
Ransomware Trends: Medusa and Akira Rage; Tortilla Disrupted

Crypto-Malware Trackers Report a Surge in Known Ransomware Victims at End of 2023
Ransomware attackers are on a roll, but Tortilla hackers fell flat. (Image: Shutterstock)

Ransomware-wielding attackers show no signs of stopping, and experts report December 2023 was the second-worst month on record for known victims. Lately, Akira-wielding attackers have been hitting Finland hard, and Medusa has been behind a rising number of attacks.


Despite international efforts to combat ransomware, the known victim count has continued to rise, jumping from 220 in 2022 to 321 in 2023, according to security firm Emsisoft.

Law enforcement continues to pursue suspects who use ransomware. Last month, the FBI seized infrastructure used by the Conti spinoff group Alphv, aka BlackCat, which appears to have disrupted the group's operations.

Another disruption comes in the form of Dutch police reportedly arresting the leader of Tortilla, a ransomware group that used a variant based on leaked Babuk source code. The arrest has enabled security experts to update a free Babuk decryptor so that it also recovers files locked by Tortilla.

Even so, ransomware rages on. While December is typically a slow month for ransomware attacks, last month broke that trend: 70 new ransomware attack victims came to light, making it the second-worst month of the year after November, cybersecurity firm BlackFog reported. Caveats apply, in that not all ransomware groups run data leak sites, and those that do list only a subset of their nonpaying victims.

LockBit claimed the most victims last month, followed by Alphv/BlackCat and Medusa, BlackFog found.

Medusa Freezes Files

Attacks by Medusa have been on the rise, Palo Alto's Unit 42 threat intelligence group warned.

The Medusa ransomware-as-a-service operation debuted in late 2022. In early 2023, it launched a dedicated leak site on which it listed 74 victims last year. It also leaks stolen data via a Telegram channel named "information support," Unit 42 said.

"This operation showcases complex propagation methods, leveraging both system vulnerabilities and initial access brokers, while adeptly avoiding detection through living-off-the-land techniques," researchers wrote. One tactic the group has used is to upload a malicious web shell to compromised Microsoft Exchange servers.

One of the group's more high-profile alleged victims was the European and African division of Japan's Toyota Financial Services, an auto financing subsidiary of Toyota Motor Corp., from which Medusa recently demanded an $8 million ransom, Bleeping Computer reported. Medusa leaked data it had allegedly stolen from Toyota last November, which suggests the organization paid no ransom.

This opportunistic, Russian-speaking group appears willing to negotiate with victims seeking a lower ransom, and to monetize attacks in every way possible. Like many ransomware groups, Medusa's lock screen on infected systems features a countdown timer. When the timer runs out, the group promises to leak stolen data, although, somewhat unusually, it advises victims that they can pay $10,000 to have the timer extended, Unit 42 said.

Police Bust Babuk's Alleged 'Tortilla'

Cisco's Talos threat intelligence group reports that the leader of Tortilla, a ransomware group that based its crypto-locking malware on leaked Babuk source code, was arrested by Dutch police in Amsterdam and subsequently prosecuted by the Dutch Public Prosecution Office, based in part on intelligence provided by Talos. Dutch authorities didn't immediately respond to a request for comment.

"During the Amsterdam police operation, Talos obtained and analyzed the decryptor, recovered the decryption key and shared the key with engineers from Avast Threat Labs in charge of development and maintenance of the decryptor for several other Babuk variants," Cisco's Talos threat intelligence group wrote in a blog post.

The source code for Babuk ransomware leaked in September 2021 onto a Russian-language hacking forum. Luckily for victims who want to decrypt their files, Tortilla's take on Babuk didn't change the encryption scheme. Cisco Talos also said Tortilla appeared to use a single public/private key pair for every one of its victims, rather than generating a new pair per victim as some groups do.

Avast said that greatly simplifies the process of decrypting Tortilla-locked files, and that it has updated its free Babuk decryptor, which is also available via the No More Ransom portal, to handle Tortilla-encrypted files. Such files can be identified in part because a .babyk extension has been appended to their filenames.

Finns Hit Hard by Akira

Opportunistic affiliates of the Akira ransomware-as-a-service operation have snared a number of Finnish firms in recent months and accounted for six of the seven attacks reported to Finnish authorities in December 2023.

So warns the National Cyber Security Center Finland, which said many of these Akira attacks have exploited Cisco Adaptive Security Appliance and Firepower Threat Defense devices that have not yet been updated with a patch Cisco released in September 2023.

The vulnerability, tracked as CVE-2023-20269, "could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user," according to the U.S. National Vulnerability Database.

The vulnerability cannot be used to bypass multifactor authentication on Cisco ASA and FTD devices, highlighting the importance of using MFA, said Olli Hönö, an information security expert at NCSC-FI.
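The NVD description above boils down to unauthenticated password guessing against the device's AAA backend, which is why MFA blunts it but does not make the guessing invisible. One way to surface such guessing from the appliance's own syslog, as an added example that is not from the article, from Cisco or from NCSC-FI: the log lines below are constructed to resemble ASA message IDs 113005 and 113015 (AAA authentication rejected), and the hostname, addresses, usernames, window and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not real telemetry), modelled on the
# Cisco ASA "AAA user authentication Rejected" messages 113005/113015.
# One source hammers six usernames in eight seconds; another shows a user
# mistyping a password twice, hours apart.
SAMPLE_LOGS = """\
Dec 18 2023 02:14:01 asa1 %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = backup : user IP = 198.51.100.23
Dec 18 2023 02:14:03 asa1 %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = scanner : user IP = 198.51.100.23
Dec 18 2023 02:14:04 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 198.51.100.23
Dec 18 2023 02:14:06 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = vpnadmin : user IP = 198.51.100.23
Dec 18 2023 02:14:08 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 198.51.100.23
Dec 18 2023 02:14:09 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = mjones : user IP = 198.51.100.23
Dec 18 2023 02:20:45 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = akoskinen : user IP = 203.0.113.9
Dec 18 2023 09:30:12 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = akoskinen : user IP = 203.0.113.9
"""

# Field layout assumed from the constructed lines above; adjust to your
# logging format (timestamp style, hostname, severity) before use.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-(?P<msgid>\d{6}): "
    r"AAA user authentication Rejected : reason = (?P<reason>.+?) : "
    r".*user = (?P<user>\S+) : user IP = (?P<ip>\S+)$"
)
REJECT_IDS = {"113005", "113015"}


def parse(lines):
    """Turn raw syslog text into authentication-rejection events."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.search(line)
        if not m or m["msgid"] not in REJECT_IDS:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "reason": m["reason"].strip(),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_bruteforce(events, window=timedelta(minutes=5),
                      min_failures=5, min_users=3):
    """Flag source IPs with many rejections across many usernames inside one window.

    Requiring several distinct usernames separates password spraying and
    username enumeration from a single legitimate user fumbling a password.
    Returns {ip: {"failures", "users", "enumeration"}} for the largest
    offending window per IP.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            if len(span) >= min_failures and len(users) >= min_users:
                prev = alerts.get(ip)
                if prev is None or len(span) > prev["failures"]:
                    alerts[ip] = {
                        "failures": len(span),
                        "users": sorted(users),
                        # "User was not found" rejections reveal that the
                        # attacker is also probing which accounts exist.
                        "enumeration": any(e["reason"] == "User was not found"
                                           for e in span),
                    }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse(SAMPLE_LOGS)).items():
        print(f"{ip}: {info['failures']} rejections across "
              f"{len(info['users'])} users, enumeration={info['enumeration']}")
```

The thresholds are deliberately conservative; tune the window and counts to the device's normal failure rate, and treat a hit against a device still missing the September 2023 patch as a priority, since the page notes Akira affiliates have been following exactly this path into Finnish networks.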

Warnings about the vulnerability began last September, when Cisco patched it. Security firms later reported seeing a surge in attacks targeting Cisco ASA and FTD devices dating back to March 2023, around the time Akira debuted and months before the patch was available (see: Feds Warn Healthcare Sector of Akira Ransomware Threats).

Like other ransomware-wielding attackers, Akira's affiliates steal data and threaten to leak it unless they get paid. They have been seeking and destroying backups to prevent victims from simply restoring their systems, including targeting network-attached storage servers and tape backups. "In almost every case we know of, all backups have been lost," said NCSC-FI, according to a machine translation.

Finland's cybersecurity center recommends all organizations follow the 3-2-1 rule: maintain three copies of your data on two different types of storage media, with at least one copy kept offline or off-site so that an attacker with network access cannot reach it.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
