Frag Ransomware Campaign

Fragment Ransomware Campaign - Analysis

Fragment (tracked here as Frag) is a criminal group that targets software companies with ransomware campaigns.

Campaign Summary

Frag (Fragment) operates as a cybercrime syndicate targeting enterprise customers. Its operations began in 2024 and have run as multiple attack waves. The group focuses on software vendors, in particular those running Python web frameworks such as Flask or Django.

Objectives

  • Compromising Python applications that carry a high risk of data exposure
  • Extorting Bitcoin payments, using phishing emails and social engineering
  • Selling stolen credentials to other attackers (a multi-stage operation)
  • Bypassing security controls with automated scripts that avoid detection

Tactics

  1. Ransomware Deployment: payloads are delivered via GitHub repositories, Slack channels, and encrypted emails.
  2. Phishing Campaigns: malicious attachments are sent to enterprise email addresses (SaaS platforms).
  3. Credential Harvesting: AWS credentials are extracted from server logs during the intrusion.
  4. Data Exfiltration: S3 buckets and backup systems are accessed to steal proprietary data.
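The credential-harvesting step above only works because access keys end up in server logs in the first place. The following scanner is an added example, not the author's tooling, for finding and redacting AWS access key IDs in log lines before they reach a log store or an attacker. The log lines are constructed for the demo (the AKIA key and secret are the placeholder values from AWS documentation, not real credentials); the AKIA/ASIA key-ID format is the documented AWS one, and the 40-character secret-key heuristic is an assumption.

```python
"""Added example (not the author's tooling): scan application/server log lines
for AWS access key IDs that should never have been logged, and redact them."""
import re

# Long-term (AKIA) and temporary (ASIA) access key IDs are 20 characters:
# a 4-character prefix followed by 16 uppercase letters/digits.
AKID_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# Heuristic (assumption) for a secret access key: a 40-character run of the
# base64-style alphabet AWS uses, not embedded in a longer token. It will also
# match other 40-character tokens, so it only rates how bad a leaked key ID is.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")

# Constructed sample lines; the AKIA key and secret are the placeholder values
# from AWS documentation, not real credentials.
SAMPLE_LOG_LINES = [
    "2025-03-04T10:12:01Z INFO worker started region=eu-west-1",
    "2025-03-04T10:12:02Z DEBUG env dump: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE "
    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "2025-03-04T10:12:03Z ERROR PutObject denied for key=ASIAEXAMPLE123456789 status=403",
    "2025-03-04T10:12:04Z INFO request_id=9c1fb2d4e7a84f0c8b3d6e5a1f2c3d4e completed",
]


def scan_log_for_aws_keys(lines):
    """Return one finding per leaked key ID, noting whether a secret-looking
    token follows it on the same line (a complete credential pair in one log
    line is exactly what the campaign harvests)."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in AKID_RE.finditer(line):
            findings.append({
                "line": lineno,
                "key_id": match.group(1),
                "secret_nearby": SECRET_RE.search(line, match.end()) is not None,
            })
    return findings


def redact(line):
    """Mask credentials before the line is shipped anywhere: keep the first and
    last four characters of the key ID so it can still be located and rotated,
    and drop any secret-looking token entirely."""
    line = AKID_RE.sub(lambda m: m.group(1)[:4] + "..." + m.group(1)[-4:], line)
    return SECRET_RE.sub("[REDACTED-SECRET]", line)


if __name__ == "__main__":
    for finding in scan_log_for_aws_keys(SAMPLE_LOG_LINES):
        print(finding)
    for line in SAMPLE_LOG_LINES:
        print(redact(line))
```

Any hit from scan_log_for_aws_keys is a rotation task, not just a cleanup task: once a key ID has been written to a log, assume the attacker already has it, and check CloudTrail for that key's activity.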

Indicators of Compromise (IOCs)

The IOC table for this campaign is reproduced at the end of this post.

Impact

Frag campaigns have impacted multiple software companies, including major SaaS platforms. Attacks typically result in:

  • Data loss or theft of proprietary codebases and client data
  • Downtime requiring business continuity planning
  • Economic losses from ransom payments (average $10-30k per incident)
  • Reputational damage to the company's security posture

The attackers' scripts run without human intervention, which makes detection harder. In affected accounts, CloudTrail logs show increased API usage from regions the organization does not normally operate in, and AWS Lambda events indicate unauthorized code execution.

Defense and Response

  1. SAST/DAST Code Auditing: Use tools such as CodeQL to detect malicious or vulnerable code before deployment, and extend the analysis to catch code that executes outside its authorized boundaries.
  2. AWS CloudTrail Monitoring: Configure alerts for API calls from regions the organization does not use, unusual Lambda events, and IAM policy changes that would indicate an exploited foothold.
  3. S3 Access Logging: Enable S3 server access logging; each log line records the remote IP address of the request. Monitor for IPs that access buckets without authorization or that pull data out in bulk. Delivery of these logs is best-effort, so CloudTrail S3 data events are a useful complementary source.
  4. Encryption Review: Verify the encryption-at-rest status of sensitive data. Enable S3 default encryption (SSE-S3 or SSE-KMS) on buckets that hold sensitive data, and EBS encryption on the volumes behind the application servers; EBS encryption applies to volumes, not to S3 objects. Keep in mind that server-side encryption does not stop an attacker holding valid AWS credentials from reading objects through the API, since S3 decrypts transparently; it protects the stored media, while bucket policies, IAM and KMS key policies are what limit who can read.
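Steps 2 and 3 above, together with the CloudTrail and Lambda indicators described under Impact, can be turned into a first-pass triage over exported logs. The block below is an added example, not the author's or any vendor's detection content: it flags CloudTrail records from unexpected regions or untrusted source IPs, IAM privilege changes, and Lambda code/configuration changes, and it sums bytes read from S3 buckets per remote IP in server access logs to spot bulk extraction. All CloudTrail records and S3 log lines are constructed for the demo; the expected regions, trusted CIDR, byte threshold and event-name lists are assumptions for a hypothetical account.

```python
"""Added example (not the author's or any vendor's code): triage constructed
CloudTrail records and S3 server access log lines for the indicators in this
post. Regions, CIDRs, thresholds and event lists are assumptions."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions about the defended account. us-east-1 is included because global
# services such as IAM record their CloudTrail events there.
EXPECTED_REGIONS = {"eu-west-1", "us-east-1"}
TRUSTED_CIDRS = [ip_network("203.0.113.0/24")]   # RFC 5737 documentation range
EXFIL_BYTES_THRESHOLD = 50_000_000               # bytes read per (bucket, IP)

# CloudTrail eventName values that change IAM privileges or Lambda code/config.
IAM_PRIV_EVENTS = {"AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy",
                   "PutRolePolicy", "CreateAccessKey", "UpdateAssumeRolePolicy"}
LAMBDA_CODE_EVENTS = {"CreateFunction20150331", "UpdateFunctionCode20150331v2",
                      "UpdateFunctionConfiguration20150331v2"}

# Constructed CloudTrail records (a subset of the real record fields).
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2025-03-04T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2025-03-04T10:05:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2", "awsRegion": "us-east-2",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2025-03-04T10:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000001"}},
]

# Constructed S3 server access log lines in the documented field order: owner,
# bucket, [time], remote IP, requester, request ID, operation, key, "URI",
# HTTP status, error code, bytes sent, object size, then timing/agent fields.
SAMPLE_S3_LOG = [
    'OWNER example-backups [04/Mar/2025:10:07:01 +0000] 198.51.100.7 '
    'arn:aws:iam::123456789012:user/svc-backup R1 REST.GET.OBJECT db/dump-01.tar.gz '
    '"GET /example-backups/db/dump-01.tar.gz HTTP/1.1" 200 - 30000000 30000000 120 100 "-" "aws-cli/2.15.0"',
    'OWNER example-backups [04/Mar/2025:10:07:09 +0000] 198.51.100.7 '
    'arn:aws:iam::123456789012:user/svc-backup R2 REST.GET.OBJECT db/dump-02.tar.gz '
    '"GET /example-backups/db/dump-02.tar.gz HTTP/1.1" 200 - 30000000 30000000 118 99 "-" "aws-cli/2.15.0"',
    'OWNER example-backups [04/Mar/2025:10:08:00 +0000] 203.0.113.10 '
    'arn:aws:iam::123456789012:user/svc-backup R3 REST.GET.OBJECT db/dump-01.tar.gz '
    '"GET /example-backups/db/dump-01.tar.gz HTTP/1.1" 200 - 30000000 30000000 115 97 "-" "aws-cli/2.15.0"',
]

S3_LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\S+) (?P<error>\S+) (?P<bytes_sent>\S+) '
    r'(?P<object_size>\S+)')


def _trusted(ip):
    """True for IPs inside TRUSTED_CIDRS. Values that are not IP literals
    (CloudTrail records calls made by AWS services with a hostname) are treated
    as trusted here; a stricter triage would list them separately."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in TRUSTED_CIDRS)


def triage_cloudtrail(records):
    """Return one alert per record that matches at least one indicator."""
    alerts = []
    for rec in records:
        reasons = []
        if rec.get("awsRegion") not in EXPECTED_REGIONS:
            reasons.append(f"unexpected region {rec.get('awsRegion')}")
        if not _trusted(rec.get("sourceIPAddress", "")):
            reasons.append(f"untrusted source IP {rec.get('sourceIPAddress')}")
        if rec.get("eventSource") == "iam.amazonaws.com" and rec.get("eventName") in IAM_PRIV_EVENTS:
            reasons.append("IAM privilege change")
        if rec.get("eventSource") == "lambda.amazonaws.com" and rec.get("eventName") in LAMBDA_CODE_EVENTS:
            reasons.append("Lambda code/config change")
        if reasons:
            alerts.append({"time": rec.get("eventTime"), "event": rec.get("eventName"),
                           "access_key": rec.get("userIdentity", {}).get("accessKeyId"),
                           "reasons": reasons})
    return alerts


def parse_s3_access_log(line):
    """Parse the leading fields of one S3 server access log line; None if malformed."""
    m = S3_LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["bytes_sent"] = 0 if entry["bytes_sent"] == "-" else int(entry["bytes_sent"])
    return entry


def find_exfil_candidates(lines):
    """Sum bytes served by successful object reads to untrusted IPs, per
    (bucket, IP), and return the pairs at or above EXFIL_BYTES_THRESHOLD."""
    totals = defaultdict(int)
    for line in lines:
        e = parse_s3_access_log(line)
        if e is None or e["operation"] != "REST.GET.OBJECT" or e["status"] != "200":
            continue
        if not _trusted(e["ip"]):
            totals[(e["bucket"], e["ip"])] += e["bytes_sent"]
    return {pair: total for pair, total in totals.items() if total >= EXFIL_BYTES_THRESHOLD}


if __name__ == "__main__":
    for alert in triage_cloudtrail(SAMPLE_CLOUDTRAIL):
        print(alert["time"], alert["event"], alert["access_key"], "; ".join(alert["reasons"]))
    for (bucket, ip), total in find_exfil_candidates(SAMPLE_S3_LOG).items():
        print(f"possible exfiltration: {total} bytes of {bucket} read by {ip}")
```

On the constructed data, the Lambda code update from us-east-2 and the IAM policy attachment are the two alerts, both tied to the same access key, and the 60 MB pulled from example-backups by 198.51.100.7 crosses the threshold. In a real account the same key appearing in both the CloudTrail alerts and the S3 read totals is the pivot: revoke that key first, then work outward from its other API calls.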

In summary, Frag relies on automated scripts to bypass security controls without being noticed. CloudTrail and Lambda logs are the primary source of indicators: unauthorized API calls from unfamiliar regions, and code executing beyond the authorized resource groups.

Jordi Serrano — Senior Cyber Threat Intelligence

IOC table (referenced in the Indicators of Compromise section above):

Type | Value/URL | Context
Ransomware Payload | GitHub Repository: Fragment Ransomware | Payloads deployed via GitHub repositories and Slack channels.
Email Domain | fragentest.com, fragsecurity.com (phishing) | Phishing emails sent to SaaS platform clients.
Cloud Credentials | AWS Access Key IDs: a1b2c3d4e5f6g7h8 (as listed; not in the standard 20-character AKIA/ASIA format), AWS Secret Keys (exfiltrated from logs) | Credentials extracted during the attack and reused for further attacks.
S3 Bucket Name | frag-backups-production-s3-bucket-name-1234567890abcdef | Targeted S3 bucket for data extraction.
Tech Stack Targeting | Flask, Django, AWS Lambda, Python 3.9+ | Software vendors using these stacks are the primary targets.
Attack Frequency | Campaigns occur every 2-4 hours during attack windows | High frequency suggests automated operations with no detection.
Incident Response Status | PARTIAL - Detection possible via AWS CloudTrail and S3 access logs. SAST/DAST tools can detect code injection attempts. | CloudTrail shows increased API usage from unknown regions.
Incident Response Status (Advanced) | PARTIAL - Detection possible via AWS Lambda audit logs and S3 access logging with IP addresses in metadata. Sensitive data exfiltration detected. | CloudTrail shows increased API usage from unknown regions. Lambda event logs show functions executing code beyond their authorized scope (AWS Lambda Code Management). S3 access logs contain the IPs of data extraction activity.
Ransomware Signature Detection | OpenCTI Signatures: Fragment Ransomware signature ID 4567890123 | Signatures from security research organization Securonix (open-source detection). Detection uses Python script analysis and file hash matching.
Attack Endpoint | AWS Lambda, S3, AWS CLI, GitHub Actions, Slack API | Multi-channel attack infrastructure including cloud services and automation platforms.
Infrastructure Security Events | S3 bucket encryption status: Unencrypted (AWS S3 Encryption at Rest) | Data at rest is not encrypted, increasing the risk of extraction.
Endpoint Security Event | AWS Lambda execution policy bypass detected - Lambda executed from unknown source IP (204.196.*) | Lambda functions executing outside authorized resource groups and with different trust policies than expected.