Trend Micro Research
Aug 6, 2021, 8 tweets, 5 min read
— A THREAD —

[1/n] We’re monitoring developments on a new piece of proof-of-concept #ransomware called #Chaos. It’s purportedly a .NET version of #Ryuk, but our analysis shows that its routines are different from Ryuk’s.
[2/n] Earlier versions of #Chaos were actually destructive #trojans that overwrote rather than encrypted files, which meant that victims had no way of restoring their files to their original state.
[3/n] The third version of #Chaos was traditional #ransomware, having the ability to encrypt files via RSA/AES and also providing a decrypter. With this version, the creator asked for donations to support the ongoing development of Chaos.
[4/n] The fourth version of #Chaos was recently released on an underground forum. It gained support for custom file extensions, the ability to change an infected machine’s desktop wallpaper, and an increase in the size limit of encrypted files to 2 MB.
[5/n] While we have not yet detected an active infection or victim of the #Chaos #ransomware, we believe that the ransomware builder still poses a threat in the hands of malicious actors who have access to malware distribution and deployment.
[6/n] It appears that the #Chaos #ransomware is still undergoing evolution, since it lacks some features that many modern ransomware families have, such as the collection of data from victims that could be used for blackmailing if the ransom is not paid.
[7/n] The development of new #ransomware families and variants will always be a matter of concern. In our research, we provide recommendations that will help organizations prevent and mitigate the effects of modern ransomware attacks: research.trendmicro.com/3xqVtKH
[8/n] This is a developing story. We’ll keep you updated as more information comes in.