Search This Blog
Load More
Trendy Right Now

Popular Posts

Showing posts with label Ransomware. Show all posts
REvil
Cyber Attacks Nuclear Agency Ransomware REvil

Objectives for Ransomware Attack Against Nuclear Contractor Sol Oriens Remain Unknown

 

New Mexico-based government contractor Sol Oriens was attacked by the Russian REvil ransomware group that sparked worries in the national security community, because of the company's work with the Department of Energy's National Nuclear Security Administration.

However, the motives for the attack remain unknown. Sol Oriens confirmed it was targeted in May, according to CNBC's Eamon Javers, and the corporation stated no sensitive or important security-related material was compromised. The company's website remained down as of Friday, and Mother Jones reported that it had been down since June 3. Sol Oriens has yet not confirmed if the attack was ransomware. 

According to Michael DeBolt, senior vice president of intelligence at Intel 471, Sol Oriens was targeted by REvil, the same group that was accused of targeting meat manufacturer JBS. 

“From the REvil blog, all indications are that Sol Oriens was a target of opportunity, and not of design tied to some state-sponsored entity,” DeBolt stated. 

“However the sensitive nature of this particular victim did not elude the REvil operators and affiliates responsible for the attack. In fact, they explicitly threatened to reveal ‘documentation and data to military agencies of our choice [sic]’ and shared proof by way of screenshots on their name and shame blog. Even so, these actors primarily remain financially motivated.” 

According to Gary Kinghorn, senior director of marketing and alliances at Tempered Networks, the vulnerability of the information in this breach appears to be less than catastrophic if it was restricted to personal information and contacts, but there's no way of knowing if it went further than that. The goals of this attack, according to Kinghorn, are clearly useful to geopolitical opponents, and enterprises must be aware of the immense sophistication and resources behind these operations, regardless of purpose. 

Kinghorn added, “Organizations, particularly those holding DoE-class information and secrets, have to realize that yesterday’s security tools are no longer enough and are too error-prone to justify.” 

“The National Security Agency has already strongly suggested that government agencies move to zero trusts and even ensure encryption of all data in motion. These advanced steps can effectively make networks unhackable. However, right now, organizations are still weighing the costs and ROI until they get exposed like this to make changes.”
Read more »
United States
Babuk Ransomware Evil Corp FBI malware Ransomware United States

New Evil Corp Ransomware Disguised as PayloadBin to Avoid Sanctions

 

The new PayloadBIN ransomware has been linked to the Evil Corp cybercrime gang, which rebranded to avoid US Treasury Department restrictions issued by the Office of Foreign Assets Control (OFAC). The Evil Corp gang, also known as the Indrik Spider and the Dridex gang, began as a ZeuS botnet affiliate. They eventually organized a group dedicated to disseminating the Dridex banking virus and downloader via phishing emails. 

According to the FBI, Dridex was used to steal more than $100 million from banks in more than 40 nations. Following that, the software was utilized as a loader to install the BitPaymer ransomware on victims' computers. Two Russian nationals, Maksim Yakubets and Igor Turashev were indicted by a US grand jury in December 2019 for allegedly running Evil Corp. 

Yakubets was functioning "as Evil Corp's head and is answerable for overseeing the group's illicit cyber activities," the Treasury Department claimed at the time, after assisting with money laundering and the GameOver/Zeus botnet and malware operation. It said Yukabets had been working for Russia's Federal Security Service, or FSB, since at least 2017, and that it had previously sanctioned the FSB for assaults against US targets. It also announced a $5 million reward for information leading to his apprehension. 

The Babuk gang said that they would stop using ransomware encryption and instead focus on data theft and extortion after breaching the Metropolitan Police Department in Washington, DC, and taking unencrypted data. The Babuk data leak site had a graphic makeover at the end of May, and the ransomware gang rebranded as 'payload bin.' 

On Thursday, BleepingComputer discovered PayloadBIN, a new ransomware strain linked to the rebranding of Babuk Locker. When the ransomware is installed, the ransomware will append the . PAYLOADBIN extension to encrypted files. The ransom message is also known as 'PAYLOADBIN-README.txt,' and it claims that the victim's "networks are LOCKED with PAYLOADBIN ransomware." 

BleepingComputer suspected Babuk of lying about their plans to move away from ransomware and relaunched under a new name after discovering the sample. After examining the new ransomware, both Emsisoft's Fabian Wosar and ID Ransomware's Michael Gillespie confirmed that it is a rebranding of Evil Corp's prior ransomware operations.
Read more »
U.S
Cyber Security Ransomware Ransomware attack U.S

Ransomware Hits News Stations in US, Affects Local Broadcast

 

Two local television news stations have been shut down since Thursday, experts say it because of a ransomware attack on their parent company. Parent company Cox media group, which owns NBC affiliate WPXI in Pittsburgh, and ABC affiliate WFTV in Orlando, Florida, told their managers to shut down their company phones and computers. The employees have to communicate using only personal phones and text messages. However, both stations still somehow managed to run local broadcasts at the station, but their operations are somewhat limited. 

Cox has refused to release any statement about the attack, but experts believe that the ransomware was behind the attack where hackers breached the network and held the files hostage in demand of ransom.  

According to experts, if an incident in IT expands to its multiple organizations, it is most likely a ransomware attack. Experts believe that the primary reason for the attack where it is unplanned and widespread IT exploit is a ransomware breach. It can also be malware that is used to plant ransomware software. It is less likely than any other form of cyberattack can cause this shutdown.  

