Search This Blog

Showing posts with label Ransomware. Show all posts

Malware Sload Aiming Europe Again

 

Sload (also termed as Starslord loader) has proven to be one of the most destructive malware variants in recent years. It usually acts as a downloader, which is a computer virus that accumulates and exfiltrates data from an infected system in order to analyze the target and drop a more significant payload if the target is profitable. 

Sload has been active in Europe since at least 2018, with numerous vendors reporting assaults on targets in the United Kingdom and Italy. Instead of employing an executable or a malicious document to invade devices, the malware's developers have chosen to use scripts that are intrinsic to Windows operating systems such as VBS and PowerShell as an initial foothold, tricking users into executing them using spear phishing. 

The downloader is undergoing development and has gone through several iterations; the creator is continuously changing the first stage script but the main module remains basically unchanged. 

According to early reports, this virus downloads a PowerShell script, which then downloads and executes Sload, using a rogue LNK file (Windows shortcut). Later editions start with obfuscated WSF/VBS scripts that are frequently mutated to avoid detection by anti-virus software. The initial script used in attacks has a low VirusTotal score and is meant to get beyond complex security technologies like EDRs. 

This year, Minerva Labs has noticed Sload infections arriving from Italian endpoints. The script they found is an obfuscated WSF script that decodes a sequence of malicious commands and then secretly downloads and runs a remote payload in memory after being executed. 

The script does this by renaming legal Windows binaries, which is a straightforward evasion method. Both "bitsadmin.exe" and "Powershell.exe" are copied and renamed, with the former being used to download a malicious PowerShell script and the latter loading it into memory and executing it. 

The downloader's final payload varies, but it has been known to drop the Ramnit and Trickbot banking trojans, both of which are extremely dangerous malware that can lead to ransomware attacks. 

Operations of the LockBit Ransomware Group: A Quick Look

 

Researchers have investigated on how LockBit, one of the more recent ransomware organisations, operates. 

As per the instances this year, ransomware has emerged as one of the most disruptive forms of cybercrime. So far, the world has witnessed the Colonial Pipeline ransomware crisis, which resulted in fuel supply shortages throughout sections of the United States; continuous troubles with Ireland's national health care; and systematic interruption for meat processing major JBS as a result of the infection. 

By 2031, ransomware assaults are expected to cost $265 billion globally, and settlements are now routinely in the millions of dollars, as in the case of JBS. However, there is no guarantee that decryption keys are suitable for their intended use, or that paying once guarantees that a business will not be targeted again. 

According to a Cybereason report issued this week, up to 80% of organisations that were victimised by ransomware and paid the ransom have experienced a second attack, possibly by the same threat actors. 

The danger of ransomware to businesses and essential infrastructure has grown to the point where it was brought up during a meeting between US President Joe Biden and Russian President Vladimir Putin at the Geneva summit. 

Prodaft Threat Intelligence (PTI) published a study (.PDF) on LockBit and its affiliates on Friday. 

According to the study, LockBit, which was previously known as ABCD, uses a RaaS model to give affiliate groups a central control panel where they can produce new LockBit samples, monitor their victims, make blog articles, and view statistics on the success — or failure — of their attacks. 

LockBit affiliates frequently purchase Remote Desktop Protocol (RDP) access to servers as an initial attack vector, however, they may also employ traditional phishing and credential stuffing approaches. 

"Those kinds of tailored access services can be purchased in as low as $5," Prodaft says, "making this approach very lucrative for affiliates." 

Exploits are also utilised to attack vulnerable systems, including Fortinet VPN vulnerabilities on victim machine that have not been fixed. As per the forensic studies of machines attacked by LockBit affiliates, threat organisations will frequently try to find "mission-critical" systems first, such as NAS devices, backup servers, and domain controllers. The data is subsequently exfiltrated, and packages are typically uploaded to services such as MEGA's cloud storage platform. 

After that, a LockBit sample is manually installed, and files are encrypted using an AES key that is generated. Backups are erased, and the system wallpaper is replaced with a ransom notice with a link to a.onion website address where decryption software can be purchased. The website also offers a free decryption 'trial,' in which one file (less than 256KB in size) can be decoded. 

If victims contact attackers, a chat window in the LockBit panel is used to communicate with them. The ransom demand, payment date, method (typically in Bitcoin (BTC)), and directions on how to obtain bitcoin are frequently discussed. Prodaft gained access to the LockBit panel, which revealed affiliate usernames, victim counts, registration dates, and contact information. 

The study team stated that evidence in the affiliate names and addresses indicate that some may also be linked with Babuk and REvil, two other RaaS organisations; however, the inquiry is still ongoing. 

LockBit affiliates look for an average of $85,000 from each victim, with 10 to 30% of that going to the RaaS operators, and the ransomware has attacked thousands of machines around the world. The software and services industry accounted for more than 20% of the victims on the dashboard. 

"Commercial and professional services as well as the transportation sector also highly targeted by the LockBit group," Prodaft says. "However, it should be noted that the value of the ransom is determined by the affiliate after various checks using online services. This value does not solely depend on the sector of the victim." 

LockBit's leak site was unavailable at the time of publication. After breaking into LockBit's systems, the researchers decrypted all of the platform's accessible victims.

