MyCERT : Advisories

MA-993.112023: MyCERT Alert - Cyber Security Best Practices against Ransomware LockBit 3.0

29 Nov 2023
Alert
lockbit, ransomware

1.0 Introduction

The Cyber999 Incident Response Centre observed an increase in various ransomware-related attacks, including attacks executed by well-identified ransomware known as LockBit 3.0. Lately, we have been receiving incidents involving a number of organisations in Malaysia hit by the LockBit 3.0 ransomware. Hence, this advisory is released to alert and advise organisations to apply necessary measures on prevention and mitigations if they are targeted or fall victim.

LockBit 3.0 operates as an affiliate-based Ransomware-as-a-Service (RaaS) and employs a wide variety of tactics, techniques, and procedures (TTP), creating significant challenges for defence and mitigation. LockBit 3.0 ransomware compromises victim networks through a variety of techniques, including, but not limited to, purchased access, unpatched vulnerabilities, insider access, and zero-day exploits. The attackers associated with the Lockbit 3.0 are believed to originate from Russia. According to a detailed analysis, the ransomware checks the default system language, avoids encryption and stops the attack if the victim system’s language is Russian or one of the countries nearby Russia.

We have previously released an advisory on Lockbit 3.0 ransomware, available at:

https://www.mycert.org.my/portal/advisory?id=MA-907.012023

Additionally, it was also reported recently by security researchers and security organisations that the infamous LockBit 3.0 ransomware group was observed exploiting a critical unpatched Citrix NetScaler ADC and NetScaler Gateway vulnerability – CVE-2023-4966, referred to as "Citrix Bleed," increasing the urgency for enterprises to patch. Citrix Bleed was disclosed on October 10 2023, as a critical security issue that affects Citrix NetScaler ADC and Gateway, enabling unauthorised access to sensitive device information.

A joint advisory by CISA, FBI, MS-ISAC, and ASD’s ACSC was released on LockBit affiliates exploiting Citrix Bleed, available at:

https://www.cisa.gov/news-events/alerts/2023/11/21/cisa-fbi-ms-isac-and-asds-acsc-release-advisory-lockbit-affiliates-exploiting-citrix-bleed

2.0 Impact
The impacts of LockBit 3.0 are:

Operations disruption with essential functions coming to a sudden halt.
Extortion by the hackers for financial gain.
Data theft and illegal publication as blackmail if the victim does not comply.

3.0 Recommendations
MyCERT recommends network defenders apply the following mitigations to reduce the risk of compromise by LockBit 3.0 ransomware:

1) Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.

Note: Devices with local administrative accounts should implement a password policy requiring strong, unique passwords for each administrative account.

2) Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.

3) Keep all operating systems and software up to date. Prioritize patching known exploited vulnerabilities. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.

4) Apply security updates released by Citrix to address CVE-2023-4966 in NetScaler ADC and NetScaler Gateway.

https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967

5) Remove unnecessary access to administrative shares, especially ADMIN$ and C$. If ADMIN$ and C$ are deemed operationally necessary, and these restrict privileges to only the necessary service or user accounts and perform continuous monitoring for anomalous activity.

6) Use a host-based firewall to only allow connections to administrative shares via server message block (SMB) from a limited set of administrator machines.

7) Enable protected files in the Windows Operating System to prevent unauthorized changes to critical files.

8) Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.

9) Maintain offline backups of data and regularly maintain backup and restoration. By implementing this practice, the organisation ensures they will not be severely interrupted, and/or only have irretrievable data.

Generally, MyCERT advises the users of these devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my

6.0 References

21 Nov 2023
Alert
rhysida, ransomware

1.0 Introduction

Recently, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA), #StopRansomware: Rhysida Ransomware, to disseminate known Rhysida ransomware indicators of compromise (IOCs), detection methods, and tactics, techniques, and procedures (TTPs) identified through investigations as recently as September 2023.

Observed as a ransomware-as-a-service (RaaS) model, Rhysida actors have compromised organizations in education, manufacturing, information technology, and government sectors and any ransom paid is split between the group and affiliates. Rhysida actors leverage external-facing remote services, such as virtual private networks (VPNs), Zerologon vulnerability (CVE-2020-1472), and phishing campaigns to gain initial access and persistence within a network.

2.0 Impact
Threat actors leveraging Rhysida ransomware are known to impact “targets of opportunity,” including victims in the education, healthcare, manufacturing, information technology, and government sectors. Open source reporting details similarities between Vice Society (DEV-0832)[1] activity and the actors observed deploying Rhysida ransomware. Additionally, open source reporting[2] has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model. Any ransoms paid are then split between the group and the affiliates.

For additional information on Vice Society actors and associated activity, see the joint CSA #StopRansomware: Vice Society.

3.0 Technical Details

3.1 Tactics, Techniques and Procedures (TTPs)
3.1.1 Initial Access

Rhysida actors have been observed leveraging external-facing remote services to initially access and persist within a network. Remote services, such as virtual private networks (VPNs), allow users to connect to internal enterprise network resources from external locations. Rhysida actors have commonly been observed authenticating to internal VPN access points with compromised valid credentials [T1078], notably due to organizations lacking MFA enabled by default. Additionally, actors have been observed exploiting Zerologon (CVE-2020-1472)—a critical elevation of privileges vulnerability in Microsoft’s Netlogon Remote Protocol [T1190]—as well as conducting successful phishing attempts [T1566]. Note: Microsoft released a patch for CVE-2020-1472 on August 11, 2020.[3]

3.1.2 Living off the Land

Analysis identified Rhysida actors using living off the land techniques, such as creating Remote Desktop Protocol (RDP) connections for lateral movement [T1021.001], establishing VPN access, and utilizing PowerShell [T1059.001]. Living off the land techniques include using native (built into the operating system) network administration tools to perform operations. This allows the actors to evade detection by blending in with normal Windows systems and network activities.

Ipconfig [T1016], whoami [T1033], nltest [T1482], and several net commands have been used to enumerate victim environments and gather information about domains. In one instance of using compromised credentials, actors leveraged net commands within PowerShell to identify logged-in users and performed reconnaissance on network accounts within the victim environment. Note: The following commands were not performed in the exact order listed.

net user [username] /domain [T1087.002]
net group “domain computers” /domain [T1018]
net group “domain admins” /domain [T1069.002]
net localgroup administrators [T1069.001]

Analysis of the master file table (MFT)[4] identified the victim system generated the ntuser.dat registry hive, which was created when the compromised user logged in to the system for the first time. This was considered anomalous due to the baseline of normal activity for that particular user and system. Note: The MFT resides within the New Technology File System (NTFS) and houses information about a file including its size, time and date stamps, permissions, and data content.

