Cybersecurity researchers have identified a new Russian-speaking ransomware group called Masque, which has emerged as a significant threat to businesses since early 2023. The group has successfully executed at least ten confirmed attacks primarily targeting small and medium-sized enterprises in Russia, demonstrating sophisticated tactical approaches and custom malware development capabilities.
Attack Vectors and Technical Infrastructure
Masque’s primary infection vector leverages the critical Log4Shell vulnerability (CVE-2021-44228) in the widely-used Log4j library. The group specifically targets publicly accessible VMware Horizon servers, using them as initial access points for lateral movement within victim networks. Their arsenal includes well-established penetration testing and remote access tools such as AnyDesk, Chisel, LocaltoNet, and the credential harvesting tool Mimikatz.
Operational Tactics and Network Movement
While employing relatively straightforward attack methodologies, Masque demonstrates professional operational security practices. The group typically maintains presence within compromised networks for periods ranging from several days to two weeks, utilizing standard remote access protocols including RDP and SSH, with occasional deployment of WinRM and SMBExec for lateral movement. Notably, the group appears to prioritize rapid ransomware deployment over data exfiltration.
MystiqueLoader: Advanced Custom Malware
Security analysts have discovered a sophisticated new tool in Masque’s arsenal: MystiqueLoader, which masquerades as dwm.exe, the name of the legitimate Windows Desktop Window Manager binary. This compact 47KB loader represents a significant technical advancement, featuring DNS-based command and control capabilities and in-memory execution techniques designed to evade detection. The development of this custom tool suggests ongoing technical evolution within the group’s capabilities.
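A defender-side triage check for the two observables this report gives (a loader named dwm.exe outside its normal location, and the dual-use tools listed above), written as an added example rather than code from the researchers: the process record format, the System32 path comparison, and the baseline size argument are assumptions for illustration.

```python
# Triage a process inventory for the Masque indicators described in the report.
# Assumed record format: {"pid": int, "name": str, "path": str, "size": int}.

# Location of the legitimate Desktop Window Manager binary (lower-cased for comparison).
LEGIT_DWM_PATH = r"c:\windows\system32\dwm.exe"
# Dual-use remote access / credential tools the report associates with Masque.
# Their presence is a review item, not proof of compromise (AnyDesk may be sanctioned).
DUAL_USE_TOOLS = {"anydesk.exe", "chisel.exe", "localtonet.exe", "mimikatz.exe"}


def triage_process(rec, baseline_dwm_size):
    """Return findings for one record. baseline_dwm_size is the byte size of the
    known-good System32 dwm.exe on this build (assumed to be captured from a clean host)."""
    name = rec["name"].lower()
    path = rec["path"].lower()
    findings = []
    if name == "dwm.exe":
        if path != LEGIT_DWM_PATH:
            findings.append("dwm.exe running from a non-standard path")
        if rec["size"] != baseline_dwm_size:
            findings.append("dwm.exe size differs from known-good copy "
                            "(MystiqueLoader is reported at ~47KB)")
    if name in DUAL_USE_TOOLS:
        findings.append(f"dual-use tool present, verify it is sanctioned: {name}")
    return findings


def triage_inventory(records, baseline_dwm_size):
    """Map pid -> findings for every record that produced at least one finding."""
    hits = {}
    for rec in records:
        findings = triage_process(rec, baseline_dwm_size)
        if findings:
            hits[rec["pid"]] = findings
    return hits


# Constructed sample inventory, not real telemetry.
SAMPLE = [
    {"pid": 1200, "name": "dwm.exe", "path": r"C:\Windows\System32\dwm.exe", "size": 900_000},
    {"pid": 4412, "name": "dwm.exe", "path": r"C:\Users\Public\dwm.exe", "size": 48_128},
    {"pid": 5030, "name": "AnyDesk.exe", "path": r"C:\ProgramData\AnyDesk\AnyDesk.exe", "size": 5_000_000},
    {"pid": 6100, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe", "size": 4_000_000},
]

if __name__ == "__main__":
    for pid, findings in triage_inventory(SAMPLE, baseline_dwm_size=900_000).items():
        print(pid, findings)
```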
Ransom Demands and Communication Protocols
Initial ransom demands typically range from 5 to 10 million rubles (approximately $55,000-$110,000 USD), with payments requested in Bitcoin (BTC) or Monero (XMR). The group implements unique operational security measures, including the use of separate Tox messenger identifiers for each victim, indicating a structured and organized approach to their criminal enterprise.
The emergence of Masque underscores the critical importance of maintaining robust cybersecurity practices, particularly for organizations operating public-facing services. Security teams should prioritize patching known vulnerabilities, implementing comprehensive network monitoring solutions, and maintaining secure, offline backup systems. Additionally, organizations should consider implementing network segmentation and zero-trust architectures to minimize the impact of potential compromises. The sophistication of groups like Masque demonstrates the evolving nature of ransomware threats and the necessity for proactive security measures.