Search This Blog

Showing posts with label Ransomware. Show all posts

Hackers Leak Tons of Personal Data as IndiaBulls Fails to Meet the First Ransomware Deadline


Hackers demanding ransom released data, as the IndiaBull failed to meet the first ransom deadline. It happened after a 24-hour ransomware warning was issued, and when the party was unable to make ends meet, the hackers dumped the data. According to Cyble, a Singapore based cybersecurity agency, the hackers have threatened to dump more data after the second deadline ends. The hackers are using ransomware, which the experts have identified as "CLOP."


The hackers stole the data from IndiaBulls and released around 5 Gb of personal data containing confidential files and customer information, banking details, and employee data. It came as a warning from the hackers, in an attempt to threaten the other party, says a private cybersecurity agency.

About the data leak-
The dumped data resulted in exposing confidential client KYC details like Adhaar card, passport details, Pan card details, and voting card details. The leak also revealed personal employee information like official ID, contact details, passwords, and codes that granted access permission to the company's online banking service. The IndiaBulls' spokesman said that the company was informed about the compromise of its systems on Monday; however, the data leaked is not sensitive. When asked about the data leak incident that happened on Wednesday, he said that the company had nothing to say.

The cybersecurity agency, however, tells a different story. It says that the spokesperson's information is incorrect as the attack did not happen on Monday. It also says that it requires some time to carry out such an attack, in other words, the transition phase from initial attack to extortion. The company may have been confused or misguided, say the cybersecurity experts. In a ransomware attack, the hacker makes it impossible for the user to access the files by encrypting them. Most of the time, the motive behind the ransomware threat is money, which is quite the opposite of state-sponsored hackers, whose aim is to affect the systems. In the IndiaBulls' incident, hackers encrypted the files using CLOP ransomware. It is yet to confirm how the hackers pulled this off, but according to Cyble, it was mainly due to vulnerabilities in the company's VPN.

Texas Hit By a Human-Operated Ransomware That Targets against Government Agencies and Enterprises



May 2020 was not a good month for both the Texas Courts and the Texas Department of Transportation (TxDOT) as the month marked the discovery of a new ransomware called Ransom X, being effectively utilized in human-operated and focused on attacks against government agencies and enterprises.

Advanced Intel's Vitali Kremez discovered a 'ransom.exx' which was believed to be the name of the ransomware. As this is human-operated ransomware, as opposed to one distributed by means of phishing or malware, when executed the ransomware opens a console that shows info to the attacker while it is running.

As indicated by Kremez, Ransom.exx works to terminate 289 procedures identified with security software, database servers, MSP softwares, remote access devices, and mail servers.

Ransom X will likewise play out a series of orders all through the encryption process that:
Clear Windows event logs
Delete NTFS journals
Disable System Restore
Disable the Windows Recovery Environment
Delete Windows backup catalogs
Wipe free space from local drives.

The commands executed are listed below:
cipher /w %
s wbadmin.exe delete catalog –quiet 
bcdedit.exe /set {default} recoveryenabled no 
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures 
schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable 
wevtutil.exe cl Application 
wevtutil.exe cl System 
wevtutil.exe cl Setup 
wevtutil.exe cl Security 
wevtutil.exe sl Security 
/e:false fsutil.exe usn deletejournal /D C: 

The ransomware then starts to encrypt the entirety of the information on the computer and affix a custom extension related to the victim to each encrypted record.

As observed below, the custom extension for the Texas Department of Transportation attack was .txd0t.


Furthermore, when completed, the Ransom X console will show the number of encoded files and how long it took to finish it. In every folder that was scanned during the encryption procedure, a ransom note named![extension]_READ_ME!.txt will be made.

This ransom note incorporates the company name, and email address to contact, and guidelines on the most proficient method to pay the ransom.

As observed below, the ransom note is modified for a certain victim that is enduring an attack, which for this situation is the Texas Department of Transportation.


However, in the case of Texas where the attack made its significant hit it is to be noted that at the hour of the attack, it was not comprehended what ransomware focused on the government agencies.

In any case, because of the limited visibility into this ransomware operation, there is no data with respect to the ransom sums or whether they steal information as a major aspect of the attack.

This ransomware has now been broken down, analyzed, and seems secure, which implies that it is highly unlikely to decrypt the files for nothing.

Cognizant Reveals Employees Data Compromised by Maze Ransomware


Leading IT services company, Cognizant was hit by a Maze Ransomware attack earlier in April this year that made headlines for its severity as the company confirmed undergoing a loss of $50-$70 million in their revenues. In the wake of the ransomware attack, Cognizant issued an email advisory alerting its clients to be extra secure by disconnecting themselves for as long as the incident persists.

Cognizant is one of the global leading IT services company headquartered in New Jersey (US). It started in 1994 as a service provider to Dun & Bradstreet companies worldwide; later in 1998, it became independent when D&B split into three, and one group of companies came under Cognizant corporation. Since then, the company has grown leaps and bounds making a name for its consulting and operation services in the industry.

The threat actors involved carried out the attack somewhere between 9-11 April, during this period of three days when the company was facing service disruptions, the operators mined a considerable amount of unencrypted data that included credit card details, tax identification numbers, social security numbers, passport data, and driving license information of the employees.

