Search This Blog

Showing posts with label Ransomware. Show all posts

Links Detected Between MSHTML Zero-Day Attacks and Ransomware Operations

 

The exploitation of a recently fixed Windows zero-day vulnerability was attributed to known ransomware operators, according to Microsoft and threat intelligence firm RiskIQ.

The existence of the zero-day, called CVE-2021-40444, was revealed on September 7, when Microsoft released countermeasures and cautioned that the vulnerability had been exploited in targeted attacks using specially designed Office documents. 

The vulnerability connected to Office's MSHTML browser engine can and has been misused for remote code execution. As part of its Patch Tuesday updates, Microsoft delivered upgrades on September 14th. 

Microsoft announced the acquisition of RiskIQ in July and posted separate blog posts detailing the attacks exploiting CVE-2021-40444. 

The first exploitation efforts were discovered in mid-August. But Microsoft observed a massive spike in exploitation attempts when the proof-of-concept (PoC) code and other details were made public after the initial announcement. 

As per the company, several threat actors, including ransomware-as-a-service affiliates, have used the public PoC code, but some of the exploitation attempts are part of testing rather than criminal operations. 

The company initially saw less than ten exploitation attempts and leveraged CVE-2021-40444 to deliver custom Cobalt Strike Beacon loaders. Microsoft has identified the attackers as DEV-0413 — DEV is allotted to emerging threat groups or unusual activity. To deliver the malware, they apparently used emails referencing contracts and legal agreements to get the targets to open documents formatted to abuse the MSHTML vulnerability.

Surprisingly, the Cobalt Strike infrastructure utilised in the assaults has earlier been linked to cybercrime organisations known for targeting big corporations with ransomware like Conti and Ryuk. These threat actors are tracked as Wizard Spider (CrowdStrike), UNC1878 (FireEye), DEV-0193, and DEV-0365 (Microsoft).

RiskIQ stated in its blog post, “Despite the historical connections, we cannot say with confidence that the threat actor behind the zero-day campaign is part of WIZARD SPIDER or its affiliates, or is even a criminal actor at all, though it is possible. If the threat actors were part of these groups, it means they almost surely purchased the zero-day exploit from a third party because they have not previously shown the ability to develop exploit chains of this complexity.” 

The company added, “Instead, we assess with medium confidence that the goal of the operators behind the zero-day may, in fact, be traditional espionage. This goal could easily be obscured by a ransomware deployment and blend into the current wave of targeted ransomware attacks.” 

RiskIQ states that the cyberspies could have gained access to the ransomware infrastructure, or they may have been allowed by the ransomware operators to utilise their infrastructure. Only one group might be involved in espionage and cybercrime, or the two groups use the same bulletproof hosting provider. 

According to Microsoft, the initial malicious document in attacks abusing CVE-2021-40444 emerges from the internet, and it should be labelled as the "mark of the web." 

Microsoft Office should open the document in Protected Mode unless the user specifically allows modification, limiting the misuse. However, if the attackers figure out a means to keep the document from being a “mark of the web,” they may utilise the vulnerability to execute the payload on the page without requiring user input.

South Africa’s Department of Justice hit by a Ransomware Attack

 

South Africa's Justice Department was attacked earlier this month by a major ransomware attack and has been struggling since then to get back to normal. The attack was carried out on the 6th of September 2021, after ransomware compromised the department's entire information systems. 

It restricted the internal staff and the public from accessing any technological services, including email and websites. The judicial department handled the attack by instantaneously implementing an emergency plan, as per a Bleeping Computer report. The objective was to address such circumstances and to make sure that not every activity in the country was interrupted. 

The Justice and Constitutional Development Department declared that child support payments are now suspended until systems return online. 

The paper mentioned the statement of the Justice and Constitutional Development Speaker, Steve Mahlangu, who said, “[The attack] has led to all information systems being encrypted and unavailable to both internal employees as well as members of the public. As a result, all electronic services provided by the department are affected, including the issuing of letters of authority, bail services, e-mail, and the departmental website”.

Mahlangu noted that although it is not possible to anticipate the exact day when systems will be restored, the department will “ensure all child maintenance money is kept secure for payment to the rightful beneficiaries when the systems are back online.” 

He further stated that some departmental functions remained working despite the attack. For example, just after a change to manual mode for the recording of hearings, court sittings continued. The manual steps for issuing different legal documents were also performed. 

The Department of Justice has likewise changed to a new email system. Some employees have moved to the new email system. The department also couldn't identify the cybercriminals behind the attack. However, as the recovery of the network takes a while, the hackers were not reimbursed for the attack. 

Hackers and ransomware organizations frequently take data before an information system is encrypted. This compels victims to pay an enormous ransom fee for fear of public information leakage. However, till recently "no indication of data compromise" has been identified by departmental added IT experts.

Ransomware Groups are Escalating Their Attacks on Healthcare Organizations

 

Ransomware groups have shown no signs of declining their attacks on hospitals, apparently intensifying attacks on healthcare institutions as countries all over the world cope with a new wave of COVID-19 virus. 

Two healthcare institutions in California and Arizona have begun sending out breach notification letters to thousands of people after both disclosed that sensitive information — including social security numbers, treatment information, and diagnosis data —, was obtained during recent hacks. 

LifeLong Medical Care, a California health facility, is mailing letters to about 115 000 people informing them of a ransomware attack on November 24, 2020. The letter does not specify which ransomware gang was responsible. Still, it does state that Netgain, a third-party vendor that offers services to LifeLong Medical Care, "discovered anomalous network activity" only then concluded that it was a ransomware assault by February 25, 2021. 

