Search This Blog

Showing posts with label Ransomware. Show all posts

Threat Actors Demand Ransom After Major Cyber Attack on Scottish Environmental Protection Agency

 

Scottish Environment Protection Agency (SEPA) said its digital systems have been severely affected by a ransomware attack since Christmas Eve. Threat actors have locked agency's emails and contact centers and are demanding a ransom to unlock them.

National Cyber Security Centre and Scotland Police are investigating the whole incident and it is believed that the international cybercriminal group is behind the ransomware attack. Cybersecurity experts have unearthed that threat actors have stolen nearly 1.2 GB of data which suggests threat actors may have accessed and stolen 4,000 files.

SEPA said they have to start from scratch and build a whole new system following a ‘significant cyber-attack’. Agency further stated that essential services regarding food forecasting and warnings have not been hit by cyber-attack. Though it remains highly unlikely that 1,300 employees will be able to secure access to their old emails and online documents.

Scotland’s environmental regulator has termed this attack as an “incredibly sophisticated attack” and warned threat actors to face the consequences. We are aware that threat actors are demanding a ransom to unlock the agency's system but they will not succeed in their plan.

SEPA’s Chief Executive Terry A’ Hearn stated that “whilst we don’t know and may never know the full detail of the 1.2 GB of information stolen, what we know is that early indications suggest that the theft of information related to several business areas, some of the information stolen will have been publicly available”. 

The Conti ransomware group asserted the attack and has already leaked sensitive information on its site. The stolen information includes personal information associated with SEPA employees and information associated with commercial work with international allies.

Computing Giant Intel Launches New Processors with Ransomware Detection Features

 

One of the biggest computing giants of the world – Intel has utilized the power of technology and has launched four new series of processors in the Consumer Electronics Show 2021. They affirmed the users that these processors would offer a “Premium PC experience” that would also provide some additional and distinct features. 

Intel is known for its products that are apropos for this era devoted to technology. The digitalization of things is accelerating at an incredible pace. The base of this technology is persuasive computing that gave Intel the idea to build up a processor that has the best features to date in the market. Of the four series launched, one of them is the vPro series. It goes by the name Intel 11th Gen Core vPro series. 

Intel at the launch added that its 11th Gen Core vPro line offers the best performance in a thin a light form factor. It comes with added security features like the Intel Hardware Shield which as per the company is the industry’s first silicon-based AI threat detection to prevent ransomware and crypto-mining attacks. The company says that the Intel Control-Flow Enforcement technology shuts down an entire class of attacks. The new CPU also promises better battery performance.

Intel further announced its partnership with Boston-based Cybereason security firm. This partnership is expected to provide advanced security and support for the announced new features and its security software in the first half of 2021.

The special features that come with the vPro series are the HS (Hardware Shield) technology and the TDT (Threat Detection Technology). These come underneath the various protective antivirus layers of the software that enables the hardware to stay protected from any ransomware attacks. Another accentuate part is that both of the technologies perform on the CPU directly. 

The main intention of Intel behind adding such features is that these technologies allow it to share its data with proper security of the software and allowing it to detect if any malware had entered the software. The malwares that were unnoticed and were not detected by the antivirus will now be sensed by the new features. 

While declaring that “it detects ransomware and other threats that leave a footprint on the Intel CPU performance monitoring unit”, Intel stated in the press release,” Intel TDT uses a combination of CPU telemetry and ML heuristics to detect attack-behavior”

Security Analysis: The Rise of Cybercrime Underworld and Hacking Groups

During the Covid-19 pandemic, educational institutions, health agencies, and other significant organizations have suffered the most from cyberattacks. As if this was not enough, a massive wave of cyberattacks have risen against these institutions,  a new hacking group has emerged which uses modern techniques to attack its targets. The troublesome part is that these hackers are using an operational structure that is not very uncommon in the hacking underworld. Known as "Egregor," the hacking group has attacked more than 130 targets in recent months. 

The victims include logistics companies, schools, health agencies, the manufacturing industry, and financial agencies. The working of Egregor is similar to other ransomware, i.e. keeping hold of the data until the client pays the ransom money. There is but one minor change, Egregor's methods reveal the present structure of the hacking economy.  Instead of depending solely on lone wolfs (hackers) that orchestrate massive data breaches, or dark web platforms abundant with Russian threat actors, the hackers today work as a kind of unified group/team which acknowledges innovations and changes in the hacking industry. 

In other words, one can say that is a replica of Silicon Valley, but one that thrives on exploiting agencies for profit rather than building interactivity. Cybersecurity expert Jason Passwaters, CEO, Intel 471, says that there exist hackers which were active a long time ago and are still in the hacking game. They offer the same services as they used to back in the time, but the only change is now these hackers rely on each other, rather than working solely. Cybersecurity experts suggest that there might be up to 12 hackers involved in a data breach or a commodity cyberattack. The Egregor group isn't the only one. 

