{"id":43417,"date":"2021-10-15T00:00:00","date_gmt":"2021-10-15T00:00:00","guid":{"rendered":"https:\/\/www.trendmicro.com\/en_us\/research\/21\/j\/ransomware-operators-found-using-new-franchise-business-model.html"},"modified":"2021-10-15T00:00:00","modified_gmt":"2021-10-15T00:00:00","slug":"ransomware-operators-found-using-new-franchise-business-model-sr-threat-researcher","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/ransomware-operators-found-using-new-franchise-business-model-sr-threat-researcher\/","title":{"rendered":"Ransomware Operators Found Using New “Franchise” Business Model Sr. Threat Researcher"},"content":{"rendered":"

<\/p>\n

<\/div>\n

Shared infrastructure <\/span><\/p>\n

To date, we have found fifteen onion addresses used by at least four different servers, and three others still unknown.<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Onion Address<\/b><\/td>\nServer<\/b><\/td>\n<\/tr>\n
w6ilafwwrgtrmilorzqex6pgpvfsa667fydca2wpoluj6sajka225byd[.]onion<\/td>\nA<\/td>\n<\/tr>\n
accdknc4nmu4t5hclb6q6kjm2u7u5xdzjnewut2up2rlcfqe5lootlqd[.]onion<\/td>\nA<\/td>\n<\/tr>\n
c6zkofycoumltpmm6zpyfadkuddpmlqk6vyd3orrfjgtq3vrgyifl6yd[.]onion<\/td>\nA<\/td>\n<\/tr>\n
3klsbd4dwj3yqgo4xpogfgwqkljbnbdxjryeqks2cjion5jj33wvkqyd.onion<\/td>\nB<\/td>\n<\/tr>\n
yk7erwdvj4vxcgiq3gmcufkben4bk4ixddl5j2xvu7gurtdq754jmiad.onion<\/td>\nB<\/td>\n<\/tr>\n
z4cn6lpet4y4r6mdlbpklpcrjdruwb6kiuvxn6gsiuoub23z6prlx6ad.onion<\/td>\nB<\/td>\n<\/tr>\n
ibih5znjxf2cqgo737xmooyvmxhac45wd4rivh6n5hd7fysn42g3fayd.onion<\/td>\nB<\/td>\n<\/tr>\n
ikrah6fb4e6r2raxkyvyoxp22jam5z6ak5ajfnzxutmassoagvr2bhad.onion<\/td>\nB<\/td>\n<\/tr>\n
hceesrsg6f5p4gcph4j6jv6vl4mkmaik735oz4r45lgjfyedsxfoprad.onion<\/td>\nB<\/td>\n<\/tr>\n
qfgh2lpslhjb33z3wsenmqrxcdragelinvcpowlgkbjca6yig5zloeyd.onion<\/td>\nB<\/td>\n<\/tr>\n
x4mjvffmytkw3hyu.onion<\/td>\nC<\/td>\n<\/tr>\n
tpze4yo74m6qflef.onion<\/td>\nD<\/td>\n<\/tr>\n
evl425tkt4hkwryyplvqu6bn6slfow3fa4xwgvwe5t4zf6gizs3ewuyd.onion<\/td>\nUnknown 1<\/td>\n<\/tr>\n
xingnewj6m4qytljhfwemngm7r7rogrindbq7wrfeepejgxc3bwci7qd.onion<\/td>\nUnknown 2<\/td>\n<\/tr>\n
zckdr5wmbzxphoem77diqb2ome2a54o23jl2msz3kmotjlpdnjhmn6yd.onion<\/td>\nUnknown 3<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Table 1. The onion addresses used by the different servers<\/p>\n

And here is how they relate to the group:<\/p>\n\n\n\n\n\n\n\n\n\n\n
Server<\/b><\/td>\nXingLocker<\/b><\/td>\nAstroLocker Team<\/b><\/td>\n<\/tr>\n
A<\/td>\nx<\/td>\n <\/td>\n<\/tr>\n
B<\/td>\nx<\/td>\nx<\/td>\n<\/tr>\n
C<\/td>\nx<\/td>\nx<\/td>\n<\/tr>\n
D<\/td>\nx<\/td>\n <\/td>\n<\/tr>\n
Unknown 1<\/td>\nx<\/td>\n <\/td>\n<\/tr>\n
Unknown 2<\/td>\nx<\/td>\n <\/td>\n<\/tr>\n
Unknown 3<\/td>\nx<\/td>\n <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Table 2. The different servers in relation to XingLocker and AstroLocker Team<\/p>\n

While this is not a sophisticated innovation, it is important to highlight that ransomware groups are looking for new ways<\/a> to run their affiliate programs and RaaS businesses. This form of shared infrastructure and code can make things harder from an investigative point of view. It is not uncommon to find XingLocker samples detected as Mount Locker, or identify two different onion addresses pointing to the same onion service but used by different groups. Investigators should be aware of these factors when researching ransomware.<\/p>\n

Why is this important? Most RaaS models operate by affiliates working with the ransomware group<\/a> to install a specifically named ransomware on as many machines as possible, then splitting the profits. This is advantageous for the attackers because when victims look up the ransomware and see many reports about it, they are more likely to pay. As a disadvantage, affiliates are largely anonymous and can\u2019t use these attacks as the basis of THEIR own criminal business. They are just like managers in a burger chain.<\/p>\n

It seems likely we have now observed a new “franchise” RaaS model involving XingLocker, AstroLocker and Mount Locker. In this model there seems to be a main RaaS (in this case Mount Locker), and then affiliates license the ransomware and release it under their own name and brand. <\/p>\n

In this scenario, the affiliates are like managers of their own local burger joint, getting products from a generic food supplier. The products are provided by the parent company, but the individual operators conduct business under their own branding, with unique names and images. This method gives more flexibility and recognition for the affiliates, especially mid-tier aspiring criminal gang leaders. One disadvantage is that it means less brand recognition for specific ransomware, so victims may be less inclined to pay. Of course, from an investigation point of view, this method adds confusion in terms of naming and makes tracking harder.<\/p>\n

How to Defend Against Ransomware<\/span><\/p>\n

Ransomware is a continuously evolving threat, and organizations should be vigilant in maintaining the best and most effective security policies and practices. Protection frameworks set by the Center of Internet Security<\/a> and the National Institute of Standards and Technology<\/a> can help organizations prevent and mitigate the impact of ransomware attacks: <\/p>\n