Data extortion doesn’t require the use of ransomware. This has once again been proved by a new gang, dubbed Luna Moth or Silent Ransom Group. It has been active since March and primarily focuses on data breach extortion attacks.
Diving into the details
The gang has been breaching organizations to filch sensitive information, threatening victims with making the files publicly available unless a ransom is paid.
It mainly depends on phishing attacks.
Over the past three months, Luna Moth conducted a large-scale campaign that tricked victims with false subscription emails for using Duolingo, Zoho, or MasterClass services.
Luna Moth utilizes emails that resemble the brands, however, it is an obvious scam since the messages are sent from Gmail accounts.
The email contains an attached PDF and the target is urged to call a phone number if any issues with the subscription arise.
The group uses pretty basic tools, such as AnyDesk, Atera, Syncro, and Splashtop.
These enable the attacker to gain persistence; if one of the RATs is uninstalled from the system, others can reinstall it.
Other off-the-shelf tools used include Rclone, SoftPerfect Network Scanner, and SharpShares. These tools impersonate legitimate binaries and are stored in compromised machines under fake names.
Luna Moth doesn’t have a specific target set; instead, it deploys opportunistic attacks where it exfiltrates whatever information available and uses it for extortion.
Another non-ransomware extortion group
RansomHouse is another threat actor that engages in data extortion without the use of any ransomware.
It emerged in March and listed four victims on its Onion site.
The attackers have stated that they abuse vulnerabilities to infiltrate a network instead of using any ransomware or building an encryption module.
AMD became its latest victim, wherein the gang claimed to have stolen 450GB of data.
The bottom line
Cybercriminals have moved to new extortion techniques and sophisticated business structures, they are still hitting on the same cybersecurity gaps. The extortion without ransomware model is gaining traction among threat actors. Selling confidential data without encrypting systems is becoming a lucrative enterprise.