Hacking groups like Thanos, Conti, and SunCrypt that use similar malware strains, have also started operating in a cooperative way.  Cyberscoop reports, "it’s a style with roots in the mid-2000s when a hacker using the name “slavik” released the Zeus malware, a hacking tool that helped accelerate what’s known now as an affiliate model. The FBI has identified a Russian man, Evgeniy Bogachev, as “slavik,” and has listed him on the bureau’s list of most wanted fugitives. Bogachev’s Zeus malware is responsible for financial losses of more than $100 million, the FBI says, even as the creator has posed in ostentatious outfits in social media pictures." 

Appliance Giant Whirlpool Smacked by Nefilim Attack

 


As Ransomware attacks become the new normal, people are increasingly falling prey to such attacks in cyberspace as well as beyond. As the attacks become sophisticated, the problem of ransomware has been prominent and no business worldwide is entirely immune to the threat. Recently one of the world's renowned multinational manufacturers and suppliers of home appliances, Whirlpool, headquartered in Michigan, United States become a victim of one of these ransomware attacks. 

The American appliance marketer company, Whirlpool is one of the world’s largest home appliance and home smart gadgets as well as device creators. It has a diverse variety of products under various categories namely Kitchen aid, Indesit, Hotpoint, etc. The incident demonstrated how not even the big names are immune to the ransomware threat. 

This ransomware attack was done by the Nefilim Ransomware Gang whose main task is to get into the encrypted data system by breaking the firewall and stealing confidential information for some obligatory money. With the same, if the money or the demanded amount in cash or kind is not provided on time, they leak the confidential information to the public. As per the investigations, a similar incident happened with Whirlpool in the first week of December 2020 as well, however, the exact time and date remain unknown. 

The data that the Nefilim gang leaked on its website includes sensitive information of the organization like the documents regarding employee benefits, medical information requests, background checks, accommodation requests, and much more.

Though they never opened up about the leaked data by the Nefilim gang, the consequences made them agree on the blooming rumors'. In an interview, Whirlpool talked about the attack and communicated, “Last month Whirlpool Corporation discovered ransomware in our environment. The malware was detected and contained quickly. We are unaware of any consumer information that was exposed. There is no operation impact at this time”.

“We live in a time when Illegal cyber crimes are all too prevalent across every industry. Data privacy is a top priority at Whirlpool Corporation, and we invest in the technology and processes to help protect, our people, our data our operations.”

Later, Whirlpool affirmed that their systems are fortunately restored after the malicious malware attack and everything is safe.

Ransomware Attack Leaks GenRx’s Data

 

GenRx Pharmacy, which is settled in Scottsdale, AZ, is telling people of a data breach incident. The occurrence might affect the security of certain individuals. While the drug store doesn't know about any real damage done to people because of the circumstance, it is furnishing conceivably affected people with data by means of First Class mail with respect to steps taken, and what should be done to further fortify against likely defacement. 

On September 28, 2020, the pharmacy discovered proof of ransomware on its system and promptly started an examination, including recruiting independent information security and technology experts to help with incident response and criminological examination. During the ransomware assault, the drug store had full admittance to its information with unaffected reinforcements and had the option to keep up persistent business activities as they examined. Along with forensic experts, the drug store ended the cybercriminals' admittance to the drug store's system the very day and affirmed that an unapproved outsider conveyed the ransomware just a single day prior. On November 11, 2020, the drug store affirmed that the cybercriminals had exfiltrated a few records that incorporated certain health-related data, the drug store used to measure and transport endorsed items to patients.

As per the sources, the cybercriminals accessed health data of certain previous GenRx patients: patient ID, transaction ID, first and last name, address, telephone number, date of birth, sex, allergies, drug list, health plan data, and prescription data. The drug store doesn't gather patient Social Security Numbers ("SSNs") or keep up monetary data, thus it is extremely unlikely that the cybercriminal could get to that data of GenRx patients during this episode. 

An entry on the US Department of Health and Human Services HIPAA breach portal shows that more than 137,000 GenRx patients are being educated about the occurrence. GenRx Pharmacy has overhauled its firewall firmware, added extra anti-virus and web-sifting programming, established multifaceted verification, expanded Wi-Fi network traffic checking, gave extra preparation to representatives, refreshed inside approaches and methodology, and introduced real-time intrusion detection and reaction programming on all workstations and workers that access the organization.

The pharmacy is surveying more choices to improve its conventions and controls, technology, and preparation, including fortifying encryption. Although SSNs and monetary data were not influenced by this occurrence, the pharmacy suggests that as an overall best practice, people monitor account articulations and free credit reports to distinguish expected mistakes.

