Axxes Ransomware Group Appears to be the Rebranded Version of Midas Group

Category: Adversary Intelligence	Industry: Multiple	Country/ Region: Global	Source*: F6

Executive Summary

• CloudSEK’s flagship digital risk monitoring platform XVigil discovered a financially motivated threat actor group, named Axxes ransomware, that is considered to be a rebrand of a formerly known ransomware group.
• The Axxes ransomware group’s PR site lists The H Dubai as their latest victim.
• Their target regions include the USA, Middle East, France, and China.

[caption id="attachment_19347" align="alignnone" width="1086"] Recent activities of the Axxes ransomware group[/caption]  

Analysis and Attribution

About the Axxes Ransomware

• Axxes is a ransomware that encrypts files and appends the .axxes extension to them.
• Axxes creates a file labeled "RESTORE_FILES_INFO.hta," which includes a ransom note. It also creates a file labeled "RESTORE_FILES_INFO.txt."
• The ransomware executes various tasks such as:
  • Looking up the geo-location of the device
  • Modifying the Windows Firewall
  • Modifying the extension of the files in the victim’s device.
  • Killing the processes with taskkill.exe

>> What happened? Important files on your network was ENCRYPTED and now they have "Axxes" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your network was DOWNLOADED. More than 70 GB. If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Private financial information including: clients data, bills, budgets, annual reports, bank statements. >> CAUTION DO NOT MODIFY ENCRYPTED FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. >> What should I do next? 1) Download and install Tor Browser from: https://torproject.org/ 2) ymnbqd5gmtxc2wepkesq2ktr5qf4uga6wwrsbtktq7n5uvhqmbyaq4qd.onion/link.php?id=hTjNdkb5OCr74qyYii8r5987laFscF

Axxes ransomware note  

• Once encrypted, the ransomware group leaves a link with the victim ID. The link directs the victim to a chat page where an account is created using the authorization ID.

• The victim organizations listed on the group’s PR site include details about the organization, such as an address, contact information, number of views, website, and next update date.

Axxes Ransomware Group

• Based on the logo of the ransomware group, it appears to be a rebranded version of the Midas ransomware group.
• Midas ransomware used the same logo and listed the same victims, except for the recent additions. This Midas ransomware group was first observed in October 2021.
• The Midas group itself was believed to be a rebranded version of Haron ransomware. And Haron was a rebranded version of the Avvadon ransomware group.
• Some researchers have also claimed that Midas is a variant of Thanos.

[caption id="attachment_19349" align="alignnone" width="546"] Twitter post discussing Midas ransomware[/caption]  

• While the Haron ransomware group is still operating as Haron Ransomware2, the leak site of the Midas ransomware group is not active anymore.

Indicators of Compromise (IOCs)

Based on the results from VirusTotal and Triage, the following are the IOCs for Axxes ransomware.

MD5
063a4b2fb6f7bd96710dd054d03a8668	ac2e9f9f84f98a1c7514fcf2e81eaa88
SHA-1
b82bc6b886672606672bf58e84625fafeebf09cc	8dfb08d755a31fdd40bfc624983113e2b0a4c0ad
SHA-256
5b1d1e8d4d93d360b044101d6c5835b4ac4cb0ef0d19e83d93cafbbd22e708ab	ec7fbdf548bd27bb5076dd9589e1b87f3c5740da00e77c127eb4cd4541d7d6f7
IPv4
8[.]240[.]24[.]124	8[.]249[.]245[.]252
192[.]168[.]0[.]66	8[.]252[.]36[.]124
8[.]252[.]68[.]252	8[.]253[.]151[.]245
8[.]253[.]208[.]108	8[.]253[.]208[.]109
8[.]253[.]208[.]116	8[.]253[.]254[.]124

Impact & Mitigation

Impact

Mitigation

The published source codes could allow other threat actors to gain access to the organizations’ networks. If it contains any exposed Personally Identifiable Information (PII), it could enable threat actors to orchestrate social engineering schemes, phishing attacks, and even identity theft. Exposed IP addresses and login credentials can lead to potential account takeovers. The exposed confidential details could reveal business practices and intellectual property. Since password reuse is a common practice, actors could leverage exposed credentials to access other accounts of the user.

Reset the compromised user login credentials and implement a strong password policy for all user accounts. Check for possible workarounds and patches while keeping the ports open. Patch all vulnerable and exploitable endpoints. Monitor for anomalies, in user accounts and systems, that could be indicators of possible takeovers. Use MFA (multi-factor authentication) across logins.

References

• *https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability
• ^#https://en.wikipedia.org/wiki/Traffic_Light_Protocol