Search This Blog

Showing posts with label Ransomware. Show all posts

United States Charged Six Russian Intelligence Officers with Involvement in An Unrestricted Huge Hacking Campaign

 


With involvement in an 'unrestricted huge hacking campaign', which incorporates the famous Petya ransomware attacks which have focused mainly on Ukraine in 2015, as of late, the Justice Department has charged six Russian intelligence officers. 

Residents and nationals of the Russian Federation (Russia)the six officials were also in Unit 74455 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Armed Forces.

 

The government claimed that the group that had attacked Ukraine has likewise hacked different computers promoting the 2018 Winter Olympics in South Korea. It likewise hacked and leaked emails of people related to Emmanuel Macron's 2017 campaign for president of France. 

Besides this, they additionally focused on the companies exploring the poisoning of former Russian operative Sergei Skripal two years ago in Britain. 

All the six hackers are GRU officers; the government said that for over two years, they had battled tirelessly to recognize these Russian GRU Officials who interweaved in a global campaign of hacking, disruption, and destabilization, representing the most dangerous and destructive cyber-attacks ever.

The GRU burrowed into three electrical administration systems and cluttered circuit breakers remotely, it was one of the first cyber-attacks and had a cyber firm that consistently focused on critical infrastructure.

The authorities had at first scrutinized and reprimanded North Korea for the strike yet later found that the GRU utilized North Korean hacking tools to throw off the experts. 

That is the motivation behind why the special agent of FBI Michael Christman insisted that the warrant is the result of over two years of strong investigation by the FBI, a position that was kept up by an agent who worked the case.

Here are the names and the acts done by the hackers referenced below: -

 

The FBI has regularly indicated that Russia is very equipped for a cybersecurity adversary, and the information uncovered in this statement shows how omnipresent and harming Russia's cyber activities are. 

While Russia is probably not going to capture the detainees, it is unlikely that they will attain any trial too.

Iranian Hackers Are Using Thanos Ransomware To Attack Organizations In the Middle East and South Africa

 

Cybersecurity experts discovered clues connecting cybersecurity attacks to Thanos ransomware, which is used by Iranian state-sponsored hackers. Researchers from ClearSky and Profero investigated significant Israel organizations and found cyberattacks linked to an Iranian state-sponsored hacking group named "Muddywater." Experts noticed repetitive patterns with two tactics in these attacks. Firstly, it uses infected PDF and Excel files to attach malware from the hackers' servers if they download and install them. Secondly, Muddywater mines the internet in search of unpatched MS Exchange email servers. 

It exploits the vulnerability "CVE-2020-0688" and deploys the servers with web shells, and again attaches the similar malware after downloading and installing the files. However, according to ClearSky, the second malware is not your everyday malware that is common but rather a unique malware with activities that have been noticed only once before. The Powershell threat is called "Powgoop" and was discovered last month by the experts. Palo Alto Network says that Thanos malware was installed using Powgoop. Besides this, Hakbit or Thanos malware has used other malware strains to install the ransomware called "GuLoader," coded in Visual Basic 6.0, different from other malware strains. 

"On July 6 and July 9, 2020, we observed files associated with an attack on two state-run organizations in the Middle East and North Africa that ultimately installed and ran a variant of the Thanos ransomware. The Thanos variant created a text file that displayed a ransom message requesting the victim transfer "20,000$" into a specified Bitcoin wallet to restore the files on the system," says the Palo Alto report. 

 According to ClearSky, they stopped these attacks before hackers could cause any damage; however, keeping in mind the earlier episodes, the company is now on an alarm. As per experts at ClearSky, they believe that Muddywater uses Thanos ransomware to hide its attacks and infiltrations. They say, "We assess that the group is attempting to employ destructive attacks via a disguised as ransomware attacks. Although we didn't see the execution of the destruction in the wild, due to the presence of the destructive capabilities, the attribution to nation-state sponsored threat actor."

Ryuk Ransomware Making Comeback with New Tools and Techniques

 

Ryuk ransomware has gained immense popularity in the notorious sphere of cybercrime by 2019. It has been on a rise both in terms of its reach and complexity as it goes about demanding ransoms worth multi-million-dollars from large organizations, local governments, and healthcare institutions. 
 
In one of their latest development, the operators of the malware have configured it to deploy a Trojan named ‘BazarLoader’ which is operated by the same threat group that is behind Trickbot. However, BazarLoader Trojan is equipped with advanced techniques to evade detection; the potential for long term infection in BazarLoader hints towards a change that the operators have brought in Ryuk’s plan of action. 
 
Ryuk is well-planned and targeted ransomware that is being operated since 2018 by WIZARD SPIDER, a Russia-based operator of the TrickBot banking malware, and the criminals behind this ransomware largely focus on big companies in order to acquire an exorbitant amount in ransom. 
 