City of Cornelia Witnessed Fourth Ransomware Attack

                   

It seems like now the city of Cornelia has gotten quite used to the horrors of ransomware attacks as on Saturday, they witnessed their 4th ransomware attack within the last 2 years, the City Manager Donald Anderson on Tuesday. A day after Christmas eve, on the pleasant morning of the 26th of December 2020 the city of Cornelia got their Christmas gift as a malware attack. Experts say that this may not be the last incident but it is a part of the aggravated trend that the city may witness in the near future. 

Though the city has spent almost $ 30,000 for the upgradation of the firewall after the last attack that happened in September 2019 for better shielding of the system, still the hackers were able to take over the state’s administration and the data system offline.  

In a statement, the city’s manager said that they have “anticipated such situations in and out with abundance of caution”, moreover they have also “taken down our network while we investigate the situation and restore our data.” The aforementioned situation, owing to its gravity, is not only being monitored by officials from the state, but experts from outside have also stepped in to investigate the matter. 

According to Anderson the local services of the city like the emergency phone lines, garbage pickups and the utility work, etc, are not disturbed at all and are functioning properly. The email services and the city hall phones are also operating under normal conditions. However, since the city’s software data system is down, the employees and the natives are in a stalemate condition as they can neither lookup for the bill balances nor can accept any sort of credit card payments for the city services.  

Though the majority of the city functionalities are unaffected by this attack, still the operators behind the ransomware attack were able to incapacitate the newly installed water treatment plant of the city of Cornelia.  

“According to them the business model of those behind the ransomware is typically NOT to profit off of selling the personal information of the city employees or our citizens on the internet – it is to extract a payment from the city .” Anderson further added. Meanwhile, the city officials denied disclosing any further information and asked for cooperation and support from the city natives, telling them to stay patient and keep their calm until things are being resolved. 

'Ransomware Task Force': Microsoft, McAfee and Rapid7 Coalition

 

19 tech companies, cybersecurity firms, and non-profits have collaborated with the Institute for Security and Technology (IST) to form a new group called "The Ransomware Task Force" (RTF) to tackle the increasingly destructive and prevalent threat of ransomware. The joint venture includes big names such as Microsoft, McAfee, Rapid7, Cybereason along with other cyber advocacy groups, threat intelligence, think tanks, and research groups – The Global Cyber Alliance, The Cyber Threat Alliance, and The CyberPeace Institution, to name a few. 
 
The primary focus of The Ransomware Task Force will be to provide security against Ransomware attacks by engaging various stakeholders in assessing technical solutions and identifying loopholes in already existing solutions. The idea is to work collectively on building a roadmap to address the scope of the threat based on an 'industry consensus' instead of relying upon individual suggestions.  
 
The founding members came together to combat a form of cybercrime that they believe is expansive in its scope and has led to violent consequences that go beyond economic ruination. Actively addressing the threat of ransomware while providing clear guidance will effectively diminish the varying levels of the ransomware kill chain. Other founding partners include Aspen Digital, Citrix, Resilience, SecurityScorecard, The Cybersecurity Coalition, Stratigos Security, Team Cymru, Third Way, UT Austin Stauss Center, Shadowserver Foundation. The website for The Ransomware Task Force inclusive of full membership and leadership roles will be rolled out in January 2021.  
 
While giving insights, the Institute for Security and Technology, one of the founding members, said, “The RTF’s founding members understand that ransomware is too large of a threat for any one entity to address, and have come together to provide clear recommendations for both public and private action that will significantly reduce the threat posed by this criminal enterprise,”
 
As per Sam Curry, one of the founding members of RTF and Chief Security Officer at Cybereason, "Time and time again, we see ransomware capabilities deployed early in hacking operations but not immediately detonated,"  
 
"In these cases, the ransomware is detonated only after preliminary stages of the attack are finished across all compromised endpoints to achieve maximum impact on the victim. Reducing hackers' attempts to amplify the impact of ransomware attacks will drive down ransomware costs for the victim and decrease the victim's inclination to pay ransom demands."

Are Media Agencies the Next Target of Cybercriminals?

 

There is no denying the fact that cybercriminals have been exploiting the trust of people in media agencies. However, the ongoing situations have seen an incredible surge in cybercriminals needing to utilize each possible way to target media agencies.

Aside from direct attacks, they have even misused brand names to create counterfeit identities, which are then used to target 'potential victims'.

A couple of incidents throw light upon how and why these threat actors have set their sights on the media industry.

Some of them have been directly targeted generally through ransomware attacks.

Ritzau, the biggest independent news agency in Denmark, was targeted by a ransomware attack, prompting the compromise and encryption of more than one-fourth of its 100 network servers.

The computer servers at the Press Trust of India were also attacked by LockBit ransomware, which kept the agency from delivering news to its subscribers.

A few attackers very cleverly utilize the 'pretense' of media agencies to plan out their attacks.

Some time back, TA416 Able was found carrying out spear-phishing attacks by imitating journalists from the Union of Catholic Asia News, endeavoring to target the scope of victims, including diplomats for Africa and people in the Vatican.

