Security researchers have untangled a web of interconnected ransomware variants that all trace back to a single origin: the Adhubllka ransomware family.
The newest of these is TZW, a strain whose lineage dates back to 2019. TZW targets individuals and small businesses and demands a modest ransom from each victim rather than the large sums typical of ransomware operations. Netenrich, a security and operations analytics firm, recently published research identifying TZW as the latest offshoot of the Adhubllka family, which came to prominence in January 2020 but was already operating the year before.
Even more significant than the discovery of the strain itself is the methodology the researchers used to pin down its identity. Over time, numerous Adhubllka samples have been mistakenly classified under other ransomware families, according to Rakesh Krishnan, senior threat analyst at Netenrich.
Samples that actually belong to the Adhubllka family have also circulated under other names, including ReadMe, MMM, MME and GlobeImposter2.0.
That confusion meant the strain's lineage had to be investigated further before it could be identified with confidence, Krishnan says.
More about Adhubllka
Adhubllka first drew wider attention in January 2020, but the researchers note that it was already substantially active the year before. In 2020, the TA547 threat group used Adhubllka variants in targeted campaigns across several regions of Australia.
Part of the difficulty in recognizing TZW as an Adhubllka derivative stems from the group's practice of demanding relatively small ransoms, typically between $800 and $1,600. A sum that low makes victims more inclined to simply pay, and such low-value incidents rarely attract the scrutiny that would expose the operators.
Looking ahead, the researchers expect the ransomware to resurface under yet more aliases, potentially in the hands of other groups running their own campaigns.
The researchers linked the recent campaign to Adhubllka by tracing Tor domains the attacker had used previously, following clues in the ransom note back to the source.
The note directs victims to a Tor-based victim portal where decryption keys are delivered after payment. Notably, the group switched from a v2 onion address to a v3 onion address in its notes after v2 onion services were retired from the Tor network, the post states. Because a v2 address is 16 base32 characters before .onion and a v3 address is 56, the address format alone places a note before or after that switch.
An additional sentence in the note, "the server with your decryptor is located in a closed Tor network", appeared in only two recent Adhubllka variants, TZW and U2K, the researchers note.
Other clear indicators of the latest Adhubllka variant included the consistent use of the same contact email address, firstname.lastname@example.org, throughout the campaign, a widely reported marker of the group, and a match to an Adhubllka sample (tracked by its MD5 hash) first identified in 2019.
The research shows the lengths to which ransomware operators go to throw threat hunters off their trail, and underlines the need to harden defenses with endpoint security controls, Krishnan emphasizes.
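As an added illustration of the note-pivoting described above, the script below is example code written for this page, not Netenrich's tooling. It extracts onion hostnames from ransom notes and classifies them as v2 or v3 by length (16 versus 56 base32 characters), pulls contact email addresses and the "closed Tor network" sentence, and then groups notes that share any of those indicators. Every note, onion hostname and email address in it is a constructed placeholder, not a real indicator.

```python
"""Pivot on ransom-note indicators to link variants of one ransomware family.

Added example for this page, not Netenrich's tooling. All notes, onion
hostnames and e-mail addresses below are constructed placeholders.
"""
import re
from collections import defaultdict

# Onion service hostnames are base32 (a-z, 2-7): 16 chars for v2, 56 for v3.
ONION_RE = re.compile(r"\b([a-z2-7]{16}|[a-z2-7]{56})\.onion\b")
EMAIL_RE = re.compile(r"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}")
# Boilerplate sentence the article reports only in the TZW and U2K notes.
MARKER = "the server with your decryptor is located in a closed tor network"

# Constructed placeholder hostnames with the right length for each version.
FAKE_V2_OLD = "oldplaceholder27"                    # 16 chars
FAKE_V2_OTHER = "unrelatedservice"                  # 16 chars
FAKE_V3_TZW = ("tzwplaceholder" * 4)[:55] + "d"     # 56 chars
FAKE_V3_U2K = ("u2kplaceholder" * 4)[:55] + "d"     # 56 chars

SAMPLE_NOTES = {  # constructed, not real ransom notes
    "2019_variant": (
        "Your files are encrypted. Contact us at decryptor.help@example.org "
        f"or visit http://{FAKE_V2_OLD}.onion/ to pay."
    ),
    "tzw": (
        "All your data has been encrypted. Write to decryptor.help@example.org. "
        f"Open http://{FAKE_V3_TZW}.onion/ in Tor Browser. "
        "The server with your decryptor is located in a closed Tor network."
    ),
    "u2k": (
        f"Go to http://{FAKE_V3_U2K}.onion/ for your key. "
        "The server with your decryptor is located in a closed Tor network."
    ),
    "unrelated": (
        "Pay 2 BTC. Mail otherteam@example.net "
        f"or see http://{FAKE_V2_OTHER}.onion/."
    ),
}


def onion_version(host):
    """Classify an onion hostname by length alone: 'v2', 'v3' or None.

    Length does not validate the embedded v3 checksum; it only dates the note.
    """
    name = host.lower()
    if name.endswith(".onion"):
        name = name[: -len(".onion")]
    if len(name) == 16:
        return "v2"
    if len(name) == 56:
        return "v3"
    return None


def extract_indicators(note):
    """Return onion hosts (with version), e-mail addresses and marker presence."""
    text = note.lower()
    onions = {f"{m.group(1)}.onion": onion_version(m.group(1))
              for m in ONION_RE.finditer(text)}
    emails = set(EMAIL_RE.findall(text))
    return {"onions": onions, "emails": emails, "marker": MARKER in text}


def pivot_keys(indicators):
    """Indicators usable for linking one note to another."""
    keys = set(indicators["onions"]) | indicators["emails"]
    if indicators["marker"]:
        keys.add("marker:closed-tor-network")
    return keys


def cluster_notes(notes):
    """Group note ids that share any pivot key, transitively (union-find)."""
    parent = {nid: nid for nid in notes}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}
    for nid, note in notes.items():
        for key in pivot_keys(extract_indicators(note)):
            if key in first_seen:
                parent[find(nid)] = find(first_seen[key])
            else:
                first_seen[key] = nid

    groups = defaultdict(list)
    for nid in notes:
        groups[find(nid)].append(nid)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for nid, note in SAMPLE_NOTES.items():
        ind = extract_indicators(note)
        print(nid, ind["onions"], sorted(ind["emails"]),
              "marker" if ind["marker"] else "")
    print("clusters:", cluster_notes(SAMPLE_NOTES))
```

With the constructed notes, the 2019 placeholder note links to the TZW note through the shared email address, and the U2K note joins the same cluster through the marker sentence alone, while the unrelated note stays separate. Shared boilerplate text is a weaker link than shared infrastructure, since notes are easily copied between groups, so in practice a text-only pivot should be confirmed with sample-level evidence such as the hash match the researchers used.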