The LostTrust ransomware operation is believed to be a rebrand of MetaEncryptor, using virtually equivalent knowledge leak websites and encryptors.
LostTrust started attacking organizations in March 2023 however didn’t develop into extensively identified till September, after they started using an information leak web site.
Presently, the information leak web site lists 53 victims worldwide, with some having their knowledge leaked already for not paying a ransom.
It’s unclear if the ransomware gang solely targets Home windows gadgets or in the event that they make the most of a Linux encryptor as effectively.
A rebrand of MetaEncryptor
MetaEncryptor is a ransomware operation that’s believed to have launched in August 2022, amassing twelve victims on their knowledge leak web site by means of July 2023, after which no new victims had been added to the location.
This month, a brand new knowledge leak web site for the ‘LostTrust’ gang was launched, with cybersecurity researcher Stefano Favarato rapidly noticing it makes use of the identical actual template and bio as MetaEncryptor’s knowledge leak web site.
“We’re a gaggle of younger individuals who determine themselves as specialists within the area of community safety with a minimum of 15 years of expertise,” reads an outline on each the MetaEncryptor and LostTrust knowledge leak websites.
“This weblog and this work are ONLY business use, moreover not the principle one. Now we have nothing to do with politics, intelligence companies and the NSB.”
BleepingComputer additionally discovered that each the LostTrust [VirusTotal] and MetaEncryptor [VirusTotal] encryptors are nearly equivalent, with some minor adjustments to ransom notes, embedded public keys, ransom notice names, and encrypted file extensions.
Moreover, cybersecurity researcher MalwareHunterTeam instructed BleepingComputer that LostTrust and MetaEncryptor are based mostly on the SFile2 ransomware encryptor. This relation is additional backed up by an Intezer scan displaying numerous code overlap between the LostTrust and SFile encryptors.
Because of the vital overlap between the 2 operations, it’s believed that LostTrust is a rebrand of the MetaEncryptor operation.
The LostTrust encryptor
BleepingComputer discovered a pattern of the LostTrust encryptor and carried out a short evaluation beneath.
The encryptor could be launched with two non-compulsory command line arguments, –onlypath (encrypt a selected path) and –enable-shares (encrypt community shares).
When launched, the encryptor will open a console displaying the present state of the encryption course of, as proven beneath.
Supply:BleepingComputer
Notice the ‘METAENCRYPTING‘ string within the encryptor, indicating it’s a modified MetaEncryptor encryptor.
When executed, LostTrust will disable and cease quite a few Home windows companies to make sure all recordsdata could be encrypted, together with any companies containing the Firebird, MSSQL, SQL, Change, wsbex, postgresql, BACKP, tomcat, SBS, and SharePoint strings.
The encryptor can even disable and cease extra companies related to Microsoft Change.
When encrypting recordsdata, the encryptor will append the .losttrustencoded extension to encrypted file’s names, as illustrated beneath.
Supply: BleepingComputer
Ransom notes named !LostTrustEncoded.txt will likely be created in each folder on the machine, with the risk actors introducing themselves as prior white hat hackers. Nonetheless, after being poorly paid, they determined to modify to cybercrime.
“Our workforce has an intensive background in authorized and so referred to as white hat hacking. Nonetheless, purchasers normally thought-about the discovered vulnerabilities to be minor and poorly paid for our companies,” reads the LostTrust ransom notice.
“So we determined to alter our enterprise mannequin. Now you perceive how necessary it’s to allocate an excellent funds for IT safety.”
Supply: BleepingComputer
These ransom notes comprise info on what occurred to the corporate’s recordsdata and embrace a singular hyperlink to the ransomware gang’s Tor negotiation web site.
The negotiation web site is naked bones, with solely a chat function permitting firm representatives to barter with the risk actors.
Supply: BleepingComputer
BleepingComputer was instructed that ransom calls for for LostTrust assaults vary from $100,000 to thousands and thousands.
Information leak web site used to extort victims
Like different ransomware operations, LostTrust makes use of a Tor knowledge breach web site that’s used to extort corporations by threatening to leak their stolen knowledge if a ransom isn’t paid.
LostTrust has 53 victims on their knowledge leak web site, with some corporations already having their knowledge leaked.
Supply: BleepingComputer
At the moment, it’s not identified if paying a ransom demand will result in the deletion of knowledge and a working decryptor.