Threat Actor Groups Using Leaked Ransomware Variants To Launch Attacks

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing

Ransomware operators often acquire malware through purchases on the dark web, group affiliations, and leaked source codes rather than developing themselves.

They target victims by using common tools and modified samples to propagate attacks.

Recent reports by the security analysts at Kaspersky Lab suggest that new emerging groups like SEXi utilize different leaked ransomware variants, for example, those specifically designed for Windows (Lockbit-based) and Linux (Babuk-based) operating systems.

Leaked Ransomware Variants

SEXi mainly focuses on unsupported ESXi systems by exploiting security flaws in outdated software.

This group notably differs from other ransom-communication methods since it uses a session messaging app instead of traditional emails or leak sites despite its multi-platform approach, which could indicate a possibly unsophisticated operation.

How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide

Key Group (aka keygroup777) and Mallox ransomware groups represent the developing cybercrime area. Key Group has been active since April 2022, using eight kinds of ransomware and constantly changing their TTPs.

Use of leaked ransomware builders by Key Group (Source – Securelist)

What differs from them are the mechanisms supporting them, from altering registry files to exploiting start-up folders.

Notably, the Key Group operates within Russia contrary to the rest of the Russian-speaking threat actors who use more secure platforms such as GitHub repositories and Telegram.

Mallox, which began in 2021, approaches it differently. In 2022, they launched an affiliate program tailored specifically for Russian-speaking partners who target organizations with at least $10 million annual turnover, excluding hospitals and educational institutions.

Mallox affiliates reached a peak of 16 in the spring and autumn of 2023 before declining to eight in 2024.

Though not renowned, Mallox does have some “Big Game Hunting” characteristics, like a leak site and a TOR-hosted server.

Based on its affiliates’ identification numbers, the group can observe partners’ behavior, which helps analyze the dynamics behind ransomware attacks and ever-changing connections between threat actors.

The report reads that the ransomware landscape has evolved from unprofessional tools targeting consumers to sophisticated “Big Game Hunting” operations affecting entire organizations.

While it is easy to get professional ransomware, it is hard for amateurs to make successful attacks on large targets.

In contrast, they often come off as unprofessional but are effective due to affiliate schemes or when they narrow their focus.

These developments reveal a growing threat posed by leaked or published ransomware versions for the corporate environment and individual users, even though performing massive strikes is complex.

IoCs

SEXi:-

4e39dcfb9913e475f04927e71f38733a

0a16620d09470573eeca244aa852bf70

Key Group:-

bc9b44d8e5eb1543a26c16c2d45f8ab7

acea7e35f8878aea046a7eb35d0b8330

Mallox:-

00dbdf13a6aa5b018c565f4d9dec3108

01d8365e026ac0c2b3b64be8da5798f2

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access