Axxes Ransomware Group Appears to be the Rebranded Version of Midas Group
Axxes Ransomware Group Appears to be the Rebranded Version of Midas Group
| Category:
Adversary Intelligence |
Industry:
Multiple |
Country/ Region:
Global |
Source*:
F6 |
|---|
Executive Summary
- CloudSEK’s flagship digital risk monitoring platform XVigil discovered a financially motivated threat actor group, named Axxes ransomware, that is considered to be a rebrand of a formerly known ransomware group.
- The Axxes ransomware group’s PR site lists The H Dubai as their latest victim.
- Their target regions include the USA, Middle East, France, and China.
Analysis and Attribution
About the Axxes Ransomware
- Axxes is a ransomware that encrypts files and appends the .axxes extension to them.
- Axxes creates a file labeled “RESTORE_FILES_INFO.hta,” which includes a ransom note. It also creates a file labeled “RESTORE_FILES_INFO.txt.”
- The ransomware executes various tasks such as:
- Looking up the geo-location of the device
- Modifying the Windows Firewall
- Modifying the extension of the files in the victim’s device.
- Killing the processes with taskkill.exe
| >> What happened?
Important files on your network was ENCRYPTED and now they have “Axxes” extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your network was DOWNLOADED. More than 70 GB. If you DON’T WANT your sensitive data to be PUBLISHED you have to act quickly. Data includes: – Employees personal data, CVs, DL, SSN. – Complete network map including credentials for local and remote services. – Private financial information including: clients data, bills, budgets, annual reports, bank statements. >> CAUTION DO NOT MODIFY ENCRYPTED FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. >> What should I do next? 1) Download and install Tor Browser from: https://torproject.org/ 2) ymnbqd5gmtxc2wepkesq2ktr5qf4uga6wwrsbtktq7n5uvhqmbyaq4qd.onion/link.php?id=hTjNdkb5OCr74qyYii8r5987laFscF |
|---|
Axxes ransomware note
- Once encrypted, the ransomware group leaves a link with the victim ID. The link directs the victim to a chat page where an account is created using the authorization ID.
- The victim organizations listed on the group’s PR site include details about the organization, such as an address, contact information, number of views, website, and next update date.
Axxes Ransomware Group
- Based on the logo of the ransomware group, it appears to be a rebranded version of the Midas ransomware group.
- Midas ransomware used the same logo and listed the same victims, except for the recent additions. This Midas ransomware group was first observed in October 2021.
- The Midas group itself was believed to be a rebranded version of Haron ransomware. And Haron was a rebranded version of the Avvadon ransomware group.
- Some researchers have also claimed that Midas is a variant of Thanos.
- While the Haron ransomware group is still operating as Haron Ransomware2, the leak site of the Midas ransomware group is not active anymore.
Indicators of Compromise (IOCs)
Based on the results from VirusTotal and Triage, the following are the IOCs for Axxes ransomware.
| MD5 | |
|---|---|
| 063a4b2fb6f7bd96710dd054d03a8668 | ac2e9f9f84f98a1c7514fcf2e81eaa88 |
| SHA-1 | |
| b82bc6b886672606672bf58e84625fafeebf09cc | 8dfb08d755a31fdd40bfc624983113e2b0a4c0ad |
| SHA-256 | |
| 5b1d1e8d4d93d360b044101d6c5835b4ac4cb0ef0d19e83d93cafbbd22e708ab | ec7fbdf548bd27bb5076dd9589e1b87f3c5740da00e77c127eb4cd4541d7d6f7 |
| IPv4 | |
| 8[.]240[.]24[.]124 | 8[.]249[.]245[.]252 |
| 192[.]168[.]0[.]66 | 8[.]252[.]36[.]124 |
| 8[.]252[.]68[.]252 | 8[.]253[.]151[.]245 |
| 8[.]253[.]208[.]108 | 8[.]253[.]208[.]109 |
| 8[.]253[.]208[.]116 | 8[.]253[.]254[.]124 |
Impact & Mitigation
| Impact | Mitigation |
|---|---|
|
|
References
- *https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability
- #https://en.wikipedia.org/wiki/Traffic_Light_Protocol