New RansomHub ransomware gang has ties to older Knight group
- by nlqip
The two malware programs are so similar that it’s hard to tell their code apart, the Symantec researchers said, noting that the only differences are an added sleep command to RansomHub’s variant and the commands that are available to execute through the Windows command line shell cmd.exe. However, these commands are configurable in the malware builder when the payload is generated, so it’s not hard to change them.
Even the text of the ransom note is copied almost word for word from Knight’s with only the contact links changed and other small edits. It’s also possible that Knight/Cyclops itself was derived from other ransomware programs from the past.
“A unique feature present in both Knight and RansomHub is the ability to restart an endpoint in safe mode before starting encryption,” the Symantec researchers said. “This technique was previously employed by Snatch ransomware in 2019 and allows encryption to progress unhindered by operating system or other security processes. Snatch is also written in Go and has many similar features, suggesting it could be another fork of the same original source code used to develop Knight and RansomHub.”
Source link
lol
The two malware programs are so similar that it’s hard to tell their code apart, the Symantec researchers said, noting that the only differences are an added sleep command to RansomHub’s variant and the commands that are available to execute through the Windows command line shell cmd.exe. However, these commands are configurable in the malware…
Recent Posts
- Arm To Seek Retrial In Qualcomm Case After Mixed Verdict
- Jury Sides With Qualcomm Over Arm In Case Related To Snapdragon X PC Chips
- Equinix Makes Dell AI Factory With Nvidia Available Through Partners
- AMD’s EPYC CPU Boss Seeks To Push Into SMB, Midmarket With Partners
- Fortinet Releases Security Updates for FortiManager | CISA