After gaining access, Ryuk is programmed to permeate network servers as files are exchanged between systems. The malware is circulated via malicious email attachments and once it gathers all the important data from a given network, it lets the authors of Ryuk Ransomware acquire administrator credentials and gain access to the harvested data from the network, the malware does so by opening a shell back to the actors operating the threat. 
 
It takes only 29 hours to successfully carry out a complete attack on the network it is targeting; the process entails the entire series of incidents beginning from the spam mail to the successful encryption of data, as per the findings of DFIR. 
 
Threat actors behind ransomware attacks are rapidly evolving their attack vectors as the count of Ransomware attacks surge up to 365 percent over the past year. Owing to its ever-expanding operations, Ryuk made it to the notorious list of ransomware gangs having their own data leak websites wherein they release the data of companies who refuse to pay the demanded amount. 
 
The malware is continually changing itself to become more and more sophisticated, leaving companies with no option but to pay the extortionate amounts. The threat has expanded its reach beyond just private organizations and has also been recorded to target National services’ computers.

Warning Issued to End Cyberattacks Risk Running Afoul of Sanctions Rules by The U.S. Treasury Department

 

The U.S. Treasury Department recently issued a warning to cyber insurers and other financial institutions that 'facilitate payments' to hackers to end cyberattacks hazard crossing paths with sanctions rules. 

The warnings, referred to as 'malignant programs' known as ransomware and came in from Treasury's Office of Foreign Assets Control (OFAC)and Financial Crimes Enforcement Network (FinCEN).

The warnings also added to the additional worries of the cyber insurers, who have been 'ramping up' rates and attempting to control the exposure to vulnerable customers on account of flooding exorbitant ransomware claims as of late.

Hackers utilized ransomware to bring down frameworks that control everything from hospital billing to manufacturing and halted simply in the wake of accepting 'hefty payments', commonly paid in cryptocurrency.

Ransomware payment requests have seen quite a rise amidst the pandemic as people have chosen to work remotely and hackers target online systems. 

The normal ransomware payments bounced by 60% to $178,254 between the first and second quarters, as per Coveware, a firm that arranges and negotiates cyber ransom payoffs. The cyber policies frequently cover such ransoms, data recovery, legitimate liabilities, and arbitrators fluent in hackers' local dialects. 

Sumon Dantiki, a King and Spalding LLC legal advisor who exhorts on national security and cyber matters says that advanced insurers and financial establishments are now mindful of the sanctions concern. “Will victims who are insured still decide to make the payments?” Dantiki said. “This type of public advisory could affect the calculus there.” 

A subsequent FinCEN report even highlighted a developing industry of forensic firms that assist associations with responding to cyberattacks, including handling the payments.

OFAC referred to cyberattacks dating to 2015 that were traced back to hackers in sanctioned nations, like North Korea and Russia.

Nonetheless, while it is clearly evident that the US can force economic and trade sanctions on nations that support terrorism or disregard human rights, it will be the financial institutions that ultimately draw in with them or a few individuals can confront prosecution and penalties in the end.


LockBit Ransomware Emerging as a Dangerous Threat to Corporate Networks


LockBit, a relatively new Ransomware that was first identified performing targeted attacks by Northwave Security in September 2019 veiled as.ABCD virus. The threat actors behind the ransomware were observed to be leveraging brute-force tactics and evasion-based techniques to infect computers and encrypt files until the victim pays the ransom.

LockBit enables attackers to move around a network after compromising it quickly; it exploits SMB, ARP tables, and PowerShell to proliferate the malware through an infected network.

The developers rely on third parties to spread the malware via any means the third party devises. After successfully infecting the network, the attacker redirects the victim to a payment site operated by them. The victim is then subjected to threats of data leak until the ransom is paid to the attackers.

Modus operandi of the attack

The attackers drop the payload that is hidden under the '.text' sections, evading conventional AV's mechanism from catching the file while running a scan in the disk, the file is compressed by the attackers with a unique format.

Upon being executed, the file runs a scan on the entire LAN network and attempts to establish a connection to the hosts via SMB port (445) to spread the infected file across the entire internal network.

Then in order to bypass the need for User Control, the command "C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" is run by an instance of SVCHOST.exe which is running by the process DLLhost.exe.

After that, the 'backup.exe' file executes the payload and encrypts most of the victim's files, changing their extensions to 'lockbit'. In the end, leaving a ransom note under the name 'Restore-My-Files.txt' in various folders on the host.

As per sources, the top targets of LockBit were located in the U.S., the U.K, China, India, Germany, France, and Indonesia. Experts suggest that users worldwide should strengthen their security defenses. It is also recommended to store the backups of important files separately so that it's hard to be accessed through a network.

Giving insights into a particular case, Patrick Van Looy, a cybersecurity specialist for Northwave, told BleepingComputer, "In this specific case it was a classic hit and run. After gaining access through brute-forcing the VPN, the attacker almost immediately launched the ransomware (which he could with the administrator account that he had access to). It was around 1:00 AM that the initial access took place, after which the ransomware was launched, and at around 4:00 AM the attacker logged off. This was the only interaction that we have observed."

