
NoName Apparently Allies With RansomHub Operation

NoName Specializes in Long-Tail Exploits
The NoName ransomware group says it actually doesn't have a name. (Image: Shutterstock)

Up-and-coming online criminal extortion group RansomHub appears to have a new affiliate - NoName, a midtier actor whose main claim to fame so far has been impersonating the LockBit ransomware-as-a-service operation. NoName is known for exploiting years-old vulnerabilities.


Researchers from Eset on Tuesday said they assess with medium confidence that NoName has joined forces with RansomHub.

Eset cited a June hacking incident at an unnamed Indian manufacturing company in which NoName hackers initially failed to infect systems with their own ransomware - cryptor malware tracked as ScRansom. After days of trying, the hackers succeeded by using a RansomHub EDR killer tool to circumvent endpoint protection and deploy the RansomHub cryptor.

"To our knowledge, there are no public leaks of RansomHub code or its builder," Eset stated.

RansomHub made its debut earlier this year and has a reputation for being "an efficient and successful" ransomware practitioner, the U.S. federal government said in an August advisory (see: RansomHub Hits Powered by Ex-Affiliates of LockBit, BlackCat).

NoName, which Eset tracks as CosmicBeetle, has been active since at least 2020. In September 2023, it set up a leak site mimicking the LockBit site and claiming LockBit victims as its own. In August, it appears to have used the leaked LockBit 3.0 builder in an attack. NoName operations are known for exploiting years-old vulnerabilities that small and medium businesses left unpatched and using those flaws in attacks that span the globe.

The group's favorite vulnerabilities include CVE-2017-0144, a Windows server message block code execution vulnerability that became public knowledge after a group calling itself the Shadow Brokers leaked an exploit developed by the U.S. National Security Agency called EternalBlue (see: No Coincidence: Microsoft's Timely Equation Group Fixes).

NoName also likes to exploit a flaw in Veeam Backup tracked as CVE-2023-27532 and a 2022 flaw in the FortiOS SSL-VPN tracked as CVE-2022-42475 (see: Fortinet Fixes Critical Remote Code Flaw).

The group's latest cryptor malware, ScRansom, is relatively basic and often leads to permanent data loss. Multiple decryption keys are sometimes required to unlock files, and some are lost altogether due to flaws in the encryption process.

Researchers discovered that the group had been experimenting with LockBit's leaked builder and even set up a fake leak site, dubbed Noname, which mimicked LockBit's platform, hosted ransom notes and attempted to convince victims that they had been targeted by the infamous group.

Earlier versions of ScRansom, which is written in Delphi, required manual interaction: attackers needed access to the victim's system to launch the ransomware by hand. This approach likely allowed the malware to evade detection in automated sandboxes.


About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.