Netgain and LifeLong Medical Care finished their investigation by August 9, 2021. They discovered that full names, Social Security numbers, dates of birth, patient cardholder numbers, treatment, and diagnosis information were accessed and/or obtained during the assaults. 

Credit monitoring services, fraud alerts, or security freezes on credit files, credit reports, and stay attentive when it comes to "financial account statements, credit reports, and explanation of benefits statements for fraudulent or unusual behavior," as per LifeLong Medical Care. 

For further information, anyone with questions can call (855) 851-1278, which is a toll-free number. 

After being struck by a ransomware assault that revealed confidential patient information, Arizona-based Desert Wells Family Medicine was compelled to issue a similar letter to 35 000 patients. 

On May 21, Desert Wells Family Medicine learned it had been hit by ransomware and promptly engaged an incident response team to assist with the recovery. The incident was also reported to law enforcement. 

According to the healthcare institution, the ransomware gang "corrupted the data and patient electronic health records in Desert Wells' possession before May 21". After the malicious actors accessed the healthcare facility's database and backups, it was unrecoverable. 

Desert Wells Family Medicine stated in its letter, "This information in the involved patient electronic health records may have included patients' names in combination with their address, date of birth, Social Security number, driver's license number, patient account number, billing account number, health insurance plan member ID, medical record number, dates of service, provider names, and medical and clinical treatment information." 

The organization stated that it is presently reconstructing its patient electronic health record system and will provide free credit monitoring and identity theft prevention services to victims. 

"Patients should also check statements from their healthcare providers or health insurers and contact them right away if they notice any medical services they did not get," the letter continued. 

These recent assaults, according to Sascha Fahrbach, a cybersecurity evangelist at Fudo Security, indicate that the healthcare business, with its precious personal information, remains an enticing and profitable target for hackers and insiders. 

"There were more than 600 healthcare data breaches last year, with more than 22 million people affected, and unfortunately, this trend shows no sign of slowing down. Healthcare operators need to reassess their security posture, as well as shifting their mindset when it comes to safeguarding their data," Fahrbach added. 

"In particular, third parties remain a security liability which needs to be urgently addressed. Many in the healthcare industry are not taking the proper steps to mitigate third-party remote access and third-party vendor risk." 

After the Hive ransomware knocked down a hospital system in Ohio and West Virginia last month, the FBI issued a notice two weeks ago, adding that the gang frequently corrupts backups as well.

Hive has targeted at least 28 companies so far, including Memorial Health System, which was struck by ransomware on August 15.

Hackers Steal Data of 40,000 Patients From a Kidney Hospital in Thailand


On Wednesday, Thirachai Chantharotsiri, director of Bhumirajanagarindra Kidney Institute Hospital lodged a complaint that the personal information of over 40,000 patients has been stolen by a hacker. The compromised data included personal details and allegedly medical history of the patients. 

While talking to local media at Phaya Thai police station, Dr. Chantharotsiri told that on Monday, the database of the patients at a hospital in the Ratchathewi district of Bangkok became inaccessible to the hospital staff. A subsequent system check was carried out which revealed that the data had been stolen. The breach damaged the data system of the hospital which resulted in an inability to access the X-ray archive. 

According to the commissioner of the CCBI, Pol Lt Gen Kornchai Kalyklueng – owing to the ambiguity regarding the criminals – the investigating agency will seek support from American authorities and other international organizations to track down the hackers. 

Dr. Thirachai told that later, the facility received a call from a foreigner claiming to have hacked the system, the English-speaking man tried to negotiate for payment in exchange for the important information belonging to the hospital. 

The director filed a police complaint along with a recording of the call, reportedly, he did not hear from the anonymous caller again. 

In an attempt to mitigate concerns, the officials at the hospital maintained that the compromised data only include the primary data of the patients, emphasizing that diagnostic or medical records were untouched. 

As per the investigation of CCIB, the group behind the hacking is probably the one that hacked the systems of Krungthai Bank exposing client information and that of a hospital in the Northeast. Although the group identified is seemingly of Indian origins using a server in Singapore, most recent findings indicate that the threat actors were operating from the US.

Pirated Software Used To Distribute Malware

 

Another persistent operation has now been discovered by researchers that employ a network of websites that function as a "dropper as a service" to distribute a package of malware payloads to users looking for a "cracked" version of the popular business and consumer programs. Such malware incorporates numerous sorts of click scam bots, data stealers, and sometimes even ransomware. 

The cyberattack operates by exploiting several WordPress-hosted lure pages containing "download" links to software applications, which, once clicked by the user, redirect the person to a third party website which distributes potentially unwanted browser plug-ins and malware, including installers for Raccoon Stealer, Stop ransomware, the Glupteba backdoor, and a wide range of malevolent cryptocurrency miners that pretend to be an antivirus software for the system. 

"Visitors who arrive on these sites are prompted to allow notifications; If they allow this to happen, the websites repeatedly issue false malware alerts," the Sophos researchers said. "If the users click the alerts, they're directed through a series of websites until they arrive at a destination that's determined by the visitor's operating system, browser type, and geographic location." 

Links to the web pages appear at the top of search results whenever a user searches for illegal copies of a comprehensive range of software apps using strategies such as search engine optimization. These actions, which are thought to be the result of an illicit marketplace for paid download services, enable entry-level cybercriminals to establish and customize operations depending on the geographic targeting. 

Traffic exchanges, as the allocation infrastructure is also known, generally require a Bitcoin payment before associates can start creating accounts and begin disseminating installers, with web pages like InstallBest providing advice on "best practices," like advising against the use of Cloudflare-based servers for downloaders, along with URLs within Discord's CDN, Bitbucket, or other cloud platforms. 

