
Texas Hit By a Human-Operated Ransomware That Targets Government Agencies and Enterprises



May 2020 was not a good month for either the Texas Courts or the Texas Department of Transportation (TxDOT), as the month marked the discovery of a new ransomware called Ransom X, used in human-operated attacks focused on government agencies and enterprises.

Advanced Intel's Vitali Kremez discovered a sample named 'ransom.exx', believed to be the ransomware's name. As this is human-operated ransomware, as opposed to one distributed by means of phishing or commodity malware, the ransomware opens a console when executed that shows the attacker information while it is running.

According to Kremez, Ransom.exx terminates 289 processes associated with security software, database servers, MSP software, remote access tools, and mail servers.

Ransom X will also execute a series of commands throughout the encryption process that:
Clear Windows event logs
Delete NTFS journals
Disable System Restore
Disable the Windows Recovery Environment
Delete Windows backup catalogs
Wipe free space from local drives.

The commands executed are listed below:
cipher /w %s
wbadmin.exe delete catalog -quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
wevtutil.exe cl Application
wevtutil.exe cl System
wevtutil.exe cl Setup
wevtutil.exe cl Security
wevtutil.exe sl Security /e:false
fsutil.exe usn deletejournal /D C:
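As an added example (not code from the original post or from the researchers cited), the following Python scans process-creation records for the recovery-inhibiting commands listed above and flags a parent process that triggers several of them, which is the pattern a defender would alert on; the "pid|parent_image|command_line" log format and the sample events are constructed assumptions.

```python
import re

# Constructed sample process-creation events (the shape of Sysmon Event ID 1 /
# Windows 4688 data), one per line as "pid|parent_image|command_line".
# These are made-up records for illustration, not telemetry from the Texas incidents.
SAMPLE_EVENTS = """\
1204|C:\\Windows\\explorer.exe|"C:\\Program Files\\Notepad++\\notepad++.exe" notes.txt
2210|C:\\Users\\admin\\ransom.exx|cipher /w C:\\
2211|C:\\Users\\admin\\ransom.exx|wbadmin.exe delete catalog -quiet
2212|C:\\Users\\admin\\ransom.exx|bcdedit.exe /set {default} recoveryenabled no
2213|C:\\Users\\admin\\ransom.exx|bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2214|C:\\Users\\admin\\ransom.exx|schtasks.exe /Change /TN "\\Microsoft\\Windows\\SystemRestore\\SR" /disable
2215|C:\\Users\\admin\\ransom.exx|wevtutil.exe cl Security
2216|C:\\Users\\admin\\ransom.exx|wevtutil.exe sl Security /e:false
2217|C:\\Users\\admin\\ransom.exx|fsutil.exe usn deletejournal /D C:
3301|C:\\Windows\\System32\\cmd.exe|wevtutil.exe qe Application /c:5
"""

# Each rule pairs a case-insensitive regex with the defensive capability the
# command removes. Note "wevtutil qe" (query) is deliberately NOT matched.
RULES = [
    (r"\bcipher(\.exe)?\s+/w", "wipes free space (anti-forensics)"),
    (r"\bwbadmin(\.exe)?\s+delete\s+catalog", "deletes Windows backup catalog"),
    (r"\bbcdedit(\.exe)?\s.*recoveryenabled\s+no", "disables Windows Recovery Environment"),
    (r"\bbcdedit(\.exe)?\s.*bootstatuspolicy\s+ignoreallfailures", "suppresses boot-failure recovery"),
    (r"\bschtasks(\.exe)?\s.*SystemRestore\\SR.*\s/disable", "disables System Restore task"),
    (r"\bwevtutil(\.exe)?\s+cl\s+\w+", "clears a Windows event log"),
    (r"\bwevtutil(\.exe)?\s+sl\s+\w+\s+/e:false", "disables an event log channel"),
    (r"\bfsutil(\.exe)?\s+usn\s+deletejournal", "deletes NTFS USN change journal"),
]


def scan_events(text):
    """Return one (pid, parent_image, reason) tuple per command line matching a rule."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, image, cmd = line.split("|", 2)
        for pattern, reason in RULES:
            if re.search(pattern, cmd, re.IGNORECASE):
                hits.append((int(pid), image, reason))
                break
    return hits


def suspicious_parents(text, threshold=3):
    """Parent images whose children triggered at least `threshold` distinct rules."""
    per_parent = {}
    for _, image, reason in scan_events(text):
        per_parent.setdefault(image, set()).add(reason)
    return {img: sorted(r) for img, r in per_parent.items() if len(r) >= threshold}
```

A single parent launching several of these commands in quick succession is far more telling than any one of them alone, which legitimate administration scripts also run occasionally.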

The ransomware then begins encrypting all of the data on the computer and appends a victim-specific custom extension to each encrypted file.

As observed below, the custom extension for the Texas Department of Transportation attack was .txd0t.


Furthermore, when finished, the Ransom X console will show the number of encrypted files and how long the encryption took. In every folder scanned during the encryption process, a ransom note named ![extension]_READ_ME!.txt will be created.

This ransom note includes the company name, an email address to contact, and instructions on how to pay the ransom.

As observed below, the ransom note is customized for the specific victim under attack, which in this case is the Texas Department of Transportation.


However, in the Texas case, where the attack had its most significant impact, it should be noted that at the time of the attack it was not known which ransomware had targeted the government agencies.

Because of the limited visibility into this ransomware operation, there is no data on the ransom amounts or on whether the attackers steal data as part of the attack.

This ransomware has now been analyzed and appears to be cryptographically sound, which means it is highly unlikely that the files can be decrypted for free.

Attackers Demand $2.5 Million for Texas Ransomware




The cybercriminals attacked multiple Texas local governments with file-encrypting malware by compromising a service provider's network.

The attackers demanded a ransom of $2.5 million for decrypting all of the local government files, the mayor of one municipality says.

The Department of Information Resources (DIR) has announced that a total of 22 victims have been identified, all of them attacked by a single party.

However, the names of the victim municipalities have not all been disclosed; two municipalities have publicly announced that they were hit.

In a statement released by the city of Borger: "Based on the current state of the forensic investigation, it appears that no customer credit card or other personal information on the City of Borger's systems have been compromised in this attack. No further information about the origins of the attack will be released until the completion of the investigation."

Keene is another city affected by this ransomware attack. Neither administration can currently process card payments or utility disconnections.

The city will inform its citizens as soon as it restarts business and financial services, according to a press release.

State of Texas Hit By a Ransomware Attack; 23 Agencies Shut Down!





The state of Texas was recently hit by a cyber-attack that took 23 government agencies offline.

According to the Texas DIR (Department of Information Resources), most of the affected parties were small local government agencies, which are unnamed so far.

The Texas state networks, however, are still unharmed. The State Operations Center has been working rigorously on the problem.

Sources mention that all the state and federal agencies handling the case indicate that the attack was coordinated by a single actor.

The attack has been categorized as a definite ransomware attack. According to sources, the strain involved was identified as "Nemucod".

The aforementioned ransomware generally "encrypts files and then at the end adds the .JSE extension", a researcher mentioned.

Allegedly, the US has been the target of a great many cyber-attacks of late. With an apparent 53% of the global total, the US has been the most victimized by cyber-attacks.

A state of emergency was declared in Louisiana in July this year in response to a ransomware attack on school computer systems.

The situation is very critical from a cyber-security standpoint, as municipalities falling prey to such attacks, and to ransomware in particular, is not a good sign at all.

Mass-scale attacks and their increase in number are disconcerting on many levels, because, as researchers like to say, threat actors willing to invest this much effort are numerous.