Showing posts with label Ransomware attack.

City of Yonkers Refuses to Pay Ransom After Attackers Demand $10 million

 

The City of Yonkers has refused to pay after ransomware attackers demanded $10 million to restore the systems that serve the city's various departments.

Earlier this month, government employees at the City of Yonkers were locked out of their laptops and computers after the city's network was breached by ransomware attackers. In the meantime, employees were told to recover as much data as possible manually from backups, which in practice means keeping pen-and-paper records to be entered into databases once systems return.

The ransomware outbreak 

Ransomware attacks against local governments are rising with each passing day. Last year, at least 2,354 governments, healthcare facilities, and schools were hit by ransomware. Local governments are lucrative targets because they have fewer resources and less defensive capability.

A 2020 survey of state chief information security officers found that 70 percent listed ransomware as a top concern, citing funding hurdles and a lack of confidence in localities' ability to guard state information assets. And after a ransomware event, only 45 percent of local law enforcement agencies felt that they "had access to the resources" to analyze the digital evidence linked to the crime. Attackers can therefore operate with more confidence: Third Way found that only 3 out of every 1,000 cybercrimes reported to the FBI result in an arrest.

In 2019, the City of Baltimore was crippled for more than two weeks before the government’s systems were restored, in a delay that cost the city more than $18 million. Although Baltimore followed the instructions given by cyber security experts and the FBI to not pay the ransom, many people questioned the city’s strategy, given the extent of the damage.

“If we paid the ransom, there is no guarantee [the attackers] can or will unlock our system. There’s no way of tracking the payment or even being able to confirm who we are paying the money to. Because of the way they requested payment, there’s no way of knowing if they are leaving other malware on our system to hold us for ransom again in the future,” Mayor Bernard C. “Jack” Young said in response to the critics.

“Ultimately, we would still have to take all the steps we have taken to ensure a safe and secure environment. I’m confident we have taken the best course of action,” he added. 

No more ransom payments

When three more local governments were attacked within the space of a few months, the issue came before the United States Conference of Mayors, which adopted a unanimous resolution to stop paying ransom demands.

“Paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit. The United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm,” the mayors wrote.

In the case of the City of Yonkers, the city confirmed that the virus was quarantined on the network, no ransom was paid and the Department of Homeland Security was notified.

Howard University Cancels Online and Hybrid Classes After Ransomware Attack

 

Washington, D.C.’s Howard University, one of the largest historically Black universities in the United States, has canceled online and hybrid classes as it continues to investigate a ransomware attack on its computer network.

The security breach was identified on September 3, just weeks after students returned to campus when the University’s Enterprise Technology Services (ETS) noticed “unusual activity” on the University’s network and intentionally shut it down in order to mitigate the risk and to investigate the incident. 

There is no evidence so far that the private details of its 9,500 undergraduate and graduate students were accessed or stolen, but the investigation is still active, the university said in a statement.

“Based on the investigation and the information we have to date; we know the University has experienced a ransomware cyberattack. However, our investigation remains ongoing, and we continue to work toward clarifying the facts surrounding what happened and what information has been accessed,” the statement said. 

Howard University canceled classes to determine the impact of the attack, and only essential employees were allowed to continue working. Campus Wi-Fi will also be down while the investigation is underway, though cloud-based software remains accessible to students and teachers.

“This is a highly dynamic situation, and it is our priority to protect all sensitive personal, research, and clinical data. We are in contact with the FBI and the D.C. city government, and we are installing additional safety measures to further protect the University’s and your personal data from any criminal ciphering,” the university said.

But the university warned that remediation will be “a long haul — not an overnight solution.”

Howard University is the latest educational institution to be hit by a ransomware attack since the start of the pandemic, with the FBI’s Cyber Division warning that attackers have changed their strategies and are currently focusing heavily on schools and universities due to the widespread shift to remote learning.

Last year, the University of California paid $1.14 million to NetWalker attackers after they encrypted data within its School of Medicine’s servers, and the University of Utah paid hackers $457,000 to prevent them from releasing data stolen during an attack on its network. 

In 2021 so far, ransomware attackers have hit 58 U.S. education organizations and school districts, covering 830 individual schools, according to a report published last month by Emsisoft threat analyst Brett Callow. Emsisoft estimates that in 2020, 84 incidents disrupted learning at 1,681 individual schools, colleges, and universities.

"The attack on Howard University is yet another sign that cyberattacks are global, interconnected, and evolving. Hackers, drawn by the lucrative potential of holding business-critical data hostage, are launching more sophisticated attacks every day,” Stephen Manley, the chief technology officer at Druva, a data protection software company, said in a statement.

Amidst Surge in Ransomware Attacks, FBI Warns Food and Agriculture Sector

 

The FBI published a private industry advisory on Wednesday alerting the food and agriculture sector that it is under active attack by ransomware groups. The criminals' approach to firms in this sector is unremarkable; the methods and procedures they deploy are well known.

According to the FBI, ransomware gangs want to "disrupt operations, cause financial loss, and negatively impact the food supply chain." 

"Ransomware may impact businesses across the sector, from small farms to large producers, processors and manufacturers, and markets and restaurants. Cybercriminal threat actors exploit network vulnerabilities to exfiltrate data and encrypt systems in a sector that is increasingly reliant on smart technologies, industrial control systems, and internet-based automation systems," the FBI said. 

Food and agriculture enterprises hit by ransomware incur large financial losses from the ransom itself, on top of lost productivity and remediation costs. They may also lose proprietary information and personally identifiable information, and suffer reputational damage.

Many of the world's largest food firms now use a variety of IoT devices and smart technology in their business processes. According to the FBI, larger agricultural firms are targeted because they can afford to pay larger ransoms, while smaller entities are targeted because they cannot afford strong cybersecurity.

"From 2019 to 2020, the average ransom demand doubled and the average cyber insurance payout increased by 65 percent from 2019 to 2020. The highest observed ransom demand in 2020 was $23 million, according to a private industry report. According to the 2020 IC3 Report, IC3 received 2,474 complaints identified as ransomware with adjusted losses of over $29.1 million across all sectors," the FBI said. 

In an industry that is heavily dependent on smart technologies, industrial control systems, and internet-based automation, attackers exploit network weaknesses to steal data and encrypt systems.

According to the bureau, the most common initial access methods are email phishing campaigns, exploitation of Remote Desktop Protocol (RDP) weaknesses, and exploitation of software vulnerabilities.

The FBI has Issued a Warning About the Hive Ransomware Gang

 

The Federal Bureau of Investigation (FBI) has issued a security alert regarding the Hive ransomware attacks, which provides technical data and indicators of compromise related to the gang's operations. The gang recently targeted Memorial Health System, which was compelled to shut down some of its activities.   

Hive ransomware, according to John Riggi, senior advisor for cybersecurity at the American Hospital Association, is of particular concern to healthcare organizations. Hive has hit at least 28 organizations so far, including Memorial Health System, which was infected on August 15. The non-profit operates a number of hospitals, clinics, and healthcare facilities across Ohio and West Virginia.

The attack led Memorial, which is based in Ohio, to cut user access to IT applications. All urgent surgery cases and radiology exams were canceled for August 16, though general care visits went ahead as planned. Until systems were restored, staff at Memorial's hospitals (Marietta Memorial, Selby, and Sistersville General Hospital) had to rely on paper records.

Hive ransomware has been active since June 2021 and operates a ransomware-as-a-service model with a wide range of tactics, techniques, and procedures (TTPs). According to the FBI, the gang uses a variety of methods to infiltrate victims' networks, including phishing emails with malicious attachments to gain initial access and Remote Desktop Protocol (RDP) to move laterally once inside.

"After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim's system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, 'HiveLeaks,'" the FBI explained. "Hive ransomware seeks processes related to backups, anti-virus/anti-spyware, and file copying and terminates them to facilitate file encryption. The encrypted files commonly end with a .hive extension."

The alert also explains how the ransomware corrupts systems and backups before directing victims to a link to the group's "sales department", reachable through a Tor browser. The link connects victims to a live chat with the operators, though the FBI reports that some victims have also been phoned by the attackers demanding payment. Most victims are given a payment deadline of two to six days, but some have been able to extend it through negotiation.
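The on-disk indicators the FBI describes above (the .hive extension and a ransom note in every affected directory) are simple enough to hunt for on a file share or a restored image. The following Python script is an added example, not code from the FBI alert or from Hive itself: it walks a directory tree, reports per directory how many files carry the extension and whether a note is present, and separates confirmed hits from partial ones. The note file name is an assumption, since the alert does not give it, and the sample tree is constructed for the demonstration.

```python
"""Added example (not from the FBI alert): hunt for Hive-style on-disk artefacts.

The alert lists two indicators: encrypted files ending in ".hive" and a ransom
note dropped in each affected directory. scan_tree() walks a path and reports
both per directory; build_sample_tree() creates a constructed, harmless tree
to run it against. The note file name is an assumption.
"""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass

ENCRYPTED_EXT = ".hive"
NOTE_NAMES = {"how_to_decrypt.txt"}   # assumed note name, compared lower-cased


@dataclass
class DirFinding:
    path: str        # relative to the scanned root, always '/'-separated
    encrypted: int   # number of files ending in .hive
    note: bool       # ransom note present in this directory


def scan_tree(root: str) -> list[DirFinding]:
    """Return one finding per directory holding encrypted files or a note."""
    findings: list[DirFinding] = []
    for dirpath, _subdirs, files in os.walk(root):
        names = [f.lower() for f in files]
        encrypted = sum(1 for n in names if n.endswith(ENCRYPTED_EXT))
        note = any(n in NOTE_NAMES for n in names)
        if encrypted or note:
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            findings.append(DirFinding(rel, encrypted, note))
    return findings


def triage(findings: list[DirFinding]) -> dict:
    """Split confirmed impact (note + encrypted files) from partial hits.

    A note with no encrypted files may mean encryption was interrupted; encrypted
    files with no note may mean the note was cleaned up. Both deserve a look.
    """
    return {
        "confirmed": sorted(f.path for f in findings if f.note and f.encrypted),
        "encrypted_only": sorted(f.path for f in findings if f.encrypted and not f.note),
        "note_only": sorted(f.path for f in findings if f.note and not f.encrypted),
        "encrypted_files": sum(f.encrypted for f in findings),
    }


def build_sample_tree() -> str:
    """Create a constructed directory layout (plain text files, nothing malicious)."""
    root = tempfile.mkdtemp(prefix="hive-demo-")
    layout = {
        "finance": ["report.xlsx.hive", "budget.docx.hive", "HOW_TO_DECRYPT.txt"],
        "hr": ["handbook.pdf"],                      # untouched directory
        "shares/public": ["photo.jpg.hive"],          # encrypted, note missing
        "tmp": ["HOW_TO_DECRYPT.txt"],                # note only
    }
    for rel, names in layout.items():
        d = os.path.join(root, *rel.split("/"))
        os.makedirs(d)
        for n in names:
            with open(os.path.join(d, n), "w", encoding="utf-8") as fh:
                fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for key, value in triage(scan_tree(demo_root)).items():
        print(f"{key}: {value}")
```

Run it against a mounted share or a forensic image mount rather than a live infected host, and treat the note_only bucket as a prompt to check backups and shadow copies, since the alert says Hive kills backup and file-copy processes before encrypting.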

73,500 Patients Data was Compromised in a Ransomware Attack on a Singapore Eye Clinic

 

The personal data and clinical information of roughly 73,500 patients of a private eye clinic were compromised in a ransomware attack earlier this month, the third such incident in Singapore within a month. The data included names, addresses, identity card numbers, contact details, and clinical information such as clinical notes and eye scans, Eye & Retina Surgeons (ERS) said on Wednesday.

The clinic said that no ransom has been paid and that no credit card or bank account information was accessed or compromised. According to Singapore's Ministry of Health (MOH), the compromised IT systems at the clinic are not connected to the ministry's IT systems, such as the National Electronic Health Record, and there have been no similar cyber-attacks on MOH systems.

The ministry also requested ERS to look into the issue, conduct a thorough evaluation of its systems, and collaborate with the Cyber Security Agency (CSA) to "take prompt mitigation efforts to enhance its cyber defences."

"Following this incident, MOH will be reminding all its licensed healthcare institutions to remain vigilant, strengthen their cybersecurity posture, and ensure the security and integrity of their IT assets, systems, and patient data. It is only through the disciplined maintenance of a safe and secure data and IT system that healthcare professionals will be able to deliver accurate and appropriate care, and uphold patient safety," the MOH said. 

The clinic's IT system has since been restored "securely", with IT experts performing "thorough" system checks, reformatting servers, and running anti-virus scans on all computer terminals. ERS said it has taken steps to prevent a recurrence and is now notifying patients about the attack.

Following the ERS ransomware incident, similar incidents occurred at insurer Tokio Marine Insurance Singapore and IT firm Pine Labs. According to a recent report from Singapore's Cyber Security Agency (CSA), 89 ransomware cases were reported to the agency last year, up from 35 in 2019. The attacks mostly hit small and medium-sized businesses in the manufacturing, retail, and healthcare sectors.

In August, the MOH issued the Healthcare Cybersecurity Essentials guidelines, encouraging all licensed healthcare providers to set up and continually assess their security defences, adopt new measures, and apply best practices to secure their IT systems and endpoints.

Cyber Firm: Ransomware Group Demanding $50M in Accenture Security Breach

 

The hacking group behind a ransomware attack on global solution provider powerhouse Accenture has demanded $50 million in ransom, according to the cybersecurity firm that saw the demand.

According to a tweet from Cyble, a dark web and cybercrime monitoring company, the threat actor is seeking $50 million in return for more than 6 TB of data. 

On Thursday, Accenture responded it had no additional information to add to its statement, pointing CRN to a statement issued on Wednesday that claimed it had "contained the matter and isolated the affected servers" and that "there was no impact on Accenture's operations, or on our clients' systems." 

The group apparently used LockBit ransomware in the attack, revealed on Wednesday, on Accenture, which is ranked No. 1 on CRN's Solution Provider 500 for 2021.

According to Emsisoft, a cybersecurity firm based in New Zealand, LockBit is a ransomware strain that locks users out of infected devices until a ransom is paid. The incident follows the July ransomware attack on Kaseya, which involved a $70 million ransom demand to decrypt victims' files. Kaseya later said it had obtained a decryptor for the REvil ransomware but had not paid the ransom.

“At the end of the day, paying the ransom is never a good idea,” stated Douglas Grosfield, founder and CEO of Kitchener, Ontario-based Five Nines IT Solutions, in an interview with CRN. 

“The majority of folks that do end up paying the ransom don’t necessarily get all of their data back. And what you do get back, you can’t trust. There could be a payload there—a ticking time bomb—that will make it easier for the perpetrators to get in again.” 

He stated that ransomware groups targeting IT service companies such as Accenture is unsurprising. “The only surprise is that it took the bad guys this long to figure out that service providers are a pretty juicy target,” he added. 

According to Grosfield, the Accenture incident is a reminder of the proverb "physician, heal thyself": IT service providers must make sure their own systems are secure before proposing security solutions to their clients.

Accenture says it has contained the attack, though that assertion has been questioned. The firm confirmed the ransomware attack in an emailed response to a request for information from CRN but said it had no impact on the organization.

“Through our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers. We fully restored our affected servers from back up. There was no impact on Accenture’s operations, or on our clients’ systems,” Accenture wrote. 

However, a CNBC reporter said on Wednesday that the hackers behind the Accenture attack had uploaded more than 2,000 files to the dark web, including PowerPoint presentations and case studies.

On Wednesday, VX-Underground, which says it holds the internet's largest collection of malware source code, tweeted a countdown timer allegedly posted by the group, showing the time remaining until Accenture's data would be published. The timer eventually ran out. According to VX-Underground, the LockBit gang briefly published 2,384 files, but they were unavailable because of Tor domain problems, most likely caused by excessive traffic.

The LockBit attack clock was restarted with a new date of Aug. 12, 2021, 20:43 UTC, or 4:43 p.m. ET Thursday, according to the group. 

The Accenture incident, according to Ron Bradley, vice president of third-party risk management firm Shared Assessments, is "a perfect example of the distinction between business resiliency and business continuity," he told Threatpost on Wednesday. 

“This particular example with Accenture is interesting in the fact that it was a known/published vulnerability,” Bradley continued. “It highlights the importance of making sure systems are properly patched in a timely manner. The ability for Accenture to manage the repercussions of potentially stolen data will be an important lesson for many organizations going forward.” 

According to Hitesh Sheth, president and CEO of cybersecurity firm Vectra, all organizations should expect such attacks, especially a global consultancy with links to so many other companies.

“First reports suggest Accenture had data backup protocols in place and moved quickly to isolate affected servers,” he informed Threatpost on Wednesday. “It’s too soon for an outside observer to assess the damage. However, this is yet another reminder to businesses to scrutinize security standards at their vendors, partners, and providers. Every enterprise should expect attacks like this – perhaps especially a global consulting firm with links to so many other companies. It’s how you anticipate, plan for and recover from attacks that counts.” 

LockBit encrypts files with AES and generally demands a high five-figure ransom to decrypt them. According to Emsisoft, LockBit's procedures are largely automated, allowing it to operate with little human oversight once a victim has been compromised. It also serves as the foundation of a ransomware-as-a-service business model, in which affiliates deploy the malware in exchange for a share of the ransom payments.

City Officials of Grass Valley Negotiate with the Handlers of a Ransomware Attack

 

The city of Grass Valley is among the latest victims of a ransomware attack. The attackers told city officials that they had obtained data from city systems and threatened to publish it online if the city did not pay a ransom. Surprisingly, the officials decided to pay.

“I think everyone’s a target. We’re not supposed to negotiate with terrorists – it emboldens them,” said Matthew Coulter, a Grass Valley resident who clearly wasn’t happy with the decision taken by the city officials.

According to Grass Valley police, the city was left with no choice after the perpetrators contacted it in late June and threatened to publish the stolen data. The copied data allegedly included information on people and businesses that had dealt with various Grass Valley departments, including law enforcement.

“If we didn’t pay a small ransom and that data was dumped on the world wide web, then all of the people that we interacted with would be at risk of identity theft, loss of privacy, et cetera. One of the factors that weighed heavily for the city council was if this was something we could do to protect the people that we serve,” said Grass Valley attorney Michael Colatuono. 

City and emergency services were not greatly affected, though some discretionary outages were temporarily put in place. The cost of the incident is covered by the city’s insurance, according to an earlier press release and statements at the news conference.

Grass Valley isn’t the first city in the region to be targeted, and likely won’t be the last. Sierra College was hit earlier this year, and others are dealing with similar issues. City officials said the Federal Bureau of Investigation was contacted and that various state agencies are still investigating to identify the perpetrators. Credit monitoring is available to anyone who thinks their personal data may have been breached.

Matt Bishop, a cybersecurity expert and UC Davis professor, said the most important thing to watch for in countering such attacks is ‘phishing’ emails. They may appear to come from a sender you recognize while actually impersonating someone you are familiar with. He advised always checking the sender’s email address and avoiding links you don’t recognize, noting that a single click can set off this kind of chaos.
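The sender and link checks Bishop recommends can be automated at the mail gateway or in a triage script. The following Python script is an added example, not code from the article: it parses a raw message and flags a display name that carries a different address than the real sender, a Reply-To that diverts replies to another domain, a sender domain that is a separator-shuffled lookalike of a trusted one (a heuristic), and a link whose visible text names one host while its href points to another. The messages, domains and trusted-domain list are constructed for the demonstration.

```python
"""Added example (not from the article): sender and link checks on a raw email.

Messages, domains and the trusted-domain list below are constructed samples.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ADDR_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[\w-]+")


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def squash(domain: str) -> str:
    """Drop separators so 'example-city-gov.net' reads like 'example-city.gov'."""
    return re.sub(r"[^a-z0-9]", "", domain.lower())


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw: str, trusted: set[str]) -> set[str]:
    """Return the set of phishing indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    found: set[str] = set()
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)

    # 1. The display name shows an address whose domain is not the real sender's.
    shown = ADDR_RE.search(display)
    if shown and domain_of(shown.group(0)) != from_dom:
        found.add("display-name-address-mismatch")

    # 2. Reply-To diverts replies to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        found.add("reply-to-domain-mismatch")

    # 3. Heuristic: sender domain is not trusted but contains a trusted domain once
    #    dots and hyphens are stripped. Sub-domains of a trusted domain are fine.
    legit = any(from_dom == t or from_dom.endswith("." + t) for t in trusted)
    if not legit and any(squash(t) in squash(from_dom) for t in trusted):
        found.add("lookalike-domain")

    # 4. The link text names one host while the href goes to another.
    body = ""
    if not msg.is_multipart():
        charset = msg.get_content_charset() or "utf-8"
        body = msg.get_payload(decode=True).decode(charset, "replace")
    parser = _Anchors()
    parser.feed(body)
    for href, text in parser.links:
        shown_host = urlparse(text).hostname if "://" in text else None
        real_host = urlparse(href).hostname
        if shown_host and real_host and shown_host.lower() != real_host.lower():
            found.add("link-text-mismatch")
    return found


TRUSTED = {"example-city.gov"}   # constructed allow-list of expected sender domains

SAMPLE_PHISH = "\n".join([
    'From: "finance@example-city.gov via Secure Mail" <billing@example-city-gov.net>',
    "Reply-To: <collections@mail-example.net>",
    "To: resident@example.org",
    "Subject: Overdue water bill - action required",
    "Content-Type: text/html; charset=utf-8",
    "",
    '<html><body><p>Pay now: <a href="http://login.example-city-gov.net/pay">'
    "https://portal.example-city.gov/pay</a></p></body></html>",
    "",
])

SAMPLE_CLEAN = "\n".join([
    'From: "Example City Finance" <billing@example-city.gov>',
    "To: resident@example.org",
    "Subject: Your water bill is ready",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "Your bill is available in the portal.",
    "",
])

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, sorted(analyze(raw, TRUSTED)) or "no indicators")
```

None of these checks proves a message is malicious on its own (marketing platforms legitimately set a foreign Reply-To, for instance), which is why the function returns the set of indicators rather than a verdict and leaves the scoring to the caller.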

Fashion Retailer Guess Confirms Data Breach

 

Guess, the popular clothing and lifestyle brand, is notifying customers by letter of a data breach caused by a ransomware attack in February. Soon after the incident, the retailer engaged a cybersecurity firm to assist with its investigation.

“On May 26, 2021, the investigation determined that personal information related to certain individuals may have been accessed or acquired by an unauthorized actor. The investigation determined that Social Security numbers, driver’s license numbers, passport numbers, and/or financial account numbers may have been accessed or acquired,” the letter reads.

Guess identified the addresses of all affected customers after reviewing the exposed documents on June 30. It began informing customers on June 9 and filed a breach notification a month later. While only 1,300 individuals may have been affected, the extent of the damage to each affected customer should serve as a warning to enterprises of all sizes.

Los Angeles-based Guess has 1,580 stores globally, including 280 in the U.S. and 80 in Canada. As of May, it counted a further 539 stores, with a presence in 100 countries.

In April, Databreaches.net reported that the DarkSide ransomware gang had claimed responsibility for the Guess breach and ransomware attack, and that the gang had studied Guess' financial records and learned the company brought in nearly $2.7 billion in revenue last year.

"We recommend using your insurance, which just covers this case. It will bring you four times more than you spend on acquiring such a valuable experience. We act in stages and notify the press usually already when exactly sure that the company will not pay. As for [Guess and another company they named] -- I think the press will see them," the DarkSide representative said in messages translated from Russian.

"Although the DarkSide ransomware group is out of commission, that does not mean this breach is insignificant. The significant amount and very personal types of data being collected by the organization, including passport numbers, Social Security numbers, driver's license numbers, financial account and/or credit/debit card numbers with security codes, passwords, or PIN numbers, is an extremely valuable dataset for cybercriminals if they want to steal identities," Erich Kron, a security analyst at KnowBe4, stated.

Palo Alto Networks' Unit 42 Publishes Report on Mespinoza Group

 

Unit 42 of Palo Alto Networks has examined the Mespinoza gang's latest techniques and practices, noting its 'cocky' messaging and its tools with 'creative names', but has found no evidence that the group has moved to a ransomware-as-a-service model.

Mespinoza attacks largely follow trends seen across other ransomware actors and families, which keep their operations simple and cheap to run.

The report researchers explained, "As with other ransomware attacks, Mespinoza originates through the proverbial front door – internet-facing RDP servers – mitigating the need to craft phishing emails, perform social engineering, leverage software vulnerabilities or other more time-consuming and costly activities. Further costs are saved through the use of numerous open-source tools available online for free, or through the use of built-in tools enabling actors to live off the land, all of which benefits bottom-line expenses and profits." 

Although the Mespinoza group has not been as active as the better-known REvil, its operations have been highly successful: Unit 42's examination found that victims pay up to $470,000 each to have their files decrypted, mainly from targets in the US and UK, including the attack on Hackney Council last October.

Once a victim is in their sights, the actors move quickly from initial breach to exfiltration to ransomware deployment. In one case, by no means the quickest, the whole sequence took less than three days: RDP compromise, network reconnaissance, and credential collection on the first day, exfiltration of the target data on the second, and ransomware deployment on the third.

"Through the use of various open-source tools - mostly designed for use by sysadmins and pen-testers - the Mespinoza actors can move around the network with ease, looking for high-value data for maximum leverage as they go, and staging the latter parts of their attack to encrypt as many systems as possible," stated Alex Hinchliffe, threat intelligence analyst at Unit 42. 

The group has primarily targeted manufacturers, retailers, the medical sector, and the education sector. Earlier reports had suggested that Mespinoza followed in REvil's footsteps and offered ransomware-as-a-service, but Unit 42's research found no evidence of this.

The group's communications, which the researchers describe as "cocky," are telling in this respect. "Victim organizations are referred to as 'partners,'" the researchers found. "Use of that term suggests that they try to run the group as a professional enterprise and see victims as business partners who fund their profits."

"Generally speaking RDP and other remote administration tools have become a high-value target for many cybercriminals and nation-state adversaries because of how simple it is to find them," Hinchliffe said.

"There's no reason to expose RDP directly to the public internet in this day and age," security researcher Tom Hudson told The Register of the all-too-familiar entry point for Mespinoza's attacks. "If you need RDP access over the internet you should be requiring the use of a VPN with multi-factor authentication enforced." 
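Hudson's advice can be checked from the outside with the protocol's own negotiation. The following Python probe is an added example, not code from Unit 42 or The Register: it sends the MS-RDPBCGR X.224 Connection Request carrying an RDP_NEG_REQ that asks for plain PROTOCOL_RDP only. A server that enforces Network Level Authentication refuses that with RDP_NEG_FAILURE code HYBRID_REQUIRED_BY_SERVER (5); a server that answers with RDP_NEG_RSP selecting protocol 0, or with a bare X.224 Connection Confirm and no negotiation structure, accepts unauthenticated sessions and is exactly the front door the report describes. probe_rdp() performs the live exchange and should only be pointed at hosts you are authorised to test; the DEMO_* byte strings are constructed server replies for running the parser offline.

```python
"""Added example (not from Unit 42 or The Register): probe an RDP listener for
exposure and for NLA enforcement using the MS-RDPBCGR connection-initiation
handshake. The DEMO_* replies are constructed, not captured from a real host.
"""
from __future__ import annotations

import socket
import struct

PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_negotiation_request(requested: int = PROTOCOL_RDP) -> bytes:
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ (type 1, flags 0, len 8)."""
    neg = struct.pack("<BBHI", 0x01, 0x00, 0x0008, requested)
    # CR TPDU: code 0xE0, dst-ref 0, src-ref 0, class 0, then the negotiation request
    x224 = bytes([0xE0, 0x00, 0x00, 0x00, 0x00, 0x00]) + neg
    x224 = bytes([len(x224)]) + x224                 # length indicator
    return struct.pack(">BBH", 0x03, 0x00, 4 + len(x224)) + x224


def parse_negotiation_response(data: bytes) -> dict:
    """Interpret the server's X.224 Connection Confirm, with or without RDP_NEG_*."""
    if len(data) < 11 or data[0] != 0x03 or data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if len(data) < 19:                               # legacy server: no negotiation
        return {"kind": "legacy", "nla_required": False, "protocol": PROTOCOL_RDP}
    rtype, _flags, _length, value = struct.unpack_from("<BBHI", data, 11)
    if rtype == 0x02:                                # RDP_NEG_RSP: protocol accepted
        return {"kind": "response", "nla_required": False, "protocol": value}
    if rtype == 0x03:                                # RDP_NEG_FAILURE: request refused
        return {"kind": "failure", "nla_required": value in (5, 6), "protocol": None,
                "failure": FAILURE_CODES.get(value, f"UNKNOWN({value})")}
    raise ValueError(f"unexpected negotiation type {rtype:#x}")


def verdict(result: dict | None) -> str:
    """Turn a parsed reply (or None for no answer) into a one-line assessment."""
    if result is None:
        return "closed or filtered"
    if result["nla_required"]:
        return "listening; NLA enforced (still belongs behind VPN + MFA)"
    if result["protocol"] == PROTOCOL_RDP:
        return "listening; accepts unauthenticated plain RDP"
    return f"listening; {result.get('failure', 'TLS-only or other negotiation')}"


def probe_rdp(host: str, port: int = 3389, timeout: float = 3.0) -> dict | None:
    """Live check against an authorised target: None if nothing answers on the port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiation_request(PROTOCOL_RDP))
            return parse_negotiation_response(s.recv(64))
    except OSError:
        return None


# Constructed replies: TPKT | X.224 CC (LI, 0xD0, dst-ref, src-ref 0x1234, class) | RDP_NEG_*
DEMO_NLA_ENFORCED = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 03 00 08 00 05 00 00 00")
DEMO_NO_NLA = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 02 00 08 00 00 00 00 00")
DEMO_LEGACY = bytes.fromhex("03 00 00 0b 06 d0 00 00 12 34 00")

if __name__ == "__main__":
    for label, reply in (("nla", DEMO_NLA_ENFORCED), ("plain", DEMO_NO_NLA), ("legacy", DEMO_LEGACY)):
        print(label, "->", verdict(parse_negotiation_response(reply)))
```

The probe ranks exposed hosts rather than approving any of them: even an NLA-enforcing listener on a public address is still a credential-stuffing and pre-authentication exploit target, so the remediation is the one Hudson gives, taking the listener off the internet and reaching it over a VPN with MFA.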

While Mespinoza may not be above copying other groups' victim lists, its tools are named with a flair of their own: the report notes that a tool for building network tunnels is dubbed 'MagicalSocks', and a component stored on its server is called 'HappyEnd.bat', which is probably used to wrap up an attack.

After a Ransomware Attack, CNA Reports a Data Breach

 

Following a Phoenix CryptoLocker ransomware attack in March, CNA Financial Corporation, a leading US-based insurance firm, is notifying clients of a data breach. According to the Insurance Information Institute, CNA is the seventh-largest commercial insurance company in the United States. Individuals and corporations in the United States, Canada, Europe, and Asia can purchase a wide range of insurance products from the company, including cyber insurance coverage. 

"The investigation revealed that the threat actor accessed certain CNA systems at various times from March 5, 2021 to March 21, 2021," CNA said in breach notification letters mailed to affected customers on July 9. "During this time period, the threat actor copied a limited amount of information before deploying the ransomware." According to breach information filed with Maine's Attorney General's office, the data breach reported by CNA affected 75,349 people.

After reviewing the data stolen during the attack, CNA determined that it contained personal information such as names and Social Security numbers. "Having recovered the information, we have now completed our review of that information and have determined it contained some personal information including name, Social Security number and in some instances, information related to health benefits for certain individuals," CNA explained in a separate incident update.

"The majority of individuals being notified are current and former employees, contract workers, and their dependents." The corporation went on to say that there was no evidence that the stolen data was "viewed, retained, or shared." Furthermore, CNA states that there is no reason to believe that the stolen data has been or will be exploited in any way. CNA also said, "CNA will be offering 24 months of complimentary credit monitoring and fraud protection services through Experian. CNA is also providing a toll-free hotline for the individuals to call with any questions regarding the incident." 

According to sources familiar with the incident, the Phoenix CryptoLocker operators encrypted approximately 15,000 devices on CNA's network after deploying ransomware payloads on March 21. The attackers also encrypted the machines of remote workers who were logged into the company's VPN at the time, according to BleepingComputer.

Phoenix Locker is thought to be a new ransomware family designed by the Evil Corp hacking gang to dodge sanctions after victims of the WastedLocker ransomware refused to pay ransoms to avoid legal action or fines. "The threat actor group, Phoenix, responsible for this attack, is not a sanctioned entity and no U.S. government agency has confirmed a relationship between the group that attacked CNA and any sanctioned entity," the company said.

Hackers Asking $70 Million in Ransom, Kaseya Confirmed

 

On Monday, U.S. information technology company Kaseya reported a ransomware attack that has hit an estimated 800 to 1,500 businesses around the world. The Florida-based company's CEO, Fred Voccola, told the media that the impact is hard to gauge because those affected were mainly customers of Kaseya's customers.

Reportedly, the attackers gained access to Kaseya's systems in a way that gave them control over them, allowing them to cripple hundreds of businesses across five continents. Many of those affected were small businesses such as dentists' offices or accountants, which were not necessarily severely disrupted. In some countries the disruption was more serious: in Sweden, hundreds of supermarkets had to close because their cash registers stopped working, and in New Zealand schools and kindergartens were knocked offline.

The group that claimed responsibility for the breach is demanding $70 million to restore all the affected businesses' data.

The group has also shown a readiness to negotiate in private conversations with a cybersecurity expert and with Reuters. "We are always ready to negotiate," a representative of the hackers told Reuters earlier on Monday. The spokesperson, who communicated via a chat interface on the hackers' website, did not disclose their name. 

When Voccola was asked about this negotiation he directly refused to say anything. "I can't comment 'yes,' 'no,' or 'maybe'," he said when asked whether his company would talk to or pay the hackers. "No comment on anything to do with negotiating with terrorists in any way."

Kaseya Limited is an American software company that provides software for managing networks, systems, and IT infrastructure. It also offers tools to IT companies, and its network monitor is used to observe the performance of network assets such as switches, firewalls, and routers. 

Diavol Ransomware is Linked to Wizard Spider Cybercrime Group


The cybercrime group behind the Trickbot botnet, Wizard Spider, has been linked to a new ransomware strain dubbed Diavol, according to FortiGuard Labs security analysts. In early June 2021, Diavol and Conti ransomware payloads were delivered on several systems in a ransomware attack prevented by the company's EDR technology. 

Wizard Spider is a financially motivated criminal group based in Russia that manages the Trickbot botnet, which is used to distribute second-stage malware to infected devices and networks. Because it spreads over corporate networks, Trickbot is especially hazardous to companies. If it gains administrative access to a domain controller, it will also steal the Active Directory database, allowing the attackers to harvest even more network credentials.

From the use of asynchronous I/O operations for queuing file encryption to the use of nearly identical command-line options for the same functionality (logging, encryption of drives and network shares, network scanning), the two ransomware families' samples are cut from the same cloth. Despite the similarities, the researchers were unable to establish a clear relationship between Diavol ransomware and the Trickbot gang: some substantial differences made high-confidence attribution impossible. For example, unlike Conti, Diavol has no built-in checks to prevent payloads from running on Russian targets' systems. There is also no evidence of data exfiltration capabilities before encryption, which is now a classic ransomware extortion method. 

The encryption mechanism used by Diavol ransomware is based on user-mode Asynchronous Procedure Calls (APCs) and an asymmetric encryption algorithm. This distinguishes it from other ransomware families, which frequently employ symmetric methods to accelerate the encryption process. Diavol doesn't employ any obfuscation techniques, such as packing or anti-disassembly, but it nonetheless manages to obfuscate its essential routines by putting them in bitmap images.

When the ransomware executes on a compromised PC, it extracts the code from the images in the PE resource section and copies it into a buffer with execution permissions. Before Diavol finishes, it changes the background of each encrypted Windows device to a black wallpaper with the following message: "All your files are encrypted! For more information see README-FOR-DECRYPT.txt."

"Currently, the source of the intrusion is unknown," Fortinet says. "The parameters used by the attackers, along with the errors in the hardcoded configuration, hint to the fact that Diavol is a new tool in the arsenal of its operators which they are not yet fully accustomed to."
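The two observable traits described above, the README-FOR-DECRYPT.txt note and routines carried inside bitmap images, can be turned into simple host-triage heuristics. The following Python is an added example, not Fortinet's tooling or anything from the report: it walks a directory, flags files with the ransom-note name, and flags BMP files whose pixel data has byte entropy more like code or ciphertext than like simple artwork. The entropy threshold, the sample directory and its file names are constructed assumptions, and a high-entropy bitmap is only a lead for an analyst (photographic BMPs also score high), not a verdict.

```python
"""Triage heuristics for two Diavol traits: a ransom note named
README-FOR-DECRYPT.txt (quoted in the report) and bitmap images whose
pixel payload looks like code or ciphertext rather than picture data.
Added example code; the threshold and sample files are constructed."""
import math
import os
import random
import struct
import tempfile
from collections import Counter

RANSOM_NOTE_NAME = "README-FOR-DECRYPT.txt"   # filename quoted in the report
ENTROPY_THRESHOLD = 6.5  # bits/byte (assumption): flat artwork scores far
                         # lower, machine code or ciphertext much higher


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or constant input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def bmp_pixel_data(blob: bytes):
    """Return the pixel payload of a BMP blob, or None if it is not a BMP.
    BITMAPFILEHEADER: 'BM', u32 file size, u16 reserved x2, u32 pixel offset."""
    if len(blob) < 14 or blob[:2] != b"BM":
        return None
    offset = struct.unpack_from("<I", blob, 10)[0]
    if offset > len(blob):
        return None
    return blob[offset:]


def triage_dir(root: str) -> dict:
    """Walk root and report ransom notes and suspicious bitmaps by path."""
    findings = {"ransom_notes": [], "suspicious_bitmaps": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE_NAME.lower():
                findings["ransom_notes"].append(path)
                continue
            with open(path, "rb") as fh:
                blob = fh.read()
            pixels = bmp_pixel_data(blob)
            if pixels is not None and shannon_entropy(pixels) >= ENTROPY_THRESHOLD:
                findings["suspicious_bitmaps"].append(path)
    return findings


def make_bmp(width: int, height: int, pixels: bytes) -> bytes:
    """Wrap raw 24-bpp pixel bytes in a minimal BMP (constructed test data)."""
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                      len(pixels), 2835, 2835, 0, 0)
    header = struct.pack("<2sIHHI", b"BM", 14 + len(dib) + len(pixels),
                         0, 0, 14 + len(dib))
    return header + dib + pixels


def build_sample_tree() -> str:
    """Create a constructed temp directory: a flat-colour BMP, a BMP whose
    pixels are pseudo-random bytes standing in for a hidden routine, and a
    ransom note with the wallpaper text quoted in the report."""
    root = tempfile.mkdtemp(prefix="diavol_triage_")
    rng = random.Random(2021)
    width, height = 64, 16            # 64 px * 3 bytes = 192 bytes/row, no padding
    benign = bytes([0x10, 0x20, 0x30]) * (width * height)
    hidden = bytes(rng.getrandbits(8) for _ in range(width * height * 3))
    with open(os.path.join(root, "wallpaper.bmp"), "wb") as fh:
        fh.write(make_bmp(width, height, benign))
    with open(os.path.join(root, "resource_101.bmp"), "wb") as fh:
        fh.write(make_bmp(width, height, hidden))
    with open(os.path.join(root, RANSOM_NOTE_NAME), "w") as fh:
        fh.write("All your files are encrypted!\n")
    return root


if __name__ == "__main__":
    print(triage_dir(build_sample_tree()))
```

In practice the same two checks map onto endpoint telemetry: a file-create event for the note name, and image resources in a newly written executable whose entropy is out of place for artwork.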

REvil Hits Brazilian Healthcare Giant Grupo Fleury


São Paulo-based medical diagnostic firm Grupo Fleury has suffered a ransomware attack that has impaired business operations after the company shut down its systems. On June 22, the company website began displaying an alert message stating that its systems were under attack and were no longer accessible.

The Brazilian healthcare giant provides medical laboratory services across the nation, with over 200 service centers and more than 10,000 employees. The company performs approximately 75 million clinical exams a year.

"Please be advised that our systems are currently unavailable and that we are prioritizing the restoration of services. The causes of this unavailability originated from the attempted external attack on our systems, which are having operations reestablished with all the resources and technical efforts for the rapid standardization of our services," read the message translated into English. 

With its systems down, patients are unable to book appointments for lab work and other medical examinations online. Since the announcement, multiple cybersecurity sources have confirmed that Grupo Fleury was attacked by the ransomware operation known as REvil, also known as Sodinokibi. 

“The Healthcare industry and healthcare supply chain are both one of the top three targeted sectors worldwide. Additionally, REvil are launching a lot of attacks at the moment, having hit a maritime organization in Brazil earlier this month,” Andy Norton, European cyber risk officer at Armis, stated.

Grupo Fleury's data is of particular concern because it contains enormous amounts of patients' personal and medical information. REvil is demanding $5 million for the decryptor and an assurance that no sensitive information will be leaked online. REvil is known for exfiltrating data before encrypting devices and then using the stolen information as leverage to extort the company.

“In a previous statement made to the Russian-OSINT Telegram channel, a REvil representative stated that they were targeting Brazil for revenge. However, it is not known what that revenge is for. REvil is known for exfiltrating data and the data could include personally identifiable information and sensitive medical information of their patients and staff, which could be detrimental for the organization,” Jamie Hart, cyber threat intelligence analyst at digital risk protection company Digital Shadows Ltd, said.

Prior to this attack, JBS Foods, the world's largest meat producer, was the victim of a REvil ransomware attack. JBS paid a ransom of $11 million to keep its stolen information from being leaked online. REvil has targeted numerous high-profile organizations, including the Rio Grande do Sul court system in Brazil and nuclear weapons contractor Sol Oriens.

Geneva: The Hot Topic For the Meeting Between US and Russian President


President Joe Biden will meet in person for the first time since taking office with Russian President Vladimir Putin in Geneva on June 16. The ransomware attacks on US organizations will be a core issue for this meeting. Biden suggested earlier this month that he would discuss with Putin the recent ransomware attack on Colonial Pipeline, which led to a shutdown of the country's largest gas pipeline.

The Kremlin has a history of working with cybercriminals, and many experts believe the cyberattacks would not be taking place without some measure of consent from Putin. The US president should demand action from Putin and take steps to ensure that hackers who target the US, and the governments that facilitate their work or turn a blind eye to it, pay a price.

"The scale of this problem is one that I think the country has to come to terms with," FBI Director Christopher Wray, who likened the threat to 9/11, told The Wall Street Journal. Fortunately, the first steps are being taken to help the US and other countries build up their defenses (the US is not the only country struggling with this problem; just last month, Ireland's health service suffered a serious cyberattack). The Biden administration has instructed private companies to bolster their cybersecurity as it designs the government's strategy. 

The epidemic of ransomware crimes and other hacks is not only an American problem; it is one of many outgrowths of globalization. Just as the US is planning to deal with another pernicious outgrowth of globalization, the ability of companies to avoid paying taxes, by bringing nations together to set an escape-proof minimum corporate tax, the Biden administration should lead in forging a joint approach to transnational cybercrime.

Russia has already interfered with elections in several nations, and now its cybercriminals are busy extorting private companies and municipalities. But they are hardly alone. The Atlanta ransomware attack, which paralyzed services and cost the city hundreds of thousands, was traced back to Iranian hackers. The New York subway hack has reportedly been linked to Chinese hackers, who are becoming major players in the ransomware field.

Earlier this month, the United States Department of Justice (DOJ) announced that ransomware attacks in America are to be investigated with the same urgency as incidents of terrorism. 

“It’s a specialized process to ensure we track all ransomware cases regardless of where it may be referred in this country, so you can make the connections between actors and work your way up to disrupt the whole chain,” said principal associate deputy attorney general at the Justice Department, John Carlin.

Ransomware Hits News Stations in US, Affects Local Broadcast


Two local television news stations have had their systems shut down since Thursday in what experts say was a ransomware attack on their parent company. The parent company, Cox Media Group, which owns NBC affiliate WPXI in Pittsburgh and ABC affiliate WFTV in Orlando, Florida, told its managers to shut down company phones and computers, and employees have had to communicate using only personal phones and text messages. Both stations have still managed to run local broadcasts, but their operations are somewhat limited. 

Cox has not released any statement about the attack, but experts believe ransomware was behind it: attackers breached the network and held its files hostage for ransom.  

According to experts, an unplanned IT outage that spreads across multiple parts of an organization is most likely a ransomware attack, or malware used to stage one; other forms of cyberattack are far less likely to cause a shutdown of this kind.  

Meanwhile, in Orlando, employees were asked not to come to the office on Thursday and Friday, but were not told clearly what had happened to the company's computer networks. An employee in Pittsburgh said that on Thursday morning the company shut down its servers as a precaution against a security breach. 

For now, staff are locked out of the computer networks, so there is not much they can do, and the situation at the stations has become somewhat tense. Threat actors have been attacking US organizations, schools, hospitals, and businesses for a long time. 

But the issue became a major threat recently, when an attack on Colonial Pipeline, one of the country's biggest companies, halted its fuel supply for five days. 

"Many of the most prolific ransomware gangs, including those responsible for the JBS and Colonial hacks, speak Russian and have at least some members based in Russia who appear to operate with impunity, leading President Joe Biden to say he's "looking closely" at retaliating," reports NBC news.  

FujiFilm Shuts Down Network Following Ransomware Attack


Japanese multinational conglomerate FujiFilm, headquartered in Tokyo, suffered a ransomware attack on Tuesday night. As a precautionary measure, the company has shut down portions of its network to prevent the attack from spreading. 

"FUJIFILM Corporation is currently carrying out an investigation into possible unauthorized access to its server from outside of the company. As part of this investigation, the network is partially shut down and disconnected from external correspondence," the company said in a statement.

FujiFilm is renowned for its digital imaging products but also produces high-tech medical kits, including devices for the rapid processing of COVID-19 tests. Due to the partial network outage, FUJIFILM USA has added a notice to its website stating that it is currently experiencing network problems impacting its email and phone systems. 

“We want to state what we understand as of now and the measures that the company has taken. In the late evening of June 1, 2021, we became aware of the possibility of a ransomware attack. As a result, we have taken measures to suspend all affected systems in coordination with our various global entities. We are currently working to determine the extent and the scale of the issue. We sincerely apologize to our customers and business partners for the inconvenience this has caused,” FujiFilm further added. 

Threat hunting and cyber intelligence firm Group-IB estimated that the number of ransomware attacks grew by more than 150% in 2020 and that the average ransom demand increased more than twofold to $170,000.

While FUJIFILM has not stated what ransomware group is responsible for the attack, Advanced Intel CEO Vitali Kremez has told BleepingComputer that FUJIFILM was infected with the Qbot trojan last month.

"Based on our unique threat prevention platform Andariel, FUJIFILM Corporate appeared to be infected with Qbot malware based on May 15, 2021. Since the underground ransomware turmoil, the Qbot malware group currently works with the REvil ransomware group. A network infection attributed to QBot automatically results in risks associated with future ransomware attacks," Kremez told BleepingComputer.

Last week, hackers targeted the Japanese government organizations and gained access to the company's project management platform which resulted in data leaks from various government offices. One ministry had at least 76,000 email addresses exposed, including those belonging to individuals outside of the ministry.

Scripps Health Care Facility Reported Ransomware

 
Scripps Health reported on Tuesday that it has started sending notifications to nearly 150,000 individuals after threat actors stole people's sensitive data during a ransomware attack on one of its local health care facilities on May 1. 

What is Scripps Health and how does it work? 

Scripps is a nonprofit health care facility in San Diego, California, United States. The medical firm operates five hospitals and 19 outpatient facilities. The firm also treats a half-million patients around the year through 2,600 affiliated physicians. In addition, Scripps Healthcare also runs several medical education programs and research programs. 

In a statement released by the firm, a medical professional said that the company has just begun notifying victims so that they can take protective measures to safeguard their personal information from further misuse. “About 2.5 percent of those — nearly 3,700 — are said to have had their Social Security and/or driver’s license numbers taken. For those, the company said, it will provide complimentary credit monitoring and identity protection support services,” he added. 

According to the firm, the cybercriminals stole clinical data that includes individuals' addresses, patient account numbers, dates of birth, medical record numbers, health insurance information, doctors' names, and medical data. The data was reportedly taken from a system that the firm did not identify. 

The breach forced medical professionals at all levels of the healthcare facility to work differently while the system was at risk. Staff had to use paper charts for their documentation, and access to important clinical data, including previous test results, was unavailable for weeks. 

The health care facility further said that the attack is still being investigated and that at present it is unable to disclose all the technical details. “We still don’t know what the rest of the document seems to be related to. We have started an extensive manual review of these documents…”

“…This is a time-consuming process that can take months, but we will notify affected individuals and organizations as soon as possible in accordance with applicable regulatory requirements,” Scripps added.

Irish Health System and 16 U.S. Health and Emergency Networks Hit by Conti Ransomware Gang


According to the Federal Bureau of Investigation, the same group of online extortionists responsible for last week's attack on the Irish health system has also targeted at least 16 medical and first-responder networks in the United States in the past year. The FBI said cybercriminals using the malicious software called 'Conti' have attacked law enforcement, emergency medical services, dispatch centers, and municipalities, according to a warning issued by the American Hospital Association on Thursday. 

In May 2020, the Conti ransomware appeared on the threat landscape. It has some links to other ransomware families. Conti has evolved quickly since its discovery and is known for how quickly it encrypts and spreads across a target system. Conti is a “double extortion” ransomware that steals data and threatens to publish it, in addition to encrypting it. 

The FBI didn't specify who was targeted in these attacks or whether ransoms were paid, only that these networks "are among more than 400 organizations worldwide victimized by Conti, with over 290 of them based in the United States." Recent ransom demands have been as high as $25 million, according to the alert. 

On Thursday, Ireland said experts were examining a decryption tool that had been posted online, which could help restore IT systems crippled by the major ransomware attack on the country's healthcare provider. The government stated that it had not paid any ransom and would not pay one in return for the alleged key. It did not respond to claims that the gang had threatened to release reams of patient information next week. 

This ransomware attack has prevented access to patient information, forced medical facilities to cancel appointments, and disrupted Covid-19 testing around the country for the past week. Ossian Smyth, Ireland's e-government minister, has described it as "perhaps the most serious cyber crime assault on the Irish state." 

The hackers who took down Ireland's healthcare system are said to be members of "Wizard Spider," a sophisticated cybercrime group based in Russia that has become more active in the past year. The group has threatened to release medical records unless Ireland pays $20 million.

US and Australia Warn of Rise in Avaddon Ransomware Attacks


The Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) have issued an alert about an ongoing Avaddon ransomware campaign that is affecting organizations across a wide range of industries in the United States and across the world. 

Avaddon ransomware associates are attempting to breach the networks of manufacturing, healthcare, and other private sector entities around the world, according to a TLP:GREEN flash warning issued by the FBI last week. 

The ACSC clarified the targeting details today, stating that the ransomware group's associates are targeting companies from a broad variety of industries, including government, banking, law enforcement, energy, information technology, and health. Although the FBI only cites ongoing attacks, the ACSC lists a number of countries that have been targeted, including the United States, the United Kingdom, Germany, China, Brazil, India, the United Arab Emirates, France, and Spain, to name a few.

"The Australian Cyber Security Centre (ACSC) is aware of an ongoing ransomware campaign utilizing the Avaddon Ransomware malware [..] actively targeting Australian organizations in a variety of sectors," the ACSC added. 

According to the ACSC, Avaddon threat actors threaten victims with distributed denial-of-service (DDoS) attacks, in addition to leaking stolen data and encrypting their systems, in order to persuade them to pay ransoms. However, the FBI says no evidence of DDoS attacks has been found following Avaddon ransomware attacks. 

The Avaddon ransomware group first declared in January 2021 that they would use DDoS attacks to bring down victims' websites or networks before they reach out and negotiate a ransom payment. 

When ransomware groups started using DDoS attacks against their victims as an additional leverage point, BleepingComputer first posted on this new trend in October 2020. SunCrypt and RagnarLocker were the two ransomware operations that used this new strategy at the time. 

The first Avaddon ransomware samples were discovered in February 2019, and the operation started recruiting affiliates in June 2020 after launching a massive spam campaign that targeted users all over the world. Affiliates of the Avaddon RaaS operation are required to obey a set of guidelines, one of which is that no targets from the Commonwealth of Independent States (CIS) be pursued. 

Avaddon pays each affiliate 65 percent of the ransom money they bring in, with the operators receiving the remaining 35 percent. Avaddon affiliates have also been known to steal data from their victims' networks before encrypting systems, in order to double-extort them. 

Almost all active ransomware operations have adopted this technique, with victims commonly informing their customers or employees of potential data breaches following ransomware attacks.

Ransomware Attack Shuts Down Top U.S. Fuel Pipeline Network


The operator of a major gasoline pipeline in the U.S. shut down operations late Friday following a ransomware attack on the pipeline system that transports fuel across the East Coast. The attack is unlikely to affect gasoline supply and prices unless it leads to a prolonged shutdown of the pipeline, experts said. 

Colonial Pipeline did not say what was demanded or who made the demand. Ransomware attacks are typically carried out by criminal hackers who seize data and demand a large payment in order to release it.

The company is the main source of gasoline, diesel, and jet fuel for the East Coast with a capacity of about 2.5 million barrels a day on its system from Houston as far as North Carolina, and another 900,000 barrels a day to New York. It presents a new challenge for an administration still dealing with its response to major hacks from months ago, including a massive breach of government agencies and corporations for which the U.S. sanctioned Russia last month.

President Joe Biden was briefed on the incident on Saturday morning, a White House spokesperson said, adding that the federal government is working with the company to assess the implications of the attack, restore operations, and avoid disruptions to supply. The government is planning for various scenarios and working with state and local authorities on measures to mitigate any potential supply issues. 

“We’ve seen ransomware start hitting soft targets like hospitals and municipalities, where losing access has real-world consequences and makes victims more likely to pay. We are talking about the risk of injury or death, not just losing your email,” said Ulf Lindqvist, a director at SRI International who specializes in threats to industrial systems.

After the shutdown was first reported on Friday, gasoline and diesel futures edged slightly higher on the New York Mercantile Exchange. Gasoline gained 0.6% while diesel futures rose 1.1%, both outpacing gains in crude oil. Gulf Coast cash prices for gasoline and diesel edged lower on prospects that supplies could accumulate in the region.

Colonial previously shut down its gasoline and distillate lines during Hurricane Harvey, which hit the Gulf Coast in 2017. That contributed to tight supplies and gasoline price rises in the United States after the hurricane forced many Gulf refineries to shut down.