Another incident happened when the U.S. seized 27 domain names that were utilized by Iran's Islamic Revolutionary Guard Corps (IRGC) for carrying out secretive influence campaigns, in which a few domains were suspected to be veritable media outlets.

OceanLotus had set up and operated a few websites, professing to be news, activist, or anti-corruption sites consistently. Furthermore, they traded off a few Vietnamese-language news websites and utilized them to load an OceanLotus web profiling framework.

Subsequently keeping these events in mind, experts recommend having sufficient safety measures, like frequent data backups, anti-malware solutions, and implementing Domain-based Message Authentication, Reporting & Conformance (DMARC).

Furthermore, recommendations were made on carrying out tests to distinguish and eliminate the risks of domain spoofing.


A quick look into malwares that installs ransomware : Remove them form your system immediately

 

We recently looked into ways phishing mails are evolving, attackers getting creative by the day. But a new trend has taken up the dark web, and soon phishing campaigns for ransomware and malware will be a thing of the past. With the sources equable of a small government, malware gangs have started collaborating within themselves and have come up with "initial access brokers," what these groups do is provide ransomware and other groups with already infected systems.
Compromised systems through RDP endpoints, backdoored networking devices, and malware-infected computers install ransomware into the network, this makes the ransomware attacker work as swiftly as cutting into the cake. 

 There are currently three types of bookers that serve ransomware : 

Selling compromised RDP endpoints: These bookers carry a brute remote desktop protocol (RDP) into corporate systems, sold as "RDP Shops". Ransom groups often choose systems that are integrated well within the network.

Selling hacked networking devices: Hackers sell pre hacked devices exploiting publically known vulnerabilities or weak spots like firewalls, VPN servers or others. Access to these devices is auctioned off on dark web forums.

Selling computers pre-infected with malware: This is the most popular way ransomware is spread. Hacking gangs spread their malware bots into well-established systems and sell them to the highest bidder who further injects ransomware into the system. 

The best protection against these attacks is to prevent them from happening. The first two infiltrations can be fended off using strong passwords, security measures, and regular updates. The third means (malware) is a bit complicated as it uses human blunder and tricks to invade the device.

Following is a list of malware that if you find in your system, drop everything and fix them out for they are sure to inject ransomware in your network:

  •  Emotet (Emotet-Trickbot-Ryuk) 
  •  Trickbot (Ryuk - Conti)
  •  BazarLoader (Ryuk) 
  • QakBot (MegaCortex-ProLock-Egregor) 
  •  SDBBot (Clop)
  •  Dridex (BitPaymer-DoppelPaymer) 
  • Zloader (Egregor-Ryuk)
  •  Buer Loader (Ryuk)

Managed.com Hosting Provider Hit by REvil Ransomware, $500K Ransom Demand


Managed hosting provider Managed.com has temporarily taken down all its servers and web hosting systems offline including clients' websites in response to a REvil ransomware attack that compromised public-facing web hosting systems. 
 
The threat actors behind the security incident that took place on Monday, 16th November are not known yet, however, the company said that it is involved with law enforcement agencies to investigate the matter and restore the services as securely as possible. As of now, it remains unclear if the attackers have stolen any data before the encryption of devices. 
 
Initially, the web hosting service refrained from revealing any details about the incident and posted an update claiming 'unscheduled maintenance' as the reason for the service interruption. However, later on, the company disclosed that it had encountered a ransomware attack that affected their systems and files containing critical data. 
 
In a status update, Managed.com said, "November 17, 2020 – On Nov.16, the Managed.com environment was attacked by a coordinated ransomware campaign. To ensure the integrity of our customers’ data, the limited number of impacted sites were immediately taken offline. Upon further investigation and out of an abundance of caution, we took down our entire system to ensure further customer sites were not compromised. Our Technology and Information Security teams are working diligently to eliminate the threat and restore our customers to full capacity. Our first priority is the safety and security of your data. We are working directly with law enforcement agencies to identify the entities involved in this attack. As more information is available, we will communicate directly with you." 
 
"Upon further investigation and out of an abundance of caution, we took down our entire system to ensure further customer sites were not compromised. Our Technology and Information Security teams are working diligently to eliminate the threat and restore our customers to full capacity. Our first priority is the safety and security of your data. We are working directly with law enforcement agencies to identify the entities involved in this attack,” the service further told in a statement. 
 
According to multiple sources, REvil, a ransomware-as-a-service infamously known for carrying out large attacks previously has demanded a $500,000 ransom in Monero to receive a decryption key. REvil has attacked big names like Kenneth Cole, Travelex, Brown-Forman, GSMLaw and SeaChange in the past.

Also known as Sodinokibi ransomware, REvil was first spotted in April 2019, it attacks Windows PCs to encrypt all the files on local drives (besides those enlisted in their configuration file) and leaves a ransom note on affected systems with instructions to get the files decrypted in turn of the demanded ransom.

