Successor ransomware used in Colonial Pipeline cyberattack evolves

Symantec has detailed new tactics, techniques and procedures (TTPs) recently deployed by attackers using the Noberus ransomware.

Noberus (also tracked as BlackCat/ALPHV) is considered to be the successor to the Darkside and BlackMatter ransomware families. Darkside is the malware used in the May 2021 ransomware cyberattack on Colonial Pipeline.

Coreid (aka Fin7, Carbon Spider), the notorious ransomware-as-a-service group responsible for the malware used in the Colonial Pipeline attack, retired Darkside and BlackMatter after extensive attention from federal agents and law enforcement. The FBI estimates that Noberus compromised at least 60 organizations worldwide between November 2021 and March 2022.

Coreid still maintains a ransomware-as-a-service operation today and remains active. Cybercriminals can use Coreid-developed malware as an “affiliate”, and Coreid takes a cut of the profits gained in subsequent ransomware attacks on targets.

Noberus is capable of encrypting files on “Windows, ESXi, Debian, ReadyNAS, and Synology operating systems,” according to Symantec researchers.

Interestingly, Coreid also gives affiliates a list of targets that must not be attacked with Noberus:

  • The Commonwealth of Independent States or neighboring countries
  • Organizations in or related to the healthcare sector
  • Charitable or non-profit organizations
  • Affiliates are also advised to avoid the education and government sectors

Coreid continues to make improvements and adjustments to the Noberus ransomware code, most recently in July 2022. The updated code “improves Linux encryption process, and added indexing of stolen data…data leaks can be searched by keyword, file type, and more,” according to Symantec.

This is a difficult scenario for any defending organization: detections keyed to a specific build of the malware (file hashes, strings, behavioral signatures) have to be revised each time the code changes. The updates also make the ransomware more effective at both encryption and extortion, since a searchable index of stolen data raises the pressure on a victim to pay.

Symantec has published the indicators of compromise (IoC) file hashes (SHA256) for Noberus ransomware on its website.
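A SHA256 IoC list is only useful if it is actually swept across endpoints and file shares. The following Python scanner is an added example written for this article, not code from Symantec or from the Noberus report: it parses a hash list in the one-hash-per-line form such feeds usually take, hashes every regular file under a directory in streamed chunks, and reports matches. The IoC feed and the files in `demo()` are constructed placeholders derived from dummy content so the example runs offline; they are not the real Noberus indicators, which should be taken from Symantec's published list.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so large files are not loaded into memory


def sha256_file(path):
    """Return the lowercase hex SHA-256 digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def load_iocs(text):
    """Parse an IoC list: one SHA-256 per line; '#' comments and blank lines are ignored.

    Hashes are normalised to lowercase so a feed that publishes uppercase digests
    still matches hashlib's lowercase output. Malformed lines raise rather than
    being silently dropped, so a corrupted feed does not turn into a no-op sweep.
    """
    iocs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if len(line) != 64 or any(c not in "0123456789abcdef" for c in line):
            raise ValueError(f"not a SHA-256 hex digest: {line!r}")
        iocs.add(line)
    return iocs


def scan(root, iocs):
    """Walk `root` and return [(path, digest)] for every file whose SHA-256 is in `iocs`.

    Symlinks are skipped so a planted link cannot pull the scan outside `root`,
    and unreadable files are skipped instead of aborting the whole sweep.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = sha256_file(p)
            except OSError:
                continue
            if digest in iocs:
                hits.append((str(p), digest))
    return hits


def demo():
    """Constructed demonstration (assumption: placeholder files and hashes, not real IoCs).

    Builds a throwaway directory with one 'malicious' payload stored under two
    names plus one benign file, and a feed that lists the payload's hash in
    uppercase to exercise the normalisation. Returns the matched paths relative
    to the scanned root, with '/' separators.
    """
    bad_bytes = b"constructed sample: stands in for a ransomware binary\n"
    good_bytes = b"constructed sample: an ordinary document\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "dropper.exe").write_bytes(bad_bytes)
        (root / "notes.txt").write_bytes(good_bytes)
        (root / "sub").mkdir()
        (root / "sub" / "copy.bin").write_bytes(bad_bytes)  # same payload, renamed
        ioc_text = (
            "# constructed IoC feed: placeholder hash, not a real indicator\n"
            + hashlib.sha256(bad_bytes).hexdigest().upper() + "\n"
        )
        hits = scan(root, load_iocs(ioc_text))
        return sorted(Path(p).relative_to(root).as_posix() for p, _ in hits)


if __name__ == "__main__":
    print(demo())
```

Hash-based matching catches only the exact builds in the feed; as the article notes, a code update changes every hash, so this kind of sweep has to be re-run whenever the IoC list is refreshed and should be paired with behavioral detections that survive a rebuild.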
