"Ransom Cartel" ransomware-as-a-service
Palo Alto Networks' Unit 42 has published a very detailed report on the inner workings of the "Ransom Cartel" ransomware family. Ransom Cartel is a ransomware-as-a-service (RaaS) operation that surfaced in mid-December 2021 and uses a wide range of tactics and techniques typical of today's threat actors. It is also known to use the double-extortion approach, i.e. not only encrypting files but also threatening to release stolen data to the public.
Some of the techniques Ransom Cartel uses during an attack are:
Using tools such as DonPAPI, LaZagne and Mimikatz to dump credentials from various sources, including memory, web browsers, Wi-Fi keys and Remote Desktop (RDP) saved credentials. In short, anything stored on a compromised machine as a cached credential will be used to further elevate access.
Special care is given to VMware ESXi, one of the most prevalent infrastructure components in organizations. To compromise ESXi hosts, Ransom Cartel uses DonPAPI to harvest credentials stored in web browsers that were used to authenticate to the vCenter web interface. After authenticating to vCenter, the attackers enable SSH access on the ESXi servers managed by that vCenter instance, then create a new SSH account and set its user identifier (UID) to zero, which gives them persistent root-level access.
Once an ESXi server is compromised, the threat actor launches the encryptor, which enumerates the running virtual machines (VMs) and shuts them down with the esxcli command, so that the VM disk files are no longer locked by a running process. The result is the encryption, and effectively the destruction, of entire VMware server images stored in .vmdk and related files.
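A host-side check for the two ESXi traces described above (a non-root account with UID 0, and the esxcli VM enumeration and kill that precede encryption), as an added example that is not part of the Unit 42 report or of the Ransom Cartel tooling. It assumes the ESXi locations /etc/passwd and /var/log/shell.log, approximates the shell.log line format, and runs against constructed sample files when executed stand-alone.

```shell
#!/bin/sh
# Added hunting script, not taken from the Unit 42 report or from the Ransom
# Cartel tooling. It checks two host-side traces of the ESXi tradecraft
# described above:
#   1. a non-root account whose UID is 0 in /etc/passwd (root persistence)
#   2. "esxcli vm process list|kill" commands recorded in /var/log/shell.log
#      (the ESXi shell command history) before encryption
# The shell.log line layout below is an approximation of the real ESXi
# format, and all sample data are constructed for this example.

# Print every account name whose UID field is 0 but whose name is not root.
# Usage: uid0_accounts /etc/passwd
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print log lines in which esxcli was used to list or kill VM processes.
# Usage: esxcli_vm_kills /var/log/shell.log
esxcli_vm_kills() {
    grep -E 'esxcli[[:space:]]+vm[[:space:]]+process[[:space:]]+(list|kill)' "$1" || true
}

# Run both checks. Prints findings and returns 1 when any indicator is
# present, 0 when the host looks clean. Defaults to the live ESXi paths.
# Usage: audit_esxi_host [passwd_file] [shell_log]
audit_esxi_host() {
    passwd="${1:-/etc/passwd}"
    shlog="${2:-/var/log/shell.log}"
    rc=0
    extra="$(uid0_accounts "$passwd")"
    if [ -n "$extra" ]; then
        printf 'WARNING: non-root UID 0 account(s) in %s: %s\n' \
            "$passwd" "$(printf '%s' "$extra" | tr '\n' ' ')"
        rc=1
    fi
    if [ -r "$shlog" ]; then
        kills="$(esxcli_vm_kills "$shlog")"
        if [ -n "$kills" ]; then
            printf 'WARNING: esxcli VM enumeration/kill commands in %s:\n%s\n' \
                "$shlog" "$kills"
            rc=1
        fi
    fi
    return "$rc"
}

# --- Constructed sample data (not real host files) -------------------------
SAMPLE_DIR="$(mktemp -d)"
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_PASSWD="$SAMPLE_DIR/passwd"
CLEAN_PASSWD="$SAMPLE_DIR/passwd.clean"
SAMPLE_SHELL_LOG="$SAMPLE_DIR/shell.log"

# "svc_backup" plays the attacker-created account with its UID changed to 0.
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:Administrator:/:/bin/sh
nobody:x:65534:65534:Nobody:/:/sbin/nologin
vpxuser:x:500:500:VMware vCenter agent:/:/bin/sh
svc_backup:x:0:0:Backup Service:/:/bin/sh
dcui:x:100:100:DCUI User:/:/sbin/nologin
EOF

cat > "$CLEAN_PASSWD" <<'EOF'
root:x:0:0:Administrator:/:/bin/sh
nobody:x:65534:65534:Nobody:/:/sbin/nologin
vpxuser:x:500:500:VMware vCenter agent:/:/bin/sh
EOF

# Two of the four lines are the VM enumeration and kill that precede encryption.
cat > "$SAMPLE_SHELL_LOG" <<'EOF'
2022-10-14T09:58:01Z shell[2105822]: [root]: esxcli system version get
2022-10-14T09:59:12Z shell[2105822]: [root]: esxcli vm process list
2022-10-14T09:59:40Z shell[2105822]: [root]: esxcli vm process kill --type=force --world-id=2099836
2022-10-14T10:01:03Z shell[2105822]: [root]: ls /vmfs/volumes
EOF

# Stand-alone demo: the constructed host trips both checks.
if audit_esxi_host "$SAMPLE_PASSWD" "$SAMPLE_SHELL_LOG"; then
    echo "no indicators found"
else
    echo "host shows ESXi indicators consistent with the tradecraft above"
fi
```

Run it on an ESXi host with no arguments to audit the live files, or point it at copies collected during an investigation. The UID 0 check applies unchanged to any Linux host; an `esxcli vm process kill` in shell.log shortly before a burst of writes on a datastore is the sequence to look for.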
For initial access, Ransom Cartel uses compromised but valid VPN, RDP, Citrix or VNC accounts, most likely obtained via phishing.
Beyond the usual phishing as the entry point, the focus on credential dumping and on VMware infrastructure seems to be the main takeaway here.
Learn more about the techniques used in the Unit 42 blog post here.