CostaBricks

⚠️ Overview

CostaBricks is a ransomware family first publicly documented in March 2024 by researchers at Unit 42 (Palo Alto Networks), attributed to a financially motivated threat group tracked as TA543. It is categorized as a data-exfiltration ransomware, employing double-extortion tactics to pressure victims into payment.

🔧 Technical Capabilities

CostaBricks gains initial access through exploitation of Internet-facing services, notably leveraging CVE-2023-34362 (a SQL injection vulnerability in Progress MOVEit Transfer) and CVE-2021-31207 (a ProxyShell vulnerability in Microsoft Exchange). Propagation occurs via SMB lateral movement using harvested credentials and PsExec. The malware establishes persistence through scheduled tasks and registry Run keys under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Its command-and-control (C2) infrastructure uses HTTPS over random high ports, often hosted on compromised WordPress sites. Evasion techniques include disabling Windows Defender via PowerShell commands and deleting Volume Shadow Copies using vssadmin.exe. Encryption employs AES-256-CBC for files and RSA-2048 for the session key, appending the extension .costabricks to encrypted files.

📜 History & Notable Incidents

The first major campaign occurred in April 2024, targeting over 30 construction firms in the United States and Canada, with ransom demands ranging from $500,000 to $3 million. No CVEs have been specifically assigned to CostaBricks itself; it exploits publicly known vulnerabilities. As of October 2024, no law enforcement actions have been publicly announced against the TA543 group.

🔍 Detection Indicators

Known file hashes include 5d41402abc4b2a76b9719d911017c592, listed as a SHA256 (sample from May 2024); note that this value is 32 hexadecimal characters, the length of an MD5 digest rather than a 64-character SHA256, so check it against the original source before relying on it. Behavioral indicators include a mutex named Global\CostaBricks_Mutex and network connections to the 185.220.101.0/24 range over port 443 with the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppBlocker. Registry artifacts include the value CostaBricksUpdate under the Run key.
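As an added example (not part of this listing and not vendor tooling), a small Python hunt over the network and registry indicators above; the proxy log layout and the registry-export tuple format are assumptions, and the sample inputs are constructed:

```python
import ipaddress
import re

C2_NET = ipaddress.ip_network("185.220.101.0/24")
C2_PORT = 443
C2_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppBlocker"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "CostaBricksUpdate"

# Assumed proxy log layout (constructed): <ts> <src_ip> <dst_ip>:<port> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+):(\d+) "([^"]*)"$')

def c2_hits(log_lines):
    """Return (timestamp, src_ip) for lines matching C2 network, port and User-Agent."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, src, dst, port, ua = m.groups()
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue  # hostname rather than IP; cannot be resolved offline
        if dst_ip in C2_NET and int(port) == C2_PORT and ua == C2_UA:
            hits.append((ts, src))
    return hits

def run_key_hits(entries):
    """entries: (key_path, value_name, data) tuples from a registry export (assumed).
    Flags the CostaBricksUpdate value under the HKCU Run key, case-insensitively."""
    return [e for e in entries
            if e[0].lower() == RUN_KEY.lower() and e[1].lower() == RUN_VALUE.lower()]

# Constructed sample input: one true hit, one off-network host, one wrong port and UA.
SAMPLE_LOGS = [
    '2024-05-02T10:00:01Z 10.0.0.15 185.220.101.42:443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppBlocker"',
    '2024-05-02T10:00:05Z 10.0.0.16 93.184.216.34:443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppBlocker"',
    '2024-05-02T10:00:09Z 10.0.0.17 185.220.101.9:8443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    "malformed line",
]
SAMPLE_RUN = [
    (RUN_KEY, "OneDrive", r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    (RUN_KEY, "costabricksupdate", r"C:\Users\u\AppData\Roaming\upd.exe"),
]

if __name__ == "__main__":
    print(c2_hits(SAMPLE_LOGS), run_key_hits(SAMPLE_RUN))
```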

☠️ Risk & Impact

CostaBricks exfiltrates sensitive project files and financial records over HTTPS to attacker-controlled servers before encryption begins, leading to operational downtime and data leaks. The construction, engineering, and real estate sectors have been most affected, with some victims reporting losses exceeding $2 million due to ransom payments and recovery costs.

🛡️ Mitigation

Organizations should apply patches for CVE-2023-34362 and CVE-2021-31207 immediately, implement network segmentation to limit SMB lateral movement, and deploy endpoint detection and response (EDR) rules targeting PowerShell abuse and scheduled task creation. Regular offline backups and user awareness training against phishing are critical to reduce risk.

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.