Search This Blog

Showing posts with label Ransomware. Show all posts

Microsoft Issues Its First Ever ‘Targeted’ Warning ; Saving VPN Servers of Hospitals


Following a recent disclosure about Iranian hackers targeting on vulnerabilities in VPN servers like the Pulse Secure, Palo Alto Systems, Fortinet, and Citrix, Microsoft gave its first-ever 'targeted' warning to a few dozen hospitals, informing them of the vulnerabilities in their own virtual private network (VPN) appliances.

With the organizations depending all the more heavily on the VPN servers as the lockdowns are in full swing of the unfortunate outbreak of the Corona Virus. They had no other option except to fall back to this means to help telecommuters but that in the end has made that specific part of the system a weakness i.e a soft spot for ransomware attackers to target – specifically at hospitals with already stressed assets.

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (DHS CISA) a month ago cautioned all organizations to fix VPN services, however, Microsoft is especially worried about hospitals' vulnerability to human-operated ransomware due to unpatched VPN servers.

One group the Microsoft team has been following is the REvil, otherwise known as Sodinokibi, ransomware gang, which is known for setting monstrous ransom demands for businesses and government agencies.

While the ransomware gang hasn't yet developed new attack techniques but instead has repurposed strategies from state-sponsored attacks for new campaigns that exploit the heightened requirement for information in the current coronavirus crisis.

The Microsoft Threat Protection Intelligence Team uncovered in a new post, "Through Microsoft's vast network of threat intelligence sources, and we identified several dozens of hospitals with vulnerable gateway and VPN appliances in their infrastructure."

"To help these hospitals, many already inundated with patients, we sent out a first-of-its-kind targeted notification with important information about the vulnerabilities," it added later.

When mentioning these new ransomware gangs the Microsoft team noted, “We haven't seen technical innovations in these new attacks, only social engineering tactics tailored to prey on people's fears and the urgent need for information."

And so the Multinational Technology's recommendation to hospitals and various other organizations is to follow three key steps to shield their VPN services from attacks:

  • Apply all available security updates for VPN and firewall configurations. 
  • Monitor and pay special attention to your remote access infrastructure. 
  •  Turn on attack surface reduction rules, including rules that block credential theft and ransomware activity. 

Apart from these, there are a few more published by Microsoft to further help mitigate these attacks.

Canada Cybersecurity: Health Care Industry Battles Cyberattacks as Experts Call-in Federal Support


Canada's hospitals and clinics are suffering massive cyber threats as the cyberattacks targeting the Canadian healthcare industry saw a sudden rise in number.

Researchers reported that the health-care sector is the most targeted sector in Canada amounting to a total of 48% of all security breaches in the country. Digital security of hospitals in Canada is being exposed to heavy risk as the growing number of data-breach incidents imply how the healthcare industry has become the new favorite of cybercriminals.

The issue has gained widespread attention that led to calls for imposing national cybersecurity standards on the healthcare industry. In order to tackle the problem effectively and protect the privacy of their patients, the institutions are required to update their cybersecurity arsenal for which the federal government's involvement is deemed necessary by the experts.

While commenting on the matter, Paul-Émile Cloutier, the president and CEO of HealthcareCAN, said: "My biggest disappointment at this moment is that it seems that anything that has to do with the health sector and cybersecurity is falling between the cracks at the federal level."

Cybersecurity experts expressed their concern in regard and put into perspective the current inability of the Canadian health system to cope up with the increasing risk.

Experts believe that information regarding a person's health can potentially be of more value to the cybercrime space than credit card data itself for an individual's health care identity contains data with unique values that remains the same over time such as the individual's health number or DOB, it assists hackers in stealing identities by making the process smooth.

Over the past year, various Canadian health-care institutions became victim of breaches including LifeLabs, one of the country's largest medical laboratory of diagnostic testing for healthcare, which was hit by a massive cyberattack compromising the health data of around 15 million Canadians. The private provider was forced to pay a ransom in order to retrieve the stolen customer data.

In another incident, attackers breached the computer networks of three hospitals in Ontario that led to a temporary shut down of diagnostic clinics and non-emergency cases were told to come back later.

New Malicious Program 'Nefilim' Threatens to Release Stolen User Data


Nefilim, a new malicious program that basically is ransomware that functions by encrypting files on affected systems, has become active in the cyber ecosystem since February 2020. After encryption of the files, it demands a ransom from the victims for the decryption of files, tools, and software. However, it is still unclear how the ransomware is being spread, sources reckon that it's distributed via susceptible Remote Desktop Services.

