RansomHub Affiliate NoName Group Launches ScRansom Attacks

Threat Group: NoName (formerly known as CosmicBeetle)
Threat Type: Ransomware (Part of the Spacecolon malware family)
Exploited Vulnerabilities: CVE-2017-0144 (EternalBlue), CVE-2023-27532 (Veeam Backup), CVE-2020-1472 (ZeroLogon), and others
Malware Used: ScRansom, LockBit variants, RansomHub
Threat Score: High (8.5/10) – Due to its focus on SMBs and evolving encryption methods
Last Threat Observation: September 2024


Overview

The NoName group, previously known as CosmicBeetle, is an emerging ransomware actor that has been highly active since 2023. The group’s custom ransomware strain, ScRansom, replaced their older Scarab ransomware and primarily targets SMBs across industries, including manufacturing, healthcare, legal, and education sectors.

NoName has recently partnered with RansomHub, a prominent ransomware-as-a-service (RaaS) platform. The group has also experimented with the LockBit 3.0 ransomware builder to bolster their visibility and leverage the reputation of other, more established ransomware gangs.

Key Details:

  • Encryption Scheme: ScRansom uses AES-CTR-128 and RSA-1024, with an additional AES key generated to protect the public key. This encryption process, while advanced, sometimes results in decryption failures.
  • ERASE Mode and Partial Encryption: ScRansom includes an ERASE mode, which overwrites files and renders them unrecoverable. Additionally, it supports partial encryption, which speeds up the process and makes it harder to detect.
  • Vulnerabilities Exploited: The group exploits several high-profile vulnerabilities, including EternalBlue (CVE-2017-0144) and ZeroLogon (CVE-2020-1472).

Attack Vectors:

NoName primarily gains access through brute-force attacks and by exploiting known vulnerabilities. It uses tools such as Reaper and RealBlindingEDR to disable security processes before deploying ScRansom.

The group has also been linked to deployments of both ScRansom and RansomHub payloads on the same machine, highlighting a strong operational connection.

New Observations:

  • LockBit Mimicry: NoName has been experimenting with LockBit 3.0, attempting to pass off their operations under the guise of this established ransomware group. This is likely an effort to exploit LockBit’s reputation and mask underlying issues with their own tools.
  • Attribution: Earlier reports suggested a possible Turkish origin for NoName based on the use of encryption schemes found in the legitimate ScHackTool. However, this attribution is now in doubt.

Known Indicators of Compromise (IoCs):

  • qTox ID for Communication: A qTox ID used in ransom demands. One example: A5F2F6058F70CE5953DC475EE6AF1F97FC6D487ABEBAE76915075E3A53525B1D863102EDD50E.
  • File Extensions: ScRansom often modifies file extensions, depending on the configuration, to mark encrypted files.
  • Ransom Notes:
    • Often includes emails such as sunucuverikurtarma@gmail[.]com or serverdatakurtarma@mail[.]ru, and instructs victims to access ransom demands via Tor.
  • Processes Disabled Before Encryption:
    • Windows Defender
    • Volume Shadow Copy
    • SVCHost
    • LSASS
    • VMware Tools
  • Batch File (DEF1.bat): Used to disable Windows Defender by altering the Windows Registry.

Exploited CVEs:

  1. CVE-2017-0144 (EternalBlue)
    A critical vulnerability in Microsoft’s SMBv1 protocol, previously used in the WannaCry attacks.
  2. CVE-2023-27532 (Veeam Backup)
    A vulnerability in Veeam Backup & Replication that allows unauthenticated access to sensitive information.
  3. CVE-2020-1472 (ZeroLogon)
    Allows privilege escalation in Active Directory by exploiting the Netlogon protocol.
  4. CVE-2021-42278 and CVE-2021-42287 (Active Directory Privilege Escalation)
    These vulnerabilities allow privilege escalation within Active Directory environments.
  5. CVE-2022-42475 (FortiOS SSL-VPN)
    Allows unauthenticated remote code execution on Fortinet’s FortiOS SSL-VPN systems.

Mitigation and Prevention:

  1. Patch Management: Prioritise patching critical vulnerabilities such as EternalBlue (CVE-2017-0144) and ZeroLogon (CVE-2020-1472).
  2. Endpoint Protection: Use robust EDR (Endpoint Detection and Response) solutions to detect behaviours like process-killing attempts.
  3. Backup Strategies: Regularly back up data and store these backups offline to protect them from ransomware attacks. Ensure that backups are encrypted and cannot be altered by the malware.
  4. User Education: Educate users on recognising phishing attempts and brute-force attacks, as these are common initial access methods for the NoName group.
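A defender-side check for the IoCs listed above (the DEF1.bat registry change that disables Windows Defender, the kills of the listed security processes, shadow copy deletion and the ransom-note contact addresses), written as an added example in Python that is not part of this advisory; the event shape, the executable names chosen for the listed services and the Defender registry value names are assumptions of this example.

```python
import re

# Constructed Sysmon-style events (not real telemetry), shaped to match the IoCs
# in the advisory: a DEF1.bat-driven registry change disabling Defender, security
# process kills, shadow copy deletion, and a ransom note carrying a listed address.
SAMPLE_EVENTS = [
    {"type": "registry", "parent_cmdline": r"cmd.exe /c C:\Users\Public\DEF1.bat",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "value": "1"},
    {"type": "process", "cmdline": "taskkill /F /IM MsMpEng.exe /IM vmtoolsd.exe"},
    {"type": "process", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "file", "path": r"C:\Users\alice\Desktop\HOW_TO_RECOVER.txt",
     "content": "Write to sunucuverikurtarma@gmail.com and open the demand over Tor."},
    {"type": "process", "cmdline": "notepad.exe notes.txt"},  # benign control event
]

# Executable names standing in for the services the advisory says are stopped
# (Defender, LSASS, svchost, VMware Tools); this mapping is an assumption.
KILL_TARGETS = {"msmpeng.exe", "lsass.exe", "svchost.exe", "vmtoolsd.exe"}
# Defender policy values a DEF1.bat-style script would flip (assumed value names).
DEFENDER_POLICY = re.compile(
    r"\\Policies\\Microsoft\\Windows Defender\\(DisableAntiSpyware|DisableRealtimeMonitoring)$",
    re.I)
# Contact addresses quoted in the advisory's IoC list, in un-defanged form.
RANSOM_CONTACTS = {"sunucuverikurtarma@gmail.com", "serverdatakurtarma@mail.ru"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")

def detect(events):
    """Return (rule_name, evidence) pairs for events matching the listed TTPs."""
    hits = []
    for ev in events:
        if ev["type"] == "registry":
            if DEFENDER_POLICY.search(ev["key"]) and ev["value"] == "1":
                hits.append(("defender_disabled_via_registry", ev.get("parent_cmdline", "")))
        elif ev["type"] == "process":
            cmd = ev["cmdline"]
            names = set()
            if "taskkill" in cmd.lower():
                names = {n.lower() for n in re.findall(r"/IM\s+(\S+)", cmd, re.I)}
            if names & KILL_TARGETS:
                hits.append(("security_process_kill", ", ".join(sorted(names & KILL_TARGETS))))
            if re.search(r"vssadmin\s+delete\s+shadows", cmd, re.I):
                hits.append(("shadow_copy_deletion", cmd))
        elif ev["type"] == "file":
            found = {m.lower() for m in EMAIL_RE.findall(ev["content"])} & RANSOM_CONTACTS
            if found:
                hits.append(("ransom_note_contact", ", ".join(sorted(found))))
    return hits
```

Each rule fires independently, so a host that only shows the registry change still surfaces before any encryption starts.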

Conclusion:

The NoName group’s ScRansom ransomware continues to be a significant threat to SMBs, employing advanced encryption techniques and exploiting well-known vulnerabilities. Their partnership with RansomHub and experimentation with LockBit 3.0 further highlight their adaptability and evolving tactics. Organisations must enhance patch management and detection capabilities and maintain strong backup policies to mitigate the risks posed by this ransomware.


Sources:

  1. BleepingComputer: "NoName ransomware gang deploying RansomHub malware"
  2. The Hacker News: "CosmicBeetle Deploys Custom ScRansom Ransomware, Partnering with RansomHub"
  3. ESET Research: "CosmicBeetle group joins forces with other ransomware gangs"
  4. VULNERA: "NoName Ransomware Gang Expands Tactics"