Supply Chain Attack Conducted by Darkside Operator

 

Mandiant researchers have identified a supply chain attack against a CCTV provider by a Darkside ransomware gang affiliate that has been distinguished as UNC2465. UNC2465 and other linked gangs identified by FireEye/Mandiant as UNC2628 and UNC2659 are regarded as one of the key affiliates of the DARKSIDE Group. 

The intrusion began on 18 May 2021, a day after the public suspension of the DARKSIDE general program (Mandiant Advantage background). Mandiant believes that although no ransomware has been discovered, membership groups that have performed DARKSIDE attacks could employ several ransomware affiliate programs and switch to each other at any time. 

Mandiant found that the installers were malicious at the commencement of June and informed the CCTV firm of a possible compromise on this website, making it possible for UNC2465 to substitute legitimate and Trojanised files.

Although Mandiant does not anticipate that many individuals have been affected, this strategy is reported to boost awareness. 

Software supply chain attacks can be very complex, from the recent attacks discovered by FireEye to attacks targeting smaller suppliers. A single infiltration of the software supply chain attack gives access to all businesses running the software of a victim company – in this situation, UNC2465 has modified the installer instead of the software itself.

Mandiant noted in mid-May 2021, that numerous threat players quoted a notice that the operators of the service seemed to share with the DARKSIDE RaaS members. That notification indicated that it had lost the access and would be closing its service to its infrastructure, including its blog, payment, and CDN servers. 

Since then, other underground members have claimed that they are unpaid DARKSIDE affiliates, and in certain cases privately gave forum admins with proof indicating their claims are legitimate. 

Mandiant consulting responded to an intrusion in June 2021; The first vector, which Mandiant found was a trojanized security camera PVR installer from a reputable website. As a result of ongoing infrastructure use and equipment use since October 2020, Mandiant has attributed the general intrusion to DARKSIDE affiliate UNC2465. 

On 18 May 2021, a person accessed the Trojanized link in the concerned organization and installed a ZIP. A chain of Downloads and Scripts was run when the software was installed which led to SMOKEDHAM and afterward NGROK on the computer of the victim. 

Further malware use like BEACON is also reported to have taken place. The trojan program was enabled in Mandiant's opinion between 18 May 2021, and 08 June 2021. 

Mandiant indicates that the majority of publicly identified victims of ransomware shaming websites have progressed steadily over the last month. Despite the recent restriction on posts concerning ransomware in underground forums, threat actors may still exploit private chats and links to find ransomware services.

Objectives for Ransomware Attack Against Nuclear Contractor Sol Oriens Remain Unknown

 

New Mexico-based government contractor Sol Oriens was attacked by the Russian REvil ransomware group that sparked worries in the national security community, because of the company's work with the Department of Energy's National Nuclear Security Administration.

However, the motives for the attack remain unknown. Sol Oriens confirmed it was targeted in May, according to CNBC's Eamon Javers, and the corporation stated no sensitive or important security-related material was compromised. The company's website remained down as of Friday, and Mother Jones reported that it had been down since June 3. Sol Oriens has yet not confirmed if the attack was ransomware. 

According to Michael DeBolt, senior vice president of intelligence at Intel 471, Sol Oriens was targeted by REvil, the same group that was accused of targeting meat manufacturer JBS. 

“From the REvil blog, all indications are that Sol Oriens was a target of opportunity, and not of design tied to some state-sponsored entity,” DeBolt stated. 

“However the sensitive nature of this particular victim did not elude the REvil operators and affiliates responsible for the attack. In fact, they explicitly threatened to reveal ‘documentation and data to military agencies of our choice [sic]’ and shared proof by way of screenshots on their name and shame blog. Even so, these actors primarily remain financially motivated.” 

According to Gary Kinghorn, senior director of marketing and alliances at Tempered Networks, the vulnerability of the information in this breach appears to be less than catastrophic if it was restricted to personal information and contacts, but there's no way of knowing if it went further than that. The goals of this attack, according to Kinghorn, are clearly useful to geopolitical opponents, and enterprises must be aware of the immense sophistication and resources behind these operations, regardless of purpose. 

Kinghorn added, “Organizations, particularly those holding DoE-class information and secrets, have to realize that yesterday’s security tools are no longer enough and are too error-prone to justify.” 

“The National Security Agency has already strongly suggested that government agencies move to zero trusts and even ensure encryption of all data in motion. These advanced steps can effectively make networks unhackable. However, right now, organizations are still weighing the costs and ROI until they get exposed like this to make changes.”

New Evil Corp Ransomware Disguised as PayloadBin to Avoid Sanctions

 

The new PayloadBIN ransomware has been linked to the Evil Corp cybercrime gang, which rebranded to avoid US Treasury Department restrictions issued by the Office of Foreign Assets Control (OFAC). The Evil Corp gang, also known as the Indrik Spider and the Dridex gang, began as a ZeuS botnet affiliate. They eventually organized a group dedicated to disseminating the Dridex banking virus and downloader via phishing emails. 

According to the FBI, Dridex was used to steal more than $100 million from banks in more than 40 nations. Following that, the software was utilized as a loader to install the BitPaymer ransomware on victims' computers. Two Russian nationals, Maksim Yakubets and Igor Turashev were indicted by a US grand jury in December 2019 for allegedly running Evil Corp. 