As per the head of SentinelLabs, Vitali Krimez and Michael Gillespie from ID Ransomware, the code employed in Nefilim resembles much that of Nemty's, another file-encrypting ransomware that steals user data by restricting access to documents and multimedia using the AES-256 algorithm. As to the speculations of security researchers, it is likely that the authors of the first ransomware have a role to play in Nefilim's creation and distribution. However, due to the uncertainty revolving around the operation source of the new ransomware, experts also point towards a possibility of the source code being somehow obtained by the new malicious actors to develop a new variant.

While the encryption is underway, all the affected files are added with ".NEFILIM" extension. For instance, a file previously named "xyz.png" would start appearing as "xyz.png.NEFILIM" after the encryption takes place. The completion of the process is followed by a ransom note being created on the infected user's desktop titled "NEFILIM-DECRYPT.txt", "A large amount of your private files have been extracted and is kept in a secure location. If you do not contact us in seven working days of the breach we will start leaking the data. After you contact us we will provide you proof that your files have been extracted." the note reads.

As per the sources, for money matters, Nefilim primarily pins its hopes on email communications instead of a Tor payment site after the removal of the Ransomware-as-a-Service (RaaS) component and it stands out as one major difference. According to the analysis carried out by Gillespie, it has been made clear that as of now there exists no way to retrieve files without paying the ransom because the ransomware is reported to be completely secure. As a result of that, victims are being threatened to pay the demanded amount within a week or else the data stolen will be exposed by the attackers.

Stay Wary of Third-Party Apps: Malware App 'CovidLock' Locks User Out of their Phone


In an attempt to block misinformation from being spread by developers taking advantage of the COVID-19 charged environment, Google started prevention by blocking any search made for terms "COVID-19" and "coronavirus" on Google Play Store. It identified certain developers' malicious intent of exploiting user's concerns regarding the new coronavirus. As of now, Google's attempt to block searches has yielded positive results with the search for the aforementioned keywords returns no results at all on the Play Store.

Once you are out of the Play Store searching for the same, considering the installation of third-party apps, it becomes a matter of great concern as developers are embedding ransomware in apps named after the new coronavirus to delude uninformed users.

Recently, DomainTools, a Threat Intelligence company found an app known as "CovidLock" that is ransomware in the facade of 'coronavirus tracking app'. The app will appear to be a real-time tracker for the coronavirus but it will function as a malware that will lock the user out of his phone and ask for a ransom of $100 in bitcoin within a time period of 48 hours. If the affected user fails to provide the demanded ransom in the given time, he receives threats of his social media accounts being exposed online and the data stored onto his device being permanently deleted. It further notifies that his device is constantly monitored and in case he attempts to do anything stupid, everything will be automatically deleted.

However, a piece of good news is that the new mobile devices are secured against such attacks as Google has added defense against it. But in cases of users running versions older than Android Nougat, there are chances of their device being infected by this malware. To stay on a safer side, users are being advised to stick to the Google Play Store when downloading apps. Turning to unauthorized third-party sources invites great danger to user security especially at a time when our concerns and fears can be exploited and used against us. 

Durham City, North Carolina Hit by Ransomware Attack



On Friday, The City of Durham, North Carolina suffered a cyberattack wherein Ryuk Ransomware crippled the city's IT systems and compromised its public safety phone networks. According to media reports, the city first experienced a phishing attack that eventually allowed the Ryuk Ransomware to develop onto its IT systems. In an immediate response, Durham shut down its network to prevent the attack from further spreading onto the entire network. All-access to the DCI Network for the Durham Police Department, the Durham Sheriff’s Office and their communications center had been temporarily disabled. Ryuk is well-planned and targeted ransomware that is being operated since 2018 by WIZARD SPIDER, a Russia-based operator of the TrickBot banking malware. After gaining access, Ryuk is programmed to permeate network servers as files are exchanged between systems.

As of now, there are no traces of data being stolen, however, users are advised to stay wary of phishing emails acting to be from the city officials. Alongside this, the attack led to the shut down of Durham's 911 call center and caused its Fire Department to be deprived of phone service. Ryuk's technical capabilities are relatively low, however, it has successfully targeted various small to large organizations across the world and encrypted hundreds of systems, storage, and data centres. Usually, the malware corrupt networks after they have been infected by the TrickBot Trojan, a malware designed to illegally harvest users' private data via phishing.

The malware is circulated via malicious email attachments and once it gathers all the important data from a given network, it lets the authors of Ryuk Ransomware acquire administrator credentials and gain access to the harvested data from the network, the malware does so by opening a shell back to the actors operating the threat.

"According to the SBI, the ransomware, named Ryuk, was started by a Russian hacker group and finds its way into a network once someone opens a malicious email attachment. Once it's inside, Ryuk can spread across network servers through file shares to individual computers," WRAL reported.