In addition, the researchers discovered several companies that, rather than providing their particular malware delivery networks, function as "go-betweens" to established malvertising networks that compensate website owners for traffic. 

Earlier in June, a cryptocurrency miner known as Crackonosh was discovered misusing the technique to download a coin miner software known as XMRig to silently compromise the affected host's resources to mine Monero. A month later, the criminals behind MosaicLoader malware were discovered targeting people looking for pirated software as part of an international attempt to install a fully-featured backdoor susceptible to hooking vulnerable Windows systems into a botnet.

Amidst Surge in Ransomware Attacks, FBI Warns Food and Agriculture Sector

 

The FBI has published a private industry advisory on Wednesday, alerting the food and agriculture sectors that they have been under active attack by ransomware organizations. The cybercriminals' approach to firms in this area is unremarkable; the methods and procedures they deploy are well-known. 

According to the FBI, ransomware gangs want to "disrupt operations, cause financial loss, and negatively impact the food supply chain." 

"Ransomware may impact businesses across the sector, from small farms to large producers, processors and manufacturers, and markets and restaurants. Cybercriminal threat actors exploit network vulnerabilities to exfiltrate data and encrypt systems in a sector that is increasingly reliant on smart technologies, industrial control systems, and internet-based automation systems," the FBI said. 

Food and agriculture enterprises that are victims of ransomware incur massive financial losses as a result of ransom alongside suffering productivity losses and remediation costs. Organizations may potentially lose proprietary information and personally identifying information as a result of a ransomware operation, as well as suffer negative publicity. 

Many of the world's largest food firms now use a variety of IoT devices and smart technology in business processes. According to the FBI, bigger agricultural firms are attacked since they can manage to pay bigger ransoms, but smaller entities are targeted because they cannot afford high-quality cybersecurity. 

"From 2019 to 2020, the average ransom demand doubled and the average cyber insurance payout increased by 65 percent from 2019 to 2020. The highest observed ransom demand in 2020 was $23 million, according to a private industry report. According to the 2020 IC3 Report, IC3 received 2,474 complaints identified as ransomware with adjusted losses of over $29.1 million across all sectors," the FBI said. 

In an industry that is heavily dependent on smart technologies, industrial control systems, and web automation systems, cyber attackers use networking weaknesses to steal information data and encrypt systems. 

According to the organization, cybercriminals employ a myriad of methods to attack individuals with ransomware like email phishing operations, Remote Desktop Protocol (RDP) vulnerabilities, and software vulnerabilities; these are the most popular method of attack.

Babuk Ransomware Full Source Code Leaked On A Russia-Speaking Hacking Forum



The complete source code for the Babuk ransomware has been leaked by a threat actor on a Russian-speaking hacking forum, this week. It allows easy access to a sophisticated ransomware strain to competitors and threat actors planning to sneak into the ransomware realm with little effort. 

The full source code of Babuk ransomware posted on the hacking forum comprises all things that one would require for a functional ransomware executable. The leaked file contains "various Visual Studio Babuk ransomware projects for VMware ESXi, NAS, and Windows encryptors," as per Xiarch Security. The leak has been confirmed to be legitimate by various ransomware experts. Apparently, the leak also includes decryption keys for the gang's past victims. 

Babuk ransomware gang made certain changes into their operations as they announced they will longer encrypt information on networks, but will rather "get to you and take your data" they said on hacker-forum. "..we will notify you about it if you do not get in touch we make an announcement." They announced in advance that their source code will be publically available as Babuk changes direction and plans to shut down. "We will do something like open-source RaaS, everyone can make their own product based on our prouduct." They further told. 

In April, earlier this year, the Babuk group attacked Washington D.C police with a ransomware attack wherein they stole over 250 gigabytes of data from the Metropolitan Police Department of the District of Columbia (MPD). It included police reports, internal memos, and PII of confidential informants, and employees. Following the attack, the gang heavily criticized MPD for huge security gaps and threatened the law enforcement agency to publish the data if the ransom demand is not met. 

MPD acknowledged the unauthorized access on their server, and it started working with the FBI to investigate the matter. Meanwhile, the U.S. law enforcement agency reviewed the activity to determine the full impact of the attack. 

Post MPD attack, there are reports of strife within the group members of Babuk. The 'Admin' wished to leak the data stolen from the MPD attack for advertising, however, the other members were against the idea as they felt it was too much even for them (the bad guys). As a result, the group disintegrates and the initial 'Admin' went on to launch the 'Ramp' cybercrime forum while others began Babuk V2, where they continue carrying out ransomware attacks with little or no difference. After a while, the original admin accused his gang members of attempting to make his new site unusual by subjecting it to a series of DDoS attacks. 

"One of the developers for Babuk ransomware group, a 17 year old person from Russia, has been diagnosed with Stage-4 Lung Cancer. He has decided to leaked the ENTIRE Babuk source code for Windows, ESXI, NAS." A user going by the Twitter handle @vxunderground tweeted.

UK Based Firms, Voip Unlimited, And Voipfone Under DDoS Attack

 

Users of Voipfone's UK business broadband and Voice-over-Internet-Protocol (VoIP) services have reported to ISPreview.co.uk that the supplier has been facing massive service interruptions for the past couple of days, that also seems to be the consequence of a Distributed Denial of Service (DDoS) attack against their system applications. 

Likewise, South Coast-based Voip Unlimited had also reported that it has been bombarded with a "colossal ransom demand" after being struck by a prolonged and large-scale DDoS attack. They believe that it was launched by the Russian cybercriminal organization REvil. 

On September 2nd, it reported that "services are operational ... however the attacks are still ongoing." 

