The Good, the Bad and the Ugly in Cybersecurity – Week 6

The Good

Seven individuals were sanctioned this week for their involvement with the notorious TrickBot cyber gang. Authorities have sanctioned a formal block on all U.S.-based property and funds belonging to Vitaly Kovalev, Maksim Mikhailov, Valentin Karyagin, Mikhail Iskritskiy, Dmitry Pleshevskiy, Ivan Vakhromeyev, and Valery Sedletski. Of the seven, one has been identified as a senior figure within the gang while others were involved in ransomware development, money-laundering, and day-to-day administration.

TrickBot malware transitioned from banking trojan to a full-blown malware designed to break into corporate networks in advanced ransomware operations. The Russian-based cybercrime gang is also tied to the development of multiple malware strains such as BumbleBee, BazarBackdoor, and Anchor. TrickBot is no stranger to news headlines – in just the last three years, the malware was leveraged in a major attack on the Costa Rican government and targeted large hospitals and healthcare services across Ireland and the U.S., particularly during the COVID-19 pandemic.

The joint sanction effort by authorities in the U.S. and United Kingdom follows a significant leak last year of Conti and TrickBot internal conversations, source code, and personally identifiable information. The ‘ContiLeaks’ resulted in a rare look into the operational infrastructures and identities of key members across both groups, with Conti having acquired TrickBot earlier last year.

Though Conti has disbanded after the leaking of their source code, individuals from the group have likely all transferred to other ransomware gangs, or started new operations. This fact alone makes collaborative efforts to impose sanctions on cybercriminals that much more necessary. Deployment of sanctions make it much harder for threat actors to launder their money, cutting them off from their financial gains and leaving less room for them to operate in.

The Bad

This week, SentinelLabs researchers reported on a new variant of Cl0p ransomware targeting Linux devices, noting its appearance as part of a larger trend amongst ransomware groups creating new variants of their respective strains.

Cl0p ransomware may have only just branched out into targeting Linux devices, widely used by enterprises as servers and cloud workload hosts, but the group itself has been around since 2019. They have been known to target critical infrastructure around the world but focus especially on large enterprises, financial institutions, and schools. So far, the Linux variant has been seen targeting educational institutions, including a university in Columbia late December.

Despite the concerns this development raises, the report highlights a small silver lining. SentinelLabs researchers found a flaw in the Linux variant, enabling them to create a decryptor tool. Victims of the Linux variant can decrypt any encrypted data without having to pay the ransom. The report explains that unlike the Cl0p Windows ransomware variant, which uses asymmetric encryption and a private key only known to the attackers, the Linux variant uses a symmetric encryption algorithm with the key needed for decryption hardcoded into the malware itself. This makes it possible for analysts to reverse the encryption based on code found in the sample.

The discovery of a Linux variant of Cl0p ransomware demonstrates once again that ransomware groups will continue to seek new targets and methods to maximize their profits. Linux, which is widely used in many enterprise environments, offers up a rich pool of potential victims in the eyes of threat actors. With more operations shifting towards cloud computing and virtual environments, there’s no doubt that Linux has become increasingly attractive to actors in search of easier targets and higher rewards. It is likely that the malware authors will fix the flaw in future iterations and organizations should take steps to protect themselves from ransomware.

The Ugly

A wave of new ESXiArgs ransomware attacks was reported this week, encrypting extensive amounts of data on various servers across the US, Canada, and Central Europe. While ongoing investigations indicate that the servers were compromised by way of a two-year-old VMware Service Location Protocol (SLP) vulnerability tracked as CVE-2021-21974, some victims are reporting that they still experienced breach and encryption even though SLP was disabled in their environments.

Since the first wave of the ransomware campaign earlier this week, the ESXiArgs attacks have targeted over 3800 victims by encrypting the configuration files on vulnerable, unpatched VMware ESXi servers and rendering the virtual machines potentially unusable. Investigative findings so far show the ransomware encrypting .vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, and .vmem files on compromised servers. To date, CISA and the FBI have jointly released an advisory and recovery script for victims available on GitHub. The advisory encourages enterprises with affected servers to update to the latest version of ESXi, disable the SLP service, and remove any exposure of the ESXi hypervisor to the public internet.

Security researchers believe these attacks have been so rampant due to the sheer volume of vulnerable targets: At least 12% of all existing VMware ESXi servers remain unpatched against CVE-2021-21974, making them a vulnerable target to ESXiArgs ransomware. Highly-focused ransomware campaigns like ESXiArgs may not be particularly sophisticated, but they can be thoroughly damaging. Such a widely exposed attack surface underscores the criticality of upholding regular patch management, especially for internet-facing devices. This is a developing story and the operators behind ESXiArgs have yet to be attributed.