Designated as both high-impact and high-risk by researchers, a ransomware-as-a-service (RaaS) offering named “Monster” was first seen in March 2022. Researchers identified it largely because of its similarities to Zeppelin RaaS, which is also written in the Delphi programming language. Zeppelin was notable for attacking tech and healthcare companies in Europe and the U.S. As Rohner notes, “The Zeppelin variant was visibly distinct. Its binaries are designed to quit running on machines that are based in Russia and some other ex-USSR countries. This is similar to Monster, which also quits if it finds out the host machine is located in one of the twelve Commonwealth of Independent States.”
As researchers dug deeper, they noticed the developers of Monster seemed to have included indicators of compromise (IoCs) in the malware’s makeup that pointed the finger at other threat groups. This might be a tactic to slow attribution by research organizations and law enforcement. The use of other threat groups’ IoCs was also seen in Monti ransomware, and researchers are watching to see if this is a new trend in malware developer behavior.
Monster is yet another sign that organizations should anticipate further adoption of the RaaS business model among threat actors. According to Preciado, the allure of this model, when coupled with an initial access broker (IAB), is that it effectively eliminates the most challenging parts of orchestrating a cyberattack: writing the code and gaining initial access to victims’ machines.
Preciado explains another concern around Monster: “We are seeing a growing trend in uncommon programming languages being used in malware. Delphi is one of them. We’ve seen some in Rust and Go as well.” BlackBerry research indicates two main reasons threat actors use exotic languages:
To learn more about the use of lesser-known programming languages in malware, download the free report: Old Dogs, New Tricks: Attackers Adopt Exotic Programming Languages.
The BlackBerry Incident Response team can work with organizations of any size and across any vertical, to evaluate and enhance their endpoint security posture and proactively maintain the security, integrity, and resilience of their network infrastructure. For emergency assistance, please email us at DLIR@blackberry.com, or use our handraiser form.
David Steinberg-Zwirek is an Editorial Intern at BlackBerry.
© 2022 BlackBerry Limited. All rights reserved.