CyberWire Daily - Noberus ransomware: evolving tactics. [Research Saturday]

Episode Date: October 15, 2022

Brigid O'Gorman from Symantec's Threat Hunter team joins Dave to discuss their research on "Noberus Ransomware - Darkside and BlackMatter Successor Continues to Evolve its Tactics." The research states that Noberus ransomware (aka BlackCat, ALPHV) is more dangerous than ever because attackers have been using new tactics, tools, and procedures in recent months. In the research, Symantec says, "Among some of the more notable developments has been the use of a new version of the Exmatter data exfiltration tool, and the use of Eamfo, information-stealing malware that is designed to steal credentials stored by Veeam backup software." They also take an in-depth look at how its affiliate program operates. The research can be found here: Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts,
Starting point is 00:01:08 tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. Noberus is probably one of the most prevalent ransomware threats we've seen over the last year or so. So the fact that it's been around for a year is actually probably almost noticeable at this point, because many ransomware families now have kind of a shorter lifespan than that at the moment. That's Brigid O'Gorman. She's a senior intelligence analyst with Symantec's Threat Hunter team.
Starting point is 00:01:46 The research we're discussing today is titled "Noberus Ransomware: DarkSide and BlackMatter Successor Continues to Evolve its Tactics." Well, they also have an interesting history here. Can you walk us through some of the background? Yeah, sure. Yeah, Noberus definitely has an interesting history. For those who may not be familiar with the name, Noberus is a name we use for the ransomware
Starting point is 00:02:19 that's also very commonly called BlackCat or ALPHV. And this ransomware, as I said, first appeared in November 2021. And it sort of sparked, I suppose, interest at the time because it was written in Rust. And that was the first time we'd seen a ransomware that was written in that language being kind of professionally deployed, sort of, in ransomware attacks like this. And Rust is kind of an interesting language. It's very secure. It's also cross-platform, so it would mean the ransomware could potentially be ported over and used on other platforms if the attackers or the developers wanted to do that. But also, yeah, the kind of background of Noberus then is that it's essentially
Starting point is 00:03:02 the successor to the DarkSide and BlackMatter ransomware families, and is believed to be developed by the same group, which is a group that Symantec tracks as Coreid but which is also, you know, commonly known as FIN7 as well. And obviously DarkSide would be a name I think familiar to a lot of people, anyone who kind of follows cybersecurity news, because that is the group that was behind the Colonial Pipeline ransomware attack back in May 2021, which sort of drew a lot of heat onto the group at the time, I suppose. And that's what led it to rebrand as BlackMatter. And then they've subsequently rebranded now as Noberus, which is basically the latest rebrand of that group's ransomware, essentially. So my understanding is that this is operated as a ransomware-as-a-service
Starting point is 00:03:53 type of thing here. And they do have some specific rules for their affiliates. Can you take us through some of that? Yeah, so that's it. Noberus is operated as a ransomware-as-a-service, which I'm sure obviously most listeners to this podcast will understand what that means. But basically it means, you know, Coreid, they're the developers of Noberus, they control the ransomware, they control the malware. But then the attacks are essentially carried out by what is known as affiliates. So basically other groups who actually infiltrate the victims, the companies, and deploy the ransomware on their networks. And most ransomware developers who operate these kind
Starting point is 00:04:31 of programs, they do tend to have rules about how the ransomware can be used. And that's generally in an effort to, you know, prevent them from coming under too much scrutiny, shall we say. So Noberus, like many ransomware families, one of its rules is that it can't be deployed in the Commonwealth of Independent States or neighboring countries, which essentially are the, you know, ex-Soviet states and Russia, basically. And they also say it can't be deployed on healthcare organizations or non-profits, and they also advise against attacking the education and government sectors. And as you said, these are all essentially to avoid their attacks drawing, you
Starting point is 00:05:09 know too much attention and obviously um corey that develops no bearers i suppose was stung in the past with its attack on and the colonial pipeline drawing so much attention on it at the time so those are kind of the main rules the gang is interesting it doesn't seem to have any you know issue with kind of dropping affiliates if it feels they can't kind of aren't you know performing up to to what they the level they expect you're bringing in enough money basically for them they will get rid of affiliates it seems fairly uh fairly easily if they they feel they're not doing a good enough job essentially well let's dig into some of the technical capabilities here. Can you walk us through what exactly is it capable of?