Meanwhile, in Orlando, the employees were asked to not go to the office on Thursday and Friday, however, they weren't told clearly what happened with the computer networks of the company. An employee in Pittsburgh said that the company on Thursday morning shut down its servers as a safety measure to avoid any security breach. 

As of now, the staff has been restricted off the computer networks, so there's not much that they can do, the situation has also become a bit tense at the stations. Actors are continuously attacking US organizations, schools, hospitals, and businesses for a long time. 

But the issue became a major threat when recently, the US federal government faced a major problem when an attack on the country's one of the biggest company Colonial Pipeline led to stoppage of gas supply for 5 days in the US. 

"Many of the most prolific ransomware gangs, including those responsible for the JBS and Colonial hacks, speak Russian and have at least some members based in Russia who appear to operate with impunity, leading President Joe Biden to say he's "looking closely" at retaliating," reports NBC news.  
Read more »
REvil
Cyber Attacks FujiFilm Ransomware REvil

Business Operation Gets Shut Down as FujiFilm Suffers An Attack

 

On Wednesday 2nd June, Fujifilm released a short statement to reveal the illegitimate infiltration of its server by foreign parties. However, it did not specify that whether the ransomware component used in the attack was recognized, whether any information was exfiltrated from its Internet, or whether attackers approached them for a ransom. 

Earlier on 4th June, Japan's global Fujifilm group formally announced that perhaps a ransomware attack that impacted corporate operational activities had been committed earlier in this week. 

“FUJIFILM Corporation is currently carrying out an investigation into possible unauthorized access to its server from outside of the company. As part of this investigation, the network is partially shut down and disconnected from external correspondence,” stated Fujifilm. 

In various interactions with Fujifilm employees though, it looked internally that ransomware was responsible for the attack and that the business had to disconnect pieces of its network around the world. 

Fujifilm advised their staff to shut down their laptops and all other servers immediately at roughly 10:00 AM EST on Tuesday. The network failure also blocked the email, the billing system, and the reporting system from being accessed. Fujifilm has also incorporated warning to its consumers of disruption of their operation to alert their customers. 

Whereas the ransomware gang behind the attack has still not been named, the REvil ransomware campaign is thought to be the case. The REvil ransomware gang will infiltrate a system and steadily expand to several other machines while collecting unencrypted data via the remote access offered by the Trojan. 

Once they get access to a domain admin account in the Windows domain and collect valuables, then they can use the ransomware to encrypt devices across the system. 

Operation DarkSide ransomware targeted last month the largest US petroleum pipeline, the Colonial Pipeline. In certain States it caused the pipeline to be shut down.

Last month, the Conti ransomware group attacked the HSE, the public health service in Ireland, and the Department of Health, leading to a major disturbance in health care services. 

"It will be a topic of discussion in direct, one-on-one discussions — or direct discussions with President Putin and President Biden happening in just a couple of weeks," Psaki said at the press briefing.
Read more »
Ransomware
Cox Media Group Cyber Attacks Network Security Ransomware

Hackers Reportedly Target Cox Media Group Stations



‘Cox Media Group’, is one of the largest media conglomerates in the United State, earlier today, the organization has to put down its live streams for television and radio stations. According to the sources, the attack has been deemed unprecedented due to which Cox Media programs were inaccessible across the country. 

The Cox Media Group has ownership of 33 television stations in 20 markets, 54 radio stations in 10 markets, various multi-platform streaming videos, and several digital platforms. The TV stations in markets like Pittsburgh; Boston; Dayton, Seattle; Ohio; Oklahoma, and Tulsa, are a mixture of major network affiliates like ABC, CBS, FOX, NBC, etc. 

A report has been published by Inside Radio that disclosed the technical details of the attack wherein it was mentioned that the attack took place on the morning of the 3rd June and crashed the internal networks and streaming capabilities including the mobile apps and web streams properties. However, official websites of Cox Media and several programs kept running without any harm but some programs have to be rescheduled.

“This morning we were told to shut down everything and log out our emails to ensure nothing spread. According to my friends at affiliate stations, we shut things down in time to be safe and should be back up and running soon,” a Cox employee shared with media. 

Notably, the incident didn’t impact traditional pay-TV feeds for the channels. Meanwhile, the Dish Network reported that its network didn’t experience any issue regarding ransomware attack, so far; Dish Network is the broadcaster that made a deal with Cox Media for about 14 channels in December 2020. 

Deputy National Security Adviser Anne Neuberger on Thursday issued an open letter requesting organizations to take security precautions against ransomware attacks. 

Nowadays, many tech giants and several cybersecurity firms are taking ransomware attacks way more seriously, still, the gaps in prevention persist. 
Read more »
Scripps
Data Breach data security Ransomware Ransomware attack Scripps

Scripps Health Care Facility Reported Ransomware

 


Scripps Health care facility has reported on Tuesday that the organization has started sending alert notifications to nearly 150,000 individuals after a group of threat actors has stolen the sensitive data of people during a ransomware attack on one of its local health care facility on 01st May. 

What is Scripps Health care and how this works? 

Scripps is a nonprofit health care facility in San Diego, California, United States. The medical firm operates five hospitals and 19 outpatient facilities. The firm also treats a half-million patients around the year through 2,600 affiliated physicians. In addition, Scripps Healthcare also runs several medical education programs and research programs. 

