Search This Blog

Showing posts with label ransomware attacks. Show all posts

LockBit Ransomware Emerging as a Dangerous Threat to Corporate Networks


LockBit, a relatively new Ransomware that was first identified performing targeted attacks by Northwave Security in September 2019 veiled as.ABCD virus. The threat actors behind the ransomware were observed to be leveraging brute-force tactics and evasion-based techniques to infect computers and encrypt files until the victim pays the ransom.

LockBit enables attackers to move around a network after compromising it quickly; it exploits SMB, ARP tables, and PowerShell to proliferate the malware through an infected network.

The developers rely on third parties to spread the malware via any means the third party devises. After successfully infecting the network, the attacker redirects the victim to a payment site operated by them. The victim is then subjected to threats of data leak until the ransom is paid to the attackers.

Modus operandi of the attack

The attackers drop the payload that is hidden under the '.text' sections, evading conventional AV's mechanism from catching the file while running a scan in the disk, the file is compressed by the attackers with a unique format.

Upon being executed, the file runs a scan on the entire LAN network and attempts to establish a connection to the hosts via SMB port (445) to spread the infected file across the entire internal network.

Then in order to bypass the need for User Control, the command "C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" is run by an instance of SVCHOST.exe which is running by the process DLLhost.exe.

After that, the 'backup.exe' file executes the payload and encrypts most of the victim's files, changing their extensions to 'lockbit'. In the end, leaving a ransom note under the name 'Restore-My-Files.txt' in various folders on the host.

As per sources, the top targets of LockBit were located in the U.S., the U.K, China, India, Germany, France, and Indonesia. Experts suggest that users worldwide should strengthen their security defenses. It is also recommended to store the backups of important files separately so that it's hard to be accessed through a network.

Giving insights into a particular case, Patrick Van Looy, a cybersecurity specialist for Northwave, told BleepingComputer, "In this specific case it was a classic hit and run. After gaining access through brute-forcing the VPN, the attacker almost immediately launched the ransomware (which he could with the administrator account that he had access to). It was around 1:00 AM that the initial access took place, after which the ransomware was launched, and at around 4:00 AM the attacker logged off. This was the only interaction that we have observed."

Orange Confirms Ransomware Attack Compromising Data of 20 Enterprise Customers


Orange, the fourth-largest mobile operator in Europe has confirmed that it fell prey to a ransomware attack wherein hackers accessed the data of 20 enterprise customers. The attack targeted the 'Orange Business Services' division and was said to have taken place on the night of 4th July and was continued into the next day, ie., 5th July.

Orange is a France based multinational telecommunications corporation having 266 million customers worldwide and a total of 1,48,000 employees. It is a leading provider of global IT and telecommunications services to residential, professional, and large business clients. It includes fixed-line telephone, mobile