Unsophisticated campaigns use off-the-shelf RATs and other tools to exfiltrate data and demand a ransom to keep it private.

A little social engineering and commercially available remote administration tools (RATs) and other software are all the new Luna Moth ransom group has needed to infiltrate victims' systems and extort payments.

The threat group is essentially pulling off ransom attacks without the ransomware, according to researchers at Sygnia, who today published their findings on Luna Moth.

With co-opted branding from Zoho Masterclass and Duolingo, Luna Moth launches a classic phishing campaign to compromise victim devices and exfiltrate any available data. Phishing emails request a payment for a subscription and offer a PDF attachment with a cell phone number to call for more information. When the victim calls to discuss the invoice, the call is answered by the threat actor, who will try to trick the victim into installing Atera, a widely available RAT, giving the attackers full device control.

The researchers observed Luna Moth abusing other off-the-shelf remote administration tools including Splashtop, Syncro, and AnyDesk for device takeover. In addition to RATs, commercially available tools like SoftPerfect Network Scanner, SharpShares, and Rclone were used to access and exfiltrate data, the researchers added.

"The tools are stored on compromised machines under false names masquerading as legitimate binaries," Sygnia said it in its report on Luna Moth. "These tools, in addition to the RATs, provide the threat actors with the means to conduct basic reconnaissance activities, access additional available assets, and exfiltrate data from compromised networks."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

'Luna Moth' Group Ransoms Data Without the Ransomware

In March, a North Korean APT siphoned blockchain gaming platform Axie Infinity of $540M.

In March, a North Korean APT siphoned blockchain gaming platform Axie Infinity of $540M.

Axie Infinity, a popular destination for 3 million traders of in-game collectible non-fungible tokens, reportedly lost $540M in cryptocurrency in a recruiting-themed spear phishing attack. The perpetrators of the crime are believed to be an advanced persistent threat group with ties to North Korean.

The report comes from the publication The Block, which said on March 23rd hackers took control of private keys tied to four validator nodes. Those nodes, according to the report, belong to the Ronin Network – which Axie runs on. The second node belongs to the Axie DAO – a decentralized organization that supports the game’s ecosystem.

A private key, similar to a password, is a secret number that is used in blockchain cryptography. Validator nodes are computers that, together, maintain a blockchain network by, among other things, validating and processing transactions.

Ronin is supported by nine validators so, by controlling five, the attacker possessed majority control over the network. Axie and Ronin are developed by Sky Mavis.

“Axie systems relied on a relatively small number of validators,” Ryan Spanier, vice president of Innovation at Kudelski Security, explained to Threatpost via email. “This is not a typical practice for public chains, although we do see this in permissioned chains similar to Axie,” he said.

The problem wasn’t just that there were too few validators, but that those validators were all concentrated in one place. “The validators were not well distributed between independent organizations,” Spanier continued, “which means the attacker only truly had to compromise one organization. Essentially, they had a decentralized blockchain model but were vulnerable to a centralized threat vector.”

With majority control, the attackers were able to effectively write checks to themselves, Spanier said. They stole 173,600 Ethereum (ETH) and 25.5 million USD Coin (USDC) in all. At the time, that added up to approximately $540 million  in value.

The following month, the U.S. Treasury Department tied the Ethereum wallet address behind the attack to North Korea’s Lazarus Group. What wasn’t clear until this week is how did the attackers gain control over those validators?

**A Malicious Job Offer**

On March 30, the Ronin Network newsletter stated that “all evidence points to this attack being socially engineered, rather than a technical flaw.” The disclosure did not elaborate further. Now two anonymous sources have come forward who claim “direct knowledge of the matter” are share with reporters at The Block the unconfirmed inside story about what happened.

Sources told The Block earlier in the year some Sky Mavis staff were approached with job opportunities by recruiters on LinkedIn. One engineer, following “multiple rounds of interviews,” was offered a job “with an extremely generous compensation package.” The offer came in the form of a PDF which, once the engineer clicked to open, downloaded spyware to his computer. From there, the attackers moved laterally into Ronin’s IT systems, allowing them to steal those coveted validator private keys, according to The Block.

