
Threat Actors Target PrismHR in a Potential Ransomware Attack

 

PrismHR, a payroll company, suffered a cyber attack over the weekend that caused massive outages to its systems. Although customers speculate that PrismHR was the victim of a ransomware attack, the payroll company has not identified the attack as ransomware.

PrismHR operates an online payroll, benefits, and human resources platform used by professional employer organizations (PEOs), which rely on it to provide payroll, HR, and benefits services to their customers, including small and medium-sized businesses (SMBs).

According to Bleeping Computer, the payroll company was attacked on February 28th, 2021. The company stated: “We recently experienced a cyber incident that affected our payroll and benefits software used by Professional Employer Organizations (PEOs) throughout the US. We immediately disabled access to the system to protect customer information and engaged top-tier security experts to help on this.”

“We are working quickly to restore customer access to our platform. While we are still looking into this, there is currently no evidence of unauthorized access or theft of data contained on our servers,” PrismHR further stated.

Because of the nature of its business, PrismHR makes an extremely valuable target: a single attack could expose sensitive information from a large number of firms. Threat actors commonly attack organizations over the weekend, when employees are away, computers are idle, and less attention is paid to the network. This gives them time to noisily deploy the ransomware and encrypt systems.

Attackers typically steal unencrypted data before encrypting devices, and this exfiltration gives them leverage to profit further by selling the data. Currently, information about this attack is vague; if it turns out to be a ransomware attack, the outcome could be disastrous given the nature of PrismHR’s business.

PrismHR holds sensitive information for thousands of organizations, including social security numbers, payroll data, ID cards, employee benefit information, beneficiary information, and a wide range of other sensitive data.

JFC International Compromised with a Ransomware Attack

 

JFC International has reported that some of its IT networks were compromised in a ransomware attack. The food giant is one of the main producers and wholesalers of Asian food products in Europe and the US. The attack reportedly hit JFC International’s European group, and the organization expects regular activities to resume. JFC International has confirmed the incident and informed law enforcement, staff, and partners.

Headquartered in Los Angeles, California, United States, JFC International is a leading producer and wholesaler of Asian foodstuffs in the US. In addition to its own products, JFC International also purchases branded goods from other international firms. The company was formally founded in 1958 and took its current name in 1978, though it had operated in various forms since 1906. It belongs to the Japanese Kikkoman group.

JFC International is also conducting a thorough forensic investigation to determine the source of the cyber-attack. According to a statement published on the company’s European website, the affected servers have already been secured. Which ransomware family was involved and whether anyone was affected by the incident remain unknown. Because JFC described the case as a data protection event, personal information may have been accessible to the perpetrators.

“JFC International (Europe) was recently subject to a ransomware attack that briefly disrupted its IT systems. A full forensic investigation by in-house specialists together with external cyber experts was immediately started and is underway. The normal conduct of business in Europe will be up and running after a brief interruption for security reasons,” the company said in a press release. “The affected servers were secured. JFC International (Europe) is cooperating closely with the relevant authorities,” the company added.

The organization reported the security incident to staff and business partners and notified the competent authorities. With the help of external cyber specialists, the firm investigated the intrusion and confirmed that the compromised servers had already been secured. At the time of the statement, it was not clear which ransomware family was responsible for the attack or whether the attackers had stolen any information.


Cybercriminal Gang Clop Attacked an International Law Firm Jones Day For Ransom

 

Jones Day, a U.S.-based international law firm, has suffered a major ransomware attack, and files allegedly stolen from Jones Day have been leaked on the internet. A cybercriminal group known as Clop has claimed responsibility for attacking the law firm and stealing the files.

The incident was first reported on February 13 by Databreaches.net; soon after, the Clop ransomware gang claimed responsibility and threatened to leak the files unless a ransom was paid. This group is known for encrypting files on compromised systems as well as stealing files from its targets. Former U.S. President Donald Trump is among Jones Day’s clients.

Accellion Inc., a Palo Alto-based private cloud solutions company, is believed to be the source of the attack because of a vulnerability in its software. Accellion software was connected to a data breach in which 1.4 million unemployment records were stolen from the Office of the Washington State Auditor on February 2nd. Goodwin Procter, a Global 50 law firm, revealed in an internal memo earlier this month that some client information had been accessed in a breach of an unnamed vendor, later identified as Accellion.

The threat actors claim to have more than 100 gigabytes of data and have started leaking the stolen files online as evidence of the attack. The same group attacked the German tech giant Software AG in October last year, demanding a $20 million ransom in return for a decryption key and a promise not to leak the redacted files they had stolen.

Jones Day stated that “Jones Day’s network has not been breached. Nor has Jones Day been the subject of a ransomware attack. Jones Day has been informed that Accellion’s FTA file transfer platform, which is a platform that Jones Day – like many law firms, companies, and organizations – used, was recently compromised and information was taken. Jones Day continues to investigate the breach and has been, and will continue to be, in discussion with affected clients and appropriate authorities.”

RiskSense Report Affirms Surge in Vulnerabilities Associated with Ransomware

 

In recent years, the threat from ransomware has grown enormously. Ransomware attacks increasingly threaten web applications, open-source platforms, and systems as attackers look for more direct paths to organizations’ biggest and most important data stores.

In 2019, the report counted 57 vulnerabilities associated with ransomware; that number roughly quadrupled to 223 in 2020, while the number of ransomware families grew from 19 to 125. The vast majority of the vulnerabilities used in ransomware attacks, almost 96 percent, were publicly reported before 2019. Software-as-a-service (SaaS) applications emerged as a new ransomware target, with the largest number of vulnerabilities showing successful exploitation patterns. Lastly, more than 15 active families are offered as ransomware-as-a-service, allowing almost anyone to launch ransomware attacks without coding or security skills.

Approximately 40% of the 223 CVEs connected to recent ransomware attacks fall into five common weakness categories: permissions, privileges, and access controls; code injection; improper input validation; improper restriction of operations within memory buffer boundaries; and disclosure of confidential information to unauthorized users. The RiskSense report states that these overlaps "make it easy for ransomware families to predict new vulnerability disclosures with similar characteristics."

Srinivas Mukkamala, CEO and co-founder of RiskSense, said their analysis shows that both short-term trends, such as COVID-19 driving more companies onto the Internet, and longer-term advances in digital transformation and cloud adoption across sectors contribute to this increased attack surface. These factors have combined to push many companies to deploy technology such as cloud applications, VPNs, and home networks with misconfigurations that malware groups are likely to abuse.

Mukkamala further added that “All of [those trends] actually opened up the aperture and attack surface for ransomware to target and if you look at the vulnerabilities, you can clearly see that your SaaS has been targeted, your backup as a service has been targeted, your remote access services have been targeted and interestingly, we’re looking at your open-source libraries being targeted.” 

RiskSense also notes increasing use of many of the same vulnerabilities by state-sponsored advanced persistent threat groups. These groups do not necessarily deploy ransomware payloads, but they increasingly exploit the same security vulnerabilities and misconfigurations.

Organizations often lack the expertise or security staff to keep up, and RiskSense’s research shows that several different weaknesses are abused in a typical attack chain, so relying on metrics such as Common Vulnerability Scoring System (CVSS) severity alone to prioritize patching can be a mistake. Some firms offer their own method, using data analysis to determine which current bugs are tied to exploits seen in the wild, which they call patch intelligence.

Ransomware defense “is becoming more like an analytics play, where you’ve got to collect all your data and start prioritizing based on the exploitability and [whether] it's active right now,” stated Mukkamala.

Developer of Cyberpunk 2077 Hit by Ransomware Attack

 

Ransomware became an increasingly critical threat throughout 2020, as hackers continued to target hospitals and healthcare providers amid the pandemic. A smaller pattern has also been brewing over the last few months, with a rash of attacks on video game companies including big names like Ubisoft, Capcom, and Crytek. Now the developer CD Projekt Red, which released the heavily criticized blockbuster Cyberpunk 2077 in December, is the latest target.

On Tuesday, CD Projekt Red revealed that it had been the victim of a ransomware attack. “Some of our internal systems have been compromised,” the company said in a statement posted on Twitter. The attackers encrypted some computers and stole data, but CD Projekt Red said it would not pay the ransom and was restoring its systems from backups. The incident comes as CD Projekt Red has faced sustained criticism for its bug-ridden, overhyped Cyberpunk 2077 release. The game had numerous performance issues on various platforms, which led Sony to pull it from the PlayStation Store and, alongside Microsoft, offer refunds to players.

Despite the company’s recovery efforts, it still faces potential fallout. The attackers apparently took source code for Cyberpunk 2077 as well as other CD Projekt Red games like The Witcher 3, an unreleased version of The Witcher 3, and Gwent, the digital Witcher card game. The attackers also say they took business data covering investor relations, human resources, and accounting. CD Projekt Red says there is no evidence that customer data was compromised in the breach.

“If we will not come to an agreement, then your source code will be sold or leaked online and your documents will be sent to our contacts in gaming journalism,” the attackers said in their ransom note. 

CD Projekt Red has released patches for Cyberpunk 2077 in an effort to improve the game’s stability and do damage control. Yet the company faces a lawsuit from investors alleging that it forced developers to work unreasonable overtime to finish the game, and criticism of its use of nondisclosure agreements to keep journalists from reporting accurately on the game’s shortcomings prior to release.

Trucking Company Forward Air Hit by Ransomware, Suffers Heavy Loss of $7.5 Million

 

Forward Air, a trucking and freight transportation logistics company, said that a ransomware attack cost it $7.5 million. The attack has caused heavy damage to the company’s Q4 financial results. The amount comes from "loss of less-than-load (LTL) trucking business" and not from costs incurred in dealing with the incident. The loss occurred mainly because Forward Air had to temporarily pause electronic data operations with its customers. The ransomware incident happened on December 15 last year and was described as a cyberattack using Hades ransomware.

The attack forced Forward Air to take its IT systems offline and halt electronic operations to deal with the issue. According to FreightWaves, a trucking news site, the cyberattack had a huge impact on the company’s daily operations, as employees could not obtain the files required to clear customs. Though the company says that everything is back to normal now, the SEC (Securities and Exchange Commission) filing and the size of the loss suggest otherwise. This is why cybersecurity experts recommend preventing ransomware in the first place rather than dealing with an attack after the fact.

FreightWaves reports, "While the cause is not disclosed, the wording of the Forward Air note is similar to what other companies will state when they are under a cyberattack. Additionally, the failure of the website and the fact that the source at the 3PL said emails to Forward Air were bouncing often are marks of a cyberattack."

The SEC filing did not mention Forward Air paying any ransom, nor any cyber insurance policy. Coveware, a company that handles ransomware payment negotiations, published a report last week saying that organizations are now refraining from paying ransoms because they have realized that hacking groups do not always delete the stolen data. Companies now choose to rebuild from scratch instead. Though ransom payments declined, 2020 was the biggest ransomware year yet. According to a report from Chainalysis, 2020 saw total ransom payments worth $350 million, 311% more than in 2019.

UK Research and Innovation Hit With Ransomware Attack

 

UK Research and Innovation (UKRI) has disclosed a ransomware attack that has disrupted services and may have led to data theft. The attack, disclosed a week ago, has affected two of the group’s services: a portal used by the Brussels-based UK Research Office (UKRO) and an extranet, known as the BBSRC extranet, which is used by UKRI councils.

Launched in 2018, UKRI is a public body supported by the Department for Business, Energy, and Industrial Strategy (BEIS). Nine councils come together under the brand to oversee research grants and to support innovative businesses and opportunities in the United Kingdom. UKRI said the IT incident resulted in "data being encrypted by a third-party," which implies that ransomware is at fault. Ransomware is a type of malware frequently used in attacks against enterprises. Once ransomware lands on a compromised system, it will normally encrypt data and files and may also spread across the network to take out backups and other resources.

Once encryption is complete, users are locked out and the ransomware operators demand payment in exchange for a decryption key. This extortion demand is usually made in cryptocurrency, for example Bitcoin. The disclosure is scant on details about the attack or who was behind it, as an investigation is underway. “We have reported the incident to the National Crime Agency, the National Cyber Security Centre and Information Commissioner’s Office,” UKRI said.

If data has been stolen, it may include grant applications and review data held in the portals, as well as expense claims. However, the agency could not yet say whether financial information had been taken. "We are working to securely reinstate impacted services as well as conducting forensic analysis to ascertain if any data was taken, including the potential loss of personal, financial, or other sensitive data," the group says. "If we do identify individuals whose data has been taken we will contact them further as soon as possible."

According to DLA Piper, £142.7 million ($193.4 million) in fines have been issued over the past year for breaches of the EU’s General Data Protection Regulation (GDPR), nearly a 40% increase compared with the previous 20 months.

Resident Evil Developer Capcom Became a Victim of Ransomware Attack

 

The year 2020 witnessed many data leaks and hacks of assorted kinds affecting apps and websites. This time it was Capcom, an Osaka-headquartered video game developer, that became the victim of a data breach and ransomware attack in November 2020. Not only the company but also its users were affected by the attack. As a result of the ransomware attack, Capcom had to shut down parts of its network, including its email and file services.

Initially, the company did not disclose whether any customer information had been breached or whether any of its websites, servers, or games had been compromised in the attack. However, on 16th November 2020, the company stated that nine of its users had their personal information compromised and further added that 350,000 of its users were at risk of a data breach.

In this attack, Capcom witnessed hundreds of thousands of pieces of personal data stolen from its servers, including the names and addresses of customers and former employees. The estimated number of victims of the aforementioned case is 16,415. 

Capcom later confirmed its suspicion that company information, including "sales reports, financial information, game development documents, [and] other information related to business partners," was illicitly accessed during the attack. Documents matching that description have been circulating in certain corners of the Internet since November.

Capcom further stated that "the company has also ascertained that the potential maximum number of customers, business partners, and other external parties, etc., whose personal information may have been compromised in the attack is approximately 390,000 people (an increase of approximately 40,000 people from the previous report)." 

Not only was Capcom’s network hit by ransomware, but a note was also left on the server by the threat actors. The note stated that the Ragnar Locker ransomware gang was behind the attack. The gang left hyperlinks as proof of the attack. Those links led the company to a file containing personal information of the company, its users, and its employees, which was later published on the internet.

Additionally, the company wrote, "Capcom would once again like to reiterate its deepest apologies for any complications or concerns caused by this incident.”

US FBI Warned Organisations of the Egregor Ransomware Attacks

 

The US-based FBI (Federal Bureau of Investigation) has warned of upcoming ransomware attacks against hospitals and private organizations. It initially issued an alert saying there was a credible ransomware threat that could harm hospitals and other private organizations, in the wake of the rising cyber-crime rate in the USA. As the situation worsened, it warned organizations to stay alert, with eyes wide open and patches ready. It is noteworthy that since the FBI’s warning, one organization after another has fallen victim to these attacks.

Initially, organizations noticed problems with their IT systems, and then began receiving phishing emails from various sources. The suddenness of these events led organizations to trust the FBI’s warning as Egregor’s chaos unfolded.

Egregor ransomware targets organizations worldwide. The threat actors behind the operation hack into organizations’ networks and steal sensitive data. Once the data is exfiltrated, they encrypt the files and leave a ransom note stating that if the organization fails to pay within the given time, the stolen data will not only be leaked but also be distributed to the public through mass media.

Egregor ransomware first appeared in the threat landscape in September 2020; since then the gang has claimed to have compromised over 150 organizations. It has also claimed to have leaked data from two of the world’s biggest gaming companies, Ubisoft and Crytek. The data of these two companies was posted on the gang’s dark web leak site after they did not pay the demanded ransom. Despite warnings by security experts, it is difficult to avoid falling prey to ransomware attacks, owing to the nature and modus operandi of such threats. Besides Ubisoft and Crytek, other companies, namely Barnes & Noble, Cencosud, and Metro Vancouver’s transit agency TransLink, were also on the list.

“The FBI assesses Egregor ransomware is operating as a Ransomware as a Service Model. In this model, multiple different individuals play a part in conducting a single intrusion and ransomware event. Because of the large number of actors involved in deploying Egregor, the tactics, techniques, and procedures (TTPs) used in its deployment can vary widely, creating significant challenges for defense and mitigation.” read the FBI's alert. “Egregor ransomware utilizes multiple mechanisms to compromise business networks, including targeting business network and employee personal accounts that share access with business networks or devices".

Such ransomware attacks are carried out with the help of phishing emails that may contain malicious attachments, or exploits for the remote desktop protocol (RDP) or VPNs. Notably, since the FBI released its warning to organizations, the threat actors have seemingly picked up the pace in response to the FBI’s action against them.

NameSouth’s Data Leaked for not Paying Ransom to Cybercriminals

 

NameSouth appears to be the latest victim of the NetWalker ransomware group, which surfaced sometime in 2019. NetWalker’s targets span different industries, with archives of stolen data from around a hundred victim organizations posted on the gang’s darknet site to date. NameSouth LLC, a provider of genuine, OE, and OEM replacement car parts for German-brand vehicles, is based in Mooresville, North Carolina. Founded in 2004, the company distributes replacement parts for vehicles made by Audi, BMW, Mercedes, Porsche, Saab, Volkswagen, and Volvo across North America.

The NameSouth archive leaked by NetWalker includes confidential company information and sensitive documents, including financial and accounting data, financial records, personally identifiable employee data, and various legal documents. Based on backup file creation dates, the data was exfiltrated from the NameSouth network on November 26, 2020. The data was apparently leaked days later, after the company missed the gang’s deadline to pay the ransom. Most of the data in the leaked archive appears to belong to the company rather than its partners or customers, which means that NameSouth and its employees are the most likely to bear the brunt of the damage.

The leaked archive contains 3GB worth of document scans, including:

 • Invoices containing tax identification numbers. 

 • Full names, addresses, phone numbers, and exact working hours of at least 12 NameSouth employees.

 • Customer names and addresses.

 • Financial records dating from 2010 to 2020. 

 • Financial and accounting information.

From the samples of the leaked documents that could be accessed, the records in the archive appear to contain personal data of at least 12 NameSouth employees, including their exact working hours. Such data would make it easier for criminals to carry out spear phishing attacks against the employees. Access to NameSouth’s financial and accounting data, including credit card records dating back to 2010, would allow criminals to commit fraud in the company’s name, for example by applying for government-backed Covid relief loans.

To avoid becoming victims of such ransomware attacks, here are a few precautions:

 • Set up an intelligent threat detection system or a security information and event management (SIEM) system. In case of a breach by malicious actors, such systems will alert your IT staff to the incident promptly and help them prevent data exfiltration from company servers.

 • Use a strong, salted encryption algorithm to protect your confidential data. Once encrypted, company data would be all but useless to criminals: the algorithm renders it unreadable to unauthorized parties who do not have the encryption key.

Hackers Demand Ransom After Major Cyber-Attack on the Antwerp Laboratory


Algemeen Medisch Laboratorium bvba (AML), in the Antwerp district of Hoboken, was attacked by hackers; the laboratory handles about 3,000 Covid-19 tests daily, about 5% of the nation’s total. Cyberattacks amid the Coronavirus outbreak have increased rampantly over the past year, and this attack is yet another addition to the recently surfaced theme of malware and ransomware attacks built around 'COVID-19'.
 
Hackers attacked the laboratory’s website by installing ransomware on it, bringing the website to a standstill. As seen in past ransomware attacks, the hackers are demanding a ransom before releasing the website.
 
ICT manager Maarten Vanheusden said, “After detailed analysis by our security teams, it was decided to disengage the network as a safety measure, and by this way we can see what exactly is infected.” He also said that so far there is no indication of data being stolen and that they are taking all precautionary measures. Furthermore, the origins of the attack remain unknown as of now; the traces have been linked back to China, Russia, and Iran.
 
AML is the largest private lab in the country dealing with the COVID-19 problem. There is no clarity regarding the purpose of the attack; it cannot yet be said whether the hackers attacked the laboratory merely for ransom or also have other plans, such as data theft. The case is being handled by the federal Computer Crime Unit after the lab reported the attack to the Antwerp prosecutor’s office.
 
This is the second time in December that hackers have attacked sites related to the Covid-19 pandemic. The European Medicines Agency (EMA), which is responsible for assessing and approving vaccines for the European Union, was targeted in a cyber-attack. German biotech firm BioNTech said that “the agency was attacked and some documents which were related to the regulatory submission for Pfizer and BioNTech’s Covid-19 vaccine had been unlawfully accessed".
 
Hackers are targeting many healthcare and medical organizations, especially during the Covid-19 outbreak, to demand ransom as well as to obtain classified information related to the vaccines.

Active Cypher: Great Deal of Orchestration of Our Intelligence in AI into Existing Systems

 
Active Cypher describes itself as a company built on a socially responsible foundation that provides information security for individuals and corporations in an increasingly complex digital age. The guest speakers for the interview were Mr. Michael Quinn, CEO, and Mr. Caspian Tavallali, COO of Active Cypher. Active Cypher’s Ransom Data Guard combines Active Cypher’s proprietary encryption orchestration, smart AI, and advanced endpoint protection.
 
Please tell us about your company, Active Cypher.
 

I am Michael Quinn, CEO of Active Cypher. We are a data protection company; we have an ethos within the company that data needs to be able to protect itself wherever it is created. We have built a product line that offers those capabilities of protection against ransomware attacks by protecting data at the file level, in the server environment and in the cloud. What our product allows us to do is be crypto agile: we can work with numerous encryption schemes. Once we are installed, we basically back out of the situation and allow the client to run and trust their own data.

 
Your company talked about game-changing software, “Ransom Data Guard”, that will protect organizations against ransomware threats. Please tell us more about it.
 
What we developed is a capability based on understanding what ransomware has to do in order to take control of a device in a user environment. We built the product just before Covid-19 and the work-from-home culture started, and we realized that people are using shared environments on the same device at home. So we basically allow the organization to encrypt the data down to the device level and protect it. The ransomware protection that we provide basically allows us to manage the files in such a way that they are not accessible to external sources like ransomware. We put this product alongside our cloud fortress product to make sure that we were meeting compliance regulations. What we found after working with law firms is that we allow companies to meet compliance through this capability if the data was ransomed or even if it was exfiltrated, because we encrypt the data, so the actual data itself is useless. On the ransomware side, the beauty of it is we allow a lot of flexibility in how the data can be stored and used.
 
Besides ransomware protection, what are the other solutions Active Cypher provides? 
 
We do a great deal of orchestration of our intelligence in AI into existing systems; we integrate into Microsoft tools, and we have APIs that can write to any of the tools that are out there. We don’t come in to replace anything or add to anybody’s burden; we integrate into it with our information.
 
Let’s say somebody opens a .doc file, or loads a .doc file which has an exploit. How do you handle that?

If somebody uploads an exploit or malware and it’s opened, because of the process we use to interrogate the document for its integrity, we will stop any process that is trying to intervene in the environment and we’ll put a warning out. What will happen is you’ll get an alert from us; let’s say you open up a “WannaCry” as an example, you will get a screenshot saying “your device has been ransomed.” The reality is you can still open all your files. What we do is, with our cloud fortress product, we do a real-time backup.
 
At a time when hospitals and medical institutions are struggling with Covid-19, how has Active Cypher protected them from ransomware threats? 

In most of the hospitals and medical environments, their IT staff lacked the sophistication to understand what was happening. Earlier, the attackers were not really trying to damage the data; they were trying to ransom it and return it. Now what the attackers are doing is actually getting into the environment and not going after the data, because most of the hospitals have upgraded their capabilities along with using our products. Now the hackers are attacking the IoT (internet of things) at the device level, which is more life-threatening. What we have done to help healthcare institutions is basically putting "Data Guard," which is the stand-alone ransomware product, on devices.
 
How do you handle the GDPR (General Data Protection Regulation) and Privacy requirements when it’s the home environment? 

With "Data Guard," the way the product is designed, it can be installed on a consumer device. In that environment it allows people to protect what they have, so personal data or business data that they have on their device is protected. And that's the simplicity of Data Guard: it protects your device and the files on it and ensures that ransomware can't launch successfully.
 
With cyberattacks rising, is there any advice you can give to our readers on cybersecurity? 

Everybody has to be aware; you don't have to be afraid. With the stress of work, particularly with this remote work environment, the user has to be more diligent. So, ease of use and awareness are probably the keys to maintaining good data hygiene.

Data Breach: HR Consulting Giant Randstad Hit by Egregor Ransomware

 

Randstad NV, a multinational human resources consulting firm, announced that it was hit by the Windows Egregor ransomware. While breaching the staffing agency's network, the ransomware operators stole unencrypted files, 1% of which have been published by the threat actors as proof of the data breach.
 
The data that has been made public is a 32.7MB archive containing 184 files, including legal documents, business files, accounting spreadsheets, and some financial reports. After the ransomware operators published the data, Randstad issued a security notification confirming the breach. However, there is no clarity on whether the personal data of employees or clients was compromised during the attack.

As per the sources, the attack impacted only a limited number of servers, disrupting the company's operations in the US, France, Italy, and Poland. In other regions, the company continued its business operations without interruption.
 
Headquartered in Diemen, Netherlands, Randstad NV is a Dutch human resources giant that operates globally; it was founded in 1960 and currently operates in 39 countries on 5 continents. Reportedly, the company has trained over 350,000 candidates and helped around 2 million people find a job with its clients.

“Randstad NV (“Randstad”) recently became aware of malicious activity in its IT environment and an internal investigation into this incident was launched immediately with our 24/7 incident response team. Third-party cybersecurity and forensic experts were engaged to assist with the investigation and remediation of the incident,” Randstad disclosed. 
 
"To date, our investigation has revealed that the Egregor group obtained unauthorized and unlawful access to our global IT environment and to certain data, in particular related to our operations in the US, Poland, Italy and France," reads the statement published by the firm. 
 
"They have now published what is claimed to be a subset of that data. The investigation is ongoing to identify what data has been accessed, including personal data, so that we can take appropriate action with regard to identifying and notifying relevant parties,"

First identified earlier this year, in September, Egregor ransomware has been observed rapidly escalating its activity, breaking into organizations and running the malware to encrypt their sensitive data. The initial infection vector employed by the attackers is still unknown; however, security researchers suspect malicious links or spam emails. Similarities in obfuscation techniques, API calls, strings, and functions have been spotted between Egregor and Sekhmet, and sources say the ransom note left after the attack is also identical in many ways.

Managed.com Hosting Provider Hit by REvil Ransomware, $500K Ransom Demand


Managed hosting provider Managed.com has temporarily taken all its servers and web hosting systems offline, including clients' websites, in response to a REvil ransomware attack that compromised its public-facing web hosting systems.
 
The threat actors behind the security incident, which took place on Monday, 16th November, are not known yet; however, the company said it is working with law enforcement agencies to investigate the matter and restore services as securely as possible. As of now, it remains unclear whether the attackers stole any data before encrypting the devices.
 
Initially, the web hosting service refrained from revealing any details about the incident and posted an update citing 'unscheduled maintenance' as the reason for the service interruption. Later, however, the company disclosed that it had suffered a ransomware attack that affected its systems and files containing critical data.
 
In a status update, Managed.com said, "November 17, 2020 – On Nov.16, the Managed.com environment was attacked by a coordinated ransomware campaign. To ensure the integrity of our customers’ data, the limited number of impacted sites were immediately taken offline. Upon further investigation and out of an abundance of caution, we took down our entire system to ensure further customer sites were not compromised. Our Technology and Information Security teams are working diligently to eliminate the threat and restore our customers to full capacity. Our first priority is the safety and security of your data. We are working directly with law enforcement agencies to identify the entities involved in this attack. As more information is available, we will communicate directly with you." 
 
According to multiple sources, REvil, a ransomware-as-a-service operation infamous for carrying out large attacks, has demanded a $500,000 ransom in Monero for a decryption key. REvil has attacked big names such as Kenneth Cole, Travelex, Brown-Forman, GSMLaw and SeaChange in the past.

Also known as Sodinokibi, REvil was first spotted in April 2019. It attacks Windows PCs, encrypting all files on local drives (except those listed in its configuration file), and leaves a ransom note on affected systems with instructions for getting the files decrypted in return for the demanded ransom.

Haldiram attacked by ransomware, attackers demand USD 7,50,000 ransom

 

Haldiram Foods was attacked by ransomware that encrypted all its files, data, applications, and systems; the attackers demanded a ransom of USD 7,50,000 to decrypt the data and restore the company's access to it.

The complaint was filed on July 17 of this year, but an FIR was registered by the cyber cell only on Oct 14, making it the second recent case of such a delay by the Cyber Cell.

According to the FIR, the first problem with the server was noticed on July 12 at 1:30 am, when some dispatch orders were held up.

The company's servers were hacked and encrypted by malware, and the hackers left a message stating that all files, data, applications, and systems had been encrypted, demanding a ransom of USD 7,50,000 to decrypt the data and systems and to delete all the stolen data on their end.

"That on receipt of the aforesaid information, senior manager (IT) Ashok Kumar Mohanty informed Aziz Khan, DGM (IT) to resolve the issue. However, on accessing the servers of the company, Mr. Aziz Khan, found out that all the servers of the company had been hacked and hit by a cyber-attack/malware popularly called as a Ransomware Attack. Upon becoming aware of the attack, officials reached the corporate office of the company situated at C-31, Sector-62, Noida at about 02:30 am to analyze the situation and resolve the same.

"That thus, in order to re-analyze and confirm the problem with the servers and to find a resolution, officials decided to call another IT official who consequently accessed the firewall program on the company's servers and found some traffic generating from servers, showing the following IP addresses i.e. 192.168.0.152 and 192.168.0.154. The officials of the company found out that some program was being executed on the aforementioned servers and all the data of the company was being diverted from and going out from the servers of the company. Therefore, the said program was immediately terminated by the officials along with the connectivity to all systems at branch locations of the company. However, it is apprehended that till the said disconnection was undertaken by the officials, maybe the entire or substantial data may have already been stolen from the servers. Thus, it is evident that the accused persons unauthorizedly entered the servers with intent to commit the offense of theft and extortion, thereby committing the offense of criminal trespass," reads the FIR lodged under IPC sections 384 (extortion), 420 (cheating), and section 66 of the IT Act.

The company's DGM (IT) and the complainant in this case, Aziz Khan, said that the complaint was filed with the cyber cell in July but the FIR was registered two months later, by which time they had internally resolved the issue and recovered their data.

"We had given a complaint to the cyber cell in July itself but an FIR was lodged only after multiple rounds that too, two months later. We have restored all our data internally," said Aziz Khan, DGM (IT).
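The FIR describes the moment the attack was caught: an IT official looked at the firewall and saw two servers pushing the company's data out in the early hours. The following Python detector is an added illustration of that check, not code from the article or from Haldiram; it reads constructed firewall log lines and flags internal hosts that send an unusual volume of data to external addresses outside business hours. The log format, the internal address ranges, the working hours, the threshold and every address other than the two servers named in the FIR are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed "timestamp src dst bytes_out" format; the
# two 192.168.0.x servers are the ones named in the FIR, everything else is made up.
SAMPLE_LOG = """\
2020-07-12T01:05:12 192.168.0.152 203.0.113.45 734003200
2020-07-12T01:06:40 192.168.0.154 203.0.113.45 512000000
2020-07-12T01:10:03 192.168.0.152 203.0.113.45 98304000
2020-07-12T01:12:55 192.168.0.10 192.168.0.152 4096
2020-07-12T10:15:00 192.168.0.20 198.51.100.7 2048000
"""

# Assumed: the organisation's own address space, its working hours, and how much
# outbound data from a single server at night is worth an alert.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]
BUSINESS_HOURS = range(9, 19)            # 09:00-18:59 local time
OFF_HOURS_THRESHOLD = 100 * 1024 * 1024  # 100 MiB per source host

def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line: str):
    """Return (timestamp, src, dst, bytes_out), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return (datetime.fromisoformat(parts[0]), ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(parts[2]), int(parts[3]))
    except ValueError:
        return None

def flag_off_hours_exfil(log_text: str, threshold: int = OFF_HOURS_THRESHOLD) -> dict:
    """Sum off-hours bytes sent by each internal host to external addresses and
    return {host: bytes} for every host above the threshold."""
    totals = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed lines rather than crash the detector
        ts, src, dst, nbytes = rec
        if not is_internal(src) or is_internal(dst):
            continue  # only internal -> external flows can be exfiltration
        if ts.hour in BUSINESS_HOURS:
            continue  # daytime bulk transfers need a separate baseline
        totals[str(src)] += nbytes
    return {host: n for host, n in totals.items() if n > threshold}
```

Run against the sample, only the two servers from the FIR are returned; the internal-to-internal flow and the daytime transfer are ignored.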

How a loyal employee saved Tesla from a Russian $1 million malware attack


As Justin Richards said, "heroes can be found in the most unlikely places. Perhaps we all have it within us to do great things...", and this tale of extortion, bribery, and a planned attack shows how a loyal employee saved Tesla from a $1 million malware attack.



In early August, an employee of Tesla was offered 1 million dollars to plant malware, as an insider threat, in Tesla's Nevada factory, a conspiracy that, had it succeeded, could have cost the company millions.

According to the US Justice Department indictment, Egor Igorevich Kriuchkov, a 27-year-old Russian, came to the United States in July and started messaging an employee of the sustainable technology company whom he had met years earlier. The employee, a Russian emigrant, and Kriuchkov met at a Reno area bar, and that is where the idea of infiltrating Tesla's network was first pitched to the employee. The employee would get $500,000 for opening a malicious email, or 1 million in cash or Bitcoin for introducing malicious files via USB.

The employee, however, reported the miscreant to the company, and soon the US Federal Bureau of Investigation got involved. The FBI and the unnamed employee worked undercover to uncover Kriuchkov's whole scheme, in which an insider would infiltrate the network with ransomware and, if Tesla didn't pay the ransom, its data would be publicly released on the Internet.

The conspirator, Egor Igorevich Kriuchkov, was arrested on 22 August while driving from Reno to Los Angeles, where he was to catch a flight to flee the country; after the arrest he was presented to the court on Monday. Two other suspected conspirators have been identified only by the nicknames Kisa and Pasha.

Elon Musk tweeted Thursday night, "This is a serious attack", in response to Tesla's blog post. The attacker did confess that his gang had been working on similar attacks against other companies, but the plan against Tesla could have been about more than money; it could have been an attempt to obtain high-end sustainable technology, manufacturing, and chemistry. The attack has not yet been shown to be tied to the Russian government.