Trustwave SpiderLabs Reveals the Ransomware Threats Targeting Latin American Financial and Government Sectors

Ransomware-as-a-service (RaaS) threat groups are placing severe and continuous pressure on the financial and government services sectors in Latin America, according to data compiled by the elite Trustwave SpiderLabs team.

In the RaaS model, developers working for threat actors manage and update the malware while affiliates carry out the actual ransomware attacks. The specific method of initial intrusion varies depending on the affiliate responsible for targeting the network, and any financial gains from the activity are split on a pre-determined basis.

Trustwave SpiderLabs broadly covered these general issues in its 2023 Financial Services Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies report, but this post takes a closer look at the most active threat groups striking Latin America: LockBit 3.0, ALPHV (BlackCat), Cl0p, BlackByte, Medusa, Vice Society, and RansomHouse.


Analyzing the Ransomware Groups’ Attack Vectors

Trustwave SpiderLabs covered the different attack vectors employed by ransomware operators and affiliates. The most common methods by which threat actors obtain initial access to networks are phishing (MITRE ATT&CK technique T1566), exploiting public-facing applications (T1190), and compromised valid credentials (T1078) and session cookies (T1539). The cookies are often harvested from successful infostealer infections (T1555 and T1083) and sold by specialized “initial access brokers” on Dark Web and special-access sources.

Trustwave SpiderLabs recently reported that it is tracking phishing campaigns specifically targeting the Latin American region. The phishing emails generally contain a ZIP file attachment that, when extracted, reveals an HTML file that leads to a malicious file download posing as an invoice. If the phishing attack is successful, a malicious RAR file is downloaded.
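One way a mail gateway or SOC script can flag the ZIP-wrapping-HTML lure pattern described above, as an added example that is not Trustwave's tooling: the message, addresses and attachment names below are constructed for the demonstration, and the check inspects the archive bytes rather than trusting the declared file type.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

HTML_EXTENSIONS = (".html", ".htm")


def html_members_in_zip(payload: bytes) -> list[str]:
    """Names of HTML files inside a ZIP payload; empty if it is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(HTML_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def find_zip_html_lures(raw_message: bytes) -> list[tuple[str, list[str]]]:
    """Return (attachment name, [HTML members]) for every ZIP that wraps an HTML file."""
    msg = email.message_from_bytes(raw_message, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        # Inspect the bytes, not the declared type: a renamed archive is still a ZIP.
        html = html_members_in_zip(payload)
        if html:
            findings.append((name, html))
    return findings


def build_sample_message(inner_name: str = "factura_2024.html") -> bytes:
    """Constructed sample (hypothetical addresses): an invoice-themed mail with a ZIP attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "placeholder content")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Factura pendiente"
    msg.set_content("Adjunto la factura.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="factura.zip")
    return bytes(msg)


if __name__ == "__main__":
    print(find_zip_html_lures(build_sample_message()))              # flagged
    print(find_zip_html_lures(build_sample_message("factura.pdf")))  # benign: []
```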

BlackCat/ALPHV, which itself was disrupted by law enforcement and may or may not still be active, employs a double extortion scheme, combining data encryption with data theft tools as part of its attack strategy. This approach intensifies the pressure on victims to comply with its demands.

BlackCat/ALPHV’s initial access vectors are:

  • T1189: Drive-by Compromise / Malvertising
    o WinSCP and AnyDesk software infected with Cobalt Strike beacon.
  • T1078: Valid Accounts
    o Compromised accounts and stolen credentials.
  • T1133: External Remote Services
    o Remote desktop (RDP) access using Valid Accounts.
  • T1190: Exploit Public-Facing Application
    o ProxyShell – Microsoft Exchange Server vulnerabilities (CVE-2021-31207, CVE-2021-34473, CVE-2021-34523)
    o SonicWall SMA100 Pre-Auth SQL Injection (CVE-2019-7481)

LockBit 3.0 is a RaaS group that has inherited the legacy of its predecessors, LockBit and LockBit 2; it must be noted that LockBit 3.0 was also successfully targeted by a US/UK law enforcement operation in February, disrupting the group. Beginning in January 2020, LockBit adopted an affiliate-based ransomware approach, allowing its affiliates to employ diverse tactics in targeting a broad spectrum of businesses and critical infrastructure organizations.

LockBit 3.0 is known to use initial access brokers and an insider recruitment program advertised on various hacker forums to facilitate network intrusions.

LockBit 3.0’s initial access vectors are:

  • T1189: Drive-by Compromise
  • T1566: Phishing
  • T1078: Valid Accounts
    o Compromised accounts and stolen credentials
  • T1133: External Remote Services
    o Remote desktop (RDP) access using Valid Accounts
  • T1190: Exploit Public-Facing Application
    o Fortinet FortiOS SSL VPN web portal (CVE-2018-13379)
    o BIG-IP F5 iControl Server-Side Request Forgery / Remote Command Execution (CVE-2021-22986)

CL0P emerged as a RaaS in February 2019, evolving from the CryptoMix ransomware variant. The malware was strategically employed in extensive spear-phishing campaigns, using a verified and digitally signed binary to circumvent system defenses. CL0P also uses the ‘double extortion’ tactic.

CL0P’s initial access vectors are:

  • T1566: Phishing
  • T1078: Valid Accounts
    o Compromised accounts and stolen credentials
  • T1190: Exploit Public-Facing Application
    o GoAnywhere MFT Remote code injection via admin panel (CVE-2023-0669)
    o MOVEit Transfer SQL Injection Remote Code Execution (CVE-2023-34362)
    o Accellion FTA SQL injection vulnerability (CVE-2021-27101)
    o Accellion FTA OS command execution vulnerability (CVE-2021-27102)
    o Accellion FTA OS command execution vulnerability (CVE-2021-27104)
    o SolarWinds Serv-U Remote Code Execution Vulnerability (CVE-2021-35211)

Hive also operates under the RaaS model, where developers manage and update the malware while affiliates carry out the actual ransomware attacks. The affiliate responsible for targeting the network determines the specific method of initial intrusion.

Between June 2021 and at least November 2022, threat actors extensively employed Hive ransomware to target various businesses and critical infrastructure sectors.

Hive’s initial access vectors are:

  • T1566: Phishing
    o Spearphishing with malicious attachments
  • T1078: Valid Accounts
    o Compromised accounts and stolen credentials
  • T1190: Exploit Public-Facing Application
    o Microsoft Exchange Server Security Feature Bypass (CVE-2021-31207)
    o Microsoft Exchange Server Remote Code Execution (CVE-2021-34473)
    o Microsoft Exchange Server Privilege Escalation Vulnerability (CVE-2021-34523)
    o FortiOS SSL VPN Authentication Vulnerability (CVE-2020-12812)

BlackByte ransomware also operates under the RaaS model. BlackByte affiliates are known to use living-off-the-land tools for persistence and reconnaissance and Cobalt Strike beacons for command and control (C2).

BlackByte’s initial access vectors:

  • T1566: Phishing
    o Spearphishing with malicious attachments
  • T1078: Valid Accounts
    o Compromised accounts and stolen credentials
  • T1190: Exploit Public-Facing Application
    o Microsoft Exchange Server Security Feature Bypass (CVE-2021-31207)
    o Microsoft Exchange Server Remote Code Execution (CVE-2021-34473)
    o Microsoft Exchange Server Privilege Escalation Vulnerability (CVE-2021-34523)

Medusa ransomware emerged in June 2021. After initial access, MedusaLocker typically propagates throughout a network from a batch file that executes a PowerShell script.

Medusa’s initial access vectors:

  • T1566: Phishing
    o Spearphishing with malicious attachments
  • T1078: Valid Accounts
    o Compromised accounts and stolen credentials
  • T1133: External Remote Services
    o Remote desktop (RDP) access using Valid Accounts

The Vice Society ransomware group initially appeared in the summer of 2021. It is responsible for the notable incident that impacted the rapid transit system in San Francisco. The group gained significant media attention in late 2022 and early 2023 due to a series of high-profile attacks.

Vice Society’s initial access vectors are:

  • T1566: Phishing
    o Spearphishing with malicious attachments
  • T1078: Valid Accounts
    o Compromised accounts and stolen credentials
  • T1190: Exploit Public-Facing Application

RansomHouse is a data extortion group that first emerged in December 2021. It made headlines in 2022 for attacking chipmaker AMD and exfiltrating 450GB of data. The group’s ransom demands reportedly range between $1 million and $11 million. RansomHouse uses polymorphic malware called MarioLocker, which is designed to run on VMware ESXi hypervisors.

RansomHouse’s initial access vector is:

  • T1190: Exploit Public-Facing Application
