Unlike most ransomware groups, this ransomware family does not operate an active leak site; instead it directs victims to negotiate through Tox chat and onion-based messenger instances.
It employs two distinctive anti-analysis techniques. The first is API function hashing, a well-known trick in which imports are resolved by comparing hashes of export names against hard-coded constants, so the plaintext names of the functions being called never appear in the binary. The second is the use of opaque predicates, a control-flow obfuscation technique in which a branch condition always evaluates the same way at runtime but is not obviously constant to a disassembler, leaving dead paths that inflate and confuse the recovered control flow.
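The following Python block is an added illustration of both techniques named above, written for this page; it is not code from the sample being described, and the hash variant, the fake export table and the payload bytes are all constructed for the demo. It shows the loader side (resolving an API by hash without its name appearing) and the analyst side (precomputing a hash-to-name table to recover the constants, and a sampling check that flags a predicate whose value never changes).

```python
"""Illustrative reimplementation of two anti-analysis tricks: API hashing
and opaque predicates (constructed example, not code from any real sample)."""

from typing import Callable, Dict, Iterable, List, Optional

# --- 1. API function hashing ------------------------------------------------

def ror13_hash(name: str) -> int:
    """ROR-13/add hash over an ASCII export name.
    Constructed variant: real loaders differ in rotation count, seed,
    case handling and whether the terminating NUL is folded in."""
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # rotate right by 13
        h = (h + byte) & 0xFFFFFFFF
    return h

# Constructed stand-in for a DLL export table: name -> fake address.
FAKE_EXPORTS: Dict[str, int] = {
    "CreateFileW": 0x7FF800001000,
    "VirtualAlloc": 0x7FF800002000,
    "WriteProcessMemory": 0x7FF800003000,
    "CreateRemoteThread": 0x7FF800004000,
}

def resolve_by_hash(exports: Dict[str, int], wanted: int) -> Optional[int]:
    """Loader side: walk the export table, hash each name and compare it
    against the hard-coded constant. The binary only ever holds `wanted`."""
    for name, addr in exports.items():
        if ror13_hash(name) == wanted:
            return addr
    return None

def build_hash_lookup(names: Iterable[str]) -> Dict[int, str]:
    """Analyst side: precompute hash -> name over a candidate list so that
    constants pulled from a sample can be turned back into API names."""
    return {ror13_hash(n): n for n in names}

def annotate_hashes(constants: Iterable[int], lookup: Dict[int, str]) -> List[str]:
    """Map each hard-coded constant to a name, or mark it as unresolved."""
    return [lookup.get(c, f"unknown_{c:08x}") for c in constants]

# --- 2. Opaque predicate -----------------------------------------------------

def opaque_always_true(x: int) -> bool:
    """x*(x+1) is a product of two consecutive integers, hence always even.
    A disassembler sees a genuine conditional branch; one arm is dead."""
    return (x * (x + 1)) % 2 == 0

def decode_payload(blob: bytes, key: int) -> bytes:
    """Toy decoder guarded by the opaque predicate (constructed)."""
    if opaque_always_true(key):
        return bytes(b ^ (key & 0xFF) for b in blob)   # live path
    return blob[::-1]                                    # dead path, never taken

def is_constant_predicate(pred: Callable[[int], bool], samples: Iterable[int]) -> bool:
    """Cheap analyst heuristic: a predicate that never changes value across a
    wide sample set is a candidate opaque predicate worth patching out."""
    return len({pred(s) for s in samples}) == 1

if __name__ == "__main__":
    wanted = ror13_hash("VirtualAlloc")          # the only thing a sample would store
    print(f"constant 0x{wanted:08x} -> {resolve_by_hash(FAKE_EXPORTS, wanted):#x}")
    lookup = build_hash_lookup(FAKE_EXPORTS)
    print(annotate_hashes([wanted, 0xDEADBEEF], lookup))
    print(decode_payload(b"\x01\x02\x03", 0x41))
    print(is_constant_predicate(opaque_always_true, range(-10_000, 10_000)))
```

In practice the analyst-side lookup is built from the export names of the real system DLLs the sample is expected to load, and the sampling heuristic is a triage aid only: a predicate that is constant on a few thousand inputs is a strong hint, not a proof, so the dead arm should be confirmed before it is patched out.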
Most organizations are unprepared for attacks that exploit weak IAM policies. Adversaries target cloud IAM credentials, and harvesting them has become a standard step in their operating procedures.
Researchers have identified a new version of SolarMarker, a malware family known for its infostealing and backdoor capabilities, delivered mainly through search engine optimization (SEO) poisoning that lures users into downloading malicious documents.
An attacker could have exploited these issues to escalate privileges and become a "shadow administrator" with the ability to covertly exfiltrate secrets, deploy malware or cryptominers, and disrupt workloads.