Mollie MacDougall, director of threat intelligence at Cofense, put it bluntly in an email to Threatpost. “Blockchain platforms should do what every other organization should do: implement an effective phishing defense program that combines technology with the human layer of security.”

“Imagine only one of those employees had reported that email to Axie’s security team. Then imagine that the team could have identified, removed, and notified any other recipients of that email. It could have stopped the attack early in its tracks.”

Popular NFT Marketplace Phished for $540M

The WooCommerce PDF Invoices & Packing Slips WordPress plugin before 2.16.0 doesn't escape a parameter on its setting page, making it possible for attackers to conduct reflected cross-site scripting attacks.

CVE-2022-2092

In CmpChannelServer of CODESYS V3 in multiple versions an uncontrolled ressource consumption allows an unauthorized attacker to block new communication channel connections. Existing connections are not affected.

%PDF-1.7 %���� 1 0 obj <>/Metadata 381 0 R/ViewerPreferences 382 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/Font<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/MediaBox\[ 0 0 595.32 841.92\] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x��Wmo�6�n������N�$v��X��2A���z�-ϑ��'�\_�v�4����3�)��=����s�('7ٰ$GG��̆\_��������~�w>f��,+'Ŭ�.?���s���E�KN�=�9O-ߵ\[�\[�q�x����"!&1L�\`ސE�n����\[�~��3��í'�i��y;�ƹ!�����zXW�07���=��3A�X2�i�D�!���k�Ϥ&0�����I���y�uEI�޵\[���K��Xr��Q�Г�,�i�Oϊ��������-d�aN��2�=�\]5�\*���6��W���\] @��֯h/��C?r�4�5M#����bC��4\]�5������� ��U�cI-��r� ��� A� 0Q:�a�LW��<�߶\[�#�t��P\`�{o��w~�fcB�Y�\[����~����,U1<�\\j�5�Y���-\\.W�kaW� ��ˣu�t� �Za

CVE-2022-30792

The CODESYS OPC DA Server prior V3.5.18.20 stores PLC passwords as plain text in its configuration file so that it is visible to all authorized Microsoft Windows users of the system.