Yakubets was functioning "as Evil Corp's head and is answerable for overseeing the group's illicit cyber activities," the Treasury Department claimed at the time, after assisting with money laundering and the GameOver/Zeus botnet and malware operation. It said Yukabets had been working for Russia's Federal Security Service, or FSB, since at least 2017, and that it had previously sanctioned the FSB for assaults against US targets. It also announced a $5 million reward for information leading to his apprehension. 

The Babuk gang said that they would stop using ransomware encryption and instead focus on data theft and extortion after breaching the Metropolitan Police Department in Washington, DC, and taking unencrypted data. The Babuk data leak site had a graphic makeover at the end of May, and the ransomware gang rebranded as 'payload bin.' 

On Thursday, BleepingComputer discovered PayloadBIN, a new ransomware strain linked to the rebranding of Babuk Locker. When the ransomware is installed, the ransomware will append the . PAYLOADBIN extension to encrypted files. The ransom message is also known as 'PAYLOADBIN-README.txt,' and it claims that the victim's "networks are LOCKED with PAYLOADBIN ransomware." 

BleepingComputer suspected Babuk of lying about their plans to move away from ransomware and relaunched under a new name after discovering the sample. After examining the new ransomware, both Emsisoft's Fabian Wosar and ID Ransomware's Michael Gillespie confirmed that it is a rebranding of Evil Corp's prior ransomware operations.

Ransomware Hits News Stations in US, Affects Local Broadcast

 

Two local television news stations have been shut down since Thursday, experts say it because of a ransomware attack on their parent company. Parent company Cox media group, which owns NBC affiliate WPXI in Pittsburgh, and ABC affiliate WFTV in Orlando, Florida, told their managers to shut down their company phones and computers. The employees have to communicate using only personal phones and text messages. However, both stations still somehow managed to run local broadcasts at the station, but their operations are somewhat limited. 

Cox has refused to release any statement about the attack, but experts believe that the ransomware was behind the attack where hackers breached the network and held the files hostage in demand of ransom.  

According to experts, if an incident in IT expands to its multiple organizations, it is most likely a ransomware attack. Experts believe that the primary reason for the attack where it is unplanned and widespread IT exploit is a ransomware breach. It can also be malware that is used to plant ransomware software. It is less likely than any other form of cyberattack can cause this shutdown.  

Meanwhile, in Orlando, the employees were asked to not go to the office on Thursday and Friday, however, they weren't told clearly what happened with the computer networks of the company. An employee in Pittsburgh said that the company on Thursday morning shut down its servers as a safety measure to avoid any security breach. 

As of now, the staff has been restricted off the computer networks, so there's not much that they can do, the situation has also become a bit tense at the stations. Actors are continuously attacking US organizations, schools, hospitals, and businesses for a long time. 

But the issue became a major threat when recently, the US federal government faced a major problem when an attack on the country's one of the biggest company Colonial Pipeline led to stoppage of gas supply for 5 days in the US. 

"Many of the most prolific ransomware gangs, including those responsible for the JBS and Colonial hacks, speak Russian and have at least some members based in Russia who appear to operate with impunity, leading President Joe Biden to say he's "looking closely" at retaliating," reports NBC news.  

Business Operation Gets Shut Down as FujiFilm Suffers An Attack

 

On Wednesday 2nd June, Fujifilm released a short statement to reveal the illegitimate infiltration of its server by foreign parties. However, it did not specify that whether the ransomware component used in the attack was recognized, whether any information was exfiltrated from its Internet, or whether attackers approached them for a ransom. 

Earlier on 4th June, Japan's global Fujifilm group formally announced that perhaps a ransomware attack that impacted corporate operational activities had been committed earlier in this week. 

“FUJIFILM Corporation is currently carrying out an investigation into possible unauthorized access to its server from outside of the company. As part of this investigation, the network is partially shut down and disconnected from external correspondence,” stated Fujifilm. 

In various interactions with Fujifilm employees though, it looked internally that ransomware was responsible for the attack and that the business had to disconnect pieces of its network around the world. 

Fujifilm advised their staff to shut down their laptops and all other servers immediately at roughly 10:00 AM EST on Tuesday. The network failure also blocked the email, the billing system, and the reporting system from being accessed. Fujifilm has also incorporated warning to its consumers of disruption of their operation to alert their customers. 

Whereas the ransomware gang behind the attack has still not been named, the REvil ransomware campaign is thought to be the case. The REvil ransomware gang will infiltrate a system and steadily expand to several other machines while collecting unencrypted data via the remote access offered by the Trojan. 

Once they get access to a domain admin account in the Windows domain and collect valuables, then they can use the ransomware to encrypt devices across the system. 

Operation DarkSide ransomware targeted last month the largest US petroleum pipeline, the Colonial Pipeline. In certain States it caused the pipeline to be shut down.

Last month, the Conti ransomware group attacked the HSE, the public health service in Ireland, and the Department of Health, leading to a major disturbance in health care services. 

"It will be a topic of discussion in direct, one-on-one discussions — or direct discussions with President Putin and President Biden happening in just a couple of weeks," Psaki said at the press briefing.

Hackers Reportedly Target Cox Media Group Stations



‘Cox Media Group’, is one of the largest media conglomerates in the United State, earlier today, the organization has to put down its live streams for television and radio stations. According to the sources, the attack has been deemed unprecedented due to which Cox Media programs were inaccessible across the country. 

