NoName Specializes in Long-Tail Exploits
Up-and-coming online criminal extortion group RansomHub appears to have a new affiliate – NoName, a midtier actor whose main claim to fame so far has been impersonating the LockBit ransomware-as-a-service operation. NoName is known for exploiting years-old vulnerabilities.
Researchers from Eset on Tuesday said they assess with medium confidence that NoName has joined forces with RansomHub.
Eset cited a June hacking incident at an unnamed Indian manufacturing company in which NoName hackers initially failed to infect systems with their own ransomware – cryptor malware tracked as ScRansom. After days of trying, the hackers succeeded by using a RansomHub EDR killer tool to circumvent endpoint protection and deploy the RansomHub cryptor.
“To our knowledge, there are no public leaks of RansomHub code or its builder,” Eset stated.
RansomHub made its debut earlier this year and has a reputation for being “an efficient and successful” ransomware practitioner, the U.S. federal government said in an August advisory (see: RansomHub Hits Powered by Ex-Affiliates of LockBit, BlackCat).
NoName, which Eset tracks as CosmicBeetle, has been active since at least 2020. In September 2023, it set up a leak site mimicking the LockBit site and claiming LockBit victims as its own. In August, it appears to have used the leaked LockBit 3.0 builder in an attack. NoName operations are known for exploiting years-old vulnerabilities that small and medium businesses left unpatched and using those flaws in attacks that span the globe.
The group’s favorite vulnerabilities include CVE-2017-0144, a Windows server message block code execution vulnerability that became public knowledge after a group calling itself the Shadow Brokers leaked an exploit developed by the U.S. National Security Agency called EternalBlue (see: No Coincidence: Microsoft’s Timely Equation Group Fixes).
NoName also likes to exploit a flaw in Veeam Backup tracked as CVE-2023-27532 and a 2022 flaw in the FortiOS SSL-VPN tracked as CVE-2022-42475 (see: Fortinet Fixes Critical Remote Code Flaw).
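The three CVEs above are all old and all have vendor fixes, so the defensive question is simply which hosts still carry them. The following script is an added example, not code from Eset or from the article: it reads a vulnerability-scanner export (the rows, host names and IPs below are constructed sample data), keeps only findings that match the CVEs the article attributes to NoName, and ranks them so that internet-exposed hosts and the oldest flaws, the "long tail" the article describes, surface first. The scan date is likewise a constructed value.

```python
"""Triage open findings against CVEs an actor is known to exploit.

Added example (not from the Eset report or the article). Host names, IPs,
the scanner rows and the scan date are constructed sample data; the CVE
identifiers and their one-line descriptions come from the article.
"""
import csv
import io
from datetime import date

# CVEs the article names as favourites of NoName/CosmicBeetle.
ACTOR_CVES = {
    "CVE-2017-0144": "Windows SMB remote code execution (EternalBlue)",
    "CVE-2023-27532": "Veeam Backup flaw",
    "CVE-2022-42475": "FortiOS SSL-VPN flaw",
}

# Constructed scanner export: one row per (host, CVE) finding.
# CVE-0000-0000 is a deliberately invalid placeholder standing in for an
# unrelated finding that should not be prioritised by this actor profile.
SAMPLE_SCAN = """\
host,ip,internet_exposed,cve,status
fileserver01,10.0.1.5,no,CVE-2017-0144,open
backup01,10.0.2.10,no,CVE-2023-27532,open
vpn-gw,203.0.113.7,yes,CVE-2022-42475,open
vpn-gw-old,203.0.113.9,yes,CVE-2022-42475,fixed
web01,203.0.113.8,yes,CVE-0000-0000,open
"""


def cve_year(cve_id: str) -> int:
    """Year component of a CVE identifier (CVE-YYYY-NNNN)."""
    return int(cve_id.split("-")[1])


def triage(scan_csv: str, today: date) -> list[dict]:
    """Return open findings matching ACTOR_CVES, highest priority first.

    Priority: internet-exposed hosts before internal ones, then the oldest
    CVE first, since an unpatched years-old flaw is exactly what this actor
    looks for.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        if row["status"] != "open" or row["cve"] not in ACTOR_CVES:
            continue
        age = today.year - cve_year(row["cve"])
        exposed = row["internet_exposed"].strip().lower() == "yes"
        findings.append({
            "host": row["host"],
            "ip": row["ip"],
            "cve": row["cve"],
            "why": ACTOR_CVES[row["cve"]],
            "age_years": age,
            "internet_exposed": exposed,
        })
    findings.sort(key=lambda f: (0 if f["internet_exposed"] else 1,
                                 -f["age_years"]))
    return findings


def report(findings: list[dict]) -> list[str]:
    """Human-readable lines, one per finding, in priority order."""
    lines = []
    for rank, f in enumerate(findings, start=1):
        where = "internet-exposed" if f["internet_exposed"] else "internal"
        lines.append(f"{rank}. {f['host']} ({f['ip']}, {where}): "
                     f"{f['cve']} is {f['age_years']} years old - {f['why']}")
    return lines


if __name__ == "__main__":
    scan_date = date(2024, 9, 11)  # constructed scan date
    for line in report(triage(SAMPLE_SCAN, scan_date)):
        print(line)
```

Feeding this a real scanner export means matching the column names, but the ranking rule is the point: an actor profile like the one in the article is most useful when it is turned into a short list of hosts that must be patched this week rather than a list of CVE numbers.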
The group’s latest cryptor malware, ScRansom, is relatively basic and often leads to permanent data loss. Multiple decryption keys are sometimes required to unlock files, and some are lost altogether due to flaws in the encryption process.
CosmicBeetle’s shift to impersonating the notorious LockBit gang seems to be a deliberate attempt to bolster its reputation.
Researchers discovered that the group had been experimenting with LockBit’s leaked builder and even set up a fake leak site, dubbed Noname, which mimicked LockBit’s platform, hosted ransom notes and attempted to convince victims that they had been targeted by the infamous group.
Earlier versions of ScRansom, which is written in Delphi, required manual interaction: attackers needed access to the victim’s system to launch the ransomware by hand. This approach likely allowed the malware to evade detection in automated sandboxes.