As per the findings that followed the investigations initiated by the city, the malware employed in the attack was found to be having Russian origins, however, the exact origin of the attack still remains unknown and the investigation regarding the same is underway.

Bretagne Télécom recovered 30 TB data in a ransomware attack by DoppelPaymer


Bretagne Télécom, a cloud service provider was hacked by DoppelPaymer, ransomware that exploited CVE-2019-19781 vulnerability in unpatched servers.


Bretagne Télécom is a French cloud hosting telecommunications company that provides a range of services like telephony, Internet and networking, hosting, and cloud computing services to roughly 3,000 customers with 10,000 servers.

Fortunately this is a success story with a happy ending, as the ransom attack was a failure with no data loss and no ransom paid. The company could restore the encrypted system and data from backups on Pure Storage FlashBlade arrays.

Around 30 TB data was encrypted

The attack took place in the first half of January, on the unpatched servers making them vulnerable to attack. The attackers started scanning the vulnerable servers from Jan 8 and attacked two days later. The company soon released patches to overcome the vulnerability with the final patch being published on January 24.

The DoppelPaymer's operators infiltrated around 148 machines with data from "around thirty small business customers", as Bretagne Télécom CEO Nicolas Boittin told LeMagIT.

The DoppelPaymer Ransomware hackers demanded a ransom of 35 bitcoins (~$330K) for decrypting the system. Ofcourse, the company restored the data and didn't require the "decrypting services" from the hackers. Using the Pure Storage FlashBlade arrays' Rapid Restore feature, Bretagne Télécom could restore all of the customer's data.

"We found the time when the attackers installed the scheduled encryption tasks. Once these tasks and the malware were removed, we were able to return to operational conditions."

"It is not the first time that this has happened to customers. But most of the time, they are self-managing, so we didn't interfere," Boittin added.

"Ransomware from our customers, there may not be one per month, but not far. And we never paid. I refuse to fuel a parallel economy where we would give pirates the means to improve their systems to attack us again."
The company personally decrypted and stored data from each customer without a network, some even took six hours. They could efficiently tackle the attack by considering them as data breaches, most of the companies do that resulting in compromise of sensitive information even before the encryption takes place.

Ransomware Hits Media Monitoring Company 'TV Eyes'


The latest ransomware has attacked 'TV Eyes,' a company that offers campaign monitoring services to TV and radio news broadcasts. PR agencies and newsrooms across the world mostly use TV Eyes service to keep a trace of their broadcast. "The ransomware infected the business somewhere around post-midnight on Thursday, 30th of January," said TV Eyes CEO David Ives in a conversation with ZDNet. The ransomware has damaged crucial TV Eyes servers and communications workstations, affecting the network mainly in the US, along with some other areas.


"We are still calculating the total damage caused by the ransomware to the company's network. However, the company has begun making retrieval attempts," said David to ZDNet. He further says, "TV Eyes is not thinking of paying the ransom demanded by the hackers. Instead, we are reviving the situation from existing backups and focusing on strengthening the affected network infrastructure." "MMS (Media Monitoring Suite), the main product of the TV Eyes company, is not in function since the last 2 days," according to various sources at PR agencies that worked with TV Eyes.

The TV Eyes service gives a platform that allows agencies in monitoring TV telecasts and Radio broadcasts mainly in the U.S (state and other 210 markets) and influential global media organizations. The Media Monitoring Suite-MMS permits the users to seek beyond podcasts for new keywords and also set up an email account for notifications of new events. TV Eyes is a very helpful tool for several journalists, PR agencies, and political parties for campaigning. David says there's no news confirming the comeback of the TV Eyes service in the near time. However, the company is working to restore services as soon as possible.

"The kind of services that companies like TV Eyes offer is often an easy target for the hackers because they know how much dependent and reliable the users of these tools are. Therefore, hackers know that such companies are vulnerable as their users are relying on them for the safety of their data," says Paul Martini, CEO, Iboss (cloud security company). The users of the TV Eyes service are concerned about the privacy of their data, which contains crucial financial information too.

Malware Attack! Oregon County's Network Smashed By a Ransomware?


Per local news and reports, allegedly, a cyber-attack shook the Tillamook County of Oregon, USA when it rendered the local government’s services ineffective.

Apparently owing it to the cyber-attack, the county officials are back to basics with all their daily tasks and are working about the crisis.

When the computers in the various departments of the county started misbehaving, that’s when the officials grasped the severity of the situation and immediately warned the IT department.

That is when the IT department comprehended that the systems had been infected with encrypting malware. To contain the infection, all the affected servers and devices were instantly isolated.