The Cox Media Group has ownership of 33 television stations in 20 markets, 54 radio stations in 10 markets, various multi-platform streaming videos, and several digital platforms. The TV stations in markets like Pittsburgh; Boston; Dayton, Seattle; Ohio; Oklahoma, and Tulsa, are a mixture of major network affiliates like ABC, CBS, FOX, NBC, etc. 

A report has been published by Inside Radio that disclosed the technical details of the attack wherein it was mentioned that the attack took place on the morning of the 3rd June and crashed the internal networks and streaming capabilities including the mobile apps and web streams properties. However, official websites of Cox Media and several programs kept running without any harm but some programs have to be rescheduled.

“This morning we were told to shut down everything and log out our emails to ensure nothing spread. According to my friends at affiliate stations, we shut things down in time to be safe and should be back up and running soon,” a Cox employee shared with media. 

Notably, the incident didn’t impact traditional pay-TV feeds for the channels. Meanwhile, the Dish Network reported that its network didn’t experience any issue regarding ransomware attack, so far; Dish Network is the broadcaster that made a deal with Cox Media for about 14 channels in December 2020. 

Deputy National Security Adviser Anne Neuberger on Thursday issued an open letter requesting organizations to take security precautions against ransomware attacks. 

Nowadays, many tech giants and several cybersecurity firms are taking ransomware attacks way more seriously, still, the gaps in prevention persist. 

Scripps Health Care Facility Reported Ransomware

 


Scripps Health care facility has reported on Tuesday that the organization has started sending alert notifications to nearly 150,000 individuals after a group of threat actors has stolen the sensitive data of people during a ransomware attack on one of its local health care facility on 01st May. 

What is Scripps Health care and how this works? 

Scripps is a nonprofit health care facility in San Diego, California, United States. The medical firm operates five hospitals and 19 outpatient facilities. The firm also treats a half-million patients around the year through 2,600 affiliated physicians. In addition, Scripps Healthcare also runs several medical education programs and research programs. 

A statement has been released by the firm in which a medical professional said, that the company has just begun notifying victims so that they can take protective measures against this attack which would allow them to safeguard their personal information from further misuse. “About 2.5 percent of those — nearly 3,700 — are said to have had their Social Security and/or driver’s license numbers taken. For those, the company said, it will provide complimentary credit monitoring and identity protection support services,” he further added. 

As per the information shared by the firm, the cybercriminals have stolen clinical credential data that includes the address of the individuals, patient account number, date of birth, medical record number, health insurance information, doctor’s name, and medical data, etc. Reportedly, the data was stolen from the system, however, the firm did not disclose which system the information came from. 

The breach has forced medical professionals at all levels of the healthcare facility to work differently because the system was at risk. Professionals have to use paper charts for their document work. Additionally, access to the important clinical data, including previous test results, was also unavailable for weeks. 

The health care facility further said that the investigation is being conducted on the attack and at present, they are unable to disclose all the technical details. “We still don’t know what the rest of the document seems to be related to. We have started an extensive manual review of these documents…”

“…This is a time-consuming process that can take months, but we will notify affected individuals and organizations as soon as possible in accordance with applicable regulatory requirements,” Scripps added.

This Entertainment-Themed Campaign Installs Malware in User Computer System

 

A popular phishing campaign tries to somehow get users to believe that they've enrolled in the film streaming platform to force customers to call on a phone number for cancellation – a technique that contains BazaLoader malware that harms the computer. 

BazaLoader is a C++ downloader for installing and performing other modules. In April 2020, BazaLoader was first observed by Proofpoint. 

BazaLoader develops a backdoor on Windows machines that could be exploited to provide initial access to other malware attacks - even ransomware. Ryuk Ransomware is generally delivered through BazaLoader, which can have severely harmful consequences to a successful compromise amongst cybercriminals. The operation of BazaLoader demands important human contact in the implementation and installation of the BazaLoader backdoor. 

The operator of the threat used customer service agents to lead victims to download and install the malware unwittingly. This campaign represents a broader pattern used as part of a sophisticated attack chain by BazaLoader threat actors that use call centers. 

The initial stage of the effort, which is detailed by cybersecurity investigators at Proofpoint, involves distributing tens of thousands of phishing emails affirming to come from 'BravoMovies,' a bogus movie streaming platform created by cybercriminals themselves. 

The site seems plausible and people behind it generated false film posters utilizing open-source pictures that are available online – but the way the site has numerous orthographic mistakes can suggest that something must be wrong if one looks very carefully. 

The email received states that the victim has subscribed and charged $39.99 a month - but if they contact a support number, that suspected subscription may be terminated. 

When the user contacts the number to which they are associated, the "customer service" professional claims to walk them through the withdrawal procedure – but what they are doing tells the unwitting victim how they may install BazaLoader on their computer systems. 

These are done by directing the caller to a "Subscription" website, wherein part of the procedure invites users to click a Microsoft Excel downloading link. This document contains macros that will silently upload BazaLoader to the system if it is activated, spreading malware on the victim's PC. 

"Malicious attachments are often blocked by threat detection software. By directing people to phone the call center as part of the attack chain, the threat actors can bypass threat detection mechanisms that would otherwise flag its attachments as spam," Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told ZDNet. 

"Social engineering is the key to this attack chain and threat actors depend upon their social engineering lures to cause recipients to take any action to complete the attack chain and get the malware on the target's machine," said DeGrippo further added. 

