
SafeBreach Adds/Updates Coverage for New Malware and Ransomware Variants
The SafeBreach Platform has been updated with coverage for several newly discovered threats, including novel malware and ransomware variants. SafeBreach customers can select and run these attacks from the SafeBreach Hacker’s Playbook to ensure coverage against these advanced threats. Additional details about each threat and our coverage can be seen below.
Venus Ransomware
This ransomware variant (also known as GOODGAME) has been active since August 2022 and has targeted victims worldwide. Threat actors leveraging Venus ransomware target publicly exposed Remote Desktop Services (RDP), including instances running on non-standard TCP ports, to encrypt Windows devices. Based on the information available, Venus ransomware will attempt to terminate 39 processes associated with database servers and Microsoft Office applications. The ransomware deletes event logs and Volume Shadow Copies and disables Data Execution Prevention. When encrypting files, the ransomware uses the AES and RSA algorithms and appends the ‘.venus’ extension. In each encrypted file, a ‘goodgamer’ filemarker and other information are added to the end of the file. Open-source reports indicate that initial ransom demands may start around 1 BTC, or less than USD 20,000. Samples in the wild have been observed contacting IP addresses in various countries, including the US, Great Britain, Denmark, France, Ireland, the Netherlands, Russia, and Japan.
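As an added illustration (not SafeBreach’s code and not a Hacker’s Playbook attack), the following Python triage scanner flags files that carry both the ‘.venus’ extension and the ‘goodgamer’ filemarker described above. Because the page does not give the trailer layout, the scanner assumes the marker sits somewhere in the final 4 KiB of the file; the sample files it scans are constructed for the demo.

```python
import os
import tempfile
from typing import List

VENUS_EXTENSION = ".venus"
VENUS_MARKER = b"goodgamer"
TAIL_BYTES = 4096  # assumption: the filemarker lies within the last 4 KiB of the file


def has_venus_marker(path: str, tail_bytes: int = TAIL_BYTES) -> bool:
    """Return True if the trailing bytes of `path` contain the 'goodgamer' marker."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        f.seek(max(0, size - tail_bytes))
        return VENUS_MARKER in f.read()


def find_venus_encrypted(root: str) -> List[str]:
    """Walk `root` and return files with the .venus extension AND the trailing marker.

    Requiring both signals avoids flagging files that were merely renamed."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(VENUS_EXTENSION):
                continue
            full = os.path.join(dirpath, name)
            try:
                if has_venus_marker(full):
                    hits.append(full)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the sweep
    return sorted(hits)


def make_sample_tree(root: str) -> None:
    """Constructed sample data: one 'encrypted' file, one renamed-only file, one clean file."""
    os.makedirs(root, exist_ok=True)
    filler = bytes(range(256)) * 8  # deterministic stand-in for ciphertext
    with open(os.path.join(root, "report.docx.venus"), "wb") as f:
        f.write(filler + VENUS_MARKER + b"\x00" * 64)  # marker near the end, as described
    with open(os.path.join(root, "renamed.txt.venus"), "wb") as f:
        f.write(b"plain text that was only renamed, no marker")
    with open(os.path.join(root, "clean.txt"), "wb") as f:
        f.write(b"unaffected file")


def demo() -> List[str]:
    """Scan a constructed tree in a temp directory and return the basenames flagged."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root)
        return [os.path.basename(p) for p in find_venus_encrypted(root)]
```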
SafeBreach Coverage of Venus Ransomware
The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the new ransomware variant.
- #8015 – Write Venus ransomware malware to disk (Host-Level)
- #8026 – Transfer of Venus ransomware malware over HTTP/S (Lateral Movement)
- #8027 – Transfer of Venus ransomware malware over HTTP/S (Infiltration)
- #8028 – Email Venus ransomware malware as a ZIP attachment (Lateral Movement)
- #8029 – Email Venus ransomware malware as a ZIP attachment (Infiltration)
Lorenz Ransomware
The Lorenz ransomware group has been known to target enterprises worldwide since December 2020, with ransom demands ranging in the hundreds of thousands of dollars. The Lorenz gang typically sells stolen victim data prior to encryption to pressure victims into paying the ransom. They are also known to sell access to victim networks to other threat actors. The group stores stolen victim data in password-protected RAR archives; if the demanded ransom is not paid, Lorenz releases the password to the leaked archives, giving the public access to the stolen files.
SafeBreach Coverage of Lorenz Ransomware
The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the new ransomware variant.
- #8030 – Write Lorenz ransomware malware to disk (Host-Level)
- #8031 – Transfer of Lorenz ransomware malware over HTTP/S (Lateral Movement)
- #8032 – Transfer of Lorenz ransomware malware over HTTP/S (Infiltration)
- #8033 – Email Lorenz ransomware malware as a ZIP attachment (Lateral Movement)
- #8034 – Email Lorenz ransomware malware as a ZIP attachment (Infiltration)
QakBot Malware / BlackBasta Ransomware
The ransomware group BlackBasta, which has been active since April 2022, has been observed targeting U.S.-based companies with the QakBot trojan to gain initial access, move laterally, and deploy BlackBasta or other ransomware in victim networks. QakBot, also known as QBot or Pinkslipbot, is a banking trojan primarily used to steal victims’ financial data, including browser information, keystrokes, and credentials. Once QakBot has successfully infected an environment, the malware installs a backdoor that allows the threat actor to drop additional malware, namely ransomware.
SafeBreach Coverage of QakBot Trojan/BlackBasta Ransomware
The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the new trojan and ransomware variant.
- #1359 – Transfer of the QakBot Malware over HTTP/S
- #1864 – Email the QakBot malware as part of a ZIP attachment
- #7176 – Write Black Basta malware to disk
- #7177 – Transfer of Black Basta malware over HTTP/S
- #7178 – Transfer of Black Basta malware over HTTP/S
- #7179 – Email Black Basta malware as a ZIP attachment
- #7180 – Email Black Basta malware as a ZIP attachment
AwfulShred Malware and ArguePatch Loader
AwfulShred malware is a malicious shell script designed to corrupt Linux systems. It has been deployed by the Sandworm APT group to target critical infrastructure in Eastern Europe.
ArguePatch is a loader malware that was previously used in campaigns against Ukraine involving CaddyWiper and Industroyer2. The malware is a patched version of a legitimate component of the Hex-Rays IDA Pro software. This ArguePatch variant includes a feature to set up a scheduled task in order to perform a specific action at a specified time.
SafeBreach Coverage of AwfulShred Malware and ArguePatch Loader
The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the new malware.
- #8060 – Write AwfulShred malware to disk
- #8061 – Transfer of AwfulShred malware over HTTP/S
- #8062 – Transfer of AwfulShred malware over HTTP/S
- #8063 – Email AwfulShred malware as a ZIP attachment
- #8064 – Email AwfulShred malware as a ZIP attachment
- #8065 – Write ArguePatch (AprilAxe) malware to disk
- #8066 – Transfer of ArguePatch (AprilAxe) malware over HTTP/S
- #8067 – Transfer of ArguePatch (AprilAxe) malware over HTTP/S
- #8068 – Email ArguePatch (AprilAxe) malware as a ZIP attachment
- #8069 – Email ArguePatch (AprilAxe) malware as a ZIP attachment
Interested In Protecting Against Advanced Ransomware?
SafeBreach now offers a complimentary and customized real-world ransomware assessment (RansomwareRx) that can allow you to gain unparalleled visibility into how your security ecosystem responds at each stage of the defense process. This ransomware assessment includes:
- Training – Understand the methodology around ransomware attacks, persistent threats, and malware attacks.
- Assessment – Review goals and ensure simulation connection to our management console and all configurations are complete.
- Attack Scenario – Run safe-by-design, real-world ransomware attacks across the cyber kill chain on a single device of your choice.
- Report – Receive a custom-built report that includes simulation results and actionable remediation insights.
Empower your team to understand more about ransomware attacks, methodologies, and behaviors—all through the lens of the attacker. Request your complimentary RansomwareRx assessment today.
*** This is a Security Bloggers Network syndicated blog from SafeBreach authored by Kaustubh Jagtap. Read the original post at: https://www.safebreach.com/resources/blog/new-coverage-azov-ransomware-data-wiper-lodeinfo-malware-2/