January 29, 2021
Over the past thirty days and specifically in the first weeks of 2021, Ankura’s Cyber Security practice has responded to a wide range of matters including nation-state sponsored exploitation activity and activities associated with newly identified ransomware actors.
As we detail in the pages below, Ankura’s Cyber Threat Analysis and Pursuit Team (CTAPT) analysts have observed what appears to be an opening salvo between two (2) of the largest ransomware groups operating today, suggesting overt conflict between the competing “cartels.” This open competition and conflict could spill over to victims as these actors work to discredit each other and/or to secure “market share.” In the past, competing cartels have intentionally released sensitive victim information held by competitors, targeted competitors’ victims with additional ransom demands, and posted competitor-held victim information on the Dark Web. As ransomware and related extortion continues to be lucrative, competition among criminal elements will persist and will likely continue to impact victims.
As a function of our response activities, Ankura’s CTAPT has initiated monitoring of a new variant of ransomware called “Pay2Key.” This new variant is suspected to be associated with Iranian threat actors and based on the reported capabilities, is likely utilized as a cover for other activity responsive to Iranian objectives. Those details can also be found below.
Lastly, during this period Ankura’s Cyber Security team has been working with organizations which may have been exploited due to an existing vulnerability within Zyxel appliances, potentially enabling unauthorized remote access to individual user accounts.
Ransomware Cartel Warfare
Ankura previously reported specifics describing the circumstances around the Maze ransomware group shutting down operations. At the time, Maze posted that they had made the decision to “retire” and that any activity attributed to Maze thereafter would be incorrect. CTAPT anticipated seeing a large spike in chatter related to the group, and that chatter has manifested in an unexpected way. CTAPT analysts recently observed posts on an underground web forum that suggest Maze members may be victims of a data breach themselves. First observed on November 19, 2020, on “Raidforums”, an actor using the handle “asdf123456” claimed to be in possession of Personally Identifiable Information (PII) for actors associated with the Maze ransomware group. The actor behind “asdf123456” also posted information suggesting Maze is led by the “Russia secret service” and offered screenshots of correspondence to prove the point:
Figure 1: Original posting made on Raidforums on November 19, 2020
Figure 2: Additional information provided by the posting which mentions the Maze team as the intended target
Shortly after the posting by “asdf123456”, additional chatter emerged indicating that the REvil ransomware group (also known as Sodinokibi) was responsible for the Maze compromise and was the source of the PII. The banter intensified when another account named “revil” (claiming to speak on behalf of REvil) began posting additional claims directly targeting the Maze group. “Revil” claimed to have gathered information on eight (8) different Maze operatives and attributed this data to an insider within Maze.
“Revil” also posted claims alleging Maze actors did not shut down operations but rather created the “Egregor” group to skirt OFAC sanctions and/or to enhance anonymity. Lastly, as seen in the images below, the “revil” account also identified the Russian hacker “Maxim Yakubets” (EvilCorp leader) as belonging to the Maze cartel:
Figure 3: The three images above show only a few postings made by the “revil” account. (There is low confidence “revil” is actually a REvil member)
Shortly after the release of the above posts an account named “Unknown”, the apparent leader of REvil, posted that the rumors and “revil” postings were not true: “It is fake. I haven’t heard anything about [a] confrontation with Maze (I think they as well). I already said before – a competitor is a competitor, better compete in software quality than to arrange some kind of backstage intrigue. I think they are of the same opinion”.
Figure 4: The account name “Unknown” responded to the allegations and rumors being posted about the Maze group.
At this time, CTAPT analysts have not seen convincing evidence that REvil targeted the Maze group; however, the possibility cannot be completely disregarded. The discourse could impact current ransomware victims as well as future ones. Paying a ransom in this contested environment may be even riskier because the data might eventually be leaked by a competitor. As an example, in September 2020, CTAPT published a report revealing how the “ShinyHunters” ransomware group was targeted and compromised by “hackers.” As a result, data stolen by ShinyHunters from their victims was released by the hackers on various dark web forums. It was a shock for some victim entities to find their data in that release, since they had paid ransoms previously and believed no additional exposure would result. The emerging REvil and Maze situation could potentially manifest in a similar fashion.
Pay2Key Ransomware Targeting Israeli Victims
CTAPT has observed a surge in cyber-attacks targeting Israeli companies with a new ransomware strain called Pay2Key. This new variant is typically employed following standard ransomware tactics, techniques, and procedures (TTPs) including replicating across a compromised network, encrypting endpoints, and eventually dropping a ransom note:
Figure 5: Pay2Key Ransom note with organization specific ASCII art
What is interesting here is that the new variant uses a single machine as the center of operations and remotely executes the ransomware on other machines, encrypting the data with the AES and RSA algorithms. After gaining access to a target machine, typically through RDP (Remote Desktop Protocol), the threat actor designates that machine as a pivot point or proxy within the network. From this point forward, all traffic between the infected network and the threat actor’s Command and Control (C2) server, including exfiltration of victim data, is passed through the assigned proxy.
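The pivot-and-proxy pattern described above leaves a recognisable footprint in network telemetry: one internal host that took an inbound RDP session, fans out to many internal hosts over lateral-movement ports, and carries a disproportionate share of outbound bytes to a single external address. The heuristic below is an added example (not Ankura’s tooling or Pay2Key’s code); the flow records, the 10.0.0.0/8 internal range, and the thresholds are constructed assumptions.

```python
"""Heuristic pivot-host detection for the Pay2Key-style pattern described above.
Added example; the flow records below are constructed, not real telemetry."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed corporate range
LATERAL_PORTS = {3389, 445, 135}      # RDP, SMB, RPC
MIN_FANOUT = 5                        # assumed threshold for "many" lateral targets
MIN_UPLOAD = 10_000_000               # assumed threshold (bytes) for bulk exfiltration

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_sent)
FLOWS = [
    ("203.0.113.7", "10.0.5.20", 3389, 900),                     # inbound RDP to the pivot
    *[("10.0.5.20", "10.0.5.%d" % (30 + i), 3389, 400) for i in range(6)],  # fan-out over RDP
    ("10.0.5.20", "10.0.5.40", 445, 1200),                       # fan-out over SMB
    ("10.0.5.20", "198.51.100.9", 443, 50_000_000),              # bulk upload to one external host
    ("10.0.5.31", "10.0.5.20", 445, 800),                        # victim talks only to the pivot
    ("10.0.7.3", "10.0.7.4", 445, 2000),                         # normal file-share use
    ("10.0.7.3", "192.0.2.50", 443, 30000),                      # normal web browsing
]


def find_pivot_candidates(flows, min_fanout=MIN_FANOUT, min_upload=MIN_UPLOAD):
    """Return {host: evidence} for internal hosts showing all three indicators:
    an inbound RDP session, wide lateral fan-out, and a bulk upload to one external IP."""
    lateral = defaultdict(set)                          # host -> internal targets on lateral ports
    external = defaultdict(lambda: defaultdict(int))    # host -> external ip -> bytes sent
    inbound_rdp = set()                                 # internal hosts reached by RDP from outside
    for src, dst, port, nbytes in flows:
        s, d = ip_address(src), ip_address(dst)
        if s not in INTERNAL and d in INTERNAL and port == 3389:
            inbound_rdp.add(dst)
        elif s in INTERNAL and d in INTERNAL and port in LATERAL_PORTS:
            lateral[src].add(dst)
        elif s in INTERNAL and d not in INTERNAL:
            external[src][dst] += nbytes
    candidates = {}
    for host, targets in lateral.items():
        heavy = {ip: b for ip, b in external[host].items() if b >= min_upload}
        if len(targets) >= min_fanout and heavy and host in inbound_rdp:
            candidates[host] = {"lateral_targets": len(targets), "upload_to": heavy}
    return candidates


if __name__ == "__main__":
    for host, evidence in find_pivot_candidates(FLOWS).items():
        print(host, evidence)
```

The same host-level view also helps locate machines left unencrypted on purpose: the pivot itself must stay functional to keep relaying traffic, so it is a natural place to start a forensic collection.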
Pay2Key actors also employ the commonly used double extortion method by leaking a small amount of exfiltrated data to act as a “proof of life” and then demanding payment via the ransom note.
Figure 6: Pay2Key’s Ransom Site
Current reporting indicates several Israeli companies have been compromised and have paid the ransom. Those payments are reported to typically be between seven (7) and nine (9) Bitcoin. Those that paid the ransom left a “money trail,” and CTAPT was able to identify an intermediate crypto wallet. Follow-on analysis revealed an associated secondary wallet used to make deposits to an Iranian cryptocurrency exchange named “Excoino.” Of interest is that Excoino requires a user to have an Iranian phone number and ID.
Figure 7: Data leak announcement
Based upon additional analysis, and as also highlighted by Clear Sky Security, CTAPT believes the Pay2Key campaign may be a diversion to draw attention away from other Iranian activity, specifically that of the APT group Fox Kitten. The attack vector employed by Pay2Key overlaps with Fox Kitten’s access vector. In addition to the overlapping vectors, there are other similarities between the campaigns, including but not limited to the use of similar toolkits, the same vulnerabilities, and similar passwords within an infected network.
Since the Pay2Key ransom demands are lower than what is normally seen from ransomware groups, it is likely the ruse will play out to completion as victims find it easier to pay. Another interesting tactic shift is that the Pay2Key ransom process does not encrypt all of the systems. This suggests machines/networks are specifically chosen to remain unencrypted to enable the further exploitation, collection, or even espionage needs of the Iranian sponsors.
Zyxel Hardcoded Administrative Account
In the first week of January 2021, Zyxel Communications Corporation (“Zyxel”) announced that a secret backdoor had been discovered in its firewalls, VPN gateways, and AP controllers. A hardcoded administrative account was found in the company’s latest firmware release that could be used to log into vulnerable devices over both the SSH and web interfaces. This account is normally used to deliver firmware updates over FTP. Because it grants administrative access to VPN devices, it is especially dangerous: accounts created through it can be used to gain access to an internal network or to create port-forwarding rules that make internal services publicly accessible. These types of vulnerabilities are heavily favored by threat actors who are known to use exploits to deploy ransomware or to compromise internal corporate networks and exfiltrate data.
This type of vulnerability can lead to attacks such as ransomware, DDoS botnets, and a range of others. As of now, analysis of the vulnerability and attack data has revealed that the first attempts to exploit it do not appear targeted, but rather opportunistic. However, there has been an increase in access attempts originating from Russia-based IP addresses; many of these same IPs have been involved in internet-wide scans for other vulnerabilities and are thus likely part of a particular threat actor’s infrastructure.
For entities using Zyxel solutions, CTAPT recommends reviewing Zyxel’s security advisory and determining if those solutions are impacted. If so, it is important to install the related firmware patch as soon as possible. Immediately following the firmware update, CTAPT recommends conducting a thorough review of user accounts to identify anomalous/suspicious events associated with unauthorized remote access.
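The post-patch account review recommended above can be scripted against exported appliance logs. The example below is added here and is not Zyxel’s or Ankura’s code: it assumes a generic key=value log format (not Zyxel’s real format), a constructed log sample in which “svcupdate” stands in for the hardcoded account, an allowlist of provisioned administrators, and a management subnet from which administrative logins are expected.

```python
"""Review appliance logs for the indicators named in the Zyxel section: logins by
unprovisioned accounts, admin logins from outside the management network, newly
created accounts, and port-forwarding rules that expose internal services.
Added example; log format, account names and networks are constructed assumptions."""
import re
from ipaddress import ip_address, ip_network

KNOWN_ADMINS = {"admin"}                  # accounts the organisation actually provisioned (assumed)
MGMT_NET = ip_network("10.10.0.0/24")     # where admin logins are expected from (assumed)
KV = re.compile(r"(\w+)=(\S+)")           # parses key=value fields from the constructed format

# Constructed sample log; "svcupdate" is a placeholder for the hardcoded account.
LOGS = """\
2021-01-04T02:13:44 fw01 auth: user=admin method=ssh src=10.10.0.5 result=success
2021-01-04T02:41:09 fw01 auth: user=svcupdate method=web src=198.51.100.23 result=success
2021-01-04T02:42:30 fw01 config: user=svcupdate action=add-user name=support2 role=admin
2021-01-04T02:43:02 fw01 config: user=svcupdate action=add-portfwd rule=wan:443->10.10.0.12:3389
2021-01-04T08:00:12 fw01 auth: user=admin method=web src=10.10.0.5 result=success
2021-01-04T08:05:55 fw01 auth: user=guest method=ssh src=203.0.113.4 result=fail
"""


def review(log_text, known_admins=KNOWN_ADMINS, mgmt_net=MGMT_NET):
    """Return a list of (timestamp, finding, subject, detail) tuples, one per suspicious event."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _host, kind, rest = line.split(" ", 3)
        f = dict(KV.findall(rest))
        user = f.get("user")
        if kind == "auth:" and f.get("result") == "success":
            if user not in known_admins:
                findings.append((ts, "login by unprovisioned account", user, f["src"]))
            if ip_address(f["src"]) not in mgmt_net:
                findings.append((ts, "admin login from outside management network", user, f["src"]))
        elif kind == "config:" and f.get("action") == "add-user":
            findings.append((ts, "new account created", f["name"], "by " + user))
        elif kind == "config:" and f.get("action") == "add-portfwd":
            findings.append((ts, "port-forward rule exposes internal service", f["rule"], "by " + user))
    return findings


if __name__ == "__main__":
    for finding in review(LOGS):
        print(*finding, sep=" | ")
```

Failed logins are deliberately not reported; the point of the review is to find what succeeded, and each account or rule flagged should be checked against change records before it is removed.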