Threat Intelligence Report May 9 - May 15 2023

The DarkWatchman Remote Access Trojan (RAT) has recently been observed utilizing a novel phishing technique to propagate itself, underscoring the persistent innovation employed by threat actors to compromise systems. The growing frequency of DarkWatchman sightings in the wild suggests that this malware may become an increasingly prevalent feature of future cyberattacks.

Moreover, the use of the Windows Registry as a storage medium for fileless malware is a notable development, as it can effectively evade detection by traditional antivirus solutions that depend on file scanning. The keylogging functionality of DarkWatchman serves as a representative example of such fileless malware capable of bypassing detection measures.

A recently detected ransomware variant dubbed "Akira" is currently targeting multiple organisations and jeopardizing the confidentiality of their sensitive data. To increase the probability of receiving payment from the victims, the Akira ransomware uses a double-extortion tactic, which involves both exfiltrating and encrypting the data. The threat actors behind the ransomware then threaten to publicize or sell the stolen data on the dark web if the ransom is not paid to decrypt the data.

Akira ransomware was first observed in April 2023 and has already affected more than 15 publicly disclosed victims, with a majority of them located in the United States. The victims hail from diverse industries, including but not limited to BFSI, Construction, Education, Healthcare, and Manufacturing.

The Akira ransomware is a recently identified strain of ransomware that has been predominantly impacting organisations in the United States and Canada. This ransomware group is actively targeting businesses and demanding a substantial amount of money in exchange for the decryption keys.

As organisations ramp up their defences against ransomware attacks, there is a corresponding increase in the number of new ransomware groups emerging. These groups continually refine their strategies and expand their operations to maximize their profits.

The Snake malware is an information-stealing malware that is implemented in the .NET programming language.  It is a feature-rich information-stealing malware that has keystroke logging as well as clipboard data, screenshot, and credential theft capabilities. Snake can steal credentials from over 50 applications, which include File Transfer Protocol (FTP) clients, email clients, communication platforms, and web browsers. Snake can exfiltrate stolen data through a variety of protocols, such as FTP, Simple Mail Transfer Protocol (SMTP), and Telegram.

A new cross-platform botnet has been found originating from malicious software downloads on Windows devices and succeeds in infecting Linux-based devices like Minecraft servers. The botnet spreads by enumerating default credentials on internet-exposed Secure Shell (SSH)-enabled devices. IoT devices with remote configuration enabled and configured with potentially insecure settings are at risk of attacks like this botnet. The botnet’s spreading mechanism makes it uniquely interesting. While the malware can be removed from the infected source PC, it could persist on unmanaged IoT devices in the network and continue to operate as part of the botnet.

Red Piranha proactively gathers information about organizations impacted by ransomware attacks through various channels, including the Dark Web. In the past week, our team identified a total of 109 new ransomware victims from 22 distinct industries across 22 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which can affect organizations of all sizes and sectors.

Blackbasta, a specific ransomware, has affected the largest number of new victims (23) spread across various countries. Akira and Alphv groups follow closely with each hitting 15 and 11 new victims respectively. Below are the victim counts (%) for these ransomware groups and a few others.

When we examine the victims by country out of 18 countries around the world, we can conclude that the USA was once again the most ransomware-affected country, with a total of 51 new victims reported last week. The list below displays the number (%) of new ransomware victims per country.

      


After conducting additional research, we found that ransomware has impacted 19 industries globally. Last week, the manufacturing and Education sectors were hit particularly hard, with the loss of 10 businesses in each sector respectively. The table below presents the most recent ransomware victims sorted by industry.