Quick Takeaways
- Microsoft disrupted Vanilla Tempest’s Rhysida ransomware campaign by revoking over 200 certificates the group had used to sign its malware, so the signed files no longer pass as trusted software and are easier to detect and block.
- Vanilla Tempest, also known as Vice Spider or Vice Society, has targeted the education and healthcare sectors since 2021, deploying a succession of file encryptors.
- The group signed fake Microsoft Teams setup files that installed a backdoor named Oyster, which was then used to deploy Rhysida ransomware.
- The disruption is not permanent: the group is expected to obtain new certificates and adjust its tactics, so the risk is ongoing.
Underlying Problem
Microsoft announced on Wednesday that it had disrupted a campaign by the cybercriminal group Vanilla Tempest, also known as Vice Spider or Vice Society, that aimed to deploy the Rhysida ransomware payload. The group has historically targeted sectors such as education and healthcare, using a variety of ransomware families including BlackCat and Zeppelin, but has recently shifted to relying predominantly on Rhysida. Microsoft’s intervention consisted of revoking over 200 digital certificates the group had used to sign its malicious files. A valid code signature lets malware pass checks that unsigned binaries would fail, which is why a revocation of this scale matters: it strips that trusted appearance from every file signed with those certificates.

The delivery chain worked as follows. The group hosted fake Microsoft Teams setup files on deceptive domains such as ‘teams-download.buzz’ and ‘teams-install.run’ to trick victims into installing malware. When a victim executed one of these files, a backdoor called Oyster was installed, which the attackers then used to deploy Rhysida ransomware. The installers carried signatures issued through trusted signing services such as DigiCert and GlobalSign, which is what allowed them to evade detection. Microsoft’s takedown hampers the threat for now, but the group is likely to adapt by obtaining new certificates and changing tactics, underscoring the ongoing cat-and-mouse game between defenders and cybercriminals.
Potential Risks
Vanilla Tempest, also known as Vice Society, is a ransomware group that has deployed Rhysida since 2023 after losing its own leak site. It has predominantly targeted the healthcare and education sectors, signed its malware with over 200 certificates to evade detection, and relied on tactics such as SEO poisoning and counterfeit Microsoft Teams installers to infect victims. Those installers dropped the Oyster backdoor, which in turn staged the ransomware, and because the files were signed with certificates issued by trusted authorities such as DigiCert and GlobalSign, signature-based trust checks did not flag them. Microsoft’s revocation of these certificates hampers the group’s ability to spread signed malware, but the effect is likely temporary: threat actors of this kind acquire new certificates and refine their delivery methods. The incident illustrates a broader challenge for defenders, namely resourceful groups that leverage legitimate tools and trusted signatures to conduct disruptive and damaging attacks across critical sectors.
Possible Actions
When a vendor or CA revokes code-signing certificates that were abused in a campaign, as Microsoft did here with over 200 certificates, the revocation is actionable intelligence: it tells defenders which signatures to hunt for in past telemetry and which to block going forward.
Immediate Response:
Identify hosts that executed binaries signed with the revoked certificates, that ran a Teams installer from an unusual location, or that resolved the lookalike Teams domains, and isolate them from the network before the backdoor can be used to stage ransomware.
Patch and Update:
Keep operating systems, endpoint security tools and signature feeds current so that revocation information and updated detections for Oyster and Rhysida reach endpoints promptly.
Certificate Management:
Obtain the revoked certificate details (thumbprints, serial numbers, issuing CAs) from the vendor notice, add them to endpoint and application-control blocklists, and make sure revocation checking is enabled rather than silently skipped. Organizations that sign their own software should treat this as a reminder to protect their signing keys and audit what has been signed with them.
Enhanced Monitoring:
Watch for newly signed binaries from recently issued or unfamiliar publisher certificates, for Teams-named executables that are not signed by Microsoft, for installers launched from Downloads or temporary directories, and for DNS or proxy requests to Teams-themed domains outside Microsoft’s own.
User Communication:
Tell users that Teams and other Microsoft software should be installed only from official Microsoft sources or through managed software deployment, and that search results or ads pointing to third-party download sites are a known delivery vector.
Security Protocols:
Enforce multi-factor authentication and least-privilege access so that a single compromised workstation does not give the attacker the foothold needed for lateral movement and domain-wide encryption.
Collaborate and Report:
Coordinate with cybersecurity organizations and law enforcement to share indicators and receive guidance on the ongoing threat.
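The following script is an added example, not Microsoft’s tooling or anything published by the group or the certificate authorities named above. It shows how the delivery chain described in the Underlying Problem section and the hunting steps in the Possible Actions list translate into concrete detection logic: it re-checks a batch of Sysmon-style process and DNS events against a revocation list, flags Teams-named binaries not signed by Microsoft, and flags lookups of Teams-branded domains outside Microsoft’s own. The two domains are the ones named in the article; every event, path, signer name, thumbprint and the allowlist of legitimate domains is constructed for illustration.

```python
"""Triage constructed endpoint telemetry for the fake Teams -> Oyster -> Rhysida
delivery chain. Added example; not Microsoft's, DigiCert's or GlobalSign's code.
All events, paths, signer names and thumbprints below are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed stand-ins for thumbprints of the revoked code-signing certificates.
# In practice these come from the CA's CRL or the vendor's revocation notice.
REVOKED_SIGNER_THUMBPRINTS = {
    "3f9c0a7e5d2b8c1a4e6f0d9b7a5c3e1f2d4b6a80",
    "b7e1d4c9a2f6058e3c7d1b9a4f2e6c0d8b5a3f19",
}

# Subject the genuine Teams installer is expected to carry (assumption for this example).
MICROSOFT_SIGNER = "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"

# Registrable domains Microsoft legitimately serves Teams from (assumed allowlist).
LEGIT_TEAMS_DOMAINS = {"microsoft.com", "office.com", "live.com", "skype.com"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); sufficient for this example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def is_teams_lookalike(host: str) -> bool:
    """True for hosts that borrow the 'teams' brand outside Microsoft's domains."""
    return "teams" in host.lower() and registrable_domain(host) not in LEGIT_TEAMS_DOMAINS


@dataclass(frozen=True)
class Finding:
    event_id: int
    host: str
    rule: str
    detail: str


def triage(events):
    """Apply three rules to Sysmon-style events (constructed schema)."""
    findings = []
    for ev in events:
        if ev["type"] == "dns_query":
            if is_teams_lookalike(ev["query"]):
                findings.append(Finding(ev["id"], ev["host"], "teams_lookalike_domain", ev["query"]))
            continue
        if ev["type"] != "process_create":
            continue
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        thumb = ev.get("signer_thumbprint", "").lower()
        signer = ev.get("signer_subject", "<unsigned>")
        # Rule 1: re-check historical events against the revocation list. The
        # logged signature_status was 'Valid' at the time; revocation came later.
        if thumb in REVOKED_SIGNER_THUMBPRINTS:
            findings.append(Finding(ev["id"], ev["host"], "revoked_signer",
                                    f"{name} signed by revoked cert {thumb[:8]}"))
        # Rule 2: a Teams-named binary not signed by Microsoft is not Teams.
        if "teams" in name and signer != MICROSOFT_SIGNER:
            findings.append(Finding(ev["id"], ev["host"], "teams_name_wrong_signer",
                                    f"{name} signed by {signer}"))
    return findings


def prioritize(findings):
    """Hosts where more than one rule fired go first in the isolation queue."""
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f.host].add(f.rule)
    return sorted(rules_by_host, key=lambda h: (-len(rules_by_host[h]), h))


# Constructed sample telemetry: two workstations in the delivery chain, one clean.
SAMPLE_EVENTS = [
    {"id": 1, "type": "dns_query", "host": "WS-014", "query": "teams.microsoft.com"},
    {"id": 2, "type": "dns_query", "host": "WS-014", "query": "teams-download.buzz"},
    {"id": 3, "type": "process_create", "host": "WS-014",
     "image": r"C:\Users\jdoe\Downloads\MSTeamsSetup.exe", "signature_status": "Valid",
     "signer_subject": "CN=Example Contoso Tech LLC, O=Example Contoso Tech LLC, C=US",
     "signer_thumbprint": "3f9c0a7e5d2b8c1a4e6f0d9b7a5c3e1f2d4b6a80"},
    {"id": 4, "type": "process_create", "host": "WS-030",
     "image": r"C:\Users\asmith\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "signature_status": "Valid", "signer_subject": MICROSOFT_SIGNER,
     "signer_thumbprint": "0000000000000000000000000000000000000000"},
    {"id": 5, "type": "dns_query", "host": "WS-022", "query": "teams-install.run"},
    {"id": 6, "type": "process_create", "host": "WS-022",
     "image": r"C:\ProgramData\Updater\update.exe", "signature_status": "Valid",
     "signer_subject": "CN=Example Contoso Tech LLC, O=Example Contoso Tech LLC, C=US",
     "signer_thumbprint": "b7e1d4c9a2f6058e3c7d1b9a4f2e6c0d8b5a3f19"},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"event {f.event_id} {f.host} {f.rule}: {f.detail}")
    print("isolate first:", prioritize(found))
```

Event 6 is the reason Rule 1 exists: the binary has no Teams branding and its signature was valid when logged, so nothing flagged it at the time; only re-running the revocation list over stored telemetry surfaces it. In a real deployment the thumbprints would be loaded from the CA’s CRL or the vendor bulletin and the event schema mapped from your EDR or Sysmon fields.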
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.