It should also be pointed out that while getting an e-mail claiming that the user's credit card will be billed if they do not answer, with the creation of a sense of urgency such as this is a common method employed in phishing operations to make a user obey instructions.

DarkSide Affiliates Claim Gang's Bitcoin Deposit

 

Multiple associates have protested about not being charged for past services since the DarkSide ransomware operation was shut down a week ago, and have filed a petition for bitcoins in escrow on a hacker forum. Escrow systems are popular in Russian-language cybercriminal cultures to prevent scams between sellers and buyers. The deposit is a direct message from ransomware operations that they mean business. 

DarkSide is a ransomware vulnerability that has been active since at least August 2020, when it was used in a cyberattack against the Colonial Pipeline in Georgia, causing a significant fuel supply disruption along the US East Coast. The malware is distributed as a service to various cybercriminals through an affiliate scheme and, like other well-known ransomware threats, uses double extortion, combining file encryption with data theft, and is installed on compromised networks through manual hacking techniques. 

DarkSide deposited 22 bitcoins on the famous hacker forum XSS to gain the confidence of potential partners and expand the operation. The wallet is administered by the site's administrator, who also serves as a guarantor for the gang and an arbitrator in the event of a dispute. 

Many analysts believe the group used an escape scam to retain the ransom money they received from their network of affiliates. DarkSide operators, on the other hand, claim to have halted operations as a result of US government pressure following the assault on the Colonial Pipeline. 

Last year, the REvil ransomware deposited $1 million in Bitcoin to a separate hacking website in order to recruit new members. This action demonstrated that they trusted the forum administrator with the money and that there was plenty to be made. 

Researchers discovered a series of allegations made by members of a hacking forum who claimed to have played various roles in the DarkSide ransomware gang's operations. Some associates assisted in the pentesting of threats or organizational breaches. According to Elliptic, a blockchain research company, the Darkside ransomware gang has received over $90 million in ransom payments from its victims since October 2020. 

“In total, just over $90 million in Bitcoin ransom payments were made to DarkSide, originating from 47 distinct wallets.” reads the report published by the Elliptic. “According to DarkTracer, 99 organizations have been infected with the DarkSide malware – suggesting that approximately 47% of victims paid a ransom and that the average payment was $1.9 million.”

Experts reported a twofold increase in the activity of ransomware hackers in Russia

The authors of the study called the growth "staggering." Since the beginning of April, experts have been monitoring ransomware attacks on more than 1 thousand organizations on a weekly basis. At the end of the first quarter of 2020, this figure was below 600.

"So far, there is no reason to reduce the number of attacks", said Sergey Zabula, head of the group of systems engineers working with partners of Check Point Software Technologies in Russia.
According to him, a 100 percent increase in the number of incidents can be observed at the end of 2021.

"Attackers will continue to invent new, more sophisticated attacks to grow their businesses and steal large amounts of money. And if companies do not pay special attention to training their employees and improving the level of cybersecurity of the organization as a whole, the size of the damage will grow," the expert said.

"ESET data also indicates a twofold increase in the number of incidents involving encryption viruses in 2021", said Vitaly Zemskikh, the company's technical director for Russia and the CIS. According to him, this is due to the neglect of information security in many organizations.

"Moreover, ransomware viruses are one of the most understandable ways to commercialize efforts for hackers", added Kaspersky Lab cybersecurity expert Dmitry Galov.

In addition, it became known that in April 2021, the number of powerful DDoS attacks on game servers in Russia increased by 30 times. According to StormWall experts, DDoS attacks were carried out using a new incarnation of the well-known Layer7 botnet, consisting of 25 thousand infected Internet of Things (IoT) devices.

The famous Russian-language hacker forum has banned the mention of ransomware

XSS is a well-known forum where users discuss all kinds of vulnerabilities, exploits, malware, and ways to penetrate other people's networks. Ransomware was also actively discussed there, moreover, among the forum participants there are representatives of Ransomware groups who actively recruited new partners to work on the "Ransomware-as-a-Service" (RaaS) model.

The decision to ban the discussion of Ransomware was made personally by the forum administrator.

The administrator stated that Ransomware is usually not interesting from a technical point of view, while the main purpose of the forum is "knowledge".

"We are a technical forum, we learn, research, share knowledge, write interesting articles. The goal of Ransomware is only to earn money. The goals are not the same," the forum administrator wrote.

He noted that there is a degradation: newcomers see "crazy virtual millions" that are paid from time to time as a ransom for unlocking data, and think that they will be able to get them. Therefore, beginners "do not want anything, do not learn anything, do not code anything, even just do not think, their whole life is reduced to "encrypt - get $”.

The administrator of XSS Forum also said that there is too much PR around the topic, as well as "nonsense, hype, noise" and even politics. The topic of Politics is obviously related to the Ransomware attack on the Colonial Pipeline, which led to a large-scale crisis in the United States.

"The word "ransom" was equated with a number of unpleasant phenomena — geopolitics, extortion, state hacking. This word has become dangerous and toxic," the forum administrator said.

So he decided to ban everything related to Ransomware. Even old forum threads related to this topic will be deleted.

According to Alexey Vodiasov, technical director of SEC Consult Services said that Ransomware is really a way to make quick money with very little effort. It is possible that after the attack on the Colonial Pipeline, US law enforcement agencies may launch an intensive campaign against the cyber underground.

