


Ensure all the identified IOCs are input into the network SIEM for continuous monitoring and alerts.Ensure routine auditing is conducted for all accounts.Use double authentication when logging into accounts or services.

Consider adding an email banner to emails received from outside your organization.Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.Do not give all users administrative privileges. Audit user accounts with administrative privileges and configures access controls with the least privilege in mind.Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
MALWAREBYTES RANSOMWARE INSTALL
MALWAREBYTES RANSOMWARE UPDATE

Known ransomware attacks in April 2022 by industry Ransomware mitigations Attacks by ransomware typeĭespite its rapid start, the activities of Black Basta and the other newly-emerged types of ransomware were dwarfed in April by three established threats: LockBit, Conti, and AlphV, which made up 60 percent of all the known breaches in our analysis. This information represents victims who were successfully attacked but opted not to pay a ransom. Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. It seems likely that this behavior is the result of a bug in the notoriously poorly-written ransomware builder though.Īnother newly-emerged gang is Mindware, which appears to have started operations in mid-March using a well-known ransomware strain called SFile2 (aka Escal)-but it was not until April that it began to practice "double extortion", where data is stolen before it's encrypted so that victims are faced with the twin threats of data they can't decrypt, and leaks of sensitive information. At first, some suspected that Onyx may be a wiperrather than ransomware because it destroyed files larger than 2MB instead of encrypting them. Onyxis a new ransomware gang based on the old Chaos builder. That ability to perform so many attacks so quickly has led some to speculate that Black Basta is a re-brand of an existing group that already has affiliates. New gangs emergeīlack Bastamade a name for itself very quickly by coming out of nowhere and carrying out at least eleven successful breaches in April 2022. REvil now seems to have returned to the fray with new payloads, and a new leak blog displaying a mixture of new victims and old victims known to have been attacked by REvil. A string of arrestsfollowed, and then in January-in an act of unprecedented co-operation-Russia’s Federal Security Service (FSB) announced that it had dismantled the REvil group and charged its members, thanks to information provided by the USA. REvil disappeared shortly after the Kaseya attack, only to emerge again a few months later, before being forced offlineon October 21, 2021, by a multi-country operation. REvil(aka Sodinokibi) first appeared in May 2020 and has been responsible for numerous high-profile ransomware attacks, including arguably the biggest ransomware attack of all time-a supply-chain attack on Kaseya VSAin July 2021 that is thought to have affected over 1,000 businesses. The Malwarebytes Threat Intelligence team monitors the threat landscape continuously and produces monthly ransomware reports based on a mixture of proprietary and open-source intelligence.Īpril 2022 was most notable for the emergence of three new ransomware-as-a-service ( RaaS) groups- Onyx, Mindware, and Black Basta-as well as the unwelcome return of REvil, one of the world’s most notorious and dangerous ransomware operations.
