#1 Trending Cyber Security News & Magazine
Thursday, May 25, 2023
The Cyber Express

New Obsidian ORB Ransomware Emerges with Unique Extortion Technique

The threat actors associated with Obsidian ORB ransomware demand payment through gift cards, including popular platforms like Roblox, Paysafe, Payday, Steam, and others

by Chandu Gopalakrishnan
May 25, 2023
in Firewall Daily

Researchers have spotted a new and distinct ransomware strain, dubbed “Obsidian ORB ransomware”. Further analysis revealed a strong connection between Obsidian ORB and the source code of the notorious Chaos ransomware.

According to the researchers at the Cyble Research and Intelligence Labs (CRIL), Obsidian ORB is a file-encrypting ransomware at its core: it locks victims’ files using the Windows CryptoAPI (the “Microsoft Enhanced RSA and AES Cryptographic Provider”).

What sets the Obsidian ORB ransomware group apart is its unconventional approach to extorting payments from victims.

“Unlike traditional ransomware actors who typically request cryptocurrency payments, the TAs associated with Obsidian ORB have adopted an alternative method,” said the CRIL report.

“They now demand payment through gift cards, including popular platforms such as Roblox, Paysafe, Payday, Steam, etc.”

This change in strategy highlights the adaptability of ransomware attackers, constantly exploring new avenues for extortion purposes.

Obsidian ORB ransomware: Technical Analysis

CRIL researchers analyzed a 32-bit .NET PE binary with the following SHA-256 hash: 290072a9e1cf3872487cf586a592be534abc894d20ffd1121fe8338f1b52b451.

“Upon execution, the ransomware first checks for the presence of any existing instances of itself. If another instance is found, the ransomware terminates its execution,” said the report.

“After ensuring that no previous instance of the ransomware exists, Obsidian creates a copy of itself in the %appdata% directory with the file name “svchost.exe” and executes the newly created process.”

[Image: file details of the analysed sample. Image courtesy: CRIL]

It also drops a shortcut (.lnk) file into the Windows Startup folder, so the copy is launched again every time the user logs on.

The ransomware enumerates the available drives and encrypts files on each of them, excluding the root of the “C:” drive; a fixed list of specific directories is targeted as well.

Files smaller than 2 MB are encrypted through the Windows CryptoAPI (“Microsoft Enhanced RSA and AES Cryptographic Provider”). Files larger than 2 MB are not encrypted at all: they are overwritten with random data, which makes them permanently unrecoverable. No decryptor and no ransom payment can bring those files back, so for large files a clean backup is the only recovery path.

After encryption, a ransom note titled “read_it.txt” is generated in each directory, serving as a communication channel between the TA and the victim.

To impede recovery, the ransomware executes commands via cmd.exe, deleting backups and disabling recovery mode on the infected system.

Obsidian ORB ransomware includes a mechanism to propagate to other drives within the system, spreading its payload by copying itself onto target drives.

“It systematically goes through the available drives and verifies if the current drive is not the “C:” drive and if a file named “surprise.exe” is not already present on the newly identified drive,” said the report.

“If both conditions are satisfied, the ransomware proceeds to copy itself onto the target drive using the File.Copy() method, allowing it to spread its malicious payload to other drives, expanding its reach across the system.”

Finally, the ransomware modifies the desktop background image on the compromised system, indicating its presence.
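The execution flow above (self-copy to %APPDATA%\svchost.exe, Startup shortcut, spread as surprise.exe to other drives, read_it.txt notes, recovery tampering via cmd.exe, 2 MB size threshold) translates directly into host triage logic. The following is an added example written for this article, not CRIL’s tooling: it runs offline over constructed sample paths and process-creation events in the shape an EDR export might take. The specific cmd.exe command strings are an assumption, since the article only says that backups are deleted and recovery disabled; the svchost.exe-outside-System32 check generalises beyond the article as a standard masquerading detection.

```python
"""Added example: offline host triage for the Obsidian ORB behaviour
described above (not CRIL's code). Inputs are constructed samples in the
shape an EDR export might take; adapt the parsing to your own telemetry."""
import hashlib
from pathlib import PureWindowsPath

# Sample hash from the CRIL analysis quoted above.
OBSIDIAN_ORB_SHA256 = "290072a9e1cf3872487cf586a592be534abc894d20ffd1121fe8338f1b52b451"

TWO_MB = 2 * 1024 * 1024      # size threshold reported in the analysis
RANSOM_NOTE = "read_it.txt"   # note dropped in every encrypted directory
DROPPED_COPY = "svchost.exe"  # self-copy written under %APPDATA%
SPREAD_COPY = "surprise.exe"  # self-copy written to the root of other drives
STARTUP_SUBDIR = PureWindowsPath("Microsoft/Windows/Start Menu/Programs/Startup")

# ASSUMPTION: the article says the sample "deletes backups and disables
# recovery mode" via cmd.exe but does not list the commands. These are the
# usual Chaos-family commands; confirm them against the real sample before
# shipping them as detection content.
RECOVERY_TAMPERING = (
    "vssadmin delete shadows",
    "wmic shadowcopy delete",
    "bcdedit /set {default} recoveryenabled no",
    "bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "wbadmin delete catalog",
)


def is_known_sample(data: bytes) -> bool:
    """True if the bytes hash to the analysed sample."""
    return hashlib.sha256(data).hexdigest() == OBSIDIAN_ORB_SHA256


def classify_file(size_bytes: int) -> str:
    """Under 2 MB the file was encrypted with CryptoAPI and is recoverable in
    principle with the key; at or above it the file was overwritten with
    random data and cannot be recovered even if the ransom is paid."""
    return "encrypted" if size_bytes < TWO_MB else "overwritten"


def scan_paths(paths, appdata):
    """Match file paths against the drop, persistence, spread and ransom-note
    locations. `appdata` is the triaged user's %APPDATA% folder."""
    appdata = PureWindowsPath(appdata)
    startup = appdata / STARTUP_SUBDIR
    findings = []
    for raw in paths:
        p = PureWindowsPath(raw)
        name = p.name.lower()
        if name == DROPPED_COPY and p.parent == appdata:
            findings.append(("dropped_copy", raw))
        elif p.suffix.lower() == ".lnk" and p.parent == startup:
            findings.append(("startup_shortcut", raw))
        elif (name == SPREAD_COPY and p.drive.upper() != "C:"
              and p.parent == PureWindowsPath(p.anchor)):
            findings.append(("spread_copy", raw))   # C: is skipped by the spreader
        elif name == RANSOM_NOTE:
            findings.append(("ransom_note", raw))
    return findings


def scan_process_events(events):
    """Flag recovery tampering via cmd.exe and the self-copy masquerading as
    svchost.exe outside the Windows system directories (a generic check that
    goes beyond the article: a real svchost.exe lives only there)."""
    findings = []
    for ev in events:
        image = PureWindowsPath(ev["image"])
        cmd = ev["command_line"].lower()
        if image.name.lower() == "cmd.exe" and any(t in cmd for t in RECOVERY_TAMPERING):
            findings.append(("recovery_tampering", ev["command_line"]))
        elif (image.name.lower() == "svchost.exe"
              and image.parent.name.lower() not in ("system32", "syswow64")):
            findings.append(("masquerading_svchost", ev["image"]))
    return findings


# Constructed sample telemetry for one victim user (not real case data).
APPDATA = r"C:\Users\alice\AppData\Roaming"
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\svchost.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk",
    r"D:\surprise.exe",
    r"C:\surprise.exe",                  # not flagged: the spreader skips C:
    r"D:\Projects\read_it.txt",
    r"C:\Windows\System32\svchost.exe",  # legitimate binary, not flagged
]
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"},
    {"image": r"C:\Users\alice\AppData\Roaming\svchost.exe", "command_line": "svchost.exe"},
    {"image": r"C:\Windows\System32\svchost.exe", "command_line": "svchost.exe -k netsvcs"},
]


def run_demo():
    """Run both scans over the constructed telemetry."""
    return scan_paths(SAMPLE_PATHS, APPDATA), scan_process_events(SAMPLE_EVENTS)


if __name__ == "__main__":
    path_hits, proc_hits = run_demo()
    for finding in path_hits + proc_hits:
        print(*finding)
```

The path matcher deliberately requires surprise.exe at a drive root on a non-C: drive and svchost.exe directly under %APPDATA%, mirroring the conditions the report describes, so a stray file with the same name elsewhere does not produce a false positive. The size classifier is the part an incident responder needs first: anything reported as “overwritten” should be restored from backup without waiting on a decryptor.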

Obsidian ORB ransomware and the Chaos connection

Cyble has previously observed that threat actors find it convenient to build new ransomware families on pre-existing ransomware code rather than writing their own.

Obsidian ORB joins a growing list of variants derived from the Chaos ransomware source code. Earlier examples include BlackSnake and Onyx, which share its encryption routine and behaviour.

“Onyx and Yashma ransomware families were already linked to the Chaos ransomware family, and the BlackSnake ransomware is another family now associated with the strain,” said the Cyble report.

“The Threat Actor has tweaked the Chaos ransomware source code and added a clipper module directly into the file, which is different from the usual approach of having a separate file for the clipper.”

Separately, in September 2022 a Go-based, multi-platform malware also named “Chaos” made the news. It bears no resemblance to the .NET Chaos ransomware from which Obsidian ORB descends.

That name comes from a threat assessment by Black Lotus Labs, the threat intelligence division of Lumen Technologies: while analysing an IP address used as a staging server for the malware’s supplementary modules, the researchers found an anomalous self-signed certificate whose organization name was “Chaos”.

The emergence of Obsidian ORB ransomware highlights the ever-evolving nature of cyber threats. The use of gift cards as a form of payment underscores the need for continued vigilance and updated security measures to mitigate such attacks.

Tags: Obsidian ORB ransomware
Chandu Gopalakrishnan

Executive Editor, The Cyber Express

© 2022 The Cyber Express (Cyber Security News and Magazine) | By Cyble Inc.