There is no sincere evidence to show if the malware was used for a ransomware attack but it sure is being conjectured on the affirmative. Per sources, no request for a ransom has been posted so far.

Allegedly, the Oregon city was recently struck by a cyber-attack of the same nature about a week ago.

The damage is of such a severe type that along with infecting all of the county’s computers and servers it has seriously harmed both the online and offline phone systems given the “VoIP” (Voice over Internet Protocol) that they employ.

Per sources, to rummage the details of the cyber-attack including the source, type, and magnitude of the attack, the county especially engaged a “digital forensic” team from a well-known cyber-security organization.

There is no doubting the fact that the Oregon county systems have been shut by the attack indefinitely and there is no knowing when they’d be back on operations.

With quite a substantial population to be hit by a cyber-attack of such severity, Oregon County has never before experienced a similar attack. Hence they can’t exactly mention their modus operandi to their plan of mitigation.

Sources mention that the county officials have decided to subcontract a few response operations to counter the attack and its repercussions.

The cyber-crisis management team happens to be the best at what they do and are efficiently working towards containing and mending the damages done by the malware.

Sodinokibi Ransomware threats Travelex to release data, if ransom not paid.



The Sodinokibi Ransomware attackers are pressuring Travelex, a foreign exchange company to pay a 6 million dollar ransom amount or risk going their data public, the attackers warn that they will either release or sell the stolen data that contains users' personal information. 


Travelex was attacked on 31st by New Year's Eve ransomware Sodinokibi Ransomware, the operators stole 5 GB un-encrypted data and later encrypted the company's whole network. 

The Sodinokibi Ransomware operators in conversation with BleepingComputer stated that they are demanding 3 million dollars ransom or they would release the data containing "DOB SSN CC" and other. The ransom was later doubled to 6 million dollars. 

Meanwhile, the exchange company Travelex is still stating that no evidence of any stolen data exists. 

"Whilst the investigation is still ongoing, Travelex has confirmed that the software virus is ransomware known as Sodinokibi, also commonly referred to as REvil. Travelex has proactively taken steps to contain the spread of the ransomware, which has been successful. To date, the company can confirm that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted. Whist Travelex does not yet have a complete picture of all the data that has been encrypted, there is still no evidence to date that any data has been exfiltrated."

In further conversations with BleepingComputer, the operators said even if the company is denying that any data was stolen they are negotiating the ransom price and would benefit even if the ransom is not paid. 

"If this were true, they would not bargain with us now. On the other hand, we do not care. We will still benefit if they do not pay. Just the damage to them will be more serious."

And the Sodinokibi operators are right, they would benefit either way if Travelex does pay the ransom and if it doesn't then they'll simply sell the data. As for Travelex, it will inevitably suffer damage - by paying the ransom, public release of data or if the data is sold to other actors. 

SNAKE Ransomware Targets Entire Corporate Systems?


The new Snake Ransomware family sets out to target the organizations’' corporate networks in all their entirety, written in Golang and containing a significant level of obfuscation, the observations and disclosure for the attacks were made by a group of security specialists from the MalwareHunterTeam.

The Ransomware upon successful infection subsequently erases the machine's Shadow Volume Copies before ending different processes related to SCADA frameworks, network management solutions, virtual machines, and various other tools.

After that, it continues to encrypt the machine's files while skirting significant Windows folders and system files. As a feature of this procedure, it affixes "EKANS" as a file marker alongside a five-character string to the file extension of each file it encrypts. The threat wraps up its encryption routine by dropping a ransom note entitled "Fix-Your-Files.txt" in the C:\Users\Public\Desktop folder, which instructs victims to contact "bapcocrypt@ctemplar.com" so as to purchase a decryption tool.

The ransom note of SNAKE ransomware (Source: Bleeping Computer)

“It is clearly evident from the language in the ransom note, that this Ransomware specifically targets the entire network rather than individual workstations. Further indicating that any decryptor that is purchased will be for the network and not individual machines, but it is too soon to tell if they would make an exception.”
 - This is what Bleeping Computer said in a blog post on SNAKE. 

Nonetheless, the rise of SNAKE Ransomware highlights the critical requirement for organizations to defend themselves against a Ransomware infection.

While making effective use of the suggestions to forestall a Ransomware infection in the first place, they ought to likewise consider 'investing' into a solution like Tripwire File Analyzer for the purpose of distinguishing suspicious documents and conduct on the network.

Clop Ransomware Upgraded, Now can Terminate 663 Windows Processes


In February 2019, Michael Gillespie from MalwareHunter Team founded Clop ransomware that has been evolving to reach its full potential and now a variant of the same can terminate a total of 663 Windows processes.

