Now Iran's state-backed hackers are turning to ransomware

Iranian ransomware attacks are being launched in waves every six to eight weeks on average.
Written by Liam Tung, Contributing Writer

Microsoft has detailed the activities of six Iranian hacker groups that are behind waves of ransomware attacks that have arrived every six to eight weeks since September 2020. 

Russia is often seen as the home of the biggest cyber-criminal ransomware threats, but state-sponsored attackers from North Korea and Iran have also shown a growing interest in ransomware. 

Microsoft said Iranian hacking groups are using ransomware to either collect funds or disrupt their targets, and are "patient and persistent" while engaging with their targets – although they will use aggressive brute-force attacks.

SEE: A winning strategy for cybersecurity (ZDNet special report)

The most consistent of the six Iranian threat groups is one Microsoft tracks as Phosphorus (others call it APT35). Microsoft has been playing cat and mouse with the group for the past two years. While initially known for cyber espionage, Microsoft details the group's strategies for deploying ransomware on targeted networks, often using Microsoft's Windows disk-encryption tool BitLocker to encrypt victim files. 

Other cybersecurity firms last year detected a rise in ransomware from Iranian state-backed hackers using known Microsoft Exchange vulnerabilities to install persistent web shells on email servers and Thanos ransomware.    

According to Microsoft, Phosphorus was also targeting unpatched on-premise Exchange servers and Fortinet's FortiOS SSL VPN in order to deploy ransomware.

In the second half of 2021, the group started scanning for the four Exchange flaws known as ProxyShell that were initially exploited as zero days by Beijing-backed hackers.

Microsoft released patches for CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in April. ProxyLogon was one of several exploits that made up ProxyShell. 

An account by security specialist DFIR Report notes Phosphorus used BitLocker on servers and DiskCryptor on PCs. Their activity stood out because it didn't rely on ransomware-as-a-service offerings that are popular among cyber criminals and didn't create custom encryptors. 

"After compromising the initial server (through vulnerable VPN or Exchange Server), the actors moved laterally to a different system on the victim network to gain access to higher value resources," the Microsoft Threat Intelligence Center (MSTIC) notes in a blogpost

"From there, they deployed a script to encrypt the drives on multiple systems. Victims were instructed to reach out to a specific Telegram page to pay for the decryption key."

The group also tries to steal credentials by sending "interview requests" to targeted individuals through emails that contain tracking links to confirm whether the user has opened the file. Once a response is received from the target user, the attackers send a link to a list of interview questions and then a link to a fake Google Meeting, which would steal login details.

SEE: Ransomware: It's a 'golden era' for cyber criminals - and it could get worse before it gets better

Other groups mentioned in Microsoft's report included an emerging Iranian hacking group that recently targeted Israel and US organizations in the Persian Gulf with password-spraying attacks

Microsoft highlights that the adoption of ransomware aided the Iranian hackers' efforts in espionage, disruption and destruction, and to support physical operations. Their arsenal of attacks included ransomware, disk wipers, mobile malware, phishing, password-spray attacks, mass exploitation of vulnerabilities, and supply chain attacks.        

Editorial standards