LostTrust Ransomware Detection: SFile and Mindware Advancement, Successor of MetaEncryptor Gang

Novel LostTrust ransomware emerged in the cyber threatscape in early spring 2023. However, the adversary campaign hit the headlines only in September when ransomware operators were observed leveraging data leak sites and payloads quite similar to the offensive tools used by the MetaEncryptor gang. Defenders are raising concerns in response to the growing threats as over 50 LostTrust victims from across the globe have been compromised by ransomware intrusions.

Detect LostTrust Ransomware Attacks

The emergence of multi-extortion ransomware attacks that put more pressure on the victims fuels the need for strengthening defensive capabilities to preempt such threats. LostTrust ransomware campaigns that have been causing a stir since the turn of fall 2023 expose multiple global organizations to growing risks of intrusions. SOC Prime Platform offers a new Sigma rule for the LostTrust ransomware attack detection available via a link below:

Possible Payload Execution Activity of LostTrust Ransomware Campaign by Detection of CommandLine Parameters (via process_creation)

This detection algorithm is written by our keen Threat Bounty developer, Aung Kyaw Min Naing. Join the ranks of SOC Prime’s crowdsourced initiative to make your contribution to collective cyber defense by writing, sharing, and earning a chance to monetize your own detection code. 

The above-mentioned Sigma rule is mapped to the MITRE ATT&CK framework addressing the Impact tactic and Data Encrypted for Impact technique (T1486). Check for tailored intelligence linked to content and instantly convert the code to multiple query language formats of the corresponding SIEM, EDR, XDR, and Data Lake solutions.

When detecting emerging threats, time is of paramount value. Click Explore Detections to drill down to over 800 Sigma rules for ransomware detection and delve into CTI, check out adversary TTPs, find mitigations, and reach other actionable metadata to never miss a bit.  

Explore Detections

LostTrust Ransomware Analysis

Modern ransomware families tend to apply double and multi-extortion approaches to enhance their offensive capabilities. In early fall 2023, a novel multi-extortion threat known as the LostTrust ransomware came to the spotlight, with the first attacks performed back in March. According to the research by SentinelOne, LostTrust has evolved from SFile and Mindware ransomware families. They all exhibit capabilities similar to MetaEncryptor ransomware, which allows the assumption that LostTrust can be a rebrand of the latter. Moreover, MetaEncryptor and LostTrust share similarities in data leak sites and encryptors they apply.

LostTrust payloads actively seek out and terminate a wide range of critical services and operations, primarily linked to Microsoft Exchange, MSSQL, SharePoint, Tomcat, etc. Also, malware attempts to eliminate VSS and clear all Windows Event Logs. 

The shared capabilities among Mindware, SFile, and LostTrust serve as evidence that the latter is an evolution of this lineage. For instance, LostTrust malicious strains are based on SFile. Similarly to its predecessors, LostTrust deals with exclusions via pattern/string, while its encryption inclusions and exclusions are akin to those of Mindware and SFile ransomware. In addition, the ransom note structure in the LostTrust campaigns is similar to Mindware operations.

As for the leak sites, some of the victims listed on LostTrust’s resources had previously been featured on leak sites related to Royal, LockBit 3, and Medusa ransomware operators. 

The increasing risks of emerging ransomware attacks require prompt attention from defenders to help organizations prevent reputational damage. Rely on Threat Detection Marketplace to explore a global feed of 300K+ context-enriched detection algorithms matching your industry, threat profile, organization-specific log sources, and tech stack in use.