While it was first discovered, it did not demonstrate any unique quality which made it stand out amid other ransomware variants, it was merely another likewise addition in the ransomware ecosystem like others that existed since 2017. However, it has continued to take various forms since its discovery and is emerging with all new and integrated process killer that affects several processes of Windows 10 apps, office applications, programming IDEs, languages and text editors.

As per the sources, it was noted in March 2019, that the attackers behind Clop Ransomware started to target entire networks instead of individual systems, they changed the ransom note to imply the same. The same year also witnessed a sudden disruption in the services of Clop Ransomware wherein they abruptly changed and disabled services for Microsoft SQL Server, MySQL, Microsoft Exchange, BackupExec and other enterprise software.

In 2019, while warning the organizations and businesses regarding app-killing malware, the Federal Bureau of Investigation (FBI) reported that the ransomware threat now is even amplified as the attackers are continually upgrading themselves, they have devised ways to bypass detection and be more effective in their operations. Organizations are being warned by investigative agencies to keep abreast of such potential threats and build a security net to guard their systems.

While commenting on the matter, Abrams, editor-in-chief for Bleeping Computer said, "It is not known why some of these processes are terminated," Bleeping Computer editor-in-chief, Abrams, said, "especially ones like Calculator, Snagit, and SecureCRT, but it’s possible they want to encrypt configuration files used by some of these tools."

Meanwhile, in a conversation with SC Media UK, Javvad Malik, security awareness advocate at KnowBe4, told "Clop is a variant of the CryptoMix ransomware family, but has been evolving rapidly in the last year to disable an increasingly large number of windows processes,"

"The main goal of Clop is to encrypt all files in an enterprise and request a payment to receive a decryptor to decrypt all the affected files," read the McAfee report in August.

"To achieve this, we observed some new techniques being used by the author that we have not seen before. Clearly, over the last few months, we have seen more innovative techniques appearing in ransomware."

Alert! USB Flash Drive Malware: Threats Decoded!


The cybercriminals have gotten all the savvier when it comes to finding out new ways of administering malware into the victims’ devices.

The next in the list happens to be “Malicious USB sticks”. These are employed whenever an attacker needs a “physical” entrance to a computer or any device for that matter.

The first related incident goes back a decade when the highly malicious, “Stuxnet” worm was disseminated to attack Iranian networks by means of USB sticks.

An “unattended” USB flash drive might as well cause an equally malicious problem if plugged into a host network or system. These drives could be carrying viruses or even ransomware.

The ultimate motive of these drives could range from easy-going hacking into systems to disrupting major businesses and their operations.

These USB sticks are extremely malicious and could lead to major setbacks and cyber harm for victim organizations and their clients and other individuals at large.

Reportedly, there are several other malware that are carried and transmitted through USB flash drives and per sources they encompass of:

1. The “Flame” modular computer malware
2. The “Duqu” collection of computer malware


There are numerous things, threats, and risks that a malicious USB flash drive poses to its users. Backdoors, Trojans, ransomware attacks and information stealing are common endeavors.


As per sources, browser hijackers could also be installed to mislead the users to the hackers’ website where adware, grey ware, malware or spyware could be injected in the device.

The users could follow the following safety and protection mechanisms to steer clear of the contingencies of the aforementioned attacks:

1. Updating the computer and other device software on a regular basis is a must. All the essential patches must be downloaded to clear the vulnerabilities.
2. Enable all the security features on the devices. Fingerprint authentication is a good option in such cases.
3. Keep all your USB flash drives absolutely secure and safe and prepared against hackers.
4. Never plug in unauthorized or unknown USB flash drives in your business devices especially those at your workplace.
5. Keep separate drives for work and home devices.

Rise of the Ransomware Attacks Leads to an Increase Extortion Demands of Cyber Criminals


As there happens a rise in the number of ransomware attacks doubled is the number of organizations surrendering to the extortion demands of cybercriminals in the wake of succumbing to such attacks particularly this year in contrast with the previous one.

As indicated by figures in the recently released 2019 CrowdStrike Global; Security Attitude Security, the total number of organizations around the globe that pay the ransom subsequent to succumbing to a supply-chain attack has dramatically increased from 14% of victims to 39% of those influenced.

While cybersecurity suppliers and law enforcements suggest that victims don't fund crime by surrendering to the blackmail requests/ extortion demands, at times organizations see it as the fastest and easiest method for re-establishing their networks.

In the UK explicitly, the number of organizations that have encountered a ransomware attack and followed through on the demanded price for the decryption key stands at 28% – twofold the 14% figure of the previous year.

