The Register: Ransomware crew infects 100+ orgs monthly with new MedusaLocker variant

Source URL: https://www.theregister.com/2024/10/03/ransomware_spree_infects_100_orgs/
Source: The Register
Title: Ransomware crew infects 100+ orgs monthly with new MedusaLocker variant

Feedly Summary: Crooks ‘like a sysadmin, with a malicious slant’
Exclusive An extortionist armed with a new variant of MedusaLocker ransomware has infected more than 100 organizations a month since at least 2022, according to Cisco Talos, which recently discovered a “substantial” Windows credential data dump that sheds light on the criminal and their victims.…

AI Summary and Description: Yes

Summary: The text discusses recent findings by Cisco Talos regarding a variant of MedusaLocker ransomware, known as BabyLockerKZ, which has been actively targeting over 100 organizations per month since 2022. It reveals the tactics employed by the extortionist, termed “PaidMemes,” highlighting the opportunistic nature of their attacks primarily on small and medium-sized businesses across various global regions.

Detailed Description:

– **Ransomware Variant**: The text focuses on a new variant of MedusaLocker ransomware, specifically BabyLockerKZ. Talos identified this malware as a substantial threat affecting numerous companies.

– **Attack Pattern**: Since 2022, PaidMemes has infected about 200 unique IPs monthly. The attacks are opportunistic rather than aimed at specific organizations, indicating a broad and largely indiscriminate approach to victim selection.

– **Victims Across Regions**: Originally targeting countries like France, Germany, and Spain, the focus shifted towards Central and South America in 2023, particularly Brazil and Mexico.

– **Nature of Extortion**: The ransom demands are relatively modest, often ranging between $30,000 and $50,000, amounts set within reach of smaller entities that could not afford larger payments. This trend signals an alarming shift of ransomware actors toward small and medium enterprises, which often lack robust security measures.

– **Methods of Attack**: PaidMemes uses compromised remote desktop configurations, phishing, and other techniques to gain initial access. The criminal’s toolkit includes publicly available malware, network scanners, and credential-dumping tools (e.g., Mimikatz), making the approach accessible and low-cost for attackers.

– **Tools Utilized**: The attacker relies on common administration scripts and tools, combining them for malicious purposes. One such tool is Checker, which aids in credential management and lateral movement within compromised networks.

– **Impact on SMBs**: The report indicates that small and medium-sized businesses are increasingly at risk, as they may not implement multi-factor authentication (MFA) or single sign-on (SSO) due to cost concerns. The report warns that these businesses might face a growing percentage of ransomware activity, as larger organizations enhance their defenses.

– **Protective Measures**: Talos highlights challenges for SMBs in deterring ransomware attacks and suggests that employing MFA and other advanced security measures could help; however, the cost remains a barrier.

– **Conclusion**: The findings synthesized in the report reveal the evolving landscape of ransomware attacks and emphasize the need for enhanced awareness and security measures, especially among smaller businesses.

By documenting the opportunistic behavior and technical methods of this ransomware actor, the report gives security professionals a valuable basis for crafting strategies to combat ransomware threats, particularly in environments with expansive but poorly defended networks.