While giving further insights into the security incident, Cognizant said in its SEC filing, “Based on the investigation to date, we believe the attack principally impacted certain of our systems and data.”

“The attack resulted in unauthorized access to certain data and caused significant disruption to our business. This included the disabling of some of our systems and disruption caused by our taking certain other internal systems and networks offline as a precautionary measure."

“The attack compounded the challenges we face in enabling work-from-home arrangements during the COVID-19 pandemic and resulted in setbacks and delays to such efforts,” the filing read.

“The impact to clients and their responses to the security incident have varied,” the company added.

Ransomwares evolving: Cybercriminals collaborating and auctioning data


Ransomware are soon becoming the most feared disease of cyber-world, started from simple encryption of the victim's computer and files, they have now evolved to stealing and selling data. But it's not limited to just that, now these stolen data will be auctioned off to the highest bidder if the ransom is not paid.


Sodinokibi/REvil group recently launched its auction website from its own blog. Their first debut was an auction of files retrieved (stolen) from a Canadian agriculture company whose ransom was not paid. The starting bid - $50,000 Monero cryptocurrency.

These auction websites are quite beneficial for these hackers, first by creating potential of monetization and second by putting additional pressure on the victims to pay up the ransom. Even governments and cybersecurity vendors spend millions for this kind of data, employing people to lurk the dark web for sensitive data on elite class. Now, they can directly buy this from these auction sites.

The REvil group was also rumored to sell files on pop singer Madonna which they hacked from entertainment law firm Grubman Shire Meiselas & Sacks.

Brett Callow, a threat analyst at Emsisoft says, “The auctions may be less about directly creating revenue than they are about upping the ante for future victims. Having their data published on an obscure site is bad enough, but the prospect of it being auctioned and sold to competitors or other criminal enterprises may chill companies to the bone and provide them with an additional incentive to meet the criminals’ demands.” 

He further thinks that soon other ransomware groups will follow REvil with their own auction schemes.

“REvil’s launch of [an] online auction was, in many ways, a logical and inevitable progression as ransomware groups constantly seek out new ways to monetize attacks and apply additional pressure to companies,” Callow said. “In the same way that other ransomware groups adopted [the Maze ransomware group’s] encrypt-and-exfiltrate strategy, it’s almost inevitable that other groups will also adopt REvil’s encrypt-exfiltrate-and-auction strategy.”

Joining Forces

Another tactic by these groups is joining forces, the idea of helping each other, and increasing their threat value. The infamous Maze ransomware has partnered with LockBit (not many financial details have been shared) and they even published LockBut's stolen data on their own data leak website.

Maze also announced that they are in talks with another ransomware group and may collaborate with a third ransomware operation.

The First Ransomware Attack and the Ripples It Sent Forward In Time


What was once a simple piece of malware discovered just 20 years ago this month exhibited its capacity which transformed the entire universe of cyber-security that we know of today?

Initially expected to just harvest the passwords of a couple of local internet providers, the malware, dubbed as 'LoveBug' spread far and wide, infecting more than 45 million devices to turn into the first piece of malware to truly take businesses offline.

LoveBug was the shift of malware from a constrained exposure to mass demolition. 45 million compromised devices daily could rise to 45 million daily payments.

Be that as it may, eleven years before anybody had known about LoveBug, the IT industry saw the first-ever main case of ransomware, as AIDS Trojan. AIDS Trojan which spread through infected floppy disks sent to HIV specialists as a feature of a knowledge-sharing activity.

The 'lovechild' of LoveBug and AIDS Trojan was the ransomware that followed, with GPCoder and Archievus hitting organizations around the globe through which the hackers additionally bridled ecommerce sites to discover better ways to receive payments.

The protection industry responded by taking necessary steps with 'good actors' cooperating to decipher the encryption code on which Archievus depended, and sharing it broadly to assist victim with abstaining from paying any ransom.

From that point forward the 'cat and mouse' game has proceeded with viruses like CryptoLocker, CryptoDefense, and CryptoLocker2.0 constructing new attack strategies, and the protection industry executing new defenses. Presently ransomware has become increasingly sophisticated and progressively prevalent as targets today are more averse to be individuals since large businesses can pay enormous sums of cash.

And yet, data protection has become progressively sophisticated as well, with certain four areas that should now be a part of each business' ransomware strategy: protect, detect, respond, and recover. Social engineering and phishing are also presently becoming progressively central to the success of a ransomware attack.

The LoveBug was effective in a scattergun fashion, yet at the same time depended on social engineering.

Had individuals been less disposed to open an email with the subject line ‘I love you', the spread of the malware would have been 'far more limited'.

Nevertheless, the users presently ought to be more alert of the increasingly diverse threats in light of the fact that inexorably, hackers are expanding their threats data exfiltration or public exposure on the off chance that they feel that leaking data may be progressively 'persuasive' for their targets.

Thus so as to react to the issue, it's essential to have backup copies of data and to comprehend the nature and estimation of the information that may have been undermined in any way.

Hackers who were preparing attacks on hospitals arrested in Romania


Romanian law enforcement officials stopped the activities of the cybercriminal group PentaGuard, which was preparing to carry out attacks on Romanian hospitals using ransomware.

