
Ukrainian police arrested members of a well-known cyber ransomware group

Members of the Egregor group, which operates under the Ransomware-as-a-Service (RaaS) model, have been arrested by the Ukrainian police.

The arrests are the result of a joint operation by French and Ukrainian law enforcement agencies. The names of the arrested individuals were not disclosed, but it is known that they provided logistical and financial support for the service.

It is worth noting that this ransomware has been active since the fall of 2020 and operates according to the Ransomware-as-a-Service (RaaS) model. That is, the authors of the malware rent it out to other criminals, who then break into companies, steal data, encrypt files, and demand a “double ransom” from victims (one payment for decrypting the files and another for not disclosing the data stolen during the intrusion).

If the victims pay a ransom, the group that carried out the intrusion keeps most of the funds, and the developers of Egregor receive only a small share. The attackers laundered the proceeds through Bitcoin.

Those arrested are suspected, among other things, of operating such financial schemes.

According to Allan Liska, a cybersecurity researcher at Recorded Future, the Egregor infrastructure, including the leak site and the command-and-control infrastructure, has been offline since at least Friday (February 12).

The French side joined the investigation after the Egregor software was used in attacks on the computer game developer Ubisoft and the logistics organization Gefco in 2020.

Although the Egregor RaaS operation was launched in September 2020, a number of cybersecurity experts believe that the service operators are the well-known ransomware group Maze.

DDoS Campaign Exposed by the Security Firm Radware

Security firm Radware has uncovered a ransom distributed denial-of-service (DDoS) campaign in which threat actors returned to the same set of victims they had targeted since September 2020, after those companies failed to pay the initial ransom of between five and ten bitcoins ($160,000 and $320,000) demanded by the attackers.

According to the reports, an anonymous group of hackers first attacked the victims in August or September 2020. In December 2020 and January 2021, after the victims had failed to pay the initial ransom, the threat actors sent additional extortion emails to the organizations. A DDoS attack followed immediately after the organizations received this second set of threatening messages.

The latest DDoS attack surpassed 200 Gbps and continued for more than nine hours without interruption. As per the reports of Radware, the latest ransom note reads, “maybe you forgot us, but we didn’t forget you. We were busy working on more profitable projects, but now we are back”.

Radware security experts are convinced that the series of attacks was managed by the same ransomware group, because the attack infrastructure and the messages received from the group were identical. Also, the names of the organizations that received the latest letters were never reported in the media last year, so only the original group would have known that these companies had been targeted.

Radware security experts have noticed a change in the threat actors’ strategy: in previous campaigns, the threat actors pressured the organizations for a few weeks and then moved on. “The 2020-2021 global ransom DDoS campaign represents a strategic shift from these tactics. DDoS extortion has now become an integral part of the threat landscape for organizations across nearly every industry since the middle of 2020”, the report explained.

This group of threat actors does not hesitate to return to the targets that originally ignored their warnings, which is a fundamental change in tactics. According to Radware, the companies should be prepared for another letter and another attack in the upcoming months.

Ransomware Group Published More Than 4,000 SEPA Files Online

The Scottish Environment Protection Agency (SEPA) has once again fallen victim to the threat actors. The hackers published more than 4,000 files on their website after the regulator refused to pay the ransom; notably, these are the same hackers who attacked SEPA on Christmas Eve.

Last month, cybersecurity experts discovered that the threat actors had stolen nearly 1.2 GB of data, which suggested they may have accessed and stolen around 4,000 files. The threat actors locked SEPA’s email and contact centre systems and demanded a ransom to unlock them. SEPA said it would have to start from scratch and build a whole new system following a ‘significant cyber-attack’.

The agency is still able to provide essential services regarding flood forecasting and warnings, as well as regulation and monitoring services. The Conti ransomware group claimed responsibility for the attack, but SEPA has not validated the group’s claims. The published information includes personal information on SEPA employees and information related to commercial work with international partners.

Terry A’Hearn, chief executive of SEPA, stated that “we’ve been clear that we won’t use public finance to pay serious and organized criminals intent on disrupting public services and extorting public funds. We have made our legal obligations and duty of care on the sensitive handling of data a high priority and, following Police Scotland advice, are confirming that data stolen has been illegally published online”.

“We’re working quickly with multi-agency partners to recover and analyze data then, as identifications are confirmed, contact and support affected organizations and individuals”, he further added.

Ransomware groups have been quite successful with their tactic of stealing data and threatening to publish it online if a ransom is not paid in exchange for the decryption key. Every month, ransomware gangs make hundreds of thousands of dollars in bitcoin per attack.