However, at this point, it remains unclear whether any additional UK Internet Telephony Service Providers (ITSP) have also been affected or not. Nevertheless, the UK Comms Council – the industry association which represents ITSPs – has alerted customers well about cyberattacks and reminded them to implement "appropriate DDoS mitigation strategies." 

Mark Pillow, MD of Voip Unlimited, informed that the business accepts "full responsibility of the availability of our services to our clients" and that they feel "extremely sorry for all inconvenience caused." 

He further explained: "At 2 pm 31st August, Voip Unlimited's network was the victim of an alarmingly large and sophisticated DDoS attack attached to a colossal ransom demand." 

DDoS attacks usually function by flooding a target server or end-user with data requests from numerous internet-connected devices (often malware-infected machines/botnets, etc.), causing the designated destination to crash or experience substantial performance issues until the bad traffic ceases. These attacks might potentially reveal additional vulnerabilities that hackers can abuse. 

A number of VoIP Unlimited's networks suffered "intermittent or total loss of internet connectivity services" as a result of the attack, however, clients utilizing its Voip Unlimited Ethernet and Broadband services are thought to have been mostly unharmed. 

"UK Comms Council has communicated to us that other UK SIP (Session Initiation Protocol) providers are affected and identified them as a criminal hacking organization called REvil who appear to be undertaking planned and organized DDoS attacks against VoIP companies in the UK," Pillow added. 

The sheer magnitude of the attack is yet unknown, but according to an email sent by Voipfone on Tuesday and obtained by El Reg, the firm's services were "intermittently disrupted by a DDoS attack" over the Bank Holiday weekend, flooding its system with phony traffic from tens of thousands infected devices. 

It is quite noticeable that the users have now become extremely upset as a result of their inability to access vital digital telecommunication services upon their return to work following the August Bank Holiday weekend. 

In a statement, chair of Comms Council UK Eli Katz told, "Comms Council UK is aware of the Denial of Service attacks currently targeting IP-based communications service providers in the UK and that a small number of our members have been impacted. We have communicated the issue to our membership and are continuing to liaise closely with them to share further information and support as the situation develops." 

Likewise, an alleged DDoS attack on Iran's telecommunications networks in February caused a substantial disturbance, wiping out around 25% of the country's internet connectivity and triggering an early outage of mobile and fixed-line services.

Lockbit Ransomware Suspected Behind the Attacks on Envision Credit Union

 

Cyberattacks employing a type of ransomware that appeared nearly two years ago have increased in number lately. The ransomware known as LockBit Ransomware, continues to be effective for cyber thieves. 

Trend Micro's cybersecurity analysts recently documented an uptick in LockBit ransomware operations that have surged since the beginning of July. This ransomware-as-a-service first surfaced in September 2019 and has been quite successful, although activities have increased relatively during this summertime. 

Recently, Envision Credit Union has been the victim of a potential ransomware attack that seized its computer networks. There were clear indications of a suspected ransomware attack that surfaced last week, leading to speculation that the entity responsible for the attack was LockBit 2.0. 

LockBit works on the concept of Ransomware as a Service (RaaS), in which they lease out their network and software to legitimate hackers in exchange for a portion of the payment. It is a sort of double extortion in which the perpetrator threatens to expose the victim's personal information or data if the victim does not pay the money. 

Thus according to Datminr, a New York-based cybersecurity firm, the cybercriminals allegedly threatened to expose the stolen information on the 30th of August. 

The Tallahassee Democrat wrote Envision officials with various questions regarding the alleged cyber-attack. A representative only acknowledges the attack as "technical difficulties" and an "event," whilst presenting the Democrat with the following statement: 

“The credit union started experiencing technical difficulties on some of its systems, even though it has already implemented adequate security measures. We are taking all necessary steps to address the issue, which includes establishing an investigation and notifying law enforcement. We are aware of the situation and are working to ensure that the funds of our members were not put at risk.” 

The Kaspersky team has also published a report on the LockBit ransomware gang. According to them, LockBit is the newest in a succession of cybercriminals organizations promoting the ability to automate infiltration of local machines via a domain controller. 

“This ransomware is used for highly targeted attacks against enterprises and other organizations,” Kaspersky researchers said. “As a self-piloted cyberattack, LockBit attackers have made a mark by threatening organizations globally.”

Ransomware operations are on the upswing both internationally and regionally. One such ransomware attack happened in May, where the ransomware gang Darkside targeted the Colonial Pipeline Company, a Houston-based utility corporation that operates the nation's largest refined oil pipeline. 

Researchers also note that sometimes the ransomware attacks are so professionally built that they easily pass the security measure.

LockFile Ransomware Circumvents Protection Using Intermittent File Encryption

 

A new ransomware threat known as LockFile has been affecting organizations all around the world since July. It surfaced with its own set of tactics for getting beyond ransomware security by using a sophisticated approach known as "intermittent encryption." 

The operators of ransomware, called LockFile, have been found exploiting recently disclosed vulnerabilities like ProxyShell and PetitPotam to attack Windows servers and install file-encrypting malware that scrambles just every alternate 16 bytes of a file, allowing it to circumvent ransomware defenses. 

Mark Loman, Sophos director of engineering, said in a statement, "Partial encryption is generally used by ransomware operators to speed up the encryption process, and we've seen it implemented by BlackMatter, DarkSide, and LockBit 2.0 ransomware.” 

"What sets LockFile apart is that, unlike the others, it doesn't encrypt the first few blocks. Instead, LockFile encrypts every other 16 bytes of a document." 

"This means that a file such as a text document remains partially readable and looks statistically like the original. This trick can be successful against ransomware protection software that relies on inspecting content using statistical analysis to detect encryption," Loman added. 

