Iranian hackers use new Moneybird ransomware to attack Israeli orgs (Security News, May 2023)

A suspected Iranian state-supported threat actor known as 'Agrius' is now deploying a new ransomware strain named 'Moneybird' against Israeli organizations.
Check Point's researchers who discovered the new ransomware strain believe that Agrius developed it to help expand their operations, while the use of 'Moneybird' is yet another one of the threat group's attempts to cover their tracks.
In the next phase of the attack, Agrius fetches the Moneybird ransomware executable from legitimate file hosting platforms like 'ufile.io' and 'easyupload.io'.
Upon launch, the C++ ransomware strain will encrypt target files using AES-256 with GCM, generating unique encryption keys for every file and appending encrypted metadata at their end.
Unlike previous attacks linked to Agrius, Moneybird is believed to be ransomware rather than a wiper, meant to generate revenue to fund the threat actor's malicious operations.
For Agrius, Moneybird is still an effective business-disruption tool, and further development leading to the release of newer, more capable versions might make it a formidable threat to a broader range of Israeli organizations.