Pierluigi Paganini
October 03, 2023
In the last few weeks, two cybercriminal groups that have also targeted Italian entities and businesses, are back in the news; they are LockBit 3.0 Black and BlackCat/AlphV, which had already been reported by the media in the first decade of last July.
Like all ransomware, this is a type of malware that, once introduced into an organization, encrypts the data and then requires the victim to pay a ransom in order to decrypt it.
TG Soft ‘s CRAM researchers had the chance to test their Heuristic Behavioral technologies to combat even the variants of this family type of Ransomware attacks. These technologies, made available since 2015, proved to be effective and efficient in blocking the cyber attack, started in any mode, automatically within 100 milliseconds {1 tenth of a second => a blink of an eye} from the start of the encryption process.
The LockBit 3.0 Black attack analyzed by TG Soft‘s CRAM researchers, showed that access by cyber criminals was via exposed RDP.
As already reported in the Ransomware attack information via RDP access violation, drafted in 2017 and re-proposed in 2019, WE STRONGLY ADVISE EVERYONE AGAINST making accesses available via RDP because it is, even today, a potential access gatway to PCs/Servers for ” bad actors.”
The analyzed attack spread the ransomware Lockbit 3.0 aka LockBit Black {28/10}, as highlighted in the side image and the {02/11} the Makop… both were blocked in the initial phase of the attack, by Vir.IT’s AntiRansomware eXplorer PRO system.
Contact with cyber criminals is made via chat from the URLs given in the ransomware instructions.
Attack result…
The tandem of ransomware used in this case – Lockbit + Makop – was effectively blocked in the initial phase of the attack by the Heuristic-Behavioral technologies built into TG Soft’s solution.
Another threat around is the BlackCat/AlphV group.
Below is some payload info from TG Soft’s CRAM Analysts on BlackCat / ALPHV Ransomware.
Encrypted file structure ransomware BlackCat / ALPHV:
| [ORIGINAL_FILENAME].[ORIGINAL_extension].specific/different for each affected company |
We highlight that this ransomware uses a different extension for each affected Company/Entity.
Ransom instructions are released within each folder where the ransomware has encrypted files. The ransomware file is released in text format with the structure:
FileNameRequestToRansomStrRandom.txt
From the attack we simulated in our real infrastructure with a sample retrieved from an actual attack, the heuristic-behavioral protection of Vir.IT eXplorer PRO AntiRansomware Protection CryptoMalware, intervened in the range of 100 milliseconds {1/10th of a second} from the start of the encryption process. The few files encrypted in the initial phase of the attack can be recovered/restored through the RECOVERY & RESTORE tools of Vir.IT eXplorer PRO: BackupOnTheFLY and/or Vir.IT Backup!
The computer where the malicious process was initiated, simulating a HumanOperatedRansomware Attack, was automatically isolated from the rest of the network so that the ransomware attack could not propagate to the entire infrastructure, thus ensuring BusinessContinuity.
Obviously, as with any other software, its effectiveness and efficiency is subject to the 4 rules of good use:
More info on TG Soft’s Heuristic Behavioral technologies take a look at:
https://www.tgsoft.it/news/news_archivio.asp?id=1470&lang=eng
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Lockbit)
