Malware’s Shared Secrets: Code Similarity Insights for Ransomware Gangs Activities Tracking

On July 1, 2024, the cyber security vendor Halcyon, Inc., identified a novel ransomware strain they named LukaLocker (ref. here). In the article researchers from Halcyon reported a new ransomware operator, dubbed Volcano Demon, specialized in attacks using the LukaLocker encryptor. According to the source, the threat actor targets both Continue Reading

Unveiling Obfuscated Batch Scripts: From UTF-8 to UTF-16 BOM Conversion

This morning I observed an Internet Shortcut file (sha256:0817cd8b0118e2f023342ad016ef443fd4c2e4657a373f9023807a231d16b0fa – Fattura Elettronica 11817929720.url) designed to compromise an Italian organization, containing these instructions: The .lnk file in its turn showed the following commands: This instructions are designed to perform two main actions: it moves a file and then starts it. First, Continue Reading

A {Black}Cat and mouse game: How the gang’s operators have ‘unseized’ their Dedicated Leak Site

In recent days, the FBI was entrenched in a virtual struggle against the ransomware group known as ALPHV / BlackCat. This engagement unfolded subsequent to the FBI gaining control of the underlying infrastructure that the group had utilized to amass over $300 million in ransoms. In the early hours of Dec. 19, 2023, the darkweb Continue Reading

Under the shellcode of the ‘Operation Duck Hunt’. Analysis of the FBI’s ducks killer.

The “Duck Hunt” operation refers to a specific operation called “Operation Duck Hunt” that disrupted the Qakbot botnet. The Qakbot botnet was a sophisticated network of compromised computers that was used to distribute malware, steal sensitive information, and carry out other malicious activities. The operation to disrupt the Qakbot botnet Continue Reading

Rhysida: An old / new threat in the ransomware landscape

Rhysida is a relatively new ransomware group operating as a R-a-a-S (Ransomware-as-a-Service) provider. The corresponding ransomware has the particularity of making use of LibTomCrypt, a cryptographic library that allows attackers to leverage on robust encryption methods and a fast development. Rhysida appears to be written in C++ and compiled via MinGW; the payloads I’ve found are quite Continue Reading