Ransomware gangs are expanding their efforts

Many experts have warned that no matter the industry you’re in, you’re not safe from ransomware attacks.  This is evidenced by the recent attack on Estée Lauder, the giant beauty care company.  In another twist, a ransomware virus going around pretending to be a valid alert from Sophos is infecting computers across the globe.

Two ransomware groups, ALPHV/BlackCat and Clop, have put beauty company Estée Lauder on their data leak sites as a recent victim. The BlackCat gang mocked the company and it’s lack of security measures, stating they were still in their company computer systems.

In a Security Exchange Commission (SEC) filing on Tuesday, The Estée Lauder Companies confirmed one of the attacks stating that the ransomware attacker gained access to some of its systems and may have stolen data. The company did not provide too many details about the incident. It continues to say that it acted quickly and took down some systems to prevent attackers from expanding on the network.

An investigation is ongoing with the support of third-party cybersecurity experts. The company is also coordinating with law enforcement. Experts are stating that the Clop ransomware gang gained access to the company after exploiting a vulnerability in the MOVEit Transfer platform for secure file transfers. The threat actor started leveraging the vulnerability when it was a zero-day in late May and claimed to have breached hundreds of companies.

On their data leak site, Clop ransomware lists Estée Lauder with the simple message “The company doesn’t care about its customers, it ignored their security!!!” and a note that they have more than 131GB of the company’s data.

BlackCat pressing for negotiation

On Tuesday, BlackCat also added Estée Lauder to their list of victims but the entry is accompanied by a message showing the threat actor’s dissatisfaction towards the company’s silence to their extortion emails. “We first wrote to the ELC leadership on 15 July 2023 to their corporate and personal emails. At 9:43 MSK (UTC +3). We sent further emails from the same address, but received no reply” stated the message from the BlackCat ransomware group.

Referring to the security experts that Estée Lauder brought in to investigate, BlackCat said that despite the company using Microsoft’s Detection and Response Team (DART) and Mandiant the network remained compromised and they still had access. The attacker also said that they did not encrypt any of the company systems, adding that unless Estée Lauder engages in negotiations they will reveal more details about the stolen data.

BlackCat hinted that the information exfiltrated could impact customers, company employees, and suppliers.

Estée Lauder’s lack of response to BlackCat’s communication indicates that the company will not engage in any negotiation with the threat actor. In the SEC filing, the company informs that the focus is “on remediation, including efforts to restore impacted systems and services” and that the “incident has caused, and is expected to continue to cause, disruption to parts of the Company’s business operations.”

Sophos impersonation creates confusion

Cybersecurity vendor Sophos is being impersonated by a new ransomware-as-a-service called SophosEncrypt, with the threat actors using the company name for their operation. Discovered by MalwareHunterTeam, the ransomware was initially thought to be part of a red team exercise by Sophos. However, the Sophos X-Ops team tweeted that they did not create the encryptor and that they are investigating its launch.

“We found this on VT earlier and have been investigating. Our preliminary findings shows Sophos InterceptX protects against these ransomware samples,” tweeted Sophos.

The SophosEncrypt ransomware

The ransomware encryptor is written in Rust and uses the ‘C:\Users\Dubinin\’ path for its crates. Internally, the ransomware is named ‘sophos_encrypt,’ so it has been dubbed SophosEncrypt, with detections already added to ID Ransomware.

When executed, the encryptor prompts the affiliate to enter a token associated with the victim that is likely first retrieved from the ransomware management panel. When a token is entered, the encryptor will connect to 179.43.154.137:21119 and verify if the token is valid.

When a valid token is entered, the encryptor will prompt the ransomware affiliate for additional information to be used when encrypting the device. This information includes a contact email, jabber address, and a 32-character password, which Gillespie says is used as part of the encryption algorithm.

The encryptor will then prompt the affiliate to encrypt one file or encrypt the entire device. When encrypting files, it uses AES256-CBC encryption with PKCS#7 padding. Each encrypted file will have the entered token, the entered email, and the sophos extension appended to a file’s name in the format :.[[]].[[]].sophos.

In each folder that a file is encrypted, the ransomware will create a ransom note named information.hta, which is automatically launched when the encryption is finished. This ransom note contains information on what happened to a victim’s files and the contact information.

The ransomware also has the capability to change the Windows desktop wallpaper, with the current wallpaper boldly displaying the ‘Sophos’ brand that it is impersonating. To be clear, this wallpaper was created by the threat actors and has no association with the legitimate Sophos cybersecurity company.

The encryptor contains numerous references to a Tor site located at http://xnfz2jv5fk6dbvrsxxf3dloi6by3agwtur2fauydd3hwdk4vmm27k7ad.onion. This Tor site is not a negotiation or data leak site but rather what appears to be the affiliate panel for the ransomware-as-a-service operation.

Researchers are still analyzing the SophosEncrypt to see if any weaknesses could allow the recovery of files for free. If any weaknesses, or encryption issues, are found, we will publish an update to this article.

Sophos Releases Report

According to the Sophos report, the ransomware gang’s command and control server at 179.43.154.137 is also linked to Cobalt Strike C2 servers used in previous attacks.

“In addition, both samples contain a hardcoded IP address (one we did see the samples connect to),” explains Sophos’ report.

“The address has been associated for more than a year with both Cobalt Strike command-and-control and automated attacks that attempt to infect internet-facing computers with cryptomining software.”

Not only is a good backup solution necessary, but so is a thoroughly vetted IT environment that stays on top of vulnerabilities and remediates issues as quickly as possible.  This is where BBG comes into the picture.  Not only do we have our DRaaS solution, our technical advisors have helped many companies shore up their IT environment and ensure they have the processes in place to stay up to date with security information.  Contact us today to setup a time to discuss!