A statement has been released by the firm in which a medical professional said, that the company has just begun notifying victims so that they can take protective measures against this attack which would allow them to safeguard their personal information from further misuse. “About 2.5 percent of those — nearly 3,700 — are said to have had their Social Security and/or driver’s license numbers taken. For those, the company said, it will provide complimentary credit monitoring and identity protection support services,” he further added. 

As per the information shared by the firm, the cybercriminals have stolen clinical credential data that includes the address of the individuals, patient account number, date of birth, medical record number, health insurance information, doctor’s name, and medical data, etc. Reportedly, the data was stolen from the system, however, the firm did not disclose which system the information came from. 

The breach has forced medical professionals at all levels of the healthcare facility to work differently because the system was at risk. Professionals have to use paper charts for their document work. Additionally, access to the important clinical data, including previous test results, was also unavailable for weeks. 

The health care facility further said that the investigation is being conducted on the attack and at present, they are unable to disclose all the technical details. “We still don’t know what the rest of the document seems to be related to. We have started an extensive manual review of these documents…”

“…This is a time-consuming process that can take months, but we will notify affected individuals and organizations as soon as possible in accordance with applicable regulatory requirements,” Scripps added.
Read more »
Ransomware
BazaLoader malware Phishing Campaign Ransomware

This Entertainment-Themed Campaign Installs Malware in User Computer System

 

A popular phishing campaign tries to somehow get users to believe that they've enrolled in the film streaming platform to force customers to call on a phone number for cancellation – a technique that contains BazaLoader malware that harms the computer. 

BazaLoader is a C++ downloader for installing and performing other modules. In April 2020, BazaLoader was first observed by Proofpoint. 

BazaLoader develops a backdoor on Windows machines that could be exploited to provide initial access to other malware attacks - even ransomware. Ryuk Ransomware is generally delivered through BazaLoader, which can have severely harmful consequences to a successful compromise amongst cybercriminals. The operation of BazaLoader demands important human contact in the implementation and installation of the BazaLoader backdoor. 

The operator of the threat used customer service agents to lead victims to download and install the malware unwittingly. This campaign represents a broader pattern used as part of a sophisticated attack chain by BazaLoader threat actors that use call centers. 

The initial stage of the effort, which is detailed by cybersecurity investigators at Proofpoint, involves distributing tens of thousands of phishing emails affirming to come from 'BravoMovies,' a bogus movie streaming platform created by cybercriminals themselves. 

The site seems plausible and people behind it generated false film posters utilizing open-source pictures that are available online – but the way the site has numerous orthographic mistakes can suggest that something must be wrong if one looks very carefully. 

The email received states that the victim has subscribed and charged $39.99 a month - but if they contact a support number, that suspected subscription may be terminated. 

When the user contacts the number to which they are associated, the "customer service" professional claims to walk them through the withdrawal procedure – but what they are doing tells the unwitting victim how they may install BazaLoader on their computer systems. 

These are done by directing the caller to a "Subscription" website, wherein part of the procedure invites users to click a Microsoft Excel downloading link. This document contains macros that will silently upload BazaLoader to the system if it is activated, spreading malware on the victim's PC. 

"Malicious attachments are often blocked by threat detection software. By directing people to phone the call center as part of the attack chain, the threat actors can bypass threat detection mechanisms that would otherwise flag its attachments as spam," Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told ZDNet. 

"Social engineering is the key to this attack chain and threat actors depend upon their social engineering lures to cause recipients to take any action to complete the attack chain and get the malware on the target's machine," said DeGrippo further added. 

It should also be pointed out that while getting an e-mail claiming that the user's credit card will be billed if they do not answer, with the creation of a sense of urgency such as this is a common method employed in phishing operations to make a user obey instructions.
Read more »
XSS
Bitcoin Cyber Security DarkSide Ransomware REvil XSS

DarkSide Affiliates Claim Gang's Bitcoin Deposit

 

Multiple associates have protested about not being charged for past services since the DarkSide ransomware operation was shut down a week ago, and have filed a petition for bitcoins in escrow on a hacker forum. Escrow systems are popular in Russian-language cybercriminal cultures to prevent scams between sellers and buyers. The deposit is a direct message from ransomware operations that they mean business. 

DarkSide is a ransomware vulnerability that has been active since at least August 2020, when it was used in a cyberattack against the Colonial Pipeline in Georgia, causing a significant fuel supply disruption along the US East Coast. The malware is distributed as a service to various cybercriminals through an affiliate scheme and, like other well-known ransomware threats, uses double extortion, combining file encryption with data theft, and is installed on compromised networks through manual hacking techniques. 

DarkSide deposited 22 bitcoins on the famous hacker forum XSS to gain the confidence of potential partners and expand the operation. The wallet is administered by the site's administrator, who also serves as a guarantor for the gang and an arbitrator in the event of a dispute. 

Many analysts believe the group used an escape scam to retain the ransom money they received from their network of affiliates. DarkSide operators, on the other hand, claim to have halted operations as a result of US government pressure following the assault on the Colonial Pipeline. 

Last year, the REvil ransomware deposited $1 million in Bitcoin to a separate hacking website in order to recruit new members. This action demonstrated that they trusted the forum administrator with the money and that there was plenty to be made. 

