The Head Mare group is a hacktivist group that targets individuals and organizations in Russia and Russia-aligned countries, specifically Belarus. They appeared at the end of 2023 via a new Twitter/X account that they used as a data leak site (DLS). There they published screenshots and other images as proof of their breaches, and from those posts we could account for some of their alleged victims, listed below. It wasn't until September 2024 that Securelist (Kaspersky) published research on the group. This was the first known, widely published research on Head Mare.
Some of that research corroborated what was already known: the group first appeared on Twitter and published screenshots of victim machines, mainly attacking Russia. However, most of the research unveiled the group's tactics, techniques, and procedures (TTPs), including the ransomware used in their attacks. Head Mare doesn't have its own ransomware; it leverages already-known encryptors from LockBit and Babuk. According to Kaspersky researchers, the Head Mare operators use LockBit 3.0's encryptor (also known as LockBit Black) for Windows machines and the Babuk ESXi encryptor for hypervisors.
Their encryption methods are unorthodox. Kaspersky's research highlighted a specific encryption event in which the group used two LockBit subvariants sequentially. They first encrypted the targeted files with LockBitLite, which encrypts the file contents but doesn't alter the file names or free space. Then the group encrypted the output with LockBitHard, which encrypts the file contents, encrypts the file name, and wipes free space. There is likely one of two reasons for doing this. The first is a safeguard against decryption: if there was a flaw in one encryption mechanism, the second layer would still hold. However, considering both variants are from the same family, this is unlikely (i.e., if one has a flaw, the other likely does too). The second reason is similar, but the intent from the attacker's point of view is to wipe the machine and make it unrecoverable. Since Head Mare is a hacktivist group, this seems more likely than encryption in depth. The final detail of the encryption event is that, even though they used the leaked builders, the operators didn't tweak them much. Even the LockBit Black ransom notes are unchanged from their leaked versions.
Preceding a ransomware attack, the operators run phishing campaigns with ZIP archives attached. Once a prospective victim attempts to view the archive, embedded malware exploits CVE-2023-38831. This vulnerability allows attackers to execute arbitrary code when the victim views an archive using WinRAR version 6.23 or older. After exploitation, the attackers use PhantomDL and PhantomCore for initial discovery, network enumeration, and command and control (C2) establishment. From there, they can deliver more malware, since persistence has already been established through registry settings set earlier. The C2 framework they use is Sliver, an open-source alternative to Cobalt Strike. Finally, the Head Mare group uses ngrok and rsockstun for network pivoting, and XenAllPasswordPro and Mimikatz for credential harvesting, before deploying ransomware.
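As an added defensive example (not code from the page or from Kaspersky), the following Python heuristic is what a mail gateway or attachment-triage script could run over a ZIP attachment to flag the CVE-2023-38831 decoy layout before a user opens it in an unpatched WinRAR; the archive contents and file names below are constructed for the demonstration and inert.

```python
"""Triage a ZIP attachment for the CVE-2023-38831 decoy layout.
Added example for this profile, not code from the page or Kaspersky. Layout
checked: a decoy whose name ends in a space, a directory of the same name,
and an executable inside it. Samples below are constructed and inert."""
import io
import posixpath
import zipfile

# Extensions the shell would execute if handed the twin-directory member.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".lnk"}


def find_decoy_pairs(zf: zipfile.ZipFile) -> list[tuple[str, str]]:
    """Return sorted (decoy_file, executable_in_twin_dir) pairs."""
    names = [i.filename for i in zf.infolist()]
    files = {n for n in names if not n.endswith("/")}
    dirs = set()  # every directory prefix, whether or not stored explicitly
    for n in names:
        parts = n.split("/")
        dirs.update("/".join(parts[:k]) + "/" for k in range(1, len(parts)))
    hits = []
    for f in files:
        twin = f + "/"  # directory carrying the same trailing-space name
        if not posixpath.basename(f).endswith(" ") or twin not in dirs:
            continue
        for g in files:
            if g.startswith(twin) and posixpath.splitext(g)[1].lower() in EXECUTABLE_EXTS:
                hits.append((f, g))
    return sorted(hits)


def scan_bytes(data: bytes) -> list[tuple[str, str]]:
    """Scan an archive held in memory, e.g. a mail attachment."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_decoy_pairs(zf)


def build_samples() -> dict[str, bytes]:
    """Constructed test archives: one with the decoy layout, one benign."""
    layouts = {
        "suspicious": [("invoice.pdf ", b"%PDF-1.4 decoy placeholder"),
                       ("invoice.pdf /invoice.pdf .cmd", b"rem inert placeholder")],
        "benign": [("invoice.pdf", b"%PDF-1.4 ordinary file"), ("images/logo.png", b"PNG placeholder")],
    }
    out = {}
    for label, members in layouts.items():
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for name, body in members:
                z.writestr(name, body)
        out[label] = buf.getvalue()
    return out
```

Calling `scan_bytes(build_samples()["suspicious"])` returns the single decoy/executable pair, while the benign archive returns an empty list; any non-empty result is a reason to quarantine the attachment.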
Known Victims (11)
Industry Sector | Country | Extortion Date | Amount (USD) |
---|---|---|---|
Defense | Russia | | |
Oil & Gas | Russia | | |
Information Technology | Russia | | |
Electronics | Russia | | |
Defense | Russia | | |
Defense | Russia | | |
Telecommunications | Russia | | |
Information Technology | Russia | | |
Distribution & Logistics | Russia | | |
Professional Services | Russia | | |
Construction & Architecture | Russia | | |