3.1.3 Leveraged Tools

Table 1 lists legitimate tools Rhysida actors have repurposed for their operations. The legitimate tools listed in this joint CSA are all publicly available. Use of these tools should not be attributed as malicious without analytical evidence to support they are used at the direction of or controlled by threat actors.

Disclaimer: Organizations are encouraged to investigate and vet use of these tools prior to performing remediation actions.

Name	Description
cmd.exe	The native command line prompt utility.
PowerShell.exe	A native command line tool used to start a Windows PowerShell session in a Command Prompt window.
PsExec.exe	A tool included in the PsTools suite used to execute processes remotely. Rhysida actors heavily leveraged this tool for lateral movement and remote execution.
mstsc.exe	A native tool that establishes an RDP connection to a host.
PuTTY.exe	Rhysida actors have been observed creating Secure Shell (SSH) PuTTy connections for lateral movement. In one example, analysis of PowerShell console host history for a compromised user account revealed Rhysida actors leveraged PuTTy to remotely connect to systems via SSH [T1021.004].
PortStarter	A back door script written in Go that provides functionality for modifying firewall settings and opening ports to pre-configured command and control (C2) servers.[1]
secretsdump	A script used to extract credentials and other confidential information from a system. Rhysida actors have been observed using this for NTDS dumping [T1003.003] in various instances.
ntdsutil.exe	A standard Windows tool used to interact with the NTDS database. Rhysida actors used this tool to extract and dump the NTDS.dit database from the domain controller containing hashes for all Active Directory (AD) users. Note: It is strongly recommended that organizations conduct domain-wide password resets and double Kerberos TGT password resets if any indication is found that the NTDS.dit file was compromised.
AnyDesk	A common software that can be maliciously used by threat actors to obtain remote access and maintain persistence [T1219]. AnyDesk also supports remote file transfer.
wevtutil.exe	A standard Windows Event Utility tool used to view event logs. Rhysida actors used this tool to clear a significant number of Windows event logs, including system, application, and security logs [T1070.001].
PowerView	A PowerShell tool used to gain situational awareness of Windows domains. Review of PowerShell event logs identified Rhysida actors using this tool to conduct additional reconnaissance-based commands and harvest credentials.

3.2 Rhysida Ransomware Characteristics

3.2.1 Execution

In one investigation, Rhysida actors created two folders in the C:\ drive labeled in and out, which served as a staging directory (central location) for hosting malicious executables. The in folder contained file names in accordance with host names on the victim’s network, likely imported through a scanning tool. The out folder contained various files listed in Table 2 below. Rhysida actors deployed these tools and scripts to assist system and network-wide encryption.

File Name	Hash (SHA256)	Description
conhost.exe	6633fa85bb234a75927b23417313e51a4c155e12f71da3959e168851a600b010	A ransomware binary.
psexec.exe	078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b	A file used to execute a process on a remote or local host.
S_0.bat	1c4978cd5d750a2985da9b58db137fc74d28422f1e087fd77642faa7efe7b597	A batch script likely used to place 1.ps1 on victim systems for ransomware staging purposes [T1059.003].
1.ps1	4e34b9442f825a16d7f6557193426ae7a18899ed46d3b896f6e4357367276183	Identifies an extension block list of files to encrypt and not encrypt.
S_1.bat	97766464d0f2f91b82b557ac656ab82e15cae7896b1d8c98632ca53c15cf06c4	A batch script that copies conhost.exe (the encryption binary) on an imported list of host names within the C:\Windows\Temp directory of each system.
S_2.bat	918784e25bd24192ce4e999538be96898558660659e3c624a5f27857784cd7e1	Executes conhost.exe on compromised victim systems, which encrypts and appends the extension of .Rhysida across the environment.

Rhysida ransomware uses a Windows 64-bit Portable Executable (PE) or common object file format (COFF) compiled using MinGW via the GNU Compiler Collection (GCC), which supports various programming languages such as C, C++, and Go. The cryptographic ransomware application first injects the PE into running processes on the compromised system [T1055.002]. Additionally, third-party researchers identified evidence of Rhysida actors developing custom tools with program names set to “Rhysida-0.1” [T1587].

3.2.2 Encryption

After mapping the network, the ransomware encrypts data using a 4096-bit RSA encryption key with a ChaCha20 algorithm [T1486]. The algorithm features a 256-bit key, a 32-bit counter, and a 96-bit nonce along with a four-by-four matrix of 32-bit words in plain text. Registry modification commands [T1112] are not obfuscated, displayed as plain-text strings and executed via cmd.exe.

Rhysida’s encryptor runs a file to encrypt and modify all encrypted files to display a .rhysida extension.[5] Following encryption, a PowerShell command deletes the binary [T1070.004] from the network using a hidden command window [T1564.003]. The Rhysida encryptor allows arguments -d (select a directory) and -sr (file deletion), defined by the authors of the code as parseOptions.[6] After the lines of binary strings complete their tasks, they delete themselves through the control panel to evade detection.

3.2.3 Data Extortion

Rhysida actors reportedly engage in “double extortion” [T1657]—demanding a ransom payment to decrypt victim data and threatening to publish the sensitive exfiltrated data unless the ransom is paid.[5],[7] Rhysida actors direct victims to send ransom payments in Bitcoin to cryptocurrency wallet addresses provided by the threat actors. As shown in Figure 1, Rhysida ransomware drops a ransom note named “CriticalBreachDetected” as a PDF file—the note provides each company with a unique code and instructions to contact the group via a Tor-based portal.

Figure 1: Rhysida Ransom Note

Figure 1: Rhysida Ransom Note

Identified in analysis and also listed in open source reporting, the contents of the ransom note are embedded as plain-text in the ransom binary, offering network defenders an opportunity to deploy string-based detection for alerting on evidence of the ransom note. Rhysida threat actors may target systems that do not use command-line operating systems. The format of the PDF ransom notes could indicate that Rhysida actors only target systems that are compatible with handling PDF documents.[8]

3.3 Indicators of Compromise (IOCs)

On November 10, 2023, Sophos published TTPs and IOCs identified from analysis conducted for six separate incidents.[9] The C2 IP addresses listed in Table 3 were derived directly from Sophos’ investigations and are listed on GitHub among other indicators.[10]

C2 IP Address
5.39.222[.]67
5.255.99[.]59
51.77.102[.]106
108.62.118[.]136
108.62.141[.]161
146.70.104[.]249
156.96.62[.]58
157.154.194[.]6

Additional IOCs were obtained from FBI, CISA, and the MS-ISAC’s investigations and analysis. The email addresses listed in Table 4 are associated with Rhysida actors’ operations. Rhysida actors have been observed creating Onion Mail email accounts for services or victim communication, commonly in the format: [First Name][Last Name]@onionmail[.]org.

