Ransomware Tracker (Entry #229): Hakuna Matata 1.7

Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/bagli

Bagli is commonly called Bagli Wiper because it doesn't actually encrypt files; it overrides the file's bytes with the Random() function (.NET). Therefore, it's technically not ransomware; it's pseudo-ransomware as a wiper. Although a ransom note—oxu.txt—is dropped that demands a ransom of $350 in Bitcoin, there is no possible way to recover files. The ransom note is in Azerbaijani, and the wiper's creator, ryukRans, spoke primarily Russian on XSS.is (a hacking forum). Therefore, we denoted the user as Azerbaijani with low-to-moderate confidence.

All in all, Bagli isn't a sophisticated or unique wiper. It's most known for being the foundation and beginning ancestry of another popular ransomware builder, Chaos. Due to the builder's open-source nature, Chaos has hundreds of variants. Thankfully, later versions of Chaos have decryptors for most of its creations. The only exceptions are versions 1.0 and 2.0, which are built upon the wiper aspect of Bagli.

Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/mike-tyson

Mike Tyson ransomware, dubbed "Tyson" for short, is a variant of the Chaos ransomware family and obviously refers to the boxer Mike Tyson. Derivatives of Chaos are created using the Chaos Ransomware builders, of which there are six primary versions (including Yashma, traditionally referred to as version 6). This variant is believed to be from Chaos 5.0, specifically Chaos 5.2. The determination for this is that it can change the desktop wallpaper, which is applicable for only version 4.0 and beyond, and it encrypts files larger than 2 MB external of the C drive; only applicable to versions 5.0 and on. It is not Yashma because the ransom note mimicked the Chaos 5.2 boilerplate text almost verbatim, besides the ransom amount and crypto wallet, and the Yashma note is significantly different in terms of how it's worded. We believe it's specifically version 5.2 because this is the only ransomware builder easily found on GitHub at the time of the creation of this variant - September 2024. For these reasons, we believe Mike Tyson is a one-off Chaos 5.2 derivative likely created for the "lulz." Since we already know the technical details of Chaos 5.2, we copied them below. We've also included the ransom note names, images, and encrypted file names below.

Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/azzasec

AzzaSec (AzzaSecurity) is both the name of the ransomware and of an Italian hacktivist group. That is based on research from Threatmon, which wrote an extensive report on this ransomware and its members. The other two members are Turkish (WalterBishop_AzzaSec) and Brazilian (DmitryRansom). However, the leader—madoneputain/Friendied—is Italian. The group was first observed in late February 2024 and disbanded in August of the same year. During this time, they created ransomware with the same name as their group, but one of the samples we analyzed also went by AnonCry. Hence, the Alias of AnonCry. This name is interesting because it is seemingly meaningless, but after we analyzed other ransomware with similar characteristics, we discovered that the group likely had earlier testing ransomware iterations called BlackSkull, GhosHacker, and Anonymous, all of which are based on the NoCry ransomware builder. The primary piece of evidence of this is from the Anonymous variant that contained a debug string directly linked to NoCry. The Anonymous variant also contained AzzaSec strings. Seeing as these are all identical and there are string references, and because these were all created within the timeframe of the group's existence, we have moderately high confidence these all are related to AzzaSec. Also, the name AnonCry (Anonymous+NoCry) is another piece of evidence. Based on this evidence, we believe the public research indicating AzzaSec is based on HiddenTear to be incorrect.

The AzzaSec group worked on a RaaS model that allowed users to purchase the encryptor as a flat fee or subscription service. This comes from a post on CrackingX by a member of AzzaSec. However, they didn't indicate if there was some revenue split or if they simply sold the ransomware encryptor. It's likely the latter. As for the ransomware encryptor, it appended both .AzzaSec and .AzzaSec_Encryptor based on the sample (all but one used .AzzaSec) and encrypted files with AES combined with SHA-512. Similar to the other ransomware mentioned in this description, the extortion amounts were all less than $100, and the maximum amount in the samples we found was $600, a far cry from other major ransomware groups. However, this isn't a surprise, considering the group's motives were hacktivism. They also were aligned with pro-Russian groups such as APT44 and Noname057(16), which commonly use DDoS attacks.