Four hackers were arrested, and searches were conducted at their place of residence (at three addresses in Romania and one address in Moldova). According to the Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT), hackers had various malicious programs at their disposal, including Trojans for remote access, ransomware, as well as tools for defacing sites and SQL injections.

In addition, hackers developed malicious computer applications for use in computer attacks, such as rasomware-cryptolocker and RAT (Remote Trojan Access). Such malicious attacks were directed against several state institutions, as in Bucharest.

During the investigation, it became clear that cybercriminals planned to attack hospitals. The attackers intended to send phishing emails on the subject of COVID-19 to medical institutions, and use them to infect networks with ransomware Locky or BadRabbit, encrypt files and demand a ransom for recovery. According to the Romanian media, this is how the cybercriminals wanted to protest against the quarantine measures taken by the Romanian government.

This type of attack makes it possible to block and seriously disrupt the functioning of the IT infrastructure of these hospitals. They are part of the healthcare system, which currently plays a decisive and decisive role in combating the pandemic with the new coronavirus.

The hacker group PentaGuard has existed since about 2000. In January 2001, the group carried out a massive deface of the sites of the British and Australian governments. Over the past few years, PentaGuard has not conducted any deface campaigns but has remained active on hacker forums. In January 2020, the group resumed defacing attacks.

ProLock Ransomware Operators Join Hands with QakBot Trojan to Infect Victims' Networks


'Human-operated ransomware' has been on a rise with the emergence of ProLock in the month of March, the new ransomware came as a successor to 'PwndLocker', another variant of malware targeting all the major industries from finance, retail to healthcare and governmental organizations as well. Notably, in late April, the attack targeting the largest ATM provider in the United States, Diebold Nixdorf was the first major attack carried by ProLock where the attackers only compromised the company's corporate network while their ATMs and customer networks were left untouched, according to the media reports.

In order to acquire access to targets' networks, ProLock has joined hands with financial malware primarily targeting businesses, QakBot. Since its initial online fraud attacks, the banking trojan has constantly evolved to specialize in SOCKS proxy, anti-research capabilities and to effectively steal victims' online banking credentials. The malware has been upgraded so much so that one of its present variants can even incapacitate securing software functioning at the endpoints. Interestingly, the assistance of QakBot that distinguishes the malware from other ransomware operators further strengthens the operations of ProLock as it helps the malware with credential dumping and anti-detection techniques.

ProLock makes use of RDP and QakBot to set the attack into motion, it assists the threat actors in evading detection and with persistence. Researchers told QBot specializes in bypassing detection as it is programmed to check out for its latest version and replace its current version with the newest one. Meanwhile, in order to acquire persistence in the network, the attackers use authentic accounts for RDP. RDP allows the malware to move laterally across networks and accumulate data, which later is exfiltrated through a command-line tool. Side by side, the files are being encrypted by ProLock that adds a .proLock, .pr0Lock or .proL0ck extension to all the encrypted files and leaves a ransom note demanding a ransom in turn for their data. However, as of now, ProLock doesn't have a website to publish victims' stolen data in case they are denied ransom.

“ProLock uses many similar techniques as other ransomware operators to achieve their goals,” said Oleg Skulkin, senior digital forensics analyst at Group-IB in a recent analysis. “At the same time, however, the group does have its own unique approach. With more and more cybercrime groups showing interest in enterprise ransomware deployment campaigns, some operators may be involved in deploying different ransomware families, so we’ll likely see more overlaps in tactics, techniques, and procedures.”

SeaChange, Video Delivery Software Solutions Provider Hit By Sodinokibi Ransomware


SeaChange, a leading supplier of video delivery software solutions has been attacked by the authors of Sodinokibi ransomware. Reportedly, the operators have published images of the data they claim to have obtained after encrypting the systems and are threatening the Waltham, Massachusets based company to leak the stolen data.

SeaChange International has offices in Poland and Brazil, it is a remotely managed video solution provider with around 50 million subscribers across the globe. BBC, DISH, COX, DNA, Quickline, RCN, and Starhub are a few names amongst their 200+ video provider customers.

The cybercriminals behind Sodinokibi ransomware have been actively involved in posting illegally obtained data of victims onto their leak website since 2019 and then demanding a ransom for the release of the same. Lately, attackers have increasingly employed this strategy of building pressure on non-paying victims and converting them into a paying one by releasing the stolen data bit by bit, starting from smaller parts.

In this particular case, the attackers created a webpage by the company's name and published the images of the allegedly stolen data on that page, it contained a screenshot of folders on one of the SeaChange's servers targeted by the attackers, a driver's license, insurance certificates and a cover letter for a proposal sent to Pentagon for video-on-demand service. However, the operators did not specify the ransom amount at that time.

While denying to provide further data, Sodinokibi operators said, "Thank you for your interest and your questions, but I really can't answer. We publish confidential information about companies if they ignore us for a long time or decide not to pay. Otherwise, we are not ready to share any information about them in their own interests, including share which companies we have encrypted, how much data we have stolen, etc."

Double Extortion- A Ransomware Tactic That Leaves The Victims With No Choice!


