NoName Ransomware Gang Deploys RansomHub Malware in Recent Attacks

The NoName ransomware gang has been actively targeting small and medium-sized businesses worldwide for over three years, deploying custom malware and evolving its attack methods. Recently, NoName has been linked to RansomHub, suggesting the group is now an affiliate. This development signals a growing threat to global cybersecurity, especially for SMBs.

NoName's Custom Malware Arsenal:

    • NoName, tracked as CosmicBeetle, uses the Spacecolon malware family to penetrate networks via brute-force attacks and exploits of older vulnerabilities like EternalBlue (CVE-2017-0144) and ZeroLogon (CVE-2020-1472).
    • The gang previously used ScRansom, a Delphi-based ransomware, as part of its toolkit. The malware can encrypt files across various drives and includes an “ERASE” mode, making file recovery impossible.
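The brute-force entry vector mentioned above is one of the easier parts of this activity to detect. The following is an added example, not code from the original post or from the group it describes: it scans constructed Windows Event ID 4625 (failed logon) records for bursts of failures from a single source and reports whether the burst looks like a password spray (many accounts) or a classic brute force (one account). The sample records, source addresses and account names are constructed; in practice the events would come from the Security log or a SIEM export.

```python
"""Detect brute-force / password-spray bursts in Windows logon-failure events.

Added example, not code from the original post or from the group it
describes. Input is a constructed list of Event ID 4625 (failed logon)
records; in practice they would come from the Security log or a SIEM.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (UTC timestamp, source IP, target account).
# 198.51.100.7 fails five times across four accounts within 11 seconds;
# 203.0.113.9 has two isolated failures hours apart (an ordinary typo).
SAMPLE_4625 = [
    ("2024-09-10T02:14:01", "198.51.100.7", "administrator"),
    ("2024-09-10T02:14:03", "198.51.100.7", "admin"),
    ("2024-09-10T02:14:06", "198.51.100.7", "backup"),
    ("2024-09-10T02:14:09", "198.51.100.7", "svc_backup"),
    ("2024-09-10T02:14:12", "198.51.100.7", "administrator"),
    ("2024-09-10T02:20:00", "203.0.113.9", "jsmith"),
    ("2024-09-10T09:20:00", "203.0.113.9", "jsmith"),
]


def find_bruteforce_sources(events, window=timedelta(minutes=5), threshold=5):
    """Return {source_ip: {"failures": n, "accounts": k}} for every source
    that produced at least `threshold` failed logons inside one sliding
    `window`. `failures` is the largest burst seen; `accounts` is the number
    of distinct target accounts (many accounts = spraying, one = brute force).
    """
    by_src = defaultdict(list)
    for ts, src, acct in events:
        by_src[src].append((datetime.fromisoformat(ts), acct))

    flagged = {}
    for src, rows in by_src.items():
        rows.sort()
        times = [t for t, _ in rows]
        start = 0
        peak = 0
        for end in range(len(times)):
            # Slide the window start forward until the span fits in `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = {
                "failures": peak,
                "accounts": len({a for _, a in rows}),
            }
    return flagged


if __name__ == "__main__":
    for src, info in find_bruteforce_sources(SAMPLE_4625).items():
        print(f"{src}: {info['failures']} failures against {info['accounts']} accounts")
```

The window and threshold are tunable; a low threshold over a long window catches slow sprays that stay under per-minute lockout limits, at the cost of more noise from legitimate users.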

RansomHub Involvement:

    • In September 2023, NoName set up an extortion site mimicking the LockBit data leak site, signaling its affiliation with RansomHub. This was confirmed after multiple attacks where RansomHub’s EDR killer and ransomware were deployed.
    • NoName is leveraging RansomHub tools to disable security software and escalate privileges by exploiting legitimate vulnerable drivers on compromised systems.
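Abuse of legitimately signed but vulnerable drivers ("bring your own vulnerable driver") is hard to catch by signature checks alone, because the driver's signature is valid. The following is an added example, not code from the original post or from any RansomHub tooling: it triages Sysmon Event ID 6 ("Driver loaded") records for three indicators a defender can act on: a hash on a vulnerable-driver blocklist, a load from a path where legitimate drivers do not normally live, and a signature that fails to verify. The records are constructed, the field names (ImageLoaded, Hashes, Signed, Signature, SignatureStatus) are Sysmon's real EID 6 fields, and the blocklist entry is a labelled placeholder rather than a real hash; a real deployment would load a maintained vulnerable-driver list (for example the LOLDrivers project) in its place.

```python
"""Triage Sysmon Event ID 6 ("Driver loaded") records for BYOVD-style
abuse: a signed but known-vulnerable driver, a driver loaded from an
unusual path, or a driver whose signature does not verify.

Added example, not code from the original post. The records are
constructed, and the blocklist entry is a labelled placeholder rather
than a real driver hash.
"""
import re

# Constructed Sysmon EID 6 records flattened to key=value form.
SAMPLE_EID6 = [
    r"ImageLoaded=C:\Windows\System32\drivers\tcpip.sys Hashes=SHA256=1111111111111111 Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
    r"ImageLoaded=C:\Users\Public\svc\updater.sys Hashes=SHA256=PLACEHOLDER_VULNERABLE_DRIVER_SHA256 Signed=true Signature=Example Vendor Ltd SignatureStatus=Valid",
    r"ImageLoaded=C:\ProgramData\tool\helper.sys Hashes=SHA256=2222222222222222 Signed=false Signature=Unknown SignatureStatus=Unavailable",
]

# Placeholder, not a real hash: substitute entries from a maintained list.
KNOWN_VULNERABLE_SHA256 = {"PLACEHOLDER_VULNERABLE_DRIVER_SHA256"}

# Directories from which legitimate kernel drivers are normally loaded.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# key=value pairs; values may contain spaces (e.g. "Microsoft Windows"),
# so a value runs until the next " key=" or the end of the line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_eid6(line):
    """Turn one flattened EID 6 record into a dict of its fields."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def sha256_of(hashes_field):
    """Extract the SHA256 entry from Sysmon's Hashes field, if present."""
    m = re.search(r"SHA256=([0-9A-Za-z_]+)", hashes_field)
    return m.group(1) if m else None


def triage_driver_loads(lines, blocklist=KNOWN_VULNERABLE_SHA256):
    """Return [{"image": path, "reasons": [...]}] for records worth a look.

    Note that a BYOVD driver typically passes the signature check; the
    blocklist and load-path heuristics are what catch it.
    """
    findings = []
    for line in lines:
        rec = parse_eid6(line)
        image = rec.get("ImageLoaded", "")
        reasons = []
        if sha256_of(rec.get("Hashes", "")) in blocklist:
            reasons.append("blocklisted hash")
        if not image.lower().startswith(TRUSTED_PREFIXES):
            reasons.append("unusual load path")
        if rec.get("SignatureStatus") != "Valid":
            reasons.append("signature not valid")
        if reasons:
            findings.append({"image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_driver_loads(SAMPLE_EID6):
        print(f"{f['image']}: {', '.join(f['reasons'])}")
```

The second sample record is the instructive one: its signature is valid, so only the hash match and the load path give it away, which is why a vulnerable-driver blocklist (or Windows' own driver block rules) matters alongside signature enforcement.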

Sophisticated Encryption Methods:

    • ScRansom uses a complex encryption scheme built on AES-CTR-128 and RSA-1024, and the decryption side of that scheme is unreliable in practice. Victims have reported receiving multiple decryption keys and still being unable to recover all of their files.

Exploited Vulnerabilities:

    • NoName’s attacks exploit several vulnerabilities commonly found in SMB environments, including:
      • CVE-2017-0144 (EternalBlue)
      • CVE-2020-1472 (ZeroLogon)
      • CVE-2023-27532 (Veeam Backup & Replication component)
      • CVE-2022-42475 (FortiOS SSL-VPN)
      • CVE-2021-42278 and CVE-2021-42287 (the Active Directory privilege-escalation chain known as noPac)

RansomHub’s Impact on SMBs:

    • NoName’s affiliation with RansomHub and the use of advanced ransomware tools like ScRansom present a significant threat to businesses lacking robust cybersecurity measures.

The NoName gang’s affiliation with RansomHub highlights the evolution of cybercriminal groups into larger, more sophisticated operations. Small and medium-sized businesses need to prioritize vulnerability management and advanced endpoint protection to defend against such persistent threats.

Stay protected with Net Protector Cyber Security — your trusted defense partner against ransomware and malware attacks!