Starting point is 00:05:50 Yeah, well, Noberus is, it's kind of interesting. It sort of, it underlines, I guess, for its affiliates, you know, what it's capable of doing. So, you know, it creates a unique entrance to its own onion domain for each attack that takes place. It also offers encrypted negotiation chats that can only be accessed by the intended victim. And that's something that seems to have become kind of more of a priority for ransomware gangs over the last couple of months of the year, I would say, as well. They really want to keep these negotiation chats private and prevent them being infiltrated by law enforcement or security
Starting point is 00:06:25 researchers, I think. Also, one of the most interesting things, I think, about Noberus is that it actually offers four encryption modes. So it offers full encryption, fast encryption, dot pattern, and smart pattern encryption. Now, full encryption is obviously the most self-explanatory; it's the most secure, but it's also obviously the slowest mode of encryption. The most interesting one, I think, is the smart pattern encryption, because this basically is also known as intermittent encryption in other iterations, by other ransomware groups. And it basically offers encryption of a certain percentage of megabytes in percentage increments. Now, by default, for Noberus, it encrypts with a strip of 10 megabytes
Starting point is 00:07:07 every 10% of the file, starting from the header. And they say this is kind of the optimal mode for attackers in terms of both speed and also cryptographic strength. And SentinelLabs actually published a report about this kind of encryption recently, where they refer to it as intermittent encryption. And they said how it was used by Noberus. It's also used by Black Basta. It's also used by the Play ransomware, which is one of the newer ransomware families as well. And I think it's quite interesting because it
Starting point is 00:07:34 nearly seems to be used at the moment by ransomware families as nearly a bit of a selling point, the fact that their ransomware is capable of deploying this intermittent encryption. You know, they're kind of using it as a selling point to try and get affiliates to use their ransomware, because they're saying, you know, they're capable of, um, encrypting files quicker than other ransomware if they have to deploy full ransomware, or full encryption, I should say, and that kind of thing. So, um, I think that's quite, um, quite an interesting part of Noberus' operation.
Starting point is 00:09:21 Yeah, that is really an interesting aspect of it. Help me understand here. I mean, so are they basically, you know, sprinkling the encryption throughout the files so they only have to encrypt a small percentage of it? Does that work on the flip side as well? If someone pays the ransom and wants to decrypt, do they get their files back faster? I presume they probably would. Now, I'm not sure on that,
Starting point is 00:10:00 but I presume, because there will be less of the file to decrypt, that it should decrypt faster. But, like, I guess the point of the intermittent encryption is that while the full file isn't encrypted, you know, the file is still useless, essentially. So from the perspective of you as the victim, you know, the file is fully encrypted and you can't access it. So from your perspective, it's still just as serious as the full encryption, but from the attacker's perspective it doesn't take as much time. And that's obviously, like, that is the main point, we think, of the intermittent encryption, because obviously the longer attackers are on a system, the longer it takes for them to encrypt these files, the more
Starting point is 00:10:41 chance of their activity being intercepted, and the more chance that they may not be able to complete the attack, which is obviously what they want to do. Now, is it correct that Noberus has sort of different tiers for the level of affiliates? If you do well for them, they'll give you access to some enhanced tools? Yeah, it does seem that Noberus are quite focused on attracting, I suppose, you know, strong affiliates to their team, affiliates that are capable of carrying out, you know, serious kind of high-money attacks. Because, as I said, they have no issue with culling affiliates if they're not bringing in enough money. And they did in December, last year, December 2021, they added
Starting point is 00:11:21 a new, what they called a "plus" role for affiliates that had brought in more than one and a half million US dollars, and this gave them access to basically, I suppose, extra capabilities. It gave them access to kind of a DDoS capability, to basically, you know, where this is bought, if they wanted to carry out DDoS attacks, as well as giving them access to their brute-force kind of capabilities that made it possible for them to brute force NTDS or Kerberos tickets and other hashes for free, and things like that. So it does seem that, yeah, Noberus is definitely focused on kind of attracting these highly skilled affiliates
Starting point is 00:11:57 to work with them. It seems to be quite a priority for them. One of the things that your research highlights here is the Exmatter data exfiltration tool. Walk us through that. What are the capabilities there? Yeah, I thought this was quite interesting. So we saw this activity in August,
Starting point is 00:12:17 just so not too long ago, where basically we saw a heavily updated version of the Exmatter data exfiltration tool being used alongside Noberus in ransomware attacks. And Exmatter was actually discovered by Symantec researchers in November 2021. And at that point, it was being used alongside the BlackMatter ransomware. So this is also obviously another indication of the kind of links between Noberus and BlackMatter as well.
Starting point is 00:12:42 And Exmatter is designed basically to steal specific file types from a number of selected directories. It then uploads these to an attacker-controlled server, and then the ransomware is deployed on victim networks. And even at the time when we found Exmatter, you know, first back in November 2021, there were various versions of the tool in existence then, because even initially its developers were kind of continuously refining it, it seems, in order to optimize its operation, in order to expedite exfiltration of kind of, you know, a sufficient volume of this high-value data as quickly as they could.
