A ransomware operator has continually rebranded itself over the past year in order to evade detection, while launching cyberattacks on critical infrastructure across several industries.
Researchers with Mandiant detailed a threat group called UNC2190, which is an operator behind an affiliate ransomware program. Since June, researchers said they have observed the group targeting the education, health and natural resources sectors in the U.S. and Canada. However, its activities trace back to at least July 2020, and since then the group has rebranded several times.
“UNC2190 has continued to operate over the past year while making only minor changes to their strategies and tooling, including the introduction of a commercial packer and the rebranding of their service offering,” Tyler McLellan and Brandan Schondorfer, with Mandiant, said on Monday. “This highlights how well-known tools, such as Beacon, can lead to impactful and lucrative incidents even when leveraged by lesser-known groups.”
Researchers said that UNC2190's rebrands, coupled with the fact that it is lesser known and potentially smaller, means the group is able to avoid public scrutiny. In July 2020, researchers said that the group deployed ransomware called Rollcoast while branded as “Eruption.” In June 2021, the group rebranded itself as “Arcane” and released a web portal aimed at publicly shaming victims, likely in an attempt to further extort them. Researchers observed three victims being publicly extorted in this way in June.
Then in October, researchers observed a new public shaming web portal and blog from a group calling itself “Sabbath.” This appeared to be yet another rebranding effort, as the web portal and blog were nearly identical to that of “Arcane,” including the same text content, consistent grammatical errors, and only minor changes to the name, color scheme and logo.
Researchers observed victims being publicly extorted via this newer web portal in mid-November, when six victims were added over the course of two days. UNC2190’s victims include a Texas school district, which was hit with a cyberattack in September. The threat group made a multi-million dollar ransom demand for this victim and emailed its staff, parents and even students to put further pressure on the district.
“UNC2190 uses a multifaceted extortion model where ransomware deployment may be quite limited in scope, bulk data is stolen as leverage, and the threat actor actively attempts to destroy backups,” said McLellan and Schondorfer.
Researchers first came across UNC2190's activities when they identified posts on various Russian language hacker forums that sought out partners with access to commercial networks. UNC2190 was offering to pay a percentage of successful ransom payments collected to the hackers that provide access, exfiltrate stolen data, delete backups, and carry out portions of their ransomware operations, said McLellan.
The Rollcoast ransomware, first observed in use by UNC2190 in July 2020, is a dynamic link library (DLL) that encrypts files on logical drives attached to a system. The ransomware has various features allowing it to evade detection: For instance, it had only one ordinal export, which researchers believe could mean the sample was designed to sidestep detection and be invoked within memory, potentially through the Beacon malware provided to affiliates. The Rollcoast ransomware would also check the system language and exit if it detected a non-supported language code (from Russia, Turkey or Albania, for instance). This is a common practice for ransomware families, and helps them avoid encrypting systems in Russia and other Commonwealth of Independent States countries, potentially to avoid attracting attention of law enforcement in countries where ransomware operators or affiliates may reside, said researchers.
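The export-table shape described above (a DLL exposing a single function by ordinal, with no exported name) is something a responder can check directly on a memory-captured copy of the module. The following is an added triage example, not Mandiant's tooling and not derived from any Rollcoast sample: a small pure-Python parser of the PE export directory plus a heuristic that flags images whose exports carry no names. The `build_minimal_pe` helper constructs synthetic PE32+ test images (the DLL name `sample.dll`, the export names and the RVAs are all made up) so the block runs offline without a real binary.

```python
import struct

# Added triage example: parse the PE export directory and flag DLLs whose
# exports are ordinal-only. Works on a file or on a module dumped from memory.

def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} not backed by any section")

def _read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_exports(data: bytes) -> dict:
    """Return export-table facts: DLL name, function count, name count, names."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_off = 112 if magic == 0x20B else 96          # data directories: PE32+ vs PE32
    num_dirs = struct.unpack_from("<I", data, opt + dir_off - 4)[0]
    export_rva = struct.unpack_from("<I", data, opt + dir_off)[0] if num_dirs else 0
    sections = []
    for i in range(num_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + size_opt + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    info = {"dll_name": None, "num_functions": 0, "num_names": 0, "names": []}
    if export_rva == 0:
        return info
    exp = _rva_to_offset(sections, export_rva)
    # IMAGE_EXPORT_DIRECTORY fields from offset 12: Name, Base, NumberOfFunctions,
    # NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    name_rva, _base, n_funcs, n_names, _af, an, _ao = struct.unpack_from("<IIIIIII", data, exp + 12)
    info["dll_name"] = _read_cstr(data, _rva_to_offset(sections, name_rva)) if name_rva else None
    info["num_functions"], info["num_names"] = n_funcs, n_names
    if n_names:
        names_off = _rva_to_offset(sections, an)
        for i in range(n_names):
            nrva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
            info["names"].append(_read_cstr(data, _rva_to_offset(sections, nrva)))
    return info

def ordinal_only_exports(info: dict) -> bool:
    """Triage heuristic: the image exports something, but nothing by name."""
    return info["num_functions"] > 0 and info["num_names"] == 0

def build_minimal_pe(named_exports, unnamed_exports):
    """Construct a synthetic PE32+ DLL holding only an export section (test data, not a real sample)."""
    FILE_ALIGN, SEC_RVA = 0x200, 0x1000
    n_funcs, n_names = len(named_exports) + unnamed_exports, len(named_exports)
    funcs_rva = SEC_RVA + 40
    names_rva = funcs_rva + 4 * n_funcs
    ords_rva = names_rva + 4 * n_names
    strings_rva = ords_rva + 2 * n_names
    strings, name_rvas = b"", []
    for n in named_exports:
        name_rvas.append(strings_rva + len(strings))
        strings += n.encode() + b"\0"
    dll_name_rva = strings_rva + len(strings)
    strings += b"sample.dll\0"                      # made-up module name
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name_rva, 1, n_funcs, n_names,
                       funcs_rva, names_rva, ords_rva)
    body += b"".join(struct.pack("<I", 0x2000 + 16 * i) for i in range(n_funcs))  # fake code RVAs
    body += b"".join(struct.pack("<I", r) for r in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n_names))
    body += strings
    raw_size = -(-len(body) // FILE_ALIGN) * FILE_ALIGN
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)    # one section, DLL flag
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)  # NumberOfRvaAndSizes = 16
    dirs = struct.pack("<II", SEC_RVA, len(body)) + b"\0" * (8 * 15)   # directory 0 = exports
    sect = struct.pack("<8sIIIIIIHHI", b".edata", len(body), SEC_RVA, raw_size, FILE_ALIGN,
                       0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + opt + dirs + sect).ljust(FILE_ALIGN, b"\0")
    return headers + body.ljust(raw_size, b"\0")

if __name__ == "__main__":
    for label, img in (("ordinal-only", build_minimal_pe([], 1)),
                       ("named", build_minimal_pe(["Init", "Run"], 0))):
        info = parse_exports(img)
        print(label, info["dll_name"], info["num_functions"], info["names"],
              "FLAG" if ordinal_only_exports(info) else "ok")
```

Ordinal-only exports are legitimate in plenty of system and vendor DLLs, so the flag is a reason to look closer (alongside the in-memory loading and the language check the article mentions), not a verdict on its own.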
“Mandiant only observed Rollcoast in one incident which was attributed to UNC2190," said Schondorfer. "In this incident, Mandiant Consulting captured Rollcoast in memory. Since Rollcoast appears to be designed to be loaded into memory by Beacon, this has allowed UNC2190 to avoid leaving copies of the ransomware on disk at any victims and kept ROLLCOAST from showing up on VirusTotal and other malware repositories.”
Since July 2020, UNC2190 has been offering these pre-configured Beacon backdoors, which are payloads from the commercial Cobalt Strike simulation software. Cobalt Strike is marketed to red teams but has also been stolen and used by ransomware operators. Researchers said that an affiliate program operator supplying its own Beacon payloads is “unusual” and complicates attribution. The payloads handed to affiliates contain “unique malleable profile elements”; researchers observed, for instance, that samples issued GET requests with URIs ending in kitten.gif.
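A profile detail like the URI tail quoted above is the kind of thing a defender folds into a proxy-log watchlist, paired with a check for the regular polling that a beacon produces. The following is an added example written for this article, not Mandiant's detection content: it scans constructed proxy log lines (format `<timestamp> <client> <method> <url> <status>`, hosts under `example.test`, all made up) for GET requests whose path ends in a watchlisted suffix, then reports, per client, how many hits occurred and the median interval between them.

```python
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

# Constructed proxy log lines (not real traffic): "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2021-11-30T10:00:00Z 10.0.0.5 GET http://cdn.example.test/images/kitten.gif 200
2021-11-30T10:00:07Z 10.0.0.7 GET http://intranet.example.test/index.html 200
2021-11-30T10:01:00Z 10.0.0.5 GET http://cdn.example.test/images/kitten.gif 200
2021-11-30T10:01:30Z 10.0.0.9 GET http://pics.example.test/a/kitten.gif?id=3 200
2021-11-30T10:02:00Z 10.0.0.5 GET http://cdn.example.test/images/kitten.gif 200
2021-11-30T10:02:15Z 10.0.0.7 POST http://intranet.example.test/api/upload 201
2021-11-30T10:03:00Z 10.0.0.5 GET http://cdn.example.test/images/kitten.gif 200
"""

# Hypothetical watchlist; the only entry is the URI tail the article quotes.
WATCHLIST_SUFFIXES = ("kitten.gif",)

def parse_line(line):
    """Split one constructed log line into a record with a timezone-aware timestamp."""
    ts, client, method, url, status = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "client": client, "method": method, "url": url, "status": int(status)}

def find_watchlist_hits(log_text, suffixes=WATCHLIST_SUFFIXES):
    """Return records for GET requests whose URL path (query string ignored) ends in a watchlisted suffix."""
    wanted = tuple(s.lower() for s in suffixes)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        path = urlsplit(rec["url"]).path.lower()
        if rec["method"] == "GET" and path.endswith(wanted):
            hits.append(rec)
    return hits

def summarize_by_client(hits):
    """Per client: number of hits and the median gap in seconds between consecutive hits."""
    by_client = {}
    for rec in hits:
        by_client.setdefault(rec["client"], []).append(rec["ts"])
    summary = {}
    for client, stamps in by_client.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        summary[client] = {"count": len(stamps),
                           "median_interval_s": median(gaps) if gaps else None}
    return summary

if __name__ == "__main__":
    hits = find_watchlist_hits(SAMPLE_LOG)
    for client, stats in summarize_by_client(hits).items():
        print(client, stats)
```

A suffix match by itself is a weak signal (a benign image can share the name), which is why the summary also surfaces the request cadence: a client fetching the same resource every sixty seconds looks much more like a check-in than a browser does, and is the lead to pivot on.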
Ransomware groups have typically rebranded as a way to fly under the radar. Researchers have suggested, for instance, that the DarkSide ransomware gang rebranded as the BlackMatter ransomware operation. These rebrands come as federal agencies crack down both on ransomware operators and on the way ransom payments are made, following the Colonial Pipeline attack in May.
“The targeting of critical infrastructure by ransomware groups has become increasingly concerning as evidenced by governments moving to target ransomware actors as national security level threats with particular attention to groups that target and disrupt critical infrastructure,” said McLellan and Schondorfer.