NoName Allegedly Teams Up with RansomHub Operation – Source: www.databreachtoday.com

NoName, the ransomware group known for specializing in long-tail exploits, has made headlines once again by apparently allying with the up-and-coming online criminal extortion group RansomHub. This new affiliation has raised concerns among cybersecurity experts, who are closely monitoring the collaboration between these two threat actors.

According to researchers from ESET, NoName has joined forces with RansomHub, as indicated by a hacking incident at an Indian manufacturing company where NoName hackers initially failed to infect systems with their own ransomware. The hackers eventually succeeded in deploying the RansomHub cryptor by using a RansomHub EDR killer tool to bypass endpoint protection. This incident highlights the sophistication and persistence of these cybercriminals in exploiting vulnerabilities and evading detection.

RansomHub, which made its debut earlier this year, has gained a reputation for being efficient and successful in carrying out ransomware attacks. The U.S. federal government has issued advisories warning about the threats posed by RansomHub, citing its ties to ex-affiliates of LockBit and BlackCat ransomware operations. This alliance with NoName further underscores the evolving landscape of cybercrime and the need for robust cybersecurity measures to combat these threats.

NoName, identified by ESET as CosmicBeetle, has been active since at least 2020 and has a history of imitating other ransomware groups like LockBit. In a recent attack, NoName used the leaked LockBit 3.0 builder to carry out a ransomware campaign targeting small and medium businesses worldwide. The group's operations are characterized by exploiting outdated vulnerabilities, such as the Windows Server Message Block (SMB) code execution vulnerability CVE-2017-0144 and the FortiOS SSL-VPN flaw CVE-2022-42475.

One of the key challenges posed by NoName’s cryptor malware, ScRansom, is its basic encryption process, which often leads to permanent data loss. Decrypting files encrypted by ScRansom can be a complex process requiring multiple decryption keys, and in some cases, data may be irreversibly damaged due to encryption flaws. This underscores the importance of proactive cybersecurity measures, such as regular patching and robust backup strategies, to mitigate the risks posed by ransomware attacks.

The group’s shift towards impersonating established ransomware gangs like LockBit reflects a strategic move to enhance its reputation and instill fear among potential victims. By leveraging leaked tools and setting up fake leak sites to mimic established ransomware operations, NoName aims to confuse and intimidate victims, making it harder for security professionals to identify and thwart their attacks.

Overall, the alliance between NoName and RansomHub signals a new wave of cyber threats that organizations must be prepared to defend against. As cybercriminals continue to collaborate and innovate their tactics, staying ahead of the evolving threat landscape requires a proactive and multi-layered approach to cybersecurity. By implementing comprehensive security measures and staying informed about emerging threats, organizations can better protect their data and networks from ransomware attacks and other cyber threats.
