Menlo Labs provides insights, expertise, context and tools to aid customers on their journey to connect, communicate and collaborate securely without compromise. The collective is made up of elite security researchers that put a spotlight on the threats you know and don’t know about.
Menlo Labs is tracking the Russian invasion of Ukraine, which has escalated substantially not only on the ground but also in the cyber realm. Activity has ranged from increased distributed denial of service (DDoS) attacks that impacted both the Ukrainian government and banking institutions to a new variant of wiper malware, named HermeticWiper, that was discovered in Ukraine. Shortly after that, a new round of website defacement attacks was observed impacting Ukrainian government organizations, and Russian ones as well.
Historically, when it comes to Russian cyber activity, everyone is fair game, and we anticipate a continuous rise in activity. We assess with moderate confidence that many may see an increase in scanning, phishing, and other types of SWAG (stuff we all get) attacks on targets outside of the conflict coming from Russia. Menlo Labs also believes with moderate confidence that there will be an increase in scams and phishing campaigns pretending to seek donations for Ukrainian refugees.
To keep you apprised of the increased cyber activity because of the Russia-Ukraine conflict, we’ll be updating this activity bulletin based on what we’ve analyzed and have observed across the intelligence community (IC):
The attacks may have started before the end of the Winter Olympics and peaked the day before Russian troops and tanks crossed the border. The attacks – which could be distinguished by the trademark tools and methods of the People’s Liberation Army – were allegedly designed to steal data and explore ways to shut down or disrupt vital defense and civilian infrastructure.
The malware primarily leverages two techniques. In the first, it overwrites file content with zero blocks of 4096 bytes, either via FileStream.Write or via the API calls NtFileOpen and NtFsControlFile (with the control code FSCTL_SET_ZERO_DATA). The second technique deletes Windows registry hives – HKCU, HKU, HKLM \ BCD – before shutting down the infected system.
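As an added forensic illustration (not part of this bulletin or of Menlo's tooling), the script below triages a directory for files that consist of the 4096-byte zero blocks described above; the sample files, paths and the 95% threshold are constructed assumptions for the example.

```python
import os
import tempfile

BLOCK = 4096  # the zero-block size the wiper writes, per the bulletin


def zero_block_ratio(path, block=BLOCK):
    """Return (zero_blocks, total_blocks) for a file read in block-sized chunks.
    A partial trailing chunk counts as one block."""
    zero = total = 0
    zeros = bytes(block)
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(block)
            if not chunk:
                break
            total += 1
            if chunk == zeros[:len(chunk)]:
                zero += 1
    return zero, total


def looks_wiped(path, threshold=0.95):
    """Flag a non-empty file whose content is (almost) entirely zero blocks.
    Note: FSCTL_SET_ZERO_DATA on a sparse file punches holes, which also read
    back as zeros, so this check catches both write paths the bulletin names."""
    zero, total = zero_block_ratio(path)
    return total > 0 and zero / total >= threshold


def triage(root):
    """Walk root and return the relative paths of files that look wiped."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if looks_wiped(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample data: one zero-filled file, one intact file, one empty file."""
    root = tempfile.mkdtemp(prefix="wiper_triage_")
    with open(os.path.join(root, "wiped.docx"), "wb") as fh:
        fh.write(bytes(3 * BLOCK))                 # three all-zero 4096-byte blocks
    with open(os.path.join(root, "intact.txt"), "wb") as fh:
        fh.write(b"quarterly report\n" * 600)      # ordinary, non-zero content
    open(os.path.join(root, "empty.log"), "wb").close()  # zero-length, must not be flagged
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))  # expected: ['wiped.docx']
```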
Russia is a dominant threat actor in cyberspace, and as the war continues, companies should be prepared for increased and possibly targeted attacks. In an effort to provide guidance, the Cybersecurity and Infrastructure Security Agency (CISA) created Shields Up, a resource center that provides insights and recommendations for organizations.
The group also brought down Rosatom, a Russian firm that seized the Ukrainian nuclear power plant, Zaporizhzhya. The group changed the interface on the site to make it inaccessible. They also claimed to have gained access to gigs of data which they plan to leak to the public.
This is not your war. This is your government’s war. We lie to your brothers and sisters. Soldiers from some military units think they are in formation. But when they achieve their goal, which is to be a drill, they are met by bloodthirsty Ukrainians who want revenge for the destruction of their land that Putin’s puppets have inflicted on them. Some of them think they will go down in history, making the world a better place when they take part in the invasion of Ukraine. Brethren, open your eyes. Glory to Ukraine! God bless Ukrainians and Russians. Let the Russian government live what Ukrainians have to live every day.
[The dialogue we’re observing among threat actors during this conflict is unprecedented. Threat actors have either publicly taken a side or remained neutral. We believe the groups staying neutral are doing so not only to keep paying affiliates, but also to keep peace among international group members. We also believe that if the conflict continues to intensify, we could see a disruption in threat activity, as many groups use Russian infrastructure and many threat actors are Russian in origin.]
Around the same time on a Dark Web forum, LockBit criticized Conti about their lack of operational security while reviewing the leaked documents. LockBit went on to say they will buy Emotet/Trickbot sources (a reference to Conti joining up with Trickbot in the past).
LockBit made a post on their leak site stating that they aren’t taking sides, possibly another jab at Conti. However, LockBit isn’t alone. Other ransomware gangs are also stating they won’t take sides, stating their “employees” and affiliates are all over the world.
Menlo Labs is closely monitoring the conflict for new intelligence. While these attacks have mostly been confined to Ukraine and Russia, it’s possible that similar attacks, and the malware used in them, could be leveraged against other targets.
Menlo Labs on Apr 13, 2022