Group – INDIA NEWS (https://www.indiavpn.org), News Blog feed, last built Tue, 09 Apr 2024 15:33:19 +0000

10-Year-Old ‘RUBYCARP’ Romanian Hacker Group Surfaces with Botnet
https://www.indiavpn.org/2024/04/09/10-year-old-rubycarp-romanian-hacker-group-surfaces-with-botnet/
Published Tue, 09 Apr 2024 15:33:19 +0000

Apr 09, 2024 | Newsroom | Botnet / Crypto Mining

A threat group of suspected Romanian origin called RUBYCARP has been observed maintaining a long-running botnet for carrying out crypto mining, distributed denial-of-service (DDoS), and phishing attacks.

The group, believed to be active for at least 10 years, employs the botnet for financial gain, Sysdig said in a report shared with The Hacker News.

“Its primary method of operation leverages a botnet deployed using a variety of public exploits and brute-force attacks,” the cloud security firm said. “This group communicates via public and private IRC networks.”

Evidence gathered so far suggests that RUBYCARP may have crossover with another threat cluster tracked by Albanian cybersecurity firm Alphatechs under the moniker Outlaw, which has a history of conducting crypto mining and brute-force attacks and has since pivoted to phishing and spear-phishing campaigns to cast a wide net.

“These phishing emails often lure victims into revealing sensitive information, such as login credentials or financial details,” security researcher Brenton Isufi said in a report published in late December 2023.

A notable aspect of RUBYCARP’s tradecraft is the use of a malware called ShellBot (aka PerlBot) to breach target environments. It has also been observed exploiting security flaws in the Laravel Framework (e.g., CVE-2021-3129), a technique also adopted by other threat actors like AndroxGh0st.

In a sign that the attackers are expanding their arsenal of initial access methods to expand the scale of the botnet, Sysdig said it discovered signs of WordPress sites being compromised using commonly used usernames and passwords.

“Once access is obtained, a backdoor is installed based on the popular Perl ShellBot,” the company said. “The victim’s server is then connected to an [Internet Relay Chat] server acting as command-and-control, and joins the larger botnet.”

The botnet is estimated to comprise over 600 hosts, with the IRC server (“chat.juicessh[.]pro”) created on May 1, 2023. It heavily relies on IRC for general communications as well as for managing its botnets and coordinating crypto mining campaigns.

Furthermore, members of the group – named juice_, Eugen, Catalin, MUIE, and Smecher, among others – have been found to communicate via an Undernet IRC channel called #cristi. The group also uses a mass scanner tool to find new potential hosts.

RUBYCARP’s arrival on the cyber threat scene is not surprising given their ability to take advantage of the botnet to fuel diverse illicit income streams such as crypto mining and phishing operations to steal credit card numbers.

While it appears that the stolen credit card data is used to purchase attack infrastructure, there is also the possibility that the information could be monetized through other means by selling it in the cyber crime underground.

“These threat actors are also involved in the development and sale of cyber weapons, which isn’t very common,” Sysdig said. “They have a large arsenal of tools they have built up over the years, which gives them quite a range of flexibility when conducting their operations.”

Finland Blames Chinese Hacking Group APT31 for Parliament Cyber Attack
https://www.indiavpn.org/2024/03/28/finland-blames-chinese-hacking-group-apt31-for-parliament-cyber-attack/
Published Thu, 28 Mar 2024 17:18:30 +0000

Mar 28, 2024 | Newsroom | Cyber Espionage / Malware

The Police of Finland (aka Poliisi) has formally accused a Chinese nation-state actor tracked as APT31 for orchestrating a cyber attack targeting the country’s Parliament in 2020.

The intrusion, per the authorities, is said to have occurred between fall 2020 and early 2021. The agency described the ongoing criminal probe as both demanding and time-consuming, involving extensive analysis of a “complex criminal infrastructure.”

The breach was first disclosed in December 2020, with the Finnish Security and Intelligence Service (Supo) describing it as a state-backed cyber espionage operation designed to penetrate the Parliament’s information systems.

“The police have previously informed that they are investigating the hacking group APT31’s connections with the incident,” Poliisi said. “These connections have now been confirmed by the investigation, and the police have also identified one suspect.”

APT31, also called Altaire, Bronze Vinewood, Judgement Panda, and Violet Typhoon (formerly Zirconium), is a Chinese state-backed group that has been active since at least 2010.

Earlier this week, the U.K. and the U.S. blamed the adversarial collective for engaging in a widespread cyber espionage campaign targeting businesses, government officials, dissidents, and politicians.

Seven operatives associated with the group have been charged in the U.S. for their involvement in the hacking spree. Two of them – Ni Gaobin and Zhao Guangzong – have been sanctioned by the two nations, alongside a company named Wuhan XRZ, which allegedly served as a cover for orchestrating cyber attacks against critical infrastructure.

“Guangzong is a Chinese national who has conducted numerous malicious cyber operations against U.S. victims as a contractor for Wuhan XRZ,” the U.S. Treasury said. “Ni Gaobin assisted Zhao Guangzong in many of his most high profile malicious cyber activities while Zhao Guangzong was a contractor at Wuhan XRZ.”

In July 2021, the U.S. and its allies implicated APT31 in a widespread campaign exploiting zero-day security flaws in Microsoft Exchange servers with the goal of likely “acquiring personally identifiable information and intellectual property.”

China, however, has hit back against the accusations that it’s behind the hacking campaign targeting the West. It has accused the Five Eyes (FVEY) alliance of spreading “disinformation about the threats posed by the so-called ‘Chinese hackers.'”

“We urge the U.S. and the U.K. to stop politicizing cybersecurity issues, stop smearing China and imposing unilateral sanctions on China, and stop cyberattacks against China,” China’s Foreign Ministry Spokesperson Lin Jian said. “China will take necessary measures to firmly safeguard its lawful rights and interests.”

China-Linked Group Breaches Networks via Connectwise, F5 Software Flaws
https://www.indiavpn.org/2024/03/22/china-linked-group-breaches-networks-via-connectwise-f5-software-flaws/
Published Fri, 22 Mar 2024 12:39:42 +0000

Mar 22, 2024 | Newsroom | Cyber Defense / Vulnerability

A China-linked threat cluster leveraged security flaws in Connectwise ScreenConnect and F5 BIG-IP software to deliver custom malware capable of delivering additional backdoors on compromised Linux hosts as part of an “aggressive” campaign.

Google-owned Mandiant is tracking the activity under its uncategorized moniker UNC5174 (aka Uteus or Uetus), describing it as a “former member of Chinese hacktivist collectives that has since shown indications of acting as a contractor for China’s Ministry of State Security (MSS) focused on executing access operations.”

The threat actor is believed to have orchestrated widespread attacks against Southeast Asian and U.S. research and education institutions, Hong Kong businesses, charities and non-governmental organizations (NGOs), and U.S. and U.K. government organizations between October and November 2023, and again in February 2024 using the ScreenConnect bug.

Initial access to target environments is facilitated by the exploitation of known security flaws in Atlassian Confluence (CVE-2023-22518), ConnectWise ScreenConnect (CVE-2024-1709), F5 BIG-IP (CVE-2023-46747), Linux Kernel (CVE-2022-0185), and Zyxel (CVE-2022-3052).

A successful foothold is followed by extensive reconnaissance and scanning of internet-facing systems for security vulnerabilities, with UNC5174 also creating administrative user accounts to execute malicious actions with elevated privileges, including dropping a C-based ELF downloader dubbed SNOWLIGHT.

SNOWLIGHT is designed to download the next-stage payload, an obfuscated Golang backdoor named GOREVERSE, from a remote URL that’s related to SUPERSHELL, an open-source command-and-control (C2) framework that allows attackers to establish a reverse SSH tunnel and launch interactive shell sessions to execute arbitrary code.

Also put to use by the threat actor is a Golang-based tunneling tool known as GOHEAVY, which is likely employed to facilitate lateral movement within compromised networks, as well as other programs like afrog, DirBuster, Metasploit, Sliver, and sqlmap.

In one unusual instance spotted by the threat intelligence firm, the threat actors have been found to apply mitigations for CVE-2023-46747 in a likely attempt to prevent other unrelated adversaries from weaponizing the same loophole to obtain access.

“UNC5174 (aka Uteus) was previously a member of Chinese hacktivist collectives ‘Dawn Calvary’ and has collaborated with ‘Genesis Day’/‘Xiaoqiying’ and ‘Teng Snake,’” Mandiant assessed. “This individual appears to have departed these groups in mid-2023 and has since focused on executing access operations with the intention of brokering access to compromised environments.”

There is evidence to suggest that the threat actor may be an initial access broker, even claiming to be affiliated with the MSS in dark web forums. This is bolstered by the fact that some of the U.S. defense and U.K. government entities were simultaneously targeted by another access broker referred to as UNC302.

The findings once again underscore Chinese nation-state groups’ continued efforts to breach edge appliances by swiftly co-opting recently disclosed vulnerabilities into their arsenal in order to conduct cyber espionage operations at scale.

“UNC5174 has been observed attempting to sell access to U.S. defense contractor appliances, U.K. government entities, and institutions in Asia in late 2023 following CVE-2023-46747 exploitation,” Mandiant researchers said.

“There are similarities between UNC5174 and UNC302, which suggests they operate within an MSS initial access broker landscape. These similarities suggest possible shared exploits and operational priorities between these threat actors, although further investigation is required for definitive attribution.”

The disclosure comes as the MSS warned that an unnamed foreign hacking group had infiltrated “hundreds” of Chinese business and government organizations by leveraging phishing emails and known security bugs to breach networks. It did not reveal the threat actor’s name or origin.

APT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme
https://www.indiavpn.org/2024/03/18/apt28-hacker-group-targeting-europe-americas-asia-in-widespread-phishing-scheme/
Published Mon, 18 Mar 2024 06:31:32 +0000

Mar 18, 2024 | Newsroom | Cyber Warfare / Malware

The Russia-linked threat actor known as APT28 has been linked to multiple ongoing phishing campaigns that employ lure documents imitating government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America.

“The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production,” IBM X-Force said in a report published last week.

The tech company is tracking the activity under the moniker ITG05, which is also known as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, TA422, and UAC-028.

The disclosure comes more than three months after the adversary was spotted using decoys related to the ongoing Israel-Hamas war to deliver a custom backdoor dubbed HeadLace.

APT28 has since also targeted Ukrainian government entities and Polish organizations with phishing messages designed to deploy bespoke implants and information stealers like MASEPIE, OCEANMAP, and STEELHOOK.

Other campaigns have entailed the exploitation of security flaws in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) to plunder NT LAN Manager (NTLM) v2 hashes, raising the possibility that the threat actor may leverage other weaknesses to exfiltrate NTLMv2 hashes for use in relay attacks.

The latest campaigns observed by IBM X-Force between late November 2023 and February 2024 leverage the “search-ms:” URI protocol handler in Microsoft Windows to trick victims into downloading malware hosted on actor-controlled WebDAV servers.

There is evidence to suggest that both the WebDAV servers and the MASEPIE C2 servers may be hosted on compromised Ubiquiti routers; a botnet made up of such routers was taken down by the U.S. government last month.

The phishing attacks impersonate entities from several countries such as Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the U.S., putting to use a mix of authentic publicly available government and non-government lure documents to activate the infection chains.

“In an update to their methodologies, ITG05 is utilizing the freely available hosting provider, firstcloudit[.]com to stage payloads to enable ongoing operations,” security researchers Joe Fasulo, Claire Zaboeva, and Golo Mühr said.

APT28’s elaborate scheme culminates in the execution of MASEPIE, OCEANMAP, and STEELHOOK, which are designed to exfiltrate files, run arbitrary commands, and steal browser data. OCEANMAP has been characterized as a more capable version of CredoMap, another backdoor previously identified as used by the group.

“ITG05 remains adaptable to changes in opportunity by delivering new infection methodologies and leveraging commercially available infrastructure, while consistently evolving malware capabilities,” the researchers concluded.

RedCurl Cybercrime Group Abuses Windows PCA Tool for Corporate Espionage
https://www.indiavpn.org/2024/03/14/redcurl-cybercrime-group-abuses-windows-pca-tool-for-corporate-espionage/
Published Thu, 14 Mar 2024 11:53:16 +0000

Mar 14, 2024 | Newsroom | Cyber Espionage / Malware

The Russian-speaking cybercrime group called RedCurl is leveraging a legitimate Microsoft Windows component called the Program Compatibility Assistant (PCA) to execute malicious commands.

“The Program Compatibility Assistant Service (pcalua.exe) is a Windows service designed to identify and address compatibility issues with older programs,” Trend Micro said in an analysis published this month.

“Adversaries can exploit this utility to enable command execution and bypass security restrictions by using it as an alternative command-line interpreter. In this investigation, the threat actor uses this tool to obscure their activities.”

RedCurl, which is also called Earth Kapre and Red Wolf, is known to be active since at least 2018, orchestrating corporate cyber espionage attacks against entities located in Australia, Canada, Germany, Russia, Slovenia, the U.K., Ukraine, and the U.S.

In July 2023, F.A.C.C.T. revealed that a major Russian bank and an Australian company were targeted by the threat actor in November 2022 and May 2023 to pilfer confidential corporate secrets and employee information.

The attack chain examined by Trend Micro entails the use of phishing emails containing malicious attachments (.ISO and .IMG files) to activate a multi-stage process that starts with the use of cmd.exe to download a legitimate utility called curl from a remote server, which then acts as a channel to deliver a loader (ms.dll or ps.dll).

The malicious DLL file, in turn, leverages PCA to spawn a downloader process that takes care of establishing a connection with the same domain used by curl to fetch the loader.

The attack also uses the Impacket open-source software for unauthorized command execution.

The connections to Earth Kapre stem from overlaps in the command-and-control (C2) infrastructure as well as similarities with known downloader artifacts used by the group.

“This case underscores the ongoing and active threat posed by Earth Kapre, a threat actor that targets a diverse range of industries across multiple countries,” Trend Micro said.

“The actor employs sophisticated tactics, such as abusing PowerShell, curl, and Program Compatibility Assistant (pcalua.exe) to execute malicious commands, showcasing its dedication to evading detection within targeted networks.”

The development comes as the Russian nation-state group known as Turla (aka Iron Hunter, Pensive Ursa, Secret Blizzard, Snake, Uroburos, Venomous Bear, and Waterbug) has begun employing a new wrapper DLL codenamed Pelmeni to deploy the .NET-based Kazuar backdoor.

Pelmeni – which masquerades as libraries related to SkyTel, NVIDIA GeForce Experience, vncutil, or ASUS – is loaded by means of DLL side-loading. Once this spoofed DLL is called by the legitimate software installed on the machine, it decrypts and launches Kazuar, Lab52 said.

Magnet Goblin Hacker Group Leveraging 1-Day Exploits to Deploy Nerbian RAT
https://www.indiavpn.org/2024/03/11/magnet-goblin-hacker-group-leveraging-1-day-exploits-to-deploy-nerbian-rat/
Published Mon, 11 Mar 2024 09:12:27 +0000

Mar 11, 2024 | Newsroom | Zero-Day / Endpoint Security

A financially motivated threat actor called Magnet Goblin is swiftly adopting one-day security vulnerabilities into its arsenal in order to opportunistically breach edge devices and public-facing services and deploy malware on compromised hosts.

“Threat actor group Magnet Goblin’s hallmark is its ability to swiftly leverage newly disclosed vulnerabilities, particularly targeting public-facing servers and edge devices,” Check Point said.

“In some cases, the deployment of the exploits is within 1 day after a [proof-of-concept] is published, significantly increasing the threat level posed by this actor.”

Attacks mounted by the adversary have leveraged unpatched Ivanti Connect Secure VPN, Magento, Qlik Sense, and possibly Apache ActiveMQ servers as an initial infection vector to gain unauthorized access. The group is said to be active since at least January 2022.

A successful exploitation is followed by the deployment of a cross-platform remote access trojan (RAT) dubbed Nerbian RAT, which was first disclosed by Proofpoint in May 2022, as well as its simplified variant called MiniNerbian. The use of the Linux version of Nerbian RAT was previously highlighted by Darktrace.

Both strains allow for the execution of arbitrary commands received from a command-and-control (C2) server and exfiltrate the results back to it.

Some of the other tools used by Magnet Goblin include the WARPWIRE JavaScript credential stealer, the Go-based tunneling software known as Ligolo, and legitimate remote desktop offerings such as AnyDesk and ScreenConnect.

“Magnet Goblin, whose campaigns appear to be financially motivated, has been quick to adopt 1-day vulnerabilities to deliver their custom Linux malware, Nerbian RAT and MiniNerbian,” the company said.

“Those tools have operated under the radar as they mostly reside on edge-devices. This is part of an ongoing trend for threat actors to target areas which until now have been left unprotected.”

BlackCat Ransomware Group Vanishes After $22 Million Payout
https://www.indiavpn.org/2024/03/06/blackcat-ransomware-group-vanishes-after-22-million-payout/
Published Wed, 06 Mar 2024 21:08:01 +0000

Mar 06, 2024 | Newsroom | Cyber Crime / Ransomware

The threat actors behind the BlackCat ransomware have shut down their darknet website and likely pulled an exit scam after uploading a bogus law enforcement seizure banner.

“ALPHV/BlackCat did not get seized. They are exit scamming their affiliates,” security researcher Fabian Wosar said. “It is blatantly obvious when you check the source code of the new takedown notice.”

“There is absolutely zero reason why law enforcement would just put a saved version of the takedown notice up during a seizure instead of the original takedown notice.”

The U.K.’s National Crime Agency (NCA) told Reuters that it had no connection to any disruptions to the BlackCat infrastructure.

Recorded Future security researcher Dmitry Smilyanets posted screenshots on the social media platform X in which the BlackCat actors claimed that the “feds screwed us over” and that they intended to sell the ransomware’s source code for $5 million.

The disappearing act comes after the group allegedly received a $22 million ransom payment from UnitedHealth’s Change Healthcare unit (Optum) and refused to share the proceeds with the affiliate that had carried out the attack.

The company has not commented on the alleged ransom payment, instead stating it’s only focused on investigation and recovery aspects of the incident.

According to DataBreaches, the disgruntled affiliate – which had its account suspended by the administrative staff – made the allegations on the RAMP cybercrime forum. “They emptied the wallet and took all the money,” they said.

This has raised speculations that BlackCat has staged an exit scam to evade scrutiny and resurface in the future under a new brand. “A re-branding is pending,” a now-former admin of the ransomware group was quoted as saying.

BlackCat had its infrastructure seized by law enforcement in December 2023, but the e-crime gang managed to wrest back control of its servers and restart its operations without any major consequences. The group previously operated under the monikers DarkSide and BlackMatter.

“Internally, BlackCat may be worried about moles within their group, and closing up shop preemptively could stop a takedown before it occurs,” Malachi Walker, a security advisor with DomainTools, said.

“On the other hand, this exit scam might simply be an opportunity for BlackCat to take the cash and run. Since crypto is once again at an all-time high, the gang can get away with selling their product ‘high.’ In the cybercrime world, reputation is everything, and BlackCat seems to be burning bridges with its affiliates with these actions.”

The group’s apparent demise and the abandonment of its infrastructure come as malware research group VX-Underground reported that the LockBit ransomware operation no longer supports Lockbit Red (aka Lockbit 2.0) and StealBit, a custom tool used by the threat actor for data exfiltration.

LockBit has also tried to save face by moving some of its activities to a new dark web portal after a coordinated law enforcement operation, following a months-long investigation, took down its infrastructure last month.

It also comes as Trend Micro revealed that the ransomware family known as RA World (formerly RA Group) has successfully infiltrated healthcare, finance, and insurance companies in the U.S., Germany, India, Taiwan, and other countries since emerging in April 2023.

Attacks mounted by the group “involve multi-stage components designed to ensure maximum impact and success in the group’s operations,” the cybersecurity firm noted.

New APT Group ‘Lotus Bane’ Behind Recent Attacks on Vietnam’s Financial Entities
https://www.indiavpn.org/2024/03/06/new-apt-group-lotus-bane-behind-recent-attacks-on-vietnams-financial-entities/
Published Wed, 06 Mar 2024 16:25:50 +0000

Mar 06, 2024 | Newsroom | Cyber Attack / Malware

A financial entity in Vietnam was the target of a previously undocumented threat actor called Lotus Bane that was first detected in March 2023.

Singapore-headquartered Group-IB described the hacking outfit as an advanced persistent threat group that’s believed to have been active since at least 2022.

The exact specifics of the infection chain remain unknown as yet, but it involves the use of various malicious artifacts that serve as the stepping stone for the next stage.

“The cybercriminals used methods such as DLL side-loading and data exchange via named pipes to run malicious executables and create remote scheduled tasks for lateral movement,” the company said.

Group-IB told The Hacker News that the techniques used by Lotus Bane overlap with those of OceanLotus, a Vietnam-aligned threat actor also known as APT32, Canvas Cyclone (formerly Bismuth), and Cobalt Kitty. This assessment stems from the use of malware like PIPEDANCE for named-pipe communication.

It’s worth noting that PIPEDANCE was first documented by Elastic Security Labs in February 2023 in connection with a cyber attack targeting an unnamed Vietnamese organization in late December 2022.

“This similarity suggests possible connections with or inspirations from OceanLotus, however, the different target industries make it likely that they are different,” Anastasia Tikhonova, head of Threat Intelligence for APAC at Group-IB, said.

“Lotus Bane is actively engaging in attacks primarily targeting the banking sector in the APAC region. Although the known attack was in Vietnam, the sophistication of their methods indicates the potential for broader geographical operations within APAC. The exact duration of their activity prior to this discovery is currently unclear, but ongoing investigations may shed more light on their history.”

The development comes as financial organizations across Asia-Pacific (APAC), Europe, Latin America (LATAM), and North America have been the target of several advanced persistent threat groups such as Blind Eagle and the Lazarus Group over the past year.

Another notable financially motivated threat group is UNC1945, which has been observed targeting ATM switch servers with the goal of infecting them with a custom malware called CAKETAP.

“This malware intercepts data transmitted from the ATM server to the [Hardware Security Module] server and checks it against a set of predefined conditions,” Group-IB said. “If these conditions are met, the data is altered before being sent out from the ATM server.”

UNC2891 and UNC1945 were previously detailed by Google-owned Mandiant in March 2022 as having deployed the CAKETAP rootkit on Oracle Solaris systems to intercept messages from an ATM switching network and perform unauthorized cash withdrawals at different banks using fraudulent cards.

“The presence and activities of both Lotus Bane and UNC1945 in the APAC region highlight the need for continued vigilance and robust cybersecurity measures,” Tikhonova said. “These groups, with their distinct tactics and targets, underline the complexity of protecting against financial cyber threats in today’s digital landscape.”

U.S. Court Orders NSO Group to Hand Over Pegasus Spyware Code to WhatsApp
https://www.indiavpn.org/2024/03/02/u-s-court-orders-nso-group-to-hand-over-pegasus-spyware-code-to-whatsapp/
Published Sat, 02 Mar 2024 07:42:48 +0000

Mar 02, 2024 | Newsroom | Spyware / Privacy

A U.S. judge has ordered NSO Group to hand over its source code for Pegasus and other products to Meta as part of the social media giant’s ongoing litigation against the Israeli spyware vendor.

The decision marks a major legal victory for Meta, which filed the lawsuit in October 2019, accusing NSO Group of using its infrastructure to distribute the spyware to approximately 1,400 mobile devices between April and May of that year. The targets included two dozen Indian activists and journalists.

These attacks leveraged a then-zero-day flaw in the instant messaging app (CVE-2019-3568, CVSS score: 9.8), a critical buffer overflow bug in the voice call functionality, to deliver Pegasus by merely placing a call, even when the call was left unanswered.


In addition, the attack chain included steps to erase the incoming call information from the logs in an attempt to sidestep detection.

Court documents released late last month show that NSO Group has been asked to “produce information concerning the full functionality of the relevant spyware,” specifically for the period from one year before the alleged attack to one year after it (i.e., from April 29, 2018, to May 10, 2020).

That said, the company doesn’t have to “provide specific information regarding the server architecture at this time” because WhatsApp “would be able to glean the same information from the full functionality of the alleged spyware.” Perhaps more significantly, it has been spared from sharing the identities of its clientele.

“While the court’s decision is a positive development, it is disappointing that NSO Group will be allowed to continue keeping the identity of its clients, who are responsible for this unlawful targeting, secret,” said Donncha Ó Cearbhaill, head of the Security Lab at Amnesty International.

NSO Group was sanctioned by the U.S. in 2021 for developing and supplying cyber weapons to foreign governments that “used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.”


The development comes as Recorded Future revealed a new multi-tiered delivery infrastructure associated with Predator, a mercenary mobile spyware managed by the Intellexa Alliance.

The infrastructure is highly likely associated with Predator customers in countries including Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago. It's worth noting that no Predator customers in Botswana or the Philippines had been identified until now.

“Although Predator operators respond to public reporting by altering certain aspects of their infrastructure, they seem to persist with minimal alterations to their modes of operation; these include consistent spoofing themes and focus on types of organizations, such as news outlets, while adhering to established infrastructure setups,” the company said.

LockBit Ransomware Group Resurfaces After Law Enforcement Takedown
https://www.indiavpn.org/2024/02/26/lockbit-ransomware-group-resurfaces-after-law-enforcement-takedown/
Mon, 26 Feb 2024 05:51:48 +0000


The threat actors behind the LockBit ransomware operation have resurfaced on the dark web using new infrastructure, days after an international law enforcement exercise seized control of its servers.

To that end, the notorious group has moved its data leak portal to a new .onion address on the Tor network, listing 12 new victims as of writing.

The administrator behind LockBit, in a lengthy follow-up message, said their websites were most likely confiscated by exploiting a critical PHP flaw tracked as CVE-2023-3824 (a stack buffer overflow in PHP's phar archive handling), acknowledging that they had not updated PHP due to “personal negligence and irresponsibility.”

“I realize that it may not have been this CVE, but something else like a 0-day for PHP, but I can't be 100% sure, because the version installed on my servers was already known to have a known vulnerability, so this is most likely how the victims' admin and chat panel servers and the blog server were accessed,” they noted.
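The practical lesson from the passage above is that an unpatched PHP build is enough on its own to lose a server, whichever bug is actually used. The check below is an added example for this page, not code from LockBit, The Hacker News, or the PHP project: it parses the banner printed by `php -v` and reports whether that build predates the CVE-2023-3824 fix. The fixed versions (8.0.30, 8.1.22 and 8.2.8, from the August 2023 PHP security releases) are the only external facts it relies on; anything below 8.0 is reported as unsupported because those branches were end-of-life before the fix and never received it. The sample banners are constructed test input, not captured from any real host.

```python
"""Classify a PHP build against the CVE-2023-3824 fixed releases.

Added example (not from LockBit, The Hacker News or PHP). Fixed versions are
from the PHP 8.0.30 / 8.1.22 / 8.2.8 security releases of August 2023.
"""
import re
import subprocess
from typing import Optional

# Branch -> first release that carries the fix for CVE-2023-3824.
FIXED = {
    (8, 0): (8, 0, 30),
    (8, 1): (8, 1, 22),
    (8, 2): (8, 2, 8),
}

# First line of `php -v` looks like: "PHP 8.1.22 (cli) (built: ...) (NTS)"
_VERSION_RE = re.compile(r"PHP (\d+)\.(\d+)\.(\d+)")


def parse_php_version(banner: str) -> Optional[tuple]:
    """Extract (major, minor, patch) from `php -v` output; None if absent."""
    m = _VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def cve_2023_3824_status(version: tuple) -> str:
    """Return 'vulnerable', 'fixed' or 'unsupported' for a version tuple."""
    major, minor, _patch = version
    branch = (major, minor)
    if branch in FIXED:
        # Tuple comparison orders (8, 1, 9) before (8, 1, 22) correctly,
        # which a plain string compare of "8.1.9" vs "8.1.22" would not.
        return "fixed" if version >= FIXED[branch] else "vulnerable"
    if version < (8, 0, 0):
        # 5.6 through 7.4 were end-of-life before the fix: no upstream patch.
        return "unsupported"
    return "fixed"  # 8.3 and later were released after the fix landed


def check_banner(banner: str) -> str:
    """Classify a `php -v` banner; 'unknown' if no version can be parsed."""
    version = parse_php_version(banner)
    return "unknown" if version is None else cve_2023_3824_status(version)


def check_local_php() -> str:
    """Run `php -v` on this host and classify it; 'unknown' if PHP is absent."""
    try:
        proc = subprocess.run(["php", "-v"], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.SubprocessError):
        return "unknown"
    return check_banner(proc.stdout)


# Constructed sample banners (assumed input, not from any real server).
SAMPLE_BANNERS = {
    "PHP 8.1.20 (cli) (built: Jun  7 2023 10:30:00) (NTS)": "vulnerable",
    "PHP 8.1.22 (cli) (built: Aug  3 2023 09:00:00) (NTS)": "fixed",
    "PHP 8.2.7 (cli) (built: Jun  6 2023 14:00:00) (NTS)": "vulnerable",
    "PHP 8.0.30 (cli) (built: Aug  3 2023 11:00:00) (NTS)": "fixed",
    "PHP 7.4.33 (cli) (built: Nov  3 2022 12:00:00) (NTS)": "unsupported",
    "PHP 8.3.0 (cli) (built: Nov 23 2023 08:00:00) (NTS)": "fixed",
}

if __name__ == "__main__":
    for banner, expected in SAMPLE_BANNERS.items():
        print(f"{banner.split()[1]:>8}: {check_banner(banner)} (expected {expected})")
    print("local php:", check_local_php())
```

Run it on the host itself, or feed it `php -v` output collected from a fleet; a "vulnerable" or "unsupported" result on anything internet-facing is the same exposure the LockBit admin describes, regardless of whether this particular CVE was the one used against them.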


They also claimed the U.S. Federal Bureau of Investigation (FBI) “hacked” their infrastructure because of a ransomware attack on Fulton County in January and the “stolen documents contain a lot of interesting things and Donald Trump’s court cases that could affect the upcoming U.S. election.”

They also called for attacking the “.gov sector” more often, and stated that the server from which the authorities obtained more than 1,000 decryption keys held almost 20,000 decryptors, most of them protected, accounting for about half of the total number of decryptors generated since 2019.

The group further went on to add that the nicknames of the affiliates have “nothing to do with their real nicknames on forums and even nicknames in messengers.”

That’s not all. The post also attempted to discredit law enforcement agencies, claiming the real “Bassterlord” has not been identified, and that the FBI actions are “aimed at destroying the reputation of my affiliate program.”

“Why did it take 4 days to recover? Because I had to edit the source code for the latest version of PHP, as there was incompatibility,” they said.

“I will stop being lazy and make it so that absolutely every build locker will be with maximum protection, now there will be no automatic trial decrypt, all trial decrypts and the issuance of decryptors will be made only in manual mode. Thus in the possible next attack, the FBI will not be able to get a single decryptor for free.”

Russia Arrests Three SugarLocker Members

The development comes as Russian law enforcement officials have arrested three individuals, including Aleksandr Nenadkevichite Ermakov (aka blade_runner, GustaveDore, or JimJones), in connection with the SugarLocker ransomware group.

“The attackers worked under the guise of a legitimate IT firm Shtazi-IT, which offers services for the development of landing pages, mobile applications, scripts, parsers, and online stores,” Russian cybersecurity firm F.A.C.C.T. said. “The company openly posted ads for hiring new employees.”

The operators have also been accused of developing custom malware, creating phishing sites for online stores, and driving user traffic to fraudulent schemes popular in Russia and the Commonwealth of Independent States (CIS) nations.

SugarLocker first appeared in early 2021 and later began to be offered under the ransomware-as-a-service (RaaS) model, leasing its malware to other partners under an affiliate program to breach targets and deploy the ransomware payload.


Nearly three-fourths of the ransom proceeds go to the affiliates, a figure that jumps to 90% if the payment exceeds $5 million. The cybercrime gang’s links to Shtazi-IT were previously disclosed by Intel 471 last month.

The arrest of Ermakov is notable, as it comes in the wake of Australia, the U.K., and the U.S. imposing financial sanctions against him for his alleged role in the 2022 ransomware attack against health insurance provider Medibank.

The ransomware attack, which took place in late October 2022 and was attributed to the now-defunct REvil ransomware crew, led to unauthorized access to the data of approximately 9.7 million of its current and former customers.

The stolen information included names, dates of birth, Medicare numbers, and sensitive medical information, including records on mental health, sexual health, and drug use. Some of these records also found their way to the dark web.

It also follows a report from news agency TASS, which revealed that a 49-year-old Russian national is set to face trial on charges of carrying out a cyber attack on technological control systems that left 38 settlements in the Vologda region without power.