Be that as it may, on the grounds that the victims are as yet paying the ransom – which normally amounts up to six-figure sum – cybercriminals will keep on directing ransomware campaigns and likely broaden them further, particularly as the possibility of them getting captured is low.

In any case, notwithstanding the accomplishment of ransomware attacks – particularly those that have undermined the whole infrastructure of entire organizations – there are some generally straightforward and simple methods for averting the attacks doing any harm.

In the event that organizations guarantee that every one of the frameworks and programming on the network is fixed with the most recent security updates, it goes 'a long way' to preventing ransomware attacks from being effective the same number of campaigns depend on the abuse of the known vulnerabilities.

Organizations ought to likewise guarantee that default passwords aren't utilized on the system and, where conceivable, two-factor verification ought to be applied as this will counteract any hacker who figures out how to break the system from moving around and causing more damage.

However, in case of a ransomware attack being effective, organizations can guarantee they don't have to make the payment by normally creating a backup of their system and guaranteeing that the backup is stored offline.

New Orleans: Mayor Declares State of Emergency after a Cyberattack


The city of New Orleans after being hit by a cyberattack, declared a state of emergency wherein the employees and officials were asked to shut down the computers, power down devices by unplugging and take down all servers as a cautionary measure. As a part of the incident, The Nola.gov website was also down.

Officials suspect the involvement of ransomware as the attacks demanding ransom has become increasingly common in the recent past and ransomware was detected as per Mayor LaToya Cantrell, however, there is no confirmatory lead on the matter as the city has not received any ransom demand from the attackers.

Earlier this year, in November, The State of Louisiana was hit by a ransomware attack which prompted officials to shut down government websites and deactivate other digital services and consequently, a state of emergency was being declared by the governor. As per the sources, it is the gravest cyber attack the state had witnessed till date, it took about two weeks for the authorities to restore all the systems and make them functional again. The attack was followed by aggressive measures being taken by the security officers who classified the attack being a "sophisticated and coordinated" one. As per the latest findings, it remains unclear whether the two attacks are linked to each other or not.

While drawing other correlations, New Orleans Mayor LaToya Cantrell referenced the attack back to one where several school systems in Louisiana were attacked by malware. The compromised school systems were from Sabine, Morehouse, and Ouachita, according to the reports by CNN.

“Out of an abundance of caution, all employees were immediately alerted to power down computers, unplug devices & disconnect from WiFi. All servers have been powered down as well,” stated a tweet from New Orleans’ Office of Homeland Security & Emergency Preparedness.

During a press conference in regard of the matter, Mayor LaToya Cantrell said, “We have a unified command, we’re here with not only our local partners but our state and federal partners as well, which includes our national guard, Louisiana state police, FBI, the state fusion center and secret service."

Maze Ransomware Exfiltrated Data of Southwire Firm, Threatens to Publish if Ransom Not Paid


Maze ransomware, a variant of Chacha Ransomware that has been leading the charge of various ransomware attacks lately, now claimed responsibility for yet another cyber attack, this time on North America's most prominent wire and cable manufacturer, Southwire that generates household and industrial cables, utility products, portable and electronic cord products, OEM wire products, engineered products, and metal-clab cables for more than 50% of Northern America. It's a leading wire producing company with over 7,500 employees and has been around for seven decades now.

The attackers surreptitiously infiltrated company data and demanded a ransom of approximately $6 million (859 BTC) for a safe release of the data which reportedly is all set to be published in case the company fails to pay the demanded amount.

Maze Ransomware was originally discovered by Jérôme Segura, a security researcher at Malwarebytes in the month of May, earlier this year. Since then, the malware strain has gained massive popularity and is continuously becoming more and more active. While organizing various malspam campaigns, it has been discovered that its affiliates are essentially more dangerous.

On Monday, around the time when the company's website suffered the ransomware attack, admins located a message posted in Imgur demanding a ransom of 850 BTC from the company. In the wake of which, a topic was started on Reddit where Snooze16, seemingly an employee of the company, while putting the situation in perspective, said, “I went into the offices yesterday afternoon. Everyone was headed home – no computers. It looks like their site is still down. The IT guy that was there told me that the plant called him at 5 am asking how to shut the servers down. Bad time of year not to be shipping.”

In a conversation with the Chronicle, Jason Pollard, vice president of Talent Acquisition and Communications for the wire manufacturer, told, "We immediately self-quarantined by shutting down the entire network,"

"The incident did cause some disruption in our ability to make and ship our products."

"The safety of our employees, the quality of our products and our commitment to our customers are critically important to us. Today, we’re bringing critical systems back online, prioritizing manufacturing and shipping functions that enable us to create and send the product to our customers. We are dedicated to restoring all systems and bringing all of our employees back to work as safely and as quickly as possible." He further added.