Sophos' LockFile analysis is based on evidence published to VirusTotal on August 22, 2021. Once installed, the virus uses the Windows Management Interface (WMI) to terminate important services linked with virtualization software and databases before encrypting critical files and objects and displaying a ransomware message that looks similar to LockBit 2.0's. 

The ransom message further asks the victim to contact "contact@contipauper.com," which Sophos believes they are referencing a rival ransomware organization named Conti. 
 
Furthermore, after successfully encrypting all of the documents on the laptop, the ransomware erases itself from the system, indicating "there is no ransomware binary for incident responders or antivirus software to identify or clear up." 

Loman warned that the takeaway for defenders is that the cyberthreat landscape never sits still, and adversaries will rapidly grasp any chance or weapon available to conduct a successful attack. 

The disclosures come as the U.S FBI published a Flash report outlining the tactics of a new Ransomware-as-a-Service (RaaS) group known as Hive, which consists of many actors who use multiple mechanisms to attack business networks, steal data, encrypt data on the networks, and attempt to collect a ransom in exchange for access to the decryption keys.

Chaos Malware: The Amalgam of Ransomware and Wiper

 

A new strain of malware called Chaos, which is still under active development has been discovered by the security experts. The malware was first spotted in June 2021 and has already gone through four different versions, the most recent of which was released on August 5. 

According to Trend Micro security researcher Monte de Jesus, this rapid growth indicates that the malware may soon be ready for use in real world attacks.

An attacker promoting Chaos malware initially claimed that the malware was a .NET variant of Ryuk ransomware, but the analysis of the malware uncovered that it’s more like a destructive trojan or wiper than traditional ransomware.

“Instead of encrypting files (which could then be decrypted after the target paid the ransom), it replaced the files’ contents with random bytes, after which the files were encoded in Base64. This meant that affected files could no longer be restored, providing victims no incentive to pay the ransom,” de Jesus explained. 

Modus operandi of Chaos Malware 

The first version of Chaos is exceedingly dangerous because of its worming functionality. The malware has the capability to spread to all removable drives on a compromised system. “This could permit the malware to jump onto removable drives and escape from air-gapped systems,” de Jesus said.

After the installation, this first version of Chaos looked for various file paths and extensions to infect, and then it dropped a ransom note which demanded payment of 0.147 BTC, that would be around $6,600.

Chaos 2.0 has the capability to erase volume shadow copies and the backup catalog to prevent recovery, along with disabling Windows recovery mode, but it still did not have the functionality to recover files

“However, version 2.0 still overwrote the files of its targets. Members of the forum where it was posted pointed out that victims wouldn’t pay the ransom if their files couldn’t be restored,” de Jesus added.

In version 3.0, it added encryption to the mix. It could now encrypt files under 1 MB using AES/RSA encryption and feature a decryptor-builder.

The latest version of Chaos was released on August 5, which expanded its encryption feature to files of 2 Mb in size. It also allows operators to append encrypted files with their private extensions. 

According to a recent mid-year report from SonicWall, ransomware has been growing with a rapid pace in 2021, with global attack volume increasing in the first half of the year compared to the same period the previous year. 

“In our view, the Chaos ransomware builder is still far from being a finished product since it lacks features that many modern ransomware families possess, such as the ability to collect data from victims that could be used for further blackmail if the ransom is not paid. In the hands of a malicious actor who has access to malware distribution and deployment infrastructure, it could cause great damage to organizations,” de Jesus concluded.

Crytek Confirms Data Theft After Egregor Ransomware Attack

 

German game developer and publisher Crytek has accepted that its encrypted systems containing customers’ private details were breached by a ransomware gang known as Egregor who later leaked the same on the dark website. 

Earlier this month, Crytek sent out breach notification letters to the victims of the ransomware attack in which it acknowledges the ransomware attack that occurred in October 2020. The letter was shared with BleepingComputer by one of the customers impacted in the incident. 

"We want to inform you that Crytek was the victim of a ransomware attack by some unknown cyber-criminals. Ransomware is a form of malware that encrypts files on the systems of the attacked company. During that attack certain data had been encrypted and stolen from our network. We took immediate action to prevent the encryption of our systems, further secure our environment, and initiate an internal and external investigation into the incident," Crytek said in a letter mailed to one of their customers impacted by the encryption breach.

The company tried to reassure impacted individuals by saying "the website itself was difficult to identify, so that in our estimation, only very few people will have taken note of it." In addition to this, the enterprise also wrote that considering the size of the leaked data, it would have taken too long to download it anyway, which would probably have been a significant obstacle for individuals that wanted to get a hold of the data. 

The company also believes that those who attempted downloading the leaked data were discouraged by the "huge risk" of compromising their systems with malware embedded in the leaked documents.

Crytek's attempts to downplay the seriousness of the data breach don't hold water because attackers who really wanted to get their hands on leaked data would use a virtual machine and downloader to safely open what they download. The stolen data leaked by Egregor on their data leak website contained files related to WarFace, the cancelled Arena of Fate MOBA game, and documents that included information about their network operations.

So far, Egregor has targeted many well-known companies and organizations around the world, such as Barnes and Noble, Kmart, Cencosud, Randstad, and Vancouver’s TransLink metro system. In February, many members of the Egregor ransomware group were captured in Ukraine during a coordinated operation between the French and Ukrainian authorities. This happened because French law enforcement was successful in detecting some ransom payments that were transmitted to some people residing in Ukraine.

Master Key for Decryption of Kaseya, Leaked on Hacking Forum

 

The universal decryption key for Kaseya has been leaked on a Russian hacking forum by hackers. An Ekranoplan-named user shared the screenshot for REvil infected files that look to be a universal decrypter. The tweet was also retweeted by a security researcher titled pancak3. 

