New RansomHub ransomware gang has ties to older Knight group
- by nlqip
The two malware programs are so similar that it’s hard to tell their code apart, the Symantec researchers said, noting that the only differences are an added sleep command to RansomHub’s variant and the commands that are available to execute through the Windows command line shell cmd.exe. However, these commands are configurable in the malware builder when the payload is generated, so it’s not hard to change them.
Even the text of the ransom note is copied almost word for word from Knight’s with only the contact links changed and other small edits. It’s also possible that Knight/Cyclops itself was derived from other ransomware programs from the past.
“A unique feature present in both Knight and RansomHub is the ability to restart an endpoint in safe mode before starting encryption,” the Symantec researchers said. “This technique was previously employed by Snatch ransomware in 2019 and allows encryption to progress unhindered by operating system or other security processes. Snatch is also written in Go and has many similar features, suggesting it could be another fork of the same original source code used to develop Knight and RansomHub.”
Source link
lol
The two malware programs are so similar that it’s hard to tell their code apart, the Symantec researchers said, noting that the only differences are an added sleep command to RansomHub’s variant and the commands that are available to execute through the Windows command line shell cmd.exe. However, these commands are configurable in the malware…
Recent Posts
- Hackers breach US firm over Wi-Fi from Russia in ‘Nearest Neighbor Attack’
- Microsoft rolls out Recall to Windows Insiders with Copilot+ PCs
- Five Companies That Came To Win This Week
- The 10 Hottest Semiconductor Startups Of 2024
- Cybersecurity Snapshot: Prompt Injection and Data Disclosure Top OWASP’s List of Cyber Risks for GenAI LLM Apps