Search This Blog

Showing posts with label Ransomware Attacks.. Show all posts

Nefilim Ransomware Evolving Rapidly: Top Targets at a Glance


Ransomware has continually expanded both in terms of threat and reach as threat actors continue to devise fresh methods of introducing new ransomware variants and malware families. One such newly emerged ransomware that was first identified at the end of February 2020, Nefilim, threatens to release victims’ encrypted data if they are unable to pay the ransom. With a striking code resemblance to that of Nemty 2.5 revenge ransomware, Nefilim is most likely to be distributed via exposed Remote Desktop Protocol, according to Vitali Kremez, an ethical hacker at SentinelLabs.

Earlier this month, researchers from threat intelligence firm Cyble, discovered a post by the authors of Nefilim ransomware, claiming to have hacked The SPIE Group, an independent European market leader for technical services in the fields of energy. As per the claims made by the operators in the post, they are in the possession of around 11.5 GB of company’s sensitive data that include corporate operational documents- company’s telecom services contracts, dissolution legal documents, infrastructure group reconstruction contacts and a lot more.

Since April 2020, Nefilim has targeted multiple organizations around the globe, narrowing down on the regions- South Asia, South America, Oceania, North America, and Western Europe. Going by the count of attacks disclosed publicly, manufacturing comes on top as the most preferential and hence the most targeted industries by the operators of Nefilim ransomware; Mas Holdings, Fisher & Paykel, Aban Offshore Limited, Stadler Rail were some of the major targets. Other industries infiltrated by Nefilim are communication and transportation; Orange S.A. and Toll Group, Arteris SA being some of the top targets respectively. One important thing to notice here is that the ransomware has spared the healthcare and education sector entirely as of now, interestingly, no organization from the two aforementioned sectors has been targeted.

Nefilim uses a number of ways including P2P file sharing, Free software, Spam email, Torrent websites, and Malicious websites, to infiltrate organizations’ IT systems. Designed specially to penetrate Windows PCs, Nefilim actively abuses Remote Desktop Protocol and uses it as its primary attack vector to infiltrate organizations. It employs a combination of two distinct algorithms AES-128 and RSA-2048 to encrypt the target’s data that is later leaked on their websites known as Corporate Leaks- when victims’ fail to pay the ransom.

Users are advised to stay wary of exposed ports and security departments shall ensure closing off unused ports, experts have also recommended to ‘limit login attempts’ for Remote Desktop protocol network admin access from settings to stay guarded.

REvil/Sodinokibi Ransomware Specifically Targeting Food and Beverages Organizations



REvil, also known as Sodinokibi ransomware was first spotted in April 2019, it attacks Windows PCs to encrypt all the files on local drives (besides those enlisted in their configuration file) and leaves a ransom note on affected systems with instructions to get the files decrypted in turn of the demanded ransom. It shares a similar code as GandCrab ransomware and is said to be distributed by the authors of the aforementioned ransomware which saw a steep decline in its activity with the arrival of REvil. The claim regarding similarity was based on observations made by experts that point towards an identical set of techniques used in attacks, similar countries targeted, and the language.

The ransomware strain exploits an Oracle WebLogic vulnerability to elevate privileges and in order to generate and propagate encryption keys; REvil makes use of an Elliptic-curve Diffie Hellman key exchange algorithm. Let’s take a look at its latest activities.

As per sources, the ransomware tries not to attack systems belonging to Iran, Russia other countries that were once a part of the Soviet Union. However, it has affected a number of organizations across various other regions. In the year 2020, REvil attackers have limited their infection to North American and Western European organizations, targeting National Eating Disorders Association, Agromart Group, etc, and Atlas Cars, Plaza Collection, etc respectively.

The ransomware operators have developed a special interest in the manufacturing sector; food and beverage distributing businesses have seen an unprecedented number of ransomware attacks lately. The top targets from the industry include Harvest Food Distributers, Brown Forman Daniel’s, Sherwood Food Distributers, and Lion. Other industries that were heavily targeted by REvil range from media, retail, entertainment, health, IT, transport, real estate, government, energy, and non-profit.

How does it operate?

REvil begins with exploiting the CVE-2018-8453 vulnerability and proceeds to eliminate resource conflicts by terminating blacklist processes before the process of encryption. It wipes the contents of blacklisted folders and then encrypts files on local storage devices and network shares, finally exfiltrating basic host information.

Initially, REvil was noticed to be attacking businesses by exploiting vulnerabilities, But, since the past year, the operators have started employing common infection vectors namely phishing and exploit kits.

Cognizant Reveals Employees Data Compromised by Maze Ransomware


Leading IT services company, Cognizant was hit by a Maze Ransomware attack earlier in April this year that made headlines for its severity as the company confirmed undergoing a loss of $50-$70 million in their revenues. In the wake of the ransomware attack, Cognizant issued an email advisory alerting its clients to be extra secure by disconnecting themselves for as long as the incident persists.