In addition to all the reasons ransomware were already dangerous and compulsive, there’s another one that the recent operators are employing to scare the wits out of their targets.

Cyber-criminals now tend to be threatening their victims with publishing and compromising their stolen data if the ransom doesn’t get paid or any other conditions aren’t followed through with.

The tactic in question is referred to as “Double Extortion” and quite aptly so. Per sources, its usage emerged in the latter half of 2019 apparently in use, by the Sodinokibi, DopplePaymer and Clop ransomware families.

Double extortion is all about doubling the malicious impact a normal ransomware attack could create. So the cyber-criminals try and stack up all sorts of pressure on the victims in the form of leaked information on the dark web, etc.

They just want to make sure that the victims are left with no other option but to pay the ransom and meet all the conditions of the attack, no matter how outrageous they are.

The pattern of Double Extortion was tracked after a well-known security staffing company from America experienced the “Maze ransomware” attack and didn’t pay up the 300 Bitcoin which totaled up to $2.3 Million. Even after they were threatened that their stolen email data and domain name certificates would be used for impersonating the company!

Per sources, all of the threatening wasn’t without proof. The attackers released 700 MB of data which allegedly was only 10% of what they had wrested from the company! And what’s more, they HIKED the ransom demand by 50%!

According to sources, the Maze ransomware group has a website especially fabricated to release data of the disobliging organizations and parties that don’t accept their highly interesting “deals” in exchange for the data.

Reportedly, ranging from extra sensitive to averagely confidential data of dozens of companies and firms from all the industries has found its way to the Maze ransomware website.

Clearly impressed by it many other operators of similar intentions opened up their own versions of the above-mentioned website to carry forward their “business” of threatening companies for digital currency and whatnot! They sure seem to have a good sense of humor because per sources the blog names are the likes of “Happy Blog”.

Per reports, the Sodinokibi ransomware bullied to leak a complete database from the global currency exchange, Travelex. The company had to pay $2.3 Million worth Bitcoin to get the attackers to bring their company back online.


Per reports of the researchers, the attackers would always release some kind of proof that they have the extremely valuable data of the company, before publishing it, to give the company a fair chance at paying up the ransom demanded.

Usually, these attacks are a win-win for the attackers and a “lose-lose” for the victims because if they decide not to pay up they would be putting their company in a very dangerous situation with all the valuable data compromised online for anyone to exploit, they would have to report the breach and they would have to pay a considerably high fine to the data privacy regulator. And if they pay up, they would be losing a giant plop of money! And sadly the latter feels like a better option.

Hospitals happen to be the organizations that are the most vulnerable to these attacks because of all the sensitive health-related data their databases are jam-packed with on any other day and additionally due to the Coronavirus outbreak.

The organizations could always follow the most widely adapted multi-layered security measures for keeping their data safe obviously including updating systems, keeping backups and keeping data protected in any way they possibly can.

The most conscientious gangs of the many ransomware families, per sources, have promised to not attack hospitals amidst this pandemic. But that doesn’t stop the other mal-actors from employing cyber-attacks.

The cyber-crime forecasters have mentioned that the year 2020 would be quite a difficult year for these organizations what with the lock-down and no easier (malicious) way to earn money, apparently? Food for thought!


L4NC34 Ransomware Teaches That Ransomware Attacks Ought To Never Be Trifled With




There is no denying the fact that whenever the word ransomware is mentioned computers are an instinctive afterthought to have been largely infected by the same. The impact is without a doubt an extremely serious one and so it always escapes our notice that it’s the websites also that are touched upon by this impact.

While Ransomware is normally thought to be a method wherein files are encrypted in a super-perplexing way, alongside a ransom note asking hundreds to thousands of dollars’ worth of cryptocurrency.

Typically this is kind of the reality — however, attackers aren't very similar to each other and not all may have the technical ability or would even attempt to go to such lengths.

Thus as of late, there was a case where the entire website files were apparently encrypted and had their file names changed to affix a ".crypt".

Among the files, we additionally found the ransom note one might usually discover in this type of malware, but this one was somewhat unusual — it wasn't an HTML or a .txt file. Rather, the ransom note was actually located inside a PHP file and appeared to contain actual capacities.

Here is a more critical look at the file.



The code of the malicious PHP file is as follows:

'.base64_decode('PHRpdGxlPkw0TkMzNCBSYW5zb213YXJlPC90aXRsZT4KPGx[pbmsgcmVj[REDACTED BASE64 CODE]dCBNYWlsIDogbDRuYzM0MEBnbWFpbC5jb20=').'

At first glance, nothing looks particularly surprising here, when decoded the result is:

L4NC34 Ransomware "; } function decdir($dir){ $files = array_diff(scandir($dir), array('.', '..')); foreach($files as $file) { if(is_dir($dir."/".$file)){ decdir($dir."/".$file); }else { decfile($dir."/".$file); } } } decdir($_SERVER['DOCUMENT_ROOT']); echo "
Webroot Decrypted
"; unlink($_SERVER['PHP_SELF']); unlink('.htaccess'); copy('htabackup','.htaccess'); echo 'Success !!!'; } else { echo 'Failed Password !!!'; } exit(); } ?>

L4NC34 ransomware


Your Website Is Encrypted

Don't Change the Filename because it Can Damage the File If You Want to Return You Must Enter the Password First
Send Me $10 For Back Your Website

Bitcoin Address :


Contact Mail: l4nc340@gmail.com

Now the portions of code responsible for displaying the ransom note, along with the actual decryption process for the files are very clearly visible.

