Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz, Editor-in-Chief, Help Net Security
June 7, 2023

0mega ransomware gang changes tactics

A number of ransomware gangs have stopped using malware to encrypt targets’ files and have switched to a data theft/extortion approach to get paid; 0mega – a low-profile and seemingly not very active threat actor – seems to be among them.

About the 0mega ransomware operation

0mega (spelled with a zero) is a relative newcomer to the ransomware/extortion business.

Evidence of its activities was first spotted roughly a year ago, when one victim – a UK-based electronics repair and refurbishment company – apparently refused to pay and the gang leaked the company's data on its dedicated leak site.

The gang used ransomware that added the “.0mega” extension to encrypted files, but a sample of the malware hasn’t been found.

Since then, stolen data of two additional victims has been leaked.

Of course, the fact that the leak site only lists a few victims does not mean there haven’t been many others. One victim organization’s data was leaked and then removed, according to Lawrence Abrams.

SaaS account compromise + data theft = extortion

Obsidian Security's threat research team was called in to help tease out the details of an attack that resulted in data theft from an unnamed company's SharePoint Online assets, and they believe the threat actor behind the attack is 0mega.

The attackers first compromised one of the company's Microsoft 365 Global Administrator service accounts that did not have multi-factor authentication enabled, then used it to create a new Azure AD user called 0mega and assigned it several privileged directory roles (Global Administrator, SharePoint Administrator, Exchange Administrator, Teams Administrator).

“The compromised service account granted the 0mega account site collection administrator capabilities to multiple SharePoint sites and collections, while also removing existing administrators. Over 200 admin removal operations occurred within a 2-hour period,” the team shared.

[Figure: 0mega removes existing admins (Source: Obsidian Security)]

The attackers then exfiltrated hundreds of company files and uploaded thousands of text files to draw attention to the data exfiltration. Those files – named PREVENT-LEAKAGE.txt – contained instructions on how to get in touch with the threat actor to start payment negotiations (via a chat room on a Tor site).

According to information shared by Obsidian with Help Net Security, the attackers threaten that if payment (in bitcoin) isn’t made, they will post details publicly.
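The sequence above (a throwaway account created and immediately placed in privileged roles, a burst of site collection admin removals, and thousands of identically named ransom notes uploaded across sites) is visible in Microsoft 365 audit data long before any leak site post. The following detection sketch is an added example, not code from Obsidian Security or from this article. It runs three checks over a constructed set of Unified Audit Log-style records; the operation names ("Add user.", "Add member to role.", "SiteCollectionAdminRemoved", "FileUploaded") and the ModifiedProperties/SourceFileName fields follow the audit log schema as the author understands it and should be checked against your own exports. The thresholds, tenant name, account names and timestamps are assumptions.

```python
"""Hunting rules for the 0mega-style SaaS admin takeover.
Added example; sample records below are constructed, not real log data."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Azure AD roles that give tenant-wide control (assumed watchlist).
PRIVILEGED_ROLES = {
    "Global Administrator", "SharePoint Administrator",
    "Exchange Administrator", "Teams Administrator",
}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def new_user_given_privileged_role(records, window=timedelta(hours=24)):
    """Accounts created and then placed in a privileged role within `window`.
    Returns {target_upn: [role, ...]}; an empty dict means no hit."""
    created = {}
    for r in sorted(records, key=lambda r: r["CreationTime"]):
        if r["Operation"] == "Add user.":
            created[r["ObjectId"]] = _ts(r["CreationTime"])
    hits = defaultdict(list)
    for r in records:
        if r["Operation"] != "Add member to role.":
            continue
        role = next((p["NewValue"] for p in r.get("ModifiedProperties", [])
                     if p["Name"] == "Role.DisplayName"), None)
        target = r["ObjectId"]
        if (role in PRIVILEGED_ROLES and target in created
                and _ts(r["CreationTime"]) - created[target] <= window):
            hits[target].append(role)
    return dict(hits)

def admin_removal_burst(records, threshold=20, window=timedelta(hours=2)):
    """(actor, count) for every actor who removed >= `threshold` site
    collection admins inside some sliding interval of length `window`."""
    per_actor = defaultdict(list)
    for r in records:
        if r["Operation"] == "SiteCollectionAdminRemoved":
            per_actor[r["UserId"]].append(_ts(r["CreationTime"]))
    bursts = []
    for actor, times in per_actor.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts.append((actor, best))
    return bursts

def mass_upload_same_name(records, threshold=50):
    """{(actor, filename): count} when one actor uploads the same file name
    at least `threshold` times (ransom notes sprayed across many sites)."""
    c = Counter((r["UserId"], r.get("SourceFileName"))
                for r in records if r["Operation"] == "FileUploaded")
    return {k: v for k, v in c.items() if v >= threshold}

def sample_records():
    """Constructed timeline mirroring the attack narrative (assumed names)."""
    base = datetime(2023, 5, 10, 1, 0, 0)
    fmt = lambda d: d.strftime("%Y-%m-%dT%H:%M:%S")
    svc, attacker = "svc-backup@contoso.example", "0mega@contoso.example"
    recs = [{"CreationTime": fmt(base), "Operation": "Add user.",
             "UserId": svc, "ObjectId": attacker}]
    for i, role in enumerate(sorted(PRIVILEGED_ROLES)):
        recs.append({"CreationTime": fmt(base + timedelta(minutes=2 + i)),
                     "Operation": "Add member to role.", "UserId": svc,
                     "ObjectId": attacker,
                     "ModifiedProperties": [{"Name": "Role.DisplayName",
                                             "NewValue": role}]})
    for i in range(220):   # 220 removals spread over 110 minutes
        recs.append({"CreationTime": fmt(base + timedelta(minutes=10, seconds=30 * i)),
                     "Operation": "SiteCollectionAdminRemoved", "UserId": svc,
                     "ObjectId": f"https://contoso.example/sites/site{i % 40}"})
    for i in range(300):   # ransom note sprayed into 40 sites
        recs.append({"CreationTime": fmt(base + timedelta(hours=3, seconds=i)),
                     "Operation": "FileUploaded", "UserId": attacker,
                     "SourceFileName": "PREVENT-LEAKAGE.txt",
                     "ObjectId": f"https://contoso.example/sites/site{i % 40}/Shared Documents/PREVENT-LEAKAGE.txt"})
    return recs

if __name__ == "__main__":
    recs = sample_records()
    print("new privileged users:", new_user_given_privileged_role(recs))
    print("admin removal bursts:", admin_removal_burst(recs))
    print("mass uploads:", mass_upload_same_name(recs))
```

The first rule would have fired within minutes of the 0mega account being created, before any admin was removed; the second catches the removal spree regardless of which account performs it, and the third needs no knowledge of the ransom note's name. All three run equally well over records pulled with Search-UnifiedAuditLog or exported from a SIEM, as long as the field names match.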

A different approach

“This approach is different from what has been observed in the wild, where some companies had their SharePoint 365 instances ransomed when attackers encrypted files on a compromised user’s machine or a mapped drive and then synchronized them to Sharepoint,” the team pointed out.

They told Help Net Security that their post-compromise investigation happened in “the late first half of 2023.”

They don't know how the credentials for the hijacked service account were compromised, or whether the company ultimately paid the ransom.

But they say that the accounts, the infrastructure, etc. “suggest the known 0mega operators performed this operation,” and have released indicators of compromise to help other organizations stymie potential attacks.