Researchers discovered a series of allegations made by members of a hacking forum who claimed to have played various roles in the DarkSide ransomware gang's operations. Some associates assisted in the pentesting of threats or organizational breaches. According to Elliptic, a blockchain research company, the Darkside ransomware gang has received over $90 million in ransom payments from its victims since October 2020. 

“In total, just over $90 million in Bitcoin ransom payments were made to DarkSide, originating from 47 distinct wallets.” reads the report published by the Elliptic. “According to DarkTracer, 99 organizations have been infected with the DarkSide malware – suggesting that approximately 47% of victims paid a ransom and that the average payment was $1.9 million.”
Read more »
Russian Cyber Security
malware Ransomware Russia Russian Cyber Security

Experts reported a twofold increase in the activity of ransomware hackers in Russia

The authors of the study called the growth "staggering." Since the beginning of April, experts have been monitoring ransomware attacks on more than 1 thousand organizations on a weekly basis. At the end of the first quarter of 2020, this figure was below 600.

"So far, there is no reason to reduce the number of attacks", said Sergey Zabula, head of the group of systems engineers working with partners of Check Point Software Technologies in Russia.
According to him, a 100 percent increase in the number of incidents can be observed at the end of 2021.

"Attackers will continue to invent new, more sophisticated attacks to grow their businesses and steal large amounts of money. And if companies do not pay special attention to training their employees and improving the level of cybersecurity of the organization as a whole, the size of the damage will grow," the expert said.

"ESET data also indicates a twofold increase in the number of incidents involving encryption viruses in 2021", said Vitaly Zemskikh, the company's technical director for Russia and the CIS. According to him, this is due to the neglect of information security in many organizations.

"Moreover, ransomware viruses are one of the most understandable ways to commercialize efforts for hackers", added Kaspersky Lab cybersecurity expert Dmitry Galov.

In addition, it became known that in April 2021, the number of powerful DDoS attacks on game servers in Russia increased by 30 times. According to StormWall experts, DDoS attacks were carried out using a new incarnation of the well-known Layer7 botnet, consisting of 25 thousand infected Internet of Things (IoT) devices.
Read more »
Russian Hackers
Hacker Forum malware Ransomware Russia Russian Hackers

The famous Russian-language hacker forum has banned the mention of ransomware

XSS is a well-known forum where users discuss all kinds of vulnerabilities, exploits, malware, and ways to penetrate other people's networks. Ransomware was also actively discussed there, moreover, among the forum participants there are representatives of Ransomware groups who actively recruited new partners to work on the "Ransomware-as-a-Service" (RaaS) model.

The decision to ban the discussion of Ransomware was made personally by the forum administrator.

The administrator stated that Ransomware is usually not interesting from a technical point of view, while the main purpose of the forum is "knowledge".

"We are a technical forum, we learn, research, share knowledge, write interesting articles. The goal of Ransomware is only to earn money. The goals are not the same," the forum administrator wrote.

He noted that there is a degradation: newcomers see "crazy virtual millions" that are paid from time to time as a ransom for unlocking data, and think that they will be able to get them. Therefore, beginners "do not want anything, do not learn anything, do not code anything, even just do not think, their whole life is reduced to "encrypt - get $”.

The administrator of XSS Forum also said that there is too much PR around the topic, as well as "nonsense, hype, noise" and even politics. The topic of Politics is obviously related to the Ransomware attack on the Colonial Pipeline, which led to a large-scale crisis in the United States.

"The word "ransom" was equated with a number of unpleasant phenomena — geopolitics, extortion, state hacking. This word has become dangerous and toxic," the forum administrator said.

So he decided to ban everything related to Ransomware. Even old forum threads related to this topic will be deleted.

According to Alexey Vodiasov, technical director of SEC Consult Services said that Ransomware is really a way to make quick money with very little effort. It is possible that after the attack on the Colonial Pipeline, US law enforcement agencies may launch an intensive campaign against the cyber underground.

Read more »
US Washington
Babuk Cyber Attacks D.C Police Ransomware US Washington

Washington DC Police Hit by the Worst Ransomware Ever

 

In the U.S. capital, the police department experienced a major information leak after declining to satisfy the extortion demands of a Russian-speaking ransomware syndicate. As per the experts, the US police department has been hit by the worst ransomware ever. 

On Thursday 13th May, the Gang, identified as the Babuk Squad, published on the dark web, some thousands of confidential documents from the Washington Metropolitan Police Department. Hundreds of police officer intelligence documents, containing feeds from other agencies, such as the FBI and Secret Service, were discovered through a report by The Associated Press. 

Ransomware attacks have reached epidemic proportions as international gangs paralyze local and state governments, police, hospital, and private companies' computer networks. They need substantial payments for deciphering or to prevent the online leakage of stolen information. 

The Colonial Pipeline was shut down last week by a cyber-attack which caused gasoline stockpiling and panic buying across southeast sections of the nation's largest fuel pipeline. 

This Police data leak is "perhaps the most significant ransomware incident to date," due to the risks it poses for officers and civilians, said Brett Callow, a threat analyst and ransomware specialist at the Emsisoft security company. 

Most documents contained security details from many other law enforcement authorities regarding the inauguration of President Joe Biden, along with a connection to a militia group "embedded source." 

The two pipe bombs abandoned at the location of the Democratic Committee and the Republican National Committee before the revolt in the American Capitol on January 6 were studied by the FBI in one document. Yet another document explains the details. This involves "big data pull" from cell towers, as well as plans to "analyze purchases" of Nike shoes that a concerning individual uses. 