However, this code contains a few specific characteristics that are worth noting.

$input = $_POST['pass']; $pass = "9c6679accb84e3ef938b1f4c24158355"; if(isset($input)) { if(md5($input) == $pass) {


This 'snippet' basically verifies if the password inputted on the page coordinates the hardcoded md5 hash. That appears to be somewhat odd; one may expect that the alleged key was not hardcoded — yet if so, at that point there might be a purpose behind these apparently encrypted files.

This next bit is answerable for the ransomware's file decryption function:

function decfile($filename){ if (strpos($filename, '.crypt') === FALSE) { return; } $decrypted = gzinflate(file_get_contents($filename)); file_put_contents(str_replace('.crypt', '', $filename), $decrypted); unlink('crypt.php'); unlink('.htaccess'); unlink($filename); echo "$filename Decrypted !!!
";


While there really isn’t anything special or very complex about it. The decryption process just seems to take into account the actual contents of the file and then gzinflate them.

From what is clearly evident here, it’s safe to assume that the only way this hacker “encrypted” the files was to gzdeflate the files and change their file name.

This is what one of the encrypted files looked like:



Backing up to the original ransom note/script and modifying it to execute the decryption function without affecting anything else.

We can go ahead and run it either through a terminal or through the browser directly. And when done so with the following command:

$php ransom.php
Webroot Decrypted
Success !!!


What’s visible is the decrypted contents of the previous file, which look as expected.



Well, thankfully the ransomware encryption was easily and quickly reverted without paying the $10 fee.

But the question that still stands strong is that since it’s so easy to reverse this infection, ‘Did someone ever even end up paying the attacker?’

The answer to which can be found if we take a look at the bitcoin wallet address



Fortunately, it appears that there were no transactions on this wallet. Ideally, that implies that none of the infected sites wound up paying the ransom and had the option to return the malignant file without issues.

In any case, this being observed the Ransomware attacks ought to never be trifled with as in the United States alone, potential expenses surpassed $7.5 billion in 2019. What's more, much like other ransom included crimes, but still, there's no guarantee that paying a ransom will end in a positive result.

Microsoft Issues Its First Ever ‘Targeted’ Warning ; Saving VPN Servers of Hospitals


Following a recent disclosure about Iranian hackers targeting on vulnerabilities in VPN servers like the Pulse Secure, Palo Alto Systems, Fortinet, and Citrix, Microsoft gave its first-ever 'targeted' warning to a few dozen hospitals, informing them of the vulnerabilities in their own virtual private network (VPN) appliances.

With the organizations depending all the more heavily on the VPN servers as the lockdowns are in full swing of the unfortunate outbreak of the Corona Virus. They had no other option except to fall back to this means to help telecommuters but that in the end has made that specific part of the system a weakness i.e a soft spot for ransomware attackers to target – specifically at hospitals with already stressed assets.

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (DHS CISA) a month ago cautioned all organizations to fix VPN services, however, Microsoft is especially worried about hospitals' vulnerability to human-operated ransomware due to unpatched VPN servers.

One group the Microsoft team has been following is the REvil, otherwise known as Sodinokibi, ransomware gang, which is known for setting monstrous ransom demands for businesses and government agencies.

While the ransomware gang hasn't yet developed new attack techniques but instead has repurposed strategies from state-sponsored attacks for new campaigns that exploit the heightened requirement for information in the current coronavirus crisis.

The Microsoft Threat Protection Intelligence Team uncovered in a new post, "Through Microsoft's vast network of threat intelligence sources, and we identified several dozens of hospitals with vulnerable gateway and VPN appliances in their infrastructure."

"To help these hospitals, many already inundated with patients, we sent out a first-of-its-kind targeted notification with important information about the vulnerabilities," it added later.

When mentioning these new ransomware gangs the Microsoft team noted, “We haven't seen technical innovations in these new attacks, only social engineering tactics tailored to prey on people's fears and the urgent need for information."

And so the Multinational Technology's recommendation to hospitals and various other organizations is to follow three key steps to shield their VPN services from attacks:

  • Apply all available security updates for VPN and firewall configurations. 
  • Monitor and pay special attention to your remote access infrastructure. 
  •  Turn on attack surface reduction rules, including rules that block credential theft and ransomware activity. 

Apart from these, there are a few more published by Microsoft to further help mitigate these attacks.

Canada Cybersecurity: Health Care Industry Battles Cyberattacks as Experts Call-in Federal Support


Canada's hospitals and clinics are suffering massive cyber threats as the cyberattacks targeting the Canadian healthcare industry saw a sudden rise in number.

Researchers reported that the health-care sector is the most targeted sector in Canada amounting to a total of 48% of all security breaches in the country. Digital security of hospitals in Canada is being exposed to heavy risk as the growing number of data-breach incidents imply how the healthcare industry has become the new favorite of cybercriminals.

