Woburn, MA – August 24, 2022 — In line with the trend toward cross-platform ransomware, Kaspersky has discovered new ransomware gangs that have adapted their malware to several operating systems at the same time, causing damage to more organizations. This recent investigation by Kaspersky experts uncovered the activity of RedAlert and Monster, two groups that managed to attack different operating systems without resorting to multiplatform languages. Additionally, the experts uncovered 1-day exploits that ransomware groups may execute in pursuit of their financial goals.
Throughout 2022, Kaspersky security researchers have witnessed ransomware groups' prolific use of cross-platform capabilities. Their recent goal is to damage as many systems as possible by adapting their malware code to several operating systems at once. Kaspersky has already described groups such as Luna and BlackCat that used the multiplatform languages Rust and Golang. This time, however, the reported ransomware groups deploy malware that is not written in a cross-platform language but can still target various operating systems simultaneously.
One group, RedAlert, employs malware written in plain C, as detected in a Linux sample. The malware developed by RedAlert also explicitly supports ESXi environments. Moreover, the RedAlert onion website offers a decryptor for download; unfortunately, no further data is available on whether it is written in a cross-platform language. Another aspect that sets RedAlert apart from other ransomware groups is that it only accepts payments in the Monero cryptocurrency, making the money harder to trace. Although such an approach might be reasonable from the criminals' point of view, Monero is not accepted in every country or by every exchange, so victims might face a problem paying the ransom.
Another ransomware group detected in July 2022 is Monster, a gang that uses Delphi, a general-purpose programming language, to write its malware and spread to different systems. What makes this group especially peculiar is that its malware has a graphical user interface (GUI), a component that has never been implemented by ransomware groups before. Moreover, the cybercriminals executed ransomware attacks through the command line in an automated way during an ongoing targeted attack. According to the sample extracted by Kaspersky experts, the Monster ransomware authors included the GUI as an optional command line parameter.
The report issued by Kaspersky also covers 1-day exploits used to attack Windows 7 through 11. A 1-day exploit usually refers to an exploit for an already patched vulnerability, and it always raises the question of the patching policy within the affected organization. The given example is the CVE-2022-24521 vulnerability, which allows an attacker to gain system privileges on the infected device. It took attackers two weeks after the vulnerability was disclosed in April 2022 to develop the two exploits. What is particularly interesting about these exploits is that they support a variety of Windows versions. This usually indicates that the attackers are aiming at commercial organizations. Further, both exploits share many debug messages. One detected case includes attacks on a retail chain in the APAC region; however, there is no extra data on what the cybercriminals were trying to achieve.
“We’ve got quite used to the ransomware groups deploying malware written in cross-platform languages,” said Jornt van der Wiel, senior security researcher at Kaspersky’s Global Research and Analysis Team. “However, these days cybercriminals have learned to adjust their malicious code written in plain programming languages for joint attacks, making security specialists elaborate on ways to detect and prevent the ransomware attempts. We also draw attention to the importance of constantly reviewing and updating the patch policies that are applied by companies.”
To learn more about RedAlert and Monster ransomware groups as well as 1-day exploits, please check the full report on Securelist.
To protect yourself and your business from ransomware attacks, consider following the rules proposed by Kaspersky:
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise are constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.
Cassandra Faro
Cassandra.Faro@Kaspersky.com
781-503-1812