Insights, news, education and announcements from PolySwarm

2023 Recap - Malware Hall of Fame

Written by The Hivemind | Dec 18, 2023 8:13:23 PM

Executive Summary

In this report, PolySwarm analysts chose our top five standout malware families for the 2023 Malware Hall of Fame. We also feature the Story of the Year, MOVEit. A small selection of our most recent samples of each family is provided as well.

Key Takeaways

  • The 2023 Malware Hall of Fame includes ALPHV, Rhysida, LockBit, Cl0p, and BlackBasta.
  • Malware families were chosen based on multiple factors, including how prolific the malware is, how successful the criminals behind the malware are, and any factors of interest that set these malware families apart from the others.
  • PolySwarm analysts chose MOVEit as the story of the year because of the widespread attacks this vulnerability made possible.
  • A small selection of our most recent samples of each family is provided.

2023 Malware Hall of Fame

PolySwarm analysts chose the following malware for the 2023 Malware Hall of Fame based on multiple factors, including how prolific the malware is, how successful the criminals behind the malware are, and any factors of interest that set these malware families apart from the others. 

ALPHV

Significance

ALPHV was among our 2023 Top Malware to Watch. We predicted the threat actors behind ALPHV would continue to expand their operations in 2023 because of its versatility and profitable affiliate model. Our predictions proved accurate. ALPHV stood out from the other malware PolySwarm encountered in 2023 because of its growing popularity and its repeated use against high-value targets.

 

What is ALPHV?

ALPHV is ransomware as a service (RaaS). ALPHV/BlackCat ransomware, first observed in late 2021, is thought to be the first ransomware family written in Rust, which makes it customizable and extensible. It includes a highly customizable feature set that allows attacks on a wide range of targets, and developers can easily change the code to pivot and individualize attacks.

The threat actors behind ALPHV are a financially motivated group known for ransomware operations. Industry researchers have speculated the group’s members are likely based in the UK or Europe. The group is known for multiple ransomware variants with similar code, including ALPHV, BlackCat, Sphynx, and Noberus.

There are multiple reasons for ALPHV’s success. ALPHV is proficient in social engineering tactics and human-operated ransomware attacks. The group has been effective in marketing to its affiliates, and affiliates receive a generous share of ransom payments. Threat actors behind ALPHV use double and triple extortion tactics, charging a ransom to decrypt files and threatening to disclose files or engage in DDoS attacks if the ransom is not paid. They are also known to be ruthless in their pursuit of ransom payments. In November, the group compromised the software company MeridianLink and followed up on the attack by filing a U.S. Securities and Exchange Commission complaint against the victim for not complying with the SEC’s four-day cyberattack disclosure rule.

Since it is RaaS, ALPHV is used by various threat actors against both targets of opportunity and specific entities. Earlier this year, the financially motivated threat actor group Fin8 was observed leveraging the Sardonic backdoor to deliver ALPHV ransomware.

 

Victimology

ALPHV attacks have occurred in the US, Europe, the Philippines, and other regions. Verticals targeted include construction and engineering, retail, transportation, commercial services, insurance, machinery, professional services, telecommunication, auto components, casinos, and pharmaceuticals.

MGM Resorts International was one of the more high-profile victims affected by ALPHV in 2023. The cyber attack impacted several systems, including its website, reservations, and in-casino services such as ATMs, slot machines, and credit card machines. The attack was perpetrated by Scattered Spider, which has been reported to be a subgroup of ALPHV. In response to the attack, MGM took the precaution of shutting down several of its systems to mitigate the incident. This resulted in MGM Grand being forced to use alternative, archaic business methods such as making reservations via telephone, taking credit card information using pen and paper, accepting cash only at bars, and issuing paper vouchers.

 

ALPHV Samples

You can use the following CLI command to search for all ALPHV samples in our portal:

$ polyswarm link list -f ALPHV

Rhysida

Significance

One malware family, Rhysida, stood out due to its targeting of multiple healthcare facilities throughout 2023. Although it was a newcomer on the malware scene, it has proved to be formidable.

 

What is Rhysida?

Rhysida ransomware has been active since at least May 2023 and operates as RaaS. For initial access and persistence, the Rhysida threat actors leverage external-facing remote services such as VPNs. They appear to obtain access using compromised but valid credentials, taking advantage of connections that do not require multi-factor authentication (MFA) for login. Rhysida threat actors have also been observed exploiting Zerologon (CVE-2020-1472), a vulnerability in Microsoft’s Netlogon Remote Protocol that results in a critical elevation of privileges.

Rhysida threat actors use living-off-the-land techniques such as RDP for lateral movement, allowing them to establish VPN access and use PowerShell while evading detection. They have been observed running ipconfig, whoami, nltest, and net commands to gather domain information and enumerate victim environments. They use a combination of legitimate and malicious tools, including cmd.exe, PowerShell.exe, PsExec.exe, mstsc.exe, PuTTY.exe, PortStarter, secretsdump, ntdsutil.exe, AnyDesk, wevtutil.exe, and PowerView. They are also known to engage in phishing.
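The discovery-command burst described above, turned into detection logic: this is an added example for this page, not PolySwarm tooling. It assumes a constructed, simplified process-creation log format ("<ISO timestamp> <host> <user> <command line>") and flags any host that runs three or more of the named commands within five minutes.

```python
"""Flag hosts that run a burst of the discovery commands named in the Rhysida
write-up (ipconfig, whoami, nltest, net) within a short window.

Added example for this page, not PolySwarm tooling. The log format is a
constructed, simplified process-creation record:
    <ISO timestamp> <host> <user> <command line>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery binaries listed in the write-up above (image name without .exe).
DISCOVERY_TOOLS = {"ipconfig", "whoami", "nltest", "net"}

# Constructed events: WS-0412 shows a recon burst, WS-0098 is routine admin use.
SAMPLE_LOG = """\
2023-11-02T09:14:01 WS-0412 jdoe C:\\Windows\\System32\\whoami.exe
2023-11-02T09:14:09 WS-0412 jdoe C:\\Windows\\System32\\ipconfig.exe /all
2023-11-02T09:14:22 WS-0412 jdoe C:\\Windows\\System32\\nltest.exe /dclist:corp
2023-11-02T09:14:40 WS-0412 jdoe C:\\Windows\\System32\\net.exe view /domain
2023-11-02T09:15:03 WS-0412 jdoe C:\\Windows\\System32\\net.exe user /domain
2023-11-02T10:30:00 WS-0098 admin C:\\Windows\\System32\\ipconfig.exe /flushdns
2023-11-02T14:05:00 WS-0098 admin C:\\Windows\\System32\\whoami.exe
"""


def parse_event(line):
    """Split one record into (timestamp, host, user, tool, command line)."""
    ts, host, user, cmdline = line.split(" ", 3)
    image = cmdline.split(" ", 1)[0]          # first token is the image path
    tool = image.rsplit("\\", 1)[-1].lower()  # drop the directory
    if tool.endswith(".exe"):
        tool = tool[:-4]
    return datetime.fromisoformat(ts), host, user, tool, cmdline


def find_recon_bursts(log_text, window=timedelta(minutes=5), min_distinct=3):
    """Return {host: sorted distinct discovery tools} for each host that ran at
    least `min_distinct` different DISCOVERY_TOOLS inside any `window`-long span.
    Uses a sliding window over that host's discovery events in time order."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, _user, tool, _cmd = parse_event(line)
        if tool in DISCOVERY_TOOLS:
            per_host[host].append((ts, tool))
    hits = {}
    for host, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {t for ts, t in events[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                hits[host] = sorted(seen)
                break
    return hits


if __name__ == "__main__":
    for host, tools in find_recon_bursts(SAMPLE_LOG).items():
        print(f"{host}: discovery burst using {', '.join(tools)}")
```

On the constructed log this reports only WS-0412; the two isolated commands on WS-0098, hours apart, stay below both the count and the window threshold.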

After obtaining access to the victim network, Rhysida uses Cobalt Strike for lateral movement. The threat actors reportedly used PsExec to deploy PowerShell scripts and the Rhysida payload. To evade detection, Rhysida uses a PowerShell script known as SILENTKILL to terminate antivirus, delete shadow copies, modify RDP configurations, and change the Active Directory password. Rhysida uses a 4096-bit RSA key and ChaCha20 for file encryption and appends the .rhysida extension to encrypted files.

The Rhysida ransom note uses a unique approach. Rather than directly demanding a ransom payment, the note appears to be an alert from the Rhysida “cybersecurity team” warning victims that their system has been compromised and their files are encrypted. As a solution, the victim must pay for a “unique key” to use to decrypt the files.

 

Victimology

Rhysida has previously targeted entities in the education, government, manufacturing, and technology verticals and later expanded its targeting to include healthcare. Rhysida appears to target opportunistically and has begun evolving its tactics, adopting double extortion.

Earlier this year, Rhysida reportedly claimed the Chilean Army as one of their victims. The Chilean Army confirmed a security incident occurring in late May 2023, and an Army corporal was arrested for their role in the attack. Following the incident, Rhysida published around 360,000 stolen documents, which allegedly only constitute about a third of the stolen data.

Prospect Medical Holdings was the victim of a Rhysida ransomware attack that impacted multiple facilities. The group claims to have stolen the PII of over 500,000 individuals as well as corporate documents and patient records. Rhysida’s Tor leak site also claimed they have now sold over half the data obtained in the attacks on Prospect Medical Holdings.

According to Rhysida’s Tor leak site, they also compromised the Singing River Health System, which includes three hospitals and ten clinics and is the second largest employer on the Mississippi Gulf Coast. The attack on Singing River Health System impacted Pascagoula Hospital, Ocean Springs Hospital, and Gulfport Hospital. Laboratory and radiology testing were forced to temporarily use paper records as a result of the attack.

More recently, the Rhysida ransomware group claimed they had hacked King Edward VII’s Hospital in London. The hospital is a distinguished and long-standing facility known to provide acute and specialized medical care. Rhysida added data allegedly stolen during the attack to their Tor leak site, including registration forms, x-rays, prescriptions, and medical reports. The ransomware group claims some of the stolen data includes that of the Royal Family.

Other recent Rhysida victims have included the British Library, China Energy Engineering Corporation, and Insomniac Games.

 

Rhysida Samples

You can use the following CLI command to search for all Rhysida samples in our portal:

$ polyswarm link list -f Rhysida

LockBit

Significance

LockBit was one of our top malware families to watch for 2023. At the time, we noted LockBit seemed to be evolving its capabilities to keep up with changes in the RaaS economy, in some cases staying ahead of the curve with innovative ideas. We predicted LockBit operations would continue to evolve in 2023. Our predictions were accurate, with LockBit expanding its operations and adding a macOS variant to its repertoire.

 

What is LockBit?

LockBit is RaaS and has been active since at least 2019; it was one of the most prolific ransomware groups of 2022. The threat actors behind LockBit often use a double extortion model, threatening to leak stolen files if the ransom is not paid within the specified time. LockBit differs from other ransomware groups in that it has run its own bug bounty program since 2022. Bug bounty programs typically reward security researchers for discovering and reporting vulnerabilities; LockBit has taken a different approach, offering rewards for finding vulnerabilities, doxxing managers, and submitting “brilliant ideas” to be used for RaaS.

LockBit TTPs have evolved over time. In 2023, LockBit released several new variants, including LockBit Green in January 2023 and the macOS LockBit variant discovered in April. LockBit Green added cloud-based services to its list of targets and is available to affiliates via the builder on the LockBit portal. Industry researchers noted it shares significant overlap with Conti ransomware.

The LockBit Mac variant is thought to be the first time a big-name ransomware gang has targeted macOS systems. The LockBit macOS variant, which can run on Apple silicon, is a 64-bit arm64 Mach-O. The threat actors attempted to include anti-debugging logic meant to kill the process if a debugger is attached.

 

Victimology

LockBit has continued to breach a variety of targets, with thousands of victims in 2023. Some of their high-profile targets in 2023 included Boeing and multiple US government entities.

 

LockBit Samples

You can use the following CLI command to search for all LockBit samples in our portal:

$ polyswarm link list -f LockBit

Cl0p

Significance

Cl0p ransomware stood out among other malware families for two reasons: the use of the MOVEit vulnerability to compromise a myriad of high-profile targets and the addition of a Linux variant to its arsenal.

 

What is Cl0p?

Cl0p, a member of the CryptoMix malware family, operates as RaaS. It uses a combination of AES, RSA, and RC4 in its encryption scheme. Encrypted files are appended with the .clop extension. Cl0p infection vectors include malicious email attachments, trojans, malicious URLs, trojanized cracked software, and RDP. It can propagate across networks and has been known to use digital signatures to evade security controls. Cl0p is associated with the FIN11/TA505 threat actor group.

In early 2023, industry researchers reported a newly discovered Linux variant of Cl0p ransomware. The Linux variant has been in the wild since late December 2022 and is similar to the Windows variant. However, some functionality found in the Windows version is not yet available in the Linux version, leading industry researchers to assess that the Linux variant is still under development.

 

Victimology

Cl0p is known to target a variety of verticals, with financial, information technology, and manufacturing entities being their most popular targets. They primarily target entities in Western countries, with a majority of their victims being in the US, UK, Canada, and Germany.

The Cl0p ransomware gang has one of the highest ransomware victim counts of 2023, claiming over 400 organizations and over 60 million individuals as victims while leveraging the MOVEit 0day in mid-2023. Further details are provided below in the Story of the Year - MOVEit section of this report.

More recent high-profile Cl0p victims include Shell, Bombardier, and Stanford University.

 

Cl0p Samples

You can use the following CLI command to search for all Cl0p samples in our portal:

$ polyswarm link list -f Cl0p

BlackBasta

Significance

BlackBasta was another malware family our analysts chose as one to watch in 2023. BlackBasta has proven to be an effective and profitable RaaS. Industry researchers estimated the group has made over $100 million USD in less than two years. Additionally, it continues to be one of the most active ransomware families. BlackBasta ransomware is considered dangerous based on the rapid rate of successful attacks and its destructive potential.

 

What is BlackBasta?

Black Basta ransomware was first identified in April 2022; based on compile dates, it may have been active as early as February 2022. Both Windows and Linux variants exist, and the ransomware is written in C++. BlackBasta’s encryption scheme uses ChaCha20 and RSA-4096. To make the encryption process more efficient, the ransomware encrypts in chunks of 64 bytes, leaving 128 bytes of data unencrypted between the encrypted parts. Black Basta typically uses a double extortion model: it launches a ransomware attack, steals sensitive data from the victim, and threatens to sell or release the data if the victim does not pay the ransom.
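One way to look for the 64-byte-encrypted, 128-byte-skipped layout described above on disk, as an added example (not PolySwarm or Black Basta code): it compares per-chunk Shannon entropy across the three positions of the 192-byte cycle. The input is constructed; pseudorandom bytes stand in for cipher output and no real encryption is performed.

```python
"""Score a file for the intermittent-encryption layout described above: 64 bytes
encrypted, then 128 bytes left in the clear, repeating every 192 bytes.

Added example for this page, not PolySwarm or Black Basta code. No cipher is
used: the constructed sample overwrites every third 64-byte chunk of plain text
with pseudorandom bytes to stand in for ChaCha20 output.
"""
import math
import random
from collections import Counter

CHUNK = 64                       # encrypted chunk size from the write-up
GAP = 128                        # plaintext bytes left between encrypted chunks
PHASES = (CHUNK + GAP) // CHUNK  # 192-byte cycle = 3 chunk positions


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; a 64-byte chunk cannot exceed log2(64) = 6.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def intermittent_encryption_score(data: bytes) -> dict:
    """Compare mean chunk entropy across the three positions of the 192-byte
    cycle. Pseudorandom 64-byte chunks score about 5.7 bits, English text about
    4.1, so a gap above 1.0 bit at exactly one position is the pattern; a fully
    encrypted or fully plain file shows no position-dependent gap."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data) - CHUNK + 1, CHUNK)]
    if len(chunks) < 2 * PHASES:
        return {"phase": None, "gap": 0.0, "match": False}
    ent = [shannon_entropy(c) for c in chunks]
    means = [sum(ent[p::PHASES]) / len(ent[p::PHASES]) for p in range(PHASES)]
    best = max(range(PHASES), key=means.__getitem__)
    rest = [m for p, m in enumerate(means) if p != best]
    gap = means[best] - sum(rest) / len(rest)
    return {"phase": best, "gap": round(gap, 2), "match": gap > 1.0}


def build_sample(encrypted: bool, seed: int = 7) -> bytes:
    """Constructed input: 1920 bytes of repeated text; if `encrypted`, the
    64-byte chunk at every offset k*192 is replaced by pseudorandom bytes."""
    text = (b"Quarterly report: revenue, headcount, and forecast by region. " * 40)[:1920]
    if not encrypted:
        return text
    rng = random.Random(seed)
    out = bytearray(text)
    for start in range(0, len(out) - CHUNK + 1, CHUNK + GAP):
        out[start:start + CHUNK] = bytes(rng.getrandbits(8) for _ in range(CHUNK))
    return bytes(out)


if __name__ == "__main__":
    print("plain:       ", intermittent_encryption_score(build_sample(False)))
    print("intermittent:", intermittent_encryption_score(build_sample(True)))
```

A uniformly high-entropy file (fully encrypted or compressed) scores a gap near zero at every position, so this check separates the intermittent layout from ordinary full-file encryption rather than merely flagging randomness.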

Qakbot was observed delivering BlackBasta prior to the Qakbot takedown in August. However, BlackBasta was among several malware families that survived the takedown and continued to proliferate using other means.

 

Victimology

Black Basta has targeted multiple verticals, including manufacturing, construction, transportation, telecommunications, pharmaceuticals, cosmetics, plumbing and heating, automotive, clothing, and others. It has claimed at least 350 victims to date.

BlackBasta targets in 2023 have included the Toronto Public Library, ABB, Rheinmetall, Alliance, and others. 

 

BlackBasta Samples

You can use the following CLI command to search for all BlackBasta samples in our portal:

$ polyswarm link list -f BlackBasta

 

Story of the Year - MOVEit

Significance

PolySwarm analysts chose MOVEit as the story of the year because of the widespread attacks this vulnerability made possible. As noted above, Cl0p was among the threat actors known to leverage MOVEit in their campaigns.

 

What is MOVEit?

CVE-2023-34362 is a critical SQL injection vulnerability in Progress Software’s MOVEit Transfer managed file transfer (MFT) software. It allows an unauthenticated threat actor to access the databases associated with MOVEit. MOVEit Cloud was initially affected, but a backend fix remedied the situation, and Progress Software has also issued updates to patch the other MOVEit versions currently in use.

MOVEit-associated activity was first observed in the wild as early as March 2023. Threat actors used the vulnerability to install a webshell/backdoor in order to steal data uploaded via MOVEit Transfer. Mandiant referred to the webshell, written in C#, as LemurLoot. 

 

Victimology

Over 2,300 organizations have confirmed being victims of MOVEit-related data breaches. Threat actors can potentially use the stolen information for extortion, to gain access to both business and personal accounts, and for identity theft, among other nefarious activities.

CCleaner, a popular optimization app owned by Gen Digital, was targeted using the MOVEit vulnerability in May. The MOVEit vulnerability was also leveraged to target US-based government and defense entities. As noted above, the Cl0p ransomware gang has claimed over 400 organizations and over 60 million individuals as victims while leveraging the MOVEit 0day.

MOVEit also posed a threat to critical infrastructure and energy sector entities. Siemens Energy and Schneider Electric are among the named victims. The well-known oil and gas (ONG) entity Shell and two US Department of Energy entities were also compromised by Cl0p, using the MOVEit 0day. 

 

MOVEit Samples

You can use the following CLI command to search for all MOVEit samples in our portal:

$ polyswarm link list -f MOVEit