British American Tobacco’s Romanian Platform Faces Data Breach; Ransomware Demands Bitcoins

British American Tobacco (BAT)’ s Romanian web platform compromised due to a ransomware attack and data breach.
BAT which is a United Kingdom-based company is one of the most gigantic manufacturers of nicotine and tobacco products.
Reportedly, the data breach was first ascertained on an Irish “unsecured Elastisearch server” with around 352 GB of data. Allegedly, the hackers had breached the data’s location.
The ransom request was waiting for the onlookers on the server in the form of a "readme" file wherein they had demanded a “Bitcoin payment” in exchange for “not deleting their data”.
Per sources, the cyber-researchers had discovered the data breach on a “server connected to the web platform YOUniverse.ro” which is part of the Romania promotional campaign for BAT, pursuing adult smokers.
The compromised data encompasses users’ “Personally Identifiable Information” (PII), like name, gender, email address, phone number, date of birth, source IP and cigarette and tobacco product preference.

Allegedly, tobacco advertising is mostly prohibited by the Romanian law, while exempting certain sorts of promotional campaigns and event sponsorship aiming at existing smokers over 18 years of age.
The platform in question aided Romanians to win tickets to events and parties studded with local and international performing stars.
Regardless of the numerous attempts made by the team to contain the breach, the database had been unprotected for the past two months and was finally contained on November 27, 2019.
According to sources, the research team has been after the company’s local branch, the global company, the server’s host, Romania’s National Authority for Consumer Protection (ANPC) and the Certification Authority (CA) for some clarification.
The CA was the only organization to revert to the team. The Romanian journalists who were contacted along with the authorities are yet to answer.   

Three Common Forms of Ransomware Infecting 1,800 businesses, Warns Dutch Govt



Around 1,800 companies are being affected by ransomware across the globe, according to a confidential report by the National Cyber Security Centre (NCSC) in the Netherlands. The report does not specify the names of the affected organizations but indicates that the targeted are the big players from different industries including chemical, health, construction, food, entertainment, and automobile. Most of these companies deal with revenue streams of millions and billions.

In the recent past, ransomware attacks have been on a rise and are being widely publicized as well, but due to the rapid increase in the number of ransomware attacks, many of these go unnoticed and hence unreported. As a result, the number of affected companies as per the NCSC report is likely conservative. Reportedly, the affected organizations are on their own as they recuperate from the attack by either being forced to pay the ransom or resorting to untainted backups to restore files.

NCSC's report enlists three file-encrypting malware pieces namely LockerGoga, MegaCortex, and Ryuk that are to be blamed for the malware penetration, these pieces of malware use a similar digital infrastructure and are "common forms of ransomware." While drawing other inferences, NCSC reckons the utilization of zero-day vulnerabilities for the infection. The dependence upon the same digital infrastructure implies that the attackers setting-up the attacks transferred the threat onto the victim's network via a single network intruder.

Professionals in intruding corporate networks tend to find allies who are involved in ransomware dealings and being experts they are always inclined to spot the best amongst all for whom they gladly pay a lump sum amount of money as salaries on a monthly basis in turn for proficient penetration testers that can potentially travel via infected networks without being detected. Here, the level of access provided determines how high the prices can go up to.

Cybercriminals are not likely to stop spreading ransomware as long as there are victims who are paying the ransom as they have no other option to fall back on, NCSC strictly recommends that organizations strengthen their security net to avoid falling prey to ransomware attacks carried out every now and then these days. 

An IT contractor accidentally takes down NYPD's high-tech fingerprint database with a ransom malware!


The much-coveted and popular in news for keeping juveniles fingerprints data, the New York Police Department's fingerprint unit yet again gained much attention as it was shut down for hours because of ransomware.


The NYPD was hit by this ransom malware when they hired a third-party IT, contractor, to set up a digital display at the police academy in Queens on October 5 last year. And when he connected his tainted NUC mini-PC to the police network, the virus attached itself to the system. The virus immediately spread to 23 machines linked to the department's LiveScan fingerprint tracking system.

Deputy Commissioner for Information Technology Jessica Tisch said the officers discovered the malware within hours and contacted the cyber command and joint terrorism task force to solve the potential threat. We wanted to get to the bottom of this,' Tisch said. 'Was this plugged in maliciously was really important for us to get to the bottom of this.'

The ransomware was not executed but the fingerprints system was shut down for hours and were switched back on the next morning. Precautionary, 200 computers were reinstalled throughout the city to be safe.