Washington DC Police Hit by the Worst Ransomware Ever

 

In the U.S. capital, the police department experienced a major information leak after declining to satisfy the extortion demands of a Russian-speaking ransomware syndicate. As per the experts, the US police department has been hit by the worst ransomware ever. 

On Thursday 13th May, the Gang, identified as the Babuk Squad, published on the dark web, some thousands of confidential documents from the Washington Metropolitan Police Department. Hundreds of police officer intelligence documents, containing feeds from other agencies, such as the FBI and Secret Service, were discovered through a report by The Associated Press. 

Ransomware attacks have reached epidemic proportions as international gangs paralyze local and state governments, police, hospital, and private companies' computer networks. They need substantial payments for deciphering or to prevent the online leakage of stolen information. 

The Colonial Pipeline was shut down last week by a cyber-attack which caused gasoline stockpiling and panic buying across southeast sections of the nation's largest fuel pipeline. 

This Police data leak is "perhaps the most significant ransomware incident to date," due to the risks it poses for officers and civilians, said Brett Callow, a threat analyst and ransomware specialist at the Emsisoft security company. 

Most documents contained security details from many other law enforcement authorities regarding the inauguration of President Joe Biden, along with a connection to a militia group "embedded source." 

The two pipe bombs abandoned at the location of the Democratic Committee and the Republican National Committee before the revolt in the American Capitol on January 6 were studied by the FBI in one document. Yet another document explains the details. This involves "big data pull" from cell towers, as well as plans to "analyze purchases" of Nike shoes that a concerning individual uses. 

In response to an AP request for comments, the police department didn't initially respond but has reported earlier that personal data was compromised. 

Some of the information was subsequently leaked, exposing personal data from background checks of some officials, including information on previous use of drugs, financial conditions, and — in at least one instance — regarding past sexual assault. 

“This is going to send a shock through the law enforcement community throughout the country,” Ted Williams, a former officer at the department who is now a lawyer, told The Associated Press. 

Williams further added that it makes it harder for officers to do their work because of background checks and administrative files publicly disclosed.

“The more the crooks know about a law enforcement officer, the more the crooks try to use that for their advantage,” he said. 

Recently the Babuk community demanded $4 million to not publish the archives, but only around $100,000 was provided. The Ministry did not say whether it offered it. Any discussions will show the difficulty of the issue of ransomware, with the police forced to consider paying for criminal gangs.

FBI – CISA Published a Joint Advisory as Colonial Pipeline Suffers a Catastrophic Ransomware Attack

 

Following a catastrophic ransomware assault on a Colonial Pipeline, the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory. The notice, issued on Tuesday 11th May, contains information on DarkSide, malware operators running a Ransomware-as-a-Service (RaaS) network. 

DarkSide is in charge of the latest Colonial Pipeline cyber assault. Past Friday - 7th May, the fuel giant has said that a Cyberattack had obliged the company, which was found to be an intrusion of DarkSide affiliates, to stop pipeline activities and to pull the IT systems offline. 

Cybercriminal gangs use DarkSide for data encryption and to gain entry to a victim's server. These groups attempt to disclose the information if the victim is not paying the ransom. DarkSide leverage groups have recently targeted organizations, including production, legal, insurance, healthcare, and energy, through various sectors of CI. 

Colonial pipeline is yet to be recovered, and the FBI is engaged with them as a key infrastructure supplier – one of which provides 45% of the fuel of the East Coast and typically provides up to 100 million gallons of fuel per day. 

"Cybercriminal groups use DarkSide to gain access to a victim's network to encrypt and exfiltrate data," the alert says. "These groups then threaten to expose data if the victim does not pay the ransom. Groups leveraging DarkSide have recently been targeting organizations across various CI sectors including manufacturing, legal, insurance, healthcare, and energy." 

The ransomware from DarkSide is available to RaaS clients. This cybercriminal template has become prominent because only a core team needs to create malware that can be transmitted to other people. 

RaaS can also be offered on a subscription basis as a ransomware partner, and/or the developers may earn cuts in income when a ransom is paid. In exchange, developers continue to enhance their 'product' malware. 

Furthermore the FBI - CISA advisory also provides tips and best practices to avoid or mitigate ransomware threats. 

The most important defense act against ransomware is prevention. It is crucial to follow good practices to defend against attacks by ransomware, that can be damaging to a person or an organization. 

"CISA and FBI urge CI [critical infrastructure] asset owners and operators to adopt a heightened state of awareness and implement recommendations [...] including implementing robust network segmentation between IT and OT networks; regularly testing manual controls; and ensuring that backups are implemented, regularly tested, and isolated from network connections," the agencies say. "These mitigations will help CI owners and operators improve their entity's functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if impacted by ransomware."

Three Affiliated Tribes—The Mandan, Hidatsa & Arikara Suffers Ransomware Attack

 

On the 28th of April Three Affiliated Tribes – the Mandan, Hidatsa, and Arikara nation – informed their workers that they have been hacked with their server and believed it was ransomware. The community has not accessed files, email, and sensitive information since the server was hacked. 

Ransomware is a sort of malware that, as per the Homeland Security Department, attempts to publish information or restrict access until a ransom is paid. The Federal Bureau of Investigation, reports that 4,000 ransomware attacks are initiated daily, with an attack is conducted every 40 seconds. 
 
