New Threat Actors: D4RK 4RMY & Yurie

Two new groups have recently appeared on the cyber threat landscape. Although both are financially motivated, they employ significantly different methods of attack. Here is a detailed analysis of their operations, targets, and tactics.


D4RK 4RMY: Description and Modus Operandi

D4RK 4RMY is a newly emerged group that focuses exclusively on data extortion. Unlike traditional ransomware operators who encrypt victim systems, D4RK 4RMY’s operations are centered entirely on data exfiltration.

Their method is as follows:

  1. The group gains unauthorized access to a target’s network.
  2. They then exfiltrate significant volumes of sensitive business information.
  3. Following the theft, they threaten to publish the stolen data unless a ransom is paid.

There is currently no evidence to suggest that D4RK 4RMY uses any encryption software (ransomware). Their tactics are limited to non-encrypting extortion, a strategy increasingly observed among modern cybercriminal syndicates.

To apply pressure, the group maintains a dedicated leak site on the dark web via a .onion domain. This platform is used to list and shame its victims as part of its coercion tactics. As of the latest available information, the site features eight victims, including two universities in the United States, a Taiwan-based information technology firm, and two metals and mining companies located in South Africa and Thailand, respectively.


Yurie: Description

Yurie is a newly identified ransomware group, named after Yūrei, a spirit in Japanese folklore. Despite the cultural reference suggesting a Japanese origin, cybersecurity researchers assess that the group is more likely based in Morocco, where the earliest ransomware samples were traced.

The group employs a double extortion model:

  1. Encryption: The victim’s files are encrypted using ransomware.
  2. Data Exfiltration: Sensitive data is stolen before encryption. The group then threatens to publish this data on their dedicated .onion leak site if the ransom is not fulfilled.

At present, Yurie’s leak site lists three confirmed victims across the industrial, food supply, and retail sectors, located in India, Sri Lanka, and Nigeria. The emergence of Yurie highlights how readily threat actors can weaponize publicly available ransomware source code with minimal modifications. This significantly lowers the barrier to entry, enabling relatively low-skilled actors to establish themselves in the ransomware ecosystem without substantial technical expertise or resource investment.

Yurie: Modus Operandi (Technical Details)

Yurie ransomware operates using a codebase largely derived from the open-source “Prince” ransomware project, available on GitHub. The code is written in the Go programming language, which offers benefits such as cross-platform compatibility and certain detection challenges for antivirus vendors.

Encryption Process:

  • Upon execution, the malware enumerates all available drives and initiates parallel encryption processes.
  • The .Yurei extension is appended to each encrypted file.
  • The encryption algorithm used is ChaCha20. A unique key and nonce are generated per file.
  • This key and nonce are then encrypted using ECIES with the attacker’s public key.
  • The malware also monitors for newly attached network drives and adds them to its encryption queue.

Key Weakness:

A notable shortcoming that underscores its relative lack of sophistication is that the ransomware does not delete Volume Shadow Copies. This omission leaves victims with potential recovery options through Windows’ built-in snapshot functionality.
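The following PowerShell script, added here as an example and not taken from the original report or from the Yurie/Prince code, shows how a responder can check whether shadow copies of the affected volume survived and copy a pre-encryption version of a file out of the newest usable snapshot. All file paths are placeholders; it assumes an elevated session on the affected host and that the data lives on the C: volume.

```powershell
# Added example, not code from the original report or from the Yurie/Prince project.
# Run from an elevated PowerShell session on the affected host; all paths are placeholders.
$encryptedFile = 'C:\Data\report.docx.Yurei'   # an affected file (placeholder path)
$originalRel   = 'Data\report.docx'            # the same file, relative to the volume root
$restoreDir    = 'D:\Recovered'                # clean destination; never restore in place
$mountPoint    = 'C:\ShadowMount'              # temporary link to the snapshot

# The snapshot must predate the encryption: use the encrypted file's write time as the cutoff.
$cutoff = (Get-Item -LiteralPath $encryptedFile).LastWriteTime

# Resolve the C: volume to its \\?\Volume{GUID}\ identifier, which Win32_ShadowCopy uses.
$volumeId = (Get-CimInstance Win32_Volume -Filter "DriveLetter = 'C:'").DeviceID

# List surviving snapshots of that volume, newest first. An empty list means the
# weakness described above gives this victim no recovery path.
$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId -and $_.InstallDate -lt $cutoff } |
    Sort-Object InstallDate -Descending

if (-not $shadows) {
    Write-Warning 'No shadow copies of C: predate the encryption; fall back to offline backups.'
    return
}

$shadows | ForEach-Object { '{0}  {1}' -f $_.InstallDate, $_.DeviceObject }

# Expose the newest pre-encryption snapshot as a directory. mklink needs the trailing backslash.
$newest = @($shadows)[0]
cmd.exe /c mklink /d $mountPoint "$($newest.DeviceObject)\" | Out-Null
try {
    New-Item -ItemType Directory -Path $restoreDir -Force | Out-Null
    Copy-Item -LiteralPath (Join-Path $mountPoint $originalRel) -Destination $restoreDir
    # Record a hash of the recovered copy for the incident log before it is handed back.
    Get-FileHash -LiteralPath (Join-Path $restoreDir (Split-Path $originalRel -Leaf))
} finally {
    # Remove only the link, never the snapshot contents behind it.
    cmd.exe /c rmdir $mountPoint | Out-Null
}
```

Recovered files should be compared against known-good copies or checked by their owners before being returned to production, since a snapshot captures the volume at one point in time and may not hold the latest version of every file.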