IT Services Remain Disrupted At Two Colleges Of Ireland After Ransomware Attacks

 

Two IT universities in Ireland, the National College of Ireland (NCI) and the Technological University of Dublin, have been hit by a cyber attack.

Both universities recently reported ransomware attacks on their systems. The National College of Ireland is working around the clock to restore its IT services after suffering a massive cyber attack, and the institution has been forced to take its IT systems offline.

"NCI is currently experiencing a significant disruption to IT services that have impacted a number of college systems, including Moodle, the Library service, and the current students’ MyDetails service," the college reported on Saturday. 

An advisory carried by some press outlets said that two third-level institutions are experiencing cyber attacks, specifically ransomware attacks, and that there is no definite timeline for when their IT services will be fully restored.

In the wake of the attack, the two institutions immediately notified students, staff, and other employees about the cyber attacks. NCI's IT team then suspended access to the systems, and the campus building was closed to staff and students until the IT services have fully recovered from the attacks.

NCI has also reported the attack to the authorities, including the national police service of the Republic of Ireland and the Data Protection Commissioner.

"Please note that all classes, assessments, and induction sessions planned from today Tuesday 6th until this Thursday 8th April inclusive have been postponed and will be rescheduled for a later date," NCI added in a statement issued today. 

"…The College will issue a further update on Thursday afternoon in relation to classes and other events for Friday and beyond." Students with assignments due this week were also told that "no late penalties will be applied while the outage remains in place."

Meanwhile, students were told not to access any campus system until Monday, April 12. They were also advised to avoid contacting the IT staff, who are currently working on restoring the attacked IT systems.

Canadian IoT Solutions Provider, Sierra Wireless Hit by a Ransomware Attack


Sierra Wireless, a Canadian IoT solutions provider, said that it has resumed production at its manufacturing sites after the company suffered a ransomware attack that breached its internal infrastructure and official website on March 20. When the company learned of the attack, it called in KPMG, one of the world's best cybersecurity firms, to help with the investigation of the incident.

According to Sierra Wireless, "security is a top priority, and Sierra Wireless is committed to taking all appropriate measures to ensure the highest integrity of all of our systems. As the investigation continues, Sierra Wireless commits to communicating directly to any impacted customers or partners, whom we thank for their patience as we work through this situation." 

With the corporate website back online, staff at Sierra Wireless are now working on rebuilding the company's internal infrastructure. The Canadian MNC also said that the ransomware could not reach its services and customer-facing products because the internal systems that were attacked are kept separate from them. The company believes that the scope of the attack was limited to Sierra Wireless' corporate website and internal systems, and it is confident that its connectivity services and products were not affected or breached during the incident.

As of now, the company does not expect to issue any firmware or software security updates or product security patches, which are generally required after a ransomware attack. The company has not disclosed the ransomware operator behind the attack, nor has it specified what data was stolen during the incident before the encryption took place.

After the attack in March, the company withdrew its Q1 guidance. A company spokesperson said that Sierra Wireless won't reveal any further information about the attack, as per company protocol, because the data involved is highly confidential and sensitive. Bleeping Computer reports, "Sierra Wireless' products (including wireless modems, routers, and gateways) sold directly to OEMs are being used in IoT devices and other electronic devices such as smartphones, and an extensive array of industries."

MIDC’s Server Hacked, Threat to Destroy Data

 

The server of the Maharashtra Industrial Development Corporation (MIDC) was hacked recently. The ransomware 'SYNack' affected the application and database servers hosted at the MIDC headquarters in Mumbai, encrypting the information stored on them. The hackers have demanded Rs 500 crore, mailing the demand to MIDC's official mail ID, sources said.

The malware also infected some desktop PCs across various MIDC office locations. The attackers left a ransom note giving details of the attack and the steps to take to contact them for decryption of the data. However, no amount was directly mentioned in the ransom note, according to a statement from the MIDC. After the hack, all 16 regional offices in the state, including the head office in Mumbai, were shut down.

All the data on the industrial estates, entrepreneurs, government bodies, and various schemes related to MIDC is held on an online system. All work has been at a halt since last Monday, following the hack. The MIDC approached the police, after which the Cyber Crime Police began their probe into the hacking incident, joint commissioner of police, crime, Milind Bharambe confirmed to the FPJ.

A statement issued by the MIDC read, "On Sunday, March 21, at around 2:30 AM, we received automated alerts that our applications were down. On further analysis during the day, the ransomware attack was confirmed. MIDC’s applications are hosted on ESDS cloud (services managed by ESDS, Cloud Service Provider) and local servers (managed by MIDC internal team). We have Trend Micro anti-virus license for end-point security monitoring. The details of the ransomware were shared with Trend Micro for further analysis."

"As an immediate measure, the MIDC systems were disconnected from the network to contain the spread of the virus. The backup files for different application servers were stored on a different network segment on Cloud DC and were not infected. As per the recommendations from Cyber Security experts, several steps are being taken to control the spread of virus and minimize the impact," the statement read further.

CNA Hit by a Phoenix CryptoLocker Ransomware Attack

 

Insurance giant CNA had to shut down its systems and temporarily close its website due to a novel ransomware attack. A new version of the Phoenix CryptoLocker malware was used in the attack, which happened earlier this week. The attack is believed to be linked to the Evil Corp hacking group.

CNA, a Chicago-based company, is the seventh-largest commercial insurance provider in the world. In a statement published on the home page of its website on Sunday, March 21, the company affirmed that it has “sustained a sophisticated cybersecurity attack”. “The attack caused a network disruption and impacted certain CNA systems, including corporate email,” it added.

Although, according to a report, CNA was the target of a recent ransomware strain named Phoenix CryptoLocker, the organization did not comment on the nature of the incident. CryptoLockers are a common form of ransomware that encrypts files on the computers it infects and demands a ransom from the victims in return for the key to decrypt them.

As per the report, the cybercriminals behind Phoenix CryptoLocker are probably a well-known group, such as the cybercrime group Evil Corp, which recently reappeared after a short break from cybercrime. The effect of the group's most recent attack was so extreme that CNA detached its systems from its network "out of an abundance of caution" and is now offering workarounds for employees wherever possible so that it can continue to service its customers, according to the company. The ransomware apparently encrypted data on over 15,000 machines on CNA's company network, as well as on the computers of remote-working employees who were connected to the company's VPN at the time of the attack.

While encrypting computers, the ransomware appended the ‘.phoenix’ extension to encrypted files and generated a ransom note called ‘PHOENIX-HELP.txt’. Although sources said CNA will restore from backups, the company has not confirmed anything.

According to the report, sources believe that Phoenix CryptoLocker is the work of the same group, based on similarities with the code of earlier ransomware used by Evil Corp. Evil Corp used WastedLocker ransomware to encrypt victims' files in past attacks, such as the one against GPS technology provider Garmin last year. The cybercriminal organization has made millions of dollars through several nefarious operations, including stealing banking credentials with the Dridex banking trojan and then making illicit money transfers from unsuspecting victims' bank accounts.

The attack on CNA could also have a huge impact on certain businesses, particularly those that have cyber insurance policies with the organization. There could hardly be a better way to generate a list of insured companies to strike than hacking the insurer's network and stealing insurance details about its customers. At this point it is uncertain whether the cybercriminals stole unsecured files before encrypting CNA's devices. However, since ransomware operations have made stealing unencrypted data a standard technique, it's possible that some data was stolen during the attack.
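For responders scoping an incident like this one, the two indicators named above can be swept for across a file share. The following is an added example, not code from the report or from CNA; the function names and the sample tree are constructed for illustration, and the sweep only reads file names and timestamps.

```python
import os
import tempfile
from datetime import datetime, timezone

# Indicators quoted in the post above.
ENCRYPTED_SUFFIX = ".phoenix"
RANSOM_NOTE = "PHOENIX-HELP.txt"


def scan_tree(root):
    """Walk `root` read-only and summarise both indicators per directory."""
    hits = {}
    for dirpath, _dirs, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            lower = name.lower()  # Windows shares are case-insensitive
            is_note = lower == RANSOM_NOTE.lower()
            is_encrypted = lower.endswith(ENCRYPTED_SUFFIX)
            if not (is_note or is_encrypted):
                continue
            entry = hits.setdefault(
                dirpath, {"note": False, "encrypted": [], "first_mtime": None}
            )
            if is_note:
                entry["note"] = True
                continue
            entry["encrypted"].append(name)
            try:
                # lstat: never follow symlinks out of the tree being examined.
                mtime = os.lstat(os.path.join(dirpath, name)).st_mtime
            except OSError:
                continue  # file vanished or is unreadable; keep the name only
            if entry["first_mtime"] is None or mtime < entry["first_mtime"]:
                entry["first_mtime"] = mtime
    return hits


def classify(entry):
    """Label a directory by which indicators it contains."""
    if entry["note"] and entry["encrypted"]:
        return "encrypted"       # both indicators present
    if entry["encrypted"]:
        return "extension-only"  # suffix match without a note: verify by hand
    return "note-only"           # note dropped, no renamed files found


def earliest_activity(hits):
    """Oldest last-write time of a renamed file, a lower bound for the timeline."""
    times = [e["first_mtime"] for e in hits.values() if e["first_mtime"] is not None]
    if not times:
        return None
    return datetime.fromtimestamp(min(times), tz=timezone.utc)


def report(root):
    """Sorted (relative directory, label, renamed-file count) rows."""
    hits = scan_tree(root)
    return sorted(
        (os.path.relpath(d, root), classify(e), len(e["encrypted"]))
        for d, e in hits.items()
    )


def build_sample_tree(base):
    """Constructed sample data: three folders imitating a triaged file share."""
    layout = {
        "finance": ["q1.xlsx.phoenix", "payroll.csv.phoenix", "PHOENIX-HELP.txt"],
        "hr": ["PHOENIX-HELP.txt", "handbook.pdf"],
        "projects": ["logo.phoenix", "readme.md"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder))
        for name in names:
            with open(os.path.join(base, folder, name), "w") as fh:
                fh.write("constructed sample\n")
    # Pin one timestamp so the timeline result is deterministic.
    pinned = os.path.join(base, "finance", "q1.xlsx.phoenix")
    os.utime(pinned, (1616300000, 1616300000))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        for row in report(base):
            print(row)
        print("earliest renamed file:", earliest_activity(scan_tree(base)))
```

A directory labelled extension-only deserves a manual look before it is counted as affected, since an unrelated file can carry the same suffix.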

Ransomware Attacks Targeting UK’s Education Sector Increased, says NCSC

 

According to the warning by GCHQ's cybersecurity arm, NCSC, there has been a substantial spike in the number of ransomware attacks targeting the education sector over the last month, just as schools were getting ready to resume in-person classes. 

Ransomware attacks on the UK education sector have been on the rise, according to a new report. This includes developments seen in August and September 2020, along with attacks that have occurred since February 2021. It also offers mitigation recommendations to help in the defense of this sector. 

According to the report, senior leaders must recognize the magnitude of the threat and the ability of the ransomware to cause serious harm to their organizations in terms of information exposure and access to important services. 

Ransomware encrypts servers and files, making it impossible for organizations to provide services. Cybercriminals are betting that the need for schools and colleges to provide instruction will lead targeted organizations to give in to extortion demands and pay a bitcoin ransom in return for the decryption key required to recover the network. More importantly, cybercriminals have begun to warn that if the ransom is not paid, they will disclose confidential data taken from the network during the attack. Many high-profile cases have arisen in which cybercriminals have followed through on their threats by exposing confidential data to the public, mostly via the darknet's “name and shame” websites.

"In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records, as well as data relating to COVID-19 testing," the agency said. 

Ransomware attacks can be crippling to businesses, taking a considerable period for victims to recover and restore vital services. These activities can also be high-profile in nature, gaining a lot of attention from the public and the media. 

There are many ways for ransomware attackers to gain entry to a victim's network. Remote Desktop Protocol (RDP) is one of the most commonly used protocols for remote desktop activities, according to the NCSC, allowing staff to access their office desktop computers or servers from a remote device over the internet. Ransomware attackers often use insecure RDP and virtual private networks (VPN) configurations to gain initial access to victims' computers. 

"This is a growing threat and we strongly encourage schools, colleges, and universities to act on our guidance and help ensure their students can continue their education uninterrupted", says NCSC. 

To protect against malware and ransomware threats, the NCSC suggests that organizations adopt a "defense in depth" strategy. Its cybersecurity guidelines for schools, colleges, and universities to secure their networks from ransomware attacks include having an effective plan for vulnerability management and deploying security fixes, protecting remote web services with multi-factor authentication, and installing and activating anti-virus programs.

REvil Ransomware Gang Introduces New Malware Features which can Reboot Infected Devices

 

The ransomware gang REvil introduced a special malware feature that allows attackers to reboot infected devices after encryption. REvil emerged in April 2019 and is also recognized by the names Sodinokibi and Sodin. The ransomware gang was linked to many important attacks, including attacks in May 2020 on popular law firm Grubman Shire Meiselas and Sacks and also an attack in April 2020 on Travelex, a London-based currency exchange that paid a $2.3 million ransom for recovering its data. 

The MalwareHunter team researchers recently tweeted that the REvil operators have introduced two new command lines, named 'AstraZeneca' and 'Franceisshit', in Windows Safe Mode, which is utilized to reach the initialization screen for Windows devices.

"'AstraZeneca' is used to run the ransomware sample itself in the safe mode, and 'Franceisshit' is used to run a command in the safe mode to make the PC run in normal mode after the next reboot," the MalwareHunter team tweeted.

The strategy is not unique, but it is definitely uncommon, said the analysts. REvil most likely implemented this feature because it helps the ransomware avoid detection by certain security tools, since these functions allow attackers to encrypt the files in Windows Safe Mode.

"Causing a Windows computer to reboot in safe mode can disable software, potentially even antivirus or anti-ransomware software, that is working to keep your computer safe," says Erich Kron, security awareness advocate at the security firm KnowBe4. "This would then allow the attackers to make changes that may otherwise not be allowed in normal running mode." 

By monitoring computers for unusual reboot activity and by implementing effective data loss protection checks, organizations can deter malicious acts. Since REvil mainly uses compromised RDP and phishing emails for distribution, it is essential for organizations to ensure that all Internet-accessible RDP instances are protected, ideally through multi-factor authentication, and that their employees receive high-quality security awareness training that helps them identify and track phishing attacks.

Recently, the gang allegedly attacked Taiwanese PC maker Acer through an on-premises Microsoft Exchange server, exploiting the unpatched ProxyLogon flaw.

The REvil gang has gradually strengthened its malware and adopted various new methods of extortion. It now frequently targets bigger companies in search of significantly greater payouts, names and shames victims via its dedicated leak site, and targets victims with cyber insurance.

Data From These Two Universities Stolen and Published Online by Clop Ransomware Group

 

The Clop ransomware group has officially published online the grades and social security numbers for students at the University of Colorado and the University of Miami. 

Since December, threat actors linked to the Clop ransomware group have been attacking Accellion FTA servers and stealing the data stored on them. Companies use these servers to exchange confidential files and information with people outside the organization. The ransomware gang approached the companies and demanded $10 million in bitcoin, threatening to publish the stolen information on the internet if the demand was not met.

Since February, the Clop ransomware team has been publishing files stolen through flaws in the Accellion FTA file-sharing servers. This week the Clop ransomware gang began posting screenshots of compromised files from the Accellion FTA servers used by Miami University and Colorado University. In February, Colorado University (CU) disclosed a cyberattack in which the threat actors had stolen data through a vulnerability in Accellion FTA.

The actors behind the Clop ransomware have started to post screenshots of compromised data, including university files, university grades, academic records, registration details, and biographical information of students.

While the University of Miami did not report any data breach, it used a protected 'SecureSend' file sharing program that has since been shut down. "Please be advised that the secure email application SecureSend (secure.send.miami.edu) is currently unavailable, and data shared using SecureSend is not accessible," reads the University's SecureSend page.

Although the University of Miami never confirmed a security incident, the Clop ransomware operation still released screenshots of patient information. This information covers medical history, demographic analyses, telephone numbers, and email addresses. The data supposedly stolen from the University of Miami belongs to patients of the University's health system.

"While we believe based on our investigation to date that the incident is limited to the Accellion server used for secure file transfers, we continue to enhance our cybersecurity program to further safeguard our systems from cyber threats. We continue to serve our University community consistent with our commitment to education, research, innovation, and service," the University of Miami wrote. 

The ransomware gang has published only a few screenshots at this time but is likely to release more documents in the future to force victims to pay.

Electronics Giant Acer Hit by $50 Million Ransomware Attack

 

The ransomware gang known as ‘REvil’ stole confidential files from computer giant Acer and demanded an unprecedented ransom of US$50 million. The group also posted online images of allegedly stolen spreadsheets, bank balances, and bank texts, in order to prove their claims of having hacked into the Taiwan company’s network.

According to security researchers, hackers may have exploited a Microsoft Exchange vulnerability to gain entry into the company’s network. The $50 million demanded of Acer is the largest-ever ransom demand to become publicly known, Callow said, larger than the $42 million REvil wanted from celebrity law firm Grubman Shire Meiselas & Sacks, which counted Nicki Minaj, Mariah Carey, and Lebron James among its clients.

When asked about the situation, Acer wouldn’t admit that it was a ransomware attack, only telling Bleeping Computer in a statement that it has “reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries.” In response to a request for further details, Acer replied, “there is an ongoing investigation and for the sake of security, we are unable to comment on details.”

According to the Record’s report, Acer’s name appeared on the REvil ransomware group’s list of companies that do not pay extortion fees. With the help of malware intelligence analyst Marcelo Rivero, The Record managed to track down the gang’s other dark web portal, which clearly displayed the $50 million ransom the gang demands from Acer and the online chat the gang was using to communicate to the company’s representatives.

Before the attack, Advanced Intel’s Andariel cyberintelligence platform detected that the REvil gang recently targeted a Microsoft Exchange server on Acer’s domain and used the ProxyLogon vulnerability to install their ransomware.

FBI Warns of PYSA Ransomware Attacks on Educational Institutions

 

The Federal Bureau of Investigation (FBI) has issued a warning about an increase in PYSA ransomware attacks targeting educational institutions. While singling out educational institutions, the FBI notes that the PYSA ransomware surge is also targeting government bodies, private firms, and the healthcare sector in the US and the UK.

PYSA, also known as Mespinoza, was first discovered in October 2019. It is capable of exfiltrating and encrypting files and data, with the threat actors specifically targeting higher education, K-12 schools, and seminaries.

The advisory issued by the FBI stated: “These actors use PYSA to exfiltrate data from victims prior to encrypting victim’s systems to use as leverage in eliciting ransom payments. The cyber actors then exfiltrate files from the victim’s network, sometimes using the free opensource tool WinSCP5, and proceed to encrypt all connected Windows and/or Linux devices and data, rendering critical files, database, virtual machines, backups, and applications inaccessible to users.”

The attackers often use phishing and Remote Desktop Protocol (RDP) attacks for initial access to targeted networks and then use tools such as PowerShell Empire, Mimikatz, and Koadic to gain further access. They also gather and exfiltrate sensitive files from the victims’ networks, including personally identifiable information (PII), payroll tax information, and other types of data that could be used to force the victims to pay a ransom under the threat of leaking the stolen information.

The FBI researchers have also discovered Advanced Port Scanner and Advanced IP Scanner used by the attackers to conduct network reconnaissance. These are open-source tools that allow users to identify open network computers and discover the versions of programs on those ports. From there, threat actors are deploying various open-source tools for lateral movement. 

“Educational institutions are big targets for hackers as thousands of people’s sensitive information is potentially involved, and the substantial shift towards e-learning has made them even more appealing to hackers and ransomware. These attacks on schools can bring education to a halt while potentially exposing every student and teacher’s personal data within the organization. Parents are also targeted and may be coerced into paying ransom for personal information or school assignments if information falls into bad actors’ hands,” James Carder, CSO at LogRhythm stated.

Malware WannaCry And Vulnerability EternalBlue Remain at Large

 

One particular piece of malware and one vulnerability keep coming up as security companies have recapped the top trends in recent weeks: WannaCry and EternalBlue. WannaCry spread quickly because Windows Server Message Block version 1 (SMB v1) had a flaw, targeted by the exploit known as EternalBlue. Microsoft had already fixed the vulnerability, CVE-2017-0143, with its security update MS17-010 shortly before WannaCry was released.
For example, security firm Trend Micro says that WannaCry was the most commonly detected malware family last year, followed by cryptocurrency miners and Emotet. Emotet was recently disrupted by law enforcement.

“The one thing that really keeps WannaCry prevalent and active is the fact that it is wormable ransomware,” says Rik Ferguson, vice president of security research at Trend Micro. "Couple that with the fact that Shodan showed me just now that there remain 9,131 internet-facing machines vulnerable to MS17-010 and you quickly begin to understand why it continues to propagate." 

EternalBlue appears to have originated with the National Security Agency, which apparently developed the exploit for the SMB v1 flaw. The exploit was then obtained, whether leaked or stolen, by the Shadow Brokers group and eventually leaked in 2017. Two months later, the EternalBlue-targeting WannaCry was released, with many analysts claiming it was created by North Korean hackers, who may then have lost all control of it.

Although WannaCry appears to be the most frequently detected malware, that does not mean it is the most harmful or that most devices contain it. Not all such code is published, and even when it is, success is not guaranteed.

However, all else being equal, the continued circulation of WannaCry shows that at least some unencrypted devices remain infected. Regrettably, the number of unencrypted systems decreases asymptotically, never reaching zero. In 2020, Conficker, a malware family that was initially identified as targeting a vulnerability in Microsoft Server, was the 15th largest form of malware according to Trend Micro. "Other variants after the first Conficker worm spread to other machines by dropping copies of itself in removable drives and network shares," according to Trend Micro.

Though ransomware profits may be rising, the most frequently seen malware in the wild has changed little in recent times from a quantitative point of view.

The Finnish security company F-Secure, for example, lists network exploits and file-handling errors as the top malicious code attacks in 2020, and the most frequently seen form of attempted exploit still targets the EternalBlue vulnerability in SMB v1. "There are three different threat detections that contributed to this: Rycon, WannaCry, and Vools," stated Christine Bejerasco, vice president of F-Secure's Tactical Defense Unit.

University of the Highlands and Islands Deals with a Sudden Cyber Attack

 

A persistent 'cyber incident' occurred at the University of the Highlands and Islands (UHI), disrupting its services and networks on all of its campuses. Access to the UHI network of 13 colleges and academic institutions, including the Inverness and Perth colleges, was restricted for its students on Monday 8th of March. An advisory to students and staff across the 13 sites in the northernmost part of the UK said that 'most facilities', including the Brightspace digital training environment, have been affected. The notice read: “All classes currently online because of the restrictions caused by COVID-19 will continue as normal wherever possible. Some students will attend campuses for practical classes as directed by their local course or campus contact.”

"We are currently working to isolate and minimize impact from this incident with assistance from external partners. We do not believe personal data has been affected," said the university, adding: "The source of the incident is not yet known."

An e-mail sent to students stated that Office 365, Cisco Webex, OneDrive, Teams, and e-mail services were not compromised by the apparent intrusion. The same information was also published on the UHI website. Administrators affirmed their belief that personally identifiable information was not compromised.

Ransomware is malware that encrypts everything and leaves victims able to read only a ransom note. The perpetrators behind such incidents usually demand huge payouts in Bitcoin or equivalent cryptocurrencies in exchange for the decryption key to decode the victim's files. In an increasingly prevalent variant, the actors also copy confidential files from the victim's systems and demand a second ransom to prevent their disclosure.

Notably, UHI's description has a lot in common with the early stages of previous ransomware attacks. The typical pattern is an unexplained "cyber incident" that unexpectedly knocks out vast sections of IT services across an organization. Incidents of this kind have taken place with increasing frequency over the past year in insurance, charity, and other businesses, along with educational institutions.

Best practice when tackling ransomware is not to give in to the perpetrators' cash demands. However, distressed organisations are increasingly turning to cyber insurance firms, whose policies can pay off the offenders and clear up the attack.

CompuCom MSP Hit By DarkSide Ransomware Cyberattack

 

CompuCom, a US managed service provider, has suffered a DarkSide ransomware attack. It resulted in a service outage, and customers are disconnecting from the MSP's network to prevent the malware from spreading.

CompuCom is an IT managed services provider (MSP) that supplies remote support to its customers, including hardware and software repair, and provides various other technical services to companies.

CompuCom is owned by ODP Corporation (Office Depot/Office Max) and employs up to 8,000 people.

Over the weekend, CompuCom suffered an outage that prevented clients from accessing the company's customer portal to open troubleshooting tickets. When customers visit the portal, the website simply displays an error message: "An error occurred while processing your request."

CompuCom told the press that it has started informing its customers and warning them about the malware attack. However, the company has not revealed to its customers what type of attack occurred or whether it was ransomware. Multiple people told the press that “this was a ransomware attack”, but officials have not confirmed this.

Affected customers also told the press that CompuCom had disconnected its access to some customers to keep the attack from spreading. Another client said, “Some of us had detached from CompuCom's VDIs (Virtual Desktop Infrastructure) to ensure their data was not affected by the attack”.

CompuCom issued a statement saying that the company had experienced a 'malware incident' and that there is no evidence of it spreading to customers' systems.

"Certain CompuCom information technology systems have been affected by a malware incident which is affecting some of the services that we provide to certain customers. Our investigation is in its early stages and remains ongoing. We have no indication at this time that our customers' systems were directly impacted by the incident...”

“...As soon as we became aware of the situation, we immediately took steps to contain it and engaged leading cybersecurity experts to begin an investigation. We are also communicating with customers to provide updates about the situation and the actions we are taking. We are in the process of restoring customer services and internal operations as quickly and safely as possible,”

“...We regret the inconvenience caused by the interruption and appreciate the ongoing support of our customers." – CompuCom reported. 

But today, CompuCom's customers shared a 'Customer FAQ Regarding Malware Incident' that gives more thorough details of the attack than the company's statement did.

"Based on our expert's analysis to date, we understand that the attacker deployed a persistent Cobalt Strike backdoor to several systems in the environment and acquired administrative credentials. These administrative credentials were then used to deploy the Darkside Ransomware," the CompuCom FAQ reads.

Kaspersky detected new ransomware attack on Russian companies

Kaspersky Lab has recorded a series of targeted attacks on Russian financial and transport companies. Hackers used a previously unknown ransomware virus.

According to a statement from Kaspersky Lab, since December 2020, ten Russian financial and transport companies have been subjected to hacker attacks using the previously unknown Quoter ransomware. Experts believe that the Russian-speaking group RTM is behind this.

The hackers sent out phishing emails, choosing topics that they calculated should force the recipient to open the message, for example, "Request for refund", "Copies of documents from the last month" and so on. As soon as the recipient clicked on the link or opened the attachment, the RTM Trojan was downloaded to their device.

Then the attackers tried to transfer money through accounting programs by replacing the details in payment orders or manually using remote access tools. If they failed, they used Quoter, which encrypted the data using the AES cryptographic algorithm and left contacts for communication with hackers. If the recipient did not respond, they threatened to make the stolen personal data publicly available and attached evidence, and demanded about $1 million as a ransom.

Sergey Golovanov, a leading expert at Kaspersky Lab, warned that the attacks pose a serious threat to companies, as hackers use several tools at once: a phishing email with a banking Trojan and an encryption program.

"Among the features of this campaign is that the Russian-speaking RTM attackers changed the tools used for the first time, moreover, now they are attacking Russian companies," said Mr. Golovanov, noting that usually encryption programs are used in attacks on foreign organizations.

Group-IB also warned about hacker attacks from RTM. According to the company, from September to December 2018, the group sent more than 11 thousand malicious emails to financial institutions from addresses faked to look like those of government agencies. The emails contained a malicious attachment. The attachments had fake PDF icons, and once the file extracted from the archive was run, the computer was infected. On average, one successful theft of this type brought the attackers about 1.1 million rubles ($15,000).

CLoP Hacker Group Purloined Data From Jones Day

A dispute has broken out between US law firm Jones Day and the CLoP ransomware group over the provenance of stolen information, after some of the firm's assets were leaked on the dark web. The hacker group CLoP has posted a huge tranche of stolen records to a dark web “leak site,” asserting that it took them from the law firm during a recent cyberattack. Such sites are regularly used by hackers to goad a victim into paying a ransom. CLoP's site is freely accessible, and its existence has been verified.

In correspondence with the Wall Street Journal, the CLoP gang claimed to have acquired more than 100GB of material directly from Jones Day's servers and said it had contacted the firm with ransom demands on 3 February 2021. Jones Day has not engaged with the gang, hence the leak. The WSJ went on to report that Jones Day, which is among various law firms scrutinized for their connections to former President Trump, has denied that its organization was breached and maintains that the information was stolen in a supply chain attack on Accellion’s legacy file transfer product, FTA, which was publicly disclosed in January 2021.

Accellion was first informed regarding a zero-day vulnerability in its FTA product – which is quickly moving toward end-of-life – in December 2020. It released a patch within 72 hours, but the initial incident turned out to be just the first of a series of exploits used to attack its service over the following weeks. “Our latest release of FTA has addressed all known vulnerabilities at this time,” said Accellion CISO Frank Balonis. “Future exploits, however, are a constant threat. We have encouraged all FTA customers to migrate to kiteworks for the last three years and have accelerated our FTA end-of-life plans in light of these attacks.”

Emsisoft's Brett Callow said: “If CLoP published Jones Day’s data and Jones Day says the data leaked as a result of the attack on Accellion, the logical conclusion would be that CLoP was responsible for that attack – and that means they may have data relating to other Accellion customers.”

RiskSense Report Affirms Surge in Vulnerabilities Associated with Ransomware

In recent years, the threat from ransomware has grown enormously. Ransomware attacks have started to threaten more web applications, open-source platforms, and systems as attackers explore more precise pathways to organizations' biggest and most important data stores.

A research report showed that the total number of vulnerabilities associated with ransomware was 57 in 2019, which quadrupled to 223 in 2020, while the number of ransomware families rose from 19 to 125. The vast majority of the flaws used in ransomware attacks, almost 96 percent, were publicly reported before 2019. Software-as-a-service (SaaS) apps emerged as a new ransomware target, with the largest number of flaws with successful exploit patterns. Lastly, more than 15 operational families are offered as ransomware-as-a-service, allowing almost anyone to launch ransomware attacks without coding or security skills.

Approximately 40% of the 223 CVEs connected to recent ransomware attacks fall under five common weakness categories: permissions, privileges, and access controls; code injection; improper input validation; improper restriction of operations within the bounds of a memory buffer; and exposure of confidential information to an unauthorized party. The report published by RiskSense states that these overlaps "make it easy for ransomware families to predict new vulnerability disclosures with similar characteristics."

Srinivas Mukkamala, CEO and co-founder of RiskSense, said their analysis shows that both short-term patterns, like COVID-19 driving more companies onto the Internet, and further advances in digital transformation and cloud adoption across the sector contribute to this increased attack surface. These factors have combined to push many companies to implement technology, such as cloud applications, VPNs, and home networks, with misconfigurations that will most likely be abused by malware groups.

Mukkamala further added that “All of [those trends] actually opened up the aperture and attack surface for ransomware to target and if you look at the vulnerabilities, you can clearly see that your SaaS has been targeted, your backup as a service has been targeted, your remote access services have been targeted and interestingly, we’re looking at your open-source libraries being targeted.” 

RiskSense also observes increasing use of many of the same vulnerabilities by state-supported advanced persistent threat groups. These groups are not out to infect entities with malware payloads, but they increasingly use the same security vulnerabilities and misconfigurations.

Organizations often lack the expertise or security staff to keep up, and because RiskSense research shows that several different weaknesses are abused across the typical attack chain, depending on metrics such as Common Vulnerability Scoring System severity to prioritize the work can be folly. Some firms offer their own method, which they call patch intelligence, using data analysis to determine which current bugs are related to exploits seen in the wild.

Ransomware defense “is becoming more like an analytics play, where you’ve got to collect all your data and start prioritizing based on the exploitability and [whether] it's active right now,” stated Mukkamala.

Experts Confirm Shady Ransomware Business, Block-chain Transactions on Rise

Chainalysis, a blockchain investment firm, recently published a report confirming that cybercrime groups operating ransomware don't always stay in their own arena and often switch ransomware suppliers, also called RaaS services, in search of better profits. ZD Net says, "by taking out legitimate avenues for converting funds and reaching real-world profitability, Chainalysis believes RaaS operations would have a hard time seeing a reason to operate when they can't profit from their work."

The research looked into Bitcoin transactions from victims to cybercriminals and at how the stolen money was split between the various hacking groups involved in a ransomware attack. It also analyzed money laundering. To grasp these findings, however, a basic knowledge of present-day ransomware is required. The ransomware landscape today operates in the same way a modern business does.

Today, many coders build and rent out ransomware strains through RaaS services, similar to how modern software is offered. Some coders are selective, renting their strains only to a very limited set of people or groups, better known as "affiliates," whereas others rent to any user who signs up. In cyberattack incidents, it is usually these affiliates who orchestrate the attacks. The affiliates usually hack into government or corporate networks using emails, and then use the ransomware strains rented via RaaS to infect and encrypt the systems.

In a few incidents, experts observed, the affiliates have also belonged to multiple groups. Some specialize in intrusion and gaining access, and are called initial access vendors, whereas others are well versed in spreading that initial access across hacked networks to maximize the ransomware damage. The Chainalysis report says, "while we can’t say for sure that Maze, Egregor, SunCrypt, or Doppelpaymer have the same administrators, we can say with relative certainty that some of them have affiliates in common. We also know that Maze and Egregor rely on the same OTC brokers to convert cryptocurrency into cash, though they interact with those brokers in different ways."

Cerber Ransomware Returns: Targeting Healthcare Industry

Cerber, a type of ransomware that was once the most popular choice for cybercriminals, has returned and is being used to target health care organizations. In 2020, with COVID-19 test technology, healthcare firms drove digital innovation. However, it is important to note that unprecedented security flaws also emerged with these advances, which cybercriminals rapidly sought to take advantage of.

Cerber is ransomware-as-a-service (RaaS), which means that the attacker licenses the Cerber ransomware over the internet. Cerber has climbed into the category of sophisticated ransomware. In 2017, it was the most powerful ransomware family, accounting at one point for 90 percent of all ransomware attacks on Windows systems. Usually, an attacker adapts and delivers ransomware alone and keeps the entire payment; with Cerber's setup, however, the developer and partner can carry out the attack with less effort.

Usually, ransoms amounted to a few hundred dollars, a tiny sum relative to today's ransomware strikes that demand hundreds of thousands or millions for a decryption key. Yet Cerber's reach led many victims to pay the ransom demands, giving Cerber's creators and affiliates a lucrative business model. At times, cyber attackers also spread the ransomware via phishing e-mails or compromised websites.

Cybersecurity researchers at security company VMware Carbon Black have identified Cerber as the most common ransomware targeting healthcare as of late. In 2020, they found that there were 239.4 million attempted cyberattacks targeting VMware Carbon Black healthcare customers. The average number of attempted attacks in 2020 was 816, a staggering rise of 9,851 percent from 2019.

The rise in attacks started in February when the pandemic began to spread globally. The number of attempted attacks rose by 51 percent between January and February when hackers turned their focus to vulnerable healthcare institutions, which witnessed a huge improvement in their way of working and handling patients. 

"Although old malware variants such as Cerber tend to resurface, these are often re-factored to include new tricks, though at the core are still leveraging tried and true techniques," stated Greg Foss, senior cybersecurity strategist at VMware Carbon Black. 

He further added, "All it takes is a quick search on the dark web for someone to license out a ransomware payload to infect targets. Today, it's unfortunately just as easy to sign up for a grocery delivery service as it is to subscribe to ransomware.” 

Unfortunately, hospitals are a frequent target for cybercriminals who spread ransomware, because health care is built around networks that are open to patients. This can also lead hospitals to decide quickly to pay a ransom demand, because paying appears to be the only way to avoid jeopardizing patients' privacy and to stop hackers from releasing compromised records, which can be a very serious threat in healthcare.

Serco Affirms Babuk Ransomware Attack

Outsourcing giant Serco has confirmed that parts of its infrastructure in mainland Europe have been hit by a double extortion ransomware attack from the new Babuk group; however, the parts of its operation relating to the NHS Test and Trace program are unaffected. “Serco’s mainland European business has been subject to a cyber-attack,” a Serco representative said. “The attack was isolated to our continental European business, which accounts for less than 3% of our overall business. It has not impacted our other business or operations.”

The incident comes after security firms and insurers have increasingly stressed that digital extortionists learn from other attackers' techniques, outsource a portion of their operations, and depend on connections to infiltrate victim networks. Although the NHS Test and Trace program was unaffected by the incident, ThreatConnect EMEA vice-president Miles Tappin said the vulnerabilities in Serco's wider systems were of great concern, and that the Babuk attack uncovered “inherent weaknesses of the system”.

“Like many actors new to the world of ransomware, the actor behind Babuk ransomware has been learning on the job while drawing insights from other criminal groups,” said Allan Liska, an intelligence analyst at the threat intelligence company Recorded Future. In the ransom note, Babuk's operators claimed to have had access to Serco's systems for three weeks and to have already exfiltrated a terabyte of information. The cybercriminals made explicit references to Serco partners, including Nato and the Belgian Army, and threatened Serco with consequences under the General Data Protection Regulation (GDPR).

The attacker has demanded $60,000 to $85,000 in ransoms; however, that is “likely to increase over time as the threat actor becomes more experienced in ransomware operations,” according to a private analysis from PricewaterhouseCoopers obtained by CyberScoop. Babuk is far from sophisticated. Its code has contained mistakes that kept it from executing on some targeted computers, according to PwC. “We assess that, due to a disregard for error checking, Babuk would fail to execute altogether in some environments,” the analysis says.

However, while Babuk is still a relatively low-level threat to organizations, according to Liska, that could change if its operators bring in more money from attacks and invest in new capabilities.

The FSB recorded an attempt to encrypt the data of patients in hospitals in Russia

Nikolay Murashov, the deputy director of the National coordination center for computer incidents (NCCI), stated during a speech at the information security forum that in 2020, for the first time, the special services recorded attempts by hackers to introduce malicious software into the information resources of Russian medical institutions in order to encrypt user data.

According to him, there were also hacker attacks on the information resources of the Central Election Commission and Civic Chamber of the Russian Federation.

Murashov said that the special services managed to prevent attacks on the services of state structures.

In total, over the past year, the NCCI has stopped the work of more than 132 thousand malicious resources. At the same time, according to Murashov, the main sources of cyber attacks on Russian resources are located outside the country: 67 thousand foreign malicious resources and 65 thousand such resources in Russia were blocked by the Center for the year. The attacks were carried out from Turkey, the Netherlands, and Estonia and were aimed at state authorities and industrial enterprises.

In general, according to Murashov, remote work has complicated the protection of personal data, as attacks began to be carried out through insufficiently protected remote access centers and vulnerable software. NCCI specialists also registered the sending of phishing messages; most often, card data was stolen through phishing.

The National coordination center for computer incidents has been recording for several years that the main sources of hacker attacks on Russian organizations are located abroad.

In late January, the NCCI warned of possible cyberattacks from the United States. The Center linked the threat of attacks to accusations by Western countries that Russia was involved in hacker attacks on American government resources, as well as to their threats to carry out "retaliatory" attacks on Russian critical information infrastructure.

According to the Investigative Committee, in general, the number of cybercrimes over the past seven years in Russia has increased 20 times, and every seventh crime is committed using information technology or in cyberspace.

The NCCI was created in 2018 by order of the FSB to combat the threat of hacker attacks on Russia's infrastructure.

Trucking Company Forward Air Hit by Ransomware, Suffers Heavy Loss of $7.5 Million

Forward Air, a trucking and freight transportation logistics company, said that a ransomware attack cost it $7.5 million. The attack has caused heavy damage to the company's Q4 financial results. The amount comes from "loss of less-than-load (LTL) trucking business" and not from costs incurred in dealing with the incident. The loss mainly occurred because Forward Air had to temporarily pause electronic data operations with its customers. The incident happened on 15th December last year and was described as a cyberattack using Hades ransomware.

The attack compelled Forward Air to take its IT systems offline and close down electronic operations to deal with the issue. According to Freight Waves, a trucking news site, the cyberattack had a huge impact on the company's daily operations, as employees couldn't get the files required to clear customs. Though the company says that everything is back to normal now, the SEC (Securities and Exchange Commission) filing and the large amount that the company had to pay tell otherwise. This is why cybersecurity experts always recommend preventing a ransomware attack in the first place rather than having to deal with one.

Freight Waves reports, "While the cause is not disclosed, the wording of the Forward Air note is similar to what other companies will state when they are under a cyberattack. Additionally, the failure of the website and the fact that the source at the 3PL said emails to Forward Air were bouncing often are marks of a cyberattack." 

The SEC filing mentioned neither Forward Air paying any ransom nor any cyber insurance policy. Coveware, a company that deals in ransomware payment negotiations, published a report last week which said that organizations are now refraining from paying ransoms, as they've realized that the hacking groups don't always delete the stolen data. Today, companies choose to rebuild from scratch instead. Though ransom payments saw a decline, 2020 was the highest year for ransomware. According to the report from Chainalysis, 2020 saw total ransom payments worth $350 million, 311% more than 2019.