September 10, 2024 at 06:41AM
The NoName ransomware gang, also known as CosmicBeetle, has targeted small and medium-sized businesses for over three years, using the Spacecolon malware family and recently deploying the ScRansom ransomware. NoName has advanced to becoming a RansomHub affiliate, using various tools, exploiting vulnerabilities, and experimenting with different ransomware to increase its visibility and threat.
Key Takeaways from the Meeting Notes:
– The NoName ransomware gang has been targeting small and medium-sized businesses worldwide for over three years, and they may now be working as a RansomHub affiliate.
– The gang uses custom tools known as the Spacecolon malware family and gains access to networks through brute-force methods and exploiting older vulnerabilities like EternalBlue and ZeroLogon.
– In recent attacks, the gang has been using the ScRansom ransomware, which replaced the Scarab encryptor. They have also experimented with the leaked LockBit 3.0 ransomware builder to create a similar data leak site.
– Cybersecurity company ESET tracks the NoName gang as CosmicBeetle and has been monitoring their activities, especially with the emergence of the ScRansom malware.
– ScRansom is not as sophisticated as other threats on the ransomware scene but continues to evolve. It supports partial encryption with different speed modes, allows encryption of files across all drives, and features an ‘ERASE’ mode that makes files unrecoverable.
– NoName has been using brute force to gain access to networks and also exploits several vulnerabilities that are more likely to be present in SMB environments. They have targeted vulnerabilities such as CVE-2017-0144 (EternalBlue) and others, including AD privilege escalation vulnerabilities and FortiOS SSL-VPN vulnerabilities.
– NoName’s affiliations with RansomHub have involved setting up extortion sites and impersonating the LockBit data leak site. The gang also executed RansomHub’s EDR killer and ransomware on compromised machines, indicating some level of affiliation with RansomHub. This suggests that NoName is not showing any signs of giving up and is actively developing its ransomware capabilities.
Let me know if you need further details on any of these points or if there’s anything else I can assist you with.