Rorschach Ransomware: Advanced Evasion Strategies Threaten Businesses
A new, highly sophisticated ransomware strain called Rorschach has emerged, causing alarm among cybersecurity experts. Rorschach is unique in its high level of customization and unprecedented encryption speed. Similarities in the ransomware’s source code suggest connections to Babuk, LockBit 2.0, Yanluowang, and DarkSide ransomware strains.
Rorschach’s most notable feature is its use of DLL side-loading to deliver its payload, a technique rarely seen in ransomware attacks. The strain is also highly customizable and uses direct syscalls to manipulate files, bypassing security defenses. According to the available information, Rorschach targets small and medium-sized companies and industrial firms in Asia, Europe, and the Middle East.
Thriving Phishing Kit Market Discovered on Telegram Channels
Researchers have found that cybercriminals are using Telegram channels to sell phishing kits and facilitate phishing campaigns. Links to these channels have been distributed through YouTube, GitHub, and the phishing kits themselves.
Over the past six months, Kaspersky detected over 2.5 million malicious URLs generated using these phishing kits. Cybercriminals are using Telegram bots to automate the creation of phishing pages and collect user data. Scammers often share users’ personal data for free to attract new criminals, then sell paid kits for more advanced attacks.
Microsoft Fights Cobalt Strike Tool Misuse by Cybercriminals
Microsoft has partnered with Fortra and Health-ISAC to tackle the illegal use of the Cobalt Strike tool by cybercriminals distributing malware, including ransomware. Microsoft’s Digital Crimes Unit (DCU) has obtained a US court order to remove illegal copies of Cobalt Strike from circulation. While Cobalt Strike is a legitimate post-exploitation tool, illegal versions have been weaponized by threat actors. The DCU aims to disrupt the use of legacy Cobalt Strike copies and force cybercriminals to rethink their tactics.
International Operation Dismantles Genesis Market
A joint international law enforcement operation has dismantled the illegal online marketplace Genesis Market, which specialized in selling stolen credentials. The operation resulted in 119 arrests and 208 property searches in 13 countries. Since its inception in March 2018, Genesis Market had become a major hub for criminal activities, offering access to data stolen from over 1.5 million compromised computers worldwide. The takedown is expected to create a ripple effect throughout the underground economy as threat actors search for alternatives.
Taiwanese PC Company MSI Hit by Ransomware Attack
Taiwanese PC company Micro-Star International (MSI) has confirmed a cyber attack on its systems. Although details of the attack have not been disclosed, MSI has promptly initiated incident response and recovery measures and alerted law enforcement agencies. The affected systems have gradually resumed normal operations, with no significant financial impact. MSI urges users to download firmware/BIOS updates only from its official website. The ransomware attack may be linked to the Money Message ransomware gang, which employs double extortion techniques and uploads victims’ data to a leak site if ransoms are unpaid.