Security News > 2023 > May > Iranian hackers use new Moneybird ransomware to attack Israeli orgs

A suspected Iranian state-supported threat actor known as 'Agrius' is now deploying a new ransomware strain named 'Moneybird' against Israeli organizations.
Check Point's researchers who discovered the new ransomware strain believe that Agrius developed it to help expand their operations, while the use of 'Moneybird' is yet another one of the threat group's attempts to cover their tracks.
In the next phase of the attack, Agrius fetches the Moneybird ransomware executable from legitimate file hosting platforms like 'ufile.io' and 'easyupload.io.
Upon launch, the C++ ransomware strain will encrypt target files using AES-256 with GCM, generating unique encryption keys for every file and appending encrypted metadata at their end.
Unlike previous attacks linked to Agrius, Moneybird is believed to be ransomware, rather than a wiper, meant to generate revenue to fund the threat actors' malicious operations.
For Agrius Moneybird is still an effective business-disruption tool, and further development leading to the release of newer, more capable versions might make it a formidable threat to a broader range of Israeli organizations.
News URL
Related news
- TechRepublic EXCLUSIVE: New Ransomware Attacks are Getting More Personal as Hackers ‘Apply Psychological Pressure” (source)
- Suspected Iranian Hackers Used Compromised Indian Firm's Email to Target U.A.E. Aviation Sector (source)
- Hunters International ransomware claims attack on Tata Technologies (source)
- Toronto Zoo shares update on last year's ransomware attack (source)
- Microsoft: North Korean hackers join Qilin ransomware gang (source)
- Live Ransomware Demo: See How Hackers Breach Networks and Demand a Ransom (source)
- Ransomware gang creates tool to automate VPN brute-force attacks (source)
- SANS Institute Warns of Novel Cloud-Native Ransomware Attacks (source)
- ⚡ THN Weekly Recap: Router Hacks, PyPI Attacks, New Ransomware Decryptor, and More (source)
- BlackLock ransomware claims nearly 50 attacks in two months (source)