Nov 2023 Cybercrime Update | LLMs, Ransomware and Destructive Wipers Proliferate in Recent Attacks

In this blog post, we delve into the notable trends shaping the cyber threat landscape over the past month. Hot topics this month revolve around the expanding use of generative AIs by cybercriminals, the ongoing surge of ransomware campaigns, and the latest developments in cyber warfare related to the Israel-Hamas war.

Crimeware Scene Continues to Explore Advantages of LLMs

AI-centric tools and services continue to emerge, with a number of notable developments since our October 2023 update. Though a relatively new market for threat actors, the types of services on offer are evolving quickly.

One tool that has emerged in recent weeks is FraudGPT, which advertises itself as “Not just a GPT LLM, but an all inclusive, testing, cracking, action and access tool” with the ability to “Generate scam emails, identify malicious code, and uncover leaks and vulnerabilities in seconds”.

Combining the GPT LLM with other tools allows powerful potential for automated havoc. For example, FraudGPT includes integration with an expanding CVE database. This allows attackers to check whether targets are vulnerable to any known software bugs, allowing them to tailor their operation via simple text-based prompts.

FraudGPT

For cybercriminals, the cost is not prohibitive. One FraudGPT seller offers varied subscription options ranging from 89.003 euros per month to 749.00 euros “Lifetime Pro” options. Customized private builds are also advertised at prices starting at 1899.99 euros.

WolfGPT is another tool for sale offering similar functionality. Its feature set includes:

  • Generation of malware and ransomware
  • Automated writing of scam emails
  • Automated writing of “fake news and misinformation”
  • Vulnerability discovery
  • Multiple AI models
  • Unlimited Characters
  • Privacy and performance focused

So-called “Lifetime” licenses for the current version of WolfGPT go for USD $300.

WolfGPT
WolfGPT

Ransomware Hits Financial, Education and Healthcare Sectors

China’s largest Bank, ICBC, was extorted by LockBit, it was reported this month. The attack on the Industrial and Commercial Bank of China is notable given the sheer size and ‘position in the world economy’ that the ICBC holds. According to sources, the ICBC’s U.S. unit was impacted to such an extent that trades representing “billions of US dollars” had to be conducted by transferring information on USB sticks as its computer systems were isolated from the rest of Wall Street.

Elsewhere, an attack on the Toronto Public Library has been attributed to Black Basta ransomware group. The attack is said to have led to “significant disruptions” as all internal systems went down in response to the incident.

In early November 2023, JAE (Japan Aviation Electronics) was targeted by ALPHV (aka BlackCat).

ALPHV and JAE
ALPHV and JAE

Among other attacks attributed to the ALPHV group this month is a claim to have infiltrated Dragos, a cybersecurity provider focused on industrial control systems.

ALPHV and Dragos Inc
ALPHV and Dragos Inc

Confirmation of this attack remains uncertain at the time of writing. A post briefly appeared on the ALPHV blog on November 11, 2023 claiming that Dragos had been breached, but that has since been removed.

In September’s update we reported on the activities of Ransomed.VC. This group has now ceased operations. The developer(s) posted on Telegram and other forums claiming that:

“The project ransomedvc is up for sale…I do not want to continue running the project due to personal reasons, none will be disclosed to journalists, don’t even ask. We are selling everything”

The operator was asking for USD $10 million for its clearnet and TOR domains, ransomware builders and source, affiliate group access, and social media accounts

However, a subsequent message claimed that members of its group had been arrested and that the entire operation was being shut down due to the risks.

Updated Ransomed.VC statement
Updated Ransomed.VC statement

That said, the operator continues to solicit interest in a new private project via the same Telegram channel, so watch this space.

Israel-Hamas Conflict | Destructive Wipers Begin to Emerge

As we saw during the early stages of the Russian invasion of Ukraine, cyber warfare actors were quick to begin destructive wiper campaigns. A similar trend is now being seen in the Israel-Hamas war.

Between October 30th 2023 and November 2nd 2023, a series of wipers began targeting systems across Israel. The wipers, collectively known as “Bibi” wipers, are designed to resemble ransomware but in fact simply overwrite the victims data, with no possibility of recovery. In some of the early variants seen, affected files are renamed with a .BiBi1 file extension.

Variants for both Linux and Windows systems have been noted. When launched all accessible files are overwritten, including core OS files and data. The malware has an option to allow an attacker to specify a target directory for wiping rather than the entire machine.

SHA1: 24f6785ca2e82d1d1d61f4cb01d5e753f80445cf (VirusTotal)
SHA1: 24f6785ca2e82d1d1d61f4cb01d5e753f80445cf (VirusTotal)

The malware also executes commands designed to prevent interruption of execution and to hinder attempts at recovery through deletion of the system VSS backups.

Additionally, on November 13, 2023, Israeli’s CERT published an alert with details and indicators of further wiper attacks, including the following suspected wiper hashes:

27e28737415e9d6a45b5afb03c7b33038df8f800
44f2e8860e2935e900446dc5dea31508c71701ff
48bc39011e06931b319d873a4d2a0cff5b119cdf

These most recent wipers are attributed to Iranian threat actors (BlackShadow aka DEV-0022).

Conclusion

The cybercrime ecosphere continues to explore the use of LLMs, with more offerings of AI-powered tools designed to lower the barrier to entry into cybercrime and make attacks more efficient. Meanwhile, ransomware actors like LockBit and ALPHV have been actively attacking some big name targets as well as public sector healthcare and education providers. The emergence and deployment of multiple variants of wiper malware, while not entirely surprising, represents a new development in cyber threat activity related to the Israel-Hamas war. As past conflicts have shown, such cyber weapons have a very real possibility of affecting targets far from those initially intended.

In the face of these emerging trends, employing a comprehensive security solution like Singularity XDR, which leverages AI and automated remediation, can serve as a potent weapon in an organization’s cybersecurity arsenal. It’s more crucial than ever to stay ahead of the curve, adopting proactive measures that help detect and mitigate threats before they can inflict significant damage.

To learn more about how SentinelOne can help defend your organization’s endpoint, cloud, and network assets, contact us or request a free demo.