Ransomware, Critical Infrastructure Security

Successor to ransomware used in Colonial Pipeline attack observed using new tools

Fuel holding tanks
Symantec detailed new tactics, tools and procedures (TTPs) observed with attackers deploying the Noberus ransomware, which is believed to be the successor to the ransomware family used in the May 2021 Colonial Pipeline attack. (Photo by Drew Angerer/Getty Images)

Symantec on Thursday detailed new tactics, tools and procedures (TTPs) attackers using the Noberus ransomware have deployed in recent months.

In a Thursday blog post by its Threat Hunter Team, Symantec said Noberus is widely believed to be the successor payload to the Darkside and BlackMatter ransomware families, pointing out that Darkside is the same malware used in the May 2021 ransomware attack on Colonial Pipeline.

Tracked by Symantec as Coreid, aka Fin7, both Darkside and BlackMatter were retired by the ransomware-as-a-service group after the attention gained from law enforcement in the Colonial Pipeline attack. The FBI in April asked for help from victims of the Noberus ransomware, noting that at least 60 organizations were compromised between November 2021 and March 2022 with the malware.

What makes the Noberus ransomware notable, said Symantec, is that it’s coded using the Rust cross-platform language that Coreid claims is capable of encrypting files on Windows, EXSI, Debian, ReadyNAS, and Synology operating systems.

The Threat Hunter Team noted that Coreid emphasized Noberus’ superiority to rival ransomware when it emerged on the scene, saying an attacker using the malware “will not be able to reveal the real IP address of the server, and that encrypted negotiation chats can only be accessed by the intended victim.

“The ransomware also offered two encryption algorithms (ChaCha20 and AES), as well as four encryption modes - Full, Fast, DotPattern and SmartPattern,” the blog post continued.

Coreid has continuously updated the ransomware since its launch in November 2021, even adding “plus” features for affiliates bringing in more than $1.5 million, which includes:

  • DDoS attacks
  • Adding the victim’s phone numbers or contact numbers for the affiliate to communicate directly with the victim
  • making it possible to brute force NTDS, Kerberos tickets and other hashes for free

A major update in June introduced an ARM build for encryption in non-standard architectures, as well as an encryption functionality for Windows via rebooting in safe mode and safe mode with networking.

The Threat Hunter Team called Coreid “one of the most dangerous and active ransomware developers operating at the moment,” adding: “Its continuous development of its ransomware and its affiliate programs indicates that this sophisticated and well-resourced attacker has little intention of going anywhere anytime soon.”

Visit Symantec’s blog post for more details on the TTPs of Coreid and the Noberus ransomware.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.