Email Address
rhysidaeverywhere@onionmail[.]org
rhysidaofficial@onionmail[.]org

Rhysida actors have also been observed using the following files and executables listed in Table 5 to support their operations.

Disclaimer: Organizations are encouraged to investigate the use of these files for related signs of compromise prior to performing remediation actions.

File Name	Hash (SHA256)
Sock5.sh	48f559e00c472d9ffe3965ab92c6d298f8fb3a3f0d6d203cd2069bfca4bf3a57
PsExec64.exe	edfae1a69522f87b12c6dac3225d930e4848832e3c551ee1e7d31736bf4525ef
PsExec.exe	078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b
PsGetsid64.exe	201d8e77ccc2575d910d47042a986480b1da28cf0033e7ee726ad9d45ccf4daa
PsGetsid.exe	a48ac157609888471bf8578fb8b2aef6b0068f7e0742fccf2e0e288b0b2cfdfb
PsInfo64.exe	de73b73eeb156f877de61f4a6975d06759292ed69f31aaf06c9811f3311e03e7
PsInfo.exe	951b1b5fd5cb13cde159cebc7c60465587e2061363d1d8847ab78b6c4fba7501
PsLoggedon64.exe	fdadb6e15c52c41a31e3c22659dd490d5b616e017d1b1aa6070008ce09ed27ea
PsLoggedon.exe	d689cb1dbd2e4c06cd15e51a6871c406c595790ddcdcd7dc8d0401c7183720ef
PsService64.exe	554f523914cdbaed8b17527170502199c185bd69a41c81102c50dbb0e5e5a78d
PsService.exe	d3a816fe5d545a80e4639b34b90d92d1039eb71ef59e6e81b3c0e043a45b751c
Eula.txt	8329bcbadc7f81539a4969ca13f0be5b8eb7652b912324a1926fc9bfb6ec005a
psfile64.exe	be922312978a53c92a49fefd2c9f9cc098767b36f0e4d2e829d24725df65bc21
psfile.exe	4243dc8b991f5f8b3c0f233ca2110a1e03a1d716c3f51e88faf1d59b8242d329
pskill64.exe	7ba47558c99e18c2c6449be804b5e765c48d3a70ceaa04c1e0fae67ff1d7178d
pskill.exe	5ef168f83b55d2cbd2426afc5e6fa8161270fa6a2a312831332dc472c95dfa42
pslist64.exe	d3247f03dcd7b9335344ebba76a0b92370f32f1cb0e480c734da52db2bd8df60
pslist.exe	ed05f5d462767b3986583188000143f0eb24f7d89605523a28950e72e6b9039a
psloglist64.exe	5e55b4caf47a248a10abd009617684e969dbe5c448d087ee8178262aaab68636
psloglist.exe	dcdb9bd39b6014434190a9949dedf633726fdb470e95cc47cdaa47c1964b969f
pspasswd64.exe	8d950068f46a04e77ad6637c680cccf5d703a1828fbd6bdca513268af4f2170f
pspasswd.exe	6ed5d50cf9d07db73eaa92c5405f6b1bf670028c602c605dfa7d4fcb80ef0801
psping64.exe	d1f718d219930e57794bdadf9dda61406294b0759038cef282f7544b44b92285
psping.exe	355b4a82313074999bd8fa1332b1ed00034e63bd2a0d0367e2622f35d75cf140
psshutdown64.exe	4226738489c2a67852d51dbf96574f33e44e509bc265b950d495da79bb457400
psshutdown.exe	13fd3ad690c73cf0ad26c6716d4e9d1581b47c22fb7518b1d3bf9cfb8f9e9123
pssuspend64.exe	4bf8fbb7db583e1aacbf36c5f740d012c8321f221066cc68107031bd8b6bc1ee
pssuspend.exe	95a922e178075fb771066db4ab1bd70c7016f794709d514ab1c7f11500f016cd
PSTools.zip	a9ca77dfe03ce15004157727bb43ba66f00ceb215362c9b3d199f000edaa8d61
Pstools.chm	2813b6c07d17d25670163e0f66453b42d2f157bf2e42007806ebc6bb9d114acc
psversion.txt	8e43d1ddbd5c129055528a93f1e3fab0ecdf73a8a7ba9713dc4c3e216d7e5db4
psexesvc.exe	This artifact is created when a user establishes a connection using psexec. It is removed after the connection is terminated, which is why there is no hash available for this executable.

4.0 Recommendations
MyCERT recommends system administrators to review this advisory and take the below recommended mitigations to reduce the likelihood and impact of Rhysida and other ransomware incidents.

Prioritize remediating known exploited vulnerabilities.
Enable multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, VPN, and accounts that access critical systems.
Segment networks to prevent the spread of ransomware.

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

5.0 References

15 Jun 2023
Advisory
cl0p, ransomware, moveit, vulnerability

1.0 Introduction

Open-source data indicates that on May 27, 2023, the CL0P Ransomware Gang, also known as TA505, started exploiting a previously unreported SQL injection vulnerability (CVE-2023-34362) in Progress Software’s managed file transfer (MFT), MOVEit Transfer.

A web shell called LEMURLOOT was used to infect MOVEit Transfer web apps that were accessible to the public and steal data from the underlying MOVEit Transfer databases. Similar flurry of activity was launched by TA505 in early 2023 targeting Fortra/Linoma GoAnywhere MFT servers and Accellion File Transfer Appliance (FTA) devices in the form of zero-day exploit-driven attacks.

2.0 Impact

Retrieve Microsoft Azure system settings and enumerate the underlying SQL database.
Store a string sent by the operator and then retrieve a file with a name matching the string from the MOVEit Transfer system.
Create a new administrator privileged account with a randomly generated username and LoginName and RealName values set to “Health Check Service.”
Delete an account with LoginName and RealName values set to ‘Health Check Service.’