Factories have become a major target for malware attacks

In the third quarter, the industry was attacked by various hacker groups - including RTM and TinyScouts, as well as ransomware operators. For example, according to Positive Technologies, the operators of the Maze ransomware program conducted a successful attack on Hoa Sen Group, the largest manufacturer of steel sheets in Vietnam. During the attack, personal data of employees, internal correspondence and other confidential information were stolen.

"This year, the vast majority of criminal groups switched to working with encryption programs since attackers realized that they can earn no less than in the case of a successful attack on a Bank, and technical execution is much easier," explained Anastasiya Tikhonova, head of APT Research at Group-IB.

According to her, more groups and partner programs have joined the "big game hunt”. 

"The size of the ransom has also increased significantly: cryptolocker operators often ask for several million dollars, and sometimes even several tens of millions. For example, the OldGremlin group, consisting of Russian-speaking hackers, actively attacks exclusively Russian companies: banks, industrial enterprises, medical organizations and software developers," explained Tikhonova.

The expert believes that one of the weakest links in the information security chain is still a person. "There are examples when an operator of a large industrial enterprise got bored, wanted to listen to music, and plugged a 3G modem directly into the USB port of the SCADA control and monitoring system.. And how many "trusted laptops” were there that employees brought from a business trip", concluded Tikhonova.

The expert believes that the danger of using Internet of things devices (IoT) is that it is problematic for advanced engineers to determine the fact of compromise. Target systems are assembled from a fairly large number of devices, and it is almost impossible to monitor and respond to possible security events and threats without additional solutions and human resources.

Government in Australia issues Clop Ransomware warning to Healthcare Organizations

 

The Australian Cyber Security Center has issued a security alert for the health sector to check their barriers and defenses against potential ransomware attacks especially the Clop Ransomware that uses SDBBot Remote Access Tool (RAT).
The ACSC (Australian Cyber Security Center) wrote that they, "observed increased targeting activity against the Australian Health sector by actors using the SDBBot Remote Access Tool (RAT)." 

 The SDBBot RAT is almost exclusively used by the TA505 group, their attack technique follows phishing and spam email campaigns to infect malware but from 2019, they started using SDBBot payload as a remote way to access systems. 

 ACSC further mentioned, "SDBBot is comprised of 3 components. An installer that establishes persistence, a loader that downloads additional components, and the RAT itself. "Once installed, malicious actors will use SDBBot to move laterally within a network and exfiltrate data. SDBBot is [also] a known precursor of the Clop ransomware"

 As the Australian Government says, SDBBot is also known as a precursor of the Clop Ransomware, which in recent months have become one of the most lethal ransomware, researchers also call it "big-game hunting ransomware" or "human-operated ransomware." 

 The Clop ransomware group keep their eye on the big picture, they first choose to widen their access to a maximum number of systems, till then they hold back their playload, and only when they have reached the maximum or the whole network will they manually deploy the ransomware. This way, the organization has no way to stop the infection midway and the payout is huge in a hundred thousand dollars and if the victim fails to pay the ransom, all their data is leaked on the malware's "leak website". 

Other countries like the UK and the US also predict a potential attack by Ryuke or Trickbot and issues a similar warning some weeks back. Australian Cyber Security Centre (ACSC) also warned Australian companies in October about Emotet malware, which is used contemporaneity with Trickbot. "Upon infection of a machine, Emotet is known to spread within a network by brute-forcing user credentials and writing to shared drives. Emotet often downloads secondary malware onto infected machines to achieve this, most frequently Trickbot," the ACSC wrote. With the new alert, companies need to be very diligent in their protection and testing mechanism in order to prevent themselves from an attack.

Enel Group attacked by Netwalker, demanding a whooping $14 million

 

Energy Company Enel Group has yet again been hit by malware, making it a second this year. The energy group has been demanded a ransom of 14 million dollars for the decryption key and to not reveal the stolen data by Netwalker ransomware.
Enel Group is an Italian multinational Power company, operating in 30 countries working in electricity generation and distribution, as well as in the distribution of natural gas. With a revenue of $90 billion, it ranks 87th in Fortune Global 500. 

Earlier this year in June, Enel Group was attacked by Snake ransomware also known as EKANS but then the attack was caught beforehand and was not successful. Contrary to now, when Netwalker not only successfully encrypted the power company's system but also leaked their data on its website. 

Enel Group has still not confirmed if the attack was true but bleepingcomputer confirms the attack as data given by Netwalker reveals info of Enel employees. 

The attackers connected to Enel Group writs, "Hello Enel. Don't be afraid to write us.", and still the power company maintained their silence and as is the norm when the victim doesn't engage with the hackers the ransom doubles and now Enel Group's ransom stands at a whopping 14 million dollars.

