ransomware groups

Winsage
March 7, 2025
The Akira ransomware group has demonstrated its ability to bypass Endpoint Detection and Response (EDR) tools by exploiting an unsecured webcam. In 2024, Akira was responsible for 15% of the ransomware incidents handled by the S-RM team. The group typically gains access through remote access solutions and uses tools such as AnyDesk.exe. In a recent attempt to deploy ransomware on a Windows server, their initial effort was blocked by EDR detection. They then conducted an internal network scan and targeted a vulnerable webcam, which had no EDR coverage. By compromising the webcam, Akira deployed Linux-based ransomware from it to encrypt files across the victim's network. This incident highlights the need for organizations to patch and manage IoT devices, audit networks for vulnerabilities, implement network segmentation, and monitor IoT traffic for anomalies.
Winsage
October 21, 2024
Ransomware families such as Beast have become significant threats, using advanced malware to encrypt data and demand ransoms. Beast ransomware, identified by Cybereason, has been active since 2022 and can target Windows, Linux, and ESXi systems. Originally developed in Delphi, it now uses C and Go. The ransomware employs elliptic-curve and ChaCha20 encryption, and on Windows features multithreaded file encryption, process termination, and shadow copy deletion. For Linux and ESXi, it offers customizable encryption paths and VM shutdown options. It spreads through phishing emails, compromised RDP endpoints, and SMB network scans, and abuses RstrtMgr.dll to manipulate file access. Recent enhancements include an offline builder for configuring builds across the supported systems. The attack sequence starts with shadow copy deletion via a WMI query, followed by efficient file encryption targeting a range of file formats. A ransom note is placed in each affected directory, and operators can access the ransomware's GUI during encryption. Recommended mitigations include tracking affiliates, promoting multi-factor authentication, enabling anti-malware solutions, implementing anti-ransomware measures, ensuring regular system patching, and backing up files.
Tech Optimizer
October 18, 2024
Threat actors are increasingly using the open-source tool EDRSilencer to evade endpoint detection and response (EDR) solutions. EDRSilencer, inspired by MDSec's NightHawk FireBlock, blocks outbound traffic from running EDR processes by using the Windows Filtering Platform (WFP). It can terminate processes associated with various EDR products, including those from Microsoft, Elastic, Trellix, and Qualys. By employing EDRSilencer, malicious actors aim to render EDR software ineffective, complicating malware identification and removal. The tool dynamically identifies active EDR processes and creates persistent WFP filters that block their outbound communications, preventing the security software from transmitting telemetry. This tactic increases the likelihood of an attack succeeding undetected. Additionally, ransomware groups are using advanced EDR-killing tools such as AuKill and EDRKillShifter, which exploit vulnerable drivers to escalate privileges and terminate security processes, a notably sophisticated approach to evading detection. EDRKillShifter uses advanced persistence mechanisms to maintain its presence on a system and disrupt security processes in real time.
Winsage
July 17, 2024
FIN7 developed AuKill, an anti-security tool designed to undermine endpoint protection, which ransomware groups have since used in their attacks. AuKill targets protected processes monitored by EDR solutions using time-travel debugging and Process Explorer drivers, causing crashes on targeted systems. Organizations are advised to harden their security solutions with anti-tampering protections to defend against kernel-mode attacks.