Emotet Botnet Operators Switching to a New Template Named ‘Red Dawn’


Emotet malware has been continually evolving to the levels of technically sophisticated malware that has a major role in the expansion of the cybercrime ecosystem. First discovered as a simple banking Trojan, Emotet’s roots date back to 2014 when it attempted to steal banking credentials from affected machines.

However, after going through multiple upgrades, since then, it has taken upon various roles- to exemplify, it has leveled up its threat game long ago to become a “loader”; it gathers data and sends it via an encrypted channel to its command and control (C2) servers, it also downloads modules to further the functionality.

The threat actors, actively involved in the rapid expansion of “Emotet” as a service, have devised a new method of attacking their targets by making them access infected documents. Until a while ago, the operators of Emotet have been using an iOS-themed document template in their botnet campaigns, the template informed victims that the document was created on iOS and that in order to view the content properly, he needs to ‘Enable Content’.

However, this is not the scenario anymore. In its newer campaigns, the notorious botnet is reported to be employing a new template, named ‘Red Dawn’ by Emotet expert, Joseph Roosen, for its red accent colors.

While displaying the message, “This document is protected”, the Red Dawn template informs the user that the preview is unavailable and in order to view the document, he is required to click on ‘Enable Content’ or ‘Enable Editing’ button.

After the user is being tricked into accessing the document via the steps he was asked to follow, Emotet malware gets installed on his system following the execution of macros. Once the system is successfully infected, Emotet malware may proceed to deliver other malware and ransomware namely Trickbot and Qbot or Conti and ProLock respectively.

“#Emotet AAR for 2020/09/02: Only a couple malspams at dayjob. It looks like JP is getting targeted heavily now by E1/E2 and E3. Seeing templates on all 3! The new regex for E1 is stupid and I bet Yuri thought that was epic, well nope, even easier to block, new regex in report. TT”, Joseph Roosen said in his related Tweet.

Nefilim Ransomware Evolving Rapidly: Top Targets at a Glance


Ransomware has continually expanded both in terms of threat and reach as threat actors continue to devise fresh methods of introducing new ransomware variants and malware families. One such newly emerged ransomware that was first identified at the end of February 2020, Nefilim, threatens to release victims’ encrypted data if they are unable to pay the ransom. With a striking code resemblance to that of Nemty 2.5 revenge ransomware, Nefilim is most likely to be distributed via exposed Remote Desktop Protocol, according to Vitali Kremez, an ethical hacker at SentinelLabs.

Earlier this month, researchers from threat intelligence firm Cyble, discovered a post by the authors of Nefilim ransomware, claiming to have hacked The SPIE Group, an independent European market leader for technical services in the fields of energy. As per the claims made by the operators in the post, they are in the possession of around 11.5 GB of company’s sensitive data that include corporate operational documents- company’s telecom services contracts, dissolution legal documents, infrastructure group reconstruction contacts and a lot more.

Since April 2020, Nefilim has targeted multiple organizations around the globe, narrowing down on the regions- South Asia, South America, Oceania, North America, and Western Europe. Going by the count of attacks disclosed publicly, manufacturing comes on top as the most preferential and hence the most targeted industries by the operators of Nefilim ransomware; Mas Holdings, Fisher & Paykel, Aban Offshore Limited, Stadler Rail were some of the major targets. Other industries infiltrated by Nefilim are communication and transportation; Orange S.A. and Toll Group, Arteris SA being some of the top targets respectively. One important thing to notice here is that the ransomware has spared the healthcare and education sector entirely as of now, interestingly, no organization from the two aforementioned sectors has been targeted.

Nefilim uses a number of ways including P2P file sharing, Free software, Spam email, Torrent websites, and Malicious websites, to infiltrate organizations’ IT systems. Designed specially to penetrate Windows PCs, Nefilim actively abuses Remote Desktop Protocol and uses it as its primary attack vector to infiltrate organizations. It employs a combination of two distinct algorithms AES-128 and RSA-2048 to encrypt the target’s data that is later leaked on their websites known as Corporate Leaks- when victims’ fail to pay the ransom.

Users are advised to stay wary of exposed ports and security departments shall ensure closing off unused ports, experts have also recommended to ‘limit login attempts’ for Remote Desktop protocol network admin access from settings to stay guarded.

REvil/Sodinokibi Ransomware Specifically Targeting Food and Beverages Organizations



REvil, also known as Sodinokibi ransomware was first spotted in April 2019, it attacks Windows PCs to encrypt all the files on local drives (besides those enlisted in their configuration file) and leaves a ransom note on affected systems with instructions to get the files decrypted in turn of the demanded ransom. It shares a similar code as GandCrab ransomware and is said to be distributed by the authors of the aforementioned ransomware which saw a steep decline in its activity with the arrival of REvil. The claim regarding similarity was based on observations made by experts that point towards an identical set of techniques used in attacks, similar countries targeted, and the language.

