
A Look at the Triple Extortion Ransomware

 

Ransomware has traditionally concentrated on encryption, but one of the most common recent additions is the exfiltration and threatening disclosure of critical data in a "double extortion" assault. Threat actors, on the other hand, must continually develop new ways to enhance the effect of a successful assault since the financial incentives are so high. One of the most recent methods is known as "triple extortion," which adds another way to extort money from targets. 

The prospect of stolen data being released online has been a typical point of leverage for criminals seeking further ransom payments in what is known as double extortion. More than 70% of ransomware assaults now include data exfiltration, demonstrating how quickly this attack tactic has become the norm.

Threat actors have lately introduced another layer to ransomware assaults based on this approach. In other words, this latest ransomware advancement means that a ransomware assault no longer stops at the first victim. Ransom demands may now be directed towards a victim's clients or suppliers under triple extortion. At the same time, other pressure points such as DDoS attacks or direct media leaks are added to the mix. 

The more leverage the perpetrators have in a ransomware assault, the more likely the victim is to pay. If the gang is successful in not just encrypting vital systems but also downloading sensitive data and threatening to leak it, they will have the upper hand and will be able to demand payment if the victim does not have sufficient backup procedures. 

According to Brian Linder, a cybersecurity evangelist at Check Point Software, triple extortion has become more common in the previous six months, with ransomware gangs making robocalls to customers, shareholders, partners, the press, and financial analysts if the victimised organisation does not give in to the first two extortion efforts. 

“So, imagine if you don’t pay the ransom, we’re going to let all the stock analysts know that you’ve been attacked and likely drive some percentage of your market value out of the market,” Linder says. “We do expect this to be highly exploited. It’s fairly easy to do.” 

Depending on the attacker's initial effectiveness in infiltrating the network, they can get access to information about the victim's clients, including names and phone numbers, and have automated messages ready to go. 

Companies and organizations that retain client or customer data, as well as their own, are the most apparent targets for ransomware operations that go beyond single or double extortion. Healthcare organizations are obvious targets in this regard. Fittingly, the first known instance of triple extortion occurred late last year when hackers obtained access to Vastaamo, a Finnish physiotherapy provider. Threat actors demanded money directly from the thousands of Vastaamo clients whose records they were able to exfiltrate, rather than contacting the provider for a ransom.

New Zealand Banks and Post Offices Hit by a Cyber Attack

 

On Wednesday, the websites of a number of financial institutions in New Zealand, as well as the country's national postal service, were momentarily unavailable due to a cyber-attack, according to officials. A DDoS (distributed denial of service) attack targeting a number of organizations in the nation has been reported, according to the country's Computer Emergency Response Team (CERT). 

Minister David Clark, who is in charge of the digital economy and communications, said CERT has informed him that "a number" of organizations have been compromised. “At this time, efforts to ascertain the impact of this incident are ongoing. I won’t get ahead of this process,” Clark said, in a statement. “CERT assures me it is actively engaging with affected parties to understand and monitor the situation.” 

CERT's objective is to assist businesses and government agencies on how to respond to and prevent cyber-attacks. It also collaborates with other government institutions and law enforcement, such as the National Cyber Security Centre (NCSC). 

According to local media sources, Australia and New Zealand Banking Group's (ANZ.AX) New Zealand site and NZ Post were among the websites hit by the attack. ANZ informed clients through Facebook that it was aware that some of them were unable to use online banking services. "Our tech team are working hard to get this fixed, we apologize for any inconvenience this may cause," the post said. 

The "intermittent interruptions" on NZ Post's website were caused by a problem with one of its third-party suppliers, according to the company. Several Kiwibank clients took to social media to complain about outages at the smaller institution, which is partially owned by the New Zealand Post. In a Twitter post, Kiwibank apologized to clients and said it was trying to resolve "intermittent access" to its app, online banking, phone banking, and website. 

A DDoS assault overloads a website with more traffic than it can manage, causing it to fail. While the identity of the attacker and their motivation are unknown in this case, the goal might be to extract a ransom from the victim in order for the assault to be stopped. During the NZX assault, Minister for Intelligence Agencies Andrew Little expressed the government's advice: Don't pay the ransom.

Cyber Firm: Ransomware Group Demanding $50M in Accenture Security Breach

 

The hacking group behind a ransomware attack on global solution provider powerhouse Accenture has demanded $50 million in ransom, as per the cybersecurity firm that saw the demand. 

According to a tweet from Cyble, a dark web and cybercrime monitoring company, the threat actor is seeking $50 million in return for more than 6 TB of data. 

On Thursday, Accenture responded it had no additional information to add to its statement, pointing CRN to a statement issued on Wednesday that claimed it had "contained the matter and isolated the affected servers" and that "there was no impact on Accenture's operations, or on our clients' systems." 

The hacking group apparently used LockBit ransomware to target Accenture, which is ranked No. 1 on CRN's Solution Provider 500 for 2021, in the attack revealed on Wednesday. 

As per Emsisoft, a cybersecurity firm located in New Zealand, LockBit is a ransomware strain that stops users from accessing infected devices until a ransom payment is completed. The incident arises after a ransomware assault on Kaseya in July, which involved a $70 million ransom demand to decrypt victim files. Kaseya later stated that it had acquired a decryptor for the REvil ransomware, but it had not paid the ransom. 

“At the end of the day, paying the ransom is never a good idea,” stated Douglas Grosfield, founder and CEO of Kitchener, Ontario-based Five Nines IT Solutions, in an interview with CRN. 

“The majority of folks that do end up paying the ransom don’t necessarily get all of their data back. And what you do get back, you can’t trust. There could be a payload there—a ticking time bomb—that will make it easier for the perpetrators to get in again.” 

He stated that ransomware groups targeting IT service companies such as Accenture is unsurprising. “The only surprise is that it took the bad guys this long to figure out that service providers are a pretty juicy target,” he added. 

According to Grosfield, the Accenture incident serves as a reminder of the proverb, "physician, heal thyself," which states that IT service providers must verify their own systems are safe to propose security solutions to their own clients. 

Accenture claims to have contained the assault, however, this is a questionable assertion. The firm confirmed the ransomware assault in an emailed response to a request for information from CRN but stated it had no impact on the organization. 

“Through our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers. We fully restored our affected servers from back up. There was no impact on Accenture’s operations, or on our clients’ systems,” Accenture wrote. 

However, a CNBC reporter said on Wednesday that the hackers behind the Accenture attack had uploaded over 2,000 files to the dark web, including PowerPoint presentations and case studies. 

On Wednesday, VX Underground, which claims to possess the Internet's largest collection of malware source code, tweeted a timer allegedly from the hacking group, counting down to when the group would begin publishing Accenture's data. The timer ultimately ran out. The LockBit ransomware gang published 2,384 files for a short period, according to VX-Underground; however, those files were unavailable due to Tor domain issues, most likely caused by excessive traffic. 

The LockBit attack clock was restarted with a new date of Aug. 12, 2021, 20:43 UTC, or 4:43 p.m. ET Thursday, according to the group. 

The Accenture incident, according to Ron Bradley, vice president of third-party risk management firm Shared Assessments, is "a perfect example of the distinction between business resiliency and business continuity," he told Threatpost on Wednesday. 

“This particular example with Accenture is interesting in the fact that it was a known/published vulnerability,” Bradley continued. “It highlights the importance of making sure systems are properly patched in a timely manner. The ability for Accenture to manage the repercussions of potentially stolen data will be an important lesson for many organizations going forward.” 

According to Hitesh Sheth, president and CEO of cybersecurity firm Vectra, all organizations should expect such assaults, but especially a global consultancy firm with many links. 

“First reports suggest Accenture had data backup protocols in place and moved quickly to isolate affected servers,” he informed Threatpost on Wednesday. “It’s too soon for an outside observer to assess the damage. However, this is yet another reminder to businesses to scrutinize security standards at their vendors, partners, and providers. Every enterprise should expect attacks like this – perhaps especially a global consulting firm with links to so many other companies. It’s how you anticipate, plan for and recover from attacks that counts.” 

LockBit encrypts files with AES encryption and generally asks a high-five-figure ransom to decrypt the data. LockBit's procedures are mostly automated, allowing it to operate with little human monitoring once a victim has been hacked, according to Emsisoft. It may be used as the foundation for a ransomware-as-a-service business model, in which ransomware authors can utilize it in exchange for a share of the ransom payments.

Conti Group Exploited Vulnerable Microsoft Exchange Servers

 

According to cybersecurity consultancy firm Pondurance, the Conti ransomware gang is now using backdoors that are still active on on-premises Microsoft Exchange email servers that have since been patched, leaving those servers exposed despite the patch. 

Pondurance researchers stated, "Despite patching, thousands of devices might still be compromised". Conti appears to be targeting firms that patched the Exchange issues initially attacked by Chinese attackers but failed to detect and remove the backdoor access that had already been installed.

On March 4th, Microsoft released emergency fixes for four vulnerabilities in its on-premises Exchange email servers. The Biden administration officially accused a group working for China's Ministry of State Security in July of running a string of attacks against vulnerable Microsoft Exchange email servers this year that disrupted thousands of firms in the United States and around the globe. 

The US has not imposed sanctions on China for its aggressive cyber operations, according to Anne Neuberger, the US deputy national security advisor for cyber and emerging technologies, who stated last week that the US is first aiming to establish an international consensus on how to respond. 

Meanwhile, Chinese advanced persistent threat organizations have been discovered abusing vulnerabilities in Microsoft Exchange servers to breach telecommunications provider networks in Southeast Asia in an attempt to capture confidential communications from customers. 

The Pondurance researchers discovered one instance in which an unlicensed remote monitoring and management (RMM) agent had been deployed on an on-premises Exchange server and abused by the attackers. 

"The unauthorized RMM tool remained present on the victim machine for approximately four months and granted the ability for remote interaction with the victim machine," Pondurance says. "In July, the RMM tool was used by outside actors to install additional malicious frameworks, including Cobalt Strike. The resulting actions concluded with the installation of Conti ransomware." 

According to the researchers, the company patched Exchange without first ensuring that any previously established backdoor access had been deleted. 

"Pondurance recommends searching for unauthorized ScreenConnect services installed on on-premises Exchange servers that were vulnerable to [the flaw exploit] at some point," Pondurance stated.

"These services should be present within the registry and would have generated 'Service Created' event logs (event ID 7045) at the time of install in March 2021. You may also find ScreenConnect-related folders created in the filesystem under 'C:\ProgramData,' 'C:\Program Files (x86),' and 'C:\Windows\Temp.'" 
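The three checks Pondurance describes (event ID 7045 service installs, registered services, and ScreenConnect folders) as one defender-side PowerShell script. This is an added example, not Pondurance's tooling; it assumes it is run in an elevated session on the patched on-premises Exchange host, and the March 2021 start date is only the window the text names, so widen it if the server was exposed longer.

```powershell
# Added triage script (not from Pondurance). Assumes an elevated PowerShell session
# on the Exchange host. Every hit is a lead to validate against change records for
# licensed RMM deployments, not proof of compromise.
$since = Get-Date '2021-03-01'   # window around the March 2021 Exchange patches

# 1. 'Service Created' events (System log, ID 7045) mentioning ScreenConnect.
#    For 7045, Properties[0] is the service name and Properties[1] its image path.
$serviceEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ScreenConnect' } |
    Select-Object TimeCreated,
        @{ n = 'Service';   e = { $_.Properties[0].Value } },
        @{ n = 'ImagePath'; e = { $_.Properties[1].Value } }

# 2. Services still registered under HKLM\SYSTEM\CurrentControlSet\Services,
#    matched on key name or ImagePath so a renamed service with the real binary still shows.
$registeredServices = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.PSChildName -match 'ScreenConnect' -or $_.ImagePath -match 'ScreenConnect' } |
    Select-Object PSChildName, ImagePath, Start

# 3. ScreenConnect-related folders in the three locations the advisory names.
$roots = @($env:ProgramData, ${env:ProgramFiles(x86)}, "$env:SystemRoot\Temp")
$folders = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Directory -Filter '*ScreenConnect*' -ErrorAction SilentlyContinue |
        Select-Object FullName, CreationTime
}

# Summary first, then the detail rows for the incident record.
[pscustomobject]@{
    ServiceInstallEvents = @($serviceEvents).Count
    RegisteredServices   = @($registeredServices).Count
    Folders              = @($folders).Count
} | Format-List
$serviceEvents | Format-Table -AutoSize
$registeredServices | Format-Table -AutoSize
$folders | Format-Table -AutoSize
```

A 7045 event with no matching registry key is itself worth noting: the service was installed and later removed, which fits the four-month dwell time the researchers describe.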

Fat Face, a British clothing and accessory retailer paid Conti a $2 million ransom in March to unlock its computers after Conti accessed numerous files containing sensitive data. The organization has also been linked to healthcare-related attacks. After a Conti ransomware assault on Ireland's Health Service Executive in May, the FBI issued a warning to healthcare institutions and first responder networks, urging them to take precautions to avoid being a victim. 

Furthermore, after complaining about the profit share, a dissatisfied Conti affiliate reportedly released important training material from the ransomware group. Conti, a ransomware-as-a-service group, recruits affiliates to hack networks and encrypt devices in exchange for a cut of the ransom money.

According to Bleeping Computer, a security researcher published a post written by an outraged Conti affiliate who publicly exposed information about the ransomware campaign. 

According to the study, this information contains IP addresses for Cobalt Strike C2 servers as well as a 113 MB package including many tools and training materials for conducting ransomware operations. As per the Bleeping Computer report, the affiliate also wrote on a prominent Russian-speaking hacking site claiming he had been paid $1,500 as part of an attack, while the gang members made millions.

Black Hat 2021: Zero-days, Ransoms and Supply Chains

 

During Black Hat 2021, Corellium COO Matt Tait warned that the number of zero-days exploited in the wild is "off the charts." 

The primary concerns Tait highlighted during his Wednesday keynote were a significant rise in the number of zero-days identified and exploited in the wild, stolen zero-days, and supply chain assaults. 

He claims that all three are to blame for several big breaches in the last two years, including the Colonial Pipeline, Kaseya, SolarWinds, and Microsoft Exchange hacks. As per his keynote, the number of zero-days discovered and exploited in the wild has reached new heights in recent years. 

"This is both in the government sector, doing espionage, and in the financially motivated crimeware industry, ransomware. It's getting to the point now where it's beginning to overwhelm our ability to respond in the defensive sector," Tait stated during the keynote. 

He added that attackers would most likely need a chain of flaws to attack a system and obtain access. To accomplish that, they need to create a complete zero-day chain. 

"And these things are very expensive thanks to platform security investments. Every time an attacker has a full chain and wants to use it, that's a risk. The possibility that the zero-day chain or some aspects of that intrusion gets detected can be a very expensive cost for the attacker." 

Similarities in high-profile attacks

He pointed to top attacks such as the one on the Colonial Pipeline, which caused gas shortages in some places, and the more recent NSO Pegasus campaign, which targeted 50,000 targets across a variety of mobile devices. At first glance, they all appear to be quite different; however, a deeper examination indicates certain similarities. 

According to Tait, the attacks that resulted in physical, real-world problems were massive ransomware-based attacks. Furthermore, they all appear to be driven by supply chain compromises linked with large volume and often indiscriminate targeting. The use of stolen zero-days is the third and most prominent similarity. 

He explained that North Korea, for instance, targeted security researchers to obtain access to specific research. That research was used to enable some of these major operations, including the Microsoft Exchange email server attack, in which Chinese nation-state hackers exploited several zero-day vulnerabilities. 

"In both the Kaseya hack and exchange hacks, there's credible evidence that security researchers found these vulnerabilities, these exact vulnerabilities and written exploits for them and at some point between that and the patch being released, or shortly after, somehow these proof of concepts, these working exploits managed to get into the hands of these offensive actors who used them," Tait stated. 

"Governments are interested in taking your zero-days and your need to secure your systems and your vendor communications properly. In the event that you have these, do be careful what you publish. Of course, it's your exploits, do what you want with it -- but be aware that there are trade-offs associated with this." 

The reason comes down to cost. If a government can obtain a zero-day for free, that changes the economics of using it, according to Tait, because losing it costs nothing. Stolen zero-days therefore modify the economics of zero-day exploitation. 

The rising danger of supply chain attacks

Tait described supply chain assaults as a whole different type of cybercrime danger. The entire economics of mass exploitation, he explains, is turned upside down because of supply chain attacks. 

According to the security expert, bug bounty programs should be re-evaluated to ensure that vulnerabilities are revealed and patched as soon as possible, which would help safeguard the software supply chain. 

According to Tait, researchers are now motivated to "sit on" high-impact vulnerabilities in the hopes of developing them into "full chain" attacks. While these chains provide the highest reward payouts, each day a zero-day stays unpatched is a possibility for another, possibly malicious third party to discover it. They utterly reshape the entire economics of mass exploitation, according to him. 

The time it takes for a supply chain assault to be discovered, according to Ryan Olson, vice president of threat intelligence at Palo Alto Networks' Unit 42 division, is the major issue. Companies might be hacked for months before they realize they've been hacked. It's especially terrible for smaller software companies without an IT department or a security operations center. 

Supply chain assaults, according to Tait, may be used for cyber espionage, such as in the instance of SolarWinds, when high-profile clients were harmed, as well as physical harm, such as ransomware. Tait concluded supply chain infections can only be fixed by platform vendors arguing that government intervention or regulation will do little to address the problem.

USD 50 Million Ransom Demanded from Saudi Aramco Over Leaked Data

 

Saudi Arabia's state oil firm admitted on Wednesday that data from the corporation was leaked and that the files are now being used in a cyber-extortion effort including a USD 50 million ransom demand. The data was presumably leaked by one of the company's contractors. Saudi Aramco, the Saudi Arabian Oil Co., notified The Associated Press that it "recently became aware of the indirect release of a limited amount of company data which was held by third-party contractors."

Saudi Aramco is a public Saudi Arabian oil and gas enterprise headquartered in Dhahran. It is considered one of the world's most profitable corporations as of 2020. Saudi Aramco has the world's second-biggest proven crude oil reserves, with about 270 billion barrels (43 billion cubic metres), as well as the world's greatest daily oil production. 

The Master Gas System, operated by Saudi Aramco, is the world's biggest single hydrocarbon network. It handles about one hundred oil and gas fields in Saudi Arabia, including 288.4 trillion standard cubic feet (scf) of natural gas reserves, and its crude oil production totaled 3.4 billion barrels (540 million cubic metres) in 2013. The Ghawar Field, the world's largest onshore oil field, and the Safaniya Field, the world's largest offshore oil field, are both operated by Saudi Aramco. 

The oil company did not specify which contractor was affected, nor did it clarify whether the contractor was hacked or if the information was released in some other way. "We confirm that the release of data was not due to a breach of our systems, has no impact on our operations and the company continues to maintain a robust cybersecurity posture," Aramco said. 

The AP found a page on the darknet, a section of the internet kept behind an encrypted network and accessible only through specific anonymity-providing tools, that claimed the extortionist had 1 terabyte of Aramco data. The page offered Aramco the chance to have the data destroyed for USD 50 million in cryptocurrency, with a countdown counting down from USD 5 million, most likely to put pressure on the corporation. It's still unknown who's behind the ransom plot. 

Aramco has previously been the victim of cyber-attacks. The so-called Shamoon computer virus, which destroyed hard drives and then flashed a picture of a burning American flag on computer displays, affected the oil behemoth in 2012. Aramco was compelled to shut down its network and destroy over 30,000 machines as a result of the attack. Later, US officials blamed the strike on Iran, whose nuclear enrichment programme had just been targeted by the Stuxnet virus, which was most likely created by the US and Israel.

Operations of the LockBit Ransomware Group: A Quick Look

 

Researchers have investigated how LockBit, one of the more recent ransomware organisations, operates. 

As per the instances this year, ransomware has emerged as one of the most disruptive forms of cybercrime. So far, the world has witnessed the Colonial Pipeline ransomware crisis, which resulted in fuel supply shortages throughout sections of the United States; continuous troubles with Ireland's national health care; and systematic interruption for meat processing major JBS as a result of the infection. 

By 2031, ransomware assaults are expected to cost $265 billion globally, and settlements are now routinely in the millions of dollars, as in the case of JBS. However, there is no guarantee that decryption keys are suitable for their intended use, or that paying once guarantees that a business will not be targeted again. 

According to a Cybereason report issued this week, up to 80% of organisations that were victimised by ransomware and paid the ransom have experienced a second attack, possibly by the same threat actors. 

The danger of ransomware to businesses and essential infrastructure has grown to the point where it was brought up during a meeting between US President Joe Biden and Russian President Vladimir Putin at the Geneva summit. 

Prodaft Threat Intelligence (PTI) published a study (.PDF) on LockBit and its affiliates on Friday. 

According to the study, LockBit, which was previously known as ABCD, uses a RaaS model to give affiliate groups a central control panel where they can produce new LockBit samples, monitor their victims, make blog articles, and view statistics on the success — or failure — of their attacks. 

LockBit affiliates frequently purchase Remote Desktop Protocol (RDP) access to servers as an initial attack vector, however, they may also employ traditional phishing and credential stuffing approaches. 

"Those kinds of tailored access services can be purchased in as low as $5," Prodaft says, "making this approach very lucrative for affiliates." 

Exploits are also utilised to attack vulnerable systems, including unpatched Fortinet VPN vulnerabilities on victim machines. As per the forensic studies of machines attacked by LockBit affiliates, threat organisations will frequently try to find "mission-critical" systems first, such as NAS devices, backup servers, and domain controllers. The data is subsequently exfiltrated, and packages are typically uploaded to services such as MEGA's cloud storage platform. 

After that, a LockBit sample is manually installed, and files are encrypted using a generated AES key. Backups are erased, and the system wallpaper is replaced with a ransom notice with a link to a .onion website address where decryption software can be purchased. The website also offers a free decryption 'trial,' in which one file (less than 256KB in size) can be decoded. 

If victims contact attackers, a chat window in the LockBit panel is used to communicate with them. The ransom demand, payment date, method (typically in Bitcoin (BTC)), and directions on how to obtain bitcoin are frequently discussed. Prodaft gained access to the LockBit panel, which revealed affiliate usernames, victim counts, registration dates, and contact information. 

The study team stated that evidence in the affiliate names and addresses indicate that some may also be linked with Babuk and REvil, two other RaaS organisations; however, the inquiry is still ongoing. 

LockBit affiliates look for an average of $85,000 from each victim, with 10 to 30% of that going to the RaaS operators, and the ransomware has attacked thousands of machines around the world. The software and services industry accounted for more than 20% of the victims on the dashboard. 

"Commercial and professional services as well as the transportation sector are also highly targeted by the LockBit group," Prodaft says. "However, it should be noted that the value of the ransom is determined by the affiliate after various checks using online services. This value does not solely depend on the sector of the victim." 

LockBit's leak site was unavailable at the time of publication. After breaking into LockBit's systems, the researchers decrypted all of the platform's accessible victims.

Cyber Attackers Faced a Denial After Fujifilm Refused to Pay Ransom

 

Image Source: https://thebeachmuse.com/

Japanese conglomerate Fujifilm published a short statement on Wednesday 2nd June revealing the illegitimate infiltration of its server by outside parties. The unauthorized entry on 1 June was recognized by Fujifilm, which was once known for selling photographic film but today develops biotechnology, chemical, and digital imaging products. 

It re-established operations with backups and its PR systems now are fully operating in the United States, Europe, the Middle East, and Africa and are back to business as usual, according to a Fujifilm-spokesperson. 

However,  information such as strains of ransomware, delivery channels, damage scale, and the ransom requested by the cyber gang has not been disclosed. The corporation has not responded to the request for comments from the Information Security Media Group. 

Chloe Messdaghi, an independent cybersecurity disruption consultant and researcher, says Fujifilm apparently “took the first responsible steps of recognizing the situation and systematically shutting all systems down to examine the attack. There may have been some hiccups and bumps, but because they had done the solid work of ensuring their data backups and restoration processes were current, they were able to decline to pay extortion and their disruption to business was minimal.” 

S-RM Cyber Security, Risk, and Intelligence Consultancy estimates that 46% of all cyber attacks between January 1, 2021, and March 31, 2021, were ransomware attacks. 

The Colonial Pipeline and JBS meat processing company, and the D.C. Metro Police Department, have been the victims of some of the largest recent attacks in the U.S. 

In the wake of the attacks, the White House called on companies to enhance their cybersecurity. As per the reports, President Joe Biden ordered a federal ransomware task force. 

Other businesses that were recently attacked by ransomware but declined to pay included CD Projekt Red; Ireland's state health service provider, the Health Service Executive; Canon; and Bose. Meanwhile, the Colonial Pipeline Co., which paid $4.3 million to DarkSide in May for a flawed decryptor, was one of the ransomware victims who decided to pay their attackers. The U.S. Department of Justice later recovered bitcoins from that payment worth $2.3 million. 

The U.S. subsidiaries of the world's biggest meat processor, Brazil's JBS, recently paid REvil's attackers an $11 million ransom in exchange for a decryption tool and a "guarantee" that the stolen data would not be released. 

The FBI has urged the victims to not pay the ransom and said, “Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.” 

The senior consultant of the risk management research organization, Shared Assessments, Charlie Miller, states the key elements for a risk management ransomware program involve upgrading the risk response plan, establishing a data boot to enable malware-free data recovery, offering corporate managers cyber-attack simulation programs to help evaluate and respond to risk, and purchasing cyber insurance.

JSWorm: A Notorious Ransomware

 

The ransomware threat environment has been shifting over the last few years. Following the major ransomware outbreaks of 2017, such as WannaCry, NotPetya, and Bad Rabbit, many ransomware actors have switched to the covert yet the lucrative strategy of "big-game hunting." The news of ransomware triggering a service interruption at a multinational enterprise has become commonplace. 

Since the discovery of JSWorm ransomware in 2019, numerous variants have gained popularity under various names such as Nemty, Nefilim, Offwhite, and others. As part of each “rebranded” edition, several versions were released that changed various aspects of the code, renamed file extensions, cryptographic schemes, and encryption keys. 

JSWorm is a ransomware variant of the GusCrypter malware family. Its purpose is to extort money from victims by encrypting all personal data and requesting a ransom for the decryption key. JSWorm is typically transmitted via spam email attachments. 

The malware also leaves a ransom note, JSWORM-DECRYPT.html, instructing victims to contact criminals via the NIGER1253@COCK.LI email address if they want their data back. Since JSWorm belongs to a well-known ransomware family, it's possible that the encryption will be permanent. 

Although JSWorm ransomware does not encrypt system files, it does modify your system in other ways. As a result of the altered Windows Registry values, ransomware is launched every time the user restarts the device. These modifications, however, are made after the encryption and ransom demand have been completed. 

JSWorm was available as a public RaaS from its inception in 2019 until the first half of 2020, and it was observed spreading through the RIG exploit kit, the Trik botnet, fake payment websites, and spam campaigns. The public RaaS was closed in the first half of 2020, and the operators turned to big-game hunting. Initial intrusion was achieved through vulnerable server-side applications (Citrix ADC) and insecure RDP access.

The files are encrypted with a 256-bit key using a custom modification of the Blowfish cipher. The key is generated at the start of program execution by concatenating the user name, the system MAC address, and the volume serial number. The content of each of the victim's files is encrypted with this custom Blowfish variant, but encryption is limited to the first 100,000 bytes of each file, most likely to speed up the processing of large files. The original data is overwritten with the encrypted data.

Three Affiliated Tribes—The Mandan, Hidatsa & Arikara Suffers Ransomware Attack

On 28 April, the Three Affiliated Tribes – the Mandan, Hidatsa, and Arikara Nation – informed their employees that their server had been hacked and that they believed the attack was ransomware. The community has been unable to access files, email, and sensitive information since the server was compromised.

Ransomware is a type of malware that, according to the Department of Homeland Security, threatens to publish information or restricts access to it until a ransom is paid. The Federal Bureau of Investigation reports that 4,000 ransomware attacks are initiated daily, with an attack conducted every 40 seconds.

A document explaining that the intrusion was linked to ransomware was sent to all Three Affiliated Tribes employees on April 28th. The one thing it does is change the file locations and file names of documents, stated Mandan, Hidatsa & Arikara CEO Scott Satermo. “Share this text, call, or use other methods as we have no way of sending an email notification at this time.”

“Ransomware is running rampant in governments throughout the world,” said National Association of State Chief Information Officers (NASCIO) Director of Policy & Research Meredith Ward in an email to Native News Online. “Many local governments have been hit very hard.” 

NASCIO is a 501c(3)(h) non-profit organization whose main objectives are advocacy and policy; it provides insight and advice on the consequences of legislation, policies, and proposals relating to technology. A report issued by NASCIO on 14 October 2020 states that 30 member states identified financial fraud as a major cause of breaches over the past year, compared with 10 states in 2018. The main causes of breaches still lie in external sources: malicious actors (68%), external-source web services (81%), and increased hacktivism (86%).

Although ransomware attacks are common, they are not widely recorded among the various tribes; there are currently no statistical databases tracking whether and how often these cyberattacks affect tribes. According to the Cybersecurity & Infrastructure Security Agency (CISA), unless the ransom is paid, ransomware actors also threaten to sell or leak exfiltrated data or authentication information. Ransomware attacks on state, local, tribal, and territorial (SLTT) government bodies and critical infrastructure organizations have become exceedingly common in recent years.

On 22 March 2021, the Department of the Interior overturned a Trump-era judgment which had decided that a section of the Missouri River on the Fort Berthold Indian Reservation would belong to the government of North Dakota. The decision came days after Debra Haaland of Laguna Pueblo, the very first American Indian to become Secretary of the Interior, was sworn in. The change could offer Mandan, Hidatsa, and Arikara tribal members billions of dollars in revenue.

The U.S. Congress is considering legislation including the State and Local Cybersecurity Improvement Act. If enacted, the law would provide several billion dollars of cybersecurity funding through the Cybersecurity and Infrastructure Security Agency to state and local governments, and 25 million US dollars for tribal governments. In September 2020 it was taken up by the House Homeland Security Committee and passed with bipartisan support, but it still sits in the Senate.

Babuk Quits Ransomware Encryption, Focuses on Data-Theft Extortion


The Babuk ransomware group has decided to close the affiliate program and switch to an extortion model that does not rely on encrypting victim computers, according to a new message sent out today by the gang. The clarification comes after the group posted and then deleted two announcements yesterday about their intention to close the project and release the malware's source code. 

The group seems to have taken a different path than the ransomware-as-a-service (RaaS) model, in which the hackers steal data before deploying the encryption stage to use as leverage in ransom payment negotiations. 

Babuk's newly announced model is nearly identical except for the data encryption part, according to a third "Hello World" message posted on their leak site. In other words, the cybercriminals will run an extortion-without-encryption operation, demanding a ransom for data stolen from compromised networks.

“Babuk changes direction, we no longer encrypt information on networks, we will get to you and take your data, we will notify you about it if you do not get in touch we make an announcement,” stated Babuk ransomware. 

Maze ransomware began exfiltrating data in November 2019 in order to boost ransom demands, and all big ransomware operations quickly adopted the tactic. At the start of 2021, Clop ransomware exploited zero-day vulnerabilities in Accellion's File Transfer Appliance to run a series of data-theft attacks on high-value companies without encrypting systems. The group stole a large number of files and demanded large sums of money in exchange for not leaking or trading the information.

Several victims paid tens of millions of dollars in ransom. Babuk ransomware claims that despite being a new team on the ransomware scene, they are already well-known in the industry because they have “the best darknet pentesters.” 

The benefits of this extortion business for Babuk are currently unclear, but the group will have to exfiltrate greater amounts of data than with encryption. Babuk reports one victim from whom they claim to have copied 10 terabytes of data on their leak site. The group claims to have stolen 250GB of data from the Metropolitan Police Department (MPD) in their most recent attack. It's also possible that this will increase the group's benefit, either by requiring higher ransoms or by selling the data to competitors or other parties. 

RaaS operations have become so large in terms of affiliates that it's difficult to keep track of anything. This has recently translated into technological and management changes that have resulted in victims losing data due to faulty decryption tools or having to deal with multiple attacks by the same group.

This happened with Conti, LockBit, and REvil, and such issues hurt ransomware gangs that depend on a reputation for honoring their end of the deal in order to demand higher ransoms.

A Ransomware Group Made $260,000 in 5 Days

A ransomware group made $260,000 in the space of five days by remotely encrypting files on QNAP devices using the 7zip archive utility. Starting Monday, QNAP NAS users all over the world discovered that their files had been encrypted after a ransomware operation called Qlocker exploited vulnerabilities in their devices.

While most ransomware groups spend a significant amount of time developing their malware to make it powerful, feature-rich, and robust, the Qlocker gang didn't have to do so. Rather, they scanned for QNAP devices connected to the Internet and compromised them using recently disclosed flaws.

The threat actors used these exploits to remotely run the 7zip archival utility and password-protect all of the files on the victims' NAS storage devices. Using the time-tested encryption built into the 7zip archive utility, they encrypted over a thousand devices in just five days. By comparison, enterprise-targeting ransomware usually demands payments ranging from $100,000 to $50 million to restore access to a victim's systems and not leak their stolen data.

Qlocker, on the other hand, chose a different audience: consumers and small-to-medium-sized businesses that use QNAP NAS devices for network storage. The threat actors seem to understand their targets well, since their ransom demand was just 0.01 Bitcoin, or around $500 at today's Bitcoin rate.

Since the Qlocker ransomware uses a series of Bitcoin addresses that are rotated around, BleepingComputer collected the addresses and tracked their payments. Security researcher Jack Cable discovered a short-lived bug that allowed him to recover passwords for 55 victims for free. He gathered ten separate Bitcoin addresses that the threat actors were rotating with victims when using this bug and shared them with BleepingComputer. 

BleepingComputer has since collected an additional ten bitcoin addresses, bringing the total number of bitcoin addresses used by the Qlocker threat actors to 20. The 20 bitcoin addresses have received ransom payments totaling 5.25735623 Bitcoins at this time which equates to around $258,494 in today's money. Unfortunately, as users make the difficult decision to pay a ransom to retrieve their files, the number of ransoms will likely rise over the weekend and into the next week. 

This ransomware campaign is still active, with new victims being reported daily. To patch the vulnerabilities and defend against these ransomware attacks, all QNAP users must upgrade to the latest versions of the Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync software. Users should also harden their NAS devices so that potential attacks are more difficult to carry out.

Hackers Demand $50 Million Ransom From Apple


A Russian hacking group claims to have obtained schematics for some yet-to-be-released Apple products. The hackers have demanded a $50 million ransom in exchange for not leaking any of the designs they have on hand. 

According to a report by Bloomberg, the group gained access to sensitive data by hacking into Quanta, an Apple supplier that produces MacBooks and other products. The Taiwan-based third-party manufacturer has reported the data leak.

The threat actors from the hacking group called REvil first tried to extort money from Quanta in exchange for the stolen data. When Quanta declined to pay to recover the stolen data, the hackers turned their attention to Apple, the company's largest customer. According to a report by The Record, the group announced its intentions in a message posted on a dark web site.

REvil started sharing stolen photographs of Apple products as proof before Apple’s Spring Loaded event that was hosted virtually earlier this week. The hacking group shared 21 screenshots of the newly released iMac's schematics, which had not been made public before the launch. The post thus came as a testament to the legitimacy of the stolen data. 

Aside from iMac pictures, the group also shared images of the M1 MacBook Air, which was released in 2020, and manufacturing diagrams for an unreleased laptop. Notably, all of the diagrams included a disclaimer that read, “This is Apple's property, and it must be returned.” 

The hacking group has threatened to release new data every day until Apple or Quanta pays the $50 million ransom, and is demanding payment by May 1. Besides Apple, Quanta Computer has a long list of clients, including some of the most well-known names in the laptop industry, among them HP, Dell, Microsoft, Toshiba, LG, and Lenovo.

REvil has hinted in a post on the dark web that it has data from other companies as well. The REvil operators wrote, “Our team is negotiating the sale of vast quantities of classified drawings and gigabytes of personal data with many major brands.” 

The implications of the cyber-attack and the resulting data leak are still unclear.

New REvil Ransomware Version Automatically Logs Windows into Safe Mode


The REvil Ransomware is unstoppable when it comes to ingenious hacking tactics and techniques. The well-known ransomware has escalated its attack vector once again, this time by changing the victim's login password in order to reboot the computer into Windows Safe Mode. 

While malicious groups are constantly upgrading their attack strategies in order to fight security measures, the threat actors behind the REvil ransomware are especially skilled at honing their malware in order to make their attack campaigns more effective.

Last month, security researcher R3MRUM discovered a new sample of the REvil ransomware that improves the new Safe Mode encryption method by changing the logged-on user’s password and setting Windows to automatically log in on reboot. If the -smode argument is used, the ransomware changes the user's password to ‘DTrump4ever’.

Afterward, the ransomware configures Windows Registry values so that Windows automatically logs in with the new account information. It is currently unknown whether new REvil ransomware encryptor samples will continue to use the ‘DTrump4ever' password, but at least two samples submitted to VirusTotal in the last two days have done so.
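Defenders can look for the auto-logon configuration this technique depends on. The following is an added example, not code from the article or from the researcher it cites: it parses a `reg export` of the Winlogon key (a constructed sample is embedded, using the password value the article reports) and flags the standard Windows auto-logon values AutoAdminLogon, DefaultUserName and DefaultPassword. The article does not list which values the REvil sample writes, so these names are assumed from Windows' documented auto-logon mechanism.

```python
"""Audit a Winlogon registry export for automatic-logon persistence.

Added example (not from the article): parses the text format produced by
``reg export`` and flags the standard Windows auto-logon values, which is the
mechanism a Safe Mode encryptor relies on to log the victim back in after a
reboot. The value names are assumed from Windows' documented auto-logon
feature; the article does not list the exact values the sample writes.
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample: what `reg export` of the Winlogon key might look like
# after the -smode encryptor has run (password value taken from the article).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"AutoAdminLogon"="1"
"DefaultUserName"="victim"
"DefaultDomainName"="WORKSTATION"
"DefaultPassword"="DTrump4ever"
"""

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} for a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data")
    return keys


def _string_data(raw):
    """Unquote a REG_SZ literal ("..." with backslash escapes); None otherwise."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return None


def audit_autologon(text):
    """Return a list of findings describing auto-logon configuration.

    An empty list means no auto-logon was configured in the export.
    """
    winlogon = parse_reg_export(text).get(WINLOGON_KEY, {})
    findings = []
    enabled = _string_data(winlogon.get("AutoAdminLogon", '"0"')) == "1"
    user = _string_data(winlogon.get("DefaultUserName", '""'))
    password = _string_data(winlogon.get("DefaultPassword", '""'))
    if enabled:
        findings.append(f"AutoAdminLogon enabled for user {user or '<unset>'}")
    if password:
        # A credential stored in clear text in the registry is itself a red flag;
        # a legitimately configured auto-logon keeps it in an LSA secret.
        findings.append("DefaultPassword present in clear text")
    if enabled and user and not password:
        findings.append("AutoAdminLogon enabled without DefaultPassword "
                        "(check the DefaultPassword LSA secret)")
    return findings


if __name__ == "__main__":
    for finding in audit_autologon(SAMPLE_REG_EXPORT):
        print("ALERT:", finding)
```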

This latest strategy exemplifies how ransomware groups are actively refining their tactics in order to effectively encrypt users' devices and demand a ransom payment. 

Asteelflash, a world-leading French EMS company, confirmed last week that it has been the target of a cybersecurity incident, identifying the involvement of REvil ransomware. After initially setting the ransom at $12 million in Monero crypto, the attackers demanded Asteelflash pay a whopping $24 million ransom. However, as the negotiations didn’t reach a point of agreement in time, the actors raised the ransom to double the amount and leaked the first sample of the exfiltrated files. 

Acer, a computer manufacturer, was also hit by the REvil ransomware. REvil has demanded a ransom of $50 million, which may be the highest ever demanded ransom.

REvil has launched a free service that contacts news media and companies to apply maximum pressure, and offers DDoS (L3, L7) as a paid service. Threat actors, or associated partners, place voice-scrambled VoIP calls to the media and the victim’s business partners with information about the attack.

BCPS Hit by Conti Ransomware Gang, Hackers Demanded $40 Million Ransom

Several weeks ago, the Conti ransomware gang encrypted the systems at Broward County Public Schools and threatened to release sensitive personal information of students and staff unless the district paid a colossal $40 million ransom. Broward County Public Schools, the country's 6th largest school district with an annual budget of about $4 billion, informed parents about a network outage on March 7 that disrupted web-based teaching, but based on this new information, the incident was clearly much more serious.

First reported by DataBreaches.net, the hackers threatened to disclose a huge trove of personal information, including the social security numbers of students, teachers, and employees, addresses, dates of birth, and school district financial contact information. "Upon learning of this incident, BCPS secured its network and commenced an internal investigation,” the district's statement said. “A cybersecurity firm was engaged to assist. BCPS is approaching this incident with the utmost seriousness and is focused on securely restoring the affected systems as soon as possible, as well as enhancing the security of its systems."

The hackers published screenshots of a text message from mid-March between them and a district official — clearly a negotiation for the hackers to deliver the documents back to the district. 

“The good news is that we are businessmen,” the text message from the hackers said. “We want to receive ransom for everything that needs to be kept secret, and don’t want to ruin your reputation. The amount at which we are ready to meet you and keep everything as collateral is $40,000,000.” 

After weeks of negotiations, the hackers in the end brought the proposal down to $10 million. Under district policy, that sum is the maximum it can pay without school board approval. 

Broward County's case was one of several ransomware attacks that hit educational institutions in the past two weeks. The Clop ransomware gang was very active, with reported cases affecting the University of Maryland, Baltimore Campus (UMBC); the University of California, Merced; the University of Colorado; and the University of Miami. Jamie Hart, cyber threat intelligence analyst at Digital Shadows, noted that these attacks were led by the Clop gang and were carried out as part of the Accellion FTA breach.

'Black Shadow' Infiltrates Israeli Finance Firm, Demands $570,000 in Ransom


The private information of thousands of Israelis was compromised on Saturday following a cyberattack on the database of a major Israeli financial service firm. The hacking group called ‘Black Shadow’ announced Saturday that it has managed to access the servers of an Israeli financial service firm, KLS capital. 

“We are here to inform you a (sic) cyber-attack against K.L.S CAPITAL LTD which is in Israel. Their servers are down and we have all their clients’ information. We want to leak some part of their data gradually. Part of our negotiation will be published later,” the group wrote on the Telegram app.

The hackers demanded 10 bitcoins ($60,000) in ransom from the Israeli investment firm, but it refused to negotiate. As a result, the hacker group leaked the obtained data on their Telegram channel. Black Shadow is the same hacking group that carried out a major cyberattack against Shirbit insurance company in December. 

A few hours before making the declaration, the hacking group deliberately published blurred images of the identification cards of two people who work with the firm. A few minutes after the announcement, they published a few more documents and have since published dozens of additional documents including identity cards, letters, invoices, images, scanned checks, database information, and much more, including the private information of the CEO of the firm.

Last year in December, a prominent cybersecurity firm reached out to KLS Capital and alerted them of a potential breach, flagging a vulnerability associated with their use of a so-called VPN. They said there was a simple ‘patch’ that could provide a solution; however, it appears that no action was taken at the time.

In response, KLS capital stated: “The Israeli cyber authority reached out to us three days ago to warn us against a looming cyber attack against us. This attack is very similar to other attacks Iran and its proxies have conducted against Israeli targets – including private and public bodies. Our management acted immediately to take down our servers and join forces with the national cyber directorate – which together with our experts are examining the event.” 

In recent months, threat actors targeted several Israeli organizations including the Shirbit insurance company, the Amitial software company, Ben-Gurion University of the Negev, and Israel Aerospace Industries.

Threat Actors Attacked Israeli Tech Giant Ness Digital Engineering for Ransom

Ness Digital Engineering Company, an Israeli-based U.S. IT provider, was targeted in a ransomware cyberattack affecting computer networks in India, the United States, and Israel. No official statement has been given to the media by the local authorities, but initial reports suggest a high probability that Israel was the source of the attack, which then followed Ness branches around the globe.

Shahar Efal, CEO of Ness Israel, said that the company’s clients, which include government ministries, hospitals, and local municipalities, were not compromised in the attack: all systems had been tested by experts and there was not a single breach into the company’s network or its clients’ databases. Cybersecurity experts say the real question is whether the company’s supply chain is intact or was breached in the attack; so far there are no reports of negotiations with the threat actors.

“The attack began last night, it is a serious, ongoing event. The company is trying to contain the attack internally and seemed, thus far, to have successfully contained it without risking customers”, a source involved in managing the attack told Ynet. The company reassured its clients by reiterating that Ness Israel was no longer connected to the global corporation and therefore was not affected by the cyberattack.

The company has collaborated with several other companies and government bodies such as the IDF, Israel Aerospace Industries, Israel Post, the Israel Airport Authority, and the Hebrew University. The National Cyber Directorate stated that this attack has no connection with Israel. Meanwhile, cybersecurity consultant Einat Meyron said that more than 150 servers in Israel and 1,000 servers around the globe are being examined by McAfee.

A screenshot of the text presented as a part of the ransomware attack reads “Hello ness-digital-engineering! If you (sic) reading this message, it means your network was PENETRATED and all of your files and data has (sic) been ENCRYPTED by RAGNAR LOCKER!” The text directs the company to get in touch via live chat provided in the text to sort out the case and “make a deal”.

The Ragnar Locker technique used by the threat actors is to gain access to a victim’s network, explore it to locate network assets, backups, and other critical files, and then manually deploy the ransomware to encrypt the victim’s data.

LockBit Ransomware Emerging as a Dangerous Threat to Corporate Networks


LockBit is a relatively new ransomware that was first identified performing targeted attacks by Northwave Security in September 2019, disguised as the .ABCD virus. The threat actors behind the ransomware were observed leveraging brute-force tactics and evasion techniques to infect computers and encrypt files until the victim pays the ransom.

LockBit enables attackers to move around a network after compromising it quickly; it exploits SMB, ARP tables, and PowerShell to proliferate the malware through an infected network.

The developers rely on third parties to spread the malware via any means the third party devises. After successfully infecting the network, the attacker redirects the victim to a payment site operated by them. The victim is then subjected to threats of data leak until the ransom is paid to the attackers.

Modus operandi of the attack

The attackers drop a payload hidden in the '.text' section of the file; the file is compressed in a custom format, which prevents conventional AV mechanisms from catching it during an on-disk scan.

Upon execution, the file scans the entire LAN and attempts to connect to hosts via SMB (port 445) to spread the infected file across the whole internal network.

Then, in order to bypass User Account Control, the command "C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" is run by an instance of SVCHOST.exe, which launches the DLLhost.exe process.

After that, the 'backup.exe' file executes the payload and encrypts most of the victim's files, changing their extensions to 'lockbit', and finally leaves a ransom note named 'Restore-My-Files.txt' in various folders on the host.
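The chain described in these steps leaves telemetry a detection engineer can match on. The block below is an added example, not the article's or Northwave's code: it runs over a constructed list of Sysmon-style process-create and file-create events and flags the DllHost.exe launch with the CLSID quoted above, any process that DllHost spawns, a burst of files written with the 'lockbit' extension, and the 'Restore-My-Files.txt' note. The event field names and the sample events are assumptions made for the example.

```python
"""Flag LockBit-style UAC bypass and encryption artefacts in endpoint telemetry.

Added example (not from the article or any vendor): the indicators are the ones
the article names. Events are dicts in the shape a Sysmon-like sensor would emit:
id 1 = process create, id 11 = file create (field names are assumed here).
"""
from collections import defaultdict

# CLSID from the DllHost.exe command line quoted in the article; DllHost hosting
# this COM class is how the payload sidesteps the UAC prompt.
UAC_BYPASS_CLSID = "{3e5fc7f9-9a51-4367-9063-a120244fbec7}"
RANSOM_NOTE = "restore-my-files.txt"
ENCRYPTED_EXT = ".lockbit"

# Constructed sample telemetry for one infected host (not real events).
SAMPLE_EVENTS = [
    {"id": 1, "pid": 412, "ppid": 4, "image": r"C:\Windows\System32\svchost.exe",
     "cmd": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"id": 1, "pid": 5120, "ppid": 412, "image": r"C:\WINDOWS\SysWOW64\DllHost.exe",
     "cmd": r"C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"},
    {"id": 1, "pid": 5200, "ppid": 5120, "image": r"C:\Users\Public\backup.exe",
     "cmd": r"C:\Users\Public\backup.exe"},
    {"id": 11, "pid": 5200, "target": r"C:\Users\bob\Documents\q1-budget.xlsx.lockbit"},
    {"id": 11, "pid": 5200, "target": r"C:\Users\bob\Documents\contract.docx.lockbit"},
    {"id": 11, "pid": 5200, "target": r"C:\Users\bob\Pictures\holiday.jpg.lockbit"},
    {"id": 11, "pid": 5200, "target": r"C:\Users\bob\Documents\Restore-My-Files.txt"},
    # Benign DllHost activity with a placeholder CLSID: must not fire.
    {"id": 1, "pid": 6100, "ppid": 412, "image": r"C:\Windows\System32\dllhost.exe",
     "cmd": r"C:\Windows\System32\dllhost.exe /Processid:{11111111-2222-3333-4444-555555555555}"},
    {"id": 11, "pid": 900, "target": r"C:\Users\bob\Downloads\setup.exe"},
]


def _basename(path):
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events, ext_threshold=3):
    """Return a list of (pid, reason) alerts in the order they fire.

    ext_threshold: number of '.lockbit' files one process must create before a
    single alert is raised for that process (keeps the output to one line per pid).
    """
    alerts = []
    bypass_hosts = set()              # pids of DllHost.exe instances hosting the CLSID
    encrypted_per_pid = defaultdict(int)

    for e in events:
        if e["id"] == 1:
            image = _basename(e["image"])
            cmd = e["cmd"].lower()
            if image == "dllhost.exe" and UAC_BYPASS_CLSID in cmd:
                bypass_hosts.add(e["pid"])
                alerts.append((e["pid"], "UAC bypass: DllHost.exe hosting CLSID " + UAC_BYPASS_CLSID))
            elif e.get("ppid") in bypass_hosts:
                # Anything spawned by that DllHost runs elevated without a prompt.
                alerts.append((e["pid"], "elevated child of UAC-bypass DllHost: " + e["image"]))
        elif e["id"] == 11:
            name = _basename(e["target"])
            if name == RANSOM_NOTE:
                alerts.append((e["pid"], "ransom note written: " + e["target"]))
            elif name.endswith(ENCRYPTED_EXT):
                encrypted_per_pid[e["pid"]] += 1
                if encrypted_per_pid[e["pid"]] == ext_threshold:
                    alerts.append((e["pid"], f"{ext_threshold} files written with {ENCRYPTED_EXT} extension"))
    return alerts


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```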

As per sources, the top targets of LockBit were located in the U.S., the U.K., China, India, Germany, France, and Indonesia. Experts suggest that users worldwide should strengthen their security defenses. It is also recommended to store backups of important files separately, so that they cannot easily be reached over the network.

Giving insights into a particular case, Patrick Van Looy, a cybersecurity specialist for Northwave, told BleepingComputer, "In this specific case it was a classic hit and run. After gaining access through brute-forcing the VPN, the attacker almost immediately launched the ransomware (which he could with the administrator account that he had access to). It was around 1:00 AM that the initial access took place, after which the ransomware was launched, and at around 4:00 AM the attacker logged off. This was the only interaction that we have observed."

Paytm Mall Suffers Data Breach, Hackers Demanded Ransom


Paytm has allegedly suffered a huge data breach after a hacker group targeted the company's PayTM Mall database and demanded a ransom in return for the data. 
The hacker group, dubbed 'John Wick', is known for hacking the databases of companies under the pretense of helping them fix bugs in their systems. 

Global cyber intelligence agency Cyble stated that the John Wick hacker group had 'unhindered' access to Paytm Mall's whole production database through indirect access, which potentially affects all accounts and related information at Paytm Mall.

An official update from Cyble states, “According to the messages forwarded to us by our source, the perpetrator claimed the hack happened due to an insider at Paytm Mall. The claims, however, are unverified, but possible. Our sources also forwarded us the messages where the perpetrator also claimed they are receiving the ransom payment from the Paytm mall as well. Leaking data when failing to meet hacker's demands is a known technique deployed by various cybercrime groups, including ransomware operators. At this stage, we are unaware that the ransom was paid.” 

The volume of information breached is presently unknown; however, Cyble claims that the attackers have demanded 10 ETH, equivalent to roughly USD 4,000. 

Paytm Mall spokesperson comments, "We would like to assure that all user, as well as company data, is completely safe and secure. We have noted and investigated the claims of a possible hack and data breach, and these are absolutely false. We invest heavily in our data security, as you would expect. We also have a Bug Bounty program, under which we reward responsible disclosure of any security risks. We extensively work with the security research community and safely resolve security anomalies." 

Nonetheless, 'John Wick' is known to have broken into numerous Indian companies and collected ransoms from various Indian organizations, including the OTT platform Zee5 and the fintech startups Stashfin, Sumo Payroll, and i2ifunding, operating under different aliases such as 'South Korea' and 'HCKINDIA'.

Nefilim Ransomware Evolving Rapidly: Top Targets at a Glance


Ransomware has continually expanded both in terms of threat and reach as threat actors continue to devise fresh methods of introducing new ransomware variants and malware families. One such newly emerged ransomware that was first identified at the end of February 2020, Nefilim, threatens to release victims’ encrypted data if they are unable to pay the ransom. With a striking code resemblance to that of Nemty 2.5 revenge ransomware, Nefilim is most likely to be distributed via exposed Remote Desktop Protocol, according to Vitali Kremez, an ethical hacker at SentinelLabs.

Earlier this month, researchers from threat intelligence firm Cyble discovered a post by the authors of Nefilim ransomware claiming to have hacked The SPIE Group, an independent European market leader for technical services in the field of energy. According to the claims made by the operators in the post, they are in possession of around 11.5 GB of the company’s sensitive data, including corporate operational documents: the company’s telecom services contracts, dissolution legal documents, infrastructure group reconstruction contracts, and a lot more.

Since April 2020, Nefilim has targeted multiple organizations around the globe, concentrating on South Asia, South America, Oceania, North America, and Western Europe. Going by the count of publicly disclosed attacks, manufacturing is the industry most targeted by the operators of Nefilim ransomware; Mas Holdings, Fisher & Paykel, Aban Offshore Limited, and Stadler Rail were some of the major targets. Other industries infiltrated by Nefilim are communication and transportation, with Orange S.A., Toll Group, and Arteris SA among the top targets. Interestingly, the ransomware has so far spared the healthcare and education sectors entirely: no organization from either sector has been targeted.

Nefilim uses a number of ways to infiltrate organizations’ IT systems, including P2P file sharing, free software, spam email, torrent websites, and malicious websites. Designed specifically to penetrate Windows PCs, Nefilim actively abuses Remote Desktop Protocol as its primary attack vector. It employs a combination of two distinct algorithms, AES-128 and RSA-2048, to encrypt the target’s data, which is later leaked on the operators' website, known as Corporate Leaks, when victims fail to pay the ransom.

Users are advised to stay wary of exposed ports, and security departments should ensure that unused ports are closed. Experts have also recommended limiting login attempts for Remote Desktop Protocol network admin access in the settings to stay protected.