New Business Model: White Labeling of RansomwareTrend Micro: Operators Rebrand "Supplier" Ransomware Before Deployment
Researchers at cybersecurity firm Trend Micro have observed the adoption of a new franchise-based business model by ransomware operators that moves away from the traditional ransomware-as-a-service model. "It seems that the operators are rebranding a 'supplier' ransomware before deployment instead of simply distributing it under the original name," researchers say.
This ‘white labeling’ operation was found by the Trend Micro team while it was investigating the operations of XingLocker ransomware operators who have been highly active in the past few months, when it observed the new business model that differs from the usual tactics.
Initially, the researchers thought that XingLocker was just a rebrand of the earlier known MountLocker ransomware, which is a common practice among many ransomware operators. "However, one thing caught our attention — the usage of a different onion address for each victim. Instead of setting up multiple servers, as has been done in many cases, the XingLocker team created multiple addresses pointing to the same server," say Trend Micro researchers.
The researchers add: "Most RaaS models operate by affiliates working with the ransomware group to install a specifically named ransomware on as many machines as possible, then splitting the profits. This is advantageous for the attackers because when victims look up the ransomware and see many reports about it, they are more likely to pay." However, an affiliate program does not give the affiliates enough recognition, whereas, the white labeling business model gives them that flexibility the researchers say.
The Locker Connection
On analyzing the HTTP requests made to the common server, the researchers found other directories containing data associated with the companies targeted by another ransomware operation team - the AstroLocker.
Cybersecurity firm Sophos, in March 2021, linked the AstroLocker team to the MountLocker ransomware, citing that the five organizations listed on the AstroLocker data leak site were also listed as victims on the MountLocker data leak site. Additionally, Sophos researchers noted that the size of the data leak on the two sites matched, and some of the leaked data linked on the MountLocker site was being hosted on the AstroLocker onion site: http[:]//anewset****.onion, which brought more clarity to the relationship of these two teams.
Trend Micro's researchers compared the welcome message of XingLocker with that of the AstroLocker present in the Sophos blog and inferred that the two are linked to MountLocker and are a "franchise" of this ransomware group.
Trend Micro says that the XingLocker team shares a lot of infrastructure with AstroLocker. They have evidently found at least 15 onion addresses used by four different servers, while three others are still unknown, the researchers say.
Worth Taking Note
According to the researchers, these tactics of sharing infrastructure and resources are not new. So why is this important and worth taking note? Trend Micro's researchers answer this by saying "It seems likely we have now observed a new "franchise" RaaS model involving XingLocker, AstroLocker and Mount Locker. In this model there seems to be a main RaaS (in this case Mount Locker), and then affiliates license the ransomware and release it under their own name and brand," similar to how legitimate manufacturers ‘white-label’ goods for other suppliers.
Trend Micro's researchers note that "this method adds confusion in terms of naming and makes tracking harder." Sophos researchers also have similar views and recommend organizations and investigators analyzing the indicators of compromise and TTPs of the attackers check all possible TTPs of the different franchises of MountLocker ransomware group.
XingLocker is a ransomware family popularly known to be targeting Windows systems in the past few months. According to the latest screenshot from Ransomwatch, a website that captures a screenshot once a day of the popular ransomware sites on the dark web [Tor], many critical infrastructure and service providers have been targeted by the XingLocker ransomware team. This includes J.Irwin Company, Sharafi Group Investments, OSF Healthcare System, Coastal Family Health Center, and many more.
According to a reverse engineering blog from Chuong Dong, a security researcher, XingLocker ransomware team uses Mount Locker Ransomware v5.0 that makes use of hybrid-cryptography scheme of RSA-2048 and ChaCha20 to encrypt files and protect its keys. "This version includes a new worm feature that lets it self-propagate to other PCs on the network using IDirectorySearch and IWbemServices COM interfaces," says Chuong Dong. For more information on the list of IoCs of the new version of MountLocker, refer this blog.
For a list of all the IoCs noted by Trend Micro on MountLocker, AstroLocker, and XingLocker refer to the following page.