TA505, a Russian-speaking APT group, created a buzz early last year with a devastating ransomware attack on Maastricht University (UM) in the Netherlands. After weighing all its options, the university's management ended up paying a ransom of 30 Bitcoin (roughly $220,000 at the time) to the threat actors. Since then the group had gone quiet, with no other major attacks attributed to it. That appears to have changed in the past couple of weeks, as researchers at the cybersecurity firm CYFIRMA have uncovered a global ransomware campaign by TA505, dubbed "Night Blood."
TA505 Comes Out of Stealth Mode
CYFIRMA's researchers first observed the activity on May 22, 2021, when operators of the group posted 96 IP addresses on an underground Discord channel; in the preceding days the same list, with additional IP addresses, had been published on three other dark web forums. The IP addresses are suspected to be the entry points the cybercriminals intend to use to get into victim networks. According to the conversations recorded on these forums, the gang, which offers Ransomware-as-a-Service (RaaS) and works together with its affiliates, has adopted a two-pronged approach to extortion depending on the target's profile:
- Gain entry to a publicly accessible web server and, where the target is an ordinary website visitor, trick them into downloading a malicious plug-in that installs the ransomware toolkit.
- Gain entry to a publicly accessible web server and, where the target is a larger organization or company, install malware that scans every system on the network for known weaknesses and then deploys the ransomware toolkit.
Apart from this, they have also adopted the double-extortion technique: stealing sensitive data from victims before encrypting their files and folders and leaving a traditional ransom note on the infected system. The stolen data gives the threat actors extra leverage during negotiation, because a victim that can restore from backups can still be threatened with publication of the data. According to the initial analysis, the signatures of this campaign match those of another notorious ransomware group, the REvil gang.
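Both behaviours described above leave network traces a defender can look for: a compromised web server that starts sweeping internal hosts, and an internal host that pushes an unusual volume of data to an external address before encryption begins. The following is an added example of such detection logic, not code from CYFIRMA's report or from TA505's tooling; the log format, the internal address ranges, the hosts and the thresholds are all constructed assumptions.

```python
# Added example: heuristics for the lateral scan and bulk-exfiltration behaviours
# described in the article. Log format, addresses and thresholds are constructed
# assumptions for illustration, not indicators from the CYFIRMA report.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress
import re

# Assumed private ranges that count as "inside" the organisation.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed log line shape: "<iso-timestamp> src=<ip> dst=<ip> dport=<port> bytes_out=<n>"
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) bytes_out=(\d+)$")


@dataclass(frozen=True)
class Conn:
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_log(text):
    """Parse constructed connection-log lines; lines that do not match are skipped."""
    conns = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport, b = m.groups()
        conns.append(Conn(datetime.fromisoformat(ts), src, dst, int(dport), int(b)))
    return conns


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_internal_scan(conns, window=timedelta(minutes=5), min_targets=20):
    """Flag internal sources that touch many distinct internal (host, port) pairs
    within a single time window, the fan-out pattern of a lateral vulnerability scan.
    Returns {src: number_of_distinct_targets_in_the_first_qualifying_window}."""
    by_src = defaultdict(list)
    for c in conns:
        if is_internal(c.src) and is_internal(c.dst):
            by_src[c.src].append(c)
    flagged = {}
    for src, lst in by_src.items():
        lst.sort(key=lambda c: c.ts)
        for i, first in enumerate(lst):
            targets = {(c.dst, c.dport) for c in lst[i:] if c.ts - first.ts <= window}
            if len(targets) >= min_targets:
                flagged[src] = len(targets)
                break
    return flagged


def detect_bulk_exfil(conns, threshold_bytes=500 * 1024 * 1024):
    """Flag internal hosts whose total outbound bytes to external addresses exceed
    a threshold, the staging-and-upload step that precedes double extortion."""
    totals = defaultdict(int)
    for c in conns:
        if is_internal(c.src) and not is_internal(c.dst):
            totals[c.src] += c.bytes_out
    return {src: total for src, total in totals.items() if total > threshold_bytes}


def build_sample_log():
    """Constructed sample: a DMZ web server (10.0.1.5) sweeping SMB on 25 internal
    hosts in 72 seconds, a file server (10.0.3.9) pushing 600 MiB to an external
    address in 100 MiB chunks, plus two benign connections from a workstation."""
    base = datetime(2021, 5, 22, 10, 0, 0)
    lines = []
    for i in range(25):
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t.isoformat()} src=10.0.1.5 dst=10.0.2.{10 + i} dport=445 bytes_out=120")
    for i in range(6):
        t = base + timedelta(minutes=30 + i)
        lines.append(f"{t.isoformat()} src=10.0.3.9 dst=203.0.113.10 dport=443 bytes_out={100 * 1024 * 1024}")
    lines.append(f"{base.isoformat()} src=10.0.4.2 dst=10.0.2.11 dport=445 bytes_out=4096")
    lines.append(f"{base.isoformat()} src=10.0.4.2 dst=198.51.100.7 dport=443 bytes_out=20480")
    return "\n".join(lines)


if __name__ == "__main__":
    sample = parse_log(build_sample_log())
    print("internal scan fan-out:", detect_internal_scan(sample))
    print("bulk outbound transfer:", detect_bulk_exfil(sample))
```

Neither heuristic is a signature for TA505 specifically; both thresholds have to be tuned against a baseline of normal traffic (vulnerability scanners and backup jobs will trip them), and the value of the check is in correlating a scan from a DMZ host with a later bulk upload from the same network segment.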
CYFIRMA's researchers consider this a global ransomware campaign because TA505 is said to be actively targeting countries including Japan, Australia, South Korea, the U.K., the U.S., India, Thailand, Singapore, Germany, and Spain. The industries represented among the targets are equally broad and include manufacturing, food and beverages, financial services, real estate, insurance, trading platforms, retail and online stores, electronics and telecommunications, government, and others.
Although the primary motive of the campaign appears to be financial gain, researchers warn that, given the doping ban that keeps Russian athletes out of the next two Olympic Games, the group may also target organizations and institutions associated with those games. Researchers also suggest that TA505's "Night Blood" campaign is still in a reconnaissance phase, and organizations around the globe need to keep a close eye on any suspicious activity.