Black Bersek Malware Shares Similarities With Cylance Ransomware
EclecticIQ analysts evaluate that Black Bersek ransomware shares multiple similarities with Cylance ransomware. The two malware families show code similarities, use very similar command-line arguments, and share the same encryption cipher, Salsa20.
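The shared use of Salsa20 noted above is the kind of overlap an analyst can check for during sample triage. Salsa20 and its ChaCha relative initialise their state with the fixed ASCII constants "expand 32-byte k" (256-bit key) or "expand 16-byte k" (128-bit key), and those bytes, or their four 32-bit little-endian words emitted as immediates, usually survive in compiled code. The following scanner is an added example written for this page, not EclecticIQ's tooling and not code from either malware family; the sample byte blobs it runs on are constructed here, and a hit is a lead for deeper code-similarity work rather than a verdict, since legitimate crypto libraries contain the same constants.

```python
"""Triage helper: locate Salsa20/ChaCha key-expansion constants in a binary blob.

Added example for illustration. The two constants below are the real values
from the Salsa20/ChaCha specifications; everything else (sample blobs, names)
is constructed for this example.
"""
import struct
from typing import Dict, List

# Real constants from the Salsa20/ChaCha specifications.
CONSTANTS: Dict[str, bytes] = {
    "sigma": b"expand 32-byte k",  # used with 256-bit keys
    "tau": b"expand 16-byte k",    # used with 128-bit keys
}


def _words(const: bytes) -> List[bytes]:
    """Split a 16-byte constant into its four little-endian 32-bit words.

    Compilers often load the constant as four separate immediates instead of
    one contiguous string, so each word is searched for on its own as well.
    """
    return [struct.pack("<I", w) for w in struct.unpack("<4I", const)]


def _find_all(blob: bytes, needle: bytes) -> List[int]:
    """Return every offset at which needle occurs in blob (overlaps allowed)."""
    offsets: List[int] = []
    start = 0
    while (idx := blob.find(needle, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets


def scan_for_salsa_constants(blob: bytes) -> dict:
    """Scan blob for the Salsa20/ChaCha constants.

    Returns {"contiguous": {name: [offsets]}, "words": {name: {word: [offsets]}}}.
    A contiguous hit is the full 16-byte string; word hits are weaker evidence.
    """
    result: dict = {"contiguous": {}, "words": {}}
    for name, const in CONSTANTS.items():
        offs = _find_all(blob, const)
        if offs:
            result["contiguous"][name] = offs
        found = {w: _find_all(blob, w) for w in _words(const)}
        result["words"][name] = {w: o for w, o in found.items() if o}
    return result


def classify(result: dict) -> str:
    """Summarise evidence strength: 'strong', 'weak' or 'none'.

    'strong'  - a full constant found contiguously.
    'weak'    - all four words of one constant found somewhere in the blob,
                e.g. scattered as immediates in the key-setup routine.
    'none'    - nothing recognisable.
    """
    if result["contiguous"]:
        return "strong"
    if any(len(found) == 4 for found in result["words"].values()):
        return "weak"
    return "none"


if __name__ == "__main__":
    # Constructed sample 1: constant stored as a contiguous string.
    sample_contiguous = b"\x00" * 100 + b"junk" + CONSTANTS["sigma"] + b"\xff" * 50
    # Constructed sample 2: the four words separated by filler bytes, as if
    # each were loaded by its own instruction.
    sample_scattered = b"MZ" + b"\x90" * 20 + b"".join(
        w + b"\x48\x89\xc7" for w in _words(CONSTANTS["sigma"])
    ) + b"\x00" * 10
    for label, blob in (("contiguous", sample_contiguous), ("scattered", sample_scattered)):
        res = scan_for_salsa_constants(blob)
        print(f"{label}: {classify(res)} -> {res['contiguous']}")
```

A "weak" result is worth following up with the surrounding disassembly: a genuine Salsa20 key setup will place the four words into the state array alongside the key and nonce, whereas an incidental string match will not. Pairing this constant check with the command-line argument comparison the analysts mention gives a cheap first pass before full code-similarity analysis.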
Ransomware family lifespan is decreasing, resulting in higher numbers of variants. [1] Ransomware families and syndicates are still constantly shifting despite a reported downturn in overall ransomware infections from 2022 to 2023. [2, 3] The average ransomware family lifespan dropped from 153 days in 2021 to 70 days in 2022. Chainalysis and Malwarebytes report that diminishing profits, specifically victims refusing to pay, may be driving the drop in ransomware family lifespan. [2] As a result, organizations must also change tactics more quickly to keep defenses up to date, as families cycle faster and change techniques.
Offensive Tool Development Based on Large Language Models Will Enable Threat Actors to Focus on Cyberattack Obfuscation
New large language model-based tools will initially be focused on deploying more complex payloads. If new tools are able to do the grunt work of launching exploits, they will enable threat actors to focus on deeper-level strategy. This is very likely to result in cyberattacks that are increasingly obfuscated, because threat actors can redirect resources normally spent on the exploitation and installation phases of the Kill Chain toward more successful execution of the exfiltration phase.
Security researchers recently used a version of ChatGPT to control a proxy agent that was then able to exploit an Active Directory system through channels very similar to those of real-world pen tests. [4] In another example, an investigation concludes that current strategies and methods to detect AI-content-driven bots are inadequate. The researchers used Twitter and a version of ChatGPT to create human-like content in a realistic and feasible scenario. [5] With tools to do the heavy lifting of content generation, threat actors will have more time to obfuscate their bot networks in order to promote their campaigns.
Structured Data
Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack: TAXII v1 Discovery services.
Please refer to our support page for guidance on how to access the feeds.
About EclecticIQ Intelligence and Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence and Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research toward your priority area.
Appendix
[1] Bill Toulas, “Ransomware Profits Drop 40% in 2022 as Victims Refuse to Pay,” BleepingComputer, Jan. 19, 2023. https://www.bleepingcomputer.com/news/security/ransomware-profits-drop-40-percent-in-2022-as-victims-refuse-to-pay/ (accessed Aug. 08, 2023).
[2] Chainalysis Team, “Ransomware Revenue Down As More Victims Refuse to Pay,” Chainalysis, Jan. 19, 2023. https://blog.chainalysis.com/reports/crypto-ransomware-revenue-down-as-victims-refuse-to-pay/ (accessed Aug. 09, 2023).
[3] Peter Arntz, “Ransomware Revenue Significantly Down Over 2022,” Malwarebytes, Jan. 23, 2023. https://www.malwarebytes.com/blog/news/2023/01/ransomware-revenue-significantly-down-over-2022 (accessed Aug. 08, 2023).
[4] Andreas Happe, Jürgen Cito, “Getting pwn’d by AI: Penetration Testing with Large Language Models,” TU Wien, Aug. 7, 2023. https://arxiv.org/pdf/2308.00121.pdf (accessed Aug. 08, 2023).
[5] Kai-Cheng Yang, Filippo Menczer, “Anatomy of an AI-Powered Malicious Social Botnet,” Indiana University, Jul. 30, 2023. https://arxiv.org/abs/2307.16336 (accessed Aug. 08, 2023).