A document with details that the intrusion was linked with ransomware was sent to all Three Affiliate Tribes employees on April 28th. The one thing that it does, is changing file locations and file names of the document, stated Mandan, Hidatsa & Arikara CEO Scott Satermo. “Share this text, call, or use other methods as we have no way of sending an email notification at this time.” 

“Ransomware is running rampant in governments throughout the world,” said National Association of State Chief Information Officers (NASCIO) Director of Policy & Research Meredith Ward in an email to Native News Online. “Many local governments have been hit very hard.” 

NASCIO is a 501c(3)(h) non-profit framework that has its main advocacy and policy goal, as objectives and has a provision of insight and advice on the consequences of legislation, policies, and proposals relating to technology. On 14 October 2020, 30 Member States identified financial fraud as being a major cause of infringement over the past year compared with 10 states in 2018, states a report issued by NASCIO. The main causes of infringements still lie in external sources: malicious (68%), external-source web services (81%), and increased hacktivism (86%). 

Although ransomware attacks may appear popular, yet they aren't recorded widely in the various tribes. There are currently no statistical databases if and how often these cyberattacks impact tribes. Unless the rescue has been charged, ransomware actors also attempt and threaten the selling or leaking of exfiltrated data or authentication information as per the Cybersecurity & Infrastructure Security Agency (CISA). Ransomware attacks among national, local, tribal and territorial (SLTT) government bodies and critical infrastructure organizations have become exceedingly common in recent years. 

The Department of the Interior overturned a judgment of Trump-era on 22nd March 2021 which decided that a section of the Missouri River on the Fort Berthold Indian Reserve will belong to the government of North Dakota. The decision was made days after the very first American Indian to become Secretary of the Interior Department, Laguna Pueblo Debra Haaland, was sworn in. The change could offer Mandan, Hidatsa, and Arikara tribal members billions of dollars in revenue. 

The U.S. Congress assesses legislation including the State and Local Cybersecurity Improvement Act. If enacted, the law will provide several billion cybersecurity financing through the Cybersecurity and Infrastructure Security Agency to state, local governments and 25 million US dollars for tribal governments. In September 2020 it was discussed in the House Homeland Security Committee and voted in two-party terms, but it still resides in the Senate.

Ransomware Hits US Defense Contractor BlueForce

A ransomware attack hit U.S defense contractor Blueforce, says Hatching Triage sample, and a Conti ransomware chat. Ransomware in the Hatching Triage page consisted of a ransom threat likely to be from an attacker who hit the victim with Conti Ransomware strain. Tech Target's sister website LMagIT found the sample which was sent to SearchSecurity. 

The note said that all the victim's files were encoded by CONTI ransomware, attacker told the victim to google about if he weren't aware of what the strain is, and said that all information has been encrypted with the software and couldn't be restored by any method unless the victims contact the team directly. 

If the victim tried anything suspicious with recovery software, the attacker warned that all files will get damaged, and told the victim to continue at his own risk. "Conti ransomware was first reported in mid-2020, and like many other modern ransomware families, it extorts victims by not only encrypting data but threatening to publish it, too. Recent Conti victims include several London schools, as well as fashion retailer FatFace. It was also a member of the Maze ransomware cartel when it was active," said SearchSecurity. The threat also included a .onion link and a standard URL to an active chat between a negotiator from Blueforce and Conti actor. 

Blueforce is Virginia-based which builds nexus between the Department of State (DoS) and Department of Defense (DoD) via a sophisticated mix of interagency, international development expertise, and cross-functional defense. The conversation dates back to April 9, actor enquired if the target was willing to negotiate. After about 2 weeks, the victim replied with a request saying all the files were encrypted and to help. 

The attacker asked the victim for identification, Blueforce responded last week, asked for the following procedure, and also enquired whether any data was encrypted. According to SearchSecurity "the threat actor responded in the affirmative and demanded 17 bitcoins (worth nearly $969,000 as of this writing). In addition, the response included a list and data pack of files to verify that Conti had breached the company and exfiltrated data. The chat has not been updated since."

New South Wales Labor Party Hit By Avaddon Threat Attackers Demand Ransom


On Wednesday afternoon New South Wales (NSW) police unit has disclosed an apparent ransomware attack on the New South Wales labor party. 

Global cybercriminals group has given a 10 days timeline to the labor party to pay a ransom or else the illicitly accessed credentials will be put into the public domain including driver’s licenses, images of passports, and employment contracts.

According to the data, the ransomware operational group named Avaddon, which emerged in Russia is found to be behind the recent breach. Additionally, for further information Sydney City Police Area Command, has already begun its inquiries against the attack. 

The Avaddon ransomware was originated in the middle of 2020 in an underground forum(where participants exchange information on abusive tactics and engage in the sale of illegal goods and services, which are a form of online social network (OSN). Research suggests that Avaddon has been linked to various malicious activities, including data compromise and leaked credentials of at least 23 organizations as of February this year. 

Further, a research university, Rey Juan Carlos in Spain has published a research paper in which it disclosed that the Avaddon ransomware uses distributed denial-of-service attacks against its victims that denied to pay the ransom. 

“NSW Labor, the company does not want to cooperate with us, so we give them 240 hours to communicate and cooperate with us. If this does not happen before the time counter expires, we will leak valuable company documents…” 

“…We have a large amount of data on contracts, a lot of confidential information, confidential contracts, driver’s licenses, passports, employment contracts, information about employees, resumes, and more,” Avaddon said in a post on its website. 