3.0 Affected Products

MOVEit Transfer 2023.0.0
MOVEit Transfer 2022.1.x
MOVEit Transfer 2022.0.x
MOVEit Transfer 2021.1.x
MOVEit Transfer 2021.0.x
MOVEit Transfer 2020.1.x
MOVEit Transfer 2020.0.x

4.0 Indicators of Compromise (IoCs)
4.1 Moveit Campaign Indicators of Compromised

Files	Hash
LEMURLOOT Web Shell e.g. human2.aspx		0b3220b11698b1436d1d866ac07cc90018e59884e91a8cb71ef8924309f1e0e9
		0ea05169d111415903a1098110c34cdbbd390c23016cd4e179dd9ef507104495
		110e301d3b5019177728010202c8096824829c0b11bb0dc0bff55547ead18286
		1826268249e1ea58275328102a5a8d158d36b4fd312009e4a2526f0bfbc30de2
		2413b5d0750c23b07999ec33a5b4930be224b661aaf290a0118db803f31acbc5
		2ccf7e42afd3f6bf845865c74b2e01e2046e541bb633d037b05bd1cdb296fa59
		348e435196dd795e1ec31169bd111c7ec964e5a6ab525a562b17f10de0ab031d
		387cee566aedbafa8c114ed1c6b98d8b9b65e9f178cf2f6ae2f5ac441082747a
		38e69f4a6d2e81f28ed2dc6df0daf31e73ea365bd2cfc90ebc31441404cca264
		3a977446ed70b02864ef8cfa3135d8b134c93ef868a4cc0aa5d3c2a74545725b
		3ab73ea9aebf271e5f3ed701286701d0be688bf7ad4fb276cb4fbe35c8af8409
		3c0dbda8a5500367c22ca224919bfc87d725d890756222c8066933286f26494c
		4359aead416b1b2df8ad9e53c497806403a2253b7e13c03317fc08ad3b0b95bf
		48367d94ccb4411f15d7ef9c455c92125f3ad812f2363c4d2e949ce1b615429a
		58ccfb603cdc4d305fddd52b84ad3f58ff554f1af4d7ef164007cb8438976166
		5b566de1aa4b2f79f579cdac6283b33e98fdc8c1cfa6211a787f8156848d67ff
		6015fed13c5510bbb89b0a5302c8b95a5b811982ff6de9930725c4630ec4011d
		702421bcee1785d93271d311f0203da34cc936317e299575b06503945a6ea1e0
		769f77aace5eed4717c7d3142989b53bd5bac9297a6e11b2c588c3989b397e6b
		7c39499dd3b0b283b242f7b7996205a9b3cf8bd5c943ef6766992204d46ec5f1
		93137272f3654d56b9ce63bec2e40dd816c82fb6bad9985bed477f17999a47db
		98a30c7251cf622bd4abce92ab527c3f233b817a57519c2dd2bf8e3d3ccb7db8
		9d1723777de67bc7e11678db800d2a32de3bcd6c40a629cd165e3f7bbace8ead
		9e89d9f045664996067a05610ea2b0ad4f7f502f73d84321fb07861348fdc24a
		a1269294254e958e0e58fc0fe887ebbc4201d5c266557f09c3f37542bd6d53d7
		a8f6c1ccba662a908ef7b0cb3cc59c2d1c9e2cbbe1866937da81c4c616e68986
		b1c299a9fe6076f370178de7b808f36135df16c4e438ef6453a39565ff2ec272
		b5ef11d04604c9145e4fe1bedaeb52f2c2345703d52115a5bf11ea56d7fb6b03
		b9a0baf82feb08e42fa6ca53e9ec379e79fbe8362a7dac6150eb39c2d33d94ad
		bdd4fa8e97e5e6eaaac8d6178f1cf4c324b9c59fc276fd6b368e811b327ccf8b
		c56bcb513248885673645ff1df44d3661a75cfacdce485535da898aa9ba320d4
		c77438e8657518221613fbce451c664a75f05beea2184a3ae67f30ea71d34f37
		cec425b3383890b63f5022054c396f6d510fae436041add935cd6ce42033f621
		cf23ea0d63b4c4c348865cefd70c35727ea8c82ba86d56635e488d816e60ea45
		d477ec94e522b8d741f46b2c00291da05c72d21c359244ccb1c211c12b635899
		d49cf23d83b2743c573ba383bf6f3c28da41ac5f745cde41ef8cd1344528c195
		daaa102d82550f97642887514093c98ccd51735e025995c2cc14718330a856f4
		e8012a15b6f6b404a33f293205b602ece486d01337b8b3ec331cd99ccadb562e
		ea433739fb708f5d25c937925e499c8d2228bf245653ee89a6f3d26a5fd00b7a
		ed0c3e75b7ac2587a5892ca951707b4e0dd9c8b18aaf8590c24720d73aa6b90c
		f0d85b65b9f6942c75271209138ab24a73da29a06bc6cc4faeddcb825058c09d
		fe5f8388ccea7c548d587d1e2843921c038a9f4ddad3cb03f3aa8a45c29c6a2f

4.2 GoAnywhere Campaign Indicators of Compromise

Files	Hash	Description
larabqFa.exe Qboxdv.dll	0e3a14638456f4451fe8d76 fdc04e591fba942c2f16da3 1857ca66293a58a4c3	Truebot
%TMP%\7ZipSfx.000\Zoom.exe	1285aa7e6ee729be808c46 c069e30a9ee9ce34287151 076ba81a0bea0508ff7e	Spawns a PowerShell subprocess which executes a malicious DLL file
%TMP%\7ZipSfx.000\ANetDiag.dll	2c8d58f439c708c28ac4ad 4a0e9f93046cf076fc6e5ab 1088e8943c0909acbc4	Obfuscated malware which also uses long sleeps and debug detection to evade analysis
AVICaptures.dll	a8569c78af187d603eecdc 5faec860458919349eef510 91893b705f466340ecd	Truebot
kpdphhajHbFerUr.exe gamft.dll	c042ad2947caf4449295a5 1f9d640d722b5a6ec69575 23ebf68cddb87ef3545c	Truebot
dnSjujahur.exe Pxaz.dll	c9b874d54c18e895face05 5eeb6faa2da7965a336d70 303d0bd6047bec27a29d	Truebot
7ZSfxMod_x86.exe ZoomInstaller.exe Zoom.exe	d5bbcaa0c3eeea17f12a5c c3dbcaffff423d00562acb69 4561841bcfe984a3b7	Fake Zoom installer - Truebot
update.jsp	eb9f5cbe71f9658d38fb4a7 aa101ad40534c4c93ee73e f5f6886d89159b0e2c2	Java Server Pages (JSP) web shell with some base64 obfuscation
%TMP%\<folder>\extracted_at_0x e5c8f00.exe	f2f08e4f108aaffaadc3d11b ad24abdd625a77e0ee9674 c4541b562c78415765	Employs sandbox detection and string obfuscation - appears to be a collection of C# hack tools
UhfdkUSwkFKedUUi.exe gamft.dll	ff8c8c8bfba5f2ba2f800325 5949678df209dbff95e16f2f 3c338cfa0fd1b885	Truebot