The ransomware strain exploits an Oracle WebLogic vulnerability to elevate privileges and in order to generate and propagate encryption keys; REvil makes use of an Elliptic-curve Diffie Hellman key exchange algorithm. Let’s take a look at its latest activities.

As per sources, the ransomware tries not to attack systems belonging to Iran, Russia other countries that were once a part of the Soviet Union. However, it has affected a number of organizations across various other regions. In the year 2020, REvil attackers have limited their infection to North American and Western European organizations, targeting National Eating Disorders Association, Agromart Group, etc, and Atlas Cars, Plaza Collection, etc respectively.

The ransomware operators have developed a special interest in the manufacturing sector; food and beverage distributing businesses have seen an unprecedented number of ransomware attacks lately. The top targets from the industry include Harvest Food Distributers, Brown Forman Daniel’s, Sherwood Food Distributers, and Lion. Other industries that were heavily targeted by REvil range from media, retail, entertainment, health, IT, transport, real estate, government, energy, and non-profit.

How does it operate?

REvil begins with exploiting the CVE-2018-8453 vulnerability and proceeds to eliminate resource conflicts by terminating blacklist processes before the process of encryption. It wipes the contents of blacklisted folders and then encrypts files on local storage devices and network shares, finally exfiltrating basic host information.

Initially, REvil was noticed to be attacking businesses by exploiting vulnerabilities, But, since the past year, the operators have started employing common infection vectors namely phishing and exploit kits.

A City In Colorado Attacked, Forced to Pay $45,000 Ransom


Lafayette city from Colorado had to pay a ransom amount worth $45,000 for decryption of files that were encrypted in July, as the City was unable to restore the data from the backup. The town was attacked on 27th July, and the ransomware cyberattack affected people's smartphones, emails, and payment services. During the attack, the City didn't offer any explanation about what caused the problems. It asked its people to call 911 or emergency services if they were facing trouble with the outage. After a few days of the incident, Lafayette informed the citizens that the town had suffered a cyberattack. All the systems were encrypted by the hackers, which caused the outage problem.


The City managed to recover the lost financial data, but it had to pay a ransom of $45,000 to hackers (anonymous) for retrieving data. The recipient of the payment, an unknown identity, has offered a decryption software in return for the refund. The town on its official website says, "system servers and computers are currently being cared for and rebuilt. Once complete, data will be restored to the system, and operations will resume. No permanent damage to hardware has been identified. While core City operations continue, online payment systems have not resumed. At this time, the City is unable to estimate a timeline that all systems will be back up and running."

The city Mayor Harkens decided not to reveal the attacker's identity to the people as it might compromise their negotiation terms. As per the reports, neither user data nor the credit card credentials was stolen. The mayor has advised townpeople to stay wary of any suspicious activity in their accounts.

The Lafayette town must be lucky as the hackers demanded a minimal amount of ransom in return. According to experts, in cases like these, the ransom demand can go from a hundred thousand to millions of dollars. "System servers and computers are currently being cleaned and rebuilt. Once complete, data will be restored to the system, and operations will resume. No permanent damage to hardware has been identified," says the town's website.

WastedLocker ransomware uses a sophisticated trick by abusing Windows features to avoid detection


WastedLocker has been in the highlights for a successful attack on wearable tech and smartwatch manufacturer Garmin and was paid around 10 million for a decryption key. The ransomware is rumored to be working for the Russian Hacking group Evil Corp, a notorious hacking crew with numerous high profile attacks in their resume.


But the security researchers at Sophos discovered how the ransomware was using the inner workings of Windows to avoid detection by anti-ransomware tools and the method they say is quite ingenious and sophisticated.

 "That's really sophisticated stuff, you're digging way down into the things that only the people who wrote the internals of Windows should have a concept of, how the mechanisms might work and how they can confuse security tools and anti-ransomware detection," Chester Wisniewski, a principal research scientist at Sophos said.
How WastedLocker uses Windows Cache to hide itself 

Usually, anti-ransomware softwares monitor Operating System files for any suspicious behavior like an unknown process performing various functions like opening a file, writing to it, and then closing the file - it will trigger behavior detection and catch any malicious file. But WastedLocker, unlike other traditional ransomware stores the files on Windows Cache and operates from that file and not the original.

 Windows cache to speed up processes, stores commonly used files in it so as when the system requires a command, it first checks for the file in the cache and load it from there rather than the drive making the operation much faster.

 This ransomware opens a file in the Cache, read it there and close the original file. The software will now encrypt the file stored on the cache and not the original. When many changes are done on the file, the file becomes "dirty" and Windows Cache updates the original file with the changes. Since all these commands are done by a legitimate source and Windows itself - it tricks the detection software into believing the process is a system originated and legit thereby bypassing exposure.

 This ability to go undetected makes WastedLocker the most lethal ransomware we have seen yet.