%PDF-1.7 %���� 1 0 obj <>/Metadata 374 0 R/ViewerPreferences 375 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/Font<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/MediaBox\[ 0 0 595.32 841.92\] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x��W�n�6�o�����Q�\_��@b'Y�� /C�j+��X��\[io�C9���2�Z�Цh��;�|�䰪gW٤F�a\]g�/�\]$�r�)�-��,��Y=+�$\]~����y6ͫ���(9M5�������(���Z�� e)�W�JF�BU����\*���u ������-������<������ۛ{o�:��ޣ1=a������c���&V"�,��AEװ�4u |�N����Oh���;�k^"����\`���u\]��mzR��7��XYK�ܠ,S��DX��\]M@U��O.�??�v+��J���H�����(�8����P+|Z��e$��bG�kt\`���l���5����ne�/�1��C 8� �4�U|���~/��c(IY� �~�v�h�KV\\#��oi�cC� R���|x@)��J�Y��{���\`�P��G&1?����.�\\C˔%.��ю�j� 3������ɥ���5�І|��������9i)i�s���|�/�Ydq ��.��O/S�<��?�\[�^���B����\`}�'��Ǉ\\�g�<�����q\]=n����~@�ڨP=�p.:G#%҄�<� b�l�j\[ϖ�of��\_�ço���{�QM8ߎ� t�}o�v�0�1!{�Aw�uH�&� pA�=�|�}uŕ#6���N�{F�>�^���rmj�볜@�V\\.^�A��p�+G4��Uf��\`=�H�)\[r�s�j�a�p�4�BT�\*q�-� eZ<�dYF��śu����r!(�9rG�����Й3�㣕�G�n��"��3 ��#9�����ƾ���H������y�=C,.��˶x�@7Q��%,H<�o�S����s� ,.�s?�Z�ICw7-�ݭ�i\_�+�w�=�����N��}��Α�uѱ��� �#�����i�)�&$�82mZno�\[ϖ���怒���n7�@+�TUܵPIT�̻��P�\[8���0���V$Ha@i���j��C1C$az �����W$.��Q:Eʷ��-τoj/K���/T�\_�rq+ endstream endobj 5 0 obj <> stream ����JFIF\`\`��JExifMM\*2:(\`\`��XICC\_PROFILEHLinomntrRGB XYZ � 1acspMSFTIEC sRGB���-HP cprtP3desc�lwtpt�bkptrXYZgXYZ,bXYZ@dmndTpdmdd��vuedL�view�$lumi�meas$tech0rTRC<gTRC<bTRC<textCopyright (c) 1998 Hewlett-Packard CompanydescsRGB IEC61966-2.1sRGB IEC61966-2.1XYZ �Q�XYZ XYZ o�8��XYZ b����XYZ $����descIEC http://www.iec.chIEC http://www.iec.chdesc.IEC 61966-2.1 Default RGB colour space - sRGB.IEC 61966-2.1 Default RGB colour space - sRGBdesc,Reference Viewing Condition in IEC61966-2.1,Reference Viewing Condition in IEC61966-2.1view��\_.���\\�XYZ L VPW�meas�sig CRT curv #(-27;@EJOTY^chmrw|������������������������� %+28>ELRY\`gnu|����������������&/8AKT\]gqz������������!-8COZfr~���������� -;HUcq~��������� +:IXgw��������'7HYj{�������+=Oat�������2FZn�������  % : O d y � � � � � �  ' = T j � � � � � �"9Qi������\*C\\u����� & @ Z t � � � � �.Id���� %A^z���� &Ca~����1Om����&Ed����#Cc����'Ij����4Vx���&Il����Ae����@e���� Ek���\*Qw���;c���\*R{���Gp���@j���>i���  A l � � �!!H!u!�!�!�"'"U"�"�"�# #8#f#�#�#�$$M$|$�$�% %8%h%�%�%�&'&W&�&�&�''I'z'�'�( (?(q(�(�))8)k)�)�\*\*5\*h\*�\*�++6+i+�+�,,9,n,�,�--A-v-�-�..L.�.�.�/$/Z/�/�/�050l0�0�11J1�1�1�2\*2c2�2�3 3F33�3�4+4e4�4�55M5�5�5�676r6�6�7$7\`7�7�88P8�8�99B99�9�:6:t:�:�;-;k;�;�<'

CVE-2022-1794

The $540 million hack of Axie Infinity's Ronin Bridge in late March 2022 was the consequence of one of its former employees getting tricked by a fraudulent job offer on LinkedIn, it has emerged. 
According to a report from The Block published last week citing two people familiar with the matter, a senior engineer at the company was duped into applying for a job at a non-existent company, causing

The $540 million hack of Axie Infinity's Ronin Bridge in late March 2022 was the consequence of one of its former employees getting tricked by a fraudulent job offer on LinkedIn, it has emerged.

According to a report from The Block published last week citing two people familiar with the matter, a senior engineer at the company was duped into applying for a job at a non-existent company, causing the individual to download a fake offer document disguised as a PDF.

"After what one source described as multiple rounds of interviews, a Sky Mavis engineer was offered a job with an extremely generous compensation package," the Block reported.

The offer document subsequently acted as a conduit to deploy malware designed to breach Ronin's network, ultimately facilitating one of the crypto sector's biggest hacks to date.

"Sky Mavis employees are under constant advanced spear-phishing attacks on various social channels and one employee was compromised," the company said in a post-mortem analysis in April.

"This employee no longer works at Sky Mavis. The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes."

In April 2022, the U.S. Treasury Department implicated the North Korea-backed Lazarus Group in the incident, calling out the adversarial collective's history of attacks targeting the cryptocurrency sector to gather funds for the hermit kingdom.

