Introducing Wing, New Ransomware-as-a-Service
Key Findings
- On January 28, 2024, positive-reputation English-speaking actor “blackhunt” announced a new Ransomware-as-a-Service (RaaS) operation known as Wing on the predominantly Russian-speaking dark web forum RAMP; it is the first RaaS launched on the forum in 2024.
- Wing is touted as a state-of-the-art ransomware tool with multiple features designed to facilitate effective deployment and defense evasion.
- At the time of writing, ZeroFox has observed no instances of active deployment of the Wing ransomware strain, although victims are likely to emerge in the coming weeks.
- However, the announcement of the RaaS operation in English only is indicative of the trend observed in Q4 2023 whereby English-speaking actors are willing to enter the ransomware scene, which has been traditionally dominated by Russian-speaking operatives.
Details
On January 28, 2024, positive-reputation English-speaking actor “blackhunt” announced a new RaaS operation known as Wing on the predominantly Russian-speaking dark web forum RAMP. This is the first RaaS operation launched on RAMP in 2024, following seven such operations launched in 2023. (Several additional operations were announced in 2023 implicitly under the call for affiliates or pentesters.)
Wing is touted as a state-of-the-art ransomware tool with multiple features designed to facilitate effective deployment and defense evasion, including:
- Three modes of encryption (and a changing encryption algorithm for each file)
- Multithreading
- Lateral propagation
- Persistence mechanisms
- Destruction of backups
- A “private” anti-recovery implementation
The post also states that affiliates can customize their copy and their ransom note and can refer other affiliates to receive 10 percent of the profits of their successful extortions.
Figure: Post announcing the launch of the Wing RaaS operation (Source: ZeroFox Intelligence)
At the time of writing, ZeroFox has observed no instances of active deployment of the Wing ransomware strain, although victims are likely to emerge in the coming weeks. The post indicates that 2024 will see continued diversification across the ransomware and digital extortion (R&DE) threat landscape with new operations emerging frequently, continuing the trend seen in 2023.
However, the announcement of the RaaS operation in English only—suggesting the threat actor is unable to speak Russian—indicates a continuation of the trend observed in Q4 2023 whereby English-speaking actors are willing to enter the ransomware scene, which has traditionally been dominated by Russian-speaking operatives.
Recommendations
- Implement secure password policies with phishing-resistant multi-factor authentication, complex passwords, and unique credentials.
- Configure ongoing monitoring for Compromised Account Credentials.
- Proactively monitor for compromised accounts being brokered in deep and dark web forums.
- Leverage cyber threat intelligence to inform the detection of R&DE threats; their associated tactics, techniques, and procedures (TTPs); and Indicators of Compromise (IOCs).
- Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site, or cloud servers at least once per year—and ideally more frequently.
- Adopt a Zero-Trust cybersecurity posture based upon a principle of least privilege.
- Implement network segmentation to separate resources.
- Develop a comprehensive incident response strategy.
- Configure email servers to block emails with malicious indicators, and deploy authentication protocols to prevent spoofed emails.
- Deploy a holistic patch management system, and ensure all business IT assets are updated with the latest software as quickly as possible.
- Should your organization be impacted by a data breach, utilize ZeroFox Incident Response Services to swiftly deploy IDX data breach products and services to mitigate the impact to you and your customers.
Dan Curtis
Senior Intelligence Analyst
Dan has over 10 years of experience in delivering intelligence analysis, threat intelligence, and security management solutions to customers and stakeholders across the public and private sectors. Having worked in a diverse span of high-tempo environments, Dan is well-versed in producing and delivering the timely intelligence needed to understand the tactical and strategic threats faced by organizations and individuals.