Colonial Pipeline Ransomware Group Has Increased Its Danger

According to Symantec, the group, known as Coreid, has updated its data exfiltration tool and now offers more sophisticated capabilities to successful affiliates.
SIA Team
September 24, 2022

The group behind the Colonial Pipeline ransomware attack has adopted new tools and tactics that make it a greater threat.

In May 2021, Colonial Pipeline, which operates the pipeline carrying refined fuel up the US East Coast, was hit by the DarkSide ransomware, an attack that drew widespread media attention. The cybercriminals behind DarkSide are now using new ransomware along with new tools and techniques, which increases the threat they pose.

“In most ways, this report simply reinforces the fact that while there are a few monolithic ‘full stack’ cybercrime gangs, many players in the cybercriminal ecosystem are specialized in different functions,” Chris Clements, VP of Solutions Architecture for Cerberus Sentinel, said. 

In a report published on Thursday, security company Symantec described the latest tools and tactics Coreid uses to target businesses with ransomware.

Coreid is a ransomware-as-a-service (RaaS) operation: it develops the ransomware and its supporting tooling and takes a cut from the affiliates who use them to carry out the actual attacks. Other vendors track the group as FIN7 or Carbon Spider.

After DarkSide ceased operating in the wake of the Colonial Pipeline attack, the operation swiftly reappeared, this time offering its ransomware under the name Noberus. With more advanced tools and techniques, Noberus poses a larger threat.

“There are initial access brokers reselling footholds into networks, ransomware as service developers that build the tools to escalate privileges, exfiltrate data, and launch mass encryption operations, and their customers who leverage those toolsets to extort victims,” Clements said.

Noberus, first observed in November 2021, has several features intended to set it apart from other ransomware families. It offers four encryption modes and two encryption algorithms, which affiliates can combine when encrypting files on a victim's systems, complicating recovery for victims and analysis for law enforcement.

Its default mode uses a technique known as "intermittent encryption": rather than encrypting every byte of a file, it encrypts only parts of it. That makes the encryption run faster and leaves the file looking less obviously encrypted to tools that watch for ransomware activity.
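To make the trade-off concrete, here is an added, self-contained Python illustration of intermittent encryption and of why it defeats a naive file-entropy check. It is not Noberus code and not Symantec's analysis: the keystream is a toy SHA-256 counter construction standing in for a real cipher, the chunk and head sizes (1024 and 64 bytes) are assumptions chosen for the demonstration, and the sample "document" is constructed inline.

```python
import hashlib
import math
from collections import Counter

# Constructed sample: a low-entropy "document" standing in for a victim file.
SAMPLE_PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 400  # 18,000 bytes
KEY = b"toy-demo-key-not-for-real-use"


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256(key || counter).

    Stand-in for a real stream cipher so the example needs only the standard
    library; it is not the cipher Noberus uses and is not secure.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def full_encrypt(data: bytes, key: bytes) -> bytes:
    """Encrypt every byte (XOR with the keystream). Calling it again decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def intermittent_encrypt(data: bytes, key: bytes, chunk_size: int = 1024, head: int = 64) -> bytes:
    """Encrypt only the first `head` bytes of every `chunk_size` chunk.

    The chunk/head sizes are assumptions for illustration, not Noberus's real
    parameters. Because XOR is its own inverse, calling it again decrypts.
    """
    ks = keystream(key, len(data))
    out = bytearray(data)
    for start in range(0, len(data), chunk_size):
        for i in range(start, min(start + head, len(data))):
            out[i] ^= ks[i]
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def changed_fraction(before: bytes, after: bytes) -> float:
    """Share of bytes the encryptor actually touched."""
    return sum(1 for a, b in zip(before, after) if a != b) / len(before)


def whole_file_detector(data: bytes, threshold: float = 7.0) -> bool:
    """Naive ransomware check: flag a file whose overall entropy looks random."""
    return shannon_entropy(data) >= threshold


def windowed_detector(data: bytes, window: int = 64, threshold: float = 5.5) -> bool:
    """Flag a file if any fixed-size window looks random on its own.

    A 64-byte window can reach at most log2(64) = 6 bits per byte, so 5.5 is
    "close to random" for that window size; English text sits well below it.
    """
    return any(
        shannon_entropy(data[i:i + window]) >= threshold
        for i in range(0, len(data) - window + 1, window)
    )


if __name__ == "__main__":
    full = full_encrypt(SAMPLE_PLAINTEXT, KEY)
    part = intermittent_encrypt(SAMPLE_PLAINTEXT, KEY)
    for name, blob in (("plaintext", SAMPLE_PLAINTEXT), ("full", full), ("intermittent", part)):
        print(f"{name:12s} changed={changed_fraction(SAMPLE_PLAINTEXT, blob):.3f} "
              f"entropy={shannon_entropy(blob):.2f} "
              f"whole-file={whole_file_detector(blob)} windowed={windowed_detector(blob)}")
```

With these parameters the intermittent mode touches about 6% of the bytes, so it finishes roughly sixteen times sooner than full encryption while still destroying the start of every kilobyte, which is enough to break most file formats. Whole-file entropy stays near that of plain text, so a detector keyed on "the whole file now looks random" never fires; measuring entropy over small windows, as the second detector does, catches both modes.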

Noberus uses a tool called Exmatter to exfiltrate data. According to Symantec, Exmatter is built to take specific file types from specific directories and upload them to an attacker-controlled server before the ransomware is deployed. Exmatter, which is under continual development, can exfiltrate files over FTP, SFTP (Secure FTP) or WebDAV.

It can also produce a report of all the files it has processed and, if it detects that it is running outside a corporate environment, delete itself.
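The defensive counterpart to a tool that pushes selected files out over FTP, SFTP or WebDAV is a hunt for bulk outbound transfers over exactly those channels. The following Python is an added example written for this page, not code from Symantec or from the Exmatter analysis: it runs a sliding-window byte-volume rule over constructed connection records loosely modelled on Zeek's conn.log fields. The service labels (including "webdav"), the RFC1918 prefix list, the 10-minute window and the 500 MB threshold are all assumptions for the demonstration.

```python
from collections import defaultdict, deque

# Constructed connection records, loosely modelled on Zeek conn.log fields:
# ts, source IP, destination IP, destination port, service, bytes sent by source.
# Not real traffic from any incident.
SAMPLE_CONN_LOG = """\
1663840000.0 10.0.5.21 203.0.113.40 22 ssh 734003200
1663840030.0 10.0.5.21 203.0.113.40 22 ssh 512000000
1663840090.0 10.0.5.21 203.0.113.40 22 ssh 418000000
1663840120.0 10.0.5.21 198.51.100.8 80 webdav 96000000
1663840200.0 10.0.7.14 10.0.0.5 445 smb 3200000
1663840300.0 10.0.7.14 203.0.113.77 443 ssl 240000
1663841500.0 10.0.9.3 192.0.2.10 21 ftp 820000
1663850000.0 10.0.5.21 203.0.113.40 22 ssh 120000
"""

# Channels Exmatter is reported to use: FTP, SFTP (carried over ssh) and WebDAV.
EXFIL_SERVICES = {"ftp", "ssh", "webdav"}
# Crude "is this one of our hosts" check; an assumption for the example.
INTERNAL_PREFIXES = ("10.", "192.168.", "172.16.")


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIXES)


def parse_conn_log(text: str) -> list:
    """Parse the space-separated records above into dicts, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, service, sent = line.split()
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "port": int(port), "service": service, "bytes": int(sent)})
    records.sort(key=lambda r: r["ts"])
    return records


def find_bulk_exfil(records: list, window_seconds: float = 600,
                    byte_threshold: int = 500_000_000) -> dict:
    """Flag internal hosts that send more than byte_threshold bytes to external
    hosts over exfil-capable services within any window_seconds-long window.

    Returns {source_ip: (peak_bytes_in_window, sorted destinations in that window)}.
    """
    alerts = {}
    recent = defaultdict(deque)   # src -> (ts, bytes, dst) still inside the window
    running = defaultdict(int)    # src -> bytes summed over `recent`
    for r in records:
        if r["service"] not in EXFIL_SERVICES:
            continue
        if not is_internal(r["src"]) or is_internal(r["dst"]):
            continue  # only internal -> external transfers count
        src = r["src"]
        q = recent[src]
        q.append((r["ts"], r["bytes"], r["dst"]))
        running[src] += r["bytes"]
        # Drop records that have fallen out of the window.
        while q and r["ts"] - q[0][0] > window_seconds:
            _, old_bytes, _ = q.popleft()
            running[src] -= old_bytes
        if running[src] > byte_threshold:
            total = running[src]
            destinations = sorted({d for _, _, d in q})
            previous = alerts.get(src)
            if previous is None or total > previous[0]:
                alerts[src] = (total, destinations)
    return alerts


if __name__ == "__main__":
    for host, (total, dsts) in find_bulk_exfil(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"{host}: {total / 1e6:.0f} MB out over exfil channels to {', '.join(dsts)}")
```

Only the workstation that pushed roughly 1.7 GB over SSH and WebDAV within two minutes is flagged; the SMB copy to an internal server, the small TLS session and the single small FTP upload are not. In practice the threshold should come from a per-host baseline rather than a constant, and the SSH bucket should be narrowed to hosts that have no business running SFTP, since ordinary administration traffic also shows up as service "ssh".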

Symantec also reports that Noberus affiliates can use information-stealing malware to take credentials from Veeam backup software, a backup and disaster recovery product in which many enterprises store the logins it uses to reach cloud services and domain controllers. The malware, known as Infostealer.Eamfo, connects to the SQL database in which those credentials are kept and extracts them with a specific SQL query.
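A practical check against this kind of credential theft is to audit reads of the backup product's credential table and alert on any that do not come from the backup software itself. The Python below is an added example for this page, not Symantec's detection and not Eamfo's query: it runs that rule over constructed SQL Server audit records written as JSON lines. The database name "VeeamBackup" is assumed to be the product's default configuration database, "dbo.Credentials" is assumed to be the table holding stored logins, and "VeeamBackupSvc" is a placeholder for whatever application name the legitimate service presents, not a real service name.

```python
import json
import re

# Constructed SQL Server Audit records, one JSON object per line, using the
# column names SQL Server Audit emits. Not real telemetry. "VeeamBackup" and
# "dbo.Credentials" are assumed defaults; "VeeamBackupSvc" is a placeholder for
# the trusted application name the real service would present.
SAMPLE_AUDIT = """\
{"event_time": "2022-09-20T02:14:05", "server_principal_name": "svc_veeam", "client_app_name": "VeeamBackupSvc", "host_name": "VBR01", "database_name": "VeeamBackup", "statement": "SELECT id, user_name, password FROM dbo.Credentials WHERE id = @id"}
{"event_time": "2022-09-20T02:31:48", "server_principal_name": "jdoe", "client_app_name": "sqlcmd", "host_name": "WS-1042", "database_name": "VeeamBackup", "statement": "SELECT user_name, password, description FROM dbo.Credentials"}
{"event_time": "2022-09-20T02:32:10", "server_principal_name": "svc_veeam", "client_app_name": "VeeamBackupSvc", "host_name": "VBR01", "database_name": "VeeamBackup", "statement": "SELECT id, name FROM dbo.Backups"}
{"event_time": "2022-09-20T02:40:02", "server_principal_name": "jdoe", "client_app_name": "Microsoft SQL Server Management Studio", "host_name": "WS-1042", "database_name": "VeeamBackup", "statement": "SELECT COUNT(*) FROM dbo.Credentials"}
{"event_time": "2022-09-20T02:41:30", "server_principal_name": "svc_app", "client_app_name": "AppServer", "host_name": "APP01", "database_name": "OtherDB", "statement": "SELECT * FROM dbo.Credentials"}
"""

# Matches the credentials table whatever schema prefix or casing is used.
CREDENTIAL_TABLE = re.compile(r"\bcredentials\b", re.IGNORECASE)


def parse_audit(text: str) -> list:
    """Parse JSON-lines audit output into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_credential_store_reads(records: list, trusted_apps: set,
                                database: str = "VeeamBackup") -> list:
    """Return audit records in which anything other than a trusted application
    touched the credentials table of the backup configuration database."""
    hits = []
    for r in records:
        if r.get("database_name") != database:
            continue
        if not CREDENTIAL_TABLE.search(r.get("statement", "")):
            continue
        if r.get("client_app_name") in trusted_apps:
            continue
        hits.append(r)
    return hits


if __name__ == "__main__":
    for hit in find_credential_store_reads(parse_audit(SAMPLE_AUDIT), {"VeeamBackupSvc"}):
        print(f'{hit["event_time"]} {hit["server_principal_name"]}@{hit["host_name"]} '
              f'via {hit["client_app_name"]}: {hit["statement"]}')
```

Two events are flagged: an ad hoc sqlcmd dump of the credentials table from a workstation and a later Management Studio query from the same host. The Veeam service's own lookup and the unrelated database are left alone. Matching on the application name is a weak trust signal, since a client can set it to anything, so in production the allowlist should also pin the expected principal and host, and an alert should fire on any access from a host that is not the backup server.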