
Are Media Agencies the Next Target of Cybercriminals?

 

Cybercriminals have long exploited the public's trust in media agencies. Recent events, however, have seen a sharp surge in attackers using every possible avenue to target media agencies.

Aside from direct attacks, they have even misused brand names to create counterfeit identities, which are then used to target 'potential victims'.

A couple of incidents throw light upon how and why these threat actors have set their sights on the media industry.

Some media agencies have been targeted directly, usually through ransomware attacks.

Ritzau, the biggest independent news agency in Denmark, was targeted by a ransomware attack that resulted in the compromise and encryption of more than one-fourth of its 100 network servers.

The computer servers at the Press Trust of India were also attacked by LockBit ransomware, which kept the agency from delivering news to its subscribers.

Other attackers cleverly use the pretense of being a media agency to stage their attacks.

Some time back, TA416 Able was found carrying out spear-phishing attacks by imitating journalists from the Union of Catholic Asia News, targeting a range of victims, including diplomats in Africa and people in the Vatican.

Another incident occurred when the U.S. seized 27 domain names that were used by Iran's Islamic Revolutionary Guard Corps (IRGC) for covert influence campaigns, several of which were posing as genuine media outlets.

OceanLotus set up and operated several websites posing as news, activist, or anti-corruption sites. It also compromised a few Vietnamese-language news websites and used them to load an OceanLotus web profiling framework.

With these events in mind, experts recommend adequate safety measures, such as frequent data backups, anti-malware solutions, and implementing Domain-based Message Authentication, Reporting & Conformance (DMARC).

They also recommend running tests to identify and eliminate the risk of domain spoofing.
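As an added example (not code from the original post), the following Python script parses a DMARC TXT record, the record the recommendation above refers to, and reports settings that leave a domain spoofable: a monitoring-only policy, a partial `pct=`, exempted subdomains, missing aggregate reporting and relaxed alignment. The sample records are constructed for illustration; a real check would first fetch the TXT record published at `_dmarc.<domain>`, which is left out so the script runs offline.

```python
"""Check a DMARC TXT record for settings that leave a domain spoofable.

Added example, not from the original post. The sample records below are
constructed; a real check would first fetch the TXT record at _dmarc.<domain>.
"""

# Constructed sample records (assumption: not the page's data).
SAMPLE_RECORDS = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=10",
    "hardened.example": (
        "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
        "rua=mailto:dmarc@hardened.example"
    ),
}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict of lowercase tags.

    Raises ValueError when the text is not a usable DMARC1 record.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed tag: %r" % part)
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags


def assess_dmarc(record):
    """Return a list of weaknesses; an empty list means the record enforces fully."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags["p"].lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is only reported, never blocked")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append("pct=%d: the policy is applied to only %d%% of failing mail" % (pct, pct))
    # sp= defaults to the value of p=; an explicit sp=none exempts every subdomain.
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains are exempt from the policy")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected, so spoofing goes unnoticed")
    # Default alignment is relaxed: any subdomain of the organizational domain aligns.
    if tags.get("adkim", "r").lower() == "r" or tags.get("aspf", "r").lower() == "r":
        findings.append("relaxed alignment: mail from any subdomain passes alignment checks")
    return findings


def assess_all(records=SAMPLE_RECORDS):
    """Map each domain to its findings, for a quick report over many domains."""
    return {domain: assess_dmarc(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, findings in assess_all().items():
        print(domain, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

Run against a domain's real record, `p=none` is the finding that matters most: it is where most organizations stop after "implementing DMARC", and it blocks nothing.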


A quick look at malware that installs ransomware: remove it from your system immediately

 

We recently looked at how phishing mails are evolving, with attackers getting more creative by the day. But a new trend has taken hold on the dark web, and soon phishing campaigns for ransomware and malware may be a thing of the past. With resources comparable to those of a small government, malware gangs have started collaborating among themselves and have come up with "initial access brokers": groups that supply ransomware gangs and other groups with already-infected systems.
Systems compromised through RDP endpoints, backdoored networking devices, and malware-infected computers are used to install ransomware into the network, which makes the ransomware attacker's job as easy as cutting a cake.

There are currently three types of brokers that serve ransomware groups:

Selling compromised RDP endpoints: These brokers brute-force Remote Desktop Protocol (RDP) access into corporate systems and sell it through "RDP shops". Ransomware groups often choose systems that are well integrated within the network.

Selling hacked networking devices: Hackers exploit publicly known vulnerabilities or weak spots in devices such as firewalls and VPN servers and sell the pre-hacked devices. Access to these devices is auctioned off on dark web forums.

Selling computers pre-infected with malware: This is the most popular way ransomware is spread. Hacking gangs spread their malware bots into well-established systems and sell them to the highest bidder, who then injects ransomware into the system.

The best protection against these attacks is to prevent them from happening. The first two infiltrations can be fended off with strong passwords, security measures, and regular updates. The third (malware) is more complicated, as it relies on human error and trickery to get onto the device.
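The RDP brute-forcing that feeds the "RDP shops" above leaves a trail in the Windows Security log: a burst of failed logons (event 4625 with logon type 10, the RemoteInteractive type RDP produces) from one source address, sometimes followed by a success (event 4624). As an added example that is not part of the original post, the following Python script runs that detection over a few constructed log lines; the line format, the threshold of five failures and the five-minute window are assumptions to adjust to your own environment.

```python
"""Detect RDP brute-force bursts in Windows logon events.

Added example, not from the original post. Event ID 4625 is a failed logon, 4624 a
successful one; LogonType 10 (RemoteInteractive) is what RDP sessions produce.
The log lines, threshold and window below are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: one source hammers the administrator account and
# then gets in; a second source shows two widely spaced, ordinary failures.
SAMPLE_EVENTS = """\
2020-11-16T01:00:01Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=198.51.100.7
2020-11-16T01:00:03Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=198.51.100.7
2020-11-16T01:00:04Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=198.51.100.7
2020-11-16T01:00:06Z EventID=4625 LogonType=10 TargetUser=backup SourceIP=198.51.100.7
2020-11-16T01:00:09Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=198.51.100.7
2020-11-16T01:00:12Z EventID=4624 LogonType=10 TargetUser=administrator SourceIP=198.51.100.7
2020-11-16T01:05:00Z EventID=4625 LogonType=10 TargetUser=alice SourceIP=203.0.113.9
2020-11-16T01:30:00Z EventID=4625 LogonType=10 TargetUser=alice SourceIP=203.0.113.9
2020-11-16T01:31:00Z EventID=4624 LogonType=10 TargetUser=alice SourceIP=203.0.113.9
"""


def parse_event(line):
    """Turn 'timestamp key=value ...' into a dict with a parsed 'ts' field."""
    ts_text, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP that reaches `threshold` RDP logon failures
    inside `window`; the alert records the account if a success follows."""
    recent = defaultdict(deque)  # source IP -> timestamps of recent RDP failures
    flagged = {}                 # source IP -> alert dict, in order of detection
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("LogonType") != "10":
            continue  # only RDP logons matter here
        ip = ev["SourceIP"]
        if ev["EventID"] == "4625":
            q = recent[ip]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()  # slide the window forward
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = {
                    "source_ip": ip,
                    "failures": len(q),
                    "first_seen": q[0],
                    "success_after": None,
                }
        elif ev["EventID"] == "4624" and ip in flagged and flagged[ip]["success_after"] is None:
            # A success right after a flagged burst is the high-priority case.
            flagged[ip]["success_after"] = ev["TargetUser"]
    return list(flagged.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

A burst without a following success is worth a lockout or a firewall rule; a burst followed by a 4624 from the same address is an incident, because that is exactly what a freshly sold RDP credential looks like.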

Following is a list of malware that, if you find it in your system, you should drop everything and remove, because it is sure to lead to ransomware in your network:

  • Emotet (Emotet-Trickbot-Ryuk)
  • Trickbot (Ryuk-Conti)
  • BazarLoader (Ryuk)
  • QakBot (MegaCortex-ProLock-Egregor)
  • SDBBot (Clop)
  • Dridex (BitPaymer-DoppelPaymer)
  • Zloader (Egregor-Ryuk)
  • Buer Loader (Ryuk)

Managed.com Hosting Provider Hit by REvil Ransomware, $500K Ransom Demand


Managed hosting provider Managed.com has temporarily taken all its servers and web hosting systems offline, including clients' websites, in response to a REvil ransomware attack that compromised its public-facing web hosting systems.

The threat actors behind the security incident, which took place on Monday, 16th November, are not yet known; however, the company said it is working with law enforcement agencies to investigate the matter and restore services as securely as possible. As of now, it remains unclear whether the attackers stole any data before encrypting the devices.

Initially, the web hosting service refrained from revealing any details about the incident and posted an update citing 'unscheduled maintenance' as the reason for the service interruption. Later, however, the company disclosed that it had suffered a ransomware attack that affected its systems and files containing critical data.
 
In a status update, Managed.com said, "November 17, 2020 – On Nov.16, the Managed.com environment was attacked by a coordinated ransomware campaign. To ensure the integrity of our customers’ data, the limited number of impacted sites were immediately taken offline. Upon further investigation and out of an abundance of caution, we took down our entire system to ensure further customer sites were not compromised. Our Technology and Information Security teams are working diligently to eliminate the threat and restore our customers to full capacity. Our first priority is the safety and security of your data. We are working directly with law enforcement agencies to identify the entities involved in this attack. As more information is available, we will communicate directly with you." 
 
 
According to multiple sources, REvil, a ransomware-as-a-service operation notorious for large attacks, has demanded a $500,000 ransom in Monero in exchange for a decryption key. REvil has previously attacked big names like Kenneth Cole, Travelex, Brown-Forman, GSMLaw and SeaChange.

Also known as Sodinokibi, REvil was first spotted in April 2019. It attacks Windows PCs, encrypting all the files on local drives (except those listed in its configuration file) and leaving a ransom note on affected systems with instructions for getting the files decrypted in return for the demanded ransom.

Factories have become a major target for malware attacks

In the third quarter, the industrial sector was attacked by various hacker groups, including RTM and TinyScouts, as well as ransomware operators. For example, according to Positive Technologies, the operators of the Maze ransomware conducted a successful attack on Hoa Sen Group, the largest manufacturer of steel sheets in Vietnam. During the attack, personal data of employees, internal correspondence and other confidential information were stolen.

"This year, the vast majority of criminal groups switched to working with encryption programs since attackers realized that they can earn no less than in the case of a successful attack on a Bank, and technical execution is much easier," explained Anastasiya Tikhonova, head of APT Research at Group-IB.

According to her, more groups and partner programs have joined the "big game hunt”. 

"The size of the ransom has also increased significantly: cryptolocker operators often ask for several million dollars, and sometimes even several tens of millions. For example, the OldGremlin group, consisting of Russian-speaking hackers, actively attacks exclusively Russian companies: banks, industrial enterprises, medical organizations and software developers," explained Tikhonova.

The expert believes that one of the weakest links in the information security chain is still the human. "There are examples when an operator of a large industrial enterprise got bored, wanted to listen to music, and plugged a 3G modem directly into the USB port of the SCADA control and monitoring system. And how many 'trusted laptops' were there that employees brought from a business trip," concluded Tikhonova.

The expert also believes that the danger of using Internet of Things (IoT) devices is that even experienced engineers find it hard to establish whether a device has been compromised. Target systems are assembled from a fairly large number of devices, and it is almost impossible to monitor and respond to possible security events and threats without additional solutions and human resources.

Government in Australia issues Clop Ransomware warning to Healthcare Organizations

 

The Australian Cyber Security Centre has issued a security alert urging the health sector to check its barriers and defenses against potential ransomware attacks, especially the Clop ransomware, which uses the SDBBot Remote Access Tool (RAT).
The ACSC (Australian Cyber Security Center) wrote that they, "observed increased targeting activity against the Australian Health sector by actors using the SDBBot Remote Access Tool (RAT)." 

The SDBBot RAT is used almost exclusively by the TA505 group. Their attack technique relies on phishing and spam email campaigns to deliver malware, but since 2019 they have been using the SDBBot payload as a way to remotely access systems.

ACSC further mentioned, "SDBBot is comprised of 3 components. An installer that establishes persistence, a loader that downloads additional components, and the RAT itself. Once installed, malicious actors will use SDBBot to move laterally within a network and exfiltrate data. SDBBot is [also] a known precursor of the Clop ransomware."

As the Australian Government says, SDBBot is a known precursor of the Clop ransomware, which in recent months has become one of the most damaging ransomware families; researchers also call it "big-game hunting ransomware" or "human-operated ransomware."

The Clop ransomware group keeps its eye on the big picture: it first works to widen its access to the maximum number of systems, holding back its payload until then, and only when it has reached the maximum, or the whole network, does it manually deploy the ransomware. This way, the organization has no way to stop the infection midway, and the payout is huge, in the hundred-thousand-dollar range; if the victim fails to pay the ransom, all their data is leaked on the group's "leak website".

Other countries, such as the UK and the US, also predicted a potential attack by Ryuk or Trickbot and issued similar warnings some weeks ago. The Australian Cyber Security Centre (ACSC) also warned Australian companies in October about the Emotet malware, which is used together with Trickbot. "Upon infection of a machine, Emotet is known to spread within a network by brute-forcing user credentials and writing to shared drives. Emotet often downloads secondary malware onto infected machines to achieve this, most frequently Trickbot," the ACSC wrote. With the new alert, companies need to be very diligent in their protection and testing mechanisms in order to prevent an attack.

Enel Group attacked by Netwalker, demanding a whopping $14 million

 

Energy company Enel Group has been hit by malware yet again, the second time this year. The operators of the Netwalker ransomware have demanded a ransom of 14 million dollars from the energy group for the decryption key and for not releasing the stolen data.
Enel Group is an Italian multinational power company operating in 30 countries, working in electricity generation and distribution as well as the distribution of natural gas. With revenue of $90 billion, it ranks 87th in the Fortune Global 500.

Earlier this year, in June, Enel Group was attacked by the Snake ransomware, also known as EKANS, but that attack was caught in time and was not successful. This time, by contrast, Netwalker not only successfully encrypted the power company's systems but also leaked its data on its website.

Enel Group has still not confirmed the attack, but BleepingComputer has confirmed it, as the data published by Netwalker reveals information on Enel employees.

The attackers wrote to Enel Group, "Hello Enel. Don't be afraid to write us.", and still the power company maintained its silence. As is the norm when the victim does not engage with the hackers, the ransom doubled, and Enel Group's ransom now stands at a whopping 14 million dollars.

Netwalker claims to have stolen 5 terabytes of data, and today the ransomware group published Enel Group's data on its data leak site. This was bound to happen, since Enel Group neither engaged the hackers nor showed any sign of acknowledging an attack. Now Netwalker is pressuring the energy company into giving in to its demands as it leaks the data and threatens to (in its words) "analyze every file for interesting things" to be further leaked on the dark web.

Enel Group had better have an ace up its sleeve, or a very good hacker on its side, to get its data back.

United States Charged Six Russian Intelligence Officers with Involvement in An Unrestricted Huge Hacking Campaign

 


The Justice Department has recently charged six Russian intelligence officers with involvement in an 'unrestricted huge hacking campaign', which includes the notorious Petya ransomware attacks that focused mainly on Ukraine in 2015.

The six officers, residents and nationals of the Russian Federation (Russia), were members of Unit 74455 of the Russian Main Intelligence Directorate (GRU), the military intelligence agency of the General Staff of the Armed Forces.

 

The government claimed that the group that had attacked Ukraine has likewise hacked different computers promoting the 2018 Winter Olympics in South Korea. It likewise hacked and leaked emails of people related to Emmanuel Macron's 2017 campaign for president of France. 

Besides this, they also targeted the organizations investigating the poisoning of former Russian agent Sergei Skripal in Britain two years ago.

All six hackers are GRU officers; the government said that for over two years it had worked tirelessly to identify these GRU officials, who took part in a global campaign of hacking, disruption, and destabilization representing some of the most dangerous and destructive cyber-attacks ever.

The GRU broke into three electrical distribution systems and remotely tripped circuit breakers, in what was one of the first cyber-attacks to focus squarely on critical infrastructure.

The authorities had initially blamed North Korea for the attack, but later found that the GRU had used North Korean hacking tools to throw investigators off.

That is why FBI Special Agent Michael Christman insisted that the warrant is the result of over two years of intensive investigation by the FBI, a position maintained by an agent who worked the case.

Here are the names and the acts done by the hackers referenced below: -

 

The FBI has repeatedly indicated that Russia is a highly capable cyber adversary, and the information revealed in this statement shows how pervasive and damaging Russia's cyber activities are.

Since Russia is unlikely to arrest the accused, it is also unlikely that they will ever stand trial.

Iranian Hackers Are Using Thanos Ransomware To Attack Organizations In the Middle East and South Africa

 

Cybersecurity experts have discovered clues linking a series of attacks to the Thanos ransomware, which is used by Iranian state-sponsored hackers. Researchers from ClearSky and Profero investigated attacks on major Israeli organizations and linked them to an Iranian state-sponsored hacking group named "Muddywater." The experts noticed two recurring tactics in these attacks. First, the group uses malicious PDF and Excel files that fetch malware from the hackers' servers if the victim downloads and opens them. Second, Muddywater scans the internet for unpatched Microsoft Exchange email servers.

It exploits the vulnerability CVE-2020-0688, plants web shells on the servers, and then downloads and installs similar malware from there. According to ClearSky, however, this second malware is not common, everyday malware but a unique strain whose activity had been observed only once before. The PowerShell-based threat, called "PowGoop", was discovered by the experts last month. Palo Alto Networks says that the Thanos malware was installed using PowGoop. In addition, Thanos, also known as Hakbit, has been delivered by another malware strain called "GuLoader", which is written in Visual Basic 6.0, unlike other strains.

"On July 6 and July 9, 2020, we observed files associated with an attack on two state-run organizations in the Middle East and North Africa that ultimately installed and ran a variant of the Thanos ransomware. The Thanos variant created a text file that displayed a ransom message requesting the victim transfer "20,000$" into a specified Bitcoin wallet to restore the files on the system," says the Palo Alto report. 

According to ClearSky, it stopped these attacks before the hackers could cause any damage; however, with the earlier episodes in mind, the company is now on alert. Experts at ClearSky believe that Muddywater uses Thanos ransomware to disguise its attacks and intrusions. They say, "We assess that the group is attempting to employ destructive attacks via a disguised as ransomware attacks. Although we didn't see the execution of the destruction in the wild, due to the presence of the destructive capabilities, the attribution to nation-state sponsored threat actor."

Ryuk Ransomware Making Comeback with New Tools and Techniques

 

Ryuk ransomware has gained immense popularity in the notorious sphere of cybercrime by 2019. It has been on a rise both in terms of its reach and complexity as it goes about demanding ransoms worth multi-million-dollars from large organizations, local governments, and healthcare institutions. 
 
In one of their latest developments, the operators of the malware have configured it to deploy a Trojan named ‘BazarLoader’, which is operated by the same threat group that is behind Trickbot. BazarLoader is equipped with advanced techniques to evade detection, and its potential for long-term infection hints at a change the operators have made to Ryuk’s plan of action.

Ryuk is a well-planned, targeted ransomware that has been operated since 2018 by WIZARD SPIDER, a Russia-based operator of the TrickBot banking malware; the criminals behind it largely focus on big companies in order to extract exorbitant ransoms.

After gaining access, Ryuk is programmed to spread through network servers as files are exchanged between systems. The malware is distributed via malicious email attachments; once it has gathered all the important data from a given network, it lets the Ryuk operators acquire administrator credentials and access the harvested data, which it does by opening a shell back to the actors operating the threat.

According to the findings of DFIR, a complete attack on a targeted network takes only 29 hours; that span covers the entire chain of events, from the spam mail to the successful encryption of data.

Threat actors behind ransomware attacks are rapidly evolving their attack vectors, as the count of ransomware attacks surged by up to 365 percent over the past year. Owing to its ever-expanding operations, Ryuk has joined the notorious list of ransomware gangs that run their own data leak websites, where they release the data of companies that refuse to pay the demanded amount.
 
The malware is continually changing itself to become more and more sophisticated, leaving companies with no option but to pay the extortionate amounts. The threat has expanded its reach beyond just private organizations and has also been recorded to target National services’ computers.

U.S. Treasury Department Warns That Facilitating Payments to End Cyberattacks Risks Running Afoul of Sanctions Rules

 

The U.S. Treasury Department recently warned cyber insurers and other financial institutions that 'facilitating payments' to hackers to end cyberattacks risks running afoul of sanctions rules.

The warnings, which concern the 'malignant programs' known as ransomware, came from Treasury's Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN).

The warnings add to the worries of cyber insurers, who have lately been ramping up rates and trying to limit their exposure to vulnerable customers because of a flood of expensive ransomware claims.

Hackers have used ransomware to bring down systems that control everything from hospital billing to manufacturing, stopping only after receiving 'hefty payments', commonly paid in cryptocurrency.

Ransomware payment demands have risen sharply during the pandemic, as people have moved to remote work and hackers target online systems.

The average ransomware payment jumped 60% to $178,254 between the first and second quarters, according to Coveware, a firm that handles and negotiates cyber ransom payoffs. Cyber policies frequently cover such ransoms, data recovery, legal liabilities, and negotiators fluent in the hackers' native languages.

Sumon Dantiki, a King and Spalding LLC lawyer who advises on national security and cyber matters, says that sophisticated insurers and financial institutions are already mindful of the sanctions concern. “Will victims who are insured still decide to make the payments?” Dantiki said. “This type of public advisory could affect the calculus there.”

A subsequent FinCEN report also highlighted a growing industry of forensic firms that help organizations respond to cyberattacks, including by handling the payments.

OFAC cited cyberattacks dating back to 2015 that were traced to hackers in sanctioned nations such as North Korea and Russia.

Nonetheless, while the US can impose economic and trade sanctions on nations that support terrorism or violate human rights, it is the financial institutions or individuals that ultimately deal with those nations who may face prosecution and penalties in the end.


LockBit Ransomware Emerging as a Dangerous Threat to Corporate Networks


LockBit is a relatively new ransomware that was first identified by Northwave Security in September 2019 performing targeted attacks under the guise of the '.ABCD virus'. The threat actors behind it were observed using brute-force tactics and evasion techniques to infect computers and encrypt files until the victim pays the ransom.

LockBit lets attackers move quickly around a network once they have compromised it; it abuses SMB, ARP tables, and PowerShell to spread the malware through the infected network.

The developers rely on third parties to spread the malware by whatever means those parties devise. After successfully infecting the network, the attacker directs the victim to a payment site that the attackers operate. The victim is then threatened with a data leak until the ransom is paid.

Modus operandi of the attack

The attackers drop a payload hidden in the '.text' section of the file, compressed in a custom format so that conventional AV mechanisms fail to catch it when scanning the disk.

Once executed, the file scans the entire LAN and attempts to connect to hosts over the SMB port (445) in order to spread the infected file across the whole internal network.

Then, to bypass User Account Control, the command "C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" is run by an instance of SVCHOST.exe, which is launched by the DLLhost.exe process.

After that, the 'backup.exe' file executes the payload and encrypts most of the victim's files, changing their extensions to '.lockbit'. Finally, it leaves a ransom note named 'Restore-My-Files.txt' in various folders on the host.
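The steps above translate directly into host-level indicators a defender can watch for: a DllHost.exe launch carrying the CLSID quoted above, one host opening SMB connections to many peers on port 445 in a short time, files appearing with the .lockbit extension, and the Restore-My-Files.txt note. As an added example (not code from the original post or from Northwave), the following Python script checks Sysmon-style process, network and file events for these indicators and singles out hosts that show more than one of them; the event lines, their key=value layout and the fan-out threshold of 20 hosts are constructed assumptions.

```python
"""Flag LockBit-style host indicators in Sysmon-like events.

Added example, not from the original post. The event lines, their key=value layout
and the fan-out threshold are constructed assumptions; the CLSID, the extension and
the ransom note name are the ones given in the writeup.
"""
import re
from collections import defaultdict

UAC_BYPASS_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"  # quoted in the writeup
RANSOM_NOTE = "restore-my-files.txt"
ENCRYPTED_EXT = ".lockbit"
SMB_PORT = "445"
SMB_FANOUT_THRESHOLD = 20  # distinct hosts reached on tcp/445 by one source (assumption)

# Constructed events: WS01 shows the whole chain, WS02 only ordinary file-server use.
SAMPLE_EVENTS = r'''
EventType=ProcessCreate Host=WS01 ParentImage=C:\WINDOWS\system32\svchost.exe Image=C:\WINDOWS\SysWOW64\DllHost.exe CommandLine="C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
EventType=FileCreate Host=WS01 Path=C:\Users\alice\Documents\report.docx.lockbit
EventType=FileCreate Host=WS01 Path=C:\Users\alice\Documents\Restore-My-Files.txt
EventType=FileCreate Host=WS02 Path=C:\Users\bob\notes.txt
EventType=NetworkConnect Host=WS02 DestIP=10.0.0.5 DestPort=445
''' + "\n".join(
    "EventType=NetworkConnect Host=WS01 DestIP=10.0.0.%d DestPort=445" % i
    for i in range(1, 26)
)

# key=value pairs; a value may be double-quoted when it contains spaces.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Return the key=value pairs of one event line as a dict."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def detect_lockbit_indicators(log_text, fanout_threshold=SMB_FANOUT_THRESHOLD):
    """Return (host, indicator, detail) tuples for every indicator seen."""
    findings = []
    smb_targets = defaultdict(set)  # host -> distinct peers it reached on tcp/445
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        host = ev.get("Host", "?")
        etype = ev.get("EventType")
        if etype == "ProcessCreate":
            cmd = ev.get("CommandLine", "").lower()
            if "dllhost.exe" in cmd and UAC_BYPASS_CLSID.lower() in cmd:
                findings.append((host, "uac-bypass-clsid", ev.get("CommandLine", "")))
        elif etype == "NetworkConnect" and ev.get("DestPort") == SMB_PORT:
            smb_targets[host].add(ev.get("DestIP"))
        elif etype == "FileCreate":
            path = ev.get("Path", "")
            name = path.rsplit("\\", 1)[-1].lower()
            if name == RANSOM_NOTE:
                findings.append((host, "ransom-note", path))
            elif name.endswith(ENCRYPTED_EXT):
                findings.append((host, "encrypted-extension", path))
    for host, targets in smb_targets.items():
        if len(targets) >= fanout_threshold:
            findings.append((host, "smb-fanout", "%d distinct hosts on tcp/445" % len(targets)))
    return findings


def hosts_with_chain(findings):
    """Hosts showing two or more distinct indicators: far stronger than any one alone."""
    kinds = defaultdict(set)
    for host, kind, _ in findings:
        kinds[host].add(kind)
    return sorted(host for host, seen in kinds.items() if len(seen) >= 2)


if __name__ == "__main__":
    found = detect_lockbit_indicators(SAMPLE_EVENTS)
    for item in found:
        print(item)
    print("hosts with an indicator chain:", hosts_with_chain(found))
```

The SMB fan-out check is the one that fires earliest in the sequence the writeup describes, before any file is encrypted, so it is the indicator worth alerting on in real time; the extension and ransom note confirm that encryption has already started.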

As per sources, the top targets of LockBit were located in the U.S., the U.K., China, India, Germany, France, and Indonesia. Experts suggest that users worldwide should strengthen their security defenses. It is also recommended to store backups of important files separately, so that they cannot easily be reached over the network.

Giving insights into a particular case, Patrick Van Looy, a cybersecurity specialist for Northwave, told BleepingComputer, "In this specific case it was a classic hit and run. After gaining access through brute-forcing the VPN, the attacker almost immediately launched the ransomware (which he could with the administrator account that he had access to). It was around 1:00 AM that the initial access took place, after which the ransomware was launched, and at around 4:00 AM the attacker logged off. This was the only interaction that we have observed."

Emotet Botnet Operators Switching to a New Template Named ‘Red Dawn’


Emotet has continually evolved into technically sophisticated malware that plays a major role in the expansion of the cybercrime ecosystem. First discovered as a simple banking Trojan, Emotet’s roots date back to 2014, when it attempted to steal banking credentials from infected machines.

Since then, after multiple upgrades, it has taken on various roles; for example, it long ago leveled up its threat game to become a “loader”: it gathers data and sends it over an encrypted channel to its command and control (C2) servers, and it downloads modules to extend its functionality.

The threat actors, who are actively involved in the rapid expansion of “Emotet” as a service, have devised a new method of attacking their targets by luring them into opening infected documents. Until recently, the operators of Emotet used an iOS-themed document template in their botnet campaigns; the template told victims that the document had been created on iOS and that, to view the content properly, they needed to click ‘Enable Content’.

However, this is not the scenario anymore. In its newer campaigns, the notorious botnet is reported to be employing a new template, named ‘Red Dawn’ by Emotet expert, Joseph Roosen, for its red accent colors.

Displaying the message “This document is protected”, the Red Dawn template informs the user that the preview is unavailable and that, to view the document, they must click the ‘Enable Content’ or ‘Enable Editing’ button.

Once the user has been tricked into following those steps, the macros execute and Emotet is installed on the system. Once the system is infected, Emotet may go on to deliver other malware, namely Trickbot and Qbot, or ransomware, namely Conti and ProLock.
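The lure above only works because the document carries VBA macros, and the 'Enable Content' prompt is the last line of defence rather than the first. As an added example that is not from the original post, the following Python script inspects an Office file by content rather than by extension, reporting whether an OOXML package contains a `vbaProject.bin` part or declares a macro-enabled content type, and recognising the legacy OLE binary format it cannot inspect on its own. The two sample packages are constructed in memory; a mail gateway or endpoint tool can apply the same check before a user ever sees the prompt.

```python
"""Detect VBA macros in Office files by content, not by extension.

Added example, not from the original post. The sample packages are constructed
in memory with just enough OOXML structure for the check to run.
"""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file header


def build_sample_docx(with_macro):
    """Constructed minimal OOXML package (assumption): a document part plus, optionally,
    a VBA project part and the macro-enabled content type that goes with it."""
    types = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        '<Default Extension="xml" ContentType="application/xml"/>',
    ]
    if with_macro:
        types.append('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % VBA_CONTENT_TYPE)
        types.append('<Override PartName="/word/document.xml" '
                     'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>')
    else:
        types.append('<Override PartName="/word/document.xml" ContentType='
                     '"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    types.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "\n".join(types))
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00placeholder-vba-stream")  # constructed stand-in
    return buf.getvalue()


def inspect_office_file(data):
    """Classify raw file bytes: format, whether VBA is present, and why."""
    result = {"format": None, "has_vba": False, "reasons": []}
    if data.startswith(OLE_MAGIC):
        result["format"] = "ole-binary"
        result["reasons"].append("legacy binary Office file; needs an OLE parser to look for macro streams")
        return result
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["format"] = "unknown"
        result["reasons"].append("not an OOXML package")
        return result
    result["format"] = "ooxml"
    # A VBA project lives in word/, xl/ or ppt/; check the part name regardless of folder.
    if any(name.lower().endswith("vbaproject.bin") for name in z.namelist()):
        result["has_vba"] = True
        result["reasons"].append("package contains a vbaProject.bin part")
    try:
        content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
    except KeyError:
        content_types = ""
        result["reasons"].append("missing [Content_Types].xml")
    if VBA_CONTENT_TYPE in content_types or "macroEnabled" in content_types:
        result["has_vba"] = True
        result["reasons"].append("content types declare a VBA project or macro-enabled document")
    return result


if __name__ == "__main__":
    for label, blob in (("macro", build_sample_docx(True)), ("clean", build_sample_docx(False))):
        print(label, inspect_office_file(blob))
```

Checking the package contents rather than the file name matters because a macro-enabled document renamed to `.docx` still opens, still prompts for 'Enable Content', and still runs its macros.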

“#Emotet AAR for 2020/09/02: Only a couple malspams at dayjob. It looks like JP is getting targeted heavily now by E1/E2 and E3. Seeing templates on all 3! The new regex for E1 is stupid and I bet Yuri thought that was epic, well nope, even easier to block, new regex in report. TT”, Joseph Roosen said in his related Tweet.

Nefilim Ransomware Evolving Rapidly: Top Targets at a Glance


Ransomware has continually expanded, both in threat and in reach, as threat actors keep devising fresh ways to introduce new ransomware variants and malware families. One such newly emerged ransomware, Nefilim, first identified at the end of February 2020, threatens to release victims’ encrypted data if they do not pay the ransom. With a striking code resemblance to the Nemty 2.5 Revenge ransomware, Nefilim is most likely distributed via exposed Remote Desktop Protocol, according to Vitali Kremez, an ethical hacker at SentinelLabs.

Earlier this month, researchers from the threat intelligence firm Cyble discovered a post by the authors of the Nefilim ransomware claiming to have hacked The SPIE Group, an independent European market leader in technical services for the energy field. In the post, the operators claim to possess around 11.5 GB of the company’s sensitive data, including corporate operational documents: the company’s telecom services contracts, dissolution legal documents, infrastructure group reconstruction contacts, and a lot more.

Since April 2020, Nefilim has targeted multiple organizations around the globe, concentrating on South Asia, South America, Oceania, North America, and Western Europe. Going by the count of publicly disclosed attacks, manufacturing is the industry most targeted by the operators of Nefilim; Mas Holdings, Fisher & Paykel, Aban Offshore Limited, and Stadler Rail were some of the major targets. Other industries infiltrated by Nefilim are communication and transportation, with Orange S.A. and Toll Group and Arteris SA respectively among the top targets. Notably, the ransomware has so far spared the healthcare and education sectors entirely; no organization from either has been targeted.

Nefilim uses a number of vectors, including P2P file sharing, free software, spam email, torrent websites, and malicious websites, to infiltrate organizations’ IT systems. Designed specifically to penetrate Windows PCs, Nefilim actively abuses Remote Desktop Protocol as its primary attack vector. It encrypts the target’s data using a combination of two algorithms, AES-128 and RSA-2048; when victims fail to pay the ransom, the data is leaked on the group’s website, known as Corporate Leaks.

Users are advised to be wary of exposed ports, and security departments should close off unused ports; experts also recommend limiting login attempts for Remote Desktop Protocol network admin access in the settings, to stay protected.

REvil/Sodinokibi Ransomware Specifically Targeting Food and Beverages Organizations



REvil, also known as Sodinokibi ransomware was first spotted in April 2019, it attacks Windows PCs to encrypt all the files on local drives (besides those enlisted in their configuration file) and leaves a ransom note on affected systems with instructions to get the files decrypted in turn of the demanded ransom. It shares a similar code as GandCrab ransomware and is said to be distributed by the authors of the aforementioned ransomware which saw a steep decline in its activity with the arrival of REvil. The claim regarding similarity was based on observations made by experts that point towards an identical set of techniques used in attacks, similar countries targeted, and the language.

The strain exploits an Oracle WebLogic vulnerability to elevate privileges, and to generate and propagate its encryption keys REvil uses an Elliptic-curve Diffie-Hellman key exchange. Let's take a look at its latest activities.

As per sources, the ransomware avoids attacking systems belonging to Iran, Russia, and other countries that were once part of the Soviet Union. It has, however, affected numerous organizations across other regions. In 2020, REvil attackers limited their infections to North American and Western European organizations, targeting the National Eating Disorders Association and Agromart Group in the former, and Atlas Cars and Plaza Collection in the latter, among others.

The ransomware operators have developed a special interest in the manufacturing sector; food and beverage distribution businesses in particular have seen an unprecedented number of ransomware attacks lately. Top targets in the industry include Harvest Food Distributors, Brown-Forman (Jack Daniel's), Sherwood Food Distributors, and Lion. Other industries heavily targeted by REvil include media, retail, entertainment, health, IT, transport, real estate, government, energy, and non-profits.

How does it operate?

REvil begins by exploiting the CVE-2018-8453 vulnerability and then eliminates resource conflicts by terminating blacklisted processes before encryption starts. It wipes the contents of blacklisted folders, encrypts files on local storage devices and network shares, and finally exfiltrates basic host information.

Initially, REvil was observed attacking businesses by exploiting vulnerabilities, but over the past year the operators have also adopted common infection vectors, namely phishing and exploit kits.

A City In Colorado Attacked, Forced to Pay $45,000 Ransom


The city of Lafayette, Colorado, had to pay a $45,000 ransom to decrypt files that were encrypted in July, as the City was unable to restore the data from its backups. The town was attacked on 27th July, and the ransomware attack affected residents' smartphones, email, and payment services. During the attack the City offered no explanation of what was causing the problems; it asked residents to call 911 if they needed emergency services during the outage. A few days after the incident, Lafayette informed citizens that the town had suffered a cyberattack: the hackers had encrypted all its systems, which caused the outage.


The City recovered its financial data, but only by paying the $45,000 ransom to the anonymous attackers, who provided decryption software in return for the payment. The town's official website says, "system servers and computers are currently being cared for and rebuilt. Once complete, data will be restored to the system, and operations will resume. No permanent damage to hardware has been identified. While core City operations continue, online payment systems have not resumed. At this time, the City is unable to estimate a timeline that all systems will be back up and running."

Mayor Harkens decided not to reveal the attackers' identity publicly, as doing so might have compromised the negotiation. According to reports, neither user data nor credit card details were stolen. The mayor has advised residents to watch for any suspicious activity in their accounts.

Lafayette may count itself lucky, as the hackers demanded a comparatively small ransom; according to experts, demands in cases like this range from hundreds of thousands to millions of dollars.

WastedLocker ransomware uses a sophisticated trick by abusing Windows features to avoid detection


WastedLocker has been in the headlines for a successful attack on wearable tech and smartwatch manufacturer Garmin, which reportedly paid around $10 million for a decryption key. The ransomware is rumored to be operated on behalf of the Russian hacking group Evil Corp, a notorious crew with numerous high-profile attacks to its name.


Security researchers at Sophos have now worked out how the ransomware uses the inner workings of Windows to avoid detection by anti-ransomware tools, a method they describe as ingenious and sophisticated.

"That's really sophisticated stuff, you're digging way down into the things that only the people who wrote the internals of Windows should have a concept of, how the mechanisms might work and how they can confuse security tools and anti-ransomware detection," said Chester Wisniewski, a principal research scientist at Sophos.

How WastedLocker uses the Windows cache to hide itself

Usually, anti-ransomware software monitors file activity for suspicious behaviour, such as an unknown process opening a file, writing to it, and closing it; that sequence triggers behavioural detection and catches the malicious process. WastedLocker, unlike traditional ransomware, works on the copy of each file held in the Windows cache and operates on that copy rather than on the original.

Windows uses its cache to speed up operations: commonly used files are kept in it, so that when the system needs a file it first checks the cache and loads the file from there rather than from the drive, making the operation much faster.

The ransomware opens a file, reads it (which pulls it into the cache) and closes the original file. It then encrypts the cached copy rather than the original. Once enough changes have accumulated, the cached data becomes "dirty" and the Windows cache manager writes the changes back to the original file. Because that write-back is performed by Windows itself, a legitimate source, the detection software is tricked into treating the activity as system-originated and legitimate, and the encryption goes unnoticed.

This ability to go undetected makes WastedLocker the most lethal ransomware we have seen yet.

The Council of the EU and Its First-Ever Sanctions against Persons or Entities Involved in Various Cyber-Attacks



The Council of the European Union has imposed its first-ever sanctions against persons and entities involved in various cyber-attacks targeting European citizens and member states.

The sanctions comprise a ban on travel to any EU nation and a freeze of the assets of the listed persons and entities.

The order was issued against six individuals and three entities responsible for or involved in various cyber-attacks. The six individuals are two Chinese citizens and four Russian nationals.

The sanctioned entities include an export firm based in North Korea and technology companies from China and Russia.

The cyber-attacks in question include the publicly known 'WannaCry', 'NotPetya', and 'Operation Cloud Hopper', as well as an attempted cyber-attack against the Organisation for the Prohibition of Chemical Weapons.




As per the European Council, the details of these persons and entities are:

1. Two Chinese individuals, Gao Qiang and Zhang Shilong, and a technology firm, Tianjin Huaying Haitai Science and Technology Development Co. Ltd, for Operation Cloud Hopper.

2. Four Russian nationals (also wanted by the FBI), Alexey Valeryevich, Aleksei Sergeyvich, Evgenii Mikhaylovich, and Oleg Mikhaylovich, for attempting to target the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands.

3. A Russian technology firm (exposed by the NSA), the Main Centre for Special Technologies (GTsST) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, for the NotPetya ransomware attack in 2017 and the cyber-attacks on the Ukrainian power grid in the winters of 2015 and 2016.

4. A North Korean export firm, Chosun Expo, for the WannaCry ransomware attack that wreaked havoc by disrupting information systems worldwide in 2017; the firm is linked to the well-known Lazarus group.

The Council says, "Sanctions are one of the options available in the EU's cyber diplomacy toolbox to prevent, deter and respond to malicious cyber activities directed against the EU or its member states, and today is the first time the EU has used this tool."

According to the European Union, the two Chinese nationals who carried out Operation Cloud Hopper are members of the APT10 threat actor group, also known as 'Red Apollo', 'Stone Panda', 'MenuPass', and 'Potassium'.

The four Russian nationals, meanwhile, were agents of the Russian intelligence agency GRU who attempted to hack into the OPCW's Wi-Fi network; had they succeeded, they would have been able to compromise the OPCW's ongoing investigatory work.

Aberystwyth University and Others Affected by Global Blackbaud Ransomware Attack


Aberystwyth University, a 148-year-old mid-Wales institution, was affected by a hack on Blackbaud, a US company that supplies financial management and administration software to the education sector.

It was among the 20 institutions affected by the ransomware attack, which also hit the University of York, Loughborough University, the University of London, and University College, Oxford. The Welsh university, which takes in 10,000 students every year, said "no bank account or credit card details were taken".

The ransomware attack occurred around May of this year and targeted Blackbaud, whose software is used by many educational institutions; as a result, the attack sent shockwaves through at least twenty institutions in the US, UK, and Canada. The company did pay the ransom and said it had received "confirmation that the copy [of data] they removed had been destroyed", but it was criticised for not informing the victims of the hack and the risk to their data until July, more than a month after the attack.

Under the General Data Protection Regulation (GDPR), a company is required to report a significant data breach to the data protection authorities within 72 hours. Both the UK and Canadian data authorities were made aware of the breach only last week.

An ICO (UK Information Commissioner's Office) spokeswoman said: "Blackbaud has reported an incident affecting multiple data controllers to the ICO. We will be making inquiries to both Blackbaud and the respective controllers, and encourage all affected controllers to evaluate whether they need to report the incident to the ICO individually."

Impact on Aberystwyth University

The 148-year-old Welsh institution reassured students that no student data was affected, saying that the "stolen data has now been destroyed and has no reason to believe it was misused".

Blackbaud confirmed to the university that no bank or credit card details were taken. A spokesperson for the university said, "We take data security extremely seriously. We are urgently investigating this incident and are awaiting further details from Blackbaud.

"We are in the process of contacting those online portal users and recipients of our alumni and supporter e-newsletters whom we believe may have been affected."

Orange Confirms Ransomware Attack Compromising Data of 20 Enterprise Customers


Orange, the fourth-largest mobile operator in Europe, has confirmed that it fell prey to a ransomware attack in which hackers accessed the data of 20 enterprise customers. The attack targeted the 'Orange Business Services' division and is said to have taken place on the night of 4th July, continuing into the next day, 5th July.

Orange is a France-based multinational telecommunications corporation with 266 million customers worldwide and 148,000 employees. It is a leading provider of global IT and telecommunications services to residential, professional, and large business clients, covering fixed-line telephony, mobile communications, Internet and wireless applications, data transmission, broadcasting services, and leased lines.

The attack came to light when the Nefilim ransomware operators announced on their data leak site that they had gained access to Orange's data through its business solutions division.

Speaking to Bleeping Computer, the company said, "Orange teams were immediately mobilized to identify the origin of this attack and has put in place all necessary solutions required to ensure the security of our systems." Orange further said that the attack on the night of 4th July affected an internal IT platform known as "Le Forfait Informatique", which hosted the data of the 20 SME customers that the attackers breached; there were no traces of any other internal server being affected.

Offering his view, Tarik Saleh, a senior security engineer at DomainTools, said, "Orange certainly followed best practices by promptly disclosing the breach to its business customers, who will need to take all the possible precautions to make their data unusable in future attacks: changing the password of their accounts and looking out for potential phishing or spear-phishing emails."

Commenting on the incident, Javvad Malik, Security Awareness Advocate at KnowBe4, said that in these times it is essential "that organizations put in place controls to prevent the attack from being successful, as even if they have backups from which they can restore, this won't bring back data that has been stolen."

"As part of this, organizations should implement a layered defensive strategy, in particular against credential stuffing, exploitation of unpatched systems, and phishing emails which are the main source of ransomware. This includes having technical controls, the right procedures, and ensuring staff has relevant and timely security awareness and training," he further added.

Indian Organizations Suffer the Most in Public Cloud Security Incidents



In a survey of 26 countries on public cloud security incidents, India emerged as the nation that endured the hardest hits in the previous year, with 93 percent of its organizations experiencing an incident.

The survey covered more than 3,500 IT managers across 26 nations in Europe, the Americas, Asia Pacific, the Middle East, and Africa who currently host data and workloads in the public cloud.

The incidents Indian organizations suffered most often were ransomware (53 percent), other malware (49 percent), exposed data (49 percent), compromised accounts (48 percent), and cryptojacking (36 percent), according to the report titled "The State of Cloud Security 2020" by cybersecurity company Sophos.

Europeans, meanwhile, suffered the lowest level of cloud security incidents, an indication that compliance with General Data Protection Regulation (GDPR) guidelines is helping to protect organizations from compromise.

However, India still hasn't enforced a data protection law.

Chester Wisniewski, Principal Research Scientist at Sophos said in a statement, "Ransomware, not surprisingly, is one of the most widely reported cybercrimes in the public Cloud."

"The recent increase in remote working provides extra motivation to disable Cloud infrastructure that is being relied on more than ever, so it's worrisome that many organizations still don't understand their responsibility in securing Cloud data and workloads," Wisniewski added.

"Cloud security is a shared responsibility, and organizations need to carefully manage and monitor Cloud environments in order to stay one step ahead of determined attackers."

According to the report, more than 55 percent of Indian organizations and businesses reported that cybercriminals gained access through stolen cloud provider account credentials.

Despite this, only 29 percent said that managing access to cloud accounts is a top area of concern. Accidental exposure also continues to plague organizations, with misconfigurations exploited in 44 percent of reported attacks on Indian organizations.
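The "accidental exposure" the report describes is typically a storage policy that lets anyone read, or worse, write, a bucket. The following is an added example rather than anything from the survey or from Sophos: a small audit of an S3-style bucket policy document that flags wildcard principals and over-broad actions, run against a constructed weak policy and its hardened counterpart. The bucket name, the account ID (AWS's documentation placeholder) and the role name are constructed for illustration; the policy grammar (Effect, Principal, Action, Condition) is the standard IAM policy format.

```python
"""Audit an S3-style bucket policy for public access and over-broad grants.

Added example, not from the original post. Both policies below are constructed;
the account ID 111122223333 is a documentation placeholder, not a real account.
"""
import json

# Constructed weak policy: anyone on the Internet may read AND write objects.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicReadWrite", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-backups/*"},
    ],
})

# Constructed hardened policy: one named role may write, and only over TLS;
# a Deny with a wildcard principal is fine, since it only ever removes access.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BackupWriterOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup-writer"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-backups/*",
         "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-backups/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def principal_is_anyone(principal):
    """True for the anonymous principal: "*" or {"AWS": "*"} (or a list containing it)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def audit_bucket_policy(policy_json):
    """Return a list of (sid, severity, message) findings for Allow statements.
    Deny statements are skipped: they can only narrow access."""
    findings = []
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st.get("Action"))
        if principal_is_anyone(st.get("Principal")):
            if st.get("Condition"):
                # Reachable by anyone who satisfies the condition; needs human review.
                findings.append((sid, "medium", "wildcard principal limited only by a Condition"))
            elif WRITE_ACTIONS & set(actions):
                findings.append((sid, "critical", "anyone on the Internet can write or delete objects"))
            else:
                findings.append((sid, "high", "anyone on the Internet can read objects"))
        elif any(a in ("s3:*", "*") for a in actions):
            # Named principal, but every S3 action: a stolen credential for it is a full takeover.
            findings.append((sid, "medium", "over-broad action grant for a named principal"))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_bucket_policy(policy) or "no findings")
```

The check is deliberately conservative: a wildcard principal is reported even when a Condition narrows it, because a source-IP or VPC-endpoint condition is exactly the kind of restriction that gets loosened during troubleshooting and never tightened again. The hardened policy produces no findings because its only Allow names a specific role with a single action, and the wildcard principal appears solely in a Deny.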

With 76 percent of organizations using the public cloud, detection and response are the leading cloud security concern for IT managers in India, while data security remains the top concern for organizations worldwide.