Bogus job offers have been long employed by the advanced persistent threat as a social engineering lure, dating back as early as August 2020 to a campaign dubbed by Israeli cybersecurity firm ClearSky as "Operation Dream Job."

In its T1 Threat Report for 2022, ESET noted how actors operating under the Lazarus umbrella have employed fake job offers through social media like LinkedIn as its strategy for striking defense contractors and aerospace companies.

While Ronin's Ethereum bridge was relaunched in June, three months after the hack, the Lazarus Group is also suspected to be behind the recent $100 million altcoin theft from Harmony Horizon Bridge.

The findings also come as blockchain projects centered around Web 3.0 have lost more than $2 billion to hacks and exploits in the first six months this year, blockchain auditing and security company CertiK disclosed in a report last week.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Used Fake Job Offer to Hack and Steal $540 Million from Axie Infinity

By Deeba Ahmed
Earlier in March this year, Ronin Network (RON), a blockchain network underpinning the famous crypto game Axie Infinity…
This is a post from HackRead.com Read the original post: Hackers Used Fake LinkedIn Job Offer to Hack Off $625M from Axie Infinity

****Earlier in March this year, Ronin Network (RON), a blockchain network underpinning the famous crypto game Axie Infinity and Axie DAO suffered the largest crypto hack against a decentralized finance network reported to date.****

In May 2022, the United States issued an advisory according to which highly skilled hackers from North Korea were trying to get employed by posing as IT freelancers. Now, it has been revealed that Axie Infinity hacking was socially engineered in which North Korean government-backed hacker group Lazarus used a fake job offer to infiltrate Sky Mavis’ network by sending one of the company’s employees a PDF file containing spyware.

Lazarus’ involvement in such a high-profile hack should not come as a surprise. In January 2022, researchers from different crypto security firms concluded that North Korean hackers have so far stolen $1.3 billion from cryptocurrency exchanges across the globe, while their prime suspect in these hacks was the infamous Lazarus gang.

**Axie Infinity Hack**

The employee, an ex-senior engineer at the company, took the bait and thought that it was a high-paying job offer from another company and opened the PDF. However, in reality, this company didn’t exist. During the recruiting process, the ex-employee gave away critical personal information, which attackers used to steal from the company.

Sky Mavis explained that its employees are constantly threatened by “advanced spear-phishing attacks on various social channels.” In this instance, one employee was fooled, who doesn’t even work at Sky Mavis anymore.

It is worth noting that the play-to-earn game Axie Infinity is a Pokemon-inspired game developed by Sky Mavis and rakes in approximately $15 million in revenue daily.

**How was Ronin Hacked?**

According to The Block, when the hacking took place, Axie Infinity had nine validators from its proof-of-authority, an Ethereum-based sidechain Ronin.

“The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes,” Sky Mavis stated.

The attacker had to capture five out of nine validators to infiltrate the company’s networks. The spyware-laced PDF helped the attacker control 4 validators and access the community-run Axie DAO (Decentralized Autonomous Organization), from where they got control of the 5th validator.

After compromising the network, the attackers stole $25 million worth of USDC stablecoin and 173,600 ether (roughly $597 million) from Axie Infinity’s treasury, collectively stealing crypto worth around $625 million.

Nevertheless, Ronin sidechain increased the number of validators to 11 to enhance security, whereas Sky Mavis is reimbursing Axie Players who lost crypto due to the attack. The company underwent a $150 million funding round back in April 2022.

**Lazarus Hackers**

The US government claims that the notorious North Korean hacker group Lazarus is responsible for the attack. This group specializes in such attacks.

This isn’t the first time that Lazarus has targeted the blockchain industry. However, this is uncommon for Lazarus to use social engineering to invade a company’s networks. In fact, in June 2020, Slovak internet security company ESET warned LinkedIn users of Lazarus’ involvement in a sophisticated LinkedIn recruiter scam targeting military and aerospace firms.