In response to an AP request for comments, the police department didn't initially respond but has reported earlier that personal data was compromised. 

Some of the information was subsequently leaked, exposing personal data from background checks of some officials, including information on previous use of drugs, financial conditions, and — in at least one instance — regarding past sexual assault. 

“This is going to send a shock through the law enforcement community throughout the country,” Ted Williams, a former officer at the department who is now a lawyer, told The Associated Press. 

Williams further added that it makes it harder for officers to do their work because of background checks and administrative files publicly disclosed.

“The more the crooks know about a law enforcement officer, the more the crooks try to use that for their advantage,” he said. 

Recently the Babuk community demanded $4 million to not publish the archives, but only around $100,000 was provided. The Ministry did not say whether it offered it. Any discussions will show the difficulty of the issue of ransomware, with the police forced to consider paying for criminal gangs.
Read more »
Ransomware
CISA Colonial Pipeline cyber attack DarkSide FBI Ransomware

FBI – CISA Published a Joint Advisory as Colonial Pipeline Suffers a Catastrophic Ransomware Attack

 

Following a catastrophic ransomware assault on a Colonial Pipeline, the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory. The notice, issued on Tuesday 11th May, contains information on DarkSide, malware operators running a Ransomware-as-a-Service (RaaS) network. 

DarkSide is in charge of the latest Colonial Pipeline cyber assault. Past Friday - 7th May, the fuel giant has said that a Cyberattack had obliged the company, which was found to be an intrusion of DarkSide affiliates, to stop pipeline activities and to pull the IT systems offline. 

Cybercriminal gangs use DarkSide for data encryption and to gain entry to a victim's server. These groups attempt to disclose the information if the victim is not paying the ransom. DarkSide leverage groups have recently targeted organizations, including production, legal, insurance, healthcare, and energy, through various sectors of CI. 

Colonial pipeline is yet to be recovered, and the FBI is engaged with them as a key infrastructure supplier – one of which provides 45% of the fuel of the East Coast and typically provides up to 100 million gallons of fuel per day. 

"Cybercriminal groups use DarkSide to gain access to a victim's network to encrypt and exfiltrate data," the alert says. "These groups then threaten to expose data if the victim does not pay the ransom. Groups leveraging DarkSide have recently been targeting organizations across various CI sectors including manufacturing, legal, insurance, healthcare, and energy." 

The ransomware from DarkSide is available to RaaS clients. This cybercriminal template has become prominent because only a core team needs to create malware that can be transmitted to other people. 

RaaS can also be offered on a subscription basis as a ransomware partner, and/or the developers may earn cuts in income when a ransom is paid. In exchange, developers continue to enhance their 'product' malware. 

Furthermore the FBI - CISA advisory also provides tips and best practices to avoid or mitigate ransomware threats. 

The most important defense act against ransomware is prevention. It is crucial to follow good practices to defend against attacks by ransomware, that can be damaging to a person or an organization. 

"CISA and FBI urge CI [critical infrastructure] asset owners and operators to adopt a heightened state of awareness and implement recommendations [...] including implementing robust network segmentation between IT and OT networks; regularly testing manual controls; and ensuring that backups are implemented, regularly tested, and isolated from network connections," the agencies say. "These mitigations will help CI owners and operators improve their entity's functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if impacted by ransomware."
Read more »
Ransomware
3 Tribes CISA Cyber Security NASCIO Ransom Ransomware

Three Affiliated Tribes—The Mandan, Hidatsa & Arikara Suffers Ransomware Attack

 

On the 28th of April Three Affiliated Tribes – the Mandan, Hidatsa, and Arikara nation – informed their workers that they have been hacked with their server and believed it was ransomware. The community has not accessed files, email, and sensitive information since the server was hacked. 

Ransomware is a sort of malware that, as per the Homeland Security Department, attempts to publish information or restrict access until a ransom is paid. The Federal Bureau of Investigation, reports that 4,000 ransomware attacks are initiated daily, with an attack is conducted every 40 seconds. 
 
A document with details that the intrusion was linked with ransomware was sent to all Three Affiliate Tribes employees on April 28th. The one thing that it does, is changing file locations and file names of the document, stated Mandan, Hidatsa & Arikara CEO Scott Satermo. “Share this text, call, or use other methods as we have no way of sending an email notification at this time.” 

“Ransomware is running rampant in governments throughout the world,” said National Association of State Chief Information Officers (NASCIO) Director of Policy & Research Meredith Ward in an email to Native News Online. “Many local governments have been hit very hard.” 

NASCIO is a 501c(3)(h) non-profit framework that has its main advocacy and policy goal, as objectives and has a provision of insight and advice on the consequences of legislation, policies, and proposals relating to technology. On 14 October 2020, 30 Member States identified financial fraud as being a major cause of infringement over the past year compared with 10 states in 2018, states a report issued by NASCIO. The main causes of infringements still lie in external sources: malicious (68%), external-source web services (81%), and increased hacktivism (86%). 

Although ransomware attacks may appear popular, yet they aren't recorded widely in the various tribes. There are currently no statistical databases if and how often these cyberattacks impact tribes. Unless the rescue has been charged, ransomware actors also attempt and threaten the selling or leaking of exfiltrated data or authentication information as per the Cybersecurity & Infrastructure Security Agency (CISA). Ransomware attacks among national, local, tribal and territorial (SLTT) government bodies and critical infrastructure organizations have become exceedingly common in recent years. 

