Amidst the ongoing Russo-Ukrainian war, hackers from Italy have decided to join forces with an infamous cyber attacker group in Russia. Azzasec is an Italian hacktivist group who has been involved in anti-Israel campaigns and has teamed up with the infamous pro-Russian hacktivists Noname057(16). Azzasec has a large network of partner groups, whereas Noname05716 is selective in their allies. The alliance between these two nefarious groups signifies a potential increase in the scale and sophistication of cyberattacks on Ukraine and its allies.

Understanding the AzzaSec Ransomware

On June 26, 2024, NoName formally announced on its social media channels about the alliance. “Today we have formed an alliance with the Italian hacker group AzzaSec, which is one of the TOP 3 coolest hack teams in Italy! We are always open to cooperation with various trance around the world!” the post read. [caption id="attachment_79189" align="alignnone" width="837"] Source: X[/caption] AzzaSec is an infamous actor that infects computers and encrypts files. It later demands a ransom for its decryption. Once a computer is infected, AzzaSec assigns the '.AzzaSec' extension to the filenames. It alters files such as '1.png' to '1.png.AzzaSec' and '2.pdf' to '2.pdf.AzzaSec.' Additionally, it changes the desktop wallpaper and provides a ransom note via a pop-up window like the screenshot below. [caption id="attachment_79190" align="alignnone" width="1828"] Source: X[/caption] The group demands ransom through Bitcoin. AzzaSec’s sophisticated encryption techniques and the secrecy of cryptocurrency transactions make it increasingly difficult for authorities to crackdown and defuse the cybercriminals. AzzaSec recently announced the release of a Windows ransomware builder. The group claimed that their ransomware could bypass major antivirus solutions such as Windows 10 / 11 Defender, Avast, Kaspersky, and AVG. AzzaSec’s emergence into the ransomware scene signals a reminder for organizations and individuals alike to upgrade their cybersecurity measures and remain vigilant against online threats.

Inglorious Past of NoName

NoName057(16) , on the other hand,  first emerged in March 2022 and is known for its cyber-attacks on Ukrainian, American, and European government agencies, media, and private companies. The group is considered one of the biggest unorganised and free pro-Russian activist group. Renowned for its widespread cyber operations, NoName057(16) has garnered notoriety for developing and distributing custom malware, notably the DDoS attack tool, the successor to the Bobik DDoS botnet. [caption id="attachment_79192" align="alignnone" width="1280"] Source: X[/caption] According to a report by Google-owned Mandiant, NoName057(16), along with other Russian state hackers, pose the biggest cyber threat to elections in regions with Russian interest. “Mandiant is tracking multiple self-proclaimed hacktivist groups primarily conducting DDoS attacks and leaking compromised data in support of Russian interests. These groups claim to have targeted organizations spanning the government, financial services, telecommunications, transportation, and energy sectors in Europe, North America, and Asia; however, target selection and messaging suggests that the activity is primarily focused on the conflict in Ukraine. Relevant groups include KillNet, Anonymous Sudan, NoName057(16), JokerDNR/DPR, Beregini, FRwL_Team (aka "From Russia with Love"), and Moldova Leaks,” Google stated in its threat intelligence report in April. The alliance between AzzaSec and NoName057(16) raises serious concerns about the evolving cyber threat landscape. With a combined skillset for ransomware deployment and large-scale attacks, these groups pose a significant risk to organizations and governments aligned with Ukraine. As the Russo-Ukrainian war rages on, the digital front is likely to see further escalation in cyberattacks.  It is crucial for targeted nations and organizations to bolster their cybersecurity defenses, implement robust incident response plans, and collaborate on international efforts to counter these cyber threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Hacktivist group AzzaSec has announced the release of a Windows ransomware builder. The builder was posted via the Telegram channel on June 23, 2024. Designed in .NET, this malicious software features sophisticated functionality including SHA 512 and AES encryption, ensuring its undetectable (FUD) status with minimal risk of detection, as verified by its single hit on KleenScan. AzzaSec claims their ransomware can bypass major antivirus solutions such as Windows 10 / 11 Defender, Avast, Kaspersky, and AVG. In addition to its encryption prowess, the builder includes anti-virtual machine, anti-debugging, and anti-sandbox capabilities, as demonstrated in a revealing demo video shared alongside the announcement. This video showcases how decryption keys and victim information are stored securely on a centralized Command and Control (C2) server.

AzzaSec Announces New Windows Ransomware Builder

[caption id="attachment_78968" align="alignnone" width="373"] Source: Dark Web[/caption] Pricing for AzzaSec's ransomware varies, from $300 for a single-use stub to a subscription model costing up to $4500 for six months. The source code for this Windows ransomware builder is also available for purchase at a steep $8000. The development of AzzaSec's ransomware marks a new advancement in cyber threats, highlighting the evolution of ransomware-as-a-service (RaaS). This model not only empowers threat actors with turnkey tools but also commodifies cyber extortion, potentially increasing the frequency and impact of ransomware attacks globally. The group's announcement highlights a growing trend where malicious actors leverage sophisticated technologies and monetization strategies to maximize their impact on unsuspecting victims. As cybersecurity defenses evolve, so do the tactics of those seeking illicit gains through digital means.

Features and Functionality of the Windows Ransomware Builder

In their Telegram post, AzzaSec described their ransomware's capabilities in detail. Developed with VB.NET and weighing 10MB, the ransomware utilizes a unique algorithm for encryption. It operates with a fully undetectable structure, boasting a detection rate of only 1 out of 40 on KleenScan. Tested against various security solutions including Windows Defender, Avast, Kaspersky, and AVG, AzzaSec ensures its malware's effectiveness in compromising systems. The ransomware functions by connecting to a C2 server, where decryption keys and device information are stored. This approach allows the threat actors to monitor and control the ransomware's impact remotely. Furthermore, the ransomware includes anti-virtual machine, anti-debugging, and anti-sandbox features, making it resilient against common security countermeasures. AzzaSec also outlined its pricing strategy: $300 for a single-use stub, escalating to $4500 for a six-month subscription. For those seeking full control, the source code is available for $8000, enabling other threat actors to customize and deploy the ransomware independently. AzzaSec's emergence into the ransomware scene signals a reminder for organizations and individuals alike to upgrade their cybersecurity measures and remain vigilant against online threats. As ransomware-as-a-service models become more accessible, preemptive cybersecurity measures and incident response plans are essential defenses against these ever-present dangers.