The Council of the EU and Its First-Ever Sanctions against Persons or Entities Involved in Various Cyber-Attacks



The Council of the European Union imposed its first-ever sanction against persons or entities engaged with different cyber-attacks focusing on European citizens and its member states. 

The sanctions imposed include a ban for people traveling to any EU nations and a freeze of assets on persons and entities. 

The order has been issued against six individuals and three entities liable for or associated with different cyber-attacks. Out of the six individuals sanctioned they include two Chinese citizens and four Russian nationals. 

The companies associated with carrying out these cyber-attacks incorporate an export firm situated in North Korea, and technology companies from China and Russia.

The entities responsible for or engaged with different cyber-attacks incorporate some publicly referred to ones as 'WannaCry', 'NotPetya', and 'Operation Cloud Hopper,' just as an endeavored cyber-attack against the organization for the prohibition of chemical weapons.




As per the European Council, the detailed of these persons or entities are: 

 1. Two Chinese Individuals—Gao Qiang and Zhang Shilong—and a technology firm, named Tianjin Huaying Haitai Science and Technology Development Co. Ltd, for the Operation Cloud Hopper. 

 2. Four Russian nationals (also wanted by the FBI) — Alexey Valeryevich, Aleksei Sergeyvich, Evgenii Mikhaylovich, and Oleg Mikhaylovich—for attempting to target the Organisation for the Prohibition of Chemical Weapons (OPCW), in the Netherlands. 

 3. A Russian technology firm (exposed by the NSA) — Main Centre for Special Technologies (GTsST) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation—for the NotPetya ransomware attack in 2017 and the cyber-attacks directed at a Ukrainian power grid in the winter of 2015 and 2016. 

 4. A North Korean export firm — Chosun Expo, for the WannaCry ransomware attack that made havoc by disrupting information systems worldwide in 2017 and linked to the well-known Lazarus group. 

The Council says, “Sanctions are one of the options available in the EU's cyber diplomacy toolbox to prevent, deter and respond to malicious cyber activities directed against the EU or its member states, and today is the first time the EU has used this tool." 

As indicated by the European Union, the two Chinese nationals who carried out Operation Cloud Hopper are members from the APT10 threat actor group, otherwise called 'Red Apollo,' 'Stone Panda,' 'MenuPass' and 'Potassium.' 

On the other hand, the four Russian nationals were agents of the Russian Intelligence agency GRU who once expected to hack into the Wi-Fi network of the OPCW, which, if effective, would have permitted them to compromise the OPCW's on-going investigatory work.

Aberystwyth University and others affected by Blackbaud Global Ransomattack


Aberystwyth University, a 148-year-old mid-Wales institution was attacked via a hack on Blackbaud, a US company that deals with education financial management and administration software.

 It was among the 20 institutions that were affected by the ransomware attack including the University of York, Loughborough University, University of London, and University College, Oxford. The welsh university with an influx of 10,000 students every year said, "no bank account or credit card details were taken".

 The ransomware attack occurred around May of this year and targeted Blackbaud which is associated with many education institutes thereby the attack sent shockwaves to at least twenty institutes from the US, UK, and Canada. The company did end up paying the ransom and said that, "confirmation that the copy [of data] they removed had been destroyed" but they were criticized for not informing about the hack and data risk to the victims until July that is after a month of the attack.

According to the law, under General Data Protection Regulation (GDPR) the company is supposed to report a significant data breach to data authorities within 72 hours. Both the UK and Canada data authorities were made aware of a data breach only last week.

 ICO (UK's Information Commissioner's Office) spokeswoman said: "Blackbaud has reported an incident affecting multiple data controllers to the ICO. We will be making inquiries to both Blackbaud and the respective controllers, and encourage all affected controllers to evaluate whether they need to report the incident to the ICO individually."

 Impact on Aberystwyth University

 The 148-year-old institute in Wales reassured that no student data was affected and the "stolen data has now been destroyed and has no reason to believe it was misused".

 Blackbaud confirmed to the university that no financial details of bank or credit were taken. A spokesperson from the university said, "We take data security extremely seriously. We are urgently investigating this incident and are awaiting further details from Blackbaud.

 "We are in the process of contacting those online portal users and recipients of our alumni and supporter e-newsletters whom we believe may have been affected."  

Orange Confirms Ransomware Attack Compromising Data of 20 Enterprise Customers


Orange, the fourth-largest mobile operator in Europe has confirmed that it fell prey to a ransomware attack wherein hackers accessed the data of 20 enterprise customers. The attack targeted the 'Orange Business Services' division and was said to have taken place on the night of 4th July and was continued into the next day, ie., 5th July.

Orange is a France based multinational telecommunications corporation having 266 million customers worldwide and a total of 1,48,000 employees. It is a leading provider of global IT and telecommunications services to residential, professional, and large business clients. It includes fixed-line telephone, mobile communications, Internet and wireless applications, data transmission, broadcasting services, and leased line, etc.

The attack was brought to light by Nefilim Ransomware who announced on their data leak site that they acquired access to Orange's data through their business solutions division.