 Netwalker claims that they stole 5 terabytes of data and today the ransomware leaked the Enel Group's data to their data leak site. This was bound to happen since Enel Group neither engaged the hackers nor did they in any way showed any signs of an attack. Now, Netwalker is pressuring the Resource company in succumbing to the demands as they leak their data and threaten to (in their words) "analyze every file for interesting things" to be further leaked on the dark web. 

 Enel Groups better have an ace in their sleeves or a very good cyber hacker to get their data back.

United States Charged Six Russian Intelligence Officers with Involvement in An Unrestricted Huge Hacking Campaign

 


With involvement in an 'unrestricted huge hacking campaign', which incorporates the famous Petya ransomware attacks which have focused mainly on Ukraine in 2015, as of late, the Justice Department has charged six Russian intelligence officers. 

Residents and nationals of the Russian Federation (Russia)the six officials were also in Unit 74455 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Armed Forces.

 

The government claimed that the group that had attacked Ukraine has likewise hacked different computers promoting the 2018 Winter Olympics in South Korea. It likewise hacked and leaked emails of people related to Emmanuel Macron's 2017 campaign for president of France. 

Besides this, they additionally focused on the companies exploring the poisoning of former Russian operative Sergei Skripal two years ago in Britain. 

All the six hackers are GRU officers; the government said that for over two years, they had battled tirelessly to recognize these Russian GRU Officials who interweaved in a global campaign of hacking, disruption, and destabilization, representing the most dangerous and destructive cyber-attacks ever.

The GRU burrowed into three electrical administration systems and cluttered circuit breakers remotely, it was one of the first cyber-attacks and had a cyber firm that consistently focused on critical infrastructure.

The authorities had at first scrutinized and reprimanded North Korea for the strike yet later found that the GRU utilized North Korean hacking tools to throw off the experts. 

That is the motivation behind why the special agent of FBI Michael Christman insisted that the warrant is the result of over two years of strong investigation by the FBI, a position that was kept up by an agent who worked the case.

Here are the names and the acts done by the hackers referenced below: -

 

The FBI has regularly indicated that Russia is very equipped for a cybersecurity adversary, and the information uncovered in this statement shows how omnipresent and harming Russia's cyber activities are. 

While Russia is probably not going to capture the detainees, it is unlikely that they will attain any trial too.

Iranian Hackers Are Using Thanos Ransomware To Attack Organizations In the Middle East and South Africa

 

Cybersecurity experts discovered clues connecting cybersecurity attacks to Thanos ransomware, which is used by Iranian state-sponsored hackers. Researchers from ClearSky and Profero investigated significant Israel organizations and found cyberattacks linked to an Iranian state-sponsored hacking group named "Muddywater." Experts noticed repetitive patterns with two tactics in these attacks. Firstly, it uses infected PDF and Excel files to attach malware from the hackers' servers if they download and install them. Secondly, Muddywater mines the internet in search of unpatched MS Exchange email servers. 

It exploits the vulnerability "CVE-2020-0688" and deploys the servers with web shells, and again attaches the similar malware after downloading and installing the files. However, according to ClearSky, the second malware is not your everyday malware that is common but rather a unique malware with activities that have been noticed only once before. The Powershell threat is called "Powgoop" and was discovered last month by the experts. Palo Alto Network says that Thanos malware was installed using Powgoop. Besides this, Hakbit or Thanos malware has used other malware strains to install the ransomware called "GuLoader," coded in Visual Basic 6.0, different from other malware strains. 

"On July 6 and July 9, 2020, we observed files associated with an attack on two state-run organizations in the Middle East and North Africa that ultimately installed and ran a variant of the Thanos ransomware. The Thanos variant created a text file that displayed a ransom message requesting the victim transfer "20,000$" into a specified Bitcoin wallet to restore the files on the system," says the Palo Alto report. 

 According to ClearSky, they stopped these attacks before hackers could cause any damage; however, keeping in mind the earlier episodes, the company is now on an alarm. As per experts at ClearSky, they believe that Muddywater uses Thanos ransomware to hide its attacks and infiltrations. They say, "We assess that the group is attempting to employ destructive attacks via a disguised as ransomware attacks. Although we didn't see the execution of the destruction in the wild, due to the presence of the destructive capabilities, the attribution to nation-state sponsored threat actor."

Ryuk Ransomware Making Comeback with New Tools and Techniques

 

Ryuk ransomware has gained immense popularity in the notorious sphere of cybercrime by 2019. It has been on a rise both in terms of its reach and complexity as it goes about demanding ransoms worth multi-million-dollars from large organizations, local governments, and healthcare institutions. 
 
In one of their latest development, the operators of the malware have configured it to deploy a Trojan named ‘BazarLoader’ which is operated by the same threat group that is behind Trickbot. However, BazarLoader Trojan is equipped with advanced techniques to evade detection; the potential for long term infection in BazarLoader hints towards a change that the operators have brought in Ryuk’s plan of action. 
 
