransomware as a service developers that build the tools to escalate privileges, exfiltrate data, and launch mass encryption operations, and their customers who leverage those toolsets to extort victims.”
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
How to protect your organization from ransomware
With more advanced tools and tactics employed by such ransomware as Noberus, how can organizations better defend themselves from attack?
“To remain safe against such powerful tools, organizations must adopt a true culture of cybersecurity that focuses on the fundamentals of awareness, prevention, monitoring, and validation,” Clements said. “Against a quickly evolving threat landscape it’s far more important that defenders focus efforts on prevention and detection, not against cybercriminal tooling, but rather methods and behaviors that attackers employ. Individual exploits can change daily, but the goals of cybercriminals change much more slowly. The primary aims of rapidly finding and exfiltrating sensitive data and launching mass-scale encryption campaigns are reliable targets to focus efforts on prevention and detection.”