Meet ShinySp1d3r: New Ransomware-as-a-Service created by ShinyHunters
Summary:
ShinySp1d3r is an emerging ransomware-as-a-service platform being developed by threat actors linked to ShinyHunters, Scattered Spider, and Lapsus$. These groups, which in the past have relied on other ransomware groups’ encryptors, are now building their own ransomware strain, according to an announcement on Telegram. Based on samples submitted to VirusTotal, the actors are developing the encryptor from scratch, rather than reusing leaked codebases.
The Windows build that was uploaded to VirusTotal includes a wide range of capabilities: evading event logging, killing processes that hold files open so that those files can be encrypted, wiping free disk space (which hinders forensic recovery of deleted data), and terminating processes associated with antivirus solutions to evade detection. The ransomware can also propagate to other devices, delete volume shadow copies to prevent restoration, and search for hosts with open network shares to encrypt.
When encrypting files, the ransomware uses the ChaCha20 stream cipher for file content, with the ChaCha20 key protected using RSA-2048 (ChaCha20 is symmetric, so it is this per-file symmetric key, not an RSA private key, that travels with the file in encrypted form). Notably, each encrypted file has a unique extension and carries a file header that begins with 'SPDR' and ends with 'ENDS'. The header contains information about the encrypted file, including the original filename, the RSA-encrypted file key, and other metadata. Furthermore, the ransomware drops a ransom note named 'R3ADME_1Vks5fYe.txt' inside each folder on the encrypted device, directing victims to negotiate ransom payments via TOX.
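The pre-encryption behaviours listed above (shadow-copy deletion, event-log tampering, killing of security and backup processes) are the usual place to build a detection, because they are noisy and happen before the first file is encrypted. The following is an added example and not code from the advisory or from the ShinySp1d3r sample; the page does not document the sample's command lines, so the commands matched below are the commonly abused ones (vssadmin, wmic, wevtutil, taskkill, net stop), the process names are illustrative, and the pipe-delimited log lines are constructed for the example.

```python
"""Added example: flag process-creation events whose command line matches
common shadow-copy deletion, event-log clearing or security/backup process
termination, then correlate per user. Not derived from the ShinySp1d3r
sample; log format, log lines and process names are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    technique: str
    command: str


# Technique label -> regexes over the full command line (case-insensitive).
PATTERNS = {
    "shadow-copy-deletion": [
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b",
        r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b.*\bmaxsize=",
        r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b",
        r"\bwin32_shadowcopy\b.*\.delete\(",
    ],
    "event-log-clearing": [
        r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+",
        r"\bclear-eventlog\b",
    ],
    "security-process-kill": [
        # Illustrative AV/EDR/backup process names, not a list taken from the sample.
        r"\btaskkill(\.exe)?\b.*\b(msmpeng|mssense|ekrn|bdagent|veeam\w*)\b",
        r"\bnet1?(\.exe)?\s+stop\s+\"?(windefend|sense|veeam\w*|mssql\w*)\b",
    ],
}
COMPILED = {t: [re.compile(p, re.IGNORECASE) for p in ps] for t, ps in PATTERNS.items()}


def classify(cmdline: str) -> list[str]:
    """Return every technique label whose patterns match the command line."""
    return [t for t, rxs in COMPILED.items() if any(r.search(cmdline) for r in rxs)]


def parse_line(line: str) -> tuple[str, str, str, str] | None:
    """Constructed pipe-delimited format: timestamp|user|image|commandline."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        return None          # malformed record: skip rather than guess
    return tuple(parts)


def scan(lines) -> list[Finding]:
    """One Finding per (event, technique) pair, in log order."""
    findings: list[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, _image, cmd = rec
        for tech in classify(cmd):
            findings.append(Finding(ts, user, tech, cmd))
    return findings


def correlate(findings, min_techniques: int = 2) -> dict[str, list[str]]:
    """Users showing several distinct pre-encryption behaviours: a single
    'vssadmin delete shadows' from an admin may be legitimate, three different
    behaviours from one account in a few seconds rarely is."""
    by_user: dict[str, set[str]] = {}
    for f in findings:
        by_user.setdefault(f.user, set()).add(f.technique)
    return {u: sorted(t) for u, t in by_user.items() if len(t) >= min_techniques}


# Constructed sample log (not real telemetry). Line 1 and line 6 are benign.
SAMPLE_LOG = """\
2025-11-20T10:01:02Z|CORP\\svc-backup|C:\\Program Files\\Veeam\\VeeamAgent.exe|VeeamAgent.exe --job nightly
2025-11-20T10:03:15Z|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet
2025-11-20T10:03:16Z|CORP\\jdoe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2025-11-20T10:03:20Z|CORP\\jdoe|C:\\Windows\\System32\\wevtutil.exe|wevtutil cl Security
2025-11-20T10:03:21Z|CORP\\jdoe|C:\\Windows\\System32\\taskkill.exe|taskkill /F /IM MsMpEng.exe
2025-11-20T10:05:00Z|CORP\\adm|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h.ts} {h.user:<16} {h.technique:<24} {h.command}")
    print("escalate:", correlate(hits))
```

Only the account that chains several behaviours is escalated; the benign backup agent and the admin merely listing shadow copies produce no findings, which is the point of keeping the regexes narrow (delete, not list) and correlating before alerting.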
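For incident responders, the two on-disk artefacts described above (the SPDR...ENDS header and the R3ADME_<id>.txt note) are enough to scope which files on a volume were touched without knowing the key material. The script below is an added example, not code from the advisory or from the sample. It assumes, which the page does not state, that the header sits at the very start of the file and fits in the first 64 KiB, and that the note id is alphanumeric; the header's internal layout is not documented on the page, so only its span is reported and nothing inside it is parsed. The directory tree it triages is constructed in a temporary folder.

```python
"""Added example: triage a directory tree for files carrying a SPDR...ENDS
header and for R3ADME_<id>.txt ransom notes. Not code from the sample;
header position/window and the note-name pattern are assumptions, and the
sample tree is constructed."""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

HDR_START = b"SPDR"
HDR_END = b"ENDS"
HEADER_WINDOW = 64 * 1024                          # assumption: header within first 64 KiB
NOTE_RE = re.compile(r"^R3ADME_[A-Za-z0-9]+\.txt$")  # assumption: alphanumeric note id


def header_length(path: Path) -> int | None:
    """Byte length of a SPDR...ENDS header at the start of the file, or None.
    A file that starts with SPDR but has no ENDS inside the window is not
    counted, so a truncated or coincidental prefix does not inflate the tally."""
    with open(path, "rb") as fh:
        window = fh.read(HEADER_WINDOW)
    if not window.startswith(HDR_START):
        return None
    end = window.find(HDR_END, len(HDR_START))
    return None if end < 0 else end + len(HDR_END)


def triage(root: Path) -> dict:
    """Walk root; return sorted encrypted files with header sizes, sorted
    note paths, and a per-extension count (the page says each encrypted
    file gets a unique extension, so every count here should be 1)."""
    encrypted: list[tuple[str, int]] = []
    notes: list[str] = []
    extensions: dict[str, int] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if NOTE_RE.match(name):
                notes.append(rel)
                continue
            hl = header_length(p)
            if hl is not None:
                encrypted.append((rel, hl))
                extensions[p.suffix] = extensions.get(p.suffix, 0) + 1
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "extensions": extensions}


def build_fixture(root: Path) -> None:
    """Constructed sample tree: two 'encrypted' files, one note, one clean
    file, and a decoy that starts with SPDR but never terminates."""
    (root / "finance").mkdir()
    (root / "finance" / "q3.xlsx.k9Qz1").write_bytes(HDR_START + b"\x00" * 300 + HDR_END + b"\xab" * 64)
    (root / "finance" / "R3ADME_1Vks5fYe.txt").write_text("contact us via TOX ...")
    (root / "photo.jpg.Qm7x").write_bytes(HDR_START + b"\x11" * 50 + HDR_END + b"\xcd" * 32)
    (root / "notes.txt").write_text("meeting at 10")
    (root / "decoy.bin").write_bytes(HDR_START + b"x" * 10)


def run_demo() -> dict:
    """Build the fixture in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_fixture(root)
        return triage(root)


if __name__ == "__main__":
    result = run_demo()
    for rel, hl in result["encrypted"]:
        print(f"encrypted  {rel}  (header {hl} bytes)")
    for rel in result["notes"]:
        print(f"note       {rel}")
    print("extensions:", result["extensions"])
```

Point it at a mounted image or a restored share instead of the fixture to get a file list for scoping and for checking which backups predate the header timestamps; the decoy case matters on real volumes, where a four-byte prefix will occasionally occur by chance.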
Security Officer Comments:
While only a Windows variant has been spotted so far, ShinyHunters states that they have completed a CLI build with runtime configuration and are in the process of releasing Linux, ESXi, and lightning versions of the encryptor. These variants will be marketed under the "Scattered LAPSUS$ Hunters" brand, reflecting the recent collaboration between ShinyHunters, Scattered Spider, and Lapsus$.
According to Scattered LAPSUS$ Hunters, organizations in the healthcare sector, including pharmaceutical companies, hospitals, clinics, and insurance firms, are off-limits to their encryptor. Similar statements have been made by other ransomware operations in the past, and those promises have repeatedly been broken. Affiliates are also forbidden from targeting Russia and other CIS countries, since many of them will come from those regions and could otherwise become targets of local law enforcement.
Suggested Corrections:
Back up your data, system images, and configurations, test the backups regularly, and keep them offline: Ensure that backups are regularly tested and are not reachable from the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current offline backups is critical because, if production data is encrypted, restoring from them is the only reliable way back to operation.
Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.
Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.
Train employees: Email remains the most common initial-access vector for organizations. Users should be trained to spot and report phishing emails.
Implement multi-factor authentication (MFA): External-facing assets that leverage single-factor authentication (SFA) are highly susceptible to brute-forcing attacks, password spraying, or unauthorized remote access using valid (stolen) credentials. Implementing MFA enhances security and adds an extra layer of protection.
Link(s):
https://www.bleepingcomputer.com/ne...somware-as-a-service-created-by-shinyhunters/