
British American Tobacco’s Romanian Platform Faces Data Breach; Ransomware Demands Bitcoins

British American Tobacco (BAT)'s Romanian web platform was compromised in a ransomware attack and data breach.
BAT, a United Kingdom-based company, is one of the largest manufacturers of nicotine and tobacco products.
Reportedly, the data breach was first identified on an Irish “unsecured Elasticsearch server” holding around 352 GB of data. The attackers had allegedly reached the location where the data was stored.
The ransom demand was left on the server as a "readme" file, in which the attackers demanded a “Bitcoin payment” in exchange for “not deleting their data”.
Per sources, the researchers discovered the breach on a “server connected to the web platform YOUniverse.ro”, which is part of a Romanian promotional campaign for BAT aimed at adult smokers.
The compromised data includes users’ “Personally Identifiable Information” (PII): name, gender, email address, phone number, date of birth, source IP address, and cigarette and tobacco product preferences.

Romanian law reportedly prohibits most tobacco advertising, while exempting certain promotional campaigns and event sponsorships aimed at existing smokers over 18 years of age.
The platform in question let Romanians win tickets to events and parties featuring local and international performers.
Despite the research team's repeated attempts to get the breach contained, the database had been exposed for two months; it was finally secured on November 27, 2019.
According to sources, the research team contacted the company’s local branch, the global company, the server’s host, Romania’s National Authority for Consumer Protection (ANPC) and the Certification Authority (CA) seeking clarification.
The CA was the only organization to respond. The Romanian journalists contacted along with the authorities have yet to answer.

Three Common Forms of Ransomware Infecting 1,800 businesses, Warns Dutch Govt



Around 1,800 companies across the globe have been affected by ransomware, according to a confidential report by the National Cyber Security Centre (NCSC) in the Netherlands. The report does not name the affected organizations but indicates that the targets are large players from industries including chemicals, health, construction, food, entertainment and automobiles, most of them with revenues in the millions or billions.

Ransomware attacks have been on the rise and widely publicized, but because they are so numerous, many go unnoticed and hence unreported. As a result, the number of affected companies in the NCSC report is likely conservative. Reportedly, the affected organizations are left on their own to recover from the attack, either by being forced to pay the ransom or by restoring files from untainted backups.

NCSC's report names three file-encrypting malware families, LockerGoga, MegaCortex and Ryuk, as responsible for the infections; they use similar digital infrastructure and are described as "common forms of ransomware." Among its other inferences, NCSC suspects that zero-day vulnerabilities were used for infection. The reliance on the same digital infrastructure implies that the attackers staging the attacks delivered the ransomware onto victims' networks through a single network intruder.

Specialists in breaking into corporate networks tend to partner with ransomware operators, who readily pay the most skilled of them substantial monthly salaries in return for intruders able to move through compromised networks without being detected. The level of access obtained determines how high the price can go.

Cybercriminals are unlikely to stop spreading ransomware as long as victims with no other option keep paying. NCSC strongly recommends that organizations strengthen their security to avoid falling prey to the ransomware attacks that are now carried out so frequently.

An IT contractor accidentally takes down NYPD's high-tech fingerprint database with ransomware!


The New York Police Department's fingerprint unit, already in the news for retaining juveniles' fingerprint data, gained attention again when it was shut down for hours because of ransomware.


The NYPD was hit by the ransomware after hiring a third-party IT contractor to set up a digital display at the police academy in Queens on October 5 last year. When he connected his infected NUC mini-PC to the police network, the malware spread onto the system and immediately reached 23 machines linked to the department's LiveScan fingerprint tracking system.

Deputy Commissioner for Information Technology Jessica Tisch said officers discovered the malware within hours and contacted the cyber command and the joint terrorism task force to address the potential threat. 'We wanted to get to the bottom of this,' Tisch said. 'Was this plugged in maliciously was really important for us to get to the bottom of this.'

The ransomware was never executed, but the fingerprint system was shut down for hours and switched back on the next morning. As a precaution, 200 computers throughout the city were reinstalled.

The NYPD said 0.1 percent of its computers were affected, but the potential threat was large: once inside the system, the attackers could have accessed case files and privileged data. Ransomware locks data until a 'ransom' is paid; fortunately, in this case it could not execute, and the system was shut down.

The IT contractor who accidentally brought in the malware was questioned but not arrested.

Experts told the New York Post that breaches in public databases pose a serious security issue. Adam Scott Wandt, a professor of cybersecurity at John Jay College of Criminal Justice in Manhattan, said any breach put information at risk of being stolen. 'It's a fairly complex world that we live in,' he added. 'Everything is linked together. The government normally does a fairly good job of keeping hackers out, but every now and then there is a breach.'

Finland Municipalities and Government Agencies Prepare for Possible Cyberattack


Finland is preparing to protect itself from a criminal group that has threatened cyberattacks if the country fails to pay a ransom in Bitcoin.

"Around two hundred Finnish government bodies and districts participated in the preparation. The situation reportedly concerns a possible group of hackers asking Bitcoin ransom before prosecuting several attacks on cybersecurity," conclude the reports of YLE. The threats are said to come from #Tietovuoto321, a crew of criminal hackers. According to reports, the group sent Bitcoin ransom demands to more than 200 Finnish government agencies, in response to which the Finnish authorities have taken steps.


Organizations prepared for further warnings- The Taisto training exercise is conducted by the Population Register Centre, which works under the Ministry of Finance and aims to support the digitalization of the nation and computerized services in Finland. Public agencies and bodies have recently found their websites and cybersecurity vulnerable to hacking, so a training program is scheduled for the coming days. "The voluntary bodies have reacted happily," says the General Secretary of the Population Register Centre. He further says, "The institutions in recent times have started waking up to new attacks daily and it is becoming a matter of concern for the nation."

Cases of ransomware threats have increased-
Attacks demanding ransoms have multiplied in recent times, and government bodies have become an easy target for hackers all around the world. According to a new report published by Hard Fork, "The American government had to pay the hackers to recover their health institutions' data servers." In a breach last month in Mexico, the hackers demanded Bitcoin worth $4.9 million from the government-owned oil company Pemex.

But it's not all gloomy. In a surprising turn of events, a ransomware victim recently took revenge by hacking the database that supported the malware and publishing 1,000 decryption keys for other victims. Such threats are hard to avert entirely, but the training aims to build institutions' capacity to withstand an attack.

Technology Company Hit by Ransomware Attack, Prevented Access to Crucial Patient Records


Virtual Care Provider Inc (VCPI), a Wisconsin-based technology company that provides cloud data hosting, security and access management to more than 100 nursing homes, was hit by a ransomware attack attributed to Russian hackers. The Ryuk encryption blocked access to crucial patient medical records and medication administration data. After encrypting all the data the company hosts for its patients and clients, the attackers demanded a $14 million ransom in bitcoin in return for a digital key to unlock it. Unable to afford the ransom, the company's owner said she fears the incident could lead to the premature death of some patients and the shutdown of her business.

Reportedly, the ransomware was delivered via the 'TrickBot' malware. The company said it is 'feverishly working' to regain access to crucial data, and officials estimated that about 20% of the company's servers were compromised in the attack.

In a letter addressed to the company's clients, obtained via the Milwaukee Journal Sentinel, Christianson and Koch said that VCPI is "prioritizing servers that provide Active Directory access, email, eMAR, and EHR applications. We will be communicating status updates often and transparently, and, in preparation for service restoration, recommending to you the most efficient manner for your users to regain authenticated access."

Ryuk, operated by the eCrime group WIZARD SPIDER, is targeted, well-planned and sophisticated ransomware that has been used against large organizations, primarily those supplying services to other businesses. It is aimed at the enterprise ecosystem, and the group has mainly focused on wire fraud in the recent past. Despite relatively low technical sophistication and constant development since its release in August 2018, Ryuk has successfully encrypted hundreds of systems, storage devices and data centers in the companies it attacked.

VCPI chief executive and owner Karen Christianson said, “We have employees asking when we’re going to make payroll. But right now all we’re dealing with is getting electronic medical records back up and life-threatening situations handled first.”

“We’ve got some facilities where the nurses can’t get the drugs updated and the order put in so the drugs can arrive on time,” she further told. “In another case, we have this one small assisted living place that is just a single unit that connects to billing. And if they don’t get their billing into Medicaid by December 5, they close their doors. Seniors that don’t have a family to go to are then done. We have a lot of [clients] right now who are like, ‘Just give me my data,’ but we can’t.”

Alert! A Method that Allows Hackers to Make Ransomware on Your Windows Go Unseen.


Cyber-security company Nyotron has identified a new technique that lets attackers modify files on Windows systems in a way that existing anti-ransomware products are unable to detect.

Ransomware is one of the most common cyber-security menaces. "It is said to be the top 2 widely used technique used by hackers, as in the case of hijacking 28 computers appeared," confirms Verizon's data breach investigations report. Unfortunately, at present it is proving quite hard to detect. The technique lets attackers bypass existing security products by relying on a file-system operation, the ‘rename’ call in the Windows operating system. The bypass can be performed in just two lines of code. That is how simple it is for attackers.



What is Ransomware? 

Ransomware is a type of malware designed to deny access to a system or its data until a ransom is paid. It usually spreads through fraudulent e-mails or by visiting a compromised website. Ransomware can be disastrous for an individual or an institution.

"The firm has obeyed declaration disciplines and urged all safety businesspeople to discuss the issue. Moreover, to examine if the system is infected or not, the company has provided users a fresh new tool," says Nir Gaist, Founder and Chief Technology Officer at Nyotron. Gaist further adds, "The unusual style of file alteration 'RIPlace' suggests that while technology might not ‘cover’ the virus, let's say, it helps adjust data on a computer stealthily. Therefore, from the warning player outlook, it is our only hope for identifying 'Ransomware.'" The firm has also explained how the RIPlace technique allows ransomware to evade detection and infect computers even with Symantec Endpoint Protection and Windows Defender Antivirus installed.

"Recently, there was a vulnerability discovered in Canon cameras which allowed the hackers to perform ransomware attacks," say experts from the cyber-security company Check Point. The company examined whether the DSLR's image transfer protocol could be abused to let an attacker compromise the camera and infect it with ransomware. In this case, however, the attacker had to be physically close to the camera. The finding raised concern because similar issues could be used against other kinds of devices.

Windows Security Warning- Ransomware is Rapidly Growing and Has Become Difficult to Guard Against




Security experts are predicting an unusual rise in ransomware attacks and a strategic shift in the cybercrime ecosystem aimed at evading detection and defeating existing defenses. As ransomware attacks grow in scale and impact, the few dominant players of today are expected to fragment into many smaller ones.

Ransomware infects the victim's computer by locking down the hard drive and encrypting the data on the system; the attacker then demands a ransom by a deadline, and if the victim fails to pay, the data is gone for good. It spreads across infected networks via a worm, encrypting machine after machine.

After an in-depth analysis of various Windows security threats, including coin miners, fileless malware, ransomware, PUAs and banking Trojans, the global cybersecurity company Bitdefender concluded that the threat posed by ransomware is growing the fastest: reportedly 74 percent year on year. GandCrab had been one of the most prevalent and sophisticated ransomware families since its arrival in 2018, continually strengthening its defenses and upgrading its delivery methods to bypass detection. After its demise, ransomware saw its first steep fall in the cybercrime ecosystem in terms of the severity of any single threat. However, several new players are entering the scene and might hit security layers even harder than GandCrab; experts have the potential candidates on their radar. One such threat is expected from 'Sodinokibi (aka REvil or Sodin)'.

The upsurge in ransomware attacks in 2019 led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to warn that it was approaching the level of a "large-scale cyber event." According to an August 2019 publication, ransomware "has rapidly emerged as the most visible cybersecurity risk playing out across our nation's networks."

"The fall of GandCrab, which dominated the ransomware market with a share of over 50 percent, has left a power vacuum that various spinoffs are quickly filling. This fragmentation can only mean the ransomware market will become more powerful and more resilient against combined efforts by law enforcement and the cybersecurity industry to dismantle it," the report reads.

Windows Users Beware of the “Complete Control” Hack Attack; Update Imperative!





A common design flaw in Microsoft Windows hardware device drivers has left users' entire systems exposed, handing control to a recently revived Remote Access Trojan (RAT).

The RAT has resurfaced as a modified attack tool that, as it turns out, is completely free of cost.

The NanoCore RAT, as it is called, has been circulating on the dark web for quite some time. It was initially sold for $25, a trivial price for a Windows hacking tool.

NanoCore’s cracked version caused quite a stir among researchers and hackers as soon as it appeared.

Initially the “premium plugins” were paid extras, but the latest cracked version includes them all for free.

The NanoCore author was arrested as the product's popularity grew and his involvement in cybercrime became clear.
Despite that, NanoCore thrived and spawned other variants, including Surprise Ransomware, LuminosityLink and, of course, the free “highly modified” latest version.

According to researchers, the NanoCore RAT has minimal security measures, no real barrier to entry and a very simple interface, making it usable even by novice attackers.

There has been a surge of campaigns using this malware, whose capabilities include:
·       Remote shutdown and restart of Windows systems
·       Remote file browsing on the infected system
·       Access and control of Task Manager, mouse and Registry editor
·       Disabling webcam lights to spy
·       Taking over open webpages
·       Recovering passwords and obtaining credentials
·       Remotely operated “locker” for encryption

Because NanoCore has been around so long, its techniques are well known to researchers, who group them into three main categories: scripting, registry keys and malicious attachments.


The basic defence against the scripting threat is to check Microsoft Office files for macro code and to watch for “anomalous execution” of legitimate scripting programs like PowerShell or Wscript.

Registry keys should be monitored, update and patch cycles kept current, and rigorous behavioural detection put in place.
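As an added example, not code from the original post, here are two of the checks described above written in Python: a test for embedded VBA macro code in an OOXML Office file, and a detection rule that flags Office applications launching PowerShell or Wscript, run over constructed Sysmon-style process-creation records (the log format, file names and sample events are my own constructions).

```python
"""Added example: two defensive checks against the NanoCore delivery patterns above.
  1. has_vba_macro(): does an OOXML Office document embed a VBA project (macro code)?
  2. find_office_spawned_script_hosts(): did an Office app launch a scripting host?
Log format and sample events are constructed stand-ins for Sysmon-style records."""
import io
import re
import zipfile

# Office applications that should not normally launch a scripting host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Legitimate scripting programs whose "anomalous execution" the text says to watch.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# OOXML part names that exist only when the document embeds a VBA project.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def has_vba_macro(data: bytes) -> bool:
    """True if an OOXML container (docm/xlsm/pptm, or a docx renamed to hide macros)
    embeds a VBA project. Legacy OLE2 .doc/.xls files are out of scope here."""
    if not data.startswith(b"PK\x03\x04"):
        return False  # not a zip container, so not OOXML
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(part in names for part in VBA_PARTS)


def build_sample_document(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like container for testing; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed VBA project")
    return buf.getvalue()


# One event per line as key="value" fields (constructed format).
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> dict:
    """Parse one constructed process-creation record into a dict with lowercase keys."""
    return {key.lower(): value for key, value in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lowercase file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_office_spawned_script_host(event: dict) -> bool:
    """The text's 'anomalous execution' case: an Office app is the parent of a script host."""
    parent = basename(event.get("parentimage", ""))
    child = basename(event.get("image", ""))
    return parent in OFFICE_PARENTS and child in SCRIPT_HOSTS


def find_office_spawned_script_hosts(lines):
    """Return (process id, parent name, child name) for every matching event."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_office_spawned_script_host(event):
            hits.append((event.get("processid"),
                         basename(event["parentimage"]), basename(event["image"])))
    return hits


# Constructed sample events: two benign, two matching the pattern.
SAMPLE_EVENTS = [
    'EventID="1" ProcessId="4120" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"',
    'EventID="1" ProcessId="2210" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Windows\\explorer.exe"',
    'EventID="1" ProcessId="5308" Image="C:\\Windows\\System32\\wscript.exe" '
    'ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"',
    'EventID="1" ProcessId="6001" Image="C:\\Windows\\splwow64.exe" '
    'ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"',
]


if __name__ == "__main__":
    for label, doc in (("macro-free", build_sample_document(False)),
                       ("macro-bearing", build_sample_document(True))):
        print(f"{label} document carries VBA: {has_vba_macro(doc)}")
    for pid, parent, child in find_office_spawned_script_hosts(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {parent} launched {child}")
```

In a real deployment the same parent/child rule is expressed as a Sysmon Event ID 1 query in the SIEM; the zip check is a cheap pre-filter for mail gateways, since a macro-bearing file renamed to .docx still carries the vbaProject.bin part.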

Windows users should update their systems immediately and make sure all their applications are running as they should.

Additionally, Windows 10, 8.1 and 7 users should especially keep a keen check on regular updates and patching!

State of Texas Hit By a Ransomware Attack; 23 Agencies Shut Down!





The state of Texas was recently hit by a cyber-attack that took 23 government agencies offline.

Per the Texas Department of Information Resources (DIR), most of the affected parties were small local government agencies, which remain unnamed so far.

Texas state networks, however, remain unaffected. The State Operations Center has been working intensively on the problem.

Sources say that the state and federal agencies handling the case indicate the attack was coordinated by a single actor.

The attack has been confirmed as ransomware. Per sources, the strain involved was identified as “Nemucod”.

The aforementioned ransomware generally “encrypts files and then at the end adds the .JSE extension”, a researcher noted.

The US has reportedly been the target of many cyber-attacks of late; accounting for an apparent 53% of the global total, it is the most-victimized country.

A state of emergency was declared in Louisiana in July this year in response to a ransomware attack on school computer systems.

From a cyber-security standpoint the situation is critical; municipalities falling prey to such attacks, and to ransomware in particular, is a worrying sign.

The rise in mass-scale attacks is disconcerting on many levels, because, as researchers like to point out, threat actors willing to invest this much effort are numerous.

Texas Hit with a Series of Coordinated Ransomware Attacks




Texas is currently dealing with an 'unprecedented' wave of ransomware attacks focused on local government entities in the state, with at least 23 affected.

The attacks, which appear to have been led by a single threat actor, are said to have begun on the morning of August 16. It is also presumed that 23 may not be the final count, since the details are currently at 'a minimum', according to the Department of Information Resources (DIR), which is leading the investigation.

Texas authorities, including the DIR, the Texas Division of Emergency Management and the Texas Military Department, are still investigating the origin of the attack. Federal agencies are also involved, including the Department of Homeland Security, the Federal Bureau of Investigation's cyber division and the Federal Emergency Management Agency (FEMA).

In its original statement, released late Friday, DIR said that while investigation into the origins of the attack is ongoing, its principal priority is to support the response and recovery of 'affected entities'.

DIR is leading the response to what it calls a "coordinated ransomware attack" but has not disclosed which organizations are affected, citing security concerns.

In an updated statement on Saturday, DIR said that the State of Texas's own systems and networks have not been affected by this attack. Until more details emerge, the strain of file-encrypting malware said to be responsible, as well as the perpetrators' ransom demand, remains unclear.

Cybersecurity Team Identifies Ransomware Used to Compromise City Power



Residents of Johannesburg using pre-paid electricity meters were not able to load the electricity purchased from City Power and were also unable to purchase further electricity due to a ransomware attack which compromised City Power's database.

Earlier, City Power said that while the variant of ransomware used in the attack remained unknown, the encrypted network, applications and database were being restored and rebuilt by its ICT department.

Reassuring customers, Isaac Mangena, the utility's spokesperson, said, "We want to assure residents of Johannesburg that City Power systems were able to proactively intercept this and managed to deal with it quicker."

"Customers should also not panic, as none of their details were compromised," Mangena assured.

On Friday, City Power announced that their cybersecurity team identified the variant of malware which temporarily paralyzed the city's computer systems.

Reportedly, the email systems were hit hardest by the ransomware and took a while to recover and become functional again.

In an update, Mangena said, “The virus samples have been taken to the external labs for analysis and testing.”

“Our IT technicians have also recovered and, in [a] few instances, reconstructed most of the systems, applications, and data that was threatened, using backup files.”

Victims of the attack, along with other customers, have been furious since the incident, which encrypted the utility's databases, applications and network.

City Power turned to external cyber security experts who worked in association with their team to tackle the issue.


Ransomware Attack Leaves Johannesburg without Power




A key electricity supplier for the largest South African city, Johannesburg, experienced a massive ransomware attack which led to the shutdown of the city's computer systems on Thursday.

In a series of tweets, City Power announced that the ransomware had encrypted all its databases, applications and networks, all of which are being reconstructed by its ICT department.

It added that customers may not be able to access its website or purchase electricity units until the issue has been resolved by the ICT department.

With the website still offline, affected customers turned to social media to report problems with their electricity supply.

The type of ransomware used in the attack is still unknown, but the scale of the disruption shows its impact. Besides preventing customers from buying pre-paid electricity, it also hampered City Power's efforts to respond to localized blackouts.

Commenting on the matter, a spokesman for City Power said of the people affected, "These are the people on the pre-paid system[s] and would at any given day buy electricity."

"Those people were not able to access the system," he added.




SonicWall Cyber Threat Report 2019 Finds Escalation in Ransomware-as-a-Service Attacks


Based on real-world data from more than 1 million security sensors in more than 200 countries, SonicWall has published the findings of the mid-year update to its 2019 'SonicWall Cyber Threat Report'.

While global malware volume fell by 20%, researchers found a 15% increase in ransomware attacks overall.

The growth of ransomware-as-a-service, open-source malware kits and cryptojacking among cybercriminals were the major highlights of the new data.

"Organizations continue to struggle to track the evolving patterns of cyber-attacks — the shift to malware cocktails and evolving threat vectors — which makes it extremely difficult for them to defend themselves," said SonicWall President and CEO Bill Conner.

"In the first half of 2019, SonicWall Real-Time Deep Memory Inspection (RTDMI) technology unveiled 74,360 'never-before-seen' malware variants. To be effective, companies must harness innovative technology, such as machine learning, to be proactive against constantly-changing attack strategies,” he added later.

In the first half of 2019, SonicWall also observed a 55% increase in IoT attacks, outpacing the first two quarters of the previous year, as organizations and consumers keep connecting devices to the internet without appropriate safeguards.



Free Scheme, 'The No More Ransom Project' Saving Thousands from Ransomware Attacks


A free scheme known as 'The No More Ransom project', founded by Europol, the Dutch police and McAfee, is recorded to have prevented cyber-attack victims from paying heavy ransoms, helping over 200,000 people save approximately $108m (£86m).

Along with advice and recommendations, the project provides software that recovers files encrypted during ransomware attacks.

With 14 new tools added in 2019 alone, the project, which has over 150 global partners, can now decrypt 109 ransomware variants.

Steven Wilson, head of Europol's European Cybercrime Centre (EC3), explained: “When we take a close look at ransomware, we see how easy a device can be infected in a matter of seconds. A wrong click and databases, pictures and a life of memories can disappear forever. No More Ransom brings hope to the victims, a real window of opportunity, but also delivers a clear message to the criminals: the international community stands together with a common goal, operational successes are and will continue to bring the offenders to justice.”

The project made determined and successful efforts to take down various ransomware campaigns, including GandCrab, one of the most hostile ransomware campaigns of all time.

GandCrab continued making headlines in 2018 and in 2019, the cyber world saw an upsurge in the number of ransomware attacks targeting large organizations.

Commenting on the matter, Mr. Woser told the BBC, "Projects like No More Ransom have been crucial when it comes to fighting ransomware on a global level, with pretty much all major parties cooperating on a global and daily basis, sharing intel[ligence] in real-time - except for the US.

"The US should consider the success of the No More Ransom Project to be a call to action.

"Better cooperation between the private sector and law enforcement could result in fewer ransom demands being paid.

"That would make cyber-crime less profitable and, consequently, reduce the financial incentive for groups to commit cyber-crime."




Cyber-Crime on the Rise; One-of-a-Kind Ransomware Hits Cloud Computing Giant iNSYNQ!







iNSYNQ, the cloud hosting giant, was recently targeted by a ransomware attack that led to the company’s servers being shut down to contain the damage.

The company, which hosts Microsoft, Sage and Intuit software, provides customers with cloud-based virtual desktops for running business applications.

According to sources, the attack was carried out by an unknown party and left iNSYNQ clients' data inaccessible.

The infected servers were immediately shut down, and the next step was to safeguard clients’ data and backups.

Cyber-security experts have been hired by the organization to help restore the infected data and eradicate any further possibility of such attacks.

The backups are not yet available to customers despite repeated requests. The company is doing everything in its power to mitigate the situation.


The clients’ data backups were on unaffected servers, but on the same network nevertheless.

The problem is not stolen data; it is that the data has been encrypted and is therefore inaccessible.

Mysteriously, iNSYNQ's Twitter account seems to have disappeared and is no longer accessible.

The data will take considerable time to reach clients, because once retrieved it must be checked for any residual traces of the malware.

The company did note that the malware that hit it was of a new kind that had never been detected before.

For security reasons the organization cannot reveal much about the details of the attack, as doing so might put customers’ data at further risk.

With the help of leading experts, data recovery is proceeding at full speed, and the organization is trying its hardest to return clients’ data to them.

Ransomware and Its Proliferation; Major Cyber-Crime Hazards in View





According to the latest reports, losses from malicious activity and cyber-crime rose around the globe last year.

Earlier this year, the city of Baltimore, Maryland, in the U.S. was hit by ransomware that locked up its computer networks and made transactions impossible.

City administrators refused the demand for a $76,000 ransom in exchange for unlocking the systems, but are now burdened with an estimated $18 million cost to rebuild and restore the city’s computer networks.

Organizations hit by ransomware or any other malicious agent usually face some hard choices.

Two Florida cities paid a combined $1 million in ransom this year, after which the same group attacked the state court of Georgia.

The figure of losses from ransomware attacks rising by 60% comes from the Internet Society's Online Trust Alliance.

Since 2013, around 170 county, city and state government networks have been victims, 22 of those incidents this year alone.

As a Stanford researcher noted, the cities are not prepared for cyber-crime and are therefore attacked repeatedly.

To pay or not to pay? That is the burning question when it comes to ransoms. The FBI warns against paying, but researchers say there is no clear choice for victims whose important data is locked.

It therefore comes down to doing what is best for the organization, which in some cases means considering paying the ransom.

Whether to pay is secondary; the primary issue remains software updates and the lack of backups and security measures on the users' side.


Ransomware found exploiting former Windows flaw

Researchers at cybersecurity firm Kaspersky have uncovered new encryption ransomware named Sodin (Sodinokibi or REvil) that exploits a recently discovered Windows vulnerability to get elevated privileges in an infected system. The ransomware takes advantage of the architecture of the central processing unit (CPU) to avoid detection - functionality that is not often seen in ransomware.

"Ransomware is a very popular type of malware, yet it's not often that we see such an elaborate and sophisticated version: using the CPU architecture to fly under the radar is not a common practice for encryptors," said Fedor Sinitsyn, a security researcher at Kaspersky.

"We expect a rise in the number of attacks involving the Sodin encryptor, since the amount of resources that are required to build such malware is significant. Those who invested in the malware's development definitely expect it to pay off handsomely," Sinitsyn added.

The researchers found that most Sodin targets were in Asia: 17.6 percent of attacks were detected in Taiwan, 9.8 percent in Hong Kong and 8.8 percent in the Republic of Korea.

However, attacks have also been observed in Europe, North America and Latin America, Kaspersky said, adding that the ransomware note left on infected PCs demands $2500 worth of Bitcoin from each victim.

The vulnerability CVE-2018-8453 that the ransomware uses was earlier found to be exploited by the FruityArmor hacking group. The vulnerability was patched on October 10, 2018, Kaspersky said.

To avoid falling victim to Sodin threats, make sure that the software used in your company is regularly updated to the most recent versions, said Kaspersky researchers.

Security products with vulnerability assessment and patch management capabilities may help to automate these processes, they added.

Florida city to pay $600,000 to a ransomware gang
The city council of Riviera Beach, Florida, has voted unanimously to pay more than $600,000 in Bitcoin to a ransomware gang that had held its computer systems hostage for three weeks.

The ransomware spread throughout the city's computer network after an employee clicked on a malicious link in an email.

"Ransomware is commonly delivered through phishing emails or via 'drive-by downloads,'" according to Homeland Security. "Phishing emails often appear as though they have been sent from a legitimate organization or someone known to the victim and entice the user to click on a malicious link or open a malicious attachment."

The attack locked all files and shut down all of the city's services. Operations have been down ever since, with the exception of 911, which continued to operate in a limited fashion.

According to the Palm Beach Post's report, the ransomware affected the city's email, 911 calls could not be entered into computer records, and the systems that controlled the water utility were offline.

The city council had first decided to resolve the issue by paying $941,000 for new computers, but has now decided to pay the ransom instead.

The money would be paid by the city's insurer, although it is unclear whether the hackers will actually decrypt the locked files afterward.

The city council refused to comment.

Authors of GandCrab Ransomware Terminating their Operations after Making $2 Billion in Ransom Payments
The operators of GandCrab ransomware have continuously maintained and developed it, releasing five variants with no major differences between any two versions. The ransomware is regarded as harder to disrupt because it uses the ".bit" top-level domain, which is not sanctioned by ICANN.

GandCrab was distributed via various vectors, including exploit kits, spam mail, affiliated malware campaigns and other social engineering methods. Besides plenty of malicious spam emails, the attackers relied on 'GrandSoft' and 'RIG', two of the most popular exploit kits, to distribute GandCrab. The spam emails are designed to fool users into downloading a script, which in turn downloads and executes the ransomware.

Researchers have found that the GandCrab authors have made over $2 billion from ransom payments, averaging around $2.5 million per week. According to observations by David Montenegro and Damian, the owners of the ransomware said they are now putting their operations to an end, after earning huge sums (more than $150 million a year) and cashing out through legitimate channels.

The operators have stopped promoting the ransomware and asked their affiliates to cease distributing it within the next 20 days. They have also told victims to pay the ransom, or the keys will be deleted. However, it remains an open question whether the keys will be released once the authors shut down their operations.

Although ransomware has long been a constant threat in cybersecurity, it is now even more dangerous because of the effort threat actors invest in its development. Users are advised to equip themselves with products like 'Acronis True Image 2019' to stay protected against such ransomware attacks.

MySQL Servers on Windows Attacked by Hackers to Distribute GandCrab Ransomware

One of the most widespread ransomware families, GandCrab, which keeps making headlines, is being circulated via multiple kinds of attacks: exploit kits, compromised websites, social media campaigns and weaponized Office documents.

Researchers have detected a new variant of GandCrab ransomware configured to attack Internet-facing MySQL servers on Windows; the ransomware is also reported to hold around 40% of the ransomware market.

How does it attack?

The malicious operation begins with the injection of a corrupted DLL file into the database server by means of SQL database commands.
As the attack proceeds, the DLL is invoked to fetch the ransomware payload, which is hosted on the malicious server.
The attacker establishes a connection to the database server and then uploads the corrupted helper DLL with the SET command, encoded as hexadecimal characters.
"Later they issued a command to concatenate binaries to a single file and them into the server's plug-in directory. Also, they used several commands used to swap forward slash and backslash characters that seemed designed to make an end-run around security features," the researchers observed.

Quoting the study by the Sophos researchers: "an intriguing attack this week from a machine based in the United States. We monitored both the behavior and network traffic generated by this honeypot and were surprised to see the honeypot (which runs under Linux) download a Windows executable."

"What makes this interesting is that the IP address of this machine hosting the GandCrab sample geolocates to Arizona, in the desert southwest region of the United States, and the user interface of the HFS installation on this machine is in simplified Chinese."

Summing up the threat, they said, "it does pose a serious risk to MySQL server admins who have poked a hole through the firewall for port 3306 on their database server to be reachable by the outside world."
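As an added example for defenders (not code from the Sophos write-up or the original post), the following scans MySQL general-log lines for the staging pattern described above: hex-encoded chunks assigned with SET, reassembled into one blob and written under the server's plugin directory. The log excerpt, hostnames, paths and byte values are all constructed for this example.

```python
import re

# Constructed MySQL general-log excerpt (time, thread id, command, argument).
# Thread 12 is ordinary application traffic; thread 17 shows the staging pattern
# from the post: hex chunks assigned with SET, reassembled with CONCAT and written
# into the server's plugin directory. Hostnames, paths and bytes are made up.
SAMPLE_LOG = """\
2019-05-20T10:01:02.000Z   12 Connect   app_user@10.0.0.5 on shop
2019-05-20T10:01:03.000Z   12 Query     SELECT id, name FROM products WHERE id = 42
2019-05-20T10:02:10.000Z   17 Connect   root@203.0.113.9 on
2019-05-20T10:02:11.000Z   17 Query     SET @a = 0x4D5A90000300000004000000FFFF0000B8000000000000004000000000000000
2019-05-20T10:02:11.000Z   17 Query     SET @b = 0x0000000000000000000000000000000000000000000000000000000080000000
2019-05-20T10:02:12.000Z   17 Query     SELECT CONCAT(@a, @b) INTO DUMPFILE 'C:/Program Files/MySQL/MySQL Server 5.7/lib/plugin/helper.dll'
2019-05-20T10:05:00.000Z   12 Query     UPDATE products SET price = 9.99 WHERE id = 42
"""
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")

# Any one indicator is noisy; two or more on the same thread is worth a look.
INDICATORS = [
    # user variable assigned a long hex literal (a binary chunk, not a value)
    ("hex_blob_in_set", re.compile(r"\bSET\s+@\w+\s*=\s*0x[0-9A-F]{64,}", re.I)),
    # hex literal begins with 'MZ', the DOS header of a Windows executable
    ("pe_magic_in_hex", re.compile(r"=\s*0x4D5A", re.I)),
    # several user variables glued back together into one blob
    ("concat_user_vars", re.compile(r"CONCAT\(\s*@\w+(?:\s*,\s*@\w+)+\s*\)", re.I)),
    # file written under the plugin directory, where the server loads code from
    ("write_to_plugin_dir", re.compile(r"INTO\s+DUMPFILE\s+'[^']*plugin[^']*'", re.I)),
]

def scan(text):
    """Map each connection thread to the set of indicator names its queries hit."""
    hits = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("cmd") != "Query":
            continue  # skip malformed lines and non-query events such as Connect
        for name, pattern in INDICATORS:
            if pattern.search(m.group("arg")):
                hits.setdefault(m.group("thread"), set()).add(name)
    return hits

def suspicious_threads(text, min_indicators=2):
    """Threads whose queries hit at least min_indicators distinct indicators."""
    return sorted(t for t, names in scan(text).items() if len(names) >= min_indicators)
```

On the sample, only thread 17 trips several indicators; the ordinary UPDATE ... SET on thread 12 is not flagged because the hex-blob rule requires a user variable and a long hex literal.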