Ryuk is well-planned and targeted ransomware that is being operated since 2018 by WIZARD SPIDER, a Russia-based operator of the TrickBot banking malware, and the criminals behind this ransomware largely focus on big companies in order to acquire an exorbitant amount in ransom. 
 
After gaining access, Ryuk is programmed to permeate network servers as files are exchanged between systems. The malware is circulated via malicious email attachments and once it gathers all the important data from a given network, it lets the authors of Ryuk Ransomware acquire administrator credentials and gain access to the harvested data from the network, the malware does so by opening a shell back to the actors operating the threat. 
 
It takes only 29 hours to successfully carry out a complete attack on the network it is targeting; the process entails the entire series of incidents beginning from the spam mail to the successful encryption of data, as per the findings of DFIR. 
 
Threat actors behind ransomware attacks are rapidly evolving their attack vectors as the count of Ransomware attacks surge up to 365 percent over the past year. Owing to its ever-expanding operations, Ryuk made it to the notorious list of ransomware gangs having their own data leak websites wherein they release the data of companies who refuse to pay the demanded amount. 
 
The malware is continually changing itself to become more and more sophisticated, leaving companies with no option but to pay the extortionate amounts. The threat has expanded its reach beyond just private organizations and has also been recorded to target National services’ computers.

Warning Issued to End Cyberattacks Risk Running Afoul of Sanctions Rules by The U.S. Treasury Department

 

The U.S. Treasury Department recently issued a warning to cyber insurers and other financial institutions that 'facilitate payments' to hackers to end cyberattacks hazard crossing paths with sanctions rules. 

The warnings, referred to as 'malignant programs' known as ransomware and came in from Treasury's Office of Foreign Assets Control (OFAC)and Financial Crimes Enforcement Network (FinCEN).

The warnings also added to the additional worries of the cyber insurers, who have been 'ramping up' rates and attempting to control the exposure to vulnerable customers on account of flooding exorbitant ransomware claims as of late.

Hackers utilized ransomware to bring down frameworks that control everything from hospital billing to manufacturing and halted simply in the wake of accepting 'hefty payments', commonly paid in cryptocurrency.

Ransomware payment requests have seen quite a rise amidst the pandemic as people have chosen to work remotely and hackers target online systems. 

The normal ransomware payments bounced by 60% to $178,254 between the first and second quarters, as per Coveware, a firm that arranges and negotiates cyber ransom payoffs. The cyber policies frequently cover such ransoms, data recovery, legitimate liabilities, and arbitrators fluent in hackers' local dialects. 

Sumon Dantiki, a King and Spalding LLC legal advisor who exhorts on national security and cyber matters says that advanced insurers and financial establishments are now mindful of the sanctions concern. “Will victims who are insured still decide to make the payments?” Dantiki said. “This type of public advisory could affect the calculus there.” 

A subsequent FinCEN report even highlighted a developing industry of forensic firms that assist associations with responding to cyberattacks, including handling the payments.

OFAC referred to cyberattacks dating to 2015 that were traced back to hackers in sanctioned nations, like North Korea and Russia.

Nonetheless, while it is clearly evident that the US can force economic and trade sanctions on nations that support terrorism or disregard human rights, it will be the financial institutions that ultimately draw in with them or a few individuals can confront prosecution and penalties in the end.


LockBit Ransomware Emerging as a Dangerous Threat to Corporate Networks


LockBit, a relatively new Ransomware that was first identified performing targeted attacks by Northwave Security in September 2019 veiled as.ABCD virus. The threat actors behind the ransomware were observed to be leveraging brute-force tactics and evasion-based techniques to infect computers and encrypt files until the victim pays the ransom.

LockBit enables attackers to move around a network after compromising it quickly; it exploits SMB, ARP tables, and PowerShell to proliferate the malware through an infected network.

The developers rely on third parties to spread the malware via any means the third party devises. After successfully infecting the network, the attacker redirects the victim to a payment site operated by them. The victim is then subjected to threats of data leak until the ransom is paid to the attackers.

Modus operandi of the attack

The attackers drop the payload that is hidden under the '.text' sections, evading conventional AV's mechanism from catching the file while running a scan in the disk, the file is compressed by the attackers with a unique format.

Upon being executed, the file runs a scan on the entire LAN network and attempts to establish a connection to the hosts via SMB port (445) to spread the infected file across the entire internal network.

Then in order to bypass the need for User Control, the command "C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" is run by an instance of SVCHOST.exe which is running by the process DLLhost.exe.

After that, the 'backup.exe' file executes the payload and encrypts most of the victim's files, changing their extensions to 'lockbit'. In the end, leaving a ransom note under the name 'Restore-My-Files.txt' in various folders on the host.