The Department of the Interior overturned a judgment of Trump-era on 22nd March 2021 which decided that a section of the Missouri River on the Fort Berthold Indian Reserve will belong to the government of North Dakota. The decision was made days after the very first American Indian to become Secretary of the Interior Department, Laguna Pueblo Debra Haaland, was sworn in. The change could offer Mandan, Hidatsa, and Arikara tribal members billions of dollars in revenue. 

The U.S. Congress assesses legislation including the State and Local Cybersecurity Improvement Act. If enacted, the law will provide several billion cybersecurity financing through the Cybersecurity and Infrastructure Security Agency to state, local governments and 25 million US dollars for tribal governments. In September 2020 it was discussed in the House Homeland Security Committee and voted in two-party terms, but it still resides in the Senate.
Read more »
US
Cyber Security Maze Ransomware Ransomware Ransomware attack US

Ransomware Hits US Defense Contractor BlueForce

A ransomware attack hit U.S defense contractor Blueforce, says Hatching Triage sample, and a Conti ransomware chat. Ransomware in the Hatching Triage page consisted of a ransom threat likely to be from an attacker who hit the victim with Conti Ransomware strain. Tech Target's sister website LMagIT found the sample which was sent to SearchSecurity. 

The note said that all the victim's files were encoded by CONTI ransomware, attacker told the victim to google about if he weren't aware of what the strain is, and said that all information has been encrypted with the software and couldn't be restored by any method unless the victims contact the team directly. 

If the victim tried anything suspicious with recovery software, the attacker warned that all files will get damaged, and told the victim to continue at his own risk. "Conti ransomware was first reported in mid-2020, and like many other modern ransomware families, it extorts victims by not only encrypting data but threatening to publish it, too. Recent Conti victims include several London schools, as well as fashion retailer FatFace. It was also a member of the Maze ransomware cartel when it was active," said SearchSecurity. The threat also included a .onion link and a standard URL to an active chat between a negotiator from Blueforce and Conti actor. 

Blueforce is Virginia-based which builds nexus between the Department of State (DoS) and Department of Defense (DoD) via a sophisticated mix of interagency, international development expertise, and cross-functional defense. The conversation dates back to April 9, actor enquired if the target was willing to negotiate. After about 2 weeks, the victim replied with a request saying all the files were encrypted and to help. 

The attacker asked the victim for identification, Blueforce responded last week, asked for the following procedure, and also enquired whether any data was encrypted. According to SearchSecurity "the threat actor responded in the affirmative and demanded 17 bitcoins (worth nearly $969,000 as of this writing). In addition, the response included a list and data pack of files to verify that Conti had breached the company and exfiltrated data. The chat has not been updated since."

Read more »
Russia
Australia Avaddon Data Breach NSW Ransomware Russia

New South Wales Labor Party Hit By Avaddon Threat Attackers Demand Ransom


On Wednesday afternoon New South Wales (NSW) police unit has disclosed an apparent ransomware attack on the New South Wales labor party. 

Global cybercriminals group has given a 10 days timeline to the labor party to pay a ransom or else the illicitly accessed credentials will be put into the public domain including driver’s licenses, images of passports, and employment contracts.

According to the data, the ransomware operational group named Avaddon, which emerged in Russia is found to be behind the recent breach. Additionally, for further information Sydney City Police Area Command, has already begun its inquiries against the attack. 

The Avaddon ransomware was originated in the middle of 2020 in an underground forum(where participants exchange information on abusive tactics and engage in the sale of illegal goods and services, which are a form of online social network (OSN). Research suggests that Avaddon has been linked to various malicious activities, including data compromise and leaked credentials of at least 23 organizations as of February this year. 

Further, a research university, Rey Juan Carlos in Spain has published a research paper in which it disclosed that the Avaddon ransomware uses distributed denial-of-service attacks against its victims that denied to pay the ransom. 

“NSW Labor, the company does not want to cooperate with us, so we give them 240 hours to communicate and cooperate with us. If this does not happen before the time counter expires, we will leak valuable company documents…” 

“…We have a large amount of data on contracts, a lot of confidential information, confidential contracts, driver’s licenses, passports, employment contracts, information about employees, resumes, and more,” Avaddon said in a post on its website. 

Prior to this cyberattack, Austrian high profile organizations have been targeted including the email systems of the Commonwealth and West Australian parliaments that were taken offline this year. Now, a major political party has become a victim of cyber threats; however, this is the first time when cyber attackers have tried to extort an Australian political party for their financial advantages. 

Josh Lemon, managing director of digital forensics and incident response at business advisory firm Ankura, said most of the screenshots contained keywords such as “sensitive” and “confidential”. 

“Although it’s a little bit abstract, as someone who isn’t the victim, it’s intended to provide proof to the actual victim,” Mr. Lemon added. 
Read more »
Ransomware
Cyber Attacks Israel Low ransom Ransomware

N3TW0RM Ransomware: Emerges in Wave of Cyberattacks in Israel

 

In a surge of cyberattacks that began last week, a new ransomware group known as 'N3TW0RM' is targeting Israeli companies. 