Email Address	Description
unlock@rsv-box[.]com	CL0P communication email
unlock@support-mult[.]com	CL0P communication email
rey14000707@gmail[.]com	Login/Download
gagnondani225@gmail[.]com	Email

Malicious Domain

http://hiperfdhaus[.]com

http://jirostrogud[.]com

http://qweastradoc[.]com

http://qweastradoc[.]com/gate.php

http://connectzoomdownload[.]com/download/ZoomInstaller.exe

https://connectzoomdownload[.]com/download/ZoomInstaller.exe

Certificate Name

Status

Date Valid

Thumbprint

Serial Number

Savas Investments PTY LTD

Valid Issuer: Sectigo Public Code Signing CA R36

10/7/2022 -

10/7/2023

8DCCF6AD21A58226521

00-82-D2-24-

32-3E-FA-65-

06-0B-64- 1F-

51-FA-DF-EF-

E36D7E5DBAD133331C181

MOVEit Campaign Infrastructure IP Addresses May/June 2023	GoAnywhere Campaign Infrastructure IP Addresses January/February 2023
104.194.222[.]107	100.21.161[.]34
138.197.152[.]201	104.200.72[.]149
146.0.77[.]141	107.181.161[.]207
146.0.77[.]155	141.101.68[.]154
146.0.77[.]183	141.101.68[.]166
148.113.152[.]144	142.44.212[.]178
162.244.34[.]26	143.31.133[.]99
162.244.35[.]6	148.113.159[.]146
179.60.150[.]143	148.113.159[.]213
185.104.194[.]156	15.235.13[.]184
185.104.194[.]24	15.235.83[.]73
185.104.194[.]40	162.158.129[.]79
185.117.88[.]17	166.70.47[.]90
185.162.128[.]75	172.71.134[.]76
185.174.100[.]215	173.254.236[.]131
185.174.100[.]250	185.104.194[.]134
185.181.229[.]240	185.117.88[.]2
185.181.229[.]73	185.174.100[.]17
185.183.32[.]122	185.33.86[.]225
185.185.50[.]172	185.33.87[.]126
188.241.58[.]244	185.80.52[.]230
193.169.245[.]79	185.81.113[.]156
194.33.40[.]103	192.42.116[.]191
194.33.40[.]104	195.38.8[.]241
194.33.40[.1]64	198.137.247[.]10
198.12.76[.]214	198.199.74[.]207
198.27.75[.]110	198.199.74[.]207:1234/update.jsp
206.221.182[.]106	198.245.13[.]4
209.127.116[.]122	20.47.120[.]195
209.127.4[.]22	208.115.199[.]25
209.222.103[.]170	209.222.98[.]25
209.97.137[.]33	213.121.182[.]84
45.227.253[.]133	216.144.248[.]20
45.227.253[.]147	23.237.114[.]154
45.227.253[.]50	23.237.56[.]234
45.227.253[.]6	3.101.53[.]11
45.227.253[.]82	44.206.3[.]111
45.56.165[.]248	45.182.189[.]200
5.149.248[.]68	45.182.189[.]228
5.149.250[.]74	45.182.189[.]229
5.149.250[.]92	5.149.250[.]90
5.188.86[.]114	5.149.252[.]51
5.188.86[.]250	5.188.206[.]76
5.188.87[.]194	5.188.206.76[:]8000/se1.dll
5.188.87[.]226	5.34.178[.]27
5.188.87[.]27	5.34.178[.]28
5.252.23[.]116	5.34.178[.]30
5.252.25[.]88	5.34.178[.]31
5.34.180[.]205	5.34.180[.]48
62.112.11[.]57	50.7.118[.]90
62.182.82[.]19	54.184.187[.]134
62.182.85[.]234	54.39.133[.]41
66.85.26[.]215	63.143.42[.]242
66.85.26[.]234	68.156.159[.]10
66.85.26[.]248	74.218.67[.]242
79.141.160[.]78	76.117.196[.]3
79.141.160[.]83	79.141.160[.]78
84.234.96[.]104	79.141.161[.]82
84.234.96[.]31	79.141.173[.]94
89.39.104[.]118	81.56.49[.]148
89.39.105[.]108	82.117.252[.]141
91.202.4[.]76	82.117.252[.]142
91.222.174[.]95	82.117.252[.]97
91.229.76[.]187	88.214.27[.]100
93.190.142[.]131	88.214.27[.]101
	91.222.174[.]68
	91.223.227[.]140
	92.118.36[.]210
	92.118.36[.]213
	92.118.36[.]249
	96.10.22[.]178
	96.44.181[.]131
	5.252.23[.]116
	5.252.25[.]88
	84.234.96[.]104
	89.39.105[.]108
	138.197.152[.]201
	148.113.152[.]144
	198.12.76[.]214
	209.97.137[.]33
	209.222.103[.]170

5.0 Recommendations
MyCERT recommends users and administrators to follow the security best practices as recommended below to improve their organization’s security posture.

Reduce threat of malicious actors using remote access tools by:
- Auditing remote access tools.
- Reviewing logs for execution of remote access software.
- Using security software.
- Requiring authorized remote access solutions.
- Blocking both inbound and outbound connections.
Implement application controls.
Strictly limit the use of RDP and other remote desktop services.
Disable command-line and scripting.
Restrict the use of PowerShell.
Update Windows PowerShell or PowerShell Core.
Review domain controllers, servers, workstation, and active directories.
Audit user accounts with administrative privileges.
Reduce the threat of credential compromise.
Implement time-based access for accounts.

