The Good

A two-year FBI investigation into LockBit ransomware has led to charges this week against a dual Russian-Canadian citizen for allegedly conducting ransomware attacks on U.S. and other organizations around the world.

Mikhail Vasiliev, 33, was arrested in Ontario, Canada on Wednesday on charges of conspiring to damage protected computers and transmitting ransom demands in connection with doing so. He is now awaiting extradition to the U.S.

Documents filed in the case state that since the LockBit RaaS (ransomware-as-a-service) first appeared in 2020, it has been used in over 1000 attacks and garnered its operators tens of millions of dollars in confirmed ransom payments. However, Deputy AG Lisa Monaco had a message for those involved: “Let this be yet another warning to ransomware actors…we will use every available tool to disrupt, deter and punish cyber criminals.”

It’s also not the first time Canadian police and the FBI have cooperated to arrest individuals believed to be involved in ransomware: Back in 2021, Canadian national Sébastien Vachon-Desjardins was arrested in Canada and subsequently sentenced to 20 years in a U.S. prison for his role in Netwalker ransomware attacks.

The Bad

Despite wins like those above, it’s clear that the profits from ransomware and data extortion as well as the ease of conducting such attacks continue to incentivise threat actors. This week, the Health Sector Cybersecurity Coordination Center (HC3) warned that Venus ransomware is targeting U.S. healthcare entities via publicly exposed Remote Desktop Services.

HC3 says that Venus ransomware is targeting Windows devices that companies have failed to protect with a firewall or other defenses, allowing attackers to gain initial access via the Remote Desktop Service. Typically, threat actors discover vulnerable services through internet search services such as Shodan or purchase access from Initial Access Brokers.

Reports suggest that Venus ransomware is likely being operated by several independent cybercrime groups. HC3 says that the malware has been observed reaching out to IP addresses in a wide variety of countries, including Denmark, France, Great Britain, Ireland, Japan, the Netherlands, Russia and the United States.

At present, there are no data leak sites associated with Venus intrusions, and the operators appear to be relying solely on file locking to extort money from victims. Ransom demands are said to start at around $20,000. Victims are reminded that paying a ransom by no means ensures either that encrypted data will be unlocked or that the organization will not suffer further harm.

The Ugly

In cybersecurity, trust is always a weak point that attackers will seek to abuse, and this week’s Most Odious award goes to the threat actors behind the latest attempts to infect users of open source projects hosted on PyPI and GitHub.

Researchers this week spotted a malicious package on PyPI called “ApiColor” that reached out to a remote URL to download and execute code hidden in a .png file. The ApiColor package installed a steganography module and retrieved and executed a further second-stage malware payload.

The threat actors had set up multiple accounts on GitHub with code repositories that included the malicious PyPI package in their dependencies, hoping to infect developers or organizations that used the open source GitHub repositories. The PyPI package has since been taken down, but malware linked to some of the fake users accounts remains on GitHub at the time of writing.

Supply chain attacks on PyPI and Rust’s crate.io are not unknown, and seeding malicious code via GitHub repositories to infect developers and ultimately downstream users has also been seen before (e.g., in XCSSET malware). Steganography is also a common tactic for hiding malware.

However, what makes this attack of particular concern is precisely that the vectors and TTPs are neither novel nor sophisticated, and yet the attackers invested a considerable amount of time and effort setting up an elaborate infrastructure in the knowledge that trust in external code dependencies is still a blind spot for many organizations. The warning shots have been fired, and security teams need to be sure that they are on top of the supply chain risk across their software stack.