According to Symantec, the group known as Coreid has updated its data exfiltration tool and now offers more sophisticated capabilities to its most successful affiliates. The ransomware known as Darkside attained notoriety when Colonial Pipeline, a firm that distributes oil and gas across the East Coast, was the target of a devastating attack in May 2021. The crooks behind Darkside now employ new malware along with new tools and strategies, increasing the threat they pose.

What is Coreid?

Security company Symantec described the most recent actions and strategies taken by Coreid to target businesses with ransomware in a study released on Thursday. Coreid is a ransomware-as-a-service (RaaS) operation that creates ransomware tools and services and then collects money from affiliates who use these tools to carry out the actual attacks. In some areas, Coreid is also known as FIN7 or Carbon Spider.

Darkside's operators renamed their product BlackMatter after the Colonial Pipeline incident brought the brand unwanted attention. This allowed them to carry on with business as normal without the negative publicity attached to the Darkside name. However, the organisation ended its BlackMatter activity in November 2021 as a result of pressure from law enforcement.

The operation swiftly reappeared, describing its ransomware offering under the moniker Noberus this time. And with more advanced tools and technologies, Noberus poses a larger threat.

How Noberus is more dangerous than other ransomware

Noberus, which first surfaced in November of last year, has a number of features that set it apart from other ransomware. Noberus provides two alternative encryption algorithms and four encryption modes. All of these can be used to encrypt material stolen from a victim, to put pressure on victims and to hinder law enforcement. The standard encryption approach encrypts data rapidly and securely while also avoiding discovery, using a technique known as “intermittent encryption.”
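As an added illustration of why intermittent encryption blunts simple detection, the following Python (written for this page, not code from Symantec or the article) scores a file by entropy per window rather than by a single whole-file figure, so that alternating encrypted and clear regions stand out. The window size, the entropy threshold and the sample files are assumptions.

```python
import math
import random

WINDOW = 4096        # bytes per window; assumed granularity, not Noberus's real chunk size
HIGH_ENTROPY = 7.0   # bits/byte; ciphertext sits near 8.0, English text near 4-5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify(data: bytes, window: int = WINDOW, high: float = HIGH_ENTROPY) -> dict:
    """Verdict from per-window entropy; a whole-file threshold is reported for comparison.

    Repeated alternation between high- and low-entropy windows is the pattern a
    single whole-file figure hides when only part of each file has been encrypted.
    """
    flags = [shannon_entropy(data[i:i + window]) >= high
             for i in range(0, len(data), window)]
    frac = sum(flags) / len(flags) if flags else 0.0
    transitions = sum(1 for a, b in zip(flags, flags[1:]) if a != b)
    if frac >= 0.9:
        verdict = "high_entropy_throughout"   # fully encrypted, or merely compressed
    elif frac <= 0.1:
        verdict = "plain"
    elif transitions >= 4:
        verdict = "suspect_intermittent"      # encrypted/clear alternation repeats
    else:
        verdict = "mixed"                     # e.g. one embedded compressed blob
    return {"verdict": verdict, "high_fraction": frac, "transitions": transitions,
            "whole_file_entropy": shannon_entropy(data)}


def rand_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


def build_samples(windows: int = 16, seed: int = 1) -> dict:
    """Constructed samples, not real victim files: text, half-encrypted text, random."""
    rng = random.Random(seed)
    text = (b"Quarterly report: revenue, costs and headcount by region.\n" * 200)[:WINDOW]
    return {
        "plain": text * windows,
        "intermittent": b"".join(rand_bytes(rng, WINDOW) if i % 2 else text
                                 for i in range(windows)),
        "full": rand_bytes(rng, WINDOW * windows),
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, classify(blob))
```

The whole-file entropy of the intermittent sample lands between the text and ciphertext values, which is why a single per-file threshold is an unreliable signal on its own.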

Noberus employs a programme called Exmatter to exfiltrate stolen data. According to Symantec, Exmatter is designed to take particular kinds of files from particular directories and upload them to the attackers' server even before the ransomware is activated.

Exmatter, which is continually refined, can exfiltrate files over FTP, SFTP (Secure FTP) or WebDAV. It can produce a report of all the exfiltrated files it processed, and it can self-destruct if it finds itself running outside a corporate environment.

Noberus is also capable of collecting credentials from Veeam backup software, a data protection and disaster recovery product that many organizations use to store login information for domain controllers and cloud services, using information-stealing malware. Using a specific SQL query, this infostealer, known as Eamfo, can connect to the SQL database containing the credentials and steal them.

The resources at their disposal make the affiliates who use Noberus to conduct attacks a larger threat. While Coreid will drop affiliates who don't produce enough revenue, it rewards those who do. Any affiliate who generates over $1.5 million in revenue gains access to DDoS attack tools, files of victims' phone numbers so they can call them directly, and free brute-force attack techniques against particular systems.

The Key

According to Chris Clements, vice president of solutions architecture for Cerberus Sentinel, this report in most ways simply reinforces the fact that, while there are a few monolithic “full stack” cybercrime gangs, many players in the cybercriminal ecosystem specialize in different functions.

“Ransomware as a service developers build the tools to escalate privileges, exfiltrate data, and start bulk encryption operations. Their customers employ such toolsets to extort victims.”

How to protect your organization from ransomware

How can businesses better protect themselves from attack given the more sophisticated tools and techniques used by ransomware like Noberus?

“Organizations must establish a proper cybersecurity culture that focuses on the principles of awareness, prevention, monitoring, and validation to stay safe against such potent tools,” Clements added. “Against a rapidly changing threat landscape, it’s considerably more crucial that defenses concentrate their efforts on prevention and detection against the tactics and behaviors used by attackers rather than cybercriminal tooling. The objectives of cybercriminals change considerably more slowly than individual exploits, which can alter on a daily basis. Rapidly locating and removing sensitive data and initiating widespread encryption campaigns are reliable targets on which to concentrate prevention and detection efforts.”