In addition, MyCERT recommend apply the following recommendation to limit potential adversarial use of common system and network discovery techniques and to reduce the impact and risk of compromise by ransomware or data extortion actors:

Implement a recovery plan.
Maintain offline backups of data.
Require multifactor authentication.
Keep all operating systems, software and firmware up to date.
Segment networks.
Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool.
Install, regularly update, and enable real time detection for antivirus software.
Disable unused ports and hyperlinks.
Consider adding and email banner to emails.
Ensure all backup data is encrypted, immutable.

For further enquiries, please contact MyCERT through the following channels:

6.0 References

15 Jun 2023
Advisory
bianlian, ransomware,

1.0 Introduction

Recently, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC) released a joint Cybersecurity Advisory to disseminate known BianLian ransomware and data extortion group IOCs and TTPs identified through FBI and ACSC investigations as of March 2023.

BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022. They have also targeted Australian critical infrastructure sectors in addition to professional services and property development. The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian group actors then extort money by threatening to release data if payment is not made. BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion.

2.0 Technical Details
BianLian is a ransomware developer, deployer, and data extortion cybercriminal group. FBI observed BianLian group targeting organizations in multiple U.S. critical infrastructure sectors since June 2022. In Australia, ACSC has observed BianLian group predominately targeting private enterprises, including one critical infrastructure organization. BianLian group originally employed a doubleextortion model in which they exfiltrated financial, client, business, technical, and personal files for leverage and encrypted victims’ systems. In 2023, FBI observed BianLian shift to primarily exfiltrationbased extortion with victims’ systems left intact, and ACSC observed BianLian shift exclusively to exfiltration-based extortion. BianLian actors warn of financial, business, and legal ramifications if payment is not made.

2.1 Initial access
BianLian group actors gain initial access to networks by leveraging compromised Remote Desktop Protocol (RDP) credentials likely acquired from initial access brokers or via phishing.

2.2 Command and Control
BianLian group actors implant a custom backdoor specific to each victim written in Go (see the Indicators of Compromise Section for an example) and install remote management and access software—e.g., TeamViewer, Atera Agent, SplashTop, AnyDesk—for persistence and command and control.
FBI also observed BianLian group actors create and/or activate local administrator accounts and change those account passwords.

2.3 Defense Evasion
BianLian group actors use PowerShell and Windows Command Shell to disable antivirus tools, specifically Windows defender and Anti-Malware Scan Interface (AMSI). BianLian actors modify the Windows Registry to disable tamper protection for Sophos SAVEnabled, SEDEenabled, and SAVService services, which enables them to uninstall these services. See Appendix: Windows PowerShell and Command Shell Activity for additional information, including specific commands they have used.

2.4 Discovery
BianLian group actors use a combination of compiled tools, which they first download to the victim environment, to learn about the victim’s environment. BianLian group actors have used:
• Advanced Port Scanner, a network scanner used to find open ports on network computers and retrieve versions of programs running on the detected ports.
• SoftPerfect Network Scanner (netscan.exe), a network scanner that can ping computers, scan ports, and discover shared folders.
• SharpShares to enumerate accessible network shares in a domain.
• PingCastle to enumerate Active Directory (AD). PingCastle provides an AD map to visualize the hierarchy of trust relationships.
BianLian actors also use native Windows tools and Windows Command Shell to:
• Query currently logged-in users.
• Query the domain controller to identify:

All groups.
Accounts in the Domain Admins and Domain Computers groups.
All users in the domain.

• Retrieve a list of all domain controllers and domain trusts.
• Identify accessible devices on the network.

2.5 Credential Access
BianLian group uses valid accounts for lateral movement through the network and to pursue other follow-on activity. To obtain the credentials, BianLian group actors use Windows Command Shell to find unsecured credentials on the local machine. FBI also observed BianLian harvest credentials from the Local Security Authority Subsystem Service (LSASS) memory, download RDP Recognizer (a tool that could be used to brute force RDP passwords or check for RDP vulnerabilities) to the victim system, and attempt to access an Active Directory domain database (NTDS.dit).
In one case, FBI observed BianLian actors use a portable executable version of an Impacket tool (secretsdump.py) to move laterally to a domain controller and harvest credential hashes from it.
Note: Impacket is a Python toolkit for programmatically constructing and manipulating network protocols. Through the Command Shell, an Impacket user with credentials can run commands on a remote device using the Windows management protocols required to support an enterprise network.

2.6 Presistence and Lateral Movement
BianLian group actors use PsExec and RDP with valid accounts for lateral movement. Prior to using RDP, BianLian actors used Command Shell and native Windows tools to add user accounts to the local Remote Desktop Users group, modified the added account’s password, and modified Windows firewall rules to allow incoming RDP traffic. See Appendix: Windows PowerShell and Command Shell Activity for additional information.
In one case, FBI found a forensic artifact (exp.exe) on a compromised system that likely exploits the Netlogon vulnerability (CVE-2020-1472) and connects to a domain controller.

2.7 Collection
FBI observed BianLian group actors using malware (system.exe) that enumerates registry and files and copies clipboard data from users.

2.8 Exfiltration and Impact
BianLian group actors search for sensitive files using PowerShell scripts (See Appendix: Windows PowerShell and Command Shell Activity) and exfiltrate them for data extortion. Prior to January 2023, BianLian actors encrypted files after exfiltration for double extortion.
BianLian group uses File Transfer Protocol (FTP) and Rclone, a tool used to sync files to cloud storage, to exfiltrate data. FBI observed BianLian group actors install Rclone and other files in generic and typically unchecked folders such as programdata\vmware and music folders. ACSC observed BianLian group actors use Mega file-sharing service to exfiltrate victim data.
BianLian’s encryptor (encryptor.exe) modified all encrypted files to have the .bianlian extension. The encryptor created a ransom note, Look at this instruction.txt, in each affected directory (see Figure 1 for an example ransom note.) According to the ransom note, BianLian group specifically looked for, encrypted, and exfiltrated financial, client, business, technical, and personal files.

Figure 1: BianLian Sample Ransom Note (Look at this instruction.txt)

If a victim refuses to pay the ransom demand, BianLian group threatens to publish exfiltrated data to a leak site maintained on the Tor network. The ransom note provides the Tox ID A4B3B0845DA242A64BF17E0DB4278EDF85855739667D3E2AE8B89D5439015F07E81D12D767FC, which does not vary across victims. The Tox ID directs the victim organization to a Tox chat via https://qtox.gitbhub[.]io and includes an alternative contact email address (swikipedia@onionmail[.]org or xxx@mail2tor[.]com). The email address is also the same address listed on the group’s Tor site under the contact information section. Each victim company is assigned a unique identifier included in the ransom note. BianLian group receives payments in unique cryptocurrency wallets for each victim company.
BianLian group engages in additional techniques to pressure the victim into paying the ransom; for example, printing the ransom note to printers on the compromised network. Employees of victim companies also reported receiving threatening telephone calls from individuals associated with BianLian group.