In a conversation with Bleeping Computer, the company said, "Orange teams were immediately mobilized to identify the origin of this attack and has put in place all necessary solutions required to ensure the security of our systems." Orange further told that the attack that occurred on the night of 4th July affected an internal IT platform known as, "Le Forfait Informatique", it was hosting data belonging to 20 SME customers that were breached by attackers, however, there were no traces of any other internal server being affected as a result of the attack. Giving insights, Tarik Saleh, a senior security engineer at DomainTools, said, "Orange certainly followed best practices by promptly disclosing the breach to its business customers, who will need to take all the possible precautions to make their data unusable in future attacks: changing the password of their accounts and looking out for potential phishing or spear-phishing emails."

While commenting on the security incident, Javvad Malik, Security Awareness Advocate at KnowBe4, said that in these times, it is essential, "that organizations put in place controls to prevent the attack from being successful, as even if they have backups from which they can restore, this won't bring back data that has been stolen."

"As part of this, organizations should implement a layered defensive strategy, in particular against credential stuffing, exploitation of unpatched systems, and phishing emails which are the main source of ransomware. This includes having technical controls, the right procedures, and ensuring staff has relevant and timely security awareness and training," he further added.

Indian Organizations Suffer the Most in Public Cloud Security Incidents



In a survey of 26 countries for public Cloud security incidents, India emerges as the nation which endured the hardest hits the previous year with 93 percent of the nation's organizations encountering the problem.

The survey included more than 3,500 IT managers across 26 nations in Europe, the Americas, Asia Pacific, the Center East, and Africa that currently host data and workloads at hand in the Public Cloud.

The cybersecurity incidents that Indian organizations suffered most included ransomware (53 percent) and other malware (49 percent), exposed data (49 percent), compromised accounts (48 percent), and cryptojacking (36 percent), said the report titled "The State of Cloud Security 2020" by cybersecurity company Sophos.

While Europeans seem to have endured the least level of security incidents in the Cloud, an indicator that compliance with General Data Protection Regulation (GDPR) guidelines are assisting with protecting organizations from being undermined.

However, India still hasn't enforced a data protection law.

Chester Wisniewski, Principal Research Scientist at Sophos said in a statement, "Ransomware, not surprisingly, is one of the most widely reported cybercrimes in the public Cloud."

 "The recent increase in remote working provides extra motivation to disable Cloud infrastructure that is being relied on more than ever, so it's worrisome that many organizations still don't understand their responsibility in securing Cloud data and workloads," Wisniewski added later.

"Cloud security is a shared responsibility, and organizations need to carefully manage and monitor Cloud environments in order to stay one step ahead of determined attackers."

According to the report, more than 55 percent of Indian organizations and businesses revealed that cybercriminals obtained access through the stolen Cloud provider account credentials.

Regardless of this, only 29 percent said managing access to Cloud accounts is a top area of concern. Albeit 'accidental exposure' keeps on plaguing organizations, with misconfigurations exploited in 44 percent of reported attacks on Indian organizations.

With 76 percent of organizations utilizing the Public Cloud, detection and response are driving the Cloud security concern for IT managers in India while data security still stays as a top concern across the world for organizations.

Hackers Leak Tons of Personal Data as IndiaBulls Fails to Meet the First Ransomware Deadline


Hackers demanding ransom released data, as the IndiaBull failed to meet the first ransom deadline. It happened after a 24-hour ransomware warning was issued, and when the party was unable to make ends meet, the hackers dumped the data. According to Cyble, a Singapore based cybersecurity agency, the hackers have threatened to dump more data after the second deadline ends. The hackers are using ransomware, which the experts have identified as "CLOP."


The hackers stole the data from IndiaBulls and released around 5 Gb of personal data containing confidential files and customer information, banking details, and employee data. It came as a warning from the hackers, in an attempt to threaten the other party, says a private cybersecurity agency.

About the data leak-
The dumped data resulted in exposing confidential client KYC details like Adhaar card, passport details, Pan card details, and voting card details. The leak also revealed personal employee information like official ID, contact details, passwords, and codes that granted access permission to the company's online banking service. The IndiaBulls' spokesman said that the company was informed about the compromise of its systems on Monday; however, the data leaked is not sensitive. When asked about the data leak incident that happened on Wednesday, he said that the company had nothing to say.

The cybersecurity agency, however, tells a different story. It says that the spokesperson's information is incorrect as the attack did not happen on Monday. It also says that it requires some time to carry out such an attack, in other words, the transition phase from initial attack to extortion. The company may have been confused or misguided, say the cybersecurity experts. In a ransomware attack, the hacker makes it impossible for the user to access the files by encrypting them. Most of the time, the motive behind the ransomware threat is money, which is quite the opposite of state-sponsored hackers, whose aim is to affect the systems. In the IndiaBulls' incident, hackers encrypted the files using CLOP ransomware. It is yet to confirm how the hackers pulled this off, but according to Cyble, it was mainly due to vulnerabilities in the company's VPN.