Prior to this cyberattack, Austrian high profile organizations have been targeted including the email systems of the Commonwealth and West Australian parliaments that were taken offline this year. Now, a major political party has become a victim of cyber threats; however, this is the first time when cyber attackers have tried to extort an Australian political party for their financial advantages. 

Josh Lemon, managing director of digital forensics and incident response at business advisory firm Ankura, said most of the screenshots contained keywords such as “sensitive” and “confidential”. 

“Although it’s a little bit abstract, as someone who isn’t the victim, it’s intended to provide proof to the actual victim,” Mr. Lemon added. 

N3TW0RM Ransomware: Emerges in Wave of Cyberattacks in Israel

 

In a surge of cyberattacks that began last week, a new ransomware group known as 'N3TW0RM' is targeting Israeli companies. 

N3TW0RM, like other ransomware gangs, has set up a data leak platform where they threaten to release stolen files to threaten victims into paying a ransom. At least four Israeli companies and one nonprofit organization were successfully breached in this wave of attacks, according to Israeli news outlet Haaretz. 

Two Israeli companies, H&M Israel and Veritas Logistic have already been mentioned on the ransomware gang's data leak, with the threat actors allegedly leaking data stolen during the Veritas attack. According to Israeli media and BleepingComputer, the ransomware gang has not demanded especially large ransoms in comparison to other enterprise-targeting attacks. Veritas' ransom demand was three bitcoins, or roughly $173,000, as per Haaretz, while another ransom note shared with BleepingComputer indicates a demand of four bitcoins, or roughly $231,000. 

As per the WhatsApp message circulated by Israeli cybersecurity researchers, the N3TW0RM ransomware shares several characteristics with the Pay2Key attacks that took place in November 2020 and February 2021. 

Pay2Key has been linked to the Fox Kitten hacking group, an Iranian nation-state hacking group whose mission was to disrupt and damage Israeli interests rather than collect a ransom payment. At this time, no hacker groups have been linked to the N3TW0RM attacks. 

One source in the Israeli cybersecurity industry told BleepingComputer that N3TW0RM is also being used to sow havoc for Israeli interests as given the low ransom demands and lack of response to negotiations. However, according to Arik Nachmias, CEO of incident response firm Honey Badger Security, the attacks in N3TW0RM's case are motivated by money. 

While encrypting a network, threat actors typically distribute a standalone ransomware executable to each system they want to encrypt but N3TW0RM uses a client-server model. The N3TW0RM threat actors install a programme on a victim's server that will listen for connections from the workstations, thus according to samples [VirusTotal] of the ransomware seen by BleepingComputer and conversations with Nachmias. 

The threat actors then use PAExec to deploy and execute the'slave.exe' client executable on every device that the ransomware will encrypt, according to Nachmias. When encrypting files, the '.n3tw0rm' extension will be appended to their titles. 

According to Nachmias, the server portion would save the keys in a file and then instruct the clients to start encrypting devices. This strategy helps the threat actor to keep all aspects of the ransomware activity inside the victim's network without having to rely on a remote command and control server.

However, it increases the attack's complexity and can allow a victim to recover their decryption keys if all of the files are not deleted after the attack.

Ransomware Hackers Target Popular Cloud Service Provider 'Swiss Cloud'

 

Swiss Cloud, a Switzerland-based cloud hosting provider, suffered a ransomware attack that seriously impacted its server infrastructure. The incident took place on Tuesday, April 27, according to Swiss Cloud’s status page. 

The company, which is one of Switzerland’s major hosting providers, said on Friday in an update posted on its website that it’s working to restore affected servers from existing backups. 

“After the cyber-attack on April 27, work is proceeding to clean up the systems and restore normal operations at swiss cloud computing ag. The backup systems can be used for recovery. Parts of the complex server network affected by the attack must first be cleaned up individually and reconfigured with the corresponding temporal effects. The work to clean up and restore the servers, for which swiss cloud computing ag is supported by specialists from the system partners of HPE and Microsoft, gives reason to be confident that the systems will be available again in the coming week. The work will also continue on weekends in 24-hour shifts.” reads a statement posted by the company on its website. 

More than 6,500 clients affected

While the incident did not affect the company’s entire server infrastructure—spread among different data centers across Switzerland, the disruption has impacted server availability for more than 6,500 customers. One of the most high-profile customers impacted by Swiss Cloud’s outage is Sage, a company that delivers payroll and HR software for German-speaking nations. 

However, while the company might be confident regarding the timeline of its recovery plan, similar ransomware attacks have also taken place at other cloud and web hosting providers over the past few years. In most cases, recovery efforts lasted weeks, not days. This includes incidents at Managed.com, Equinix, CyrusOne, Cognizant, X-Cart, A2 Hosting, SmarterASP.NET, Dataresolution.net, iNSYNQ, and Internet Nayana, just to name the larger attacks. 

Web hosting and cloud infrastructure providers are not particularly targeted by the ransomware groups, but once they’re breached, they usually face some of the largest ransom demands. This is because even the smallest downtime they suffer trickles down to all their customers, and providers face immense pressure to restore services from all sides. This pressure is also why some companies choose to pay the ransom demand even if they have backups.