A number of ransomware gangs have stopped using malware to encrypt targets’ files and have switched to a data theft/extortion approach to get paid; 0mega – a low-profile and seemingly not very active threat actor – seems to be among them.
About the 0mega ransomware operation
0mega (spelled with a zero) is a relative newcomer to the ransomware/extortion business.
Evidence of its activities was first spotted roughly a year ago, when one victim – a UK-based electronics repair and refurbishment company – apparently refused to pay and the gang leaked company data on its dedicated leak site.
The gang used ransomware that added the “.0mega” extension to encrypted files, but a sample of the malware hasn’t been found.
Of course, the fact that the leak site only lists a few victims does not mean there haven’t been many others. One victim organization’s data was leaked and then removed, according to Lawrence Abrams.
SaaS account compromise + data theft = extortion
Obsidian Security’s threat research team has been called in to help tease out the details of an attack that resulted in data theft from an unnamed company’s SharePoint Online assets, and they believe the threat actor behind the attack is 0mega.
The attackers first compromised one of the company’s Microsoft Global admin service accounts that did not have multi-factor authentication enabled, then used it to create a new Microsoft AD user called 0mega and added various permissions to it (Global Administrator, SharePoint Administrator, Exchange Administrator, Teams Administrator).
“The compromised service account granted the 0mega account site collection administrator capabilities to multiple SharePoint sites and collections, while also removing existing administrators. Over 200 admin removal operations occurred within a 2-hour period,” the team shared.
0mega removes existing admins (Source: Obsidian Security)
The attackers then exfiltrated hundreds of company files and uploaded thousands of text files to draw attention to the data exfiltration. Those files – named PREVENT-LEAKAGE.txt – contained instructions on how to get in touch with the threat actor to start payment negotiations (via a chat room on a Tor site).
According to information shared by Obsidian with Help Net Security, the attackers threaten that if payment (in bitcoin) isn’t made, they will post details publicly.
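The two loudest signals in the attack described above, a burst of site collection admin removals and one file name uploaded thousands of times, can be hunted for in audit data. The following is an added example, not code from Obsidian Security or the original article; the event schema (time, actor, op, target), the account names and both thresholds are assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)   # the article reports 200+ removals within 2 hours
REMOVAL_THRESHOLD = 50        # assumed alert threshold, tune per tenant
NOTE_THRESHOLD = 100          # assumed: same file name uploaded this many times

def burst_actors(events, op, threshold, window=WINDOW):
    """Return {actor: peak count} for actors with >= threshold `op` events in any window."""
    by_actor = defaultdict(list)
    for e in events:
        if e["op"] == op:
            by_actor[e["actor"]].append(e["time"])
    flagged = {}
    for actor, times in by_actor.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[actor] = peak
    return flagged

def repeated_uploads(events, threshold=NOTE_THRESHOLD):
    """Return {(actor, file name): count} for names uploaded at least `threshold` times."""
    counts = Counter((e["actor"], e["target"].rsplit("/", 1)[-1])
                     for e in events if e["op"] == "file_uploaded")
    return {key: n for key, n in counts.items() if n >= threshold}

def sample_events():
    """Constructed sample: bulk admin removals, mass note uploads, and routine activity."""
    t0 = datetime(2023, 1, 1, 9, 0)
    ev = [{"time": t0 + timedelta(seconds=30 * i), "actor": "svc-account",
           "op": "admin_removed", "target": f"/sites/site{i % 40}"} for i in range(210)]
    ev += [{"time": t0 + timedelta(hours=3, seconds=i), "actor": "new-admin",
            "op": "file_uploaded", "target": f"/sites/site{i % 40}/dir{i}/PREVENT-LEAKAGE.txt"}
           for i in range(1500)]
    ev += [{"time": t0 + timedelta(days=i), "actor": "alice",
            "op": "admin_removed", "target": "/sites/hr"} for i in range(5)]
    ev.append({"time": t0, "actor": "alice", "op": "file_uploaded",
               "target": "/sites/hr/report.docx"})
    return ev

if __name__ == "__main__":
    events = sample_events()
    print(burst_actors(events, "admin_removed", REMOVAL_THRESHOLD))
    print(repeated_uploads(events))
```

Matching on repetition of any file name rather than on the literal PREVENT-LEAKAGE.txt keeps the check useful if the note is renamed.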
A different approach
“This approach is different from what has been observed in the wild, where some companies had their SharePoint 365 instances ransomed when attackers encrypted files on a compromised user’s machine or a mapped drive and then synchronized them to SharePoint,” the team pointed out.
They told Help Net Security that their post-compromise investigation happened in “the late first half of 2023.”
They don’t know how the credentials for the hijacked service account were compromised or whether the company ultimately paid the ransom.
But they say that the accounts, the infrastructure, etc. “suggest the known 0mega operators performed this operation,” and have released indicators of compromise to help other organizations stymie potential attacks.