Monday, September 16, 2024

Leaked Ransomware Code Fuels Cyberattacks


Kaspersky’s latest research reveals the growing threat of ransomware attacks using leaked code, highlighting the need for robust cybersecurity solutions.

Kaspersky’s Global Research and Analysis Team (GReAT) has published a report describing recent ransomware attacks using leaked code. This research sheds light on the tools and methods utilized by organized ransomware groups and individual attackers.

Organized ransomware groups, with a vast array of tools and samples at their disposal, often run proprietary ransomware, while standalone criminals frequently rely on leaked or do-it-yourself variants. Kaspersky's latest research examines recent attacks built on leaked source code, which lets threat actors find victims and spread malicious activity quickly, and turns newcomers into a real menace.


  • SEXi: In April 2024, the SEXi group launched a ransomware attack against data center and hosting provider IxMetro, using a newly identified variant. The group targets VMware ESXi hosts, and all known victims were running unsupported versions. SEXi distinguishes itself by using different ransomware for different platforms: Babuk for Linux and LockBit for Windows. Unusually, it relies on the Session messaging app for contact, reusing a single user ID across multiple attacks. This lack of professionalism, and the absence of a TOR-based leak site, further set the group apart.
  • Key Group: The Key Group, also known as keygroup777, has used eight different ransomware families since it emerged in April 2022, and its techniques and persistence mechanisms have changed with each new variant. The UX-Cryptor variant, for example, persisted through multiple registry entries, while the Chaos variant instead relied on the Startup folder. Despite the variety, Key Group is noted for unprofessional operations, including a public GitHub repository for C2 communication and Telegram for interaction, which make the group easier to track.
  • Mallox: Mallox, a lesser-known ransomware variant, first appeared in 2021, and the group launched an affiliate program soon after. In 2023 it had 16 active partners. Unlike SEXi and Key Group, Mallox's authors claim to have purchased the source code. They are also explicit about which organizations affiliates should infect: no less than US$10 million in revenue, and no hospitals or educational institutions. Affiliates were tracked through unique IDs, and their activity produced significant spikes in 2023.
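The persistence locations named for Key Group's variants, the Run registry keys and the Startup folder, are also the first places a responder looks on a suspect Windows host. As an added example that is not part of Kaspersky's report, the following PowerShell script enumerates both and flags entries whose target lives in a user-writable directory; the list of "suspicious" directories is an assumption and should be tuned to your own baseline.

```powershell
# Added example (not from Kaspersky's report): audit the autostart locations that
# commodity ransomware persistence abuses - the Run/RunOnce registry keys and the
# per-user / all-users Startup folders - and flag entries pointing into
# user-writable directories. Run in an elevated PowerShell on the host.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Directories a standard user can write to. An autostart entry launching from one
# of these is the pattern worth a second look. Assumption: a clean baseline has none.
$suspiciousRoots = @(
    $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA,
    "$env:USERPROFILE\Downloads", 'C:\Users\Public'
)

function Test-SuspiciousPath {
    param([string]$Command)
    foreach ($root in $suspiciousRoots) {
        if (-not $root) { continue }
        # Case-insensitive substring match; avoids -like wildcard quirks in paths
        if ($Command.IndexOf($root, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return $false
}

$findings = @()

# 1. Registry Run / RunOnce values (the UX-Cryptor-style mechanism)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PS* metadata properties Get-ItemProperty adds
        if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
        $findings += [pscustomobject]@{
            Source     = $key
            Name       = $p.Name
            Command    = [string]$p.Value
            Suspicious = Test-SuspiciousPath ([string]$p.Value)
        }
    }
}

# 2. Files dropped into the Startup folders (the Chaos-style mechanism)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -Force | ForEach-Object {
        $target = $_.FullName
        # Resolve .lnk shortcuts so the check sees the real executable
        if ($_.Extension -eq '.lnk') {
            $shell  = New-Object -ComObject WScript.Shell
            $target = $shell.CreateShortcut($_.FullName).TargetPath
        }
        $findings += [pscustomobject]@{
            Source     = $dir
            Name       = $_.Name
            Command    = $target
            Suspicious = Test-SuspiciousPath $target
        }
    }
}

# Suspicious entries first; review the Command column against known software
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

HKCU is per-user, so run the script in the context of each account you are investigating, not only the administrator's. It covers only the two locations the text mentions; Sysinternals Autoruns additionally enumerates services, scheduled tasks, WMI subscriptions and the other autostart points ransomware variants use.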

“The barrier to entry for launching ransomware attacks has plummeted. With off-the-shelf ransomware and affiliate programs, even novice cybercriminals can pose a significant threat,” comments Jornt van der Wiel, a senior cybersecurity researcher at Kaspersky’s GReAT.

Groups using leaked variants may not show a high level of professionalism, but they are effective nonetheless, through successful affiliate schemes or niche targeting, as Key Group and SEXi demonstrate. The publication and leakage of ransomware source code therefore poses a substantial threat to organizations and individuals.


To keep your data protected from ransomware, Kaspersky experts recommend:

  • Set up offline backups that intruders cannot tamper with, and make sure you can restore from them quickly in an emergency.
  • Always keep software updated on all your devices to prevent ransomware from exploiting vulnerabilities.
  • Use an endpoint protection solution with anti-phishing capabilities, such as Kaspersky Next, to decrease the chance of infection through a phishing email.
  • Protect mail servers as well: Kaspersky Security for Mail Server has anti-phishing capabilities that prevent employees and the business from being defrauded by socially engineered scams.
  • If you use Microsoft 365 cloud service, remember to protect it, too. Kaspersky Security for Microsoft Office 365 has dedicated anti-spam and anti-phishing protection for SharePoint, Teams, and OneDrive apps for secure business communications.
  • Provide your staff with basic cybersecurity hygiene training, such as Kaspersky Security Awareness. Conduct a simulated phishing attack to ensure your employees know how to distinguish phishing emails.
  • Assess and audit the access that your supply chain and managed service providers have to your environment.
