EclecticIQ Threat Research Team
September 13, 2021

The Analyst Prompt #35 - Ragnarok and Phorpiex; US Cyber Cooperation; Cryptocurrency Heists


Threat Actor Update: Ragnarok and Phorpiex Disappearance from Malware Landscape is Unlikely to Reduce the Threat

According to separate articles from E Hacking News, two ransomware families ceased operations during the last week of August. The Ragnarok ransomware group, also known as Asnarok, published a master decryption key online and ceased all other operations without an explanation. The group had been active since at least 2019. (1) Similarly, the creators of the Phorpiex botnet abandoned operations and are offering the malware source code for sale online. The botnet’s two original developers are no longer maintaining the botnet, which is the implied reason for the shutdown. (2)

The current cyber threat landscape remains full of malware families whose tools and operations continue growing in size and sophistication, so the shutdown of two known malware families will probably have a negligible impact on the cyber threat landscape in the medium-to-long term. EclecticIQ threat researchers assess that skilled threat actors associated with either organization will probably easily transition to working on other malware projects. Analysts will watch for indications about the amount paid for Phorpiex’s source code—if it sells. An especially quick or lucrative sale could shed light on the demand for off-the-shelf, proven-to-work malware code.

Policy and Governance: U.S. Brings Industry Leaders Together to Initiate Cyber Cooperation

On 25 August, U.S. President Joe Biden convened a meeting of leaders from across industry and academia to discuss a “whole of nation” approach to cybersecurity, which the Biden administration called a “national security and economic security imperative.” Among the pronouncements from the meeting, the government pledged to establish a new supply chain security framework, and to add natural gas pipelines to the Industrial Control Systems Cybersecurity Initiative. Top-tier tech companies, educational institutions and non-governmental organizations pledged a variety of cyber education and investment initiatives, some spanning the next several years. (3)

Cooperative efforts like this one, which cross the government-industry-academia divide, are helpful first steps in becoming more cyber-secure. Nonetheless, implementing real cyber security initiatives will undoubtedly be extremely costly and time consuming, and the biggest challenge will be ensuring that cooperation continues long-term. Governments will be most successful in partnering with the tech industry if they incentivize voluntary cyber security measures, demonstrate the fiscal benefits of preventing attacks, and take a cooperative (not adversarial) stance to assist victims of cyberattacks.

New and Noteworthy: Yet Another Crypto Heist Illustrates Enduring Risk of Cyber Theft to Cryptocurrency Assets

Decentralized Finance (DeFi) organization Cream Finance suffered a loss of over $34 million when an attacker exploited a vulnerability to make off with Ethereum and AMP tokens. Cream Finance is offering to let the thief keep 10% of the stolen tokens as a bounty, provided the remaining 90% is returned. The company is also offering 50% of the assets to anybody who provides information about the attacker. Independently of those two offers, the company pledged to set aside 20% of its protocol fees to replace customers’ lost assets. (4) This theft follows attacks against Poly Network, Liquid, and Popsicle Finance, each of which was a victim of crypto theft in August. (5, 6, 7)

This spate of thefts is probably the result of several factors that contribute to the growing appeal of stealing cryptocurrency assets. The risk of theft will continue to rise as cryptocurrency gains popularity and as the number of cryptocurrency vendors grows, because both factors increase the sheer number of opportunities for theft. Furthermore, the lack of legislation surrounding crypto-related crimes leaves companies to fend for themselves in the aftermath of a theft. The current trend of offering amnesty, financial reward, or even employment to cryptocurrency thieves will reinforce the notion that this activity is somehow less destructive, and thus more acceptable, than traditional robbery. Crypto investors would be wise to weigh these heightened risks when investing in crypto assets until companies demonstrate mature security capabilities for protecting them.

About EclecticIQ Threat Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.

Appendix:

  1. https://www.ehackingnews.com/2021/08/ragnarok-ransomware-gang-releases-free.html
  2. https://www.ehackingnews.com/2021/08/phorpiex-malware-has-shut-down-their.html
  3. https://www.whitehouse.gov/briefing-room/statements-releases/2021/08/25/fact-sheet-biden-administration-and-private-sector-leaders-announce-ambitious-initiatives-to-bolster-the-nations-cybersecurity/
  4. https://www.zdnet.com/article/cream-finance-wallet-pilfered-for-34-million-in-cryptocurrency/#ftag=RSSbaffb68
  5. https://www.ehackingnews.com/2021/08/the-hacker-behind-biggest-crypto-heist.html
  6. https://www.welivesecurity.com/2021/08/20/hackers-swipe-100million-cryptocurrency-exchange/
  7. https://www.coindesk.com/markets/2021/08/04/popsicle-finance-loses-207m-in-cyberattack/