The issue has gained widespread attention that led to calls for imposing national cybersecurity standards on the healthcare industry. In order to tackle the problem effectively and protect the privacy of their patients, the institutions are required to update their cybersecurity arsenal for which the federal government's involvement is deemed necessary by the experts.

While commenting on the matter, Paul-Émile Cloutier, the president and CEO of HealthcareCAN, said: "My biggest disappointment at this moment is that it seems that anything that has to do with the health sector and cybersecurity is falling between the cracks at the federal level."

Cybersecurity experts expressed their concern in regard and put into perspective the current inability of the Canadian health system to cope up with the increasing risk.

Experts believe that information regarding a person's health can potentially be of more value to the cybercrime space than credit card data itself for an individual's health care identity contains data with unique values that remains the same over time such as the individual's health number or DOB, it assists hackers in stealing identities by making the process smooth.

Over the past year, various Canadian health-care institutions became victim of breaches including LifeLabs, one of the country's largest medical laboratory of diagnostic testing for healthcare, which was hit by a massive cyberattack compromising the health data of around 15 million Canadians. The private provider was forced to pay a ransom in order to retrieve the stolen customer data.

In another incident, attackers breached the computer networks of three hospitals in Ontario that led to a temporary shut down of diagnostic clinics and non-emergency cases were told to come back later.

New Malicious Program 'Nefilim' Threatens to Release Stolen User Data


Nefilim, a new malicious program that basically is ransomware that functions by encrypting files on affected systems, has become active in the cyber ecosystem since February 2020. After encryption of the files, it demands a ransom from the victims for the decryption of files, tools, and software. However, it is still unclear how the ransomware is being spread, sources reckon that it's distributed via susceptible Remote Desktop Services.

As per the head of SentinelLabs, Vitali Krimez and Michael Gillespie from ID Ransomware, the code employed in Nefilim resembles much that of Nemty's, another file-encrypting ransomware that steals user data by restricting access to documents and multimedia using the AES-256 algorithm. As to the speculations of security researchers, it is likely that the authors of the first ransomware have a role to play in Nefilim's creation and distribution. However, due to the uncertainty revolving around the operation source of the new ransomware, experts also point towards a possibility of the source code being somehow obtained by the new malicious actors to develop a new variant.

While the encryption is underway, all the affected files are added with ".NEFILIM" extension. For instance, a file previously named "xyz.png" would start appearing as "xyz.png.NEFILIM" after the encryption takes place. The completion of the process is followed by a ransom note being created on the infected user's desktop titled "NEFILIM-DECRYPT.txt", "A large amount of your private files have been extracted and is kept in a secure location. If you do not contact us in seven working days of the breach we will start leaking the data. After you contact us we will provide you proof that your files have been extracted." the note reads.

As per the sources, for money matters, Nefilim primarily pins its hopes on email communications instead of a Tor payment site after the removal of the Ransomware-as-a-Service (RaaS) component and it stands out as one major difference. According to the analysis carried out by Gillespie, it has been made clear that as of now there exists no way to retrieve files without paying the ransom because the ransomware is reported to be completely secure. As a result of that, victims are being threatened to pay the demanded amount within a week or else the data stolen will be exposed by the attackers.

Stay Wary of Third-Party Apps: Malware App 'CovidLock' Locks User Out of their Phone


In an attempt to block misinformation from being spread by developers taking advantage of the COVID-19 charged environment, Google started prevention by blocking any search made for terms "COVID-19" and "coronavirus" on Google Play Store. It identified certain developers' malicious intent of exploiting user's concerns regarding the new coronavirus. As of now, Google's attempt to block searches has yielded positive results with the search for the aforementioned keywords returns no results at all on the Play Store.

Once you are out of the Play Store searching for the same, considering the installation of third-party apps, it becomes a matter of great concern as developers are embedding ransomware in apps named after the new coronavirus to delude uninformed users.

Recently, DomainTools, a Threat Intelligence company found an app known as "CovidLock" that is ransomware in the facade of 'coronavirus tracking app'. The app will appear to be a real-time tracker for the coronavirus but it will function as a malware that will lock the user out of his phone and ask for a ransom of $100 in bitcoin within a time period of 48 hours. If the affected user fails to provide the demanded ransom in the given time, he receives threats of his social media accounts being exposed online and the data stored onto his device being permanently deleted. It further notifies that his device is constantly monitored and in case he attempts to do anything stupid, everything will be automatically deleted.

However, a piece of good news is that the new mobile devices are secured against such attacks as Google has added defense against it. But in cases of users running versions older than Android Nougat, there are chances of their device being infected by this malware. To stay on a safer side, users are being advised to stick to the Google Play Store when downloading apps. Turning to unauthorized third-party sources invites great danger to user security especially at a time when our concerns and fears can be exploited and used against us. 

