Cybersecurity researchers have unveiled a complex web of interconnected ransomware strains that trace their origins back to a common source: the Adhubllka ransomware family.
The study, conducted by cybersecurity analysts at Netenrich, delves into the lineage of various ransomware variants, including LOLKEK, BIT, OBZ, U2K and TZW. The researchers observed that these seemingly distinct ransomware strains share significant similarities in their codebase, tactics and infrastructure.
By tracing the evolution of these strains, the researchers were able to establish a genealogical relationship that ties them back to the original Adhubllka ransomware, which first surfaced in January 2020.
Netenrich emphasized that the Adhubllka ransomware family has undergone multiple iterations, each with slight modifications to encryption schemes, ransom notes and communication methods.
This practice is a common strategy among cyber-criminals to evade detection. Researchers also noted that reusing code and tactics can lead to misclassifications, making it crucial for investigators to consider multiple parameters beyond code similarities.
One key aspect of the study was the analysis of ransom notes and communication channels used by the ransomware operators. The researchers discovered a progression from v2 Tor Onion URLs to v3 Tor URLs, as well as shifts in communication methods. Despite the evolving tactics, the researchers identified consistent patterns that link all the variants back to the Adhubllka family.
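The attribution method the article describes, linking variants by the contact channels in their ransom notes rather than by code, can be illustrated with a small script. The example below is added here and is not code from Netenrich or from the research post: it extracts .onion hostnames and e-mail addresses from note text, tells v2 (16 base32 characters) from v3 (56 base32 characters) Tor addresses, and then clusters notes that share any channel, transitively, so a note that shares only an e-mail with one variant and only an onion address with another still lands in the same family. The ransom-note texts, variant names, onion hostnames and e-mail addresses are all constructed placeholders, not indicators from the research.

```python
import re
from collections import defaultdict

# .onion hostnames use the base32 alphabet (a-z, 2-7); v2 names are 16 characters,
# v3 names are 56. Word boundaries keep us from matching inside a longer run.
ONION_RE = re.compile(r"\b([a-z2-7]{16}|[a-z2-7]{56})\.onion\b", re.IGNORECASE)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

# Constructed sample hostnames (placeholders, NOT real indicators from the research).
V2_ONION = "adhub2exampl3abc.onion"
V3_ONION_A = "abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion"
V3_ONION_B = "zyxwvutsrqponmlkjihgfedcba765432zyxwvutsrqponmlkjihgfedc.onion"

# Constructed ransom-note fragments standing in for notes from successive variants.
SAMPLE_NOTES = {
    "variant_A_2020": "All your files are encrypted. Contact us at http://" + V2_ONION
                      + " or write to recovery@example.com",
    "variant_B_2022": "Your network is locked. Visit http://" + V3_ONION_A
                      + "/ or write to recovery@example.com",
    "variant_C_2023": "Pay within 72 hours. Portal: http://" + V3_ONION_A
                      + " Backup contact: support@example.net",
    "unrelated":      "Decryptor available at http://" + V3_ONION_B
                      + " Mail help@example.org",
}


def onion_version(host):
    """Classify a .onion hostname as v2, v3 or unknown by the length of its label."""
    name = host.lower()
    if name.endswith(".onion"):
        name = name[: -len(".onion")]
    if len(name) == 16:
        return "v2"
    if len(name) == 56:
        return "v3"
    return "unknown"


def extract_channels(note_text):
    """Return the contact channels in a note as (kind, onion_version, value) tuples."""
    channels = set()
    for m in ONION_RE.finditer(note_text):
        host = m.group(0).lower()
        channels.add(("onion", onion_version(host), host))
    for m in EMAIL_RE.finditer(note_text):
        channels.add(("email", None, m.group(0).lower()))
    return channels


def link_notes(notes):
    """Cluster notes that share at least one contact channel, transitively.

    Uses union-find keyed by channel value: the first note seen with a channel
    becomes the representative, and every later note using it is merged into
    that note's cluster. Returns a sorted list of sorted note-name lists.
    """
    parent = {name: name for name in notes}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    first_user = {}  # channel value -> first note that used it
    for name, text in notes.items():
        for _, _, value in extract_channels(text):
            if value in first_user:
                union(name, first_user[value])
            else:
                first_user[value] = name

    clusters = defaultdict(set)
    for name in notes:
        clusters[find(name)].add(name)
    return sorted(sorted(c) for c in clusters.values())


if __name__ == "__main__":
    for name, text in SAMPLE_NOTES.items():
        print(name, sorted(extract_channels(text)))
    print(link_notes(SAMPLE_NOTES))
```

On the constructed sample, the three "variant" notes form one cluster (A and B share an e-mail, B and C share a v3 onion address) while the unrelated note stays alone, which is exactly the reasoning the article attributes to the researchers: the onion address changes from v2 to v3 over time, but some channel is always carried forward. In practice the same channel map would be enriched with the other parameters the article mentions, since a channel shared by coincidence, or a single e-mail reused by an affiliate of two families, would otherwise produce the misclassification the researchers warn about.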
“By setting up an endpoint security solution, we can thwart the attacks to some extent. However, when ransomware is newly formed/coded, it can only be thwarted by basic security education like not to click on malicious links delivered via email,” explained Rakesh Krishnan, senior threat analyst at Netenrich and author of the research post.
“The important protections, however, come from preventing threat actors from getting ransomware into an environment in the first place, which means looking for behavior anomalies, privilege escalation and the introduction of suspicious removable media into an environment.”
Krishnan concluded by saying that while the Adhubllka ransomware family may undergo rebranding and new monikers may emerge, the distinct communication patterns utilized by the threat actors will remain a consistent thread.
“As long as the threat actor does not change their mode of communication, we will be able to trace all such cases back to the Adhubllka family.”