Search This Blog

Showing posts with label Ransom. Show all posts

New Malicious Program 'Nefilim' Threatens to Release Stolen User Data


Nefilim, a new malicious program that basically is ransomware that functions by encrypting files on affected systems, has become active in the cyber ecosystem since February 2020. After encryption of the files, it demands a ransom from the victims for the decryption of files, tools, and software. However, it is still unclear how the ransomware is being spread, sources reckon that it's distributed via susceptible Remote Desktop Services.

As per the head of SentinelLabs, Vitali Krimez and Michael Gillespie from ID Ransomware, the code employed in Nefilim resembles much that of Nemty's, another file-encrypting ransomware that steals user data by restricting access to documents and multimedia using the AES-256 algorithm. As to the speculations of security researchers, it is likely that the authors of the first ransomware have a role to play in Nefilim's creation and distribution. However, due to the uncertainty revolving around the operation source of the new ransomware, experts also point towards a possibility of the source code being somehow obtained by the new malicious actors to develop a new variant.

While the encryption is underway, all the affected files are added with ".NEFILIM" extension. For instance, a file previously named "xyz.png" would start appearing as "xyz.png.NEFILIM" after the encryption takes place. The completion of the process is followed by a ransom note being created on the infected user's desktop titled "NEFILIM-DECRYPT.txt", "A large amount of your private files have been extracted and is kept in a secure location. If you do not contact us in seven working days of the breach we will start leaking the data. After you contact us we will provide you proof that your files have been extracted." the note reads.

As per the sources, for money matters, Nefilim primarily pins its hopes on email communications instead of a Tor payment site after the removal of the Ransomware-as-a-Service (RaaS) component and it stands out as one major difference. According to the analysis carried out by Gillespie, it has been made clear that as of now there exists no way to retrieve files without paying the ransom because the ransomware is reported to be completely secure. As a result of that, victims are being threatened to pay the demanded amount within a week or else the data stolen will be exposed by the attackers.

Texas Hit with a Series of Coordinated Ransomware Attack




Texas is currently hit with an 'unprecedented' of ransomware attacks that has significantly focused on local government entities in the state, with at least 23 impacted by the attacks.

The attacks which seem to have been led by a single threat actor are said to have of begun in the morning of August 16. It is additionally presumed that 23 may not be the final count considering that right now the details are at 'a minimum' with the Department of Information Resources (DIR), who is leading the investigation into the attacks.

The local Texas authorities, like the DIR, Texas Division of Emergency Management, and Texas Military Department are still investigating the origin of the attack, also involved are the federal agencies such as the Department of Homeland Security, Federal Bureau of Investigation – Cyber, and Federal Emergency Management Agency (FEMA).

In its original statement released on late Friday, DIR says that while investigations regarding the origins of the attack are continuous, their principle need is to aid the response and recuperation of 'affected entities'.

DIR is driving the reaction to what it calls a "coordinated ransomware attack" however does not unveil which organizations are affected. This is a result of security concerns involving the matter.

In an updated statement on Saturday, DIR said that the frameworks and systems of the State of Texas have not been influenced by this attack. Until more details rise, the strain of file-encrypting malware, which is said to be the one responsible for the attack as well as the perpetrator(s) ransom demand, still remains very unclear.

Forensic services firm pays ransom after cyber-attack

The UK's biggest provider of forensic services has paid a ransom to criminals after its IT systems were disrupted in a cyber-attack, BBC News has learned.

Eurofins Scientific was infected with a ransomware computer virus a month ago, which led British police to suspend work with the global testing company.

At the time, the firm described the attack as "highly sophisticated".

BBC News has not been told how much money was involved in the ransom payment or when it was paid.

The National Crime Agency (NCA) said it was a "matter for the victim" as to whether a ransom had been paid.

The agency, which is investigating the attack, said: "As there is an ongoing criminal investigation, it would be inappropriate to comment."

Eurofins previously said the attack was "well-resourced" but three weeks later said its operations were "returning to normal".

Cyber-attack hits police forensic work

It said it would also not comment on whether a ransom had been paid or not.

