Some Ransomware Gangs No Longer Using Malware: What’s Next?
June 21, 2023
Several ransomware gangs have stopped using malware to encrypt targets’ files and have switched to a data theft/extortion approach to get paid. Among them is 0mega (spelled with a zero), a relative newcomer to the ransomware/extortion business. It was first spotted a year ago when a victim refused to pay and its company data was leaked on a dedicated leak site. The gang used ransomware that added the “.0mega” extension to encrypted files. Obsidian Security’s threat research team believes 0mega is behind a data theft attack on the SharePoint Online assets of an unnamed company. The attackers compromised one of the company’s Microsoft Global admin service accounts that did not have multi-factor authentication enabled, then used it to create a new Microsoft AD user called 0mega and granted it various permissions.
The Obsidian team determined that the attackers were granted site collection administrator capabilities for multiple SharePoint sites and collections, while also removing the existing administrators. The attackers then exfiltrated hundreds of company files and uploaded thousands of text files drawing attention to the data exfiltration and containing instructions on how to get in touch with them to start payment negotiations. Obsidian has since released indicators of compromise to help other organizations prevent potential attacks.
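As an added illustration (not code from this article or from Obsidian Security), the following Python check looks for the takeover sequence described above in audit events: an account newly granted site collection admin that removes the existing admins, then bulk-downloads files and mass-uploads text files. The field and operation names are assumed to loosely follow the Microsoft 365 Unified Audit Log, and the events are constructed samples.

```python
from collections import defaultdict

# Constructed sample events, not real telemetry. Field names (Operation,
# UserId, ObjectId, TargetUser) are assumed to mirror the Unified Audit Log.
SITE = "https://example.sharepoint.com/sites/finance"
SAMPLE_EVENTS = (
    [{"Operation": "SiteCollectionAdminAdded", "UserId": "svc-global@example.com",
      "ObjectId": SITE, "TargetUser": "0mega@example.com"}]
    + [{"Operation": "SiteCollectionAdminRemoved", "UserId": "0mega@example.com",
        "ObjectId": SITE, "TargetUser": u}
       for u in ("alice@example.com", "bob@example.com")]
    + [{"Operation": "FileDownloaded", "UserId": "0mega@example.com",
        "ObjectId": f"{SITE}/Shared Documents/report{i}.xlsx"} for i in range(300)]
    + [{"Operation": "FileUploaded", "UserId": "0mega@example.com",
        "ObjectId": f"{SITE}/Shared Documents/READ-ME-{i}.txt"} for i in range(2000)]
    # Normal user activity that must not be flagged.
    + [{"Operation": "FileDownloaded", "UserId": "alice@example.com",
        "ObjectId": f"{SITE}/Shared Documents/budget.xlsx"}]
)

def count_signals(events):
    """Per actor (UserId), count admin removals of *other* users, file
    downloads and .txt uploads; also collect users newly granted admin."""
    counts = defaultdict(lambda: defaultdict(int))
    granted_admin = set()
    for ev in events:
        actor, op = ev["UserId"], ev["Operation"]
        if op == "SiteCollectionAdminAdded":
            granted_admin.add(ev["TargetUser"])
        elif op == "SiteCollectionAdminRemoved" and ev["TargetUser"] != actor:
            counts[actor]["removed_other_admins"] += 1
        elif op == "FileDownloaded":
            counts[actor]["downloads"] += 1
        elif op == "FileUploaded" and ev["ObjectId"].lower().endswith(".txt"):
            counts[actor]["txt_uploads"] += 1
    return counts, granted_admin

def detect_takeover(events, download_threshold=100, note_threshold=500):
    """Return {actor: [signal descriptions]} for actors that removed existing
    admins and show at least two further signals of the pattern."""
    counts, granted_admin = count_signals(events)
    findings = {}
    for actor, c in counts.items():
        signals = []
        if actor in granted_admin:
            signals.append("newly granted site collection admin")
        if c["removed_other_admins"]:
            signals.append(f"removed {c['removed_other_admins']} existing admins")
        if c["downloads"] >= download_threshold:
            signals.append(f"bulk download of {c['downloads']} files")
        if c["txt_uploads"] >= note_threshold:
            signals.append(f"mass upload of {c['txt_uploads']} .txt files")
        if c["removed_other_admins"] and len(signals) >= 3:
            findings[actor] = signals
    return findings
```

Thresholds are illustrative; tune them to the tenant's normal download and upload volumes before alerting on them.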