Urgent Warning NoName Gang Launches RansomHub Malware – Is Your Data at Risk?




NoName Ransomware Gang Deploying RansomHub Malware in Recent Attacks


The NoName ransomware gang has been attempting to build a reputation for over three years by targeting small and medium-sized businesses worldwide with its encryption tools. It now appears to be working as part of the RansomHub network.


The gang uses custom tools known as the Spacecolon malware family, deploying them after gaining access to networks through brute-force attacks, as well as exploiting older vulnerabilities such as EternalBlue (CVE-2017-0144) and ZeroLogon (CVE-2020-1472).


In recent attacks, NoName has been using the ScRansom ransomware, which replaced the Scarab encryptor. The gang also attempted to boost its reputation by experimenting with the leaked LockBit 3.0 ransomware builder, creating a similar data leak site, and using almost identical ransom notes.


ScRansom Ransomware


Cybersecurity company ESET has been tracking NoName’s activities under the alias CosmicBeetle since 2023, with the emergence of the ScRansom ransomware, a Delphi-based file-encrypting malware.


In a recent report, ESET researchers noted that although ScRansom, part of the Spacecolon malware family, is not as sophisticated as other ransomware threats, it remains a continuously evolving menace.


The malware supports partial encryption at various speeds, giving attackers more flexibility. It also features an “ERASE” mode that overwrites file content with a fixed value, making recovery impossible.


ScRansom can encrypt files across all drives, including fixed, remote, and removable media, and allows attackers to target specific file extensions through a customizable list.


Before launching the encryption process, ScRansom terminates several processes and services on Windows hosts, including Windows Defender, Volume Shadow Copy, SVCHost, RDPclip, LSASS, and processes associated with VMware tools.


ESET pointed out that ScRansom’s encryption scheme is relatively complex, using a combination of AES-CTR-128 and RSA-1024, with an additional AES key generated to protect the public key.


However, the multi-step key exchange can introduce errors, so decryption may fail even when the correct keys are supplied.


Moreover, if the ransomware is executed again on the same device or in a network with multiple systems, new sets of unique keys and victim IDs are generated, complicating the decryption process further.


One case highlighted by ESET involved a victim who received 31 decryption keys after paying the ransom but was still unable to recover all of their encrypted files.



NoName Exploiting Vulnerabilities


In addition to brute-force attacks, the NoName gang has been exploiting various vulnerabilities commonly found in small and medium-sized business environments, including:


  • CVE-2017-0144 (known as EternalBlue)
  • CVE-2023-27532 (a vulnerability in the Veeam Backup & Replication component)
  • CVE-2021-42278 and CVE-2021-42287 (Active Directory privilege escalation vulnerabilities through noPac)
  • CVE-2022-42475 (a vulnerability in FortiOS SSL-VPN)
  • CVE-2020-1472 (known as Zerologon)


A recent report from Turkey-based cybersecurity company Pure7 also noted that NoName exploited CVE-2017-0290 in its attacks using a batch file (DEF1.bat) that modifies Windows settings to disable Windows Defender features and services.
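The two behaviours described above, ScRansom terminating defensive processes and services before encrypting, and DEF1.bat switching off Windows Defender, share a detectable shape: several defence-impairment events land on one host within seconds. The script below is an added example written for this article, not code from ESET, Pure7 or the article itself. It reads constructed JSON-lines events (the field names loosely follow Sysmon and Windows event-log conventions but the schema is an assumption), maps process terminations, service stops and a Defender real-time-protection-disabled event onto a watchlist, and alerts on any host where three or more such signals fall inside a 60-second window. The executable names behind the components the article lists (MsMpEng.exe, lsass.exe, rdpclip.exe, vmtoolsd.exe) are the real binaries, but the paths and timestamps in the sample are made up.

```python
"""Defence-impairment burst detector (added example, not from the article).

Flags hosts where several security processes/services stop in a short
window: the pre-encryption pattern attributed to ScRansom, plus Windows
Defender being switched off as DEF1.bat is described as doing.
Input is simplified JSON lines; the schema is an assumption.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Image names whose termination is suspicious (real binaries behind the
# components the article names). svchost.exe is deliberately left out:
# it hosts dozens of services and its exits are too noisy to count.
WATCHED_IMAGES = {"msmpeng.exe", "lsass.exe", "rdpclip.exe", "vmtoolsd.exe"}
# Service display names whose stop (System log 7036-style event) is suspicious.
WATCHED_SERVICES = {"volume shadow copy", "windows defender antivirus service"}

WINDOW = timedelta(seconds=60)   # correlation window
THRESHOLD = 3                    # signals needed inside the window to alert


def parse_event(line):
    """Return (timestamp, host, signal_label) for watched events, else None."""
    ev = json.loads(line)
    ts = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
    host, source, eid = ev["host"], ev["source"], ev["event_id"]
    if source == "sysmon" and eid == 5:          # Sysmon 5: process terminated
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image in WATCHED_IMAGES:
            return ts, host, f"process-terminated:{image}"
    elif source == "system" and eid == 7036:     # service entered a new state
        if ev.get("state") == "stopped" and ev["service"].lower() in WATCHED_SERVICES:
            return ts, host, f"service-stopped:{ev['service']}"
    elif source == "defender" and eid == 5001:   # Defender: real-time protection disabled
        return ts, host, "defender-realtime-disabled"
    return None


def detect_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window correlation per host; returns {host: alert_details}."""
    per_host = defaultdict(list)
    for line in lines:
        sig = parse_event(line)
        if sig:
            ts, host, label = sig
            per_host[host].append((ts, label))
    alerts = {}
    for host, events in per_host.items():
        events.sort()
        best, j = [], 0
        for i in range(len(events)):
            # advance j while events[j] still lies within `window` of events[i]
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            span = events[i:j]
            if len(span) >= threshold and len(span) > len(best):
                best = span
        if best:
            alerts[host] = {"start": best[0][0], "end": best[-1][0],
                            "signals": [label for _, label in best]}
    return alerts


# Constructed sample log: WS-07 shows the burst, WS-03 shows scattered noise.
SAMPLE_LOG = [
    '{"time":"2024-06-10 02:14:05","host":"WS-07","source":"sysmon","event_id":1,"image":"C:\\\\Windows\\\\System32\\\\cmd.exe"}',
    '{"time":"2024-06-10 02:14:09","host":"WS-07","source":"defender","event_id":5001}',
    '{"time":"2024-06-10 02:14:12","host":"WS-07","source":"system","event_id":7036,"service":"Volume Shadow Copy","state":"stopped"}',
    '{"time":"2024-06-10 02:14:15","host":"WS-07","source":"sysmon","event_id":5,"image":"C:\\\\Windows\\\\System32\\\\rdpclip.exe"}',
    '{"time":"2024-06-10 02:14:16","host":"WS-07","source":"sysmon","event_id":5,"image":"C:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\vmtoolsd.exe"}',
    '{"time":"2024-06-10 09:30:00","host":"WS-03","source":"sysmon","event_id":5,"image":"C:\\\\Windows\\\\System32\\\\rdpclip.exe"}',
    '{"time":"2024-06-10 11:02:00","host":"WS-03","source":"system","event_id":7036,"service":"Volume Shadow Copy","state":"stopped"}',
]

if __name__ == "__main__":
    for host, alert in detect_bursts(SAMPLE_LOG).items():
        print(f"ALERT {host}: {len(alert['signals'])} defence-impairment signals "
              f"between {alert['start']} and {alert['end']}")
        for label in alert["signals"]:
            print("   ", label)
```

Single terminations of rdpclip.exe or a VSS stop happen legitimately, which is why the detector correlates several distinct signals in a tight window rather than alerting on any one of them; tune WINDOW and THRESHOLD to the host's baseline, and feed real Sysmon, System and Defender operational events through a thin adapter that produces the same fields.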


NoName Deploying RansomHub Tools


Before officially becoming part of the RansomHub network, NoName made several moves that demonstrated its commitment to the ransomware business. In September 2023, CosmicBeetle launched an extortion website on the dark web called "NONAME," which was a modified version of the LockBit data leak site.


In November 2023, the gang intensified its impersonation efforts by registering the domain lockbitblog[.]info and using the LockBit logo and theme. While investigating a ransomware incident in June, researchers discovered that NoName had deployed RansomHub tools on a compromised device, further indicating their integration into the RansomHub network.


ESET researchers expressed medium confidence that CosmicBeetle had officially joined RansomHub.

