Ransomware Roundup - Knight
2023-10-30 23:0:0 Author: feeds.fortinet.com(查看原文) 阅读量:15 收藏

On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.

This edition of the Ransomware Roundup covers the Knight ransomware.

Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows
Impact: Encrypts and exfiltrates victims’ files and demands ransom for file decryption
Severity level: High

Knight Ransomware Overview

Knight is a relatively new ransomware group that arrived in August 2023. Like many attackers, the gang behind this variant employs double extortion tactics, where the Knight ransomware encrypts files on victims’ machines and exfiltrates data for extortion purposes.

The predecessor of Knight, Cyclops, had multi-OS tools for Windows, Linux, and Mac OS. So, while FortiGuard Labs had only located a Windows version of the Knight ransomware at the time of our investigation, it seems likely that other versions may be on the way.

Infection Vector

According to an advisory by CERT Italy in early September, Knight targeted Italian organizations with phishing campaigns using emails with malicious attachments. The same was reported in early August by security researcher @felixw3000. In addition, Remcos and Qakbot malware are known to deliver the Knight ransomware to compromised machines.

Victimology

According to data collected through Fortinet's FortiRecon service, the Knight ransomware group has targeted multiple industry verticals. While Retail was most affected by the Knight ransomware, the group also victimized organizations in healthcare, including hospitals, physicians’ clinics, and dental offices, indicating that the threat actor has no reservations about impacting people who need medical care.

When classifying victim organizations by country, the United States is in first place by a significant margin.

As of October 20, 2023, the Knight ransomware group had last posted new victims on October 18th.

Knight Ransomware Execution

Once a network has been compromised and data has been exfiltrated, files encrypted by the Knight ransomware are appended with a “.knight_l” file extension.

Because the Knight ransomware targets enterprises, the ransom fee is set at a relatively high price. However, the Bitcoin wallet in this ransom note had no recorded transactions at the time of our investigation.

Data Leak Site

The Knight ransomware group owns a TOR site where victims can contact the threat actor. Stolen information and a list of victims are also posted there.

The group also uses another TOR site for disclosing stolen data and has abused several publicly available file-sharing services, such as Mega, Gofile, and UploadNow.

Fortinet Protections

Fortinet customers are already protected from these malware variants through our AntiVirus and FortiEDR services, as follows:

FortiGuard Labs detects the Knight ransomware samples with the following AV signature:

  • W64/Filecoder.IZ!tr
  • W64/Filecoder.IZ!tr.ransom

FortiGuard Labs detects the known Knight ransomware droppers with the following AV signature:

  • W64/Agent.CUP!tr
  • W64/Agent.CUO!tr
  • W32/Ransom_Win64_CYCLOPS.A
  • W32/Ransom.JGNPVEC!tr
  • W32/PossibleThreat
  • MSIL/Small.DBB!tr.dldr

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Fortinet EPP customers running current AntiVirus updates are also protected.

Known hosting sites of the Knight ransomware droppers are blocked by the Web filtering client.