Cognizant is one of the global leading IT services company headquartered in New Jersey (US). It started in 1994 as a service provider to Dun & Bradstreet companies worldwide; later in 1998, it became independent when D&B split into three, and one group of companies came under Cognizant corporation. Since then, the company has grown leaps and bounds making a name for its consulting and operation services in the industry.

The threat actors involved carried out the attack somewhere between 9-11 April, during this period of three days when the company was facing service disruptions, the operators mined a considerable amount of unencrypted data that included credit card details, tax identification numbers, social security numbers, passport data, and driving license information of the employees.

While giving further insights into the security incident, Cognizant said in its SEC filing, “Based on the investigation to date, we believe the attack principally impacted certain of our systems and data.”

“The attack resulted in unauthorized access to certain data and caused significant disruption to our business. This included the disabling of some of our systems and disruption caused by our taking certain other internal systems and networks offline as a precautionary measure."

“The attack compounded the challenges we face in enabling work-from-home arrangements during the COVID-19 pandemic and resulted in setbacks and delays to such efforts,” the filing read.

“The impact to clients and their responses to the security incident have varied,” the company added.

Conduent's European Operations Hit by Maze Ransomware, Data Stolen


Conduent, a business process outsourcing organization confirms that their European operations were crippled by a ransomware attack on Friday, in an immediate response to the attack the IT services giant was able to restore most of the affected systems within eight hours of the incident.

The security software company, Emsisoft and cybersecurity research and threat intelligence firm Bad Packets, expressed a large probability of Conduent been attacked by Maze ransomware.

What is a Maze ransomware attack?

The maze is a sophisticated strain of Windows ransomware that not only encrypts individual systems but also proliferate across the whole network of computers infecting each one of it. Typically, Maze attacks organizations around the globe and demand a ransom in cryptocurrency for a safe recovery of the data encrypted by the attackers.

It's the same variant of ransomware that attacked IT services company, Cognizant on April 18 – although the New-Jersey headquartered company chose not to share many details about the security incident, it said that its services were disrupted and internal security teams were taking active measures to contain the impact. Reportedly, some of the company's employees were locked out of the mail systems as a result of the attack.

In Conduent's case, the threat actors have posted online two zip files that appear to contain data regarding the company's services in Germany, as per the evaluations made by Emsisoft. The documents were published on a website that leaks Maze ransomware attacks.

The company's operations witnessed a disruption around 12:45 AM CET on Friday, May 29th. It was by 10.00 AM CET that morning – the systems were restored and functional again. Meanwhile, the ransomware was identified by the systems and was later addressed by their cybersecurity protocols.

While commenting on the matter, Cognizant CFO Karen McLoughlin said, "While we have restored the majority of our services and we are moving quickly to complete the investigation, it is likely that costs related to the ransomware attack will continue to negatively impact our financial results beyond Q2."

As per the statements released by Conduent to confirm the attack that happened last week, “Conduent's European operations experienced a service interruption on Friday, May 29, 2020."

"Our system identified ransomware, which was then addressed by our cybersecurity protocols. This interruption began at 12.45 AM CET on May 29th with systems mostly back in production again by 10.00 AM CET that morning, and all systems have since then been restored. This resulted in a partial interruption to the services that we provide to some clients. As our investigation continues, we have on-going internal and external security forensics and anti-virus teams reviewing and monitoring our European infrastructure"

However, Conduent did not answer the questions regarding the loss of the data and the researches carried out by two cybersecurity companies indicating the same.

Durham City, North Carolina Hit by Ransomware Attack



On Friday, The City of Durham, North Carolina suffered a cyberattack wherein Ryuk Ransomware crippled the city's IT systems and compromised its public safety phone networks. According to media reports, the city first experienced a phishing attack that eventually allowed the Ryuk Ransomware to develop onto its IT systems. In an immediate response, Durham shut down its network to prevent the attack from further spreading onto the entire network. All-access to the DCI Network for the Durham Police Department, the Durham Sheriff’s Office and their communications center had been temporarily disabled. Ryuk is well-planned and targeted ransomware that is being operated since 2018 by WIZARD SPIDER, a Russia-based operator of the TrickBot banking malware. After gaining access, Ryuk is programmed to permeate network servers as files are exchanged between systems.

As of now, there are no traces of data being stolen, however, users are advised to stay wary of phishing emails acting to be from the city officials. Alongside this, the attack led to the shut down of Durham's 911 call center and caused its Fire Department to be deprived of phone service. Ryuk's technical capabilities are relatively low, however, it has successfully targeted various small to large organizations across the world and encrypted hundreds of systems, storage, and data centres. Usually, the malware corrupt networks after they have been infected by the TrickBot Trojan, a malware designed to illegally harvest users' private data via phishing.

The malware is circulated via malicious email attachments and once it gathers all the important data from a given network, it lets the authors of Ryuk Ransomware acquire administrator credentials and gain access to the harvested data from the network, the malware does so by opening a shell back to the actors operating the threat.

"According to the SBI, the ransomware, named Ryuk, was started by a Russian hacker group and finds its way into a network once someone opens a malicious email attachment. Once it's inside, Ryuk can spread across network servers through file shares to individual computers," WRAL reported.