The NYPD said, 0.1 percent of computers were attacked by the breach but the threat potential was large, as once inside the system, they could access case files and privileged data. The virus, ransomware locks the data, unless a 'ransom' is paid, fortunately, it could not execute the command and they shut down the system.

The IT contractor that accidentally bought the malware was questioned but not arrested.

Experts told the New York Post that breaches in public databases pose a serious security issue. Adam Scott Wandt, a professor of cybersecurity at John Jay College of Criminal Justice in Manhattan, said any breach put information at risk of being stolen. 'It's a fairly complex world that we live in,' he added. 'Everything is linked together. The government normally does a fairly good job of keeping hackers out, but every now and then there is a breach.'

Finland Municipalities and Government Agencies Prepare for Possible Cyberattack


Finland is adapting to protect itself from a secret criminal organization warning to attack cyber-security if the country fails to pay Bitcoins as the ransom money. 

"Around two hundred Finland government bodies and districts participated in the preparation. The situation reportedly concerns a possible group of hackers asking Bitcoin ransom before prosecuting several attacks on cybersecurity," concludes the reports of YLE. The threats are said to be given by #Tietovuoto321, a crew of criminal hackers. According to reports, the group sent Bitcoin ransom blackmails to more than 200 Finnish government agencies, in response to which the Finland authorities have taken steps.


Organizations prepared for further warnings- The training Taisto is conducted by the Population Register Centre, aiming for supporting the technologization of the nation and computerized assistance in Finland. The Population Register Centre works for the Ministry of Finance. As of now, public agencies and bodies noticed their websites and cybersecurity vulnerable to hacking recently. Therefore, a training program is said to be scheduled in the coming days. "The voluntary bodies have reacted happily," says General Secretary, Population Register Centre. He further says, "The institutions in recent times have started waking up to new attacks daily and it is becoming a matter of concern for the nation."

Cases of Ransomware threats have increased- 
The attacks demanding ransoms have multiplied in recent times. Government bodies have become a simple target for hackers all around the world. In a new report published by Hard Fork, "The American government had to pay the hackers to recover their health institutions' data servers."In a data breach incident last month in Mexico, the hackers demanded Bitcoins valued $4.9 million from a government-owned oil company named Pemex.

But it's not all sad and gloomy. In a surprising change of events recently, a user sufferer of ransomware claimed vengeance on his enemies by hacking the database that supported their virus, publishing 1000 deciphering codes for other victims to help them get their money back. In the present times, it is quite difficult to completely divert such warnings in the actual course, but the training tries to support institutions' capacities to fight an invasion.

Technology Company Hit by Ransomware Attack, Prevented Access to Crucial Patient Records


Virtual Care Provider Inc, a Wisconsin based technology company that provides cloud data hosting, security, and access management to more than 100 nursing homes was hit by a ransomware attack carried out by Russian hackers. The involvement of Ryuk encryption prevented access to crucial medical records of the patients and administration data related to the medication. After encrypting all the data hosted by the company for its patients and clients, attackers demanded a $14 million ransom in bitcoin in turn for a digital key that would unlock access to the data. Unable to afford the ransom, the company owner said that she is fearful of the consequences of the incident which could lead to the premature death of certain patients and the shutdown of her business.

Reportedly, the ransomware was spread via a virus known as 'TrickBot', the company told that it is 'feverishly working' to regain access to crucial data. The officials estimated that about 20% of the company's servers were compromised during the attack.

In a letter addressed to the company's clients, obtained via the Milwaukee Journal Sentinel, Christianson and Koch said that VCPI is "prioritizing servers that provide Active Directory access, email, eMAR, and EHR applications. We will be communicating status updates often and transparently, and, in preparation for service restoration, recommending to you the most efficient manner for your users to regain authenticated access."

Operated by WIZARD SPIDER (eCrime group), Ryuk is a targeted, well-planned and sophisticated ransomware that has targeted large organizations, primarily those that supply services to other businesses. It is employed to target the enterprise ecosystem and has mainly focused on wire fraud in the recent past. Despite having relatively low technical abilities and being under constant development since its release in August 2018, Ryuk has successfully encrypted hundreds of systems, storage and data centers in all the companies it attacked.

VCPI chief executive and owner Karen Christianson said, “We have employees asking when we’re going to make payroll,” “But right now all we’re dealing with is getting electronic medical records back up and life-threatening situations handled first.”

“We’ve got some facilities where the nurses can’t get the drugs updated and the order put in so the drugs can arrive on time,” she further told. “In another case, we have this one small assisted living place that is just a single unit that connects to billing. And if they don’t get their billing into Medicaid by December 5, they close their doors. Seniors that don’t have a family to go to are then done. We have a lot of [clients] right now who are like, ‘Just give me my data,’ but we can’t.”