Backmydata ransomware

Backmydata ransomware targets Remote Desktop Protocol (RDP) weaknesses, including weak credentials. Upon gaining a foothold, Backmydata establishes persistence, disables firewalls, and encrypts and exfiltrates data. It also deletes backups to prevent victims from restoring their systems without paying the ransom. It was linked to the attack on Romanian hospitals in February 2024.

CryptoLocker

CryptoLocker is a Trojan horse that infects your computer and then searches for files to encrypt. This includes anything on your hard drives and all connected media — for example, USB memory sticks or any shared network drives. In addition, the malware seeks out files and folders you store in the cloud. Only computers running a version of Windows are susceptible to CryptoLocker; the Trojan does not target Macs.

Flame

Flame, also known as Flamer, sKyWIper, and Skywiper, is modular computer malware discovered in 2012 that attacks computers running the Microsoft Windows operating system. The program is used for targeted cyber espionage in Middle Eastern countries.

LightlessCan malware

ESET describes the LightlessCan backdoor as a successor to BlindingCan, based on similarities in source code and command ordering, featuring a more sophisticated code structure, different command indexing, and enhanced functionality.

The malware replicates many native Windows commands such as ping, ipconfig, netstat, mkdir, schtasks, and systeminfo, so it can execute them without spawning a visible console process, which improves its stealth against real-time monitoring tools. Since those commands are closed-source, ESET comments that Lazarus has either managed to reverse engineer the code or drew inspiration from open-source re-implementations. Another interesting aspect reported by ESET is that one of the LightlessCan payloads they sampled was encrypted and could only be decrypted using a key dependent on the target’s environment.

This is an active protection measure to prevent outside access to the victim’s computer, for example, by security researchers or analysts.

This discovery underscores that Lazarus’ Operation Dreamjob is not solely driven by financial objectives, such as cryptocurrency theft, but also encompasses espionage goals.