New RansomHub ransomware gang has ties to older Knight group
- by nlqip
The two malware programs are so similar that it’s hard to tell their code apart, the Symantec researchers said, noting that the only differences are an added sleep command to RansomHub’s variant and the commands that are available to execute through the Windows command line shell cmd.exe. However, these commands are configurable in the malware builder when the payload is generated, so it’s not hard to change them.
Even the text of the ransom note is copied almost word for word from Knight’s with only the contact links changed and other small edits. It’s also possible that Knight/Cyclops itself was derived from other ransomware programs from the past.
“A unique feature present in both Knight and RansomHub is the ability to restart an endpoint in safe mode before starting encryption,” the Symantec researchers said. “This technique was previously employed by Snatch ransomware in 2019 and allows encryption to progress unhindered by operating system or other security processes. Snatch is also written in Go and has many similar features, suggesting it could be another fork of the same original source code used to develop Knight and RansomHub.”
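The safe-mode restart quoted above is also a detection opportunity: the boot configuration has to be changed and the machine rebooted before encryption starts. The following is an added example, not code from the article or from Symantec's report, that flags hosts where a safe-boot configuration change is followed shortly by a forced restart. It assumes the change is made with the `bcdedit` safeboot option (the article does not name the command), and the log line layout and sample events are constructed.

```python
# Added example (not from the article or Symantec's report): flag hosts where a
# safe-boot reconfiguration is followed shortly by a forced restart, the
# precondition for the "encrypt from safe mode" behaviour described above.
# Log lines are constructed sample data; the field layout is an assumption.
from datetime import datetime, timedelta
import re

SAMPLE_EVENTS = """\
2024-06-05T10:01:12 host=WS01 cmd="bcdedit.exe /set {default} safeboot minimal"
2024-06-05T10:01:40 host=WS01 cmd="shutdown.exe /r /t 0"
2024-06-05T10:03:02 host=WS02 cmd="bcdedit.exe /enum"
2024-06-05T11:15:00 host=WS03 cmd="bcdedit.exe /set {default} safeboot network"
2024-06-05T12:40:00 host=WS03 cmd="shutdown.exe /r /t 0"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) cmd="(?P<cmd>[^"]*)"$')
# bcdedit invoked with the safeboot option (minimal or network)
SAFEBOOT_RE = re.compile(r'\bbcdedit(\.exe)?\b.*\bsafeboot\b', re.IGNORECASE)
# shutdown with the /r (restart) switch
RESTART_RE = re.compile(r'\bshutdown(\.exe)?\b.*\s/r\b', re.IGNORECASE)

def parse_events(text):
    """Parse log lines into (timestamp, host, command) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["host"], m["cmd"]))
    return sorted(events)

def find_safe_mode_reboots(text, window_minutes=10):
    """Return {host: (safeboot_cmd, restart_cmd)} for hosts where a safeboot
    change is followed by a restart on the same host within the window."""
    pending = {}   # host -> (timestamp, safeboot command) awaiting a restart
    hits = {}
    for ts, host, cmd in parse_events(text):
        if SAFEBOOT_RE.search(cmd):
            pending[host] = (ts, cmd)
        elif RESTART_RE.search(cmd) and host in pending:
            t0, sb_cmd = pending.pop(host)
            if ts - t0 <= timedelta(minutes=window_minutes):
                hits[host] = (sb_cmd, cmd)
    return hits

if __name__ == "__main__":
    for host, (sb, rb) in find_safe_mode_reboots(SAMPLE_EVENTS).items():
        print(f"{host}: {sb!r} then {rb!r}")
```

With the sample data only WS01 is flagged; WS03 changed its boot configuration but did not restart within the default 10-minute window, and WS02 only enumerated the boot store.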