The Kaseya customers have been utilizing the tool for ransomware Universal Decryption to get files held hostage by the REvil. The very same media organization previously thought that all encrypted REvil files are the key works. The website has nevertheless reported that the other attacks of the renowned gang are not being carried out. The tool works rather only on the files of the Kaseya users. 

The REvil ransomware organization has infiltrated the zero-day vulnerability, which encrypted Documents of roughly 1,500 enterprises, in the cyberattack on the VSA remote management application of Kaseya. The major attack paralyzed Kaseya customers' operation. Kaseya is the software automation supplier for the information technology industry with remote management tools. 

The renowned ranking gang then asked for an incredible $70 million ransom to return the encrypted data through a universal decrypter tool. The key is to neutralize the threat actors' activities towards the victims by making the files available again. After this whooping demand, the gang suddenly disappeared. 

On the web, the organization had left no record, as of July 13. The group is said to be 42 percent behind the new ransomware attacks. 

It is important to mention that the abrupt disappearance of the renowned gang was carried out one day before the United States involving high authorities from the White House. and Russia discussed the surge in the ransomware cases. 

Meanwhile, on July 22, Kaseya eventually got the decryption tool, to reverse its customer file encryption. 

The Verge states that there are three ways in which Kaseya can get hold of the decryption tool: the US, Russia, or REvil itself. Nevertheless, these assumptions were neither confirmed nor denied by the IT business. Conversely, the Florida-based IT company said that it received the key from a "trusted third party." 

In addition, Kaseya has provided its customers with the universal decryption tool but there is a twist - the corporation requires its customers to sign a non-disclosure agreement. While NDAs are routinely employed in cyberattacks, incorporating them in this process makes the incident a complete secret.

Conti Group Exploited Vulnerable Microsoft Exchange Servers

 

According to cybersecurity consultancy firm Pondurance, the Conti ransomware gang is now using backdoors that are still active. On-premises Microsoft Exchange email servers that have been patched are still vulnerable. 

Pondurance researchers stated, "Despite patching, thousands of devices might still be compromised". Conti appears to be targeting firms that patched the Exchange issues initially attacked by Chinese attackers but failed to detect and remove the backdoor access that had already been installed.

On March 4th, Microsoft released emergency fixes for four vulnerabilities in its on-premises Exchange email servers. The Biden administration officially accused a group working for China's Ministry of State Security in July of running a string of attacks against vulnerable Microsoft Exchange email servers this year that disrupted thousands of firms in the United States and around the globe. 

The US has not authorized China for its aggressive cyber operations, according to Anne Neuberger, the US deputy national security advisor for cyber and emerging technologies, who stated last week that the US is first aiming to establish an international consensus on how to respond. 

Meanwhile, Chinese advanced persistent threat organizations have been discovered abusing vulnerabilities in Microsoft Exchange servers to breach telecommunications provider networks in Southeast Asia in an attempt to capture confidential communications from customers. 

The Pondurance researchers discovered one instance in which an unlicensed and exploited remote monitoring and management agent was deployed on an on-premises Exchange server. 

"The unauthorized RMM tool remained present on the victim machine for approximately four months and granted the ability for remote interaction with the victim machine," Pondurance says. "In July, the RMM tool was used by outside actors to install additional malicious frameworks, including Cobalt Strike. The resulting actions concluded with the installation of Conti ransomware." 

According to the researchers, the company patched Exchange without first ensuring that any previously established backdoor access had been deleted. 

"Pondurance recommends searching for unauthorized ScreenConnect services installed on on-premises Exchange servers that were vulnerable to [the flaw exploit] at some point," Pondurance stated.

"These services should be present within the registry and would have generated 'Service Created' event logs (event ID 7045) at the time of install in March 2021. You may also find ScreenConnect-related folders created in the filesystem under 'C:ProgramData,' 'C:Program Files (x86),' and 'C:WindowsTemp.'" 

Fat Face, a British clothing and accessory retailer paid Conti a $2 million ransom in March to unlock its computers after Conti accessed numerous files containing sensitive data. The organization has also been linked to healthcare-related attacks. After a Conti ransomware assault on Ireland's Health Service Executive in May, the FBI issued a warning to healthcare institutions and first responder networks, urging them to take precautions to avoid being a victim. 

Furthermore, after complaining about the profit share, a dissatisfied Conti affiliate reportedly released important training material from the ransomware group. Conti, a ransomware-as-a-service group, recruits affiliates to hack networks and encrypt devices in exchange for a cut of the ransom money.

According to Bleeping Computer, a security researcher published a post written by an outraged Conti affiliate who publicly exposed information about the ransomware campaign. 

According to the study, this information contains IP addresses for Cobalt Strike C2 servers as well as a 113 MB package including many tools and training materials for conducting ransomware operations. As per the Bleeping Computer report, the affiliate also wrote on a prominent Russian-speaking hacking site claiming he had been paid $1,500 as part of an attack, while the gang members made millions.

Ransomware Groups Never Perish, They Reincarnate

 

It is no longer a matter of shock that ransomware attacks have surged over the past few years,  the technological advancements have proved to be a boon for them. Ransomware is indeed a malware type that encodes the files of the victim. The offender subsequently asks the victim to make payment in order to regain access to the encrypted information as he explains the directions to make payment and receive the decryption key. 

Several ransomware organizations are now in the phase of their third incarnation. In the cybercrime sphere, reinvention is a key survival technique. The earliest techniques include the fake death or retirement and then subsequently the invention of a new identity. A fundamental objective of such a ruse is to make researchers focus their attention temporarily elsewhere. 

