Full Report

Note: This trend report on the deep web and dark web of March 2025 is sectioned into Ransomware, Data Breach, DarkWeb, CyberAttack, and Threat Actor. Please note that some parts of the content cannot be verified for accuracy. Key Issues: 1) Ransomware; 1. Overview […]

Analysis Summary
# Incident Report: Widespread Ransomware and Data Extortion Activity (March 2025)
## Executive Summary
March 2025 saw a significant escalation in the ransomware landscape, characterized by the emergence of numerous new threat groups and sophisticated evasion techniques employed by existing actors. Major government agencies and critical infrastructure worldwide were targeted, resulting in confirmed compromises across the manufacturing, public sector, and healthcare industries globally. Response efforts focused on containment amid evolving encryption standards and complex lateral movement techniques.
## Incident Details
- Discovery Date: Throughout March 2025 (as reported in the March 2025 trend report)
- Incident Date: March 2025
- Affected Organization: Baltimore City State’s Attorney’s Office (US), Ministry of Foreign Affairs (Ukraine), State-owned defense company (Argentina), \*\*\* LLC (US), \*\*\* Holdings (China), Automotive door moving system manufacturer (Korea), Industrial automation equipment manufacturer (Japan), Diesel engine/turbocharger manufacturer (Germany), Surfing/lifestyle brand (US), Building/consumer goods distributor (Indonesia), Casino/hotel complex (US), \*\*\*era European branch (Japan), \*\*\* Limited (India), \*\*\* National Bank (Cayman Islands), Utsunomiya Central Clinic (Japan), Los Madroños Hospital (Spain), Cleveland Court (US), \*\*\* Corporation (Japan), \*\*\* communication solution provider (US), \*\*\* Auto Group (US), Gaines County (US), \*\*\* Technology (US), \*\*\* Holdings (Japan), The Home \*\*\* (Mexico branch), City of Aurora (US), Vietnamese MoD, South Korean MoD, Taobao (China).
- Sector: Government/Public Sector, Critical Infrastructure, Automotive, Healthcare, Finance, Manufacturing, Technology.
- Geography: Global (US, Ukraine, Argentina, Korea, Japan, Germany, Indonesia, Cayman Islands, Spain, India, Vietnam, China, Mexico).
## Timeline of Events
### Initial Access
- Date/Time: Not specified, ongoing throughout March 2025.
- Vector: Varies by group; reported vectors include global hacking campaigns targeting Jira servers (Hellcat) or specific vulnerabilities (potential zero-days).
- Details: New groups demonstrated systematic attack planning, while established groups like RansomHub utilized multifunctional backdoors (Betruger).
### Lateral Movement
- Details: RansomHub actors were confirmed using EDRKillShifter, indicating techniques designed to bypass critical security controls during internal reconnaissance and movement.
### Data Exfiltration/Impact
- Impact: Significant disruption across sectors, particularly the manufacturing sector (35% of attacks), often strategically targeting organizations to disrupt global supply chains. Critical government and healthcare entities (e.g., Ukraine MFA, Cleveland Court, various hospitals) were confirmed victims.
### Detection & Response
- Detection: Varied, with some detection relying on observing infrastructure changes (e.g., Qilin moving FTP server from Russia to Hong Kong) or identifying specific malware artifacts (e.g., Akira using webcam features).
- Response Actions: Not detailed in the source; containment of these incidents implied targeted remediation based on the specific ransomware strain and evasion techniques used.
## Attack Methodology
- Initial Access: Unknown specifics for most, but Hellcat targeted Jira servers; generally exploiting external-facing applications or utilizing initial access brokers (implied by Anubis recruitment).
- Persistence: Implied through the use of established backdoors (Betruger by RansomHub).
- Privilege Escalation: Not explicitly detailed, but inferred from the groups' ability to affect critical infrastructure and major corporations.
- Defense Evasion: Advanced techniques observed: Akira using webcam to bypass EDR; Hellcat attempting to hide encrypted communications; RansomHub using EDRKillShifter.
- Credential Access: Not explicitly detailed.
- Discovery: Implied through the targeting of organizational functions (e.g., targeting industrial automation, supply chain components).
- Lateral Movement: Use of specific tools like EDRKillShifter suggests sophisticated internal movement post-compromise.
- Collection: Data collection implied for extortion purposes, affecting supply chain entities heavily.
- Exfiltration: Hellcat observed attempting to conceal encrypted communications; general data exfiltration mechanism not specified.
- Impact: Data encryption employing advanced techniques (the PE32 ransomware using AES-256 CTR, ML-KEM, Kyber1024, and RSA-4096).
## Impact Assessment
- Financial: Not quantified, but attacks on large international entities (automotive, defense, finance) suggest high financial impact.
- Data Breach: Data loss confirmed across government, defense, manufacturing, and healthcare records.
- Operational: Significant operational disruption, especially in the manufacturing sector targeted to disrupt global supply chains (e.g., attacks on auto parts and industrial equipment manufacturers).
- Reputational: High visibility due to attacks against government entities (e.g., Baltimore City SAO, Ministries of Defense).
## Indicators of Compromise
- Network indicators: Hellcat distributing new samples via Pastebin and FileHosting services (URLs defanged: hxxps://pastebin[.]com, hxxps://filehosting[.]service). Qilin FTP infrastructure shifting from Russia to Hong Kong.
- File indicators: Specific malware samples associated with Akira, Hellcat, RansomHub (Betruger, EDRKillShifter), PE32, Anubis, BlackPanther, and Louis.
- Behavioral indicators: Use of webcam manipulation to evade EDR (Akira); attempts to delete logs to conceal encrypted communications (Hellcat).
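The network indicators above are published defanged (hxxps, `[.]`), so before they can be matched against proxy or DNS logs they have to be refanged and compared on hostname boundaries. The script below is an added example, not part of the report or any vendor tooling: it refangs the two indicators the report lists, scans constructed sample proxy log lines (the log format, client names and addresses are invented for the demonstration), and reports each client that reached an indicator host or a subdomain of it. The dot-boundary check is there because a naive suffix match would also flag unrelated hosts such as `notpastebin.com`.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Defanged network indicators as listed in the report's IoC section.
# "filehosting[.]service" is the report's own placeholder for a file-hosting host.
DEFANGED_IOCS = [
    "hxxps://pastebin[.]com",
    "hxxps://filehosting[.]service",
]

# Constructed sample proxy log lines (not from the report): epoch time,
# client name, client IP, method, URL, HTTP status.
SAMPLE_PROXY_LOG = """\
1741873200.123 workstation-17 10.0.4.23 GET https://pastebin.com/raw/abcd1234 200
1741873260.456 workstation-17 10.0.4.23 GET https://www.example.org/ 200
1741873300.789 dev-build-02 10.0.7.8 GET https://filehosting.service/dl/sample.bin 200
1741873400.000 workstation-21 10.0.4.31 GET https://notpastebin.com/ 200
1741873460.500 workstation-09 10.0.4.40 CONNECT https://api.pastebin.com:443 200
""".splitlines()


def refang(indicator: str) -> str:
    """Turn a defanged URL or domain back into its real form.

    Handles the common conventions: hxxp/hxxps schemes, [:]// or [://]
    separators, and [.] / (.) / [dot] / (dot) in place of dots.
    """
    s = indicator.strip()
    s = s.replace("[://]", "://").replace("[:]//", "://")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    for token in ("[.]", "(.)", "[dot]", "(dot)"):
        s = s.replace(token, ".")
    return s


def ioc_hostname(indicator: str) -> str:
    """Lower-cased hostname of a refanged indicator, with or without a scheme."""
    url = refang(indicator)
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def host_matches(host: str, ioc_host: str) -> bool:
    """True when host is the indicator host itself or a subdomain of it.

    A plain suffix test would also flag 'notpastebin.com' for 'pastebin.com';
    requiring the dot boundary avoids that false positive.
    """
    host = host.lower().rstrip(".")
    return host == ioc_host or host.endswith("." + ioc_host)


@dataclass
class Hit:
    client: str
    host: str
    indicator: str
    line: str


def scan_proxy_log(lines, defanged_iocs=DEFANGED_IOCS):
    """Return one Hit per log line whose destination host matches an indicator."""
    ioc_hosts = {ind: ioc_hostname(ind) for ind in defanged_iocs}
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6:
            continue  # skip malformed lines rather than abort the scan
        client, url = fields[1], fields[4]
        host = urlparse(url).hostname or ""
        for indicator, ioc_host in ioc_hosts.items():
            if host_matches(host, ioc_host):
                hits.append(Hit(client, host, indicator, line))
                break
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit.client}: {hit.host} matches {hit.indicator}")
```

Run against the constructed log, the scan reports three hits (two clients reaching pastebin.com hosts, one reaching the file-hosting placeholder) and correctly ignores the `notpastebin.com` line. In practice the indicator list would be loaded from the threat feed and the log lines streamed from the proxy or DNS resolver rather than embedded.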
## Response Actions
- Containment: Required isolating affected segments handling critical supply chain components or government data.
- Eradication: Implied remediation required understanding group-specific malware delivery mechanisms (e.g., Betruger backdoor removal).
- Recovery: Sector-specific recovery required, with public sector entities needing rapid restoration efforts.
## Lessons Learned
- Threat Actor Sophistication: Threat actors are rapidly advancing, particularly concerning EDR/security solution evasion and adopting cutting-edge encryption standards (e.g., adoption of ML-KEM/Kyber algorithms).
- Sector Targeting: Attackers are strategically focusing on sectors critical to global stability, such as manufacturing supply chains and government operations.
- Infrastructure Adaptation: Adversaries are agile in changing their command-and-control infrastructure (e.g., Qilin moving servers).
## Recommendations
- **Harden Against EDR Evasion:** Review and harden EDR configurations to detect and block webcam manipulation and suspicious process injection techniques.
- **Monitor Supply Chain Security:** Increase due diligence and security oversight for third-party vendors, especially in the manufacturing and logistics sectors, given the targeted nature of these attacks.
- **Patch and Monitor External Services:** Prioritize patching and monitoring for widely targeted platforms such as Jira servers.
- **Encryption Readiness:** Investigate security posture against emerging cryptographic standards being adopted by threat actors (e.g., post-quantum cryptography primitives).