N3TW0RM, like other ransomware gangs, has set up a data leak platform where they threaten to release stolen files to threaten victims into paying a ransom. At least four Israeli companies and one nonprofit organization were successfully breached in this wave of attacks, according to Israeli news outlet Haaretz. 

Two Israeli companies, H&M Israel and Veritas Logistic have already been mentioned on the ransomware gang's data leak, with the threat actors allegedly leaking data stolen during the Veritas attack. According to Israeli media and BleepingComputer, the ransomware gang has not demanded especially large ransoms in comparison to other enterprise-targeting attacks. Veritas' ransom demand was three bitcoins, or roughly $173,000, as per Haaretz, while another ransom note shared with BleepingComputer indicates a demand of four bitcoins, or roughly $231,000. 

As per the WhatsApp message circulated by Israeli cybersecurity researchers, the N3TW0RM ransomware shares several characteristics with the Pay2Key attacks that took place in November 2020 and February 2021. 

Pay2Key has been linked to the Fox Kitten hacking group, an Iranian nation-state hacking group whose mission was to disrupt and damage Israeli interests rather than collect a ransom payment. At this time, no hacker groups have been linked to the N3TW0RM attacks. 

One source in the Israeli cybersecurity industry told BleepingComputer that N3TW0RM is also being used to sow havoc for Israeli interests as given the low ransom demands and lack of response to negotiations. However, according to Arik Nachmias, CEO of incident response firm Honey Badger Security, the attacks in N3TW0RM's case are motivated by money. 

While encrypting a network, threat actors typically distribute a standalone ransomware executable to each system they want to encrypt but N3TW0RM uses a client-server model. The N3TW0RM threat actors install a programme on a victim's server that will listen for connections from the workstations, thus according to samples [VirusTotal] of the ransomware seen by BleepingComputer and conversations with Nachmias. 

The threat actors then use PAExec to deploy and execute the'slave.exe' client executable on every device that the ransomware will encrypt, according to Nachmias. When encrypting files, the '.n3tw0rm' extension will be appended to their titles. 

According to Nachmias, the server portion would save the keys in a file and then instruct the clients to start encrypting devices. This strategy helps the threat actor to keep all aspects of the ransomware activity inside the victim's network without having to rely on a remote command and control server.

However, it increases the attack's complexity and can allow a victim to recover their decryption keys if all of the files are not deleted after the attack.
Read more »
Switzerland
Cyber Attacks Ransomware Swiss Cloud Switzerland

Ransomware Hackers Target Popular Cloud Service Provider 'Swiss Cloud'

 

Swiss Cloud, a Switzerland-based cloud hosting provider, suffered a ransomware attack that seriously impacted its server infrastructure. The incident took place on Tuesday, April 27, according to Swiss Cloud’s status page. 

The company, which is one of Switzerland’s major hosting providers, said on Friday in an update posted on its website that it’s working to restore affected servers from existing backups. 

“After the cyber-attack on April 27, work is proceeding to clean up the systems and restore normal operations at swiss cloud computing ag. The backup systems can be used for recovery. Parts of the complex server network affected by the attack must first be cleaned up individually and reconfigured with the corresponding temporal effects. The work to clean up and restore the servers, for which swiss cloud computing ag is supported by specialists from the system partners of HPE and Microsoft, gives reason to be confident that the systems will be available again in the coming week. The work will also continue on weekends in 24-hour shifts.” reads a statement posted by the company on its website. 

More than 6,500 clients affected

While the incident did not affect the company’s entire server infrastructure—spread among different data centers across Switzerland, the disruption has impacted server availability for more than 6,500 customers. One of the most high-profile customers impacted by Swiss Cloud’s outage is Sage, a company that delivers payroll and HR software for German-speaking nations. 

However, while the company might be confident regarding the timeline of its recovery plan, similar ransomware attacks have also taken place at other cloud and web hosting providers over the past few years. In most cases, recovery efforts lasted weeks, not days. This includes incidents at Managed.com, Equinix, CyrusOne, Cognizant, X-Cart, A2 Hosting, SmarterASP.NET, Dataresolution.net, iNSYNQ, and Internet Nayana, just to name the larger attacks. 

Web hosting and cloud infrastructure providers are not particularly targeted by the ransomware groups, but once they’re breached, they usually face some of the largest ransom demands. This is because even the smallest downtime they suffer trickles down to all their customers, and providers face immense pressure to restore services from all sides. This pressure is also why some companies choose to pay the ransom demand even if they have backups.
Read more »
Ransomware
Babuk Data theft extortion malware Ransom Ransomware

Babuk Quits Ransomware Encryption, Focuses on Data-Theft Extortion

 

The Babuk ransomware group has decided to close the affiliate program and switch to an extortion model that does not rely on encrypting victim computers, according to a new message sent out today by the gang. The clarification comes after the group posted and then deleted two announcements yesterday about their intention to close the project and release the malware's source code. 

The group seems to have taken a different path than the ransomware-as-a-service (RaaS) model, in which the hackers steal data before deploying the encryption stage to use as leverage in ransom payment negotiations. 

Babak's newly announced model is nearly identical except for the data encryption part, according to a third "Hello World" message posted on their leak site. In other words, the cybercriminals will run an extortion-without-encryption operation, demanding a ransom for data stolen from compromised networks. 

“Babuk changes direction, we no longer encrypt information on networks, we will get to you and take your data, we will notify you about it if you do not get in touch we make an announcement,” stated Babuk ransomware. 