It added it was "collaborating with law enforcement" in the UK and elsewhere.

The ransomware attack hit the company, which accounts for over half of forensic science provision in the UK, on the first weekend in June.

Ransomware is a computer virus that prevents users from accessing their system or personal files. Messages sent by the perpetrators demand a payment in order to unlock the frozen accounts.

Eurofins deals with over 70,000 criminal cases in the UK each year.

It carries out DNA testing, toxicology analysis, firearms testing and computer forensics for police forces across the UK.

Forensic science work has been carried out by private firms and police laboratories in England and Wales since the closure of the government's Forensic Science Service in 2012.

'Court hearings postponed'

An emergency police response to the cyber-attack was led by the National Police Chiefs' Council (NPCC) to manage the flow of forensic submissions so DNA and blood samples which needed urgent testing were sent to other suppliers.

Hit by Ransomware Attack, US Town Agrees to pay Attackers $600,000 in Bitcoin



Riviera Beach, a small city which is located just north of West Palm Beach, fall prey to a massive cyber attack, wherein the hackers paralyzed the city's computer systems and have asked the city council to pay a $600,000 ransom in Bitcoin in order to have the data released.

With the hope of regaining the access to the encrypted data in the cyber attack, the officials of the Florida town conducted a meeting this week where the council agreed to pay the criminals 65 Bitcoin, a difficult to track currency.

Reportedly, it was after an employee of the town's police division accessed a phishing email, the virus which paralyzed all the computer systems in the city was unleashed.

To spread the word about the ransomware attack amongst the residents, a notice was posted on the city website which stated that they had undergone a data security event and was "working with our internal management team third-party consultants to address all issues."

Commenting on the matter, Mr. Rebholz, a principal for Moxfive, a technology advisory firm, said, “The complexity and severity of these ransomware attacks just continues to increase,”

“The sophistication of these threat actors is increasing faster than many organizations and cities are able to keep pace with.” He added.

A number of American cities have fallen prey to similar, computer-based breaches wherein the attackers demanded heavy ransoms for the restoration of the networks. Recently, Baltimore experienced a similar attack and though they refused to pay the ransom, the attack cost the city $18 million to fix damages.


New Ransomware Strain Hits the Chinese Web; Infects 100K PCs




More than 100,000 Chinese users have had their Windows PCs infected with yet another strain of ransomware that encodes their records and files all the while requesting a 110 yuan (~$16) ransom. The inadequately composed ransomware is known to have been scrambling local documents and taking credentials for various Chinese online services.

As of now there has been no threat made to international users as the ransomware is only determined to focusing on the Chinese web only.

The individual or the group behind the activity are only utilizing Chinese-themed applications to appropriate the ransomware by means of local sites and discussions at the same time asking for ransom payments through the WeChat payment service, just accessible in China and the contiguous areas.


A report from Chinese security firm Huorong, the malware, named 'WeChat Ransom' in a few reports, came into existence on December 1 and the quantity of infected systems has developed to more than 100,000 as of December 4.

Security specialists who analysed the attack said that other than encoding records, the ransomware additionally incorporated an information-stealing component that collected login credentials for a few Chinese online services, like Alipay, Baidu Cloud, NetEase 163, Tencent QQ, and Taobao, Tmall, and Jingdong.

Chinese security organizations examining the malware concur that it is a long way from a complex risk that can be effortlessly defeated. Although it professes to delete the decryption key if the victim neglects to pay the ransom by a specific date, document recuperation is as yet conceivable in light of the fact that the key is hardcoded in the malware.

Specialists from Huorong examining this ransomware string have found a name, a cell phone number, a QQ account, and an email address that could enable police to identify and catch the thief.

This most recent ransomware campaign anyway is additionally not the first occasion when those Chinese-based ransomware creators have utilized WeChat as a ransom payment dealing strategy. The ones who committed this deadly error in the past have been captured by the officials within months.

The Chinese police, in general, have a decent reputation of capturing the hackers within weeks or months after a specific malware crusade stands out as truly newsworthy.