Chris Swagler | January 23rd, 2023

Three more ransomware variants can be added to the ever-growing list of threats security teams need to monitor. Like most ransomware, the three variants, Vohuk, ScareCrow, and AESRT, target Windows systems and appear to be spreading relatively quickly across numerous countries. According to the security researchers tracking them, samples of all three have been gaining traction in ransomware sample databases. Analysis of the three threats showed them to be standard ransomware tools that are nonetheless very effective at encrypting data on compromised systems. The alert didn't specify how the operators of the new samples distribute their malware; it did note that phishing emails have historically been the most common vector for ransomware infections.

If the growth of ransomware in 2022 is any indication, security teams should expect the threat to keep growing. The number of new ransomware variants identified surged by nearly 100% in the first half of 2022 compared to the previous six months: 10,666 new variants were discovered, versus 5,400 in the second half of 2021. The increase is mostly due to more threat operators adopting ransomware-as-a-service (RaaS) offerings sold on the Dark Web. Most concerning is the rise in more destructive, large-scale ransomware attacks across virtually every sector, a trend expected to continue into 2023.

Researchers discovered the Vohuk ransomware in its third iteration, indicating that its developers are actively maintaining it. The malware drops a ransom note, "READ.txt", on compromised systems, asking victims to contact the threat actors by email and quote a unique ID. The note tells victims that the operators aren't driven by politics and are interested only in financial gain, and assures them that their data will be returned if they pay the ransom.

ScareCrow is another newly observed ransomware that encrypts files on victims' devices. Its ransom note, "readme.txt", lists three Telegram channels through which victims can communicate with the threat actors. Even though the note makes no specific financial demand, victims can expect to pay a ransom to restore encrypted files. The security vendor's investigation found some overlap between ScareCrow and Conti, one of the most prolific ransomware families: the two use an identical file-encryption algorithm, and ScareCrow, like Conti, deletes shadow copies using the WMI command-line utility (WMIC) so that data on infected systems can't be recovered from Volume Shadow Copy backups.
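The shadow-copy deletion described above is one of the few behaviours in this write-up that a defender can turn directly into a detection, because it shows up as a process-creation event well before file encryption finishes. The following is an added example written for this page, not code from the original article, from SpearTip, or from the vendor that analysed the samples. It assumes process-creation telemetry with fields modelled on Sysmon Event ID 1 (process ID, parent image, image, command line); the sample events are constructed, not real captures. It also goes beyond the page's WMIC case by covering the vssadmin and PowerShell Win32_ShadowCopy routes, which are other common ways ransomware inhibits recovery (MITRE ATT&CK T1490).

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (fields loosely modelled on
# Sysmon Event ID 1). These are made up for the example, not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4412, "parent": r"C:\Users\jdoe\Downloads\invoice.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},                       # ransomware-style
    {"pid": 4420, "parent": r"C:\Users\jdoe\Downloads\invoice.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},           # ransomware-style
    {"pid": 5100, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption"},                           # benign WMIC use
    {"pid": 5120, "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},                         # benign, read-only
]

# Rule name -> pattern over the normalised command line. Ordering of tokens
# follows the tools' own syntax (wmic <alias> <verb>, vssadmin <verb> <object>).
SHADOW_COPY_DELETION = [
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("powershell_win32_shadowcopy_delete",
     re.compile(r"win32_shadowcopy.*(?:remove-wmiobject|remove-ciminstance|\.delete\(\))", re.I)),
]


@dataclass
class Finding:
    pid: int
    rule: str
    cmdline: str
    parent: str
    technique: str = "T1490 Inhibit System Recovery"


def normalize(cmdline: str) -> str:
    """Strip quoting and collapse whitespace so '"wmic"  "shadowcopy" delete'
    and a full-path invocation still match the same pattern."""
    return " ".join(cmdline.replace('"', " ").replace("'", " ").split())


def detect_shadow_copy_deletion(events):
    """Return one Finding per event whose command line deletes shadow copies.
    Read-only uses (list/get) and unrelated WMIC queries are not flagged."""
    findings = []
    for ev in events:
        cmd = normalize(ev["cmdline"])
        for name, pattern in SHADOW_COPY_DELETION:
            if pattern.search(cmd):
                findings.append(Finding(ev["pid"], name, ev["cmdline"], ev["parent"]))
                break  # one finding per event is enough
    return findings


if __name__ == "__main__":
    for f in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        # In practice, an unexpected parent (a user-profile executable rather
        # than a backup agent) is what turns this from "noisy" into "respond now".
        print(f"[{f.rule}] pid={f.pid} parent={f.parent} cmd={f.cmdline!r}")
```

Only the two deletion commands are flagged; the benign `wmic os get caption` and `vssadmin list shadows` events pass. In a real environment, pair the command-line match with the parent image: legitimate backup software does delete shadow copies, but a freshly downloaded executable in a user profile doing so is a strong ransomware precursor and a sensible trigger for host isolation.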

AESRT, the third new ransomware family found in the wild, has functionality comparable to the other two. Instead of dropping a ransom note, the malware displays a popup window with the threat operator's email address and a field where victims enter the decryption key they are promised once they have paid the ransom.

The new variants add to the vast and ever-growing list of ransomware threats companies need to deal with daily, as ransomware operators continue to pound away at companies. Data on ransomware attacks show 1,133 confirmed ransomware attacks in the first half of 2022, with more than half (52%) hitting United States companies. The most active group was the one behind LockBit, followed by the groups behind Conti, Black Basta, and ALPHV. Activity isn't uniform, however, and some security companies noticed a slight slowdown. One cybersecurity midyear report said its incident response engagements indicated that the success rate of new ransomware attacks had dropped slightly, a trend tied to the disruption of the Conti RaaS operation and other variables, including the disruptive effect of the war in Ukraine on ransomware groups.

The crypto collapse could also affect ransomware operations in 2023. The FTX scandal sent cryptocurrency prices diving, which hurts ransomware monetization and makes the value of a ransom payment unpredictable. That isn't good for ransomware operators, who will have to consider alternative ways to monetize in the long run; some groups are reportedly considering launching their own coins in response. It's unclear whether that will materialize, but overall, ransomware groups are concerned about how to get paid while staying anonymous going forward.

With a growing number of new ransomware variants targeting high-profile companies, it's important for organizations to stay alert to the current threat landscape and to regularly update their network security infrastructure. At SpearTip, our certified engineers work continuously in our 24/7/365 Security Operations Center, monitoring companies' networks for potential ransomware threats and standing ready to respond to incidents at a moment's notice. Our remediation experts work tirelessly to restore companies' operations, reclaim their networks by isolating malware, and recover business-critical assets. ShadowSpear, our integrable managed detection and response platform, uses comprehensive insights drawn from unparalleled data normalization and visualization to detect sophisticated, previously unknown, and advanced ransomware threats.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.