3.0 Indicators of Compromise
See Table 1 for IOCs obtained from FBI investigations as of March 2023.

Name	SHA-256 Hash	Description
def.exe	7b15f570a23a5c5ce8ff942da60834a9d0549ea3ea9f34f900 a09331325df893	Malware associated with BianLian intrusions, which is an example of a possible backdoor developed by BianLian group.
encryptor.exe	1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b 75050da22e8e43	Example of a BianLian encryptor.
exp.exe	0c1eb11de3a533689267ba075e49d93d55308525c04d6aff 0d2c54d1f52f5500	Possible NetLogon vulnerability (CVE-2020- 1472) exploitation.
system.exe	40126ae71b857dd22db39611c25d3d5dd0e60316b72830e 930fba9baf23973ce	Enumerates registry and files. Reads clipboard data.

Table 1: BianLian Ransomware and Data Extortion Group IOCs

Through FBI investigation as of March 2023, FBI has observed BianLian actors use the commands in Table 2. ACSC has observed BianLian actors use some of the same commands.

Command	Use
[Ref].Assembly.GetType(‘System.Management .Automation.AmsiUtils’).GetField(‘amsiInitFaile d’,’NonPublic,* Static’).SetValue($null,$true)	Disables the AMSI on Windows. AMSI is a built-in feature on Windows 10 and newer that provides an interface for anti-malware scanners to inspect scripts prior to execution. When AMSI is disabled, malicious scripts may bypass antivirus solutions and execute undetected.
cmd.exe /Q /c for /f “tokens=1,2 delims= “ ^%A in (‘”tasklist /fi “Imagename eq lsass.exe” \| find “lsass””’) do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump ^%B \Windows\Temp\<file>.csv full	Creates a memory dump lsass.exe process and saves it as a CSV filehttps://attack.mitre.org/versions/v12/techniq ues/T1003/001/. BianLian actors used it to harvest credentials from lsass.exe.
cmd.exe /Q /c net user <admin> /active:yes 1> \\127.0.0.1\C$\Windows\Temp\<folder> 2>&1	Activates the local Administrator account.
cmd.exe /Q /c net user "<admin>"<password> 1> \\127.0.0.1\C$\Windows\Temp\<folder> 2>&1	Changes the password of the newly activated local Administrator account.
cmd.exe /Q /c quser 1> \\127.0.0.1\C$\Windows\Temp\<folder> 2>&1	Executes quser.exe to query the currently logged-in users on a machine. The command is provided arguments to run quietly and exit upon completion, and the output is directed to the \Windows\Temp directory.
dism.exe /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart	Using the Deployment Image Servicing and Management (DISM) executable file, removes the Windows Defender feature.
dump.exe -no-pass -just-dc user.local/<fileserver.local>\@<local_ip>	Executes secretsdump.py, a Portable Executable version of an Impacket tool. Used to dump password hashes from domain controllers.
exp.exe -n <fileserver.local> -t <local_ip>	Possibly attempted exploitation of the NetLogon vulnerability (CVE-2020-1472).
findstr /spin "password" . >C:\Users\training\Music\<file>.txt	Searches for the string password in all files in the current directory and its subdirectories and puts the output to a file.
ldap.exe -u user\<user> -p <password> ldap://<local_ip>	Connects to the organization’s Lightweight Directory Access Protocol (LDAP) server.
logoff	Logs off the current user from a Windows session. Can be used to log off multiple users at once.
mstsc	Launches Microsoft Remote Desktop Connection client application in Windows.
net group /domain	Retrieves a list of all groups from the domain controller.
net group 'Domain Admins' /domain	Queries the domain controller to retrieve a list of all accounts from Domain Admins group.
net group 'Domain Computers' /domain	Queries the domain controller to retrieve a list of all accounts from Domain Computers group.
net user /domain	Queries the domain controller to retrieve a list of all users in the domain.
net.exe localgroup "Remote Desktop Users" <user> /add	Adds a user account to the local Remote Desktop Users group.
net.exe user <admin> <password> /domain	Modifies the password for the specified account.
netsh.exe advfirewall firewall add rule "name=allow RemoteDesktop" dir=in * protocol=TCP localport=<port num> action=allow	Adds a new rule to the Windows firewall that allows incoming RDP traffic.
netsh.exe advfirewall firewall set rule "group=remote desktop" new enable=Yes	Enables the pre-existing Windows firewall rule group named Remote Desktop. This rule group allows incoming RDP traffic.
nltest /dclist	Retrieves a list of domain controllers.
nltest /domain_trusts	Retrieves a list of domain trusts.
ping.exe -4 -n 1 *	Sends a single ICMP echo request packet to all devices on the local network using the IPv4 protocol. The output of the command will show if the device is reachable or not.
quser; ([adsisearcher]"(ObjectClass=computer)").Find All().count;([adsisearcher]"(ObjectClass=user)") .FindAll().count;[Security.Principal.WindowsIde ntity]::GetCurrent() \| select name;net user "$env:USERNAME" /domain; (Get-WmiObject - class Win32_OperatingSystem).Caption; Get- WmiObject -Namespace root\cimv2 -Class Win32_ComputerSystem; net group "domain admins" /domain; nltest /dclist:; nltest /DOMAIN_TRUSTS	Lists the current Windows identity for the logged-in user and displays the user's name. Uses the Active Directory Services Interface (ADSI) to search for all computer and user objects in the domain and returns counts of the quantities found. Lists information about the current user account from the domain, such as the user's name, description, and group memberships. Lists information about the operating system installed on the local computer. Lists information about the "Domain Admins" group from the domain. Lists all domain controllers in the domain. Displays information about domain trusts.
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentC ontrolSet\Control\Terminal * Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f	Adds/overwrites a new Registry value to disable user authentication for RDP connections.
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentC ontrolSet\Control\Terminal Server" /* v fAllowToGetHelp /t REG_DWORD /d 1 /f	Adds/overwrites a new Registry value to allow a user to receive help from Remote Assistance.
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentC ontrolSet\Services\Sophos Endpoint * Defense\TamperProtection\Config" /t REG_DWORD /v SAVEnabled /d 0 /f	Adds/overwrites a new Registry value to disable tamper protection for Sophos antivirus named SAVEnabled.
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentC ontrolSet\Services\Sophos Endpoint * Defense\TamperProtection\Config" /t REG_DWORD /v SEDEnabled /d 0 /f	Adds/overwrites a new Registry value to disable tamper protection for Sophos antivirus named SEDEnabled.
reg.exe ADD * HKEY_LOCAL_MACHINE\SOFTWARE\WOW 6432Node\Sophos\SAVService\TamperProtecti on /t REG_DWORD /v Enabled /d 0 /f	Adds/overwrites a new registry value to disable tamper protection for a Sophos antivirus service called SAVService.
reg.exe copy hklm\system\CurrentControlSet\services\tvnser ver * hklm\system\CurrentControlSet\control\safeboo t\network\tvnserver /s /f	Copies the configuration settings for the tvnserver service to a new location in the registry that will be used when the computer boots into Safe Mode with Networking. This allows the service to run with the same settings in Safe Mode as it does in normal mode.
s.exe /threads:50 /ldap:all /verbose /outfile:c:\users\<user>\desktop\1.txt	Executes SharpShares.
schtasks.exe /RU SYSTEM /create /sc ONCE /<user> /tr "cmd.exe /crundll32.exe c:\programdata\netsh.dll,Entry" /ST 04:43	Creates a Scheduled Task run as SYSTEM at 0443 AM. When the task is run, cmd.exe uses crundll32.exe to run the DLL file netsh.dll. (It is likely that netsh.dll is a malware file and not associated with netsh.)
start-process PowerShell.exe -arg C:\Users\Public\Music\<file>.ps1 -WindowStyle Hidden	Executes a PowerShell script, while keeping the PowerShell window hidden from the user.