Durham City, North Carolina Hit by Ransomware Attack



On Friday, The City of Durham, North Carolina suffered a cyberattack wherein Ryuk Ransomware crippled the city's IT systems and compromised its public safety phone networks. According to media reports, the city first experienced a phishing attack that eventually allowed the Ryuk Ransomware to develop onto its IT systems. In an immediate response, Durham shut down its network to prevent the attack from further spreading onto the entire network. All-access to the DCI Network for the Durham Police Department, the Durham Sheriff’s Office and their communications center had been temporarily disabled. Ryuk is well-planned and targeted ransomware that is being operated since 2018 by WIZARD SPIDER, a Russia-based operator of the TrickBot banking malware. After gaining access, Ryuk is programmed to permeate network servers as files are exchanged between systems.

As of now, there are no traces of data being stolen, however, users are advised to stay wary of phishing emails acting to be from the city officials. Alongside this, the attack led to the shut down of Durham's 911 call center and caused its Fire Department to be deprived of phone service. Ryuk's technical capabilities are relatively low, however, it has successfully targeted various small to large organizations across the world and encrypted hundreds of systems, storage, and data centres. Usually, the malware corrupt networks after they have been infected by the TrickBot Trojan, a malware designed to illegally harvest users' private data via phishing.

The malware is circulated via malicious email attachments and once it gathers all the important data from a given network, it lets the authors of Ryuk Ransomware acquire administrator credentials and gain access to the harvested data from the network, the malware does so by opening a shell back to the actors operating the threat.

"According to the SBI, the ransomware, named Ryuk, was started by a Russian hacker group and finds its way into a network once someone opens a malicious email attachment. Once it's inside, Ryuk can spread across network servers through file shares to individual computers," WRAL reported.

As per the findings that followed the investigations initiated by the city, the malware employed in the attack was found to be having Russian origins, however, the exact origin of the attack still remains unknown and the investigation regarding the same is underway.

Bretagne Télécom recovered 30 TB data in a ransomware attack by DoppelPaymer


Bretagne Télécom, a cloud service provider was hacked by DoppelPaymer, ransomware that exploited CVE-2019-19781 vulnerability in unpatched servers.


Bretagne Télécom is a French cloud hosting telecommunications company that provides a range of services like telephony, Internet and networking, hosting, and cloud computing services to roughly 3,000 customers with 10,000 servers.

Fortunately this is a success story with a happy ending, as the ransom attack was a failure with no data loss and no ransom paid. The company could restore the encrypted system and data from backups on Pure Storage FlashBlade arrays.

Around 30 TB data was encrypted

The attack took place in the first half of January, on the unpatched servers making them vulnerable to attack. The attackers started scanning the vulnerable servers from Jan 8 and attacked two days later. The company soon released patches to overcome the vulnerability with the final patch being published on January 24.

The DoppelPaymer's operators infiltrated around 148 machines with data from "around thirty small business customers", as Bretagne Télécom CEO Nicolas Boittin told LeMagIT.

The DoppelPaymer Ransomware hackers demanded a ransom of 35 bitcoins (~$330K) for decrypting the system. Ofcourse, the company restored the data and didn't require the "decrypting services" from the hackers. Using the Pure Storage FlashBlade arrays' Rapid Restore feature, Bretagne Télécom could restore all of the customer's data.

"We found the time when the attackers installed the scheduled encryption tasks. Once these tasks and the malware were removed, we were able to return to operational conditions."

"It is not the first time that this has happened to customers. But most of the time, they are self-managing, so we didn't interfere," Boittin added.

"Ransomware from our customers, there may not be one per month, but not far. And we never paid. I refuse to fuel a parallel economy where we would give pirates the means to improve their systems to attack us again."
The company personally decrypted and stored data from each customer without a network, some even took six hours. They could efficiently tackle the attack by considering them as data breaches, most of the companies do that resulting in compromise of sensitive information even before the encryption takes place.

Ransomware Hits Media Monitoring Company 'TV Eyes'


The latest ransomware has attacked 'TV Eyes,' a company that offers campaign monitoring services to TV and radio news broadcasts. PR agencies and newsrooms across the world mostly use TV Eyes service to keep a trace of their broadcast. "The ransomware infected the business somewhere around post-midnight on Thursday, 30th of January," said TV Eyes CEO David Ives in a conversation with ZDNet. The ransomware has damaged crucial TV Eyes servers and communications workstations, affecting the network mainly in the US, along with some other areas.


"We are still calculating the total damage caused by the ransomware to the company's network. However, the company has begun making retrieval attempts," said David to ZDNet. He further says, "TV Eyes is not thinking of paying the ransom demanded by the hackers. Instead, we are reviving the situation from existing backups and focusing on strengthening the affected network infrastructure." "MMS (Media Monitoring Suite), the main product of the TV Eyes company, is not in function since the last 2 days," according to various sources at PR agencies that worked with TV Eyes.

The TV Eyes service gives a platform that allows agencies in monitoring TV telecasts and Radio broadcasts mainly in the U.S (state and other 210 markets) and influential global media organizations. The Media Monitoring Suite-MMS permits the users to seek beyond podcasts for new keywords and also set up an email account for notifications of new events. TV Eyes is a very helpful tool for several journalists, PR agencies, and political parties for campaigning. David says there's no news confirming the comeback of the TV Eyes service in the near time. However, the company is working to restore services as soon as possible.

