NoName Ransomware Gang Expands Tactics, Now Deploying RansomHub Malware

September 10, 2024

The NoName ransomware gang, also known as CosmicBeetle, has been making a name for itself over the past three years by targeting small and medium-sized businesses worldwide. Recently, the gang has been observed deploying a new type of malware known as RansomHub. The gang uses a variety of custom tools, including those from the Spacecolon malware family, to gain access to networks. These tools are deployed using brute force methods and by exploiting known vulnerabilities, such as EternalBlue (CVE-2017-0144) and ZeroLogon (CVE-2020-1472).

In recent attacks, the NoName gang has been using ScRansom ransomware, which has replaced the previously used Scarab encryptor. The gang has also been experimenting with the leaked LockBit 3.0 ransomware builder, creating a similar data leak site and using similar ransom notes. ESET, a cybersecurity company, has been tracking the NoName gang's activities since 2023. It has observed that ScRansom, although not as sophisticated as other ransomware threats, continues to evolve and pose a significant threat.

ScRansom supports partial encryption with different speed modes, allowing attackers some versatility. It also features an 'ERASE' mode that replaces file contents with a constant value, rendering them unrecoverable. ScRansom can encrypt files across all drives and allows the operator to determine what file extensions to target. Before launching the encryptor, ScRansom kills a list of processes and services on the Windows host, including Windows Defender, the Volume Shadow Copy, SVCHost, RDPclip, LSASS, and processes associated with VMware tools.

The encryption scheme used by ScRansom is complex, using a combination of AES-CTR-128 and RSA-1024, and an extra AES key is generated to protect the public key. However, the multi-step process sometimes introduces errors that can lead to decryption failures. If the ransomware is executed a second time on the same device, or in a network of multiple distinct systems, new sets of unique keys and victim IDs will be generated, making the decryption process rather complex.

In addition to using brute force to gain access to networks, the NoName gang exploits several vulnerabilities that are likely to be present in SMB environments. These include CVE-2017-0144 (aka EternalBlue), CVE-2023-27532 (a vulnerability in a Veeam Backup & Replication component), CVE-2021-42278 and CVE-2021-42287 (AD privilege escalation vulnerabilities) through noPac, CVE-2022-42475 (a vulnerability in FortiOS SSL-VPN), and CVE-2020-1472 (aka Zerologon).

The NoName gang's ascension to the status of a RansomHub affiliate has been marked by a series of moves indicating the gang's commitment to the ransomware business. In September 2023, the gang set up an extortion site on the dark web branded 'NONAME,' a modified copy of the LockBit data leak site. In November 2023, the gang stepped up its impersonation efforts by registering the domain lockbitblog[.]info.

The researchers at ESET believe that the NoName gang has enrolled itself as a new RansomHub affiliate. Despite the uncertainty surrounding the affiliation with RansomHub, ESET notes that the ScRansom encrypter is under active development. This, combined with the switch from ScRansom to LockBit, indicates that the NoName gang is not showing any signs of giving up.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.