The DarkSide, which collected a $5 million payment from the Colonial Pipeline earlier last year, is only one of the most intriguing and newest reinventions to see much of this crushed by the U.S. Department of Justice. Once someone noticed that their Internet servers had indeed been seized, DarkSide stated that it was collapsing. However, just over a couple of months later, BlackMatter was created, a new affiliate ransomware operation, and specialists immediately found out that BlackMatter was using the same unique form of encryption used by DarkSide. 

The downfall of DarkSide occurred closely with that of REvil, a long-term ransomware gang claiming more than 100 million dollars from victims. Kaseya, a Miami-based corporation, was REvil's last major victim. This exploit allowed REvil to disseminate ransomware to as many as 1500 Kaseya using organizations. REvil called upon all victims of Kaseya's attack to pay a $70 million amount for decryption. 

REvil too is commonly regarded as a boost-up for GandCrab, a prominent ransomware group with over $2 billion in extortion for 12 months before it shut down in June 2019. 

The latest ransomware start-up "Grief" was only the current DoppelPaymer paintwork, which matched most of its code with a previous iteration named BitPaymer in 2016. All three were created by a renowned cybercriminal organization, known as TA505, 'Indrik Spider' and Evil Corp.

Mark Arena, CEO of cyber threat intelligence company Intel 471, stated that whether BlackMatter is a new name for the REvil group, or merely a rebirth of DarkSide, is uncertain. “Likely we will see them again unless they’ve been arrested,” Arena further added. 

Taiwanese Computer Hardware Company Gigabyte Suffers Ransomware Attack

 

Gigabyte, a motherboard developing company from Taiwan and also a hardware giant was attacked by the RansomExx ransomware hacking group, who has blackmailed to leak 112 GB of hack data if the organization doesn't pay the ransom. Gigabyte is famous for making motherboards, but also builds other computer hardware and components, like laptops, monitors, graphic cards, and data center servers. The ransomware attack happened earlier this week which compelled the company to close down its systems in Taiwan. 

Besides this, the attack compromised multiple websites of Gigabyte, which includes support systems and website portions of the company. Customers have complained of having issues while accessing support docs or getting updated information on Ram's. The reason is most probably due to the ransomware attack. "The RansomEXX ransomware operation originally started under the name Defray in 2018 but rebranded as RansomEXX in June 2020 when they became more active. RansomEXX does not only target Windows devices but has also created a Linux encryptor to encrypt virtual machines running VMware ESXi servers," said Bleeping Computers. 

As per United Daily News (a Chinese news organization), Gigabyte revealed about the company suffering cyberattack which affected its servers. After finding unusual activity on its company network, Gigabyte closed down its IT systems and informed law agencies. However, Gigabyte itself has not officially confirmed which organization is behind the attack, but Bleeping Computers believe that it was carried out by the RansomExx gang. RansomExx hackers while encrypting a network attach ransom notes to each encrypted system. 

The ransom notes include a link to a private page accessible only to the victims to check the decryption of a file and to provide an email address for doing ransom negotiations. Bleeping Computer reports "like other ransomware operations, RansomEXX will breach a network through Remote Desktop Protocol, exploits, or stolen credentials. Once they gain access to the network, they will harvest more credentials as they slowly gain control of the Windows domain controller. During this lateral spread through the network, the ransomware gang will steal data from unencrypted devices used as leverage in ransom extortion."

Inadequate Payment Leads the Affiliate to Leak the Ransomware Gang's Technical Manual

 

A frustrated Conti affiliate revealed the gang's training material during attacks and released details on one of the administrators of ransomware. The document contains the Cobalt Strike C2 server IP addresses and the 113 MB archive with a wide variety of training tools for ransomware attacks. 

The Conti Ransomware business runs as "Ransomware-as-a-service" (RaaS), wherein the core group handles the virus as well as the Tor sites. It has been identified since 2020 as a ransomware program. 

Most ransomware of Conti is laid out straight by a hacker who has obtained an unsecured RDP port, using email phishing on the Internet over a worker's computer or used malware attachments, downloads, patch operations, or network access flaws. 

Recently published at an undercover cybercrime forum called the XSS, an individual who seemed to have had a problem with the minimal money paid by the Conti gang to infiltrate the corporate networks, revealed their documents. These files have been uploaded on a forum of Russian speaking cybercrime practitioners, which contains many instruction manuals, reportedly from Conti, a Russian speaking group of hackers who have attacked several healthcare facilities, which include health chains in the U.S. and the national system of Ireland, the Health Service Executive. 

The main team will get 20-30 percent of the ransom payment under this model, whereas the associates would earn the balance. The affiliate also said he had shared the information since he had been only paid $1,500 in an operation while the rest of the gang make millions and promise enormous payments after a victim pays the ransom. 

In one of the step-by-step tutorials published in Russian, the participants are told to locate and hack the victims using a malware identified as Cobalt Strike. The instruction states that the first stage is to use Google to look for possible revenues for a target company. Hackers are then directed to locate staff accounts that have administrative access for the firm and how to use this knowledge to apply ransomware to encrypt their network interface to demand ransom for its decryption 

"The leak also shows the maturity of their ransomware organization and how sophisticated, meticulous, and experienced they are while targeting corporations worldwide," says Advanced Intel's Vitali Kremez, who had already analyzed the archive. "It also provides a plethora detection opportunity including the group focus on AnyDesk persistence and Atera security software agent persistence to survive detections."

A Silicon Valley Venture Capital Firm Attacked by A Ransomware; Asked for Ransom


A Silicon Valley advanced technology venture capital organization was hit hard by a ransomware attack in July 2021. The firm with more than $1.8 billion possessions is going through a search operation and fixing its systems. 

According to the data, malicious actors got access into the system and stole important data including the personal information of the company’s private investors, and limited partners. 

