October 23, 2024 at 06:36AM
Threat actors are exploiting Amazon S3’s Transfer Acceleration feature for ransomware attacks to exfiltrate data. They use disguised Golang ransomware and hard-coded AWS credentials, affecting both Windows and macOS. Recent reports show a rise in ransomware incidents, with notable groups adapting their tactics amidst ongoing threats and vulnerabilities.
### Meeting Takeaways
1. **Ransomware Trends:**
– Threat actors are exploiting AWS S3 Transfer Acceleration for data exfiltration during ransomware attacks.
– A new Golang ransomware variant is disguising itself as LockBit to leverage its notoriety.
– Over 30 active ransomware samples have been identified with embedded AWS credentials.
2. **Ransomware Characteristics:**
– The ransomware targets both Windows and macOS, encrypting files with specific extensions after exfiltrating them to AWS.
– Executed files are renamed to include an initialization vector and a specific `.abcd` extension.
– Victims are coerced into payment by displaying a LockBit 2.0-themed wallpaper on the infected device.
3. **Other Ransomware Developments:**
– A decryptor for a Mallox ransomware variant has been released, benefiting victims affected before March 2024.
– Mallox affiliates are using modified versions of the Kryptina ransomware to target Linux systems.
4. **Current Ransomware Landscape:**
– Ransomware attacks decreased slightly in Q3 2024 but continue to pose significant threats.
– Microsoft’s report highlighted a substantial increase in human-operated ransomware encounters despite fewer attacks reaching encryption stages.
5. **Shift in Ransomware Tactics:**
– LockBit’s decline has allowed groups like RansomHub, Qilin, and Akira to gain traction.
– Akira is evolving its techniques, including developing a Rust variant and utilizing compromised VPN credentials for infiltration.
6. **Sector Targeting:**
– Akira has been focusing on organizations in the manufacturing and professional services sectors, indicating a strategic targeting approach.
### Recommendations:
– Stay informed on ransomware tactics and trends, especially concerning AWS vulnerabilities.
– Regularly review and update security measures, particularly for cloud services.
– Educate teams on recognizing potential ransomware threats and safe practices to mitigate risk.