A notorious ransomware gang has recently been targeting Windows administrators through a sophisticated malvertising campaign that abuses the popularity of tools like PuTTY and WinSCP. These malicious actors exploit trusted software names to gain unauthorized access to sensitive networks, encrypt valuable data, and demand hefty ransom payments. This article will explore the methods utilized by this ruthless gang, the implications for Windows admins, and the preventive measures that can be taken to guard against such attacks.
Ransomware Operation Targeting Windows System Administrators
The ransomware operation targets Windows system administrators by running Google ads that promote fake download sites for PuTTY and WinSCP. These are standard Windows utilities, with WinSCP functioning as an SFTP and FTP client, and PuTTY as an SSH client. System administrators often have elevated privileges on a Windows network, making them prime targets for malicious actors looking to quickly spread through a network, steal files, and gain access to a network's domain controller for deploying ransomware.
According to a recent report by Rapid7, a search engine campaign displayed ads for fake PuTTY and WinSCP sites when users searched for "download winscp" or "download putty." These ads utilized typosquatting domains like puutty[.]org, wnscp[.]accumulate, and vvinscp[.]accumulate. While some sites impersonated the genuine WinSCP website, others imitated an unaffiliated site for PuTTY, leading users to believe it was the official webpage. The legitimate PuTTY website is actually located at https://www.chiark.greenend.org.uk/~sgtatham/putty/.
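The lookalike names above follow a small set of tricks: an extra or missing letter (puutty, wnscp) or a visual substitution (vv for w). The following script is an added example, not code from the article or from Rapid7, showing how a defender can flag such hostnames before a download is trusted. The allowlist, brand strings and homoglyph table are assumptions chosen for the two tools discussed; the hostnames checked are constructed from the article's examples.

```python
# Added example: flag typosquatted download hosts for PuTTY and WinSCP.
# Not part of the original article; allowlist and rules are assumptions.

# Legitimate download hosts for the two tools named in the article.
ALLOWED_HOSTS = {
    "winscp.net",
    "www.winscp.net",
    "chiark.greenend.org.uk",        # host of the official PuTTY page
    "www.chiark.greenend.org.uk",
}

# Brand strings an attacker tries to imitate.
BRANDS = ("putty", "winscp")

# Visual substitutions commonly used in lookalike labels (vv -> w, rn -> m, ...).
HOMOGLYPHS = (("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("3", "e"))


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small enough to implement inline."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Undo homoglyph tricks so 'vvinscp' compares as 'winscp'."""
    label = label.lower()
    for bad, good in HOMOGLYPHS:
        label = label.replace(bad, good)
    return label


def registrable_label(host: str) -> str:
    """Second-level label of the host. Simplified: no public-suffix list,
    so multi-part suffixes (org.uk) are only handled via ALLOWED_HOSTS."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_host(host: str, max_distance: int = 2) -> str:
    """Return 'allowed', 'lookalike:<brand>' or 'unrelated'."""
    host = host.lower()
    if host in ALLOWED_HOSTS:
        return "allowed"
    label = normalize(registrable_label(host))
    for brand in BRANDS:
        # Either the brand is embedded in the label (winscp-download) or the
        # label is within a couple of edits of it (puutty, wnscp).
        if brand in label or levenshtein(label, brand) <= max_distance:
            return f"lookalike:{brand}"
    return "unrelated"


if __name__ == "__main__":
    # Constructed inputs based on the domains the article lists.
    for h in ("www.winscp.net", "puutty.org", "wnscp.accumulate",
              "vvinscp.accumulate", "winscp-download.com", "google.com"):
        print(f"{h:24} {classify_host(h)}")
```

The check is deliberately conservative: anything that is not on the allowlist but resembles a brand is reported, and the decision of what to do with a "lookalike" verdict (block, warn, or require an out-of-band hash check) is left to policy.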
The fake sites contained download links that redirected users to genuine websites or downloaded a ZIP archive from the malicious actors’ servers based on the referral source. The ZIP archives included a Setup.exe executable, which was a renamed version of the genuine Python for Windows executable (pythonw.exe), along with a malicious python311.dll file. When users launched the Setup.exe, thinking they were installing PuTTY or WinSCP, it loaded the malicious DLL through DLL Sideloading, executing an encrypted Python script.
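The archive layout described above (a trusted executable shipped under a new name next to a tampered runtime DLL that it will load from its own directory) can be recognised by inspecting the download before it is run. The script below is an added example, not code from the article or from Rapid7; the binaries, hashes and archive contents are constructed stand-ins, and in practice the trusted hashes would come from a verified copy of the official Python for Windows distribution.

```python
# Added example: look for DLL-sideloading indicators in a downloaded ZIP.
# Not part of the original article; all binaries and hashes are constructed.
import hashlib
import io
import re
import zipfile

# Constructed stand-ins for real PE files (they only carry the MZ magic).
_FAKE_PYTHONW = b"MZ" + b"\x90" * 62 + b"CONSTRUCTED pythonw.exe body"
_FAKE_OFFICIAL_DLL = b"MZ" + b"\x90" * 62 + b"CONSTRUCTED official python311.dll"
_FAKE_TAMPERED_DLL = b"MZ" + b"\x90" * 62 + b"CONSTRUCTED tampered python311.dll"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Trusted hash -> original file name. In a real deployment this table is
# built from a verified copy of the official Python distribution.
KNOWN_RUNTIME = {
    sha256(_FAKE_PYTHONW): "pythonw.exe",
    sha256(_FAKE_OFFICIAL_DLL): "python311.dll",
}

# Runtime DLLs the loader resolves from the executable's own directory first;
# python3xx.dll is the one named in the article.
RUNTIME_DLL_RE = re.compile(r"^python3\d+\.dll$", re.IGNORECASE)


def build_archive(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (used for constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sideload_indicators(zip_bytes: bytes) -> list:
    """Return human-readable findings for an installer archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = {i.filename: zf.read(i) for i in zf.infolist() if not i.is_dir()}

    exes = [n for n in members if n.lower().endswith(".exe")]
    dlls = [n for n in members if n.lower().endswith(".dll")]

    for exe in exes:
        data = members[exe]
        if not data.startswith(b"MZ"):
            findings.append(f"{exe}: not a PE file")
            continue
        # A byte-identical copy of a trusted runtime under a different name
        # (Setup.exe that is really pythonw.exe) is the renaming trick.
        original = KNOWN_RUNTIME.get(sha256(data))
        base = exe.rsplit("/", 1)[-1].lower()
        if original and original.lower() != base:
            findings.append(f"{exe}: byte-identical to trusted {original} (renamed runtime)")

    for dll in dlls:
        base = dll.rsplit("/", 1)[-1]
        # A runtime DLL name whose content is not the trusted build is the
        # sideload payload: the loader will pick it up beside the executable.
        if RUNTIME_DLL_RE.match(base) and sha256(members[dll]) not in KNOWN_RUNTIME:
            findings.append(f"{dll}: runtime DLL name with unknown hash (sideload candidate)")
    return findings


if __name__ == "__main__":
    suspicious = build_archive({"Setup.exe": _FAKE_PYTHONW,
                                "python311.dll": _FAKE_TAMPERED_DLL})
    for line in sideload_indicators(suspicious):
        print(line)
```

Both checks rely on a hash table of trusted binaries rather than on file names, which is the point: the executable in the campaign was genuine and would pass a signature check on its own, so the anomaly is the pairing of a renamed good file with an unrecognised runtime DLL beside it.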
Impact and Tactics of the Ransomware Gang
The malicious script installed the Sliver post-exploitation toolkit, a popular tool used for initial access to corporate networks. Rapid7 reported that the actors utilized Sliver to remotely drop additional payloads, including Cobalt Strike beacons. This access was exploited to steal files and attempt to deploy a ransomware encryptor. While Rapid7 did not provide detailed information on the ransomware used, they noted similarities to previous campaigns reported by Malwarebytes and Trend Micro involving the now-defunct BlackCat/ALPHV ransomware.
The campaign's tactics, techniques, and procedures (TTPs) mirror those observed in previous BlackCat/ALPHV campaigns, indicating a consistent modus operandi among ransomware actors. Search engine ads have become a significant challenge in recent years, with numerous threat actors leveraging them to distribute malware and phishing sites. These ads have targeted popular programs such as KeePass, CPU-Z, Notepad, Grammarly, and many others.
A recent incident involved a threat actor running Google ads that led to a phishing webpage masquerading as the genuine URL for the crypto trading platform Whales Market. This deceptive tactic aimed to trick users into divulging their cryptocurrency information, highlighting the evolving strategies employed by malicious actors in online campaigns.
Safeguarding against ransomware attacks requires vigilance, awareness of potential threats, and proactive security measures to protect critical systems and data from malicious exploitation. Windows administrators should exercise caution when downloading software, verify the authenticity of websites, and implement robust security protocols to defend against evolving cyber threats.