


Sebastian Stam, The Record
Jonathan Greig
September 22nd, 2022
 * Malware
 * News
 * Cybercrime



COLONIAL PIPELINE HACKERS ADD STARTLING NEW CAPABILITIES TO RANSOMWARE OPERATION

The ransomware group behind the Colonial Pipeline hack recently added a slate of
new tactics, tools, and procedures to its operation, making it even simpler for
members to encrypt, steal and sort data.

In a report from the Symantec Threat Hunter Team, researchers examined the
latest evolutions of a group they named Coreid.

Symantec researchers outlined how the group has evaded law enforcement by
deploying new ransomware strains, having now settled on Noberus — which is
shorthand for the BlackCat ALPHV ransomware that has been used in attacks on
several U.S. universities. 

The criminal gang has existed in some form since 2012, according to the
researchers, who said it began using the Carbanak malware to steal money from
organizations in the banking, hospitality and retail sectors.

Three members of the group were arrested in 2018 before it evolved into a
ransomware-as-a-service (RaaS) operation around 2020.

Coreid has repeatedly updated its ransomware operation since the
headline-grabbing attack on Colonial Pipeline — in which it used Darkside
ransomware to cripple gas stations across the East Coast in May 2021. 

Scrutiny from law enforcement forced the group to shelve the ransomware and
create a new one named BlackMatter, which was used to target agricultural
companies during harvest season in the fall of 2021. 

That spate of attacks attracted a similarly high level of law enforcement
scrutiny, prompting the group to move from using the BlackMatter ransomware to a
new brand called Noberus.

“Noberus sparked interest when it was first seen in November 2021 because it was
coded in Rust, and this was the first time we had seen a professional ransomware
strain used in real world attacks coded in that programming language,” the
researchers said. 

“Rust is a notable language as it is cross-platform. Coreid claims that Noberus
is capable of encrypting files on Windows, ESXi, Debian, ReadyNAS, and Synology
operating systems.”


À LA CARTE RANSOMWARE

Coreid — known by some security firms as FIN7 or Carbon Spider — operates a RaaS
operation in which the group splits paid ransoms with the affiliate in charge of
the attack itself. 

In advertisements on the dark web, Coreid highlighted the many improvements to
Noberus that made it better than other ransomware — including encrypted
negotiation chats that can only be accessed by the intended victim.

Noberus offered cybercriminals two different encryption algorithms and four
different ways to encrypt systems, depending on needs around speed and the size
of data troves.

The group has shown it will cut off affiliates who don’t earn enough in ransoms,
according to Symantec, which noted that in December they added a “Plus” category
for affiliates who had extorted at least $1.5 million in attacks.

Those affiliates were given access to additional tools enabling them to cause
more significant damage to systems. The designation allowed affiliates to launch
distributed denial-of-service (DDoS) attacks, gave them phone numbers to
directly threaten victims and more technical tools to devastate networks. 

By June and July of 2022, Symantec says Coreid escalated things further,
introducing a way to encrypt non-standard architectures and several other
features. They even adopted another feature from other groups that allowed their
data leak sites to be searchable by keyword, file type, and more.

“The continuous updating and refining of Noberus’ operations shows that Coreid
is constantly adapting its ransomware operation to ensure it remains as
effective as possible,” the researchers said, noting that in April, the FBI sent
out an alert saying the group had compromised at least 60 organizations around
the world between November 2021 and March 2022.

Last month, Coreid added a powerful data exfiltration tool targeted at the most
popular file types: .pdf, .doc, .docx, .xls, .xlsx, .png, .jpg, .jpeg, .txt and
more.

The tool — named Exmatter — was updated to give cybercriminals the ability not
only to create a report of all the stolen files but also to corrupt the files
that had already been processed. It can now even be configured to self-destruct
under certain parameters.

Some affiliates of the criminal group are also using a special
information-stealing malware that is designed to steal credentials stored by
Veeam backup software — used by thousands of the biggest companies in the
world. Veeam is typically used to store credentials, giving cybercriminals
access to data that would allow them to get deeper into a system. 

Like some other groups, Coreid has laid out four main groups that affiliates are
not allowed to attack: Commonwealth of Independent States, Russia-affiliated
countries, healthcare organizations and non-profits. 

Symantec said the affiliates are “advised to avoid attacking the education and
government sectors” — an edict they appear to be lenient about given several
attacks on colleges around the world.

The group drew headlines late last month after attacking Accelya — a technology
firm providing services to Delta, British Airways, JetBlue, United, Virgin
Atlantic, American Airlines and many of the world's largest airlines.


Tags
 * Ransomware
 * Darkside
 * Colonial Pipeline


Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across
the globe as a journalist since 2014. Before moving back to New York City, he
worked for news outlets in South Africa, Jordan and Cambodia. He previously
covered cybersecurity at ZDNet and TechRepublic.



© Copyright 2024 | The Record from Recorded Future News