September 10, 2024 at 12:34PM
CosmicBeetle debuts a new ransomware strain, ScRansom, targeting SMBs globally, possibly as an affiliate of RansomHub. The attacks span various sectors and rely on brute-force attacks and known security flaws for initial access. Cicada3301 ransomware has been observed with modifications, while POORTRY, a kernel-mode signed Windows driver used by multiple ransomware gangs, is being used as an EDR wiper.
From the meeting notes, the following key points can be extracted:
1. CosmicBeetle has launched a new ransomware strain called ScRansom, targeting small- and medium-sized businesses across several continents. It appears to be affiliated with RansomHub and has a history of experimenting with various malicious tools and encryption schemes.
2. The Cicada3301 ransomware has been observed using an updated encryptor version, with modifications such as the absence of hard-coded usernames or passwords and the introduction of a new command-line argument.
3. A kernel-mode signed Windows driver used by multiple ransomware gangs to turn off Endpoint Detection and Response (EDR) software has continued to evolve; it effectively acts as a wiper, deleting critical components associated with those solutions.
Overall, the meeting notes highlight the evolving tactics and tools used by threat actors in the ransomware landscape, as well as the potential connections between different ransomware groups and their affiliations.