Texas Hit By a Human-Operated Ransomware That Targets against Government Agencies and Enterprises



May 2020 was not a good month for both the Texas Courts and the Texas Department of Transportation (TxDOT) as the month marked the discovery of a new ransomware called Ransom X, being effectively utilized in human-operated and focused on attacks against government agencies and enterprises.

Advanced Intel's Vitali Kremez discovered a 'ransom.exx' which was believed to be the name of the ransomware. As this is human-operated ransomware, as opposed to one distributed by means of phishing or malware, when executed the ransomware opens a console that shows info to the attacker while it is running.

As indicated by Kremez, Ransom.exx works to terminate 289 procedures identified with security software, database servers, MSP softwares, remote access devices, and mail servers.

Ransom X will likewise play out a series of orders all through the encryption process that:
Clear Windows event logs
Delete NTFS journals
Disable System Restore
Disable the Windows Recovery Environment
Delete Windows backup catalogs
Wipe free space from local drives.

The commands executed are listed below:
cipher /w %
s wbadmin.exe delete catalog –quiet 
bcdedit.exe /set {default} recoveryenabled no 
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures 
schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable 
wevtutil.exe cl Application 
wevtutil.exe cl System 
wevtutil.exe cl Setup 
wevtutil.exe cl Security 
wevtutil.exe sl Security 
/e:false fsutil.exe usn deletejournal /D C: 

The ransomware then starts to encrypt the entirety of the information on the computer and affix a custom extension related to the victim to each encrypted record.

As observed below, the custom extension for the Texas Department of Transportation attack was .txd0t.


Furthermore, when completed, the Ransom X console will show the number of encoded files and how long it took to finish it. In every folder that was scanned during the encryption procedure, a ransom note named![extension]_READ_ME!.txt will be made.

This ransom note incorporates the company name, and email address to contact, and guidelines on the most proficient method to pay the ransom.

As observed below, the ransom note is modified for a certain victim that is enduring an attack, which for this situation is the Texas Department of Transportation.


However, in the case of Texas where the attack made its significant hit it is to be noted that at the hour of the attack, it was not comprehended what ransomware focused on the government agencies.

In any case, because of the limited visibility into this ransomware operation, there is no data with respect to the ransom sums or whether they steal information as a major aspect of the attack.

This ransomware has now been broken down, analyzed, and seems secure, which implies that it is highly unlikely to decrypt the files for nothing.

Cognizant Reveals Employees Data Compromised by Maze Ransomware


Leading IT services company, Cognizant was hit by a Maze Ransomware attack earlier in April this year that made headlines for its severity as the company confirmed undergoing a loss of $50-$70 million in their revenues. In the wake of the ransomware attack, Cognizant issued an email advisory alerting its clients to be extra secure by disconnecting themselves for as long as the incident persists.

Cognizant is one of the global leading IT services company headquartered in New Jersey (US). It started in 1994 as a service provider to Dun & Bradstreet companies worldwide; later in 1998, it became independent when D&B split into three, and one group of companies came under Cognizant corporation. Since then, the company has grown leaps and bounds making a name for its consulting and operation services in the industry.

The threat actors involved carried out the attack somewhere between 9-11 April, during this period of three days when the company was facing service disruptions, the operators mined a considerable amount of unencrypted data that included credit card details, tax identification numbers, social security numbers, passport data, and driving license information of the employees.

While giving further insights into the security incident, Cognizant said in its SEC filing, “Based on the investigation to date, we believe the attack principally impacted certain of our systems and data.”

“The attack resulted in unauthorized access to certain data and caused significant disruption to our business. This included the disabling of some of our systems and disruption caused by our taking certain other internal systems and networks offline as a precautionary measure."

“The attack compounded the challenges we face in enabling work-from-home arrangements during the COVID-19 pandemic and resulted in setbacks and delays to such efforts,” the filing read.

“The impact to clients and their responses to the security incident have varied,” the company added.

Ransomwares evolving: Cybercriminals collaborating and auctioning data


Ransomware are soon becoming the most feared disease of cyber-world, started from simple encryption of the victim's computer and files, they have now evolved to stealing and selling data. But it's not limited to just that, now these stolen data will be auctioned off to the highest bidder if the ransom is not paid.


Sodinokibi/REvil group recently launched its auction website from its own blog. Their first debut was an auction of files retrieved (stolen) from a Canadian agriculture company whose ransom was not paid. The starting bid - $50,000 Monero cryptocurrency.

These auction websites are quite beneficial for these hackers, first by creating potential of monetization and second by putting additional pressure on the victims to pay up the ransom. Even governments and cybersecurity vendors spend millions for this kind of data, employing people to lurk the dark web for sensitive data on elite class. Now, they can directly buy this from these auction sites.

The REvil group was also rumored to sell files on pop singer Madonna which they hacked from entertainment law firm Grubman Shire Meiselas & Sacks.

