DOGE Big Balls Ransomware Attack — What You Need To Know


A new ransomware attack called DOGE Big Balls uses political conspiracy theories to wrongfoot law enforcement.

Although current high-profile news events are more often found being used as bait by organized phishing crews to hook victims into clicking links, one cybercrime group has taken political conspiracy theory and woven it into ransomware code in an attempt to throw law enforcement off the scent. Welcome to the very strange world that is the DOGE Big Balls ransomware threat. If you think the threat from ransomware attackers is all but over, then you are very wrong indeed.

While the amount paid in ransoms is declining, the attacks themselves are not only surging but evolving fast. With new ransomware groups employing tools to brute force VPN and firewall passwords, old groups wanting to make friends with the FBI, and some even, I kid you not, moving the ransomware threat to snail mail, the danger is far from over. An April 14 report from threat intelligence platform Cyble has detailed how one ransomware group is leveraging provocative political commentary, conspiracy theory, and even the name and address of a high-profile individual within the Department Of Government Efficiency to manipulate, misattribute and draw attention while sowing the seeds of confusion.

That ransomware threat is called DOGE Big Balls. Although the ransomware payload itself is a highly-customized version of an existing malware threat known as Fog, the threat actors behind the latest attacks have renamed their threat to DOGE Big Balls Ransomware, likely to attract media attention and stand out from the crowd. Mea culpa, it’s working.

It’s relatively basic in attack methodology, leveraging a ZIP file with a deceptive shortcut that ultimately executes a multi-stage Windows PowerShell infection chain. A known vulnerability, CVE-2015-2291, is exploited to get the necessary kernel-level access to enable privilege escalation. Where things get more unusual, however, is that the ransomware scripts include political commentary and conspiracy theory in the code.
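The two stages described above, a shortcut that launches a hidden or encoded PowerShell chain and a kernel driver loaded to gain privileged access, both leave telemetry a defender can match on. The following is an added example written for this article, not code from Cyble’s report or from the ransomware itself: it runs two simple detection rules over constructed process-creation and driver-load events. The key=value log format, the file paths, the timestamps and the encoded command string are all constructed for the example, and the driver path is a hypothetical placeholder rather than the driver tied to CVE-2015-2291.

```python
"""Toy detection pass for a shortcut-launched PowerShell chain and a kernel
driver dropped for privilege escalation. The log lines and their key=value
format are constructed for this example; they are not any product's telemetry."""
import re
from typing import Dict, List

# Constructed sample events (hypothetical paths and values; not real telemetry).
SAMPLE_LOG = r'''
ts=2025-04-14T10:01:02Z type=process_create parent=C:\Windows\explorer.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
ts=2025-04-14T10:01:05Z type=process_create parent=C:\Windows\explorer.exe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe invoice.txt"
ts=2025-04-14T10:01:09Z type=process_create parent=C:\Windows\System32\services.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -File C:\ops\backup.ps1"
ts=2025-04-14T10:02:31Z type=driver_load image=C:\Users\alice\AppData\Local\Temp\stage2.sys signed=true
ts=2025-04-14T10:02:40Z type=driver_load image=C:\Windows\System32\drivers\ndis.sys signed=true
'''

# key=value pairs; a value in double quotes may contain spaces.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Command-line switches that hide the window, bypass policy, or carry an
# encoded or downloaded payload. Each one alone is not proof of malice, but
# PowerShell started by the desktop shell with any of them deserves a look.
_PS_STEALTH = [
    re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.I),        # encoded payload
    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),            # hidden window
    re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I),       # policy bypass
    re.compile(r"downloadstring|downloadfile|invoke-expression|\biex\b", re.I),
]

# Locations a standard user can write to; a legitimately installed driver
# does not normally load from any of these.
_USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed key=value event line into a dict."""
    return {k: (q if q else u) for k, q, u in _KV.findall(line)}


def is_suspicious_powershell(ev: Dict[str, str]) -> bool:
    """Flag PowerShell whose parent is explorer.exe (how a double-clicked
    shortcut runs) and whose command line carries stealth or encoding switches."""
    if ev.get("type") != "process_create":
        return False
    if not ev.get("image", "").lower().endswith("powershell.exe"):
        return False
    if not ev.get("parent", "").lower().endswith("\\explorer.exe"):
        return False
    cmd = ev.get("cmdline", "")
    return any(p.search(cmd) for p in _PS_STEALTH)


def is_suspicious_driver_load(ev: Dict[str, str]) -> bool:
    """Flag a kernel driver loaded from a user-writable directory. A signed
    but vulnerable driver dropped by the intruder still lands somewhere the
    user could write, unlike a driver installed through the normal path."""
    if ev.get("type") != "driver_load":
        return False
    path = ev.get("image", "").lower()
    return path.startswith(_USER_WRITABLE) or "\\temp\\" in path


def scan(log_text: str) -> List[Dict[str, str]]:
    """Run both rules over every line and return the alerts in log order."""
    alerts: List[Dict[str, str]] = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        if is_suspicious_powershell(ev):
            alerts.append({"ts": ev["ts"], "rule": "shortcut_powershell_chain",
                           "detail": ev["cmdline"]})
        elif is_suspicious_driver_load(ev):
            alerts.append({"ts": ev["ts"], "rule": "driver_from_user_path",
                           "detail": ev["image"]})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f'{alert["ts"]} {alert["rule"]}: {alert["detail"]}')
```

Run against the constructed sample, the scan raises two alerts: the hidden, policy-bypassing, encoded PowerShell launched from explorer.exe, and the driver loaded from a user’s Temp directory. The scheduled backup script and the driver from the system drivers directory pass untouched, which is the point of pairing the PowerShell rule with a parent-process condition rather than flagging every encoded command on the estate.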

“By introducing conspiracy-laced commentary in the code and ransom notes,” Cyble threat intelligence analysts said, “the threat actor demonstrates a psychological play designed to unsettle and distract victims during critical moments of response.” These statements include the likes of “The CIA didn’t kill Kennedy you idiot. Oswald is a very deranged person that felt ostracized by his own country.”

The ransomware demand text itself references 19-year-old software engineer and DOGE worker Edward Coristine, known online as Big Balls, and about whom much has been written in the media regarding his alleged past. Not only do the attackers falsely claim that Coristine is the threat actor behind the ransomware attack, but they include his full home address and telephone number. “The use of Coristine’s name and the DOGE reference in the ransomware could be a tactic to malign him and the DOGE initiative,” Cyble said.

I have reached out to DOGE for a statement.