Midas Ransomware

Introduction: Midas ransomware, operating as a Ransomware-as-a-Service (RaaS), emerged in October 2021. It is an evolution of the Haron RaaS and targets corporate networks, engaging in multi-extortion by demanding payment for decryption tools and the non-release of stolen data. Midas ransomware payloads are based on the Thanos builder.

Targets: Midas ransomware targets a broad spectrum of industries, including healthcare, finance, education, retail, government, and manufacturing.

Propagation: Midas ransomware can be deployed through various methods, including Cobalt Strike or similar frameworks and email phishing.

Technical Details:

  • Evolution and Builder:
    • Midas is a direct evolution of Haron ransomware, both based on the Thanos ransomware builder.
  • Programming Language:
    • Midas ransomware payloads are written in C# with heavy obfuscation.
  • Lateral Movement and Obstruction:
    • Midas is capable of lateral movement to adjacent hosts and attempts to terminate processes and services hindering the encryption process.
    • It terminates processes related to well-known security tools and components of Raccine.
    • Midas can locate process name strings and terminate associated processes to hinder analysis.
  • File Encryption:
    • Encrypted files receive the “.axxes” extension, and ransom notes (“re_ad_me.html”) are deposited in all folders containing encrypted items.
  • Persistence and Exfiltration:
    • Midas actors use commercial tools like TeamViewer and AnyDesk for persistence and data exfiltration.
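The file-system indicators above (encrypted files carrying the ".axxes" extension and a "re_ad_me.html" ransom note dropped in each affected folder) are concrete enough to hunt for directly. The script below is an added example, not part of the original page or any vendor tooling: it walks a directory tree, reports every folder showing either indicator, and builds a small constructed sample tree so it runs offline. The indicator values come from the page; the folder names in the sample are made up for the demo.

```python
"""Hunt for Midas ransomware file-system artifacts.

Added example (not from the original page). Indicator values are taken from
the page: encrypted files get the ".axxes" extension and a "re_ad_me.html"
ransom note is deposited in every folder containing encrypted items.
"""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".axxes"        # extension appended to encrypted files (from the page)
RANSOM_NOTE = "re_ad_me.html"   # ransom note file name (from the page)


def scan_for_midas_artifacts(root):
    """Walk `root` and return {relative_folder: {"encrypted": n, "note": bool}}
    for every folder that contains at least one indicator.

    Matching is case-insensitive so Windows-style name variations are caught.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = [f for f in files if f.lower().endswith(ENCRYPTED_EXT)]
        has_note = any(f.lower() == RANSOM_NOTE for f in files)
        if encrypted or has_note:
            rel = os.path.relpath(dirpath, root)
            findings[rel] = {"encrypted": len(encrypted), "note": has_note}
    return findings


def classify(findings):
    """Map each hit folder to a triage label.

    Assumption (not stated on the page): a folder with encrypted files but no
    note may indicate encryption still in progress, so it is flagged separately.
    """
    labels = {}
    for folder, info in findings.items():
        if info["encrypted"] and info["note"]:
            labels[folder] = "encrypted_with_note"
        elif info["encrypted"]:
            labels[folder] = "encrypted_no_note_yet"
        else:
            labels[folder] = "note_only"
    return labels


def build_sample_tree(base):
    """Constructed sample data: two impacted folders and one clean folder."""
    base = Path(base)
    (base / "finance").mkdir()
    (base / "finance" / "q3_report.xlsx.axxes").write_text("ciphertext placeholder")
    (base / "finance" / "budget.docx.axxes").write_text("ciphertext placeholder")
    (base / "finance" / RANSOM_NOTE).write_text("<html>ransom note placeholder</html>")
    (base / "hr").mkdir()
    (base / "hr" / "payroll.pdf.AXXES").write_text("ciphertext placeholder")
    (base / "clean").mkdir()
    (base / "clean" / "notes.txt").write_text("untouched file")
    return base


def demo():
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return scan_for_midas_artifacts(root)


if __name__ == "__main__":
    # Point scan_for_midas_artifacts() at a real share or volume during triage;
    # the demo run below uses only the constructed sample tree.
    results = demo()
    for folder, label in classify(results).items():
        print(f"{folder}: {label} ({results[folder]['encrypted']} encrypted file(s))")
```

Run it against a file server or user share to scope which folders were touched; the per-folder counts help prioritise restoration from backup, and a folder with encrypted files but no note yet is worth isolating first.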

Detection Strategies: EDR can identify and stop any malicious activities and items related to Midas ransomware.

For those without EDR, here are ways to identify Midas ransomware in your network:

  1. Security Tools:
    • Utilize anti-malware software or security tools capable of detecting and blocking known ransomware variants.
  2. Network Traffic Monitoring:
    • Monitor network traffic for indicators of compromise, such as unusual patterns or communication with known command-and-control servers.
  3. Security Audits:
    • Conduct regular security audits to identify vulnerabilities and ensure all security controls are functioning correctly.
  4. Education & Training:
    • Educate and train employees on cybersecurity best practices to recognize and report suspicious emails and threats.
  5. Backup & Recovery Planning:
    • Implement a robust backup and recovery plan to restore data in the event of an attack.

Mitigation Measures: For EDR customers, the EDR can return systems to their original state using either the Repair or Rollback feature.

For those without EDR, consider the following mitigation steps:

  1. Employee Education:
    • Educate employees on ransomware risks and train them to identify and avoid phishing emails and malicious attachments.
  2. Strong Passwords:
    • Implement strong, unique passwords for all user accounts, regularly updating and rotating them.
  3. Multi-Factor Authentication (MFA):
    • Enable MFA for user accounts to add an extra layer of security.
  4. System Updates and Patching:
    • Regularly update and patch systems to fix vulnerabilities and prevent exploitation.
  5. Backup and Disaster Recovery (BDR):
    • Establish and regularly test backup and disaster recovery processes to ensure quick data restoration.

Proactive security measures, employee awareness, and a comprehensive backup strategy are crucial to mitigating the risk of Midas ransomware attacks.

Copyright © 2024 RASOC all rights reserved