Maze ransomware began exfiltrating data in November 2019 in order to boost ransom demands. All big ransomware operations quickly adopted it. In starting of 2021, Clop ransomware exploited zero-day vulnerabilities in Accellion's File Transfer Appliance to ran a series of data-theft attacks on high-value companies without encrypting systems. The group stole a large number of files and demanded large sums of money in exchange for not leaking or trading the information. 

Several victims paid tens of millions of dollars in ransom. Babuk ransomware claims that despite being a new team on the ransomware scene, they are already well-known in the industry because they have “the best darknet pentesters.” 

The benefits of this extortion business for Babuk are currently unclear, but the group will have to exfiltrate greater amounts of data than with encryption. Babuk reports one victim from whom they claim to have copied 10 terabytes of data on their leak site. The group claims to have stolen 250GB of data from the Metropolitan Police Department (MPD) in their most recent attack. It's also possible that this will increase the group's benefit, either by requiring higher ransoms or by selling the data to competitors or other parties. 

RaaS operations have become so large in terms of affiliates that it's difficult to keep track of anything. This has recently translated into technological and management changes that have resulted in victims losing data due to faulty decryption tools or having to deal with multiple attacks by the same group.

This happened with Conti, Lockbit, and REvil and these issues affected many ransomware gangs that were dependent on their reputation of a party that respects their end of the deal to demand higher ransoms.
Read more »
Ransomware
Apple Cybersecurity Hacking Attack Ransomware

Hackers Attack Apple Prior to Launch Event, Demand Ransom

 

On the day when Apple was ready to declare a new series of products at its Spring Load Event, there happened a leak from an unexpected quarter. The infamous cybercrime gang REvil took the responsibility for stealing data and schematics from Apple's supplier 'Quanta computer' relating unreleased products. The gang also threatened to sell the data to the highest bidder if the target failed to pay a ransom of $50 Million. For the credibility of the attack, the hackers release caches of docs relating to upcoming MacBook Pros. iMac schematics have also been added since the last attacks. 

The suspenseful timing and links to Apple raise controversy about the attack. However, it is also a reflection towards the rising no of disturbing ransomware incidents that appear today. Hackers have evolved through years of developing their mass data encryption techniques to log targets out of their own devices. Presently, these gangs are more focused towards data theft and extortion as their primary means of attacks, while demanding hefty ransoms in the process. 

"Our team is negotiating the sale of large quantities of confidential drawings and gigabytes of personal data with several major brands. We recommend that Apple buy back the available data by May 1," said REvil in the stolen data post. Since the start, ransomware attacks have involved capturing the victim's device, encrypting files, and then demanding ransom through simple transactions, in return for providing the decryption key. 

Now, however, hackers have moved towards a unique approach, along with encrypting the files, they steal files and threaten to leak them, this gives them leverage over their victim, assuring ransom payment. Even if the victim recovers his data, the risk of a hacker leaking his data still persists. The Wired reports, "and in the past couple of years, prominent ransomware gangs like Maze have established the approach. Today incorporating extortion is increasingly the norm. And groups have even taken it a step further, as is the case with REvil and Quanta, focusing completely on data theft and extortion and not bothering to encrypt files at all."
Read more »
US
Europe FiveHands malware Ransomware SonicWall US

New FiveHands Ransomware Deploy Into SonicWall Internal System

 

Earlier this year, money-oriented cybercriminals leveraged a zero-day vulnerability that has been introduced by SonicWall in its Secure Mobile Access (SMA) 100 Series VPN appliances to install advanced ransomware studied as FiveHands, victims are reported to be North American and European networks. 

The operation was traced by FireEye’s Mandiant cyber analysts as “UNC2447’’. Analysts unit has informed that the group took advantage of the CVE-2021-20016 SonicWall bug to breach networks and further install FiveHands ransomware payloads before the vendor released patches in late February 2021. Further, the report also reads that the threat actor poses advanced skills in exploiting networks. 

Additionally, over the past half a year, a brand new cyber hacker group has been noticed to be exploiting a wide range of malware and creating pressure on ransomware victims into making payments. 

Previously in similar contexts, FireEye reported that the cyber attackers have been deploying ransomware families and malware such as FiveHands (a variant of the DeathRansom ransomware), Sombrat, the Cobalt Strike beacon, the Warprism PowerShell dropper, and FoxGrabber, additionally the new ransomware's actions also demonstrated signs of RagnarLocker and HelloKitty ransomware affiliation. 

“When affiliate-based ransomware is observed by Mandiant, uncategorized clusters are assigned based on the infrastructure used, and in the case of UNC2447 were based on the Sombrat and Cobalt Strike Beacon infrastructure used across 5 intrusions between November 2020 and February 2021,” FireEye reported. 

The group deployed a critical SQL injection flaw in SonicWall SMA100 series devices, which will give remote access to attackers and further, access to login credentials, session information, and other vulnerable appliances. 

The existence of the vulnerability was first observed in January 2021, when SonicWall warned its customers that the company's internal system has been attacked in a cyber operation that may have targeted zero-day vulnerabilities in the company’s secure remote access devices. CVE-2021-20016 was patched in February 2021 by SonicWall, however, FireEye reported that UNC2447 had exploited it before the patch was released. 

"UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums," Mandiant further added in a report published today.
Read more »
Subscribe to: Posts (Atom)