Cisco Talos, the Cisco cyber-intelligence division, has published a detailed investigation into a new ransomware campaign carried out by the group ‘Chaos’, which has already begun attacking multiple organizations in the United States.
Ransomware is, alongside phishing, the greatest threat to global cybersecurity. It is a computer attack that infects a personal computer, smartphone or any other electronic device with the aim of blocking its operation and/or access to part or all of the equipment. Especially worrying is the increase in ransomware attacks on companies and organizations: attacks that compromise the integrity of an organization’s systems and also put its operational capacity at risk.
In recent times, ransomware as a service (RaaS) has been gaining prominence as an attack method, and this is how the ‘Chaos’ group identified by Cisco Talos operates. Talos considers the group responsible for high-profile attacks (big-game hunting) and double extortion affecting critical sectors such as technology, insurance, manufacturing, logistics, food services and non-governmental organizations (NGOs).
Although it shares a name with previous variants built with the ‘Chaos Builder’, it is not related to that earlier malware, and it seems to exploit this confusion intentionally to hinder detection by cybersecurity teams.
Talos believes that the new Chaos ransomware group could be a rebranded BlackSuit (Royal) ransomware operation, or a new group that emerged from that criminal organization, which Talos previously identified as one of the ransomware groups with the highest volume of attacks.
The attackers have used a staged approach: initial access through low-effort spam campaigns combined with voice-based social engineering to get the ransomware deployed; the use of legitimate remote administration tools such as AnyDesk, ScreenConnect, Syncro, OptiTune and Splashtop Streamer to maintain persistence and control over the compromised systems; and the exfiltration of data using the GoodSync backup software, which redirects stolen information to cloud storage controlled by the attackers.