Threat Context Monthly: Executive intelligence briefing for March 2024

Welcome to the Threat Context Monthly blog series, where we provide a comprehensive roundup of the most relevant cybersecurity news and threat information from KrakenLabs, Outpost24’s cyber threat intelligence team.

Threat actor of the month: blackhunt – Ransomware-as-a-Service (RaaS)

“blackhunt” is the threat actor behind the promotion, in underground forums and on Telegram, of Ransomware-as-a-Service (RaaS) projects that use the Wing and Black Hunt 2.0 ransomware strains. Both variants were created using a leaked LockBit ransomware builder.

  • Wing RaaS: First advertised on January 28, 2024, it promises affiliates 70% of each payment and offers customization options, such as the extension used for encrypted files or the ransom note text. It also introduces the figure of a “representative”: a person who recommends the project to others and receives 10% of every payment generated by the people they referred.
  • Black Hunt 2.0 RaaS: Black Hunt ransomware was first observed in November 2022, and by mid-2023 a new version appeared, dubbed Black Hunt 2.0. However, it was not until March 2024 that blackhunt advertised the RaaS on the underground forum RAMP, as a project focused solely on compromising big targets for high ransom amounts.

It remains unclear why the group took so long to advertise the Black Hunt project. Outpost24 KrakenLabs analysts believe the delay could be related to the group’s efforts to attract the attention of LockBit Group’s affiliates following the LockBit seizure. This hypothesis is supported not only by the timing and the intended Big Game Hunting approach, but also by a note in which the user highlighted their advantages over other RaaS in the event of a hack.

Message from blackhunt in the Black Hunt 2.0 RaaS publication highlighting their advantages over other RaaS in the event of a hack. Source: RAMP

Outpost24 KrakenLabs analysts believe that blackhunt has also been using the nickname “b0rn_villain” on Telegram. Under this identity, the user is likely responsible for a channel named “bl4nk_room”, created in 2017, that shares hacking-related information in both English and Arabic.

Spotlight threat: Operation Cronos – Law enforcement disrupts LockBit RaaS

In late February, Operation Cronos, a global law enforcement task force involving ten countries and Europol, dismantled LockBit’s key infrastructure and seized over 200 cryptocurrency wallets. The operation compromised LockBit’s primary platform, took down 34 servers globally, and resulted in the retrieval of over 1,000 decryption keys, leading to the development of a free decryption tool available on the “No More Ransom” portal. The authorities also obtained a “vast amount of intelligence from their systems about their activities and those who have worked with them”. In this regard, they published screenshots and internal documents on the group’s seized blog, including affiliate information and snapshots of LockBit’s admin panel. On the physical level, two people were arrested in Poland and Ukraine, and the US unsealed indictments against two further Russian nationals.

Publication by the authorities regarding the identification of LockBitSupp. Source: Seized LockBit DLS (no longer available).

After the seizure, LockBit Group reappeared on February 24 with a new DLS and began publishing victim information that, however, had already been published on their previous DLS. They also published a direct message to the authorities. Some of the points Outpost24 KrakenLabs analysts extract from the group’s manifesto are the following:

  • LockBit Group has no intention of stopping its operations.
  • The server hosting the admin and victim chat panels, as well as the blog server, were running PHP 8.1.2 and were likely compromised through a critical vulnerability tracked as CVE-2023-3824.
  • According to them, the seizure was done to avoid the publication of sensitive information that could affect the upcoming US election.
  • The authorities did not obtain all decryptors, only some temporary, unprotected ones.
  • The two people arrested are likely money launderers, not pentesters or affiliates.
  • LockBit denies any relationship with “EvilCorp”; according to the group, they merely happened to use the same cryptocurrency mixing service.

As a complement to Operation Cronos, the US Department of State offered a reward of up to US$15 million for information on LockBit leaders and affiliates. LockBit’s representatives announced they would double the bounty on their own heads for anyone able to expose them. What we see is a group fighting for its reputation and survival, mocking the authorities and disputing their findings while downplaying the operation’s accomplishments.

KrakenLabs highlights observed

Emerging threats

Artificial Intelligence: Five nation-state groups from China, Iran, North Korea, and Russia were detected using large language models (LLMs) for tasks such as understanding satellite communication protocols and coding assistance. Their OpenAI-linked accounts and activities were disrupted, highlighting the heightened monitoring now performed by service providers. Learn more →

Artificial Intelligence: Researchers have found an increase in the number of ChatGPT credentials for sale that were harvested from stealer-infected devices. The three stealers with the most compromised hosts holding ChatGPT credentials between June and October 2023 were LummaC2, Raccoon, and RedLine. Learn more →

Vulnerabilities

After the disclosure on February 19, 2024, of two vulnerabilities in ConnectWise ScreenConnect (CVE-2024-1708 and CVE-2024-1709), various ransomware groups, including “Black Basta”, “Bl00dy Group”, and “ALPHV/BlackCat”, have been observed exploiting them to gain unauthorized access to and control over affected systems. Days after LockBit Group’s seizure, LockBit 3.0 ransomware (whose builder was leaked in 2022) was also deployed following exploitation of these flaws, in attacks that cannot be attributed to the recently seized group. Learn more → / more → / and more →

Ransomware

Exit scam: “ALPHV/BlackCat” RaaS operators have shut down their operation, posting a fake seizure banner on their DLS to make it appear the authorities had taken it down and thereby hide their exit scam. According to an alleged affiliate of the group dubbed “notchy”, the operators made this decision after receiving a payment of US$22 million from the US company Optum. Learn more → / and more →

New businesses: Ransomware groups are adopting a novel monetization tactic by selling direct network access, a service traditionally associated with Initial Access Brokers (IABs). These sales take place on DLS or Telegram channels, with notable instances involving LockBit Group, “Stormous”, and “Everest”. Learn more →

[Chart] Number of victims listed on the monitored Data Leak Sites by ransomware groups in the last 30 days.

Learn more about Threat Compass

Want more? Get started with Threat Compass to receive the latest actionable intelligence from our world-class in-house analyst team.

What’s new in Threat Context this month?

Threat actors: blackhunt, darksenator, Inc. Ransom, NakedPages, Passion Team, RansomHub, raya, ResumeLooters, UNC4990, UNC5325, UNC3886, Solntsepek, Ares Leaks, R00TK1T ISC, etc.

Tools: Atlantida, CoatHanger, DSLog, FBot, Inc. Ransomware, Mario, MrAgent, NakedPages, bfBot, Fauppod, Symbiote, etc.

and much more!

Get started with Threat Compass

About the Author

KrakenLabs Threat Intelligence Team, Outpost24

KrakenLabs is Outpost24’s Cyber Threat Intelligence team. Our team helps businesses stay ahead of malicious actors in the ever-evolving threat landscape, helping you keep your assets and brand reputation safe. With a comprehensive threat hunting infrastructure, our Threat Intelligence solution covers a broad range of threats to help your business detect and deter external attackers.