Acronis Blog
Acronis Cyber Protection Center
Acronis Security Team

Latest stories from Acronis Security Team

December 09, 2022 — 9 min read
Acronis
KmsdBot: DDoS and cryptomining combined
On November 10, 2022, the Akamai Security Intelligence Response Team published an article describing the newly spotted KmsdBot, which had infected their honeypot. Gaming company FiveM, which provides software for GTA V for hosting custom private servers (and happens to be Akamai’s client), became the first victim. During their investigation, researchers found many samples that were built for different architectures.
November 28, 2022 — 9 min read
Acronis
AXLocker ransomware doesn’t change files’ extensions
AXLocker is a ransomware that was found by malware researcher ‘S!ri,’ who posted it on Twitter. Later, it was discovered that AXLocker does not only encrypt files but also steals victims’ Discord credentials and uploads them to its own Discord server. Specifically, the AXLocker ransomware steals tokens stored on a local computer when the user logs in to Discord. It’s not packed or obfuscated.
November 25, 2022 — 8 min read
Acronis
Killnet ransomware — a wiper from the Chaos family
Killnet is a Russian hacker group, previously known for providing DDoS services. At the end of October 2022, the security channel PCrisk discovered the first sample of Killnet ransomware. The group, via a Telegram channel, also announced a ransomware attack on an Italian chemical factory.
September 22, 2022 — 9 min read
Acronis
RapperBot: A new threat for IoT devices
On June 22, 2022, CNCERT IoT Threat Research Team and NSFOCUS FuYingLab monitored a new botnet that was attacking IoT devices. Naming the threat ‘RapperBot,’ researchers found more than 5,000 compromised hosts, but no attack commands were spotted. In analyzing samples, cybersecurity analysts found similarities with Mirai Bot, whose source code has been leaked.
August 25, 2022 — 9 min read
Acronis
SideWinder uses weaponized Word documents to compromise victims’ machines
The SideWinder APT group was first discovered in 2018, and since earlier this year has been actively targeting military, defense and other industries in South Asia. They used to spread phishing emails with Word files that downloaded additional files to decode, drop and start the malware, which collects and uploads victims’ data to remote servers. They've since infected Android devices with malicious apps in Google Play.
August 16, 2022 — 11 min read
Acronis
Hydrox: A new wiper attacks
Hydrox was first spotted by Twitter user Petrovich on July 29, 2022. On August 3, EnigmaSoft described this threat as a harmful malware that actually wipes users' data. This conclusion was made from a “ransom note” which didn’t actually contain any credentials or links for paying the ransom.
July 26, 2022 — 8 min read
Acronis
Symbiote: A new stealthy malware for Linux
Symbiote is a new Linux malware that steals users’ data and provides a backdoor to threat actors. It was discovered in June 2022 and is characterized as a very stealthy malware. It uses a lot of evasion techniques, such as hooking functions, capturing TCP traffic and hiding its own files. It collects users' data and exfiltrates it to DNS servers.
July 22, 2022 — 12 min read
Acronis
CloudMensis: a new macOS threat
In April 2022, ESET researchers found a previously unknown backdoor on macOS. It was named CloudMensis because it uses different public cloud storage services for C2 communication. CloudMensis looks for different types of documents, captures keyboard input, searches local emails and can take screen captures.
June 28, 2022 — 7 min read
Acronis
Important details about BlackCat: The new version of the ALPHV ransomware-as-a-service
On March 16, 2022, security specialists identified a new version of BlackCat ransomware (so named because the software displays a black cat on the victim’s payment site). These experts also noted that some previous YARA rules no longer match, which will make it difficult to find malicious files.
May 06, 2022 — 9 min read
Acronis
Details about ZingoStealer: The new, free malware-as-a-service variant
On March 18, 2022, a public Telegram group published a post detailing the release of a new version of malware, a Windows data stealer called ZingoStealer. The group created a chat bot to field information requests, deliver more information, and even enable downloads of ZingoStealer. Later, the developer announced that cryptomining functionality was added to the stealer in order to maximize profits from its operations.
April 22, 2022 — 14 min read
Acronis
HermeticWiper and HermeticRansom delivered via Active Directory GPO
On February 23, 2022, a new data wiper and ransomware were deployed on a large number of devices in Ukraine, as ESET Research reported on Twitter. Just before this, a couple of Ukrainian government sites and services were subjected to DDoS attacks. Cybersecurity specialists discovered that the malware was deployed via Microsoft Active Directory GPO. In addition to the disk wiper and ransomware, a worm component was deploy
March 16, 2022 — 9 min read
Acronis
WhisperGate malware targets Ukrainian government sites
Multiple government sites in Ukraine were shut down on January 13, 2022, the result of a large-scale cyberattack by the WhisperGate malware. Microsoft Intelligence named this activity "DEV-0586" and identified it as destructive malware that used to be ransomware. Its main purpose is to disrupt the system and damage files beyond the possibility of their recovery.
November 30, 2021 — 9 min read
Acronis
VenomRAT: A remote access tool with dangerous consequences
The first messages about VenomRAT started to appear in June 2020. By analyzing the code, analysts concluded that this new threat is a modified fork of Quasar RAT. The malware itself was introduced on malware-oriented forums, in posts advertising it as an effective tool to remotely access computers for $150 per month.
© 2003–2023 Acronis International GmbH. All rights reserved.