As per the findings that followed the investigations initiated by the city, the malware employed in the attack was found to be having Russian origins, however, the exact origin of the attack still remains unknown and the investigation regarding the same is underway.

Rise of the Ransomware Attacks Leads to an Increase Extortion Demands of Cyber Criminals


As there happens a rise in the number of ransomware attacks doubled is the number of organizations surrendering to the extortion demands of cybercriminals in the wake of succumbing to such attacks particularly this year in contrast with the previous one.

As indicated by figures in the recently released 2019 CrowdStrike Global; Security Attitude Security, the total number of organizations around the globe that pay the ransom subsequent to succumbing to a supply-chain attack has dramatically increased from 14% of victims to 39% of those influenced.

While cybersecurity suppliers and law enforcements suggest that victims don't fund crime by surrendering to the blackmail requests/ extortion demands, at times organizations see it as the fastest and easiest method for re-establishing their networks.

In the UK explicitly, the number of organizations that have encountered a ransomware attack and followed through on the demanded price for the decryption key stands at 28% – twofold the 14% figure of the previous year.

Be that as it may, on the grounds that the victims are as yet paying the ransom – which normally amounts up to six-figure sum – cybercriminals will keep on directing ransomware campaigns and likely broaden them further, particularly as the possibility of them getting captured is low.

In any case, notwithstanding the accomplishment of ransomware attacks – particularly those that have undermined the whole infrastructure of entire organizations – there are some generally straightforward and simple methods for averting the attacks doing any harm.

In the event that organizations guarantee that every one of the frameworks and programming on the network is fixed with the most recent security updates, it goes 'a long way' to preventing ransomware attacks from being effective the same number of campaigns depend on the abuse of the known vulnerabilities.

Organizations ought to likewise guarantee that default passwords aren't utilized on the system and, where conceivable, two-factor verification ought to be applied as this will counteract any hacker who figures out how to break the system from moving around and causing more damage.

However, in case of a ransomware attack being effective, organizations can guarantee they don't have to make the payment by normally creating a backup of their system and guaranteeing that the backup is stored offline.

Maze Ransomware Exfiltrated Data of Southwire Firm, Threatens to Publish if Ransom Not Paid


Maze ransomware, a variant of Chacha Ransomware that has been leading the charge of various ransomware attacks lately, now claimed responsibility for yet another cyber attack, this time on North America's most prominent wire and cable manufacturer, Southwire that generates household and industrial cables, utility products, portable and electronic cord products, OEM wire products, engineered products, and metal-clab cables for more than 50% of Northern America. It's a leading wire producing company with over 7,500 employees and has been around for seven decades now.

The attackers surreptitiously infiltrated company data and demanded a ransom of approximately $6 million (859 BTC) for a safe release of the data which reportedly is all set to be published in case the company fails to pay the demanded amount.

Maze Ransomware was originally discovered by Jérôme Segura, a security researcher at Malwarebytes in the month of May, earlier this year. Since then, the malware strain has gained massive popularity and is continuously becoming more and more active. While organizing various malspam campaigns, it has been discovered that its affiliates are essentially more dangerous.

On Monday, around the time when the company's website suffered the ransomware attack, admins located a message posted in Imgur demanding a ransom of 850 BTC from the company. In the wake of which, a topic was started on Reddit where Snooze16, seemingly an employee of the company, while putting the situation in perspective, said, “I went into the offices yesterday afternoon. Everyone was headed home – no computers. It looks like their site is still down. The IT guy that was there told me that the plant called him at 5 am asking how to shut the servers down. Bad time of year not to be shipping.”

In a conversation with the Chronicle, Jason Pollard, vice president of Talent Acquisition and Communications for the wire manufacturer, told, "We immediately self-quarantined by shutting down the entire network,"

"The incident did cause some disruption in our ability to make and ship our products."

"The safety of our employees, the quality of our products and our commitment to our customers are critically important to us. Today, we’re bringing critical systems back online, prioritizing manufacturing and shipping functions that enable us to create and send the product to our customers. We are dedicated to restoring all systems and bringing all of our employees back to work as safely and as quickly as possible." He further added.

Ransomware Attack Locks the Internet Service in Public Schools of Rockford





Due to a ransomware attack, the public schools in Rockford, Illinois are working without the internet service; whether it may be phone or a computer system everything has been affected.

The schools originally experienced the problem with its phone and internet services on Friday yet classes for around 28,000 students in 47 schools resumed by Monday in spite of outages as yet impacting the school buildings and the nearby district offices.

The ransomware in this way distinguished is said to be a kind of malware, or malevolent software, regularly spread through emails containing link or attachments that 'encrypt' a user's documents or systems, preventing them from accessing the data.

In a statement on Monday, the school officials said that experts are helping the district's technology team assess the outage. The locale says its authorities are attempting to get a 'complete picture' of the episode and see how it impacts its data.

However it is still under wraps as to with whom the school district is working with to thusly find the root cause of the whole problem, whether it is working with local, and state or federal law enforcement agencies.