**More Lazarus Gang Hacks**

1.  US-Cert warns of North Korean BLINDINGCAN malware
2.  Lazarus Group’s AppleJeus MacOS malware targeting crypto exchanges
3.  NK Hackers infect authentic 2FA apps to infect Mac devices with malware
4.  LAZARUS APT Using TraderTraitor Malware to Target Blockchain Orgs, Users
5.  Lazarus hackers use Magecart attack to steal card data from EU, and US sites

Hackers Used Fake LinkedIn Job Offer to Hack Off $625M from Axie Infinity

Bogus job offers and unrevoked permissions are to blame for a massive crypto-heist which took place earlier this year.
The post Fake job offer leads to $600 million theft appeared first on Malwarebytes Labs.

Back in March, popular NFT battler Axie Infinity lay at the heart of a huge cryptocurrency theft inflicted on the Ronin network. From the Ronin newsletter:

> There has been a security breach on the Ronin Network. Earlier today, we discovered that on March 23rd, Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised resulting in 173,600 Ethereum and 25.5M USDC drained from the Ronin bridge in two transactions. The attacker used hacked private keys in order to forge fake withdrawals. We discovered the attack this morning after a report from a user being unable to withdraw 5k ETH from the bridge.

These validator nodes act as a means to prevent criminals making off with lots of money. In order to put together a bogus transaction, they’d need to gain access to 5 out of 9 validator nodes. The successful attack happened over 2 stages.

An unwary employee provided one foot in the door. An unrevoked permission elsewhere kicked it wide open.

**The trap is set**

According to The Block, everything fell into place thanks to a senior engineer at the game developer. Two inside sources claim the engineer was fooled by a fake job offer. In fact, it seems multiple employees were approached and encouraged to put in applications. Scams originating from LinkedIn accounts are popular at the moment. As it happens, this is where scammers tried to persuade various people on the development team.

One individual is all it took to empty out a big slice of cryptocurrency funds. A job offer made after several interviews was enough to convince the victim to get on board. Perhaps the “extremely generous” compensation package offered should have set off some alarm bells. Having said that, anything digital finance related likely has huge amounts of cash available.

**We rate this job offer a 4 out of 5**

Unbeknownst to the engineer, everything came crashing down once they received the job offer. A booby-trapped PDF granted the attackers access to Ronin systems, and they were able to compromise 4 out of the required 5 nodes.

Just one node remained to be compromised. How did they do it?

Step up to the plate, non-revoked access. When employees leave an organisation, it’s a good idea to remove access to networks and devices. Unknown entities will happily make use of unattended credentials or permissions. Sure enough, that’s what happened here.

**Nudging a node**

A Decentralised Autonomous Organization (DAO) is a way for people in a community to make decisions on a project. The developers approached an Axie DAO for assistance with transactions in November 2021. Ultimately, this is where the fifth node compromise starts to take shape. The issue isn’t that the DAO exists. The issue is the permissions granted to the DAO.

From the Substack post detailing the attack:

> At the time, Sky Mavis controlled 4/9 validators, which would not be enough to forge withdrawals. The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.  
> 
> This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked.

**Who takes the blame?**

In April, the US Department of Treasury pinned this one on North Korean hacking group Lazarus. Research elsewhere details Lazarus attacks on both the aerospace and defence sector involving bogus job posts. There’s no mention of those attacks having any connection to what happened above. However, the research does highlight further recruitment scams using LinkedIn as the starting point.

Whether you’re operating in a cryptocurrency / web3 realm or not, forgotten permissions could cost you dearly. There’s also the fake job offer approach to consider, too. In recent months we’ve seen other game developers targeted. Deepfakes are now worming their way into the bogus job scene. Malware is rife in this sort of operation, so please be cautious around any promising new offer.

Fake job offer leads to $600 million theft

CHICAGO, July 8, 2022 /PRNewswire/ -- According to a research report "Security Orchestration, Automation and Response (SOAR) Market **by Offering (Platform & Solutions, Services), Application (Threat Intelligence, Network Forensics, Compliance), Deployment Mode, Organization Size, Vertical and Region - Global Forecast to 2027**," published by MarketsandMarkets™, the global SOAR Market size is expected to grow from an estimated value of USD 1.1 billion in 2022 to USD 2.3 billion by 2027, at a Compound Annual Growth Rate (CAGR) of 15.8% from 2022 to 2027. As SOAR helps security team to fight against alert fatigue, growing incidents of phishing emails and ransomware is driving the market growth.

