Recently it has been reported that the NoName ransomware gang has been observed deploying malicious ransomware known as RansomHub. As a new affiliate of RansomHub this shows the commitment of NoName to the ransomware business.
The gang has built a reputation over the last three years targeting small and medium-sized businesses. They are known to use brute force methods for attack and exploiting older CVE vulnerabilities that are known to be in small businesses.
It has been shared the CVE most exploited by the group include:
CVE-2017-0144 (aka EternalBlue),
CVE-2023-27532 (a vulnerability in a Veeam Backup & Replication component),
CVE-2021-42278 and CVE-2021-42287 (AD privilege escalation vulnerabilities) through noPac,
CVE-2022-42475 (a vulnerability in FortiOS SSL-VPN), and
CVE-2020-1472 (aka Zerologon).
The NoName group’s ransomware continues to be a significant threat to SMBs, employing advanced encryption techniques and exploiting well-known vulnerabilities. Their partnership with RansomHub and experimentation with LockBit 3.0 further highlights their adaptability and evolving tactics. Organizations must enhance patch management, detection capabilities, and maintain strong backup policies to mitigate the risks posed by this ransomware.
Remediation Actions and Recommendations:
Patch Management: Prioritize patching critical vulnerabilities.
Endpoint Protection: Use robust EDR (Endpoint Detection and Response) solutions to detect behaviors like process-killing attempts.
Penetration Testing: Testing of your environment will show where you have these CVE and brute force vulnerabilities.
Backup Strategies: Regularly back up data and store these backups offline to protect them from ransomware attacks. Ensure that backups are encrypted and cannot be altered by the malware.
User Education: Educate users on recognizing phishing attempts and brute-force attacks, as these are common initial access methods for the NoName group.
References:
09 September 2024. Toulas, B. BleepingComputer: "NoName ransomware gang deploying RansomHub malware"
CyberForce|Q wrote an article on “What Cybersecurity Services Do Small Companies Need?”, that provides an overview of three essential services to improve your cybersecurity posture.
How can CyberForce|Q services help you address this risk?
Incident Response is a time-based situation and CyberForce|Q can assist with a potential incident in your environment. Our experienced Incident Response Team can be deployed 24x7x365– reach out to solutions@cyberforceq.com.
Learn more about CyberForce|Q.