Starting point is 00:13:18 Again, you know, speed being one of the goals for ransomware actors too. But this latest version of Exmatter, it's actually reduced the number of file types it attempts to exfiltrate down further than even what it was. Um, so, you know, it attempts to exfiltrate, you know, I suppose, unsurprising files with extensions like PDF, DOC, XLS, JPEG files, text files, SQL files, message files, zip files. All those kind of files are still what they're looking to exfiltrate. They've also added some other new features. They've added a third exfiltration capability, FTP,
Starting point is 00:13:54 to the SFTP and WebDAV capabilities that were present in older versions. They've also added the ability to build a report that can list all processed files. They've also added the ability to corrupt processed files. Interestingly as well, I thought, they've added a self-destruct capability or configuration option, which, when it's enabled, will basically make the tool self-destruct and quit if it's executed in a non-corporate environment. So obviously that's kind of an anti-analysis step that's taken there, in case it suspects it's being deployed on a sandbox or anything like that. And as well as this, the malware itself was extensively rewritten, and even its existing features were kind of implemented differently. So it's likely that that's all a bid
Starting point is 00:14:36 to avoid detection, and unsurprisingly, obviously, there's protection, detections in place for the original Exmatter tool. But, um, it's quite an interesting tool. I mean, it's not 100% clear if Exmatter is developed by Coreid itself or if it's developed by one of the affiliates that use Coreid's ransomware. But it's obviously notable that it's been used alongside both BlackMatter and Noberus as well. And another thing that you all tracked here was evidently Noberus was trying to steal some credentials from some backup software.
Starting point is 00:15:12 Yeah, this was kind of interesting as well. So this was, again, at least one of the affiliates that was using the Noberus ransomware recently. Again, this actually happened in August as well. So August seemed to be kind of an active month for affiliates deploying Noberus. But they were using information-stealing malware that's specifically designed to steal credentials
Starting point is 00:15:30 that are stored by the Veeam backup software. Now, Veeam is a software that's capable of storing credentials for a wide range of systems, including notably domain controllers and also cloud services. And these credentials are stored to facilitate the backup of these systems. And the malware that was deployed was called InfoStealer.amfo.
Starting point is 00:15:49 And basically, it's designed to connect to the SQL database where Veeam stores credentials, and then it steals them with a SQL query, essentially. It can then decrypt these credentials and then displays them to the attackers, of course. So, Eamfo, it's not a new tool. It just seemed to have been around since last year, around August 2021.
Starting point is 00:16:10 And there is evidence it has previously been used by attackers who have deployed the Yanluowang and the LockBit ransomware families. And there was also a report from BlackBerry recently, just a couple of weeks ago, that also detailed Eamfo being used alongside a new ransomware strain as well, that it was calling Monti, which it said appears to be based on the leaked source code of the Conti ransomware.
Starting point is 00:16:34 And the TTPs that were used in these Monti attacks, they would closely resemble former Conti attack chains. So it's possible that Conti were also behind these Monti attacks as well, so they may be former affiliates of the group. And of course, as we know, Conti was shut down in May, and many of the former affiliates are now working with other ransomware families. And, I mean, among that is Noberus as well; like, ex-Conti affiliates are believed to be deploying Noberus now as well. So it's possible that that's what we're seeing here. And so stealing from
Starting point is 00:17:05 Veeam, it is a known technique. It allows for privilege escalation, lateral movement; basically gives the attackers access to more data to exfiltrate, to more machines to encrypt as well. And something notable as well in these attacks we saw where Eamfo was used was also that a relatively old rootkit scanner called GMER was also used. And this can be used by ransomware actors to kill processes. And it's interesting because it's quite an old tool, but it has been seen used in a few ransomware attacks recently. So it does seem to be something that ransomware attackers are leveraging a bit at the moment as well. Well, based on the information that you all have gathered here, what are your recommendations? How should folks best protect themselves?
Starting point is 00:17:47 I think the usual, I suppose, kind of recommendations apply, you know, when it comes to ransomware attacks. I think the advice doesn't generally change about these kind of things. You know, it's ensuring you have your backups in place, that you have a good, like, comprehensive security solution in place that can help protect you. Because, I know, it's not only a case of blocking the malware; often for ransomware attacks, like, sometimes if it's a case of you blocking the ransomware, it's nearly too late. It's kind of trying to spot the kind of pre-ransomware activity that can be very important for preventing these ransomware attacks. So it's really to make sure you're taking all the steps to avoid these ransomware attacks, that you have that good security
Starting point is 00:18:29 solution in place that will hopefully spot this activity before the ransomware has a chance to be deployed on your systems, really. Our thanks to Brigid O'Gorman from Symantec for joining us. The research is titled "Noberus Ransomware: DarkSide and BlackMatter Successor Continues to Evolve its Tactics." We'll have a link in the show notes.
Starting point is 00:19:40 The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Rachel Gelfand, Liz Ervin, Elliot Peltzman, Trey Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