_Browse in-depth TOC on_ **"Security Orchestration, Automation and Response Market"****398 – Tables  
39 – Figures  
282 – Pages**

**Download PDF Brochure:** https://www.marketsandmarkets.com/pdfdownloadNew.asp?id=176584778

**By offerings, services segment to grow at higher CAGR during forecast period**

Services involve support offered by security vendors to assist their customers to use and maintain security products efficiently. With the increasing sophistication in cyberattacks, organizations are adopting security services to address risks related to cyber threats as well as prevent them. The security services market is segmented across two major types: professional services and managed services. These services enhance the security portfolio of enterprises and safeguard their systems from unauthorized access, exploitation, and data loss. With the increasing digitalization and changing regulatory norms, customers need continuous guidance from SOAR implementation experts. This expertise gathered from managed services helps consumers design customized solutions for their business processes. MSPs also ensure customers are aware of the Return on Investment (RoI) on their security platform.

**By deployment mode, cloud segment to grow at higher CAGR during forecast period**

With the rapid digital transformation, organizations are changing their operating models and embracing cloud-based solutions. Cloud-based deployment offers several benefits to organizations, such as scalability and agility, reduce physical infrastructure, less maintenance cost, and 24/7 data accessibility from anytime, anywhere. Thus, organizations are adopting cost-effective SOAR solutions to prevent and protect volumes of data from cyberattacks. Cloud platforms automate all the process in an organization that falls short of staff to monitor security operations. These platforms also offer additional support and consulting services.

**Speak to Analyst:** https://www.marketsandmarkets.com/speaktoanalystNew.asp?id=176584778

**By Region, Asia Pacific to grow at a higher CAGR during the forecast period.**

Asia Pacific comprises some of the world's largest economies, such as China, India, Japan, and Australia. The cyber threat landscape in these countries is changing every day, with threats experienced by organizations increasing at an alarming rate. In 2021, the most targeted region for cyberattacks was Asia Pacific, it accounted for one in four cybersecurity attacks launched worldwide. The most incidents in the region were experienced by Japan, Australia, and India, where server access and ransomware were amongst the most popular forms of attacks. The type of threats faced by Asia Pacific countries is also changing and growing more complex each day. Asia Pacific is also proactively leading the charge in the development and adoption of many new technologies, including smart cities. As more and more technologies or complex projects are being taken up, the region also becomes increasingly vulnerable to more sophisticated threats. To address these increasing vulnerabilities, many companies are expanding into Asia Pacific. For example, Swimlane, a major vendor of SOAR has extended its cloud-based security automation into Asia Pacific Japan (APJ) amid momentous growth in region.

**Key Players**

Major vendors in the global **Security Orchestration, Automation and Response (SOAR) Market** include IBM (US), Cisco (US), Rapid7 (US), Palo Alto Networks (US), Splunk (US), Swimlane (US), Tufin (US), Fortinet (US), ThreatConnect (US), Trellix (US), Sumo Logic (US), Siemplify (US), LogRhythm (US), Resolve (US), Exabeam (US), manageEngine (US), KnowBe4 (US), D3 Security (Canada), Qvine (US), Cyware (US), LogicHub (US), Cyberbit (US), Logsign (Netherland), SIRP (UK), Tines (Ireland).

