Colonial Pipeline hackers add startling new capabilities to ransomware operation

The ransomware group behind the Colonial Pipeline hack recently added a slate of new tactics, tools, and procedures to its operation, making it even simpler for members to encrypt, steal and sort data.

In a report from the Symantec Threat Hunter Team, researchers examined the latest evolutions of a group they named Coreid.

Symantec researchers outlined how the group has evaded law enforcement by deploying new ransomware strains, having now settled on Noberus — which is shorthand for the BlackCat ALPHV ransomware that has been used in attacks on several U.S. universities. 

The criminal gang has existed in some form since 2012, according to the researchers, who said it began using the Carbanak malware to steal money from organizations in the banking, hospitality and retail sectors.

Three members of the group were arrested in 2018 before it evolved into a ransomware-as-a service (RaaS) operation around 2020.

Coreid has repeatedly updated its ransomware operation since the headline-grabbing attack on Colonial Pipeline — in which it used Darkside ransomware to cripple gas stations across the East Coast in May 2021. 

Scrutiny from law enforcement forced the group to shelve the ransomware and create a new one named BlackMatter, which was used to target agricultural companies during harvest season in the fall of 2021. 

That spate of attacks attracted a similarly high level of law enforcement scrutiny, prompting the group to move from using the BlackMatter ransomware to a new brand called Noberus.

“Noberus sparked interest when it was first seen in November 2021 because it was coded in Rust, and this was the first time we had seen a professional ransomware strain used in real world attacks coded in that programming language,” the researchers said. 

“Rust is a notable language as it is crossplatform. Coreid claims that Noberus is capable of encrypting files on Windows, EXSI, Debian, ReadyNAS, and Synology operating systems.”

À la carte ransomware

Coreid — known by some security firms as FIN7 or Carbon Spider — operates a RaaS operation in which the group splits paid ransoms with the affiliate in charge of the attack itself. 

In advertisements on the dark web, Coreid highlighted the many improvements to Noberus that made it better than other ransomware — including encrypted negotiation chats that can only be accessed by the intended victim.

Noberus offered cybercriminals two different encryption algorithms and four different ways to encrypt systems, depending on needs around speed and the size of data troves.

The group has shown it will cut off affiliates who don’t earn enough in ransoms, according to Symantec, which noted that in December they added a “Plus” category for affiliates who had extorted at least $1.5 million in attacks.

Those affiliates were given access to additional tools enabling them to cause more significant damage to systems. The designation allowed affiliates to launch distributed denial-of-service (DDoS) attacks, gave them phone numbers to directly threaten victims and more technical tools to devastate networks. 

By June and July of 2022, Symantec says Coreid escalated things further, introducing a way to encrypt non-standard architectures and several other features. They even adopted another feature from other groups that allowed their data leak sites to be searchable by keyword, file type, and more.

“The continuous updating and refining of Noberus’ operations shows that Coreid is constantly adapting its ransomware operation to ensure it remains as effective as possible,” the researchers said, noting that in April, the FBI sent out an alert saying the group had compromised at least 60 organizations around the world between November 2021 and March 2022.

Last month, Coreid added a powerful data exfiltration tool targeted at the most popular file types: .pdf, .doc, .docx, .xls, .xlsx, .png, .jpg, .jpeg, .txt and more.

The tool — named Exmatter — was updated to give cybercriminals the ability to not only create a report of all the stolen files but corrupt the files that had already been processed. It now can even be enabled to self-destruct under certain parameters. 

Some affiliates of the criminal group are also using a special information-stealing malware that is designed to steal credentials stored by Veeam backup software — used by thousands of the biggest companies in the world. Veeam is typically used to store credentials, giving cybercriminals access to data that would allow them to get deeper into a system. 

Like some other groups, Coreid has laid out four main groups that affiliates are not allowed to attack: Commonwealth of Independent States, Russia-affiliated countries, healthcare organizations and non-profits. 

Symantec said the affiliates are “advised to avoid attacking the education and government sectors” — an edict they appear to be lenient about given several attacks on colleges around the world.

The group drew headlines late last month after attacking Accelya — a technology firm providing services to Delta, British Airways, JetBlue, United, Virgin Atlantic, American Airlines and many of the world's largest airlines.