As per sources, the top targets of LockBit were located in the U.S., the U.K, China, India, Germany, France, and Indonesia. Experts suggest that users worldwide should strengthen their security defenses. It is also recommended to store the backups of important files separately so that it's hard to be accessed through a network.

Giving insights into a particular case, Patrick Van Looy, a cybersecurity specialist for Northwave, told BleepingComputer, "In this specific case it was a classic hit and run. After gaining access through brute-forcing the VPN, the attacker almost immediately launched the ransomware (which he could with the administrator account that he had access to). It was around 1:00 AM that the initial access took place, after which the ransomware was launched, and at around 4:00 AM the attacker logged off. This was the only interaction that we have observed."

Emotet Botnet Operators Switching to a New Template Named ‘Red Dawn’


Emotet malware has been continually evolving to the levels of technically sophisticated malware that has a major role in the expansion of the cybercrime ecosystem. First discovered as a simple banking Trojan, Emotet’s roots date back to 2014 when it attempted to steal banking credentials from affected machines.

However, after going through multiple upgrades, since then, it has taken upon various roles- to exemplify, it has leveled up its threat game long ago to become a “loader”; it gathers data and sends it via an encrypted channel to its command and control (C2) servers, it also downloads modules to further the functionality.

The threat actors, actively involved in the rapid expansion of “Emotet” as a service, have devised a new method of attacking their targets by making them access infected documents. Until a while ago, the operators of Emotet have been using an iOS-themed document template in their botnet campaigns, the template informed victims that the document was created on iOS and that in order to view the content properly, he needs to ‘Enable Content’.

However, this is not the scenario anymore. In its newer campaigns, the notorious botnet is reported to be employing a new template, named ‘Red Dawn’ by Emotet expert, Joseph Roosen, for its red accent colors.

While displaying the message, “This document is protected”, the Red Dawn template informs the user that the preview is unavailable and in order to view the document, he is required to click on ‘Enable Content’ or ‘Enable Editing’ button.

After the user is being tricked into accessing the document via the steps he was asked to follow, Emotet malware gets installed on his system following the execution of macros. Once the system is successfully infected, Emotet malware may proceed to deliver other malware and ransomware namely Trickbot and Qbot or Conti and ProLock respectively.

“#Emotet AAR for 2020/09/02: Only a couple malspams at dayjob. It looks like JP is getting targeted heavily now by E1/E2 and E3. Seeing templates on all 3! The new regex for E1 is stupid and I bet Yuri thought that was epic, well nope, even easier to block, new regex in report. TT”, Joseph Roosen said in his related Tweet.

Nefilim Ransomware Evolving Rapidly: Top Targets at a Glance


Ransomware has continually expanded both in terms of threat and reach as threat actors continue to devise fresh methods of introducing new ransomware variants and malware families. One such newly emerged ransomware that was first identified at the end of February 2020, Nefilim, threatens to release victims’ encrypted data if they are unable to pay the ransom. With a striking code resemblance to that of Nemty 2.5 revenge ransomware, Nefilim is most likely to be distributed via exposed Remote Desktop Protocol, according to Vitali Kremez, an ethical hacker at SentinelLabs.

Earlier this month, researchers from threat intelligence firm Cyble, discovered a post by the authors of Nefilim ransomware, claiming to have hacked The SPIE Group, an independent European market leader for technical services in the fields of energy. As per the claims made by the operators in the post, they are in the possession of around 11.5 GB of company’s sensitive data that include corporate operational documents- company’s telecom services contracts, dissolution legal documents, infrastructure group reconstruction contacts and a lot more.

Since April 2020, Nefilim has targeted multiple organizations around the globe, narrowing down on the regions- South Asia, South America, Oceania, North America, and Western Europe. Going by the count of attacks disclosed publicly, manufacturing comes on top as the most preferential and hence the most targeted industries by the operators of Nefilim ransomware; Mas Holdings, Fisher & Paykel, Aban Offshore Limited, Stadler Rail were some of the major targets. Other industries infiltrated by Nefilim are communication and transportation; Orange S.A. and Toll Group, Arteris SA being some of the top targets respectively. One important thing to notice here is that the ransomware has spared the healthcare and education sector entirely as of now, interestingly, no organization from the two aforementioned sectors has been targeted.

Nefilim uses a number of ways including P2P file sharing, Free software, Spam email, Torrent websites, and Malicious websites, to infiltrate organizations’ IT systems. Designed specially to penetrate Windows PCs, Nefilim actively abuses Remote Desktop Protocol and uses it as its primary attack vector to infiltrate organizations. It employs a combination of two distinct algorithms AES-128 and RSA-2048 to encrypt the target’s data that is later leaked on their websites known as Corporate Leaks- when victims’ fail to pay the ransom.

Users are advised to stay wary of exposed ports and security departments shall ensure closing off unused ports, experts have also recommended to ‘limit login attempts’ for Remote Desktop protocol network admin access from settings to stay guarded.