Brett Callow, a threat analyst at Emsisoft says, “The auctions may be less about directly creating revenue than they are about upping the ante for future victims. Having their data published on an obscure site is bad enough, but the prospect of it being auctioned and sold to competitors or other criminal enterprises may chill companies to the bone and provide them with an additional incentive to meet the criminals’ demands.” 

He further thinks that soon other ransomware groups will follow REvil with their own auction schemes.

“REvil’s launch of [an] online auction was, in many ways, a logical and inevitable progression as ransomware groups constantly seek out new ways to monetize attacks and apply additional pressure to companies,” Callow said. “In the same way that other ransomware groups adopted [the Maze ransomware group’s] encrypt-and-exfiltrate strategy, it’s almost inevitable that other groups will also adopt REvil’s encrypt-exfiltrate-and-auction strategy.”

Joining Forces

Another tactic by these groups is joining forces, the idea of helping each other, and increasing their threat value. The infamous Maze ransomware has partnered with LockBit (not many financial details have been shared) and they even published LockBut's stolen data on their own data leak website.

Maze also announced that they are in talks with another ransomware group and may collaborate with a third ransomware operation.

The First Ransomware Attack and the Ripples It Sent Forward In Time


What was once a simple piece of malware discovered just 20 years ago this month exhibited its capacity which transformed the entire universe of cyber-security that we know of today?

Initially expected to just harvest the passwords of a couple of local internet providers, the malware, dubbed as 'LoveBug' spread far and wide, infecting more than 45 million devices to turn into the first piece of malware to truly take businesses offline.

LoveBug was the shift of malware from a constrained exposure to mass demolition. 45 million compromised devices daily could rise to 45 million daily payments.

Be that as it may, eleven years before anybody had known about LoveBug, the IT industry saw the first-ever main case of ransomware, as AIDS Trojan. AIDS Trojan which spread through infected floppy disks sent to HIV specialists as a feature of a knowledge-sharing activity.

The 'lovechild' of LoveBug and AIDS Trojan was the ransomware that followed, with GPCoder and Archievus hitting organizations around the globe through which the hackers additionally bridled ecommerce sites to discover better ways to receive payments.

The protection industry responded by taking necessary steps with 'good actors' cooperating to decipher the encryption code on which Archievus depended, and sharing it broadly to assist victim with abstaining from paying any ransom.

From that point forward the 'cat and mouse' game has proceeded with viruses like CryptoLocker, CryptoDefense, and CryptoLocker2.0 constructing new attack strategies, and the protection industry executing new defenses. Presently ransomware has become increasingly sophisticated and progressively prevalent as targets today are more averse to be individuals since large businesses can pay enormous sums of cash.

And yet, data protection has become progressively sophisticated as well, with certain four areas that should now be a part of each business' ransomware strategy: protect, detect, respond, and recover. Social engineering and phishing are also presently becoming progressively central to the success of a ransomware attack.

The LoveBug was effective in a scattergun fashion, yet at the same time depended on social engineering.

Had individuals been less disposed to open an email with the subject line ‘I love you', the spread of the malware would have been 'far more limited'.

Nevertheless, the users presently ought to be more alert of the increasingly diverse threats in light of the fact that inexorably, hackers are expanding their threats data exfiltration or public exposure on the off chance that they feel that leaking data may be progressively 'persuasive' for their targets.

Thus so as to react to the issue, it's essential to have backup copies of data and to comprehend the nature and estimation of the information that may have been undermined in any way.

Hackers who were preparing attacks on hospitals arrested in Romania


Romanian law enforcement officials stopped the activities of the cybercriminal group PentaGuard, which was preparing to carry out attacks on Romanian hospitals using ransomware.

Four hackers were arrested, and searches were conducted at their place of residence (at three addresses in Romania and one address in Moldova). According to the Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT), hackers had various malicious programs at their disposal, including Trojans for remote access, ransomware, as well as tools for defacing sites and SQL injections.

In addition, hackers developed malicious computer applications for use in computer attacks, such as rasomware-cryptolocker and RAT (Remote Trojan Access). Such malicious attacks were directed against several state institutions, as in Bucharest.

During the investigation, it became clear that cybercriminals planned to attack hospitals. The attackers intended to send phishing emails on the subject of COVID-19 to medical institutions, and use them to infect networks with ransomware Locky or BadRabbit, encrypt files and demand a ransom for recovery. According to the Romanian media, this is how the cybercriminals wanted to protest against the quarantine measures taken by the Romanian government.

This type of attack makes it possible to block and seriously disrupt the functioning of the IT infrastructure of these hospitals. They are part of the healthcare system, which currently plays a decisive and decisive role in combating the pandemic with the new coronavirus.

The hacker group PentaGuard has existed since about 2000. In January 2001, the group carried out a massive deface of the sites of the British and Australian governments. Over the past few years, PentaGuard has not conducted any deface campaigns but has remained active on hacker forums. In January 2020, the group resumed defacing attacks.