Colonial Pipeline Ransomware Attackers Launch New Tactics

OCTOBER 6TH, 2022

New ransomware, malware, and other threats from bad actors are making headlines because so many attacks succeed. Statista reports that about 70 percent of businesses were hit by ransomware in 2022. The Verizon 2022 Data Breach Investigations Report found a 13 percent year-over-year increase in ransomware breaches, a jump as large as the previous five years combined, among more than 5,200 confirmed breaches worldwide.

Now, the Symantec Threat Hunter Team has reported that attackers using the ransomware strain Noberus, also known as BlackCat and ALPHV, have begun to employ new tactics, tools, and procedures that should concern any IT pro.

The Noberus Provenance

According to the Threat Hunter Team post, Noberus is suspected to be a successor payload to the Darkside and BlackMatter ransomware families, which were developed by a group that goes by various names, including Coreid and Carbon Spider. Darkside was the ransomware used in the devastating Colonial Pipeline attack in 2021. The post notes that the intense public and law enforcement focus following the Colonial attack led Coreid to retire Darkside and replace it with BlackMatter.

Coreid operates a ransomware-as-a-service (RaaS) model: it develops the ransomware tooling and services, then takes a share of the proceeds from affiliates who use those tools to carry out the attacks. The Threat Hunter Team was also the first to note, late last year, that Noberus was written in Rust, a cross-platform language; it was the first time they had seen a professional ransomware strain written in Rust used in a real-world attack. That cross-platform capability is the basis for Coreid's claim that Noberus can encrypt files on Windows, ESXi, Debian, ReadyNAS, and Synology systems.

The Threat Hunter Team post includes a deep dive into the updated data exfiltration tooling used in these attacks: a new version of the ExMatter data exfiltration tool, and Eamfo, malware designed to steal credentials stored by Veeam backup software. You can read Veeam's official response here.

The post’s conclusion states that Coreid is one of the most dangerous and active ransomware developers today. Read the entire post here.

Be Prepared for Ransomware

Ransomware is insidious. While it often comes from sophisticated groups like Coreid, there are untold numbers of solo hackers and cyber criminals constantly trying new attack methods. Note what a tool like Eamfo is built for: a backup server holds credentials to much of the rest of the environment, so it should be hardened and isolated as a high-value asset rather than treated as just another host. Bolstering your cybersecurity strategy and tactics is crucial, but those defenses aren't foolproof. That's why you need an effective backup and disaster recovery solution as your last line of defense.

Find out how you can put that last line of defense in place and protect your data from ransomware by talking to an Arcserve technology partner. Check out our free demos and free trials, too.
