therecord.media
2606:4700:4400::ac40:9b4b
Submitted URL: https://avnn.co/3ffz5kb
Effective URL: https://therecord.media/colonial-pipeline-hackers-add-startling-new-capabilities-to-ransomware-operation?utm_content=222...
Submission: On June 07 via api from US — Scanned from DE
Sebastian Stam, The Record
Jonathan Greig
September 22nd, 2022
Malware, News, Cybercrime

COLONIAL PIPELINE HACKERS ADD STARTLING NEW CAPABILITIES TO RANSOMWARE OPERATION

The ransomware group behind the Colonial Pipeline hack recently added a slate of new tactics, tools, and procedures to its operation, making it even simpler for members to encrypt, steal and sort data.

In a report from the Symantec Threat Hunter Team, researchers examined the latest evolutions of a group they named Coreid. Symantec researchers outlined how the group has evaded law enforcement by deploying new ransomware strains, having now settled on Noberus — which is shorthand for the BlackCat ALPHV ransomware that has been used in attacks on several U.S. universities.

The criminal gang has existed in some form since 2012, according to the researchers, who said it began using the Carbanak malware to steal money from organizations in the banking, hospitality and retail sectors. Three members of the group were arrested in 2018 before it evolved into a ransomware-as-a-service (RaaS) operation around 2020.

Coreid has repeatedly updated its ransomware operation since the headline-grabbing attack on Colonial Pipeline — in which it used Darkside ransomware to cripple gas stations across the East Coast in May 2021.
Scrutiny from law enforcement forced the group to shelve the ransomware and create a new one named BlackMatter, which was used to target agricultural companies during harvest season in the fall of 2021. That spate of attacks attracted a similarly high level of law enforcement scrutiny, prompting the group to move from using the BlackMatter ransomware to a new brand called Noberus.

“Noberus sparked interest when it was first seen in November 2021 because it was coded in Rust, and this was the first time we had seen a professional ransomware strain used in real world attacks coded in that programming language,” the researchers said. “Rust is a notable language as it is cross-platform. Coreid claims that Noberus is capable of encrypting files on Windows, ESXi, Debian, ReadyNAS, and Synology operating systems.”

À LA CARTE RANSOMWARE

Coreid — known by some security firms as FIN7 or Carbon Spider — operates a RaaS operation in which the group splits paid ransoms with the affiliate in charge of the attack itself. In advertisements on the dark web, Coreid highlighted the many improvements to Noberus that made it better than other ransomware — including encrypted negotiation chats that can only be accessed by the intended victim.

Noberus offered cybercriminals two different encryption algorithms and four different ways to encrypt systems, depending on needs around speed and the size of data troves.

The group has shown it will cut off affiliates who don’t earn enough in ransoms, according to Symantec, which noted that in December they added a “Plus” category for affiliates who had extorted at least $1.5 million in attacks. Those affiliates were given access to additional tools enabling them to cause more significant damage to systems. The designation allowed affiliates to launch distributed denial-of-service (DDoS) attacks, gave them phone numbers to directly threaten victims, and provided more technical tools to devastate networks.
By June and July of 2022, Symantec says Coreid escalated things further, introducing a way to encrypt non-standard architectures and several other features. They even adopted another feature from other groups that allowed their data leak sites to be searchable by keyword, file type, and more.

“The continuous updating and refining of Noberus’ operations shows that Coreid is constantly adapting its ransomware operation to ensure it remains as effective as possible,” the researchers said, noting that in April, the FBI sent out an alert saying the group had compromised at least 60 organizations around the world between November 2021 and March 2022.

Last month, Coreid added a powerful data exfiltration tool targeted at the most popular file types: .pdf, .doc, .docx, .xls, .xlsx, .png, .jpg, .jpeg, .txt and more. The tool — named Exmatter — was updated to give cybercriminals the ability to not only create a report of all the stolen files but corrupt the files that had already been processed. It now can even be enabled to self-destruct under certain parameters.

Some affiliates of the criminal group are also using a special information-stealing malware that is designed to steal credentials stored by Veeam backup software — used by thousands of the biggest companies in the world. Veeam is typically used to store credentials, giving cybercriminals access to data that would allow them to get deeper into a system.

Like some other groups, Coreid has laid out four main groups that affiliates are not allowed to attack: Commonwealth of Independent States, Russia-affiliated countries, healthcare organizations and non-profits. Symantec said the affiliates are “advised to avoid attacking the education and government sectors” — an edict they appear to be lenient about given several attacks on colleges around the world.
The group drew headlines late last month after attacking Accelya — a technology firm providing services to Delta, British Airways, JetBlue, United, Virgin Atlantic, American Airlines and many of the world's largest airlines.

Tags: Ransomware, Darkside, Colonial Pipeline

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.