Table 2: PowerShell and Windows Command Shell Activity

4.0 Recommendations
MyCERT recommend organizations implement the recommendation below to improve your organization’s cybersecurity posture on the basis of the threat actor’s activity.

Reduce threat of malicious actors using remote access tools by:
- Auditing remote access tools on your network to identify currently used and/or authorized software.
- Reviewing logs for execution of remote access software to detect abnormal use of programs running as a portable executable.
- Using security software to detect instances of remote access software only being loaded in memory.
- Requiring authorized remote access solutions only be used from within your network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).
- Blocking both inbound and outbound connections on common remote access software ports and protocols at the network perimeter.
Implement application controls to manage and control execution of software.
Strictly limit the use of RDP and other remote desktop services.
Disable command-line and scripting activities and permissions.
Restrict the use of PowerShell.
Update Windows PowerShell or PowerShell Core.
Enable enhanced PowerShell logging.
Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations.
Review domain controllers, servers, workstations, and active directories.
Audit user accounts.
Implement time-based access for accounts set at the admin level and higher.

In addition, MyCERT recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the impact and risk of compromise by ransomware or data extortion actors:

Implement a recovery plan.
Maintain offline backups of data.
Require phishing-resistant multifactor authentication.
Keep all operating systems, software, and firmware up to date.
Segment networks.
Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool.
Install, regularly update, and enable real time detection for antivirus software.
Disable unused ports.
Consider adding an email banner to emails.
Ensure all backup data is encrypted, immutable.

For further enquiries, please contact MyCERT through the following channels:

5.0 References

11 Apr 2023
Advisory
BlackCat, alpha, ALPHV, ransomware

1.0 Introduction
MyCERT has observed an increase in ransomware-related attacks, including those executed by ransomware known as BlackCat/ALPHV. This ransomware variant was identified through FBI investigations. BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using RUST, considered a more secure programming language with improved performance and reliable concurrent processing. BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero but have accepted ransom payments below the initial ransom demand amount. Many developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations.

2.0 Impact
The malicious actors’ use of Rust to deliver the ransomware payload sets the stage for its encryption routine. The ransomware binary defaces the system’s background images. It replaces it with one containing a notification that important files have been downloaded and encrypted, plus information on where additional instructions can be found. Sample ransom note is as below:

Figure 1: Sample ransom note of the BlackCat ransomware binary.

The payload also terminates specific services related to backups, antivirus applications, databases, Windows internet services, and ESXi virtual machines (VMs).
In addition, a new variant of the BlackCat ransomware binary restarts the affected system to safe mode before proceeding to its encryption routine. It also disables system recovery and deletes volume shadow copies to inhibit the recovery of the affected systems.

3.0 Affected Products

Windows 7 and higher (7, 8.1, 10,11; 2008r2, 2012, 2016, 2019, 2022).
Windows XP and 2003.
VMware ESXi
Debian and Ubuntu Linux
ReadyNAS, Synology, QNAP

4.0 Technical Details

BlackCat/ALPHV ransomware leverages previously compromised user credentials to gain initial access to the victim’s system. Once the malware establishes access, it compromises Active Directory user and administrator accounts. The malware uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy ransomware. Initial malware deployment leverages PowerShell scripts in conjunction with Cobalt Strike and disables security features within the victim’s network. BlackCat/ALPHV ransomware also leverages Windows administrative tools and Microsoft Sysinternals tools during compromise.

BlackCat/ALPHV steals victim data before the execution of the ransomware, including from cloud providers where company or client data was stored.

The actors leverage Windows scripting to deploy ransomware and to compromise additional hosts. For example, the following batch and PowerShell scripts were observed:

start.bat - launches the ransomware executable with the required arguments.
est.bat - copies the ransomware to other locations.
drag-and-drop-target.bat - launches the ransomware executable for the MySQL Server.
run.bat - executes a callout command to and external server using SSH – file names may change depending on the company and systems affected.
Runsl.psl - PowerShell scripts to disable AV.

5.0 Indicators of Compromise

The following are characteristics of compromise by BlackCat/ALPHV, as mid-February 2022:

Advisories

MA-993.112023: MyCERT Alert - Cyber Security Best Practices against Ransomware LockBit 3.0

MA-989.112023: MyCERT Alert - CISA, FBI, and MS-ISAC Release Advisory on Rhysida Ransomware

3.1.2 Living off the Land

MA-944.062023: MyCERT Advisory - CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability

MA-941.062023: MyCERT Advisory - BianLian Ransomware Group

MA-921.042023: MyCERT Advisory - BlackCat Ransomware