Identity Crisis Ransomware Targets Small Businesses and Individuals

Researchers have recently identified a ransomware strain that has been active since 2019 and specifically targets individuals and small businesses. Unlike typical ransomware operations that demand large sums, this strain, known as TZW, demands a small ransom from each victim. TZW belongs to the Adhubllka ransomware family, which gained attention in January 2020 but was already active the previous year.

What makes this discovery even more significant is the unique process that researchers used to identify the strain accurately. Over the years, many samples of Adhubllka had been misclassified or mislabeled as other ransomware families, causing confusion among threat hunters and researchers. Previous analyses of TZW had even detected traces of other malware, such as CryptoLocker, in the sample.

Uncovering the true identity of TZW required a closer look at the genealogy of the strain. Researchers traced the communication channels and other traits used by the threat actors, such as contact emails, ransom notes, and execution methods. Ultimately, the research shows how a ransomware family can be traced back to its origin.

Adhubllka gained more attention in January 2020 but was “highly active” the previous year, particularly in campaigns targeting various sectors in Australia. What made it challenging to identify TZW as a spinoff of Adhubllka was the relatively low ransom demands made by the group—typically ranging from $800 to $1,600. This allowed the attackers to remain unnoticed, as victims often paid the ransom without attracting media attention.

According to Rakesh Krishnan, a senior threat analyst at Netenrich, TZW is delivered via phishing campaigns but only targets individuals and small-sized companies. While this may prevent it from making big news on media channels, it doesn’t mean that Adhubllka won’t grow bigger in the future, as the group has already made infrastructure updates.

Researchers anticipate that the ransomware may eventually be rebranded and used by other groups to launch their own campaigns. However, as long as the threat actor’s mode of communication remains the same, researchers will be able to trace such cases back to the Adhubllka family.

The key link between the latest campaign and Adhubllka was the Tor domains found in the ransom note dropped on victims' machines, which investigators compared against domains used in earlier campaigns. The note instructed victims to communicate through a Tor-based victim portal to obtain decryption keys after paying the ransom. The shift from v2 to v3 Tor onion URLs, along with a specific sentence that appears only in the TZW and U2K variants of Adhubllka, further narrowed down the attribution.

Other indicators pointing to the latest Adhubllka variant were the use of a specific email address associated with the group and a link to the Adhubllka sample (identified by its MD5 hash) discovered in 2019.
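The attribution method described above, as an added example that is not part of the original article or the Netenrich research: extract the onion hosts (classified as v2 or v3 by address length) and contact e-mails from ransom notes, then cluster notes that share any channel, so a v2-era note and a v3-era note tied by one contact address fall into the same family. The notes, onion hosts and e-mail addresses are constructed placeholders, not real indicators.

```python
import re
from collections import defaultdict

# Tor onion hostnames: legacy v2 addresses are 16 base32 characters, v3 are 56.
ONION_RE = re.compile(r"\b([a-z2-7]{16}|[a-z2-7]{56})\.onion\b", re.IGNORECASE)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def extract_indicators(note: str) -> dict:
    """Return the contact channels in a note: {onion host: "v2"/"v3"} and sorted e-mails."""
    onions = {}
    for m in ONION_RE.finditer(note):
        host = m.group(1).lower()
        onions[f"{host}.onion"] = "v2" if len(host) == 16 else "v3"
    emails = sorted({e.lower() for e in EMAIL_RE.findall(note)})
    return {"onions": onions, "emails": emails}


def cluster_notes(notes: dict) -> list:
    """Group note ids that share any onion host or e-mail, transitively (union-find),
    and return the groups as sorted lists of note ids."""
    parent = {nid: nid for nid in notes}

    def find(x):  # root lookup with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_use = {}  # indicator -> first note id that carried it
    for nid, text in notes.items():
        ind = extract_indicators(text)
        for key in list(ind["onions"]) + ind["emails"]:
            if key in first_use:
                parent[find(nid)] = find(first_use[key])  # merge the two families
            else:
                first_use[key] = nid
    groups = defaultdict(list)
    for nid in notes:
        groups[find(nid)].append(nid)
    return sorted(sorted(g) for g in groups.values())


# Constructed sample notes (placeholder indicators): A and B share a contact
# e-mail across the v2 -> v3 onion change; C uses unrelated channels.
SAMPLE_NOTES = {
    "A": "Your files are encrypted. Visit http://abcdefghijklmnop.onion or "
         "write to help-desk@example.com to get your key.",
    "B": "Your files are encrypted. Visit http://" + "a" * 56 + ".onion "
         "or write to help-desk@example.com to get your key.",
    "C": "Pay in BTC. Contact other-actor@example.org via http://zyxwvutsrqponmlk.onion",
}
```

Running `cluster_notes(SAMPLE_NOTES)` groups A with B and leaves C on its own; the distinctive note sentence mentioned above could be added as a further shared indicator in the same loop.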

This research highlights the meticulous nature of ransomware attacks and the efforts made by cybercriminals to evade detection. It reinforces the importance of implementing strong endpoint security solutions and educating users about the risks of clicking on malicious links delivered via email. Additionally, organizations should focus on preventing ransomware from entering their environment by looking for behavior anomalies, privilege escalation, and the introduction of suspicious removable media.

As ransomware attacks continue to evolve and become more sophisticated, it is crucial for security professionals and individuals alike to stay vigilant and adopt proactive measures to protect against these threats.
