Full Report
Welcome to the Threat Context Monthly blog series where we provide a comprehensive roundup of the most relevant cybersecurity news and threat information from KrakenLabs, Outpost24’s cyber threat intelligence team. Here’s what you need to know from September. Threat actor of the month: NoName (Ransomware) “NoName” is a ransomware group that emerged in 2020 but gained […] The post Threat Context Monthly: Executive intelligence briefing for September 2024 appeared first on Outpost24.
Analysis Summary
# Threat Actor: NoName (Ransomware Group)
## Attribution & Identity
- **Identification**: Ransomware group.
- **Emergence**: Emerged in 2020, but gained prominence in 2023.
- **Aliasing/Confusion**: Should not be confused with the pro-Russian hacktivist also named 'NoName'.
- **Associated Groups**: Has attempted to leverage the reputation of the LockBit Group.
## Activity Summary
- The group primarily focuses on data encryption rather than consistent data exfiltration.
- Utilizes a leak site named "NONAME" which is designed to closely resemble LockBit's design to pressure victims.
## Tactics, Techniques & Procedures
- **Initial Access**: Employs **brute-force** attacks.
- **Exploitation**: Exploits known vulnerabilities, specifically mentioning **EternalBlue** (CVE-2017-0144) and **Zerologon** (CVE-2020-1472).
- **Extortion**: Uses a dedicated leak site for pressure, despite not consistently exfiltrating data.
## Targeting
- **Sectors**: Not explicitly detailed, but context suggests general enterprise targeting based on ransomware methodology.
- **Geography**: Not explicitly detailed.
- **Victims**: Not specifically mentioned.
## Tools & Infrastructure
- **Malware families used**: Employs various ransomware families including **RansomHub**, **Scara**, and **ScRansom**.
- **Infrastructure**: Operates a **"NONAME" leak site**.
## Implications
- The use of LockBit-style branding suggests an attempt to benefit from the notoriety and perceived capability of more established ransomware operators.
- The focus on encryption without guaranteed exfiltration suggests a prioritization of system disruption over guaranteed double-extortion leverage, though the leak site is used for influence.
## Mitigations
- Patch known vulnerabilities, especially **EternalBlue** (SMBv1/NTLM) and **Zerologon**.
- Implement strong password policies and multi-factor authentication to counter brute-force attempts.
- Monitor network activity for indicators related to the deployment of RansomHub, Scara, or ScRansom families.