Ransomware descended from the tool used in the Colonial Pipeline attack in 2021 has been leveraging new tools, tactics, and procedures. What does this evolving threat mean for its potential targets?

Carrie Pallardy, Contributing Reporter

September 29, 2022


The Threat Hunter Team at software company Symantec reported that Noberus, which also goes by the names BlackCat/ALPHV, is leveraging new tools, tactics, and procedures (TTPs). The ransomware-as-a-service BlackCat/ALPHV, written in the programming language Rust, has compromised at least 60 different entities across the world, according to a Federal Bureau of Investigation Cyber Division report from April 2022. The number of affected organizations has likely increased since then.

Noberus is using an updated data exfiltration tool, Exmatter, and Eamfo, malware designed to steal credentials, according to the Symantec report. Four cybersecurity experts dig into what the Noberus updates and evolving ransomware mean for IT leaders who need to help defend their organizations.

How Noberus Works

Noberus is a descendant of the Darkside and BlackMatter ransomware families; Darkside was used in the 2021 Colonial Pipeline attack. Symantec reports that ransomware-as-a-service operation Coreid is likely responsible for the development of these ransomware strains.

Noberus was initially discovered in November 2021, and since then, it has undergone a number of updates to improve its efficiency, including new encryption functionality. An updated version of the Exmatter tool was spotted in connection with Noberus attacks in August, according to Symantec. It also reports that attackers leveraging Noberus have been observed using Eamfo malware to steal credentials stored by Veeam software.

“What sets Noberus apart from other ransomware groups is its ability to design highly customizable ransomware executables for its intended target,” says Aaron Sandeen, CEO and co-founder of Cyber Security Works, a U.S. Department of Homeland Security-sponsored CVE Numbering Authority. “Rather than creating automated malware, Noberus ransomware dedicates a lot of manpower to understanding its target’s systems to find specific entry points.”

Responding to Evolving Ransomware

The updates to Noberus are concerning but expected. “This is the new normal. Criminal groups will continue to reinvest part of their profits in research and development to drive the innovation cycle of development and distribution of their unwanted products,” says Kayne McGladrey, a senior member of the professional organization the Institute of Electrical and Electronics Engineers (IEEE).

While large organizations may seem like the prime targets for ransomware attacks, threat actors are targeting entities of all sizes. And smaller organizations often lack cybersecurity defenses. The SpyCloud Ransomware Defense Report found that smaller companies have fared worse than larger companies this year.

“Attackers have figured out how to monetize the cyber-poor, but the defenders have not yet,” says Joshua Corman, former chief strategist for the Cybersecurity and Infrastructure Security Agency (CISA) and vice president of cyber safety at cybersecurity company Claroty.

But IT leaders do have ways to minimize the attack surface and vulnerabilities that Noberus or other ransomware strains can target. “First and foremost, IT leaders should be familiar with the vendors/products and specific vulnerabilities Noberus and associated APT groups target and patch them immediately if they have not already been remediated,” Cyber Security Works’ Sandeen explains.

Cybersecurity best practices, like zero trust and the NIST Cybersecurity Framework, can significantly reduce the risk of falling prey to ransomware, but adopting these practices is not always within reach. Corman suggests organizations that lack the budget and resources to invest in cybersecurity start by cutting down on bad practices, like unsupported end-of-life software, default passwords, and single-factor remote administration tools.

Additionally, organizations can make use of easily accessible resources. For example, CISA publishes known exploited vulnerabilities and aggregates resources for organizations to defend against ransomware, as well as guidance for when entities have been hit by a ransomware attack.
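One way to act on the CISA Known Exploited Vulnerabilities (KEV) catalog mentioned above is to cross-reference it against a software inventory and triage the matches. The script below is an added example, not code from the article, Symantec, or CISA. It assumes the catalog follows the field names of CISA's public KEV JSON feed (cveID, vendorProject, product, knownRansomwareCampaignUse, dueDate); the catalog entries and the inventory embedded in it are constructed placeholders with fake CVE IDs, not real records.

```python
"""Cross-reference a software inventory against a KEV-style catalog.

Added example, not from the article. Assumptions:
- Catalog field names follow CISA's KEV JSON feed, but every entry
  below is a constructed placeholder (CVE-0000-xxxxx are not real IDs).
- The inventory is a constructed list of (vendor, product) pairs; a real
  one would come from an asset-management export.
"""
import json
from datetime import date

# Constructed catalog excerpt with placeholder CVE IDs (not real vulnerabilities).
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVPN", "product": "Gateway",
         "knownRansomwareCampaignUse": "Known", "dueDate": "2022-09-01"},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVPN", "product": "Gateway",
         "knownRansomwareCampaignUse": "Unknown", "dueDate": "2022-12-01"},
        {"cveID": "CVE-0000-00003", "vendorProject": "OtherCorp", "product": "Mailer",
         "knownRansomwareCampaignUse": "Known", "dueDate": "2022-10-15"},
    ]
})

# Constructed inventory: what the organization runs, as (vendor, product).
SAMPLE_INVENTORY = [("ExampleVPN", "Gateway"), ("Acme", "Widget")]


def load_catalog(raw_json):
    """Parse the catalog and index entries by a normalized (vendor, product) key."""
    index = {}
    for entry in json.loads(raw_json)["vulnerabilities"]:
        key = (entry["vendorProject"].strip().lower(), entry["product"].strip().lower())
        index.setdefault(key, []).append(entry)
    return index


def find_exposures(inventory, index, today):
    """Return catalog matches for the inventory.

    Each match records whether CISA ties the CVE to ransomware campaigns and
    whether the federal remediation due date has already passed. Results are
    sorted so ransomware-linked, overdue items come first for patch triage.
    """
    hits = []
    for vendor, product in inventory:
        for entry in index.get((vendor.strip().lower(), product.strip().lower()), []):
            due = date.fromisoformat(entry["dueDate"])
            hits.append({
                "cve": entry["cveID"],
                "vendor": vendor,
                "product": product,
                "ransomware_use": entry["knownRansomwareCampaignUse"] == "Known",
                "overdue": due < today,
            })
    # False sorts before True, so negate the flags to put urgent items first.
    hits.sort(key=lambda h: (not h["ransomware_use"], not h["overdue"], h["cve"]))
    return hits


if __name__ == "__main__":
    catalog = load_catalog(SAMPLE_KEV_JSON)
    for hit in find_exposures(SAMPLE_INVENTORY, catalog, date(2022, 10, 1)):
        flag = "RANSOMWARE" if hit["ransomware_use"] else "         "
        state = "OVERDUE" if hit["overdue"] else "pending"
        print(f"{flag} {state} {hit['cve']} {hit['vendor']} {hit['product']}")
```

Against a real environment, replace SAMPLE_KEV_JSON with the downloaded KEV feed and SAMPLE_INVENTORY with an asset-inventory export; product names in vendor feeds and in inventories rarely match exactly, so the normalization in load_catalog is the part most likely to need tuning.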

“If a company cannot dedicate cybersecurity personnel to protect its own assets, then outsourcing to industry professionals or leveraging cloud resources with cybersecurity professionals already staffed internally is a very reasonable approach that can, if implemented correctly, drastically reduce the risk of ransomware,” says Andrew Reifers, PhD, associate teaching professor at the University of Washington Information School.

Facing a Growing Threat

Ransomware is here to stay, but lost revenue and records are no longer the only consequence. Threat actors are now targeting health care and other critical infrastructure organizations.

“For the last 30 years of cybersecurity and connectivity, most attackers respected and left alone things like the water you drink and the food you put on your table and healthcare. That respect is no longer present. They are much more aggressive,” Corman cautions. “Ransomware is now having a human toll. We are not measuring record count. We are measuring body count.”

Coreid released rules with the Noberus ransomware, stating that it cannot be used to attack healthcare, education, and government sectors, among others, according to the Symantec report. But critical infrastructure is undeniably vulnerable. In 2021, the FBI reported 649 complaints of ransomware attacks on critical infrastructure organizations.

Ransomware, like Noberus, will continue to evolve, but attackers will also continue to leverage legacy tools that require very little, if anything, in the way of innovation while many of their targets continue to lack adequate cybersecurity.

About the Author(s)

Carrie Pallardy

Contributing Reporter

Carrie Pallardy is a freelance writer and editor living in Chicago. She writes and edits in a variety of industries including cybersecurity, healthcare, and personal finance.