IOCs

File IOCs

SHA2

Note

1112d8346ee413ac8aecaf5bc0dc5400041669116a5a596c6be2e24c6886849d

Knight ransomware

2bfababf54992c32afced15b355cf7fcf7c6b0783cfee9086e80893d5f5124ed

3ed381014d25a9796bd6d007573b2abe152ee455738ae5f2288e5146726f3b2e

3f029aee12d43e3c67c4ab07c43bcd0960fa9f6a371f40577004673ac95e870c

40c6896d761595fe190e0fa891462bfb120579b6399bd28f40839c017a367538

4416ba60d11b0e8eafa07f3c3051c2d84ffcb5c860d458b6a1374fdc935e92f2

484414d68e1c3e79e602ed2876e963161916e21ea4e2c920da5cc623ea19731f

50ce3d6e410f0f83c9407a572eb29733084fed94f5dacff59cea350bcccee27d

581c6c58e6ea187e74bc23d8d0fa9feb7dc5cc2db4ca887afee5be229532e8e2

5ec48925f73ea58a27d6306d23d76b5da41e16754f58f26098ed36f0d1f198c8

6ff69b6e0f778aabf521a72a70c34274acfabc59a3472f7cba2372ebb8875d0f

70d2891a1cb3b6172428ea9cdb5a81b0494deac02b7dee91527a17fb9f53509a

712fc089cb028e381e285685519df357fb4102f8bc8de31547a9b98ca7629e49

7b4d227fddcc4e93ea0cdf017026ff2dad6efd6bc7de71b689dc0595a2a4fb4d

7f99540993e2afc351776b85ea22661d3701743521d55d657abdb23e12c93c00

a6258d70bc0b5d5c87368c5024d3f23585790b14227b8c59333413082524a956

b586d60beb49b362d4cd9b8d64fc9a3eef3da76b0f494c42c4ac30d6612d8993

b5deec95d1f50229e1361ca47761b9742006f484cf1f2c31ba8a495afb814ae2

cb41bbbe053e7a9b4857bf89c92298e7c0abdf9da157185fcfec5b383fe1e62c

cd92bf9c3349b086eec621de247bbb1bceebffb90863a46496c3b41fb13ec745

ce609604f4deb265ed957540b86ba96b33d26399c8d508110d78b0602f9d9d3a

d256bb30d0609d0e3aa7f1b98077dda6136f2f3604beb71ec982d8125d2858ed

e2af95e7827144a9278fcbb87fe8d9a4cfdb8f69b2f43f63c9e26aa6a33cc2ed

e5f1f8f5b2b4304493f416b54324c0b0e0253ed07ee1f4512bbe184e32e4580a

ecafd694118c4bcd21b4f7a620ed8a1346932f05acefe8cd32a01febec9a92d9

fba8fee602b5c3db46cbbb45ff2f8aa72791f47f8b8c6a556334d3d3358cebba

1341bd6193ea223c05566aaca13fc1152732b67af8344519d6efaaf9ab6ed5f4

Knight ransomware dropper

14ab9dc515dc22f0bbf5f3e44cc280e35331bf9209b6c4d35b86bfe3f32bcd23

167678eb9daa2376bd805069fac69c42b0ad0c6f70b9d644161970c1770c117f

3bd52cefc9d88c5292275729ca096c131a5db8c77ec142493a066623270cb782

3fbedfb9ae1e9bcef7983491124e3a50937f9c5209b7cfc2614197a2e8045cfb

4f1e46ac9e46f019d3be3173f0541f5ed07bde6389180cd7e8255d35b49f812e

554990b8636baf5af393d52ce85150a8b263b9c5fb214bc0e69a1b032ee8f3ae

5ace35adeb360b9e165e7c55065d12f192a3ec0ca601dd73b332bd8cd68d51fe

5c0f3de1254bcad7f457ad1898df2fdbe44dc964b5e92fba125c19888481da75

5ed4dfb7da504438688d779092a717cb2426ee88bc4f0ee588b3e989b7567dff

61bb91bc554d9b849cbd670669365bc5a58a8c5f9a0f530b8ed9a4b8f0968186

716341671eff8ca18c5f5bbf38095d07225141d02854168f854b168731b4c71c

75e227a3a41dc1c2d4384e877d88f9a06437a49f2c71f8efa7e2cc60bab6cc4a

7ec0d3e3dc4222f34c482926ce1f971b51929e95b9d097140bc1f4b1c84dafd9

9123e42cdd3421e8f276ac711988fb8a8929172fa76674ec4de230e6d528d09a

a2c654357d790d7c4cec619de951649db31ecdb63935f38b11bb37f983ff58de

b6064f6936f72d1312f40f86f0cb889c6d0477c20f59c6c96c385c6287f701f7

b94e28bc2e23eeff0d8c26334ef6c59d86a45fec37ffc83ab585d34019247355

bb65532e8a52e282d98938031c0d75155082933524924d01de4246e12690cf9c

c42ad519510936f14ab46fbad53606db8132ea52a11e3fc8d111fbccc7d9ab5a

dbf9cc65461c7bc650938156d3751d4ae0ce4312d3899f747e590767c0ef0408

eedda61d02d8bd0e145a07e6048621fc84f420376e6cda2616c2d77d4fd4fe18

f2571431c9d8e87081816d46cda9bde8d98b081056fdc2114e88cbad2d544cec

Network IOCs

URL

Note

hxxp://89.23.96.203/333/1[.]exe

Knight ransomware dropper location

Knight ransomware dropper location

hxxp://89.23.96.203/333/2[.]exe

hxxp://89.23.96.203/333/3[.]exe

hxxp://89.23.96.203/333/4[.]exe

hxxp://89.23.96.203/333/6[.]exe

hxxp://89.23.96.203/333/7[.]exe

hxxp://89.23.96.203/333/8[.]exe

hxxp://89.23.96.203/333/9[.]exe

hxxp://89.23.96.203/333/92[.]exe

hxxp://89.23.96.203/333/10[.]exe

hxxp://89.23.96.203/333/2wrRR6sW6XJtsXyPzuhWhDG7qwN4es[.]exe

hxxp://89.23.96.203/333/xwenxub285p83ecrzvft[.]exe

hxxp://89.23.96.203/333/TmsLA6kdcU8jxKzpMvbUVweTeF5YcR[.]exe

hxxp://89.23.96.203/333/cv4TCGxUjvS[.]exe

FortiGuard Labs Guidance

Due to the ease of disruption, damage to daily operations, potential impact on an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.

Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

Our FREE NSE trainingNSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.

Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.

As part of the industry's leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.

Best Practices Include Not Paying a Ransom

Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because the payment does not guarantee that files will be recovered. According to a US Department of Treasury's Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).

How Fortinet Can Help

FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. Our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).

Additionally, FortiRecon Digital Risk Protection (DRP), is a SaaS-based service that provides a view of what adversaries are seeing, doing, and planning, to help you counter attacks at the reconnaissance phase and significantly reduce the risk, time, and cost of later-stage threat mitigation.


文章来源: https://feeds.fortinet.com/~/803737226/0/fortinet/blog/threat-research~Ransomware-Roundup-Knight
如有侵权请联系:admin#unsafe.sh