Category: Adversary Intelligence
Industry: BFSI
Region: Asia
Motivation: Financial
TLP: AMBER
CloudSEK's threat research team is closely monitoring a significant ransomware attack that has disrupted India's banking ecosystem, impacting banks and payment providers. This report dissects the attack chain, uncovers adversary tactics, and offers actionable insights for organizations to enhance their security posture. As the situation is still unfolding, this report will be updated with further findings and recommendations as the threat evolves.
The impacted entity is Brontoo Technology Solutions, a key collaborator of C-EDGE, a joint venture between TCS and SBI. This report also explores the broader implications of this attack on the ecosystem.
According to the report filed by Brontoo Technology Solutions with CERT-In (Indian Computer Emergency Response Team), the attack chain started at a misconfigured Jenkins server. CloudSEK's threat research team was able to identify the affected Jenkins server and subsequently reconstruct the attack chain.
We have recently published extensively on the exploitation of Jenkins using a local file inclusion vulnerability; read about the case study here and the complete exploit chain here.


Through our investigation and leveraging sensitive sources, we have confirmed that the ransomware group responsible for this attack is RansomEXX. This determination was facilitated by our extensive engagement with the affected banking sector in India.

RansomEXX v2.0 is a sophisticated variant of the RansomEXX ransomware, known for targeting large organizations and demanding significant ransom payments. This group operates as part of a broader trend where ransomware developers continuously evolve their malware to bypass security defenses and maximize their impact.
1. Background and Evolution
2. Infection Vectors and Tactics
3. Payload and Encryption
4. Ransom Demands and Negotiation
5. Notable Incidents
6. Recent Developments
While analyzing the attack history we found the following information:
1. Region-wise distribution: The ransomware group has been most active in Europe, Asia and the Americas. They target continents and regions with the maximum chance of payout.

2. Sector-wise distribution: The most targeted industries are Government, followed by Technology, Manufacturing, Telecom and Healthcare. All of these industries are business-critical and offer the maximum chance of a payout or reputational gain for the group.

3. Timeline of attacks: Since the group was rebranded it has had a total of 58 victims; the following timeline represents the number of attacks per year:

4. Some notable hacks: As mentioned above, RansomEXX is known to target high-value organizations; the following are some of the notable organizations they have attacked.
Threat Actor Profiling
Active since: Original group (Defray777) active since 2018
PR website: hxxp[:]//rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion
Current Status: Active and a sudden surge in activity
History: Targets High value organizations
MITRE framework mapped to TTPs
Initial Access
- Phishing: Spear Phishing Attachment (T1566.001): Attackers use targeted phishing emails with malicious attachments.
- Exploit Public-Facing Application (T1190): Exploiting vulnerabilities in public-facing applications.
- Valid Accounts (T1078): Using stolen or brute-forced credentials.
Execution
- Command and Scripting Interpreter: PowerShell (T1059.001): Utilizing PowerShell scripts to execute malicious commands.
- Command and Scripting Interpreter: Windows Command Shell (T1059.003): Using the command prompt to execute malicious commands.
- System Services: Service Execution (T1569.002): Using Windows services to execute the ransomware payload.
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): Modifying registry keys or adding files to the startup folder.
- Create or Modify System Process: Windows Service (T1543.003): Creating or modifying Windows services for persistence.
Privilege Escalation
- Exploitation for Privilege Escalation (T1068): Exploiting vulnerabilities to escalate privileges.
- Valid Accounts: Local Accounts (T1078.003): Using local administrator accounts.
Defense Evasion
- Obfuscated Files or Information (T1027): Using obfuscation techniques to avoid detection.
- Deobfuscate/Decode Files or Information (T1140): Decrypting or decoding files to execute payloads.
- Disabling Security Tools (T1562.001): Disabling antivirus and other security tools.
Credential Access
- OS Credential Dumping: LSASS Memory (T1003.001): Dumping credentials from the LSASS process.
- OS Credential Dumping: NTDS (T1003.003): Dumping Active Directory credentials.
Discovery
- Network Service Discovery (T1046): Enumerating network services.
- System Information Discovery (T1082): Gathering information about the OS and hardware.
- Process Discovery (T1057): Enumerating running processes.
Lateral Movement
- Remote Services: Remote Desktop Protocol (T1021.001): Using RDP to move laterally within the network.
- Remote Services: SMB/Windows Admin Shares (T1021.002): Using SMB shares to move laterally and deploy ransomware payloads.
Collection
- Data from Local System (T1005): Collecting data from the local system.
- Data Staged: Local Data Staging (T1074.001): Staging collected data locally before encryption or exfiltration.
Exfiltration
- Exfiltration Over C2 Channel (T1041): Exfiltrating data over an established command and control (C2) channel.
- Exfiltration Over Web Service (T1567.002): Using web services to exfiltrate data.
Impact
- Data Encrypted for Impact (T1486): Encrypting files on the victim’s system.
- Service Stop (T1489): Stopping services to facilitate encryption and hinder recovery efforts.
- Inhibit System Recovery (T1490): Deleting or disabling backup and recovery systems.
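As an added detection example (not part of the CloudSEK report), the following script maps a few of the techniques listed above to command-line heuristics and runs them over constructed process-creation events, so a defender can see which hosts show pre-encryption behaviour such as Service Stop (T1489) or Inhibit System Recovery (T1490). The regex patterns, host names and sample events are illustrative assumptions, not data from the incident.

```python
import re
from typing import Dict, List

# Detection heuristics keyed by ATT&CK technique IDs from the TTP map above.
# The patterns are assumptions for illustration and are matched against the
# command line of process-creation events (e.g. Sysmon Event ID 1 or 4688).
DETECTIONS: Dict[str, re.Pattern] = {
    "T1490": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete\s+catalog|bcdedit.*recoveryenabled\s+no", re.I),
    "T1489": re.compile(r"\b(net(\.exe)?\s+stop|sc(\.exe)?\s+stop|taskkill(\.exe)?\s+.*?/im)\b", re.I),
    "T1003.001": re.compile(r"comsvcs\.dll,\s*MiniDump|procdump.*lsass", re.I),
    "T1003.003": re.compile(r"ntdsutil.*ifm|ntds\.dit", re.I),
    "T1059.001": re.compile(r"powershell.*(-enc(odedcommand)?|-w(indowstyle)?\s+hidden)", re.I),
    "T1562.001": re.compile(r"Set-MpPreference.*Disable|sc(\.exe)?\s+config\s+\S+\s+start=\s*disabled", re.I),
}


def classify_event(command_line: str) -> List[str]:
    """Return the technique IDs whose heuristic matches one command line."""
    return [tid for tid, pat in DETECTIONS.items() if pat.search(command_line)]


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each host to the sorted set of techniques observed on it.

    Hosts showing T1489/T1490 are the ones where encryption is imminent and
    should be isolated first.
    """
    seen: Dict[str, set] = {}
    for ev in events:
        hits = classify_event(ev["cmd"])
        if hits:
            seen.setdefault(ev["host"], set()).update(hits)
    return {host: sorted(t) for host, t in seen.items()}


# Constructed sample events (not from the incident) in a Sysmon-like shape.
SAMPLE_EVENTS = [
    {"host": "fs01", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "fs01", "cmd": "net stop MSSQLSERVER"},
    {"host": "dc01", "cmd": 'ntdsutil "ac i ntds" "ifm" "create full C:\\temp" q q'},
    {"host": "ws07", "cmd": "powershell.exe -w hidden -enc SQBFAFgA"},
    {"host": "ws07", "cmd": "notepad.exe C:\\Users\\a\\notes.txt"},
]

if __name__ == "__main__":
    for host, techniques in triage(SAMPLE_EVENTS).items():
        print(host, ",".join(techniques))
```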
Indicators Of Compromise:
SHA256
URLs
hxxp://iq3ahijcfeont3xx.sm4i8smr3f43.com
hxxps://iq3ahijcfeont3xx.tor2web.blutmagie.de
hxxp://iq3ahijcfeont3xx.fenaow48fn42.com