
Showing posts with label Ransomware attack.

Geneva: The Hot Topic For the Meeting Between US and Russian President

 

President Joe Biden will meet in person for the first time since taking office with Russian President Vladimir Putin in Geneva on June 16. The ransomware attacks on US organizations will be a core issue for this meeting. Biden suggested earlier this month that he would discuss with Putin the recent ransomware attack on Colonial Pipeline, which led to a shutdown of the country's largest gas pipeline.

The Kremlin has a history of working with cybercriminals, and many experts believe the attacks would not be taking place without some measure of consent from Putin. The US president should demand action from Putin and take steps to ensure that hackers who target the US, and the governments that facilitate their work or turn a blind eye to it, pay a price.

"The scale of this problem is one that I think the country has to come to terms with." Fortunately, we're getting the first salvos to help the US and other countries build up defenses (The US isn't the only country struggling with this problem; just last month, Ireland's health services suffered a serious cyberattack). The Biden administration has instructed private companies to bolster their cybersecurity as it designs the government's strategy,” FBI Director Christopher Wray, who likened the problem of the menace to 9/11, informed The Wall Avenue Journal. 

The epidemic of ransomware and other hacks is not only an American problem; it is one of many outgrowths of globalization. Just as the US plans to tackle another pernicious outgrowth of globalization, the ability of companies to avoid paying taxes, by bringing nations together to establish an escape-proof minimum corporate tax, the Biden administration should lead in forging a joint approach to transnational cybercrime.

Russia has already interfered with elections in several countries, and now its cybercriminals are busy extorting private companies and municipalities. But they are hardly alone. The Atlanta ransomware attack, which paralyzed city services and cost the city millions, was traced back to Iranian hackers. The New York subway hack has reportedly been linked to Chinese hackers, who are becoming major players in the ransomware field.

Earlier this month, the United States Department of Justice (DOJ) announced that ransomware attacks in America are to be investigated with the same urgency as incidents of terrorism.

“It’s a specialized process to ensure we track all ransomware cases regardless of where it may be referred in this country, so you can make the connections between actors and work your way up to disrupt the whole chain,” said John Carlin, principal associate deputy attorney general at the Justice Department.

Ransomware Hits News Stations in US, Affects Local Broadcast

 

Two local television news stations have been shut down since Thursday, reportedly because of a ransomware attack on their parent company. Cox Media Group, which owns NBC affiliate WPXI in Pittsburgh and ABC affiliate WFTV in Orlando, Florida, told managers to shut down company phones and computers, leaving employees to communicate using only personal phones and text messages. Both stations nevertheless managed to keep airing local broadcasts, though with limited operations.

Cox has declined to release any statement about the attack, but experts believe ransomware was responsible, with hackers breaching the network and holding files hostage for ransom.

According to experts, when an IT incident spreads across multiple parts of an organization at once, it is most likely a ransomware attack, or malware used to stage ransomware. An unplanned, widespread outage of this kind is rarely caused by any other form of cyberattack.

Meanwhile, in Orlando, employees were asked not to come to the office on Thursday and Friday, though they were not told clearly what had happened to the company's computer networks. An employee in Pittsburgh said the company shut down its servers on Thursday morning as a precaution to contain the breach.

For now, staff have been cut off from the computer networks, so there is not much they can do, and the situation at the stations has become tense. Threat actors have been attacking US organizations, schools, hospitals, and businesses for a long time.

But the issue became a major national concern recently, when an attack on Colonial Pipeline, one of the country's largest fuel pipeline operators, halted fuel supply for five days.

"Many of the most prolific ransomware gangs, including those responsible for the JBS and Colonial hacks, speak Russian and have at least some members based in Russia who appear to operate with impunity, leading President Joe Biden to say he's "looking closely" at retaliating," reports NBC news.  

FujiFilm Shuts Down Network Following Ransomware Attack

 

Japanese multinational conglomerate FujiFilm, headquartered in Tokyo, suffered a ransomware attack on Tuesday night. As a precaution, the company has shut down portions of its network to prevent the attack from spreading.

"FUJIFILM Corporation is currently carrying out an investigation into possible unauthorized access to its server from outside of the company. As part of this investigation, the network is partially shut down and disconnected from external correspondence," the company said in a statement.

FujiFilm is renowned for its digital imaging products but also produces high-tech medical kits, including devices for the rapid processing of COVID-19 tests. Due to the partial network outage, FUJIFILM USA has added a notice to its website stating that it is currently experiencing network problems impacting its email and phone systems. 

“We want to state what we understand as of now and the measures that the company has taken. In the late evening of June 1, 2021, we became aware of the possibility of a ransomware attack. As a result, we have taken measures to suspend all affected systems in coordination with our various global entities. We are currently working to determine the extent and the scale of the issue. We sincerely apologize to our customers and business partners for the inconvenience this has caused,” FujiFilm further added. 

Threat hunting and cyber intelligence firm Group-IB estimated that the number of ransomware attacks grew by more than 150% in 2020 and that the average ransom demand increased more than twofold to $170,000.

While FUJIFILM has not stated what ransomware group is responsible for the attack, Advanced Intel CEO Vitali Kremez has told BleepingComputer that FUJIFILM was infected with the Qbot trojan last month.

"Based on our unique threat prevention platform Andariel, FUJIFILM Corporate appeared to be infected with Qbot malware based on May 15, 2021. Since the underground ransomware turmoil, the Qbot malware group currently works with the REvil ransomware group. A network infection attributed to QBot automatically results in risks associated with future ransomware attacks," Kremez told BleepingComputer.

Last week, hackers targeted Japanese government organizations, gaining access to a project management platform and causing data leaks from various government offices. One ministry had at least 76,000 email addresses exposed, including some belonging to individuals outside the ministry.

Scripps Health Care Facility Reported Ransomware

 


Scripps Health reported on Tuesday that it has begun sending notifications to nearly 150,000 individuals whose sensitive data was stolen by threat actors during a ransomware attack on one of its local healthcare facilities on May 1.

What is Scripps Health and how does it operate?

Scripps is a nonprofit health care system in San Diego, California, United States. It operates five hospitals and 19 outpatient facilities, treats about half a million patients a year through 2,600 affiliated physicians, and also runs several medical education and research programs.

In a statement, the firm said that it has just begun notifying victims so that they can take protective measures to safeguard their personal information from further misuse. “About 2.5 percent of those — nearly 3,700 — are said to have had their Social Security and/or driver’s license numbers taken. For those, the company said, it will provide complimentary credit monitoring and identity protection support services,” the statement continued.

According to the firm, the cybercriminals stole clinical data including individuals' addresses, patient account numbers, dates of birth, medical record numbers, health insurance information, physician names, and medical information. The data was reportedly taken from a system that the firm has not identified.

The breach forced medical professionals at all levels of the health system to work differently while systems were at risk: staff had to use paper charts for documentation, and access to important clinical data, including previous test results, was unavailable for weeks.

The health care facility further said that the investigation is being conducted on the attack and at present, they are unable to disclose all the technical details. “We still don’t know what the rest of the document seems to be related to. We have started an extensive manual review of these documents…”

“…This is a time-consuming process that can take months, but we will notify affected individuals and organizations as soon as possible in accordance with applicable regulatory requirements,” Scripps added.

Irish Health System and 16 U.S. Health and Emergency Networks Hit by Conti Ransomware Gang

 

According to the Federal Bureau of Investigation, the same group of online extortionists responsible for last week's attack on the Irish health system has also targeted at least 16 medical and first-responder networks in the United States in the past year. The FBI said cybercriminals using the malicious software called 'Conti' have attacked law enforcement, emergency medical services, dispatch centers, and municipalities, according to a warning issued by the American Hospital Association on Thursday. 

In May 2020, the Conti ransomware appeared on the threat landscape. It has links to other ransomware families. Conti has evolved quickly since its discovery and is known for the speed at which it encrypts files and spreads across a target network. Conti is a "double extortion" ransomware: in addition to encrypting data, it steals data and threatens to publish it.

The FBI did not specify who was targeted in these attacks or whether ransoms were paid, only that these networks "are among more than 400 organizations worldwide victimized by Conti, with over 290 of them based in the United States." Recent ransom demands have been as high as $25 million, according to the alert.

On Thursday, Ireland said experts were examining a decryption tool that had been posted online, which could help restore IT systems crippled by the major ransomware attack on the country's healthcare service. The government stated that it had not paid any ransom and would not pay any in return for the purported key. It did not respond to claims that the gang had threatened to release large amounts of patient information next week.

This ransomware attack has prevented access to patient information, forced medical facilities to cancel appointments, and disrupted Covid-19 testing around the country for the past week. Ossian Smyth, Ireland's e-government minister, has described it as "perhaps the most serious cyber crime assault on the Irish state." 

The hackers who took down Ireland's healthcare system are said to be members of "Wizard Spider," a sophisticated Russia-based cybercrime group that has become more active in the past year. The group has threatened to release medical records unless Ireland pays a $20 million ransom.

US and Australia Warn of Rise in Avaddon Ransomware Attacks

 

The Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) have issued an alert about an ongoing Avaddon ransomware campaign that is affecting organizations across a wide range of industries in the United States and across the world. 

Avaddon ransomware affiliates are attempting to breach the networks of manufacturing, healthcare, and other private sector organizations around the world, according to a TLP:GREEN flash alert issued by the FBI last week.

The ACSC clarified the targeting details today, stating that the group's affiliates are targeting organizations from a broad range of industries, including government, finance, law enforcement, energy, information technology, and health. While the FBI refers only to ongoing attacks, the ACSC lists a number of targeted countries, including the United States, the United Kingdom, Germany, China, Brazil, India, the United Arab Emirates, France, and Spain.

"The Australian Cyber Security Centre (ACSC) is aware of an ongoing ransomware campaign utilizing the Avaddon Ransomware malware [..] actively targeting Australian organizations in a variety of sectors," the ACSC added. 

According to the ACSC, Avaddon threat actors threaten victims with distributed denial-of-service (DDoS) attacks, in addition to leaking stolen data and encrypting their systems, to pressure them into paying. However, the FBI says no evidence of DDoS attacks has been found in connection with Avaddon ransomware attacks.

The Avaddon ransomware group first declared in January 2021 that they would use DDoS attacks to bring down victims' websites or networks before they reach out and negotiate a ransom payment. 

BleepingComputer first reported this trend in October 2020, when ransomware groups started using DDoS attacks against their victims as an additional point of leverage. SunCrypt and RagnarLocker were the two ransomware operations using the tactic at the time.

The first Avaddon ransomware samples were discovered in February 2019, and the operation began recruiting affiliates in June 2020 after launching a massive spam campaign that targeted users around the world. Affiliates of the Avaddon RaaS operation must follow a set of rules, one of which is that no targets in the Commonwealth of Independent States (CIS) be pursued.

Avaddon pays each affiliate 65 percent of the ransom payments they bring in, with the operators keeping the remaining 35 percent. Avaddon affiliates have also been known to steal data from victims' networks before encrypting systems, for double extortion.

Almost all active ransomware operations have adopted this technique, with victims commonly informing their customers or employees of potential data breaches following ransomware attacks.

Ransomware Attack Shuts Down Top U.S. Fuel Pipeline Network

 

The operator of a major U.S. fuel pipeline shut down operations late Friday following a ransomware attack on the pipeline system that transports fuel across the East Coast. The attack is unlikely to affect gasoline supply and prices unless it leads to a prolonged shutdown, experts said.

Colonial Pipeline did not say what was demanded or who made the demand. Ransomware attacks are typically carried out by criminal hackers who encrypt data and demand a large payment to release it.

The company is the main source of gasoline, diesel, and jet fuel for the East Coast with a capacity of about 2.5 million barrels a day on its system from Houston as far as North Carolina, and another 900,000 barrels a day to New York. It presents a new challenge for an administration still dealing with its response to major hacks from months ago, including a massive breach of government agencies and corporations for which the U.S. sanctioned Russia last month.

President Joe Biden was briefed on the incident on Saturday morning, a White House spokesperson said and added that the federal government is working with the company to assess the implications of the attack, restore operations and avoid disruptions to the supply. The government is planning for various scenarios and working with state and local authorities on measures to mitigate any potential supply issues. 

“We’ve seen ransomware start hitting soft targets like hospitals and municipalities, where losing access has real-world consequences and makes victims more likely to pay. We are talking about the risk of injury or death, not just losing your email,” said Ulf Lindqvist, a director at SRI International who specializes in threats to industrial systems.

After the shutdown was first reported on Friday, gasoline and diesel futures edged slightly higher on the New York Mercantile Exchange. Gasoline gained 0.6% while diesel futures rose 1.1%, both outpacing gains in crude oil. Gulf Coast cash prices for gasoline and diesel edged lower on prospects that supplies could accumulate in the region.

Colonial previously shut down its gasoline and distillate lines during Hurricane Harvey, which hit the Gulf Coast in 2017. That contributed to tight supplies and gasoline price rises in the United States after the hurricane forced many Gulf refineries to shut down.

Ransomware Hits US Defense Contractor BlueForce

A ransomware attack has hit U.S. defense contractor BlueForce, according to a Hatching Triage sample and a Conti ransomware negotiation chat. The sample on the Hatching Triage page consisted of a ransom note, likely from an attacker who hit the victim with the Conti ransomware strain. TechTarget's sister site LeMagIT found the sample and sent it to SearchSecurity.

The note said that all the victim's files had been encrypted by CONTI ransomware, told the victim to google the name if they were not familiar with it, and claimed the data could not be restored by any means unless the victim contacted the team directly.

It warned that if the victim tried to use recovery software, all files would be damaged, and told them to continue at their own risk. "Conti ransomware was first reported in mid-2020, and like many other modern ransomware families, it extorts victims by not only encrypting data but threatening to publish it, too. Recent Conti victims include several London schools, as well as fashion retailer FatFace. It was also a member of the Maze ransomware cartel when it was active," said SearchSecurity. The note also included a .onion link and a standard URL to an active chat between a negotiator for BlueForce and a Conti actor.

BlueForce is a Virginia-based company that positions itself as a nexus between the Department of State (DoS) and the Department of Defense (DoD) through a mix of interagency expertise, international development expertise, and cross-functional defense work. The conversation dates back to April 9, when the actor asked whether the target was willing to negotiate. After about two weeks, the victim replied, saying all their files were encrypted and asking for help.

The attacker asked the victim for identification; BlueForce responded last week, asked what the next steps were, and asked whether any data had been taken. According to SearchSecurity, "the threat actor responded in the affirmative and demanded 17 bitcoins (worth nearly $969,000 as of this writing). In addition, the response included a list and data pack of files to verify that Conti had breached the company and exfiltrated data. The chat has not been updated since."

Ransomware Attack by REvil on Apple, Demands $50 Million

 

While Apple was preparing for its 'Spring Loaded' event, which took place on Tuesday, April 20, it was being pressed to pay to prevent data on its next-generation hardware from being leaked. The REvil group, also known as Sodinokibi, said it had gained access to the computer network of Quanta Computer, a major supplier of the MacBook Air and MacBook Pro, and demanded $50 million via the dark web to decrypt Quanta's systems.

The REvil operators published a post on their dark web leak site, known as the 'Happy Blog', claiming that Quanta Computer had been the target of a ransomware attack.

Although the hacker group initially tried to negotiate with the company, it allegedly posted details of upcoming Apple devices before the Spring Loaded event after Quanta Computer refused to pay the ransom, according to the blog post.

The hackers shared some schematics that appear to match the current iMac, as well as details of new models. The ransomware operators warned Apple to buy back the data by May 1 to avoid further leaks, threatening to post new files to their site every day until Apple gives in. The group also said it is negotiating with many big suppliers over the sale of large quantities of confidential drawings and gigabytes of personal data.

“Quanta Computer's information security team has worked with external IT experts in response to cyberattacks on a small number of Quanta servers,” a Quanta Computer spokesperson stated. “We've reported to and kept seamless communications with the relevant law enforcement and data protection authorities concerning recent abnormal activities observed. There's no material impact on the Company's business operation.” 

The spokesperson further stated that the company's information security defenses were activated immediately and a comprehensive investigation was carried out. The company also said its cybersecurity has been upgraded and its infrastructure strengthened.

Quanta also said that it is working on the issue with law enforcement and data protection authorities.

New REvil Ransomware Version Automatically Logs Windows into Safe Mode

 

The REvil ransomware operators continue to refine their tactics and techniques. The well-known ransomware has extended its attack chain once again, this time by changing the victim's login password so that the computer can be rebooted into Windows Safe Mode and encrypted there.

While malicious groups are constantly upgrading their attack strategies in order to fight security measures, the threat actors behind the REvil ransomware are especially skilled at honing their malware in order to make their attack campaigns more effective.

Last month, security researcher R3MRUM discovered a new REvil sample that improves the Safe Mode encryption method by changing the logged-on user's password and configuring Windows to log in automatically on reboot. When run with the -smode argument, the ransomware changes the user's password to 'DTrump4ever'.

The ransomware then sets the Windows Registry values that make Windows log in automatically with the new credentials. It is not yet known whether new REvil encryptor samples will continue to use the 'DTrump4ever' password, but at least two samples submitted to VirusTotal in the last two days have done so.
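Windows performs this kind of automatic logon through the Winlogon registry key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon), where AutoAdminLogon="1" together with DefaultUserName and a clear-text DefaultPassword makes the next boot log in without prompting. The post does not list the exact values the sample sets, so the following added example, written for this page and not taken from the REvil sample or from R3MRUM's analysis, assumes those standard Winlogon values. It parses a .reg export of that key (the sample export below is constructed, not from a real host) and flags the auto-logon combination, treating the 'DTrump4ever' password reported above as a known indicator:

```python
"""Flag Windows auto-logon artifacts in a .reg export of the Winlogon key.

Assumption (not stated on the page): the sample uses the standard Winlogon
auto-logon values AutoAdminLogon, DefaultUserName and DefaultPassword.
"""
import re
from dataclasses import dataclass

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
KNOWN_BAD_PASSWORDS = {"DTrump4ever"}  # password reported for the REvil -smode samples

# Constructed sample export (not a real host) with the suspicious combination set.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="alice"
"DefaultPassword"="DTrump4ever"
"Shell"="explorer.exe"
"AutoRestartShell"=dword:00000001
"""


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: value}}.

    Only "string" and dword: values are decoded, which is all this check needs.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, val = m.group(1), m.group(2)
            if val.startswith("dword:"):
                parsed = int(val[6:], 16)
            elif val.startswith('"') and val.endswith('"'):
                # .reg escapes backslashes and quotes inside string values
                parsed = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            else:
                parsed = val
            keys[current][name] = parsed
    return keys


@dataclass
class AutoLogonFinding:
    enabled: bool
    username: str
    password_present: bool
    known_bad_password: bool


def check_autologon(keys):
    """Evaluate the Winlogon values; value names are case-insensitive in the registry."""
    vals = {k.lower(): v for k, v in keys.get(WINLOGON_KEY, {}).items()}
    enabled = str(vals.get("autoadminlogon", "0")) == "1"
    pwd = vals.get("defaultpassword")
    return AutoLogonFinding(
        enabled=enabled,
        username=str(vals.get("defaultusername", "")),
        password_present=pwd is not None and pwd != "",
        known_bad_password=pwd in KNOWN_BAD_PASSWORDS,
    )


def is_suspicious(finding):
    """Auto-logon enabled with a stored clear-text password is the combination to hunt for."""
    return finding.enabled and finding.password_present


if __name__ == "__main__":
    finding = check_autologon(parse_reg_export(SAMPLE_REG_EXPORT))
    print(finding, "SUSPICIOUS" if is_suspicious(finding) else "clean")
```

On a live host the same check can be fed from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` (the exported file is UTF-16, so open it with that encoding before passing the text in). A clear-text DefaultPassword alongside AutoAdminLogon=1 is rare on managed workstations and worth a ticket regardless of the password value, since future samples may not keep 'DTrump4ever'.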

This latest strategy exemplifies how ransomware groups are actively refining their tactics in order to effectively encrypt users' devices and demand a ransom payment. 

Asteelflash, a world-leading French EMS company, confirmed last week that it has been the target of a cybersecurity incident involving the REvil ransomware. The attackers initially set the ransom at $12 million in Monero; when negotiations did not reach agreement in time, they doubled it to $24 million and leaked a first sample of the exfiltrated files.

Acer, a computer manufacturer, was also hit by the REvil ransomware. REvil has demanded a ransom of $50 million, which may be the highest ever demanded ransom.

REvil has announced a free service that contacts news media and the victim's business partners to apply maximum pressure, and DDoS (Layer 3 and Layer 7) attacks as a paid service. Threat actors or their affiliates will make voice-scrambled VoIP calls to the media and the victim's business partners with information about the attack.

Hades Ransomware Attacks US Big Game

 

A little-known, financially motivated threat group is using the self-proclaimed Hades ransomware in cybercrime activity that has affected at least three victims since December 2020. Known victims include a large US transportation and logistics company, a large US consumer products company, and a global manufacturing organization.

The tactics, techniques, and procedures (TTPs) used to compromise a victim network, escalate privileges, move laterally, evade defenses, exfiltrate data, and deploy the Hades ransomware are broadly consistent with those of other notable ransomware operators, relying on a mix of commodity tooling and living-off-the-land techniques. When Hades lands on a victim machine, it copies itself and relaunches the copy from the command line. The spare copy is then deleted and an executable is unpacked in memory. It then scans local directories and network shares for content to encrypt; every Hades sample obtained uses a different file extension.

Accenture also identified additional Tor hidden services and clearnet URLs through other open-source reporting related to the Hades ransomware samples. In every sample examined, the ransom note instructs the victim to install the Tor browser and visit a specified page. The Tor pages differ only in the victim ID they carry, indicating that each Tor address may be generated specifically for each victim. Accenture Security identified a total of six such addresses, suggesting there could be three additional victims it is not yet aware of.
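To show how a victim count like the one above can be derived from the notes themselves, here is an added example (written for this page, not Accenture's tooling) that extracts .onion contact URLs from a set of ransom notes and groups them by the victim ID in the URL path. It assumes, as the text describes, that the Tor address differs only in the victim ID and that the ID is the last path component; the notes and the onion hostname are constructed placeholders, not real indicators:

```python
"""Cluster ransom notes by the Tor contact address and victim ID they carry.

Assumption: the victim ID is the last path component of the .onion URL.
"""
import re
from collections import defaultdict

# v2 onion names are 16 base32 chars, v3 names are 56; path is optional.
ONION_URL = re.compile(
    r"https?://((?:[a-z2-7]{16}|[a-z2-7]{56})\.onion)(/[\w./-]*)?", re.I
)

# Constructed sample notes; the hostname and IDs are placeholders, not real IOCs.
SAMPLE_NOTES = {
    "victim1_note_a.txt": "Your files are encrypted. Install Tor Browser and visit "
                          "http://hadesexamplenote.onion/7f3ab1c2 to contact us.",
    "victim1_note_b.txt": "Download Tor from https://www.torproject.org and open "
                          "http://hadesexamplenote.onion/7f3ab1c2/",
    "victim2_note.txt":   "Visit http://hadesexamplenote.onion/9d04ee71 with Tor Browser.",
    "unrelated.txt":      "Contact http://hadesexamplenote.onion (no ID in URL).",
}


def extract_contacts(note_text):
    """Return (onion_host, victim_id) pairs found in one note; victim_id is None if absent."""
    found = []
    for host, path in ONION_URL.findall(note_text):
        parts = [p for p in (path or "").split("/") if p]
        found.append((host.lower(), parts[-1] if parts else None))
    return found


def cluster_notes(notes):
    """Map onion host -> victim_id -> sorted note names that share that ID."""
    clusters = defaultdict(lambda: defaultdict(set))
    for name, text in notes.items():
        for host, victim_id in extract_contacts(text):
            clusters[host][victim_id].add(name)
    return {h: {v: sorted(n) for v, n in ids.items()} for h, ids in clusters.items()}


def count_distinct_victims(clusters):
    """Count distinct (host, victim_id) pairs; notes without an ID cannot be attributed."""
    return sum(1 for ids in clusters.values() for v in ids if v is not None)


if __name__ == "__main__":
    c = cluster_notes(SAMPLE_NOTES)
    for host, ids in c.items():
        for victim_id, names in ids.items():
            print(host, victim_id, names)
    print("distinct victims:", count_distinct_victims(c))
```

Over the constructed notes this yields one host with two distinct IDs (two victims), plus one note whose URL carries no ID and so cannot be attributed; the same grouping applied to Accenture's six addresses is what turns "six URLs" into "three more victims than we know of".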

It is currently unclear whether the group operates under an affiliate model or whether Hades is distributed by a single group. Under an affiliate model, developers partner with affiliates who are responsible for different tasks or phases of the operation lifecycle, such as delivering the malware, providing initial access to organizations, or even target selection and reconnaissance. In any case, based on intrusion data from incident response engagements, the operators tailor their tactics and tooling to deliberately chosen targets and run a more "hands-on keyboard" operation to inflict maximum damage and secure higher payouts.

Accenture also noted similarities between the Hades ransom notes and those used by REvil ransomware operators; parts of the ransom notes contain identical wording.

Several Americans Affected by Netgain Ransomware Attack

 

The number of Americans affected by a cyberattack on a cloud hosting and IT services provider has grown by 210,000. Netgain Technologies LLC, of St. Cloud, Minnesota, had to take some of its data centres offline after falling victim to a ransomware attack on November 23 last year. A few days after the attack, customers were emailed warnings that system outages or slowdowns might occur.

The company provides services to a number of firms in the healthcare and accounting industries, including Woodcreek Provider Services, a medical practice management company in Washington state that supports pediatric clinics and urgent care centres owned and operated by MultiCare Health System. On December 3, Netgain told Woodcreek that protected health information of patients was stored on servers affected by the attack and may have been accessed by threat actors. Other information that may have been compromised included the personal information of Woodcreek employees, healthcare providers, applicants, contractors, and individuals receiving services from MultiCare Health System and/or Woodcreek Provider Services.

According to a statement released on March 9 by Woodcreek: "The data included names and addresses, medical record numbers, dates of birth, Social Security numbers, health insurance policy and identification numbers, insurance claims, explanation of benefits, statements, clinical notes, referral requests, laboratory reports, decision not to vaccinate forms, authorization requests for services, treatment approvals, records requests, vaccination information, immunization records, prescription requests, release of information forms, subpoena records requests, medical record disclosure logs, incident reports, invoices, correspondence with patients, student ID numbers, bank account numbers, employment-related documents, court documents, Drug Enforcement Agency certificates, payroll withholding and insurance deduction authorizations, benefit and tax forms, employee health information and some medical records."

Confirmation of what information was involved in the attack was only received by Woodcreek on January 18, 2021. The company is now working to notify affected individuals in writing. Woodcreek said that since the incident it has upgraded its cybersecurity protocols and practices to improve the security of the information in its care, and that it has received written assurances from Netgain that the IT services provider has added security enhancements within its network to proactively defend against future threats.

Threat Actors Target PrismHR in a Potential Ransomware Attack

 

PrismHR, a payroll company, suffered a cyberattack over the weekend that caused massive outages to its systems. Although customers speculate that PrismHR was the victim of a ransomware attack, the company has not identified it as one.

PrismHR operates as an online payroll, benefits, and human resources platform used by professional employer organizations (PEO) – which employ it to provide payroll, HR, and benefits services to customers including small to medium-sized businesses (SMBs).

According to BleepingComputer, the payroll giant was attacked on February 28, 2021. The company stated: “We recently experienced a cyber incident that affected our payroll and benefits software used by Professional Employer Organizations (PEOs) throughout the US. We immediately disabled access to the system to protect customer information and engaged top-tier security experts to help on this.”

“We are working quickly to restore customer access to our platform. While we are still looking into this, there is currently no evidence of unauthorized access or theft of data contained on our servers”, PrismHR further stated.

Given the nature of its business, PrismHR is an extremely valuable target: a single attack could yield sensitive information on a large number of firms. Threat actors commonly attack organizations over the weekend, when employees are away, computers are idle, and less attention is paid to the network, which gives them time to noisily deploy ransomware and encrypt systems.

Attackers usually steal unencrypted data before encrypting devices, and this exfiltrated information gives them additional leverage, including the option of selling it. Information about this incident is still vague; if it turns out to be a ransomware attack, the outcome could be disastrous given the nature of PrismHR's business.

PrismHR holds sensitive information for thousands of organizations, including Social Security numbers, payroll data, ID cards, employee benefit information, beneficiary details, and a wide range of other sensitive records.
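The post notes that ransomware operators favour weekends, when nobody is watching the file servers. One defensive response is to watch file-server audit logs for bursts of rename and modify events that arrive outside business hours. The following Python is an added example, not code from PrismHR or from the original post; the log line format, the host names, the business-hours window, and the thresholds are all constructed assumptions.

```python
"""Flag bursts of file renames/modifications outside business hours.

Added example (not from the original post). The log format, host names,
thresholds and timestamps below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed file-activity audit log (ISO-8601 UTC timestamps, key=value fields).
# 2021-02-26 is a Friday; 2021-02-28 is a Sunday; 2021-03-01 is a Monday.
SAMPLE_LOG = """\
2021-02-26T14:02:11Z host=hr-fs01 user=jdoe event=modify path=/shares/hr/benefits.xlsx
2021-02-26T14:03:40Z host=hr-fs01 user=jdoe event=rename path=/shares/hr/benefits.xlsx.bak
2021-02-28T03:12:04Z host=hr-fs01 user=svc_deploy event=rename path=/shares/hr/payroll_2021.csv.locked
2021-02-28T03:12:05Z host=hr-fs01 user=svc_deploy event=rename path=/shares/hr/w2_forms.pdf.locked
2021-02-28T03:12:05Z host=hr-fs01 user=svc_deploy event=rename path=/shares/hr/ssn_export.csv.locked
2021-02-28T03:12:06Z host=hr-fs01 user=svc_deploy event=rename path=/shares/hr/beneficiaries.xml.locked
2021-02-28T03:12:07Z host=hr-fs01 user=svc_deploy event=rename path=/shares/hr/ids.zip.locked
2021-02-28T03:12:08Z host=hr-fs01 user=svc_deploy event=rename path=/shares/hr/README.txt
2021-03-01T09:15:30Z host=peo-app02 user=asmith event=modify path=/data/reports/q1.docx
"""

BUSINESS_HOURS = (8, 18)  # assumed local window, 08:00 to 18:00
WINDOW_SECONDS = 60       # bucket size for counting events per host
BURST_THRESHOLD = 5       # renames/modifies per window that count as a burst


def parse_line(line):
    """Parse one 'timestamp k=v k=v ...' line into a dict with a tz-aware ts."""
    ts_str, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def is_off_hours(ts):
    """True on weekends or outside the assumed business window."""
    weekend = ts.weekday() >= 5  # Saturday=5, Sunday=6
    outside = not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])
    return weekend or outside


def detect_bursts(log_text, threshold=BURST_THRESHOLD, window=WINDOW_SECONDS):
    """Return one alert per (host, time window) with an off-hours burst."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["event"] not in ("rename", "modify"):
            continue
        key = (ev["host"], int(ev["ts"].timestamp()) // window)
        buckets[key].append(ev)

    alerts = []
    for (host, _), events in sorted(buckets.items()):
        first = events[0]["ts"]
        if len(events) >= threshold and is_off_hours(first):
            paths = [e["path"] for e in events]
            exts = {p.rsplit(".", 1)[-1] for p in paths if "." in p}
            alerts.append({
                "host": host,
                "start": first.isoformat(),
                "count": len(events),
                "users": sorted({e["user"] for e in events}),
                "extensions": sorted(exts),  # a new, uniform extension is a strong signal
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print(alert)
```

On the constructed log, only the Sunday 03:12 burst on hr-fs01 is flagged; the Friday afternoon edits and the Monday morning edit are normal activity. In practice the threshold should be tuned per host against a baseline, and the list of extensions in the alert is what an analyst looks at first, since ransomware typically appends one uniform new extension.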

JFC International Compromised by a Ransomware Attack


JFC International has reported that some of its IT networks were compromised by a ransomware attack. The food giant is one of the main producers and wholesalers of Asian food products in Europe and the US. The attack reportedly affected JFC International's European group, and the organization expects regular activities to resume shortly. JFC International has confirmed the event to law enforcement, staff, and partners.

Headquartered in Los Angeles, California, United States, JFC International is a leading producer and wholesaler of Asian foodstuffs in the US. In addition to its own products, JFC International also purchases branded goods from other international firms. The company was officially founded in 1958 and took its current name in 1978, but it had operated in various forms since 1906. It belongs to the Japanese Kikkoman group.

JFC International is also conducting a thorough forensic inquiry to determine the source of the cyber-attack. According to a statement published on the company's European website, the affected servers have been secured. Which ransomware family was involved, and whether anyone was compromised as a result of the incident, remains unknown. Since JFC describes the case as a data protection event, personal information may have been accessible to the perpetrators.

“JFC International (Europe) was recently subject to a ransomware attack that briefly disrupted its IT systems. A full forensic investigation by in-house specialists together with external cyber experts was immediately started and is underway. The normal conduct of business in Europe will be up and running after a brief interruption for security reasons,” as mentioned in a press release published by the company. “The affected servers were secured. JFC International (Europe) is cooperating closely with the relevant authorities,” states the company. 

The organization reported the security event to staff and business partners and notified the competent authorities. With the aid of external cyber specialists, the firm investigated the intrusion and confirmed that the compromised servers had been secured. At the time of the statement, it was not clear which ransomware family was responsible for the attack or whether the attackers had stolen any information.

“A full forensic investigation by in-house specialists together with external cyber experts was immediately started and is underway. Normal conduct of business in Europe will be up and running after a brief interruption for security reasons. The affected servers were secured,” the company said in a statement posted on its European website.

Cybercriminal Gang Clop Attacked an International Law Firm Jones Day For Ransom


Jones Day, a U.S.-based international law firm, has suffered a major ransomware attack, and files allegedly stolen from Jones Day have been leaked on the internet. A cybercriminal group known as Clop has claimed responsibility for the attack and for stealing the files from the law firm.

The incident was first reported on February 13 by Databreaches.net, and soon after, the Clop ransomware gang claimed responsibility and threatened to leak the files unless the law firm paid a ransom. The group is known for encrypting files on compromised systems as well as stealing files from the target. Former U.S. President Donald Trump is among Jones Day’s clients.

Accellion Inc., a Palo Alto-based private cloud solutions company, is believed to be the source of the attack because of a vulnerability in its software. Accellion software was also connected to a data breach in which 1.4 million unemployment records were stolen from the Office of the Washington State Auditor on 2nd February. Goodwin Procter, a Global 50 law firm, disclosed in an internal memo earlier this month that some client information had been accessed in a breach of an unnamed vendor, later identified as Accellion.

The threat actors claim to have more than 100 gigabytes of data and have started leaking the stolen files online as evidence of their successful attack. The same group attacked the German tech giant Software AG in October last year, demanding a $20 million ransom in return for a decryption key and a promise not to leak the files they had stolen.

Jones Day stated that “Jones Day’s network has not been breached. Nor has Jones Day been the subject of a ransomware attack. Jones Day has been informed that Accellion’s FTA file transfer platform, which is a platform that Jones Day – like many law firms, companies, and organizations – used, was recently compromised and information was taken. Jones Day continues to investigate the breach and has been, and will continue to be, in discussion with affected clients and appropriate authorities.”

RiskSense Report Affirms Surge in Vulnerabilities Associated with Ransomware


In recent years, the threat from ransomware has grown enormously. Ransomware attacks increasingly target web applications, open-source platforms, and systems as attackers look for more direct pathways to organizations' largest and most important data stores.

In 2019, a research report counted 57 vulnerabilities associated with ransomware; in 2020 that number quadrupled to 223, while the number of ransomware families rose from 19 to 125. The vast majority of the flaws used in ransomware attacks, almost 96 percent, were publicly reported before 2019. Software-as-a-service (SaaS) applications emerged as a new ransomware target, with the largest number of flaws having successful exploit patterns. Lastly, more than 15 operational families are offered as ransomware-as-a-service, allowing almost anyone to launch ransomware attacks without coding or security skills.

Approximately 40% of the 223 CVEs connected to recent ransomware attacks fall into five common weakness categories: permissions, privileges, and access controls; code injection; improper input validation; improper restriction of operations within the bounds of a memory buffer; and disclosure of confidential information to an unauthorized actor. The report published by RiskSense states that these overlaps "make it easy for ransomware families to predict new vulnerability disclosures with similar characteristics."

Srinivas Mukkamala, CEO and co-founder of RiskSense, said their analysis shows that both short-term patterns, such as COVID-19 driving more companies onto the Internet, and longer-term advances in digital transformation and cloud adoption across sectors contribute to this increased attack surface. Together these forces have pushed many companies to roll out technologies such as cloud applications, VPNs, and home networking with misconfigurations that malware groups are likely to abuse.

Mukkamala further added that “All of [those trends] actually opened up the aperture and attack surface for ransomware to target and if you look at the vulnerabilities, you can clearly see that your SaaS has been targeted, your backup as a service has been targeted, your remote access services have been targeted and interestingly, we’re looking at your open-source libraries being targeted.” 

RiskSense also observes that state-sponsored advanced persistent threat groups increasingly use many of the same vulnerabilities. These groups would not necessarily deploy ransomware payloads, but they increasingly exploit the same security vulnerabilities and misconfigurations.

Organizations often lack the expertise or security staff to keep up, and RiskSense research shows that several different weaknesses in the typical attack chain are abused, so relying on metrics such as Common Vulnerability Scoring System (CVSS) severity alone to prioritize patching can be folly. Some firms offer their own method, using data analysis to determine which current bugs are related to exploits seen in the wild, in what they call patch intelligence.

Ransomware defense “is becoming more like an analytics play, where you’ve got to collect all your data and start prioritizing based on the exploitability and [whether] it's active right now,” stated Mukkamala.
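The "analytics play" described above, ranking vulnerabilities by evidence of active exploitation and exposure rather than by CVSS severity alone, can be expressed as a small scoring model. The Python below is an added example and is not RiskSense's methodology or code; the record layout, the weights, the five weakness-category labels (paraphrasing the categories named in the post), and the inventory of placeholder identifiers are all constructed assumptions, not real CVE data.

```python
"""Prioritize vulnerabilities by exploitability rather than CVSS alone.

Added example (not from the RiskSense report or the original post). The
record layout, weights, and the inventory below are constructed assumptions;
the vuln_id values are placeholders, not real CVE numbers.
"""
from dataclasses import dataclass

# The five weakness categories the post calls out, as short labels (assumption).
RANSOMWARE_WEAKNESSES = {
    "permissions-privileges-access-control",
    "code-injection",
    "improper-input-validation",
    "memory-buffer-bounds",
    "sensitive-information-exposure",
}


@dataclass
class Finding:
    vuln_id: str            # placeholder identifier, not a real CVE number
    cvss: float             # base severity, 0 to 10
    weakness: str           # CWE-style category label
    exploited_in_wild: bool # confirmed in-the-wild exploitation
    ransomware_linked: bool # known to be used by a ransomware family
    internet_facing: bool   # asset exposure from the organization's own inventory


def priority_score(f):
    """Blend severity with evidence of exploitation and exposure.

    Weights are illustrative: active exploitation and a ransomware link
    dominate the raw CVSS number, which is the point the post makes.
    """
    score = f.cvss
    if f.exploited_in_wild:
        score += 10
    if f.ransomware_linked:
        score += 8
    if f.weakness in RANSOMWARE_WEAKNESSES:
        score += 3
    if f.internet_facing:
        score += 4
    return score


def prioritize(findings):
    """Findings ordered highest priority first (exploitability-aware)."""
    return sorted(findings, key=priority_score, reverse=True)


def cvss_only(findings):
    """Baseline ordering by CVSS severity alone, for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def share_in_ransomware_weaknesses(findings):
    """Fraction of findings falling into the five highlighted categories."""
    if not findings:
        return 0.0
    hits = sum(1 for f in findings if f.weakness in RANSOMWARE_WEAKNESSES)
    return hits / len(findings)


# Constructed inventory; IDs are placeholders.
INVENTORY = [
    Finding("VULN-A", 9.8, "memory-buffer-bounds", False, False, False),
    Finding("VULN-B", 7.5, "code-injection", True, True, True),
    Finding("VULN-C", 5.3, "sensitive-information-exposure", True, False, True),
    Finding("VULN-D", 8.8, "deserialization", False, False, False),
    Finding("VULN-E", 6.5, "improper-input-validation", False, True, False),
]


if __name__ == "__main__":
    print("CVSS only:     ", [f.vuln_id for f in cvss_only(INVENTORY)])
    print("Exploit-aware: ", [f.vuln_id for f in prioritize(INVENTORY)])
    print("Share in the five categories:", share_in_ransomware_weaknesses(INVENTORY))
```

On the constructed inventory, CVSS alone would put the unexploited 9.8 (VULN-A) first, while the exploitability-aware ordering puts the internet-facing, actively exploited, ransomware-linked 7.5 (VULN-B) first and even ranks a 5.3 that is exploited in the wild above the 9.8. The weights are deliberately simple; a real programme would feed them from exploit telemetry and the asset inventory rather than hard-coding them.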

Developer of Cyberpunk 2077 Hit by Ransomware Attack


Ransomware became an increasingly critical threat throughout 2020, as hackers continued to target hospitals and health care providers amid the pandemic. A smaller pattern has also been brewing over the last few months, with a rash of attacks on video game companies including big names like Ubisoft, Capcom, and Crytek. Now the developer CD Projekt Red, which released the much-criticized blockbuster Cyberpunk 2077 in December, is the latest target.

On Tuesday, CD Projekt Red revealed that it had been the victim of a ransomware attack. “Some of our internal systems have been compromised,” the company said in a statement posted on Twitter. The attackers encrypted some computers and stole data, but CD Projekt Red said it would not pay the ransom and was restoring its systems from backups. The incident comes as CD Projekt Red faces sustained criticism for its bug-ridden, overhyped Cyberpunk 2077 release. The game had numerous performance issues on various platforms, which is why Sony pulled it from the PlayStation Store and, alongside Microsoft, offered refunds to players.

Despite the company's recovery efforts, it still faces potential fallout. The attackers apparently took source code for Cyberpunk 2077 as well as other CD Projekt Red games, including Witcher 3, an unreleased version of Witcher 3, and Gwent, the digital Witcher card game. The attackers also say they took business data such as investor relations, human resources, and accounting records. CD Projekt Red says there is no evidence that customer data was compromised in the breach.

“If we will not come to an agreement, then your source code will be sold or leaked online and your documents will be sent to our contacts in gaming journalism,” the attackers said in their ransom note. 

CD Projekt Red has released patches for Cyberpunk 2077 in an attempt to improve the game's stability and do damage control. Yet the company faces a lawsuit from investors alleging that it forced developers to work unreasonable overtime to finish the game, and criticism of its use of nondisclosure agreements to keep journalists from reporting accurately on the game's shortcomings before release.

Trucking Company Forward Air Hit by Ransomware, Suffers Heavy Loss of $7.5 Million


Forward Air, a trucking and freight transportation logistics company, said that a ransomware attack cost it $7.5 million. The attack caused heavy damage to the company's Q4 financial results. The amount stems from the "loss of less-than-load (LTL) trucking business" rather than from the costs of dealing with the incident. The loss mainly occurred because Forward Air had to temporarily pause electronic data operations with its customers. The ransomware incident happened on 15th December last year and was described as a cyberattack using Hades ransomware.

The attack forced Forward Air to take its IT systems offline and shut down electronic operations to deal with the issue. According to FreightWaves, a trucking news site, the cyberattack had a huge impact on the company's daily operations, as employees could not obtain the files required to clear customs. Though the company says that everything is back to normal now, the SEC (Securities and Exchange Commission) filing and the large loss the company recorded suggest otherwise. This is why cybersecurity experts always recommend preventing a ransomware attack in the first place rather than having to deal with one.

FreightWaves reports: "While the cause is not disclosed, the wording of the Forward Air note is similar to what other companies will state when they are under a cyberattack. Additionally, the failure of the website and the fact that the source at the 3PL said emails to Forward Air were bouncing often are marks of a cyberattack."

The SEC filing did not mention Forward Air paying any ransom, nor any cyber insurance policy. Coveware, a company that handles ransomware payment negotiations, published a report last week stating that organizations are now refraining from paying ransoms, having realized that hacking groups do not always delete the stolen data. Today, companies choose to rebuild from scratch instead. Although ransom payments declined, 2020 was the biggest ransomware year yet. According to a report from Chainalysis, 2020 saw total ransom payments worth $350 million, 311% more than in 2019.

UK Research and Innovation Hit With Ransomware Attack


UK Research and Innovation (UKRI) disclosed a ransomware attack that has disrupted services and may have led to data theft. The cyberattack, disclosed a week ago, affected two of the group's services: a portal used by the Brussels-based UK Research Office (UKRO) and an extranet, known as the BBSRC extranet, used by UKRI councils.

Launched in 2018, UKRI is a public body supported by the Department for Business, Energy, and Industrial Strategy (BEIS). Nine councils come together under the brand to manage research grants and to support innovative businesses and opportunities in the United Kingdom. UKRI said that the IT incident resulted in "data being encrypted by a third-party," which implies that ransomware is to blame. Ransomware is a kind of malware frequently used in attacks against enterprises. Once ransomware has landed on a compromised system, it typically encrypts data and files and may also spread throughout the network to take out backups and other resources.

Once encryption is complete, users are locked out and the ransomware operators demand payment in exchange for a decryption key. The extortion demand is usually made in a cryptocurrency such as Bitcoin. The disclosure is scant on details about the attack or who was behind it, as an investigation is underway. “We have reported the incident to the National Crime Agency, the National Cyber Security Centre and Information Commissioner’s Office,” UKRI says.
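The two paragraphs above describe the generic ransomware sequence: land on a system, encrypt files, spread across shares. A cheap early-warning control for the encryption step is to plant canary files on each share and check their digests on a schedule; a canary that is overwritten, renamed, or deleted indicates something is rewriting files in bulk. The Python below is an added example and is not UKRI's tooling or code from the original post; the directory names, canary file name, and manifest layout are assumptions.

```python
"""Canary-file integrity check to catch mass file encryption early.

Added example, not from the UKRI disclosure or the original post. The
directory layout, canary file name and manifest name are assumptions.
"""
import hashlib
import json
import os
import tempfile

CANARY_NAME = ".canary_do_not_touch.txt"   # assumed name; pick one users won't edit
MANIFEST_NAME = ".canary_manifest.json"    # assumed; in production keep it off the share


def _sha256(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canaries(root, subdirs):
    """Create one canary per share directory and record each digest."""
    manifest = {}
    for sub in subdirs:
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        p = os.path.join(d, CANARY_NAME)
        with open(p, "wb") as fh:
            fh.write(b"canary file; any change indicates tampering\n")
        manifest[p] = _sha256(p)
    with open(os.path.join(root, MANIFEST_NAME), "w") as fh:
        json.dump(manifest, fh)
    return manifest


def check_canaries(root):
    """Return (path, reason) for every canary that is missing or changed."""
    with open(os.path.join(root, MANIFEST_NAME)) as fh:
        manifest = json.load(fh)
    tampered = []
    for p, digest in manifest.items():
        if not os.path.exists(p):
            tampered.append((p, "missing"))      # deleted or renamed away
        elif _sha256(p) != digest:
            tampered.append((p, "modified"))     # overwritten in place
    return tampered


def demo():
    """Plant canaries, verify them clean, then simulate two tampering modes."""
    root = tempfile.mkdtemp(prefix="canary-demo-")
    plant_canaries(root, ["finance", "hr", "grants"])
    clean = check_canaries(root)
    # Constructed tampering: one canary overwritten, one renamed with a new extension,
    # which is how a bulk-encryption run typically shows up on a share.
    with open(os.path.join(root, "hr", CANARY_NAME), "wb") as fh:
        fh.write(os.urandom(64))
    os.rename(os.path.join(root, "grants", CANARY_NAME),
              os.path.join(root, "grants", CANARY_NAME + ".locked"))
    return clean, check_canaries(root)


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

Run on a schedule (every minute or so) from a host that does not itself mount the shares with write access, a non-empty result from check_canaries is a trigger to isolate the file server and the writing account, which is far cheaper than discovering the encryption when users call in the morning. The manifest should live somewhere the encryptor cannot reach, for the same reason backups need to be isolated.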

If data has been stolen, it may include grant applications and review data held in the portals, as well as expense claims. However, the agency could not yet say whether financial information had been taken. "We are working to securely reinstate impacted services as well as conducting forensic analysis to ascertain if any data was taken, including the potential loss of personal, financial, or other sensitive data," the group says. "If we do identify individuals whose data has been taken we will contact them further as soon as possible."

According to DLA Piper, £142.7 million ($193.4 million) in fines have been issued over the past year for breaches of the EU's General Data Protection Regulation (GDPR), nearly a 40% increase compared with the previous 20 months.

Resident Evil Developer Capcom Became a Victim of a Ransomware Attack


The year 2020 saw a great many data leaks and hacks of assorted kinds across apps and websites. This time it was the turn of Capcom, an Osaka-headquartered video game developer, which became the victim of a data breach and ransomware attack in November 2020. Not only the company but also its users were compromised by this attack. As a result of the ransomware attack, Capcom had to shut down parts of its network, including its email and file services.

Initially, Capcom did not disclose whether any customer information had been breached or whether any of its websites, servers, or games had been compromised by the attack. However, on 16th November 2020, the company reported that almost 9 of its users had their personal information compromised, and further added that 350,000 of its users were at risk of a data breach.

In this attack, hundreds of thousands of pieces of personal data were stolen from Capcom's servers, including the names and addresses of customers and former employees. The estimated number of victims in this case is 16,415.

Capcom later confirmed that it suspected the company’s information, including "sales reports, financial information, game development documents, [and] other information related to business partners," had been illicitly accessed during the attack. Documents matching that description have been circulating in certain corners of the Internet since November.

Capcom further stated that "the company has also ascertained that the potential maximum number of customers, business partners, and other external parties, etc., whose personal information may have been compromised in the attack is approximately 390,000 people (an increase of approximately 40,000 people from the previous report)." 

Not only was Capcom's network hit by a ransomware attack, but the threat actors also left a note on the server. The note stated that the Ragnar Locker ransomware gang was behind this cyber-attack. The gang included some hyperlinks as proof of the attack. Those links led the company to a file containing personal information of the company, its users, and its employees, which was later published on the internet.

Additionally, the company wrote, "Capcom would once again like to reiterate its deepest apologies for any complications or concerns caused by this incident.”