Axxes Ransomware Group Appears to be the Rebranded Version of Midas Group
Category: Adversary Intelligence
Industry: Multiple
Country/Region: Global
Source*: F6
Executive Summary
- CloudSEK's digital risk monitoring platform XVigil identified a financially motivated ransomware group operating under the name Axxes, which appears to be a rebrand of a previously known ransomware group.
- The Axxes ransomware group’s PR site lists The H Dubai as their latest victim.
- Their target regions include the USA, Middle East, France, and China.
Figure: Recent activities of the Axxes ransomware group
Analysis and Attribution
About the Axxes Ransomware
- Axxes is a ransomware that encrypts files and appends the .axxes extension to them.
- Axxes drops a ransom note named "RESTORE_FILES_INFO.hta" alongside a second file named "RESTORE_FILES_INFO.txt".
- During execution the ransomware:
  - looks up the geolocation of the device
  - modifies the Windows Firewall configuration
  - renames files on the victim's device, appending its own extension
  - kills running processes with taskkill.exe
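The behaviours listed above (firewall tampering, taskkill-driven process termination, the .axxes extension and the RESTORE_FILES_INFO.* notes) are all visible in ordinary host telemetry. The following hunting logic is an added example, not code from CloudSEK or the report; the event format is a constructed stand-in for Sysmon/EDR process-creation and file-create records (a dict with "type", "image", "cmdline", "parent_image", "path"), the sample events at the bottom are constructed rather than captured, the dropper path and service names in them are hypothetical, and the ATT&CK references in the comments are the editor's mapping, not the report's.

```python
"""Hunting logic for the Axxes host behaviours: firewall tampering,
taskkill bursts, the .axxes extension and RESTORE_FILES_INFO.* notes.

Added example, not code from CloudSEK or the report. Event dicts are a
constructed stand-in for Sysmon/EDR telemetry; SAMPLE_EVENTS are constructed.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

RANSOM_NOTE_NAMES = {"restore_files_info.hta", "restore_files_info.txt"}
ENCRYPTED_EXT = ".axxes"

# "netsh advfirewall set ..." / "netsh firewall add ..." (ATT&CK T1562.004,
# Disable or Modify System Firewall); tolerates a quoted image path.
FIREWALL_RE = re.compile(
    r'netsh(\.exe)?"?\s+(advfirewall|firewall)\b.*\b(set|add|delete)\b', re.I)
# taskkill with /F (force), /IM (by image name) or /PID (ATT&CK T1489, Service Stop)
TASKKILL_FLAGS_RE = re.compile(r"/(f|im|pid)\b", re.I)


def check_process(event):
    """Per-event rules for process-creation telemetry."""
    image = PureWindowsPath(event.get("image", "")).name.lower()
    cmd = event.get("cmdline", "")
    hits = []
    if image == "netsh.exe" and FIREWALL_RE.search(cmd):
        hits.append(("firewall_modification", cmd))
    if image == "taskkill.exe" and TASKKILL_FLAGS_RE.search(cmd):
        hits.append(("forced_process_kill", cmd))
    return hits


def check_file(event):
    """Per-event rules for file-create/rename telemetry."""
    path = PureWindowsPath(event.get("path", ""))
    name = path.name.lower()
    hits = []
    if name.endswith(ENCRYPTED_EXT):
        hits.append(("axxes_extension", str(path)))
    if name in RANSOM_NOTE_NAMES:
        hits.append(("ransom_note_dropped", str(path)))
    return hits


def detect(events, kill_threshold=5):
    """Run the per-event rules, then one aggregate rule: a burst of forced
    taskkill invocations from a single parent is what the pre-encryption
    stage looks like (services holding files open are stopped so the files
    can be overwritten); a lone taskkill is routine admin activity and only
    receives the per-event tag."""
    findings = []
    kills_by_parent = Counter()
    for ev in events:
        if ev.get("type") == "process":
            hits = check_process(ev)
            findings.extend(hits)
            if any(rule == "forced_process_kill" for rule, _ in hits):
                kills_by_parent[ev.get("parent_image", "?")] += 1
        elif ev.get("type") == "file":
            findings.extend(check_file(ev))
    for parent, n in kills_by_parent.items():
        if n >= kill_threshold:
            findings.append(("mass_process_kill", f"{parent}: {n} forced kills"))
    return findings


def summarize(findings):
    """Count findings per rule name."""
    return dict(Counter(rule for rule, _ in findings))


# Constructed sample telemetry. The parent path and the service names are
# illustrative (hypothetical), not taken from the Axxes sample.
SYS32 = "C:\\Windows\\System32\\"
DROPPER = "C:\\Users\\Public\\update.exe"  # hypothetical parent process
SAMPLE_EVENTS = [
    {"type": "process", "image": SYS32 + "netsh.exe", "parent_image": DROPPER,
     "cmdline": "netsh advfirewall set allprofiles state off"},
] + [
    {"type": "process", "image": SYS32 + "taskkill.exe", "parent_image": DROPPER,
     "cmdline": f"taskkill /F /IM {svc}"}
    for svc in ("sqlservr.exe", "sqlwriter.exe", "vssvc.exe",
                "msmdsrv.exe", "outlook.exe", "excel.exe")
] + [
    # one manual kill from an interactive shell: tagged, but not a burst
    {"type": "process", "image": SYS32 + "taskkill.exe",
     "parent_image": SYS32 + "cmd.exe", "cmdline": "taskkill /F /IM notepad.exe"},
    {"type": "process", "image": SYS32 + "cmd.exe", "parent_image": "explorer.exe",
     "cmdline": "cmd /c dir"},
    {"type": "file", "path": "C:\\Users\\alice\\Documents\\budget.xlsx.axxes"},
    {"type": "file", "path": "C:\\Users\\alice\\Desktop\\RESTORE_FILES_INFO.hta"},
    {"type": "file", "path": "C:\\Windows\\Temp\\setup.log"},
]


def run_sample():
    return summarize(detect(SAMPLE_EVENTS))


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} {detail}")
    print(run_sample())
```

The per-event rules on their own are noisy (administrators run taskkill and netsh too); the aggregate rule is what separates a ransomware pre-encryption stage from a help-desk session, and the threshold should be tuned on your own baseline.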
>> What happened?
Important files on your network was ENCRYPTED and now they have "Axxes" extension.
In order to recover your files you need to follow instructions below.
>> Sensitive Data
Sensitive data on your network was DOWNLOADED. More than 70 GB.
If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly.
Data includes:
- Employees personal data, CVs, DL, SSN.
- Complete network map including credentials for local and remote services.
- Private financial information including: clients data, bills, budgets, annual reports, bank statements.
>> CAUTION
DO NOT MODIFY ENCRYPTED FILES YOURSELF.
DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA.
YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS.
>> What should I do next?
1) Download and install Tor Browser from: https://torproject.org/
2) ymnbqd5gmtxc2wepkesq2ktr5qf4uga6wwrsbtktq7n5uvhqmbyaq4qd.onion/link.php?id=hTjNdkb5OCr74qyYii8r5987laFscF
Figure: Axxes ransom note
- After encryption, the note carries a link containing the victim ID. The link leads to a chat page on the group's Tor site, where an account is created from that authorization ID.
- The victim organizations listed on the group’s PR site include details about the organization, such as an address, contact information, number of views, website, and next update date.
Axxes Ransomware Group
- Based on its logo, Axxes appears to be a rebranded version of the Midas ransomware group.
- Midas used the same logo and listed the same victims, apart from the recent additions. The Midas group was first observed in October 2021.
- Midas itself was believed to be a rebrand of Haron ransomware, and Haron a rebrand of the Avaddon ransomware group.
- Some researchers have also claimed that Midas is a variant of Thanos.
Figure: Twitter post discussing Midas ransomware
- While the Haron ransomware group is still operating as Haron Ransomware2, the leak site of the Midas ransomware group is not active anymore.
Indicators of Compromise (IOCs)
Based on the results from VirusTotal and Triage, the following are the IOCs for Axxes ransomware.
MD5
- 063a4b2fb6f7bd96710dd054d03a8668
- ac2e9f9f84f98a1c7514fcf2e81eaa88
SHA-1
- b82bc6b886672606672bf58e84625fafeebf09cc
- 8dfb08d755a31fdd40bfc624983113e2b0a4c0ad
SHA-256
- 5b1d1e8d4d93d360b044101d6c5835b4ac4cb0ef0d19e83d93cafbbd22e708ab
- ec7fbdf548bd27bb5076dd9589e1b87f3c5740da00e77c127eb4cd4541d7d6f7
IPv4 (connections observed during sandbox detonation)
- 8[.]240[.]24[.]124
- 8[.]249[.]245[.]252
- 192[.]168[.]0[.]66
- 8[.]252[.]36[.]124
- 8[.]252[.]68[.]252
- 8[.]253[.]151[.]245
- 8[.]253[.]208[.]108
- 8[.]253[.]208[.]109
- 8[.]253[.]208[.]116
- 8[.]253[.]254[.]124
Note: 192[.]168[.]0[.]66 is an RFC 1918 private address (the sandbox's own LAN) and is not a usable network indicator. The remaining addresses are destinations the sample contacted inside a sandbox; automated detonation also records benign traffic such as OS update and telemetry endpoints, so validate each address against your own telemetry before adding it to a blocklist. The file hashes are the reliable indicators here.
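Before the list above goes into a blocklist or SIEM watchlist it has to be refanged and sanity-checked; the private address in particular should be dropped automatically rather than by eye. The script below is an added example, not part of the report: the indicator strings in RAW_IOCS are copied from the table above, while the triage rules (hash classification by length, exclusion of private and special-use addresses) are generic hygiene that the report does not describe.

```python
"""Refang and triage the Axxes indicator list before loading it.

Added example, not from the original report. RAW_IOCS is copied from the
table above; the triage rules are generic, not something the report states.
"""
import ipaddress
import re

HASH_KIND_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def refang(value):
    """Undo the usual defanging: 8[.]240[.]24[.]124 -> 8.240.24.124, hxxp -> http."""
    v = value.strip()
    for bracketed in ("[.]", "(.)", "{.}"):
        v = v.replace(bracketed, ".")
    return re.sub(r"^hxxp", "http", v, flags=re.I)


def classify(value):
    """Return (kind, normalised_value, note).

    A non-empty note means the indicator must not be loaded as-is."""
    v = refang(value).lower()
    if HEX_RE.match(v):
        kind = HASH_KIND_BY_LEN.get(len(v))
        if kind:
            return kind, v, ""
        return "unknown", v, f"hex string of unexpected length {len(v)}"
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        return "unknown", v, "not a recognised hash or IP address"
    kind = "ipv4" if ip.version == 4 else "ipv6"
    if ip.is_private:
        return kind, v, "private (RFC 1918/ULA) address, sandbox-local; do not block"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved:
        return kind, v, "special-use address; do not block"
    return kind, v, ""


def triage(raw_iocs):
    """Split indicators into loadable ones and ones that need review."""
    usable, rejected = [], []
    for raw in raw_iocs:
        entry = classify(raw)
        (rejected if entry[2] else usable).append(entry)
    return usable, rejected


# Copied from the IOC table above (defanged form kept as published).
RAW_IOCS = [
    "063a4b2fb6f7bd96710dd054d03a8668",
    "ac2e9f9f84f98a1c7514fcf2e81eaa88",
    "b82bc6b886672606672bf58e84625fafeebf09cc",
    "8dfb08d755a31fdd40bfc624983113e2b0a4c0ad",
    "5b1d1e8d4d93d360b044101d6c5835b4ac4cb0ef0d19e83d93cafbbd22e708ab",
    "ec7fbdf548bd27bb5076dd9589e1b87f3c5740da00e77c127eb4cd4541d7d6f7",
    "8[.]240[.]24[.]124", "8[.]249[.]245[.]252", "192[.]168[.]0[.]66",
    "8[.]252[.]36[.]124", "8[.]252[.]68[.]252", "8[.]253[.]151[.]245",
    "8[.]253[.]208[.]108", "8[.]253[.]208[.]109", "8[.]253[.]208[.]116",
    "8[.]253[.]254[.]124",
]

if __name__ == "__main__":
    usable, rejected = triage(RAW_IOCS)
    for kind, v, _ in usable:
        print(f"OK   {kind:7} {v}")
    for kind, v, note in rejected:
        print(f"SKIP {kind:7} {v}  ({note})")
```

Passing the public sandbox-observed addresses through the "usable" list is deliberate: the script removes what is provably wrong (private and special-use ranges) and leaves the judgement call of whether a public address is attacker infrastructure or a CDN/telemetry endpoint to the analyst, who should check it against local traffic first.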
Impact & Mitigation
Impact
- Published data (the note claims a complete network map with credentials for local and remote services) could allow other threat actors to gain access to the victim organizations' networks.
- Any exposed Personally Identifiable Information (PII) could enable social engineering, phishing, and identity theft.
- Exposed IP addresses and login credentials can lead to account takeovers.
- Exposed confidential documents could reveal business practices and intellectual property.
- Because password reuse is common, actors could use exposed credentials to access other accounts belonging to the same users.
Mitigation
- Reset compromised user credentials and enforce a strong password policy for all accounts.
- Where a service port must remain open, apply vendor patches or documented workarounds for the exposed service rather than leaving it unmitigated.
- Patch all vulnerable and exploitable endpoints.
- Monitor user accounts and systems for anomalies that could indicate account takeover.
- Enforce MFA (multi-factor authentication) across logins.
References
- * Intelligence source and information reliability: https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability
- # Traffic Light Protocol: https://en.wikipedia.org/wiki/Traffic_Light_Protocol