After the findings, a letter was written to the Maine attorney general’s office, in which ATV expressed that the firm only got to know about the attack on July 09th when its servers storing financial information had been encrypted by ransomware. Along with this, on July 26th, the firm found that the data had been stolen from the servers before the files were encrypted. 

ATV mentioned that a common “double extortion” tactic was used by the group, and also, the ransomware group menaced to upload the data online if the ransom is not being paid. ATV believes that the group targets the personal data of individual investors including the names, email addresses, social security numbers, and phone numbers in the attack. 

According to a listing on the Maine attorney general’s data breach notification portal around 300 individuals were affected by the attack, including one from Maine. While ATV already informed the FBI about the attack, no further technical details have been reported. 

The venture capital organization founded in 1979, is based in Menlo Park, California with offices in Boston. The firm extensively invests in technology, software and services, communications, and healthcare technology. Venture capital is known for its secret investors. The firm does not publically disclose its investors. However, in certain circumstances, the firm discloses names of investors such as those who invest millions into a business venture. The firm always gives different reasons for this, but analysts say it is because of market competition.

Following a Ransomware Cyberattack, D-BOX Stated it is Gradually Restarting Operations

 

After a ransomware cyberattack on its internal information-technology systems, D-BOX Technologies Inc. says it is progressively resuming operations, with restoration work likely to be completed in the coming weeks. Production was never entirely disrupted by the cyberattack, according to the Montreal-based entertainment company, and rehabilitation of its different internal IT systems has begun. 

D-BOX creates and redefines realistic, immersive entertainment experiences by using elements such as motion, vibration, and texture to move the body and stimulate the imagination. D-BOX has partnered with some of the world's most innovative firms to provide new ways to improve amazing stories. 

The company has postponed the release of its interim financial statements and analysis for the three months ending June 30. The incident had a limited impact on internal systems, and services to studios and theatre operators were unaffected, according to the statement. The company expects a 40% increase in revenue in the first quarter, reaching roughly 3.1 million Canadian dollars ($2.5 million). It stated that its management was attempting to file the financial report as quickly as possible, but that a delay of two to four weeks was probable. 

Analysis suggests that the systems of its clients were neither hacked nor impacted during the cyberattack, according to a report by an external firm specializing in cyber incidents. As a result of the incident, D-BOX does not expect any security patches to its services or software updates to be necessary for its partners. In addition, as a precaution, the company has provided all of its employees and directors a 12-month subscription to Equifax's identity theft and fraud protection service. 

“Security is a top priority and D-BOX is committed to continuing to take all appropriate measures to ensure the highest integrity of all our systems,” said Sebastien Mailhot, President, and CEO of D-BOX. “I’m proud of the efforts of our IT team and external advisors, as they mitigated the attack and accomplished an enormous amount of work in order to resume activities. D-BOX is committed to continuing to communicate directly with all of its clients and partners, whom we thank for their patience as we resolve this situation. The Corporation believes that the financial impact of this cyberattack on the results should be negligible.”

Q2 2021 Report by Digital Shadow, Abridged

 

Q2 2021 was among the most important ransomware periods, with several significant events taking place. Humans witnessed one of the biggest pipelines in the United States being targeted, new ransomware organizations emerging and some others disappearing this quarter. People witnessed renowned cybercriminal forums denouncing ransomware and certain law enforcement activities radically changing some ransomware operations. 

According to the recent report by Digital Shadows, a cybersecurity firm, more than 700 firms were attacked with ransomware and their information was dumped on data leak websites in Q2 of 2021. Of the nearly 2,600 victims mentioned on the data leak websites of ransomware, 740 were identified in Q2 2021, depicting a 47% rise over Q1. 

Digital Shadows researchers found an increase of 183% between the first quarter of 2012 and the second quarter in the retail sector with ransomware operations. 

Q1 2021 was driven by supply chain attacks, such as that of the Microsoft Exchange Server and SolarWinds, compared to the latest quarter when the present and the future threat environment of ransomware was defined. 

The report includes the quarter's main events including the DarkSide Colonial Pipeline attack, the JBS attack on the world's largest meat processor, and enhanced US and European law enforcement actions. 

But the Photon Research Team from Digital Shadows noticed that other ranching themes had emerged under the surface. Since the Maze ransomware gang helped to popularize the definition of the data leak, double extortion methods among groups who wanted to inflict maximum harm after attacks have become widespread. 

 According to the investigation, data appeared to be common on dark web leak sites from organizations of the commercial products and services industry. The list of affected organizations was likewise dominated by construction and materials, retail, technology, and healthcare organizations. 

Conti Group led the way, following Avaddon, PYSA, and REvil with concerning activities. 

"This is the second consecutive quarter that we have seen Conti as the most active in terms of victims named to their DLS. Conti, believed to be related to the Ryuk ransomware, has consistently and ruthlessly targeted organizations in critical sectors, including emergency services," the report said. 

However, the research warns that several organizations have gone or emerged from nowhere in the global ransomware marketplace. According to digital shadows, the organization halted operations in Q2, are Avaddon, Babuk Locker, DarkSide, and Astro Locker, whilst groups such as Vice Society, Hive, Prometheus, LV Ransomware and Xing, Grife, and Ransomware, arose from their Dark-Web leak sites. 

In addition, 60% of victims' firms are situated in the United States, with only Canada witnessing a decline in ransomware assaults from Q1 to Q2. Over 350 US-based organizations, compared to 46 in France, 39 in the UK, and 35 in Italy, have been affected by ransomware in Q2. 

Lastly, the report's scientists questioned if Q3 saw other attacks similar to the Kaseya ransomware campaign, where REvil operators employed a zero-day vulnerability to infiltrate more than forty managed service providers.