Rebranded Knight Ransomware Targeting Healthcare and Businesses Worldwide

admin, 2024-06-06 23:31:40

An analysis of a nascent ransomware strain called RansomHub has revealed it to be an updated and rebranded version of Knight ransomware, itself an evolution of another ransomware known as Cyclops.

Knight (aka Cyclops 2.0) ransomware first arrived in May 2023, employing double extortion tactics to steal and encrypt victims' data for financial gain. It's operational across multiple platforms, including Windows, Linux, macOS, ESXi, and Android.

Advertised and sold on the RAMP cybercrime forum, attacks involving the ransomware have been found to leverage phishing and spear-phishing campaigns as a distribution vector in the form of malicious attachments.

The ransomware-as-a-service (RaaS) operation has since shut down as of late February 2024, when its source code was put up for sale, raising the possibility that it may have changed hands to a different actor, who subsequently decided to update and relaunch it under the RansomHub brand.

RansomHub, which posted its first victim that same month, has been linked to a series of ransomware attacks in recent weeks, counting that of Change Healthcare, Christie's, and Frontier Communications. It has also vowed to refrain from targeting entities in the Commonwealth of Independent States (CIS) countries, Cuba and North Korea.

"Both payloads are written in Go and most variants of each family are obfuscated with Gobfuscate," Symantec, part of Broadcom, said in a report shared with The Hacker News. "The degree of code overlap between the two families is significant, making it very difficult to differentiate between them."

The two ransomware families share identical help menus on the command-line, with RansomHub adding a new "sleep" option that makes it dormant for a specified time period (in minutes) before execution. Similar sleep commands have also been observed in Chaos/Yashma and Trigona ransomware families.

The overlaps between Knight and RansomHub also extend to the obfuscation technique used to encode strings, the ransom notes dropped after encrypting files, and their ability to restart a host in safe mode before starting encryption.

The only main difference is the set of commands executed via cmd.exe, although the "way and order in which they are called relative to other operations is the same," Symantec said.

RansomHub attacks have been observed leveraging known security flaws (e.g., ZeroLogon) to obtain initial access and drop remote desktop software such as Atera and Splashtop prior to ransomware deployment.

According to statistics shared by Malwarebytes, the ransomware family has been linked to 26 confirmed attacks in the month of April 2024 alone, putting it behind Play, Hunters International, Black Basta, and LockBit.

Google-owned Mandiant, in a report published this week, revealed that RansomHub is attempting to recruit affiliates that have been impacted by recent shutdowns or exit scams such as that of LockBit and BlackCat.

"One former Noberus affiliate known as Notchy is now reportedly working with RansomHub," Symantec said. "In addition to this, tools previously associated with another Noberus affiliate known as Scattered Spider, were used in a recent RansomHub attack."

"The speed at which RansomHub has established its business suggests that the group may consist of veteran operators with experience and contacts in the cyber underground."

The development comes amid an increase in ransomware activity in 2023 compared to a "slight dip" in 2022, even as approximately one-third of 50 new families observed in the year have been found to be variants of previously identified ransomware families, indicating the increasing prevalence of code reuse, actor overlaps, and rebrands.

"In almost one third of incidents, ransomware was deployed within 48 hours of initial attacker access," Mandiant researchers said. "Seventy-six percent (76%) of ransomware deployments took place outside of work hours, with the majority occurring in the early morning."

These attacks are also characterized by the use of commercially available and legitimate remote desktop tools to facilitate the intrusion operations as opposed to relying on Cobalt Strike.

"The observed increasing reliance on legitimate tools likely reflects efforts by attackers to conceal their operations from detection mechanisms and reduce the time and resources required to develop and maintain custom tools," Mandiant said.

The rebound in ransomware attacks follows the emergence of new ransomware variants like BlackSuit, Fog, and ShrinkLocker, the latter of which has been observed deploying a Visual Basic Script (VBScript) that takes advantage of Microsoft's native BitLocker utility for unauthorized file encryption in extortion attacks targeting Mexico, Indonesia, and Jordan.

ShrinkLocker is so named for its ability to create a new boot partition by shrinking the size of each available non-boot partition by 100 MB, turning the unallocated space into a new primary partition, and using it to reinstall the boot files in order to enable recovery.

"This threat actor has an extensive understanding of the VBScript language, and Windows internals and utilities, such as WMI, diskpart, and bcdboot," Kaspersky said in its analysis of ShrinkLocker, noting that they likely "already had full control of the target system when the script was executed."
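
A defender-side correlation check for two precursor behaviours this article describes: the restart into safe mode before encryption that Knight and RansomHub share, and ShrinkLocker's use of diskpart and bcdboot to rebuild a boot partition ahead of BitLocker abuse. This is an added example, not code from the article or from Symantec, Mandiant or Kaspersky. The tab-separated process-creation log format, the sample events, the use of a `bcdedit ... safeboot` command line as the representative form of the safe-mode reconfiguration, the ten-minute correlation window and the severity scheme are all assumptions.

```python
"""Correlation check for two ransomware precursors described in the article.

Added example, not code from the article, Symantec, Mandiant or Kaspersky.
Assumptions: a simplified process-creation log format (constructed below),
`bcdedit ... safeboot` as the representative command for reconfiguring a host
to boot into safe mode, and a ten-minute correlation window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample events, tab-separated: time, host, parent process, command line.
SAMPLE_EVENTS = """\
2024-06-06T03:12:01Z\tSRV-FILE01\tcmd.exe\tbcdedit /set {default} safeboot network
2024-06-06T03:12:05Z\tSRV-FILE01\tcmd.exe\tshutdown /r /t 0
2024-06-06T03:40:10Z\tWS-042\texplorer.exe\tnotepad.exe C:\\Users\\alice\\notes.txt
2024-06-06T04:01:00Z\tSRV-DB02\twscript.exe\tdiskpart.exe /s C:\\Windows\\Temp\\shrink.txt
2024-06-06T04:01:30Z\tSRV-DB02\twscript.exe\tbcdboot.exe C:\\Windows /s F:
2024-06-06T09:15:00Z\tWS-017\tcmd.exe\tdiskpart.exe
"""

# Single-event patterns. Each alone is weak evidence (diskpart is routine
# admin tooling); the correlation below is what raises severity.
RULES = {
    "safeboot_config": re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I),
    "reboot": re.compile(r"\bshutdown(\.exe)?\b.*\s/r\b", re.I),
    "diskpart": re.compile(r"\bdiskpart(\.exe)?\b", re.I),
    "bcdboot": re.compile(r"\bbcdboot(\.exe)?\b", re.I),
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # ShrinkLocker is delivered as VBScript
WINDOW = timedelta(minutes=10)  # assumed correlation window


class Finding(NamedTuple):
    host: str
    name: str
    severity: str
    first_seen: datetime


def parse_events(text: str) -> list[dict]:
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, cmd = line.split("\t", 3)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "parent": parent.lower(),
            "cmd": cmd,
        })
    return events


def tag_event(ev: dict) -> set[str]:
    """Names of the single-event rules the command line matches."""
    return {name for name, rx in RULES.items() if rx.search(ev["cmd"])}


def correlate(events: list[dict]) -> list[Finding]:
    """Pair related events on the same host that fall inside WINDOW."""
    by_host: dict[str, list] = defaultdict(list)
    for ev in events:
        tags = tag_event(ev)
        if tags:
            by_host[ev["host"]].append((ev, tags))

    findings = []
    for host, tagged in by_host.items():
        tagged.sort(key=lambda t: t[0]["time"])
        for i, (ev, tags) in enumerate(tagged):
            later_tags = [t2 for e2, t2 in tagged[i + 1:]
                          if e2["time"] - ev["time"] <= WINDOW]
            # Knight/RansomHub: host reconfigured for safe mode, then restarted.
            if "safeboot_config" in tags:
                staged = any("reboot" in t2 for t2 in later_tags)
                findings.append(Finding(
                    host,
                    "safe_mode_reboot_staged" if staged else "safe_mode_boot_configured",
                    "high" if staged else "medium",
                    ev["time"],
                ))
            # ShrinkLocker: diskpart followed by bcdboot reinstalling boot files;
            # a scripting-host parent matches the VBScript delivery described.
            if "diskpart" in tags and any("bcdboot" in t2 for t2 in later_tags):
                findings.append(Finding(
                    host,
                    "boot_partition_rebuild",
                    "high" if ev["parent"] in SCRIPT_HOSTS else "medium",
                    ev["time"],
                ))
    return findings


if __name__ == "__main__":
    for f in correlate(parse_events(SAMPLE_EVENTS)):
        print(f"{f.first_seen:%Y-%m-%d %H:%M} {f.host:<11} {f.severity:<6} {f.name}")
```

On the constructed sample the lone diskpart invocation on WS-017 produces no finding, which is the intended behaviour: the value of the check is in the sequence (reconfigure then reboot, shrink then reinstall boot files), not in any single utility, since each of those utilities is legitimate on its own. In a real deployment the ten-minute window and the parent-process weighting are the knobs to tune against the environment's own admin activity.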

References

[1]https://thehackernews.com/2024/06/rebranded-knight-ransomware-targeting.html

Originally published on the WeChat public account 知机安全: Rebranded Knight Ransomware Targeting Healthcare and Businesses Worldwide

Reposted on CN-SEC: https://cn-sec.com/archives/2821926.html