"The kind of services that companies like TV Eyes offer is often an easy target for the hackers because they know how much dependent and reliable the users of these tools are. Therefore, hackers know that such companies are vulnerable as their users are relying on them for the safety of their data," says Paul Martini, CEO, Iboss (cloud security company). The users of the TV Eyes service are concerned about the privacy of their data, which contains crucial financial information too.

Malware Attack! Oregon County's Network Smashed By a Ransomware?


Per local news and reports, allegedly, a cyber-attack shook the Tillamook County of Oregon, USA when it rendered the local government’s services ineffective.

Apparently owing it to the cyber-attack, the county officials are back to basics with all their daily tasks and are working about the crisis.

When the computers in the various departments of the county started misbehaving, that’s when the officials grasped the severity of the situation and immediately warned the IT department.

That is when the IT department comprehended that the systems had been infected with encrypting malware. To contain the infection, all the affected servers and devices were instantly isolated.

There is no sincere evidence to show if the malware was used for a ransomware attack but it sure is being conjectured on the affirmative. Per sources, no request for a ransom has been posted so far.

Allegedly, the Oregon city was recently struck by a cyber-attack of the same nature about a week ago.

The damage is of such a severe type that along with infecting all of the county’s computers and servers it has seriously harmed both the online and offline phone systems given the “VoIP” (Voice over Internet Protocol) that they employ.

Per sources, to rummage the details of the cyber-attack including the source, type, and magnitude of the attack, the county especially engaged a “digital forensic” team from a well-known cyber-security organization.

There is no doubting the fact that the Oregon county systems have been shut by the attack indefinitely and there is no knowing when they’d be back on operations.

With quite a substantial population to be hit by a cyber-attack of such severity, Oregon County has never before experienced a similar attack. Hence they can’t exactly mention their modus operandi to their plan of mitigation.

Sources mention that the county officials have decided to subcontract a few response operations to counter the attack and its repercussions.

The cyber-crisis management team happens to be the best at what they do and are efficiently working towards containing and mending the damages done by the malware.

Sodinokibi Ransomware threats Travelex to release data, if ransom not paid.



The Sodinokibi Ransomware attackers are pressuring Travelex, a foreign exchange company to pay a 6 million dollar ransom amount or risk going their data public, the attackers warn that they will either release or sell the stolen data that contains users' personal information. 


Travelex was attacked on 31st by New Year's Eve ransomware Sodinokibi Ransomware, the operators stole 5 GB un-encrypted data and later encrypted the company's whole network. 

The Sodinokibi Ransomware operators in conversation with BleepingComputer stated that they are demanding 3 million dollars ransom or they would release the data containing "DOB SSN CC" and other. The ransom was later doubled to 6 million dollars. 

Meanwhile, the exchange company Travelex is still stating that no evidence of any stolen data exists. 

"Whilst the investigation is still ongoing, Travelex has confirmed that the software virus is ransomware known as Sodinokibi, also commonly referred to as REvil. Travelex has proactively taken steps to contain the spread of the ransomware, which has been successful. To date, the company can confirm that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted. Whist Travelex does not yet have a complete picture of all the data that has been encrypted, there is still no evidence to date that any data has been exfiltrated."

In further conversations with BleepingComputer, the operators said even if the company is denying that any data was stolen they are negotiating the ransom price and would benefit even if the ransom is not paid. 

"If this were true, they would not bargain with us now. On the other hand, we do not care. We will still benefit if they do not pay. Just the damage to them will be more serious."

And the Sodinokibi operators are right, they would benefit either way if Travelex does pay the ransom and if it doesn't then they'll simply sell the data. As for Travelex, it will inevitably suffer damage - by paying the ransom, public release of data or if the data is sold to other actors. 

SNAKE Ransomware Targets Entire Corporate Systems?


The new Snake Ransomware family sets out to target the organizations’' corporate networks in all their entirety, written in Golang and containing a significant level of obfuscation, the observations and disclosure for the attacks were made by a group of security specialists from the MalwareHunterTeam.

The Ransomware upon successful infection subsequently erases the machine's Shadow Volume Copies before ending different processes related to SCADA frameworks, network management solutions, virtual machines, and various other tools.

After that, it continues to encrypt the machine's files while skirting significant Windows folders and system files. As a feature of this procedure, it affixes "EKANS" as a file marker alongside a five-character string to the file extension of each file it encrypts. The threat wraps up its encryption routine by dropping a ransom note entitled "Fix-Your-Files.txt" in the C:\Users\Public\Desktop folder, which instructs victims to contact "bapcocrypt@ctemplar.com" so as to purchase a decryption tool.

The ransom note of SNAKE ransomware (Source: Bleeping Computer)

“It is clearly evident from the language in the ransom note, that this Ransomware specifically targets the entire network rather than individual workstations. Further indicating that any decryptor that is purchased will be for the network and not individual machines, but it is too soon to tell if they would make an exception.”
 - This is what Bleeping Computer said in a blog post on SNAKE. 

Nonetheless, the rise of SNAKE Ransomware highlights the critical requirement for organizations to defend themselves against a Ransomware infection.

While making effective use of the suggestions to forestall a Ransomware infection in the first place, they ought to likewise consider 'investing' into a solution like Tripwire File Analyzer for the purpose of distinguishing suspicious documents and conduct on the network.