Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Trustwave SpiderLabs Reveals the Ransomware Threats Targeting Latin American Financial and Government Sectors

Ransomware-as-a-service (RaaS) threat groups are placing severe and continuous pressure on the financial and government services sectors in Latin America, according to data compiled by the elite Trustwave SpiderLabs team.

RaaS is where developers working for threat actors manage and update the malware while affiliates carry out the actual ransomware attacks. The specific method of initial intrusion varies depending on the affiliate responsible for targeting the network and any financial gains from the activity are split on a pre-determined basis.

Trustwave SpiderLabs broadly covered these general issues in its 2023 Financial Services Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies report but did a special dive spotlighting the most active threat groups striking Latin America: LockBit 3.0, ALPHV (BlackCat), Cl0p, BlackByte, Medusa, Vice Society, and RansomHouse.

 

Analyzing the Ransomware Groups’ Attack Vectors

Trustwave SpiderLabs covered the different attack vectors employed by ransomware operators and affiliates, with the most common methods by which threat actors obtain initial access to networks being phishing (Mitre ATT&CK label T1566), exploiting public-facing applications (T1190) and compromised valid credentials (T1078) and session cookies (T1539). The cookies are often harvested from successful infostealer infections (T1555 and T1083) and sold by specialized “initial access brokers” on Dark Web and special-access sources.

Trustwave SpiderLabs recently reported that it is tracking phishing campaigns specifically targeting the Latin American region. The phishing emails generally contained a ZIP file attachment that when extracted reveals an HTML file that leads to a malicious file download posing as an invoice. If the phishing attack is successful a malicious RAR file will download.

BlackCat/ALPHV, which itself was disrupted by law enforcement and may or may not be active, employs a double extortion scheme, combining data encryption with data theft tools as part of its attack strategy. This approach intensifies the pressure on victims to comply with its demands. The proposed scope of the review is as follows:

BlackCat/ALPHV’s initial access vectors are:

  • T1189: Drive-by Compromise Malvertising
    o WinSCP and AnyDesk software infected with Cobalt Strike beacon.
  • T1078: Valid Accounts
    o Compromised accounts and stolen credentials.
  • T1133: External Remote Services
    o Remote desktop (RDP) access using Valid Accounts.
  • T1190: Exploit Public-Facing Application
    o ProxyShell – Microsoft Exchange Server Vulnerabilities: (CVE-2021-31207, CVE-2021-34473, CVE-2021-34523) o SonicWall SMA100 Pre-Auth SQL Injection (CVE-2019-7481.

LockBit 3.0 represents a RaaS group that has inherited the legacy of its predecessors, LockBit and LockBit 2, and it must be noted that LockBit 3.0 was also successfully targeted by a US/UK law enforcement operation in February, disrupting the group. Beginning in January 2020, LockBit adopted an affiliate-based ransomware approach, allowing its affiliates to employ diverse tactics in targeting a broad spectrum of businesses and critical infrastructure organizations.

LockBit 3.0 is known to use initial access brokers and an insider recruitment program advertised on various hacker forums to facilitate network intrusions.

Lockbit 3.0’s initial access vectors:

  • T1189: Drive-by Compromise
  • T1566: Phishing
  • T1078: Valid Accounts
    o Compromised accounts and stolen credentials
  • T1133: External Remote Services Remote desktop (RDP) access using Valid Accounts
  • T1190: Exploit Public-Facing Application
    o Fortinet FortiOS SSL VPN web portal (CVE-2018-13379) BIG-IP F5 iControl Server-Side Request Forgery / Remote Command Execution (CVE-2021-22986

Discover Trustwave SpiderLabs

Learn More

CL0P emerged as a RaaS in February 2019, evolving from the CryptoMix ransomware variant. This malicious software was strategically employed in extensive spear-phishing campaigns, using a verified and digitally signed binary to circumvent system defenses effectively. CL0P utilizes the ‘double extortion’ tactic.

CL0P’s initial access vectors are:

  • T1566: Phishing
  • T1078: Valid Accounts
    o Compromised accounts and stolen credentials
  • T1190: Exploit Public-Facing Application
    o GoAnywhere MFT Remote code injection via admin panel (CVE-2023-0669)
    o MOVEit Transfer SQL Injection Remote Code Execution (CVE-2023-34362)
    o Accellion FTA SQL injection vulnerability (CVE-2021-27101)
    o Accellion FTA OS command execution vulnerability (CVE-2021-27102)
    o Accellion FTA OS command execution vulnerability (CVE-2021-27104)
    o SolarWinds Serv-U Remote Code Execution Vulnerability (CVE-2021-35211)

Hive also operates under the RaaS model, where developers manage and update the malware while affiliates carry out the actual ransomware attacks. The affiliate responsible for targeting the network determines the specific method of initial intrusion.

Between June 2021 and at least November 2022, threat actors have extensively employed Hive ransomware to target various businesses and critical infrastructure sectors.

Hive’s initial access vectors are:

  • T1566: Phishing
    o Spearphishing with malicious attachments
  • T1078: Valid Accounts
    o Compromised accounts and stolen credentials
    o T1190: Exploit Public-Facing Application
    o Microsoft Exchange Server Security Feature Bypass (CVE-2021-31207)
    o Microsoft Exchange Server Remote Code Execution (CVE-2021-34473)
    o Microsoft Exchange Server Privilege Escalation Vulnerability (CVE-2021-34523)
    o FortiOS SSL VPN Authentication Vulnerability (CVE-2020-12812)

BlackByte ransomware also operates under the RaaS model. BlackByte affiliates are known to use living-off-the-land tools for persistence and reconnaissance and Cobalt Strike beacons for command and control (C2).

BlackByte’s initial access vectors:

  • T1566: Phishing
    o Spearphishing with malicious attachments
  • T1078: Valid Accounts
    o Compromised accounts and stolen credentials
    o T1190: Exploit Public-Facing Application
    o Microsoft Exchange Server Security Feature Bypass (CVE-2021-31207)
    o Microsoft Exchange Server Remote Code Execution (CVE-2021-34473)
    o Microsoft Exchange Server Privilege Escalation Vulnerability (CVE-2021-34523)

Medusa ransomware emerged in June 2021. After initial access, the MedusaLocker typically propagates throughout a network from a batch file that executes a PowerShell script.

Medusa’s initial access vectors:

  • T1566: Phishing
    o Spearphishing with malicious attachments
  • T1078: Valid Accounts
    o Compromised accounts and stolen credentials
  • T1133: External Remote Services
    o Remote desktop (RDP) access using Valid Accounts

The Vice Society ransomware group initially appeared in the summer of 2021. It is responsible for the notable incident that impacted the rapid transit system in San Francisco. The group gained significant media attention in late 2022 and early 2023 due to a series of high-profile attacks.

Vice Society’s initial Access Vectors are:

  • T1566: Phishing
    o Spearphishing with malicious attachments
  • T1078: Valid Accounts
    o Compromised accounts and stolen credentials
  • T1190: Exploit Public-Facing Application

RansomHouse is a data extortion group that first emerged in December of 2021. It made headlines in 2022 for attacking chipmaker AMD and exfiltrating 450GB of data. The group’s ransom demands reportedly range between $1 million and $11 million. RansomHouse uses polymorphic malware called MarioLocker, which is designed to run on VMWare ESXI hypervisors.

RansomHouse’s initial access vector is:

  • T1190: Exploit Public-Facing Application

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo