Introducing Wing, New Ransomware-as-a-Service

Key Findings

• On January 28, 2024, positive-reputation English-speaking actor “blackhunt” announced a new Ransomware-as-a-Service (RaaS) operation known as Wing on the predominantly Russian-speaking dark web forum RAMP; it is the first RaaS launched on the forum in 2024.
• Wing is touted as a state-of-the art ransomware tool with multiple features designed to facilitate effective deployment and defense evasion.
• At the time of writing, ZeroFox has observed no instances of active deployment of the Wing ransomware strain, although victims are likely to emerge in the coming weeks.
• However, the announcement of the RaaS operation in English only is indicative of the trend observed in Q4 2023 whereby English-speaking actors are willing to enter the ransomware scene, which has been traditionally dominated by Russian-speaking operatives.

Details

On January 28, 2024, positive-reputation English-speaking actor “blackhunt” announced a new RaaS operation known as Wing on the predominantly Russian-speaking dark web forum RAMP. This is the first RaaS operation launched on RAMP in 2024, following seven such operations launched in 2023. (Several additional operations were announced in 2023 implicitly under the call for affiliates or pentesters.)

Wing is touted as a state-of-the art ransomware tool with multiple features designed to facilitate effective deployment and defense evasion, including:

• Three modes of encryption (and a changing encryption algorithm for each file)
• Multithreading
• Lateral propagation
• Persistence mechanisms
• Destruction of backups
• A “private” anti-recovery implementation

The post also states that affiliates can customize their copy and their ransom note and can refer other affiliates to receive 10 percent of the profits of their successful extortions.

Post announcing the launch of the Wing RaaS operation
Source: ZeroFox Intelligence

At the time of writing, ZeroFox has observed no instances of active deployment of the Wing ransomware strain, although victims are likely to emerge in coming weeks. The post indicates that 2024 will see continued diversification across the ransomware and digital extortion (R&DE) threat landscape with new operations emerging frequently, continuing the trend seen in 2023.

However, the announcement of the RaaS operation in English only—suggesting the threat actor is unable to speak Russian—indicates a continuation of the trend observed in Q4 2023 suggesting that English-speaking actors are willing to enter the ransomware scene, which has traditionally been dominated by Russian-speaking operatives.

Recommendations

• Implement secure password policies with phishing-resistant multi-factor authentication, complex passwords, and unique credentials.
• Configure ongoing monitoring for Compromised Account Credentials.
• Proactively monitor for compromised accounts being brokered in deep and dark web forums.
• Leverage cyber threat intelligence to inform the detection of R&DE threats; their associated tactics, techniques, and procedures (TTPs); and Indicators of Compromise (IOCs).
• Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site, or cloud servers at least once per year—and ideally more frequently.
• Adopt a Zero-Trust cybersecurity posture based upon a principle of least privilege.
• Implement network segmentation to separate resources.
• Develop a comprehensive incident response strategy.
• Configure email servers to block emails with malicious indicators, and deploy authentication protocols to prevent spoofed emails.
• Deploy a holistic patch management system, and ensure all business IT assets are updated with the latest software as quickly as possible.
• Should your organization be impacted by a data breach, utilize ZeroFox Incident Response Services to swiftly deploy IDX data breach products and services to mitigate the impact to you and your customers.