Ransom Extortion Without Ransomware

Diving into the details

• The gang has been breaching organizations to filch sensitive information, threatening victims with making the files publicly available unless a ransom is paid.
• It mainly depends on phishing attacks.
• Over the past three months, Luna Moth conducted a large-scale campaign that tricked victims with false subscription emails for using Duolingo, Zoho, or MasterClass services.

Modus operandi

• Luna Moth utilizes emails that resemble the brands, however, it is an obvious scam since the messages are sent from Gmail accounts.
• The email contains an attached PDF and the target is urged to call a phone number if any issues with the subscription arise.
• The group uses pretty basic tools, such as AnyDesk, Atera, Syncro, and Splashtop.
• These enable the attacker to gain persistence; if one of the RATs is uninstalled from the system, others can reinstall it.
• Other off-the-shelf tools used include Rclone, SoftPerfect Network Scanner, and SharpShares. These tools impersonate legitimate binaries and are stored in compromised machines under fake names.
• Luna Moth doesn’t have a specific target set; instead, it deploys opportunistic attacks where it exfiltrates whatever information available and uses it for extortion.

Another non-ransomware extortion group

• RansomHouse is another threat actor that engages in data extortion without the use of any ransomware. 
• It emerged in March and listed four victims on its Onion site. 
• The attackers have stated that they abuse vulnerabilities to infiltrate a network instead of using any ransomware or building an encryption module.
• AMD became its latest victim, wherein the gang claimed to have stolen 450GB of data. 

The bottom line