**Browse Adjacent Markets:** Information Security Market Research Reports & Consulting

**Related Reports**

Cybersecurity Market by Component (Software, Hardware, and Services), Software (IAM, Encryption, APT, Firewall), Security Type, Deployment Mode, Organization Size, Vertical, and Region (2022 - 2026)

Security Information and Event Management Market by Component, Application, Deployment Mode, Organization Size, Vertical (Information, Finance and Insurance, Healthcare and Social Assistance, Utilities), and Region - Global Forecast to 2025

**About MarketsandMarkets™**

MarketsandMarkets™ provides quantified B2B research on 30,000 high growth niche opportunities/threats which will impact 70% to 80% of worldwide companies' revenues. Currently servicing 7500 customers worldwide including 80% of global Fortune 1000 companies as clients. Almost 75,000 top officers across eight industries worldwide approach MarketsandMarkets™ for their painpoints around revenues decisions.

Our 850 fulltime analyst and SMEs at MarketsandMarkets™ are tracking global high growth markets following the "Growth Engagement Model – GEM". The GEM aims at proactive collaboration with the clients to identify new opportunities, identify most important customers, write "Attack, avoid and defend" strategies, identify sources of incremental revenues for both the company and its competitors. MarketsandMarkets™ now coming up with 1,500 MicroQuadrants (Positioning top players across leaders, emerging companies, innovators, strategic players) annually in high growth emerging segments. MarketsandMarkets™ is determined to benefit more than 10,000 companies this year for their revenue planning and help them take their innovations/disruptions early to the market by providing them research ahead of the curve.

MarketsandMarkets's flagship competitive intelligence and market research platform, "Knowledge Store" connects over 200,000 markets and entire value chains for deeper understanding of the unmet insights along with market sizing and forecasts of niche markets.

SOAR Market Worth $2.3 Billion by 2027, According to Exclusive Report by MarketsandMarkets

Threat actor released decryption keys after abandoning malware to focus on cryptojacking

Adam Bannister 08 July 2022 at 15:40 UTC

Threat actor released decryption keys after abandoning malware to focus on cryptojacking

Malware protection specialist Emsisoft has released free decryption tools for the AstraLocker and Yashma ransomware variants.

The decryptors were recently uploaded to the VirusTotal malware analysis platform by the ransomware’s developer after they reportedly shut down their operation in order to pivot to cryptojacking.

The AstraLocker decryptor and Yashma decryptor join a host of other decryptors made available for free by Emsisoft, a New Zealand-based outfit.

**Using the decryptor**

“Be sure to quarantine the malware from your system first, or it may repeatedly lock

your system or encrypt files,” reads a guide (PDF) on how to use the AstraLocker tool.

For systems compromised via Windows Remote Desktop, users are advised to change passwords for all users permitted to login remotely and check local user accounts for additional accounts the attacker might have added.

Catch up with the latest ransomware news and attacks

By default, the AstraLocker decryptor pre-populates locations selected for decryption from network and connected drives, but users can add other locations before initiating the decryption process.

The decryptor also defaults to leaving encrypted files in place, although users can enable automatic deletion if disk space is an issue.

“Since the ransomware does not save any information about the unencrypted files, the decryptor can’t guarantee that the decrypted data is identical to the one that was previously encrypted,” the guide warns.

**BabyK offspring**

AstraLocker, which emerged in 2021, is seemingly built on Babuk (or BabyK), a variant deployed via a ransomware-as-a-service (RaaS) model, according to a ReversingLabs analysis of the latter’s leaked source code.

Files are encrypted using a modified HC-128 encryption algorithm and Curve25519 cryptographic function, and or extensions are appended to encrypted files.

Yashma – or ‘AstraLocker 2.0’ – harnesses AES-128 and RSA-2048 to encrypt files and appends encrypted files with the extension or a random four-character alphanumeric combination.

According to ReversingLabs, AstraLocker 2.0 is smuggled into networks via malicious Microsoft Office files.

This ‘smash and grab’ attack methodology is suggestive of a low-skill threat actor, argued Joseph Edwards, senior malware researcher at ReversingLabs.

“This underscores the risk posed to organizations following code leaks like that affecting Babuk, as a large population of low-skill, high-motivation actors leverage the leaked code for use in their own attacks.”

RELATED Ransomware market evolution results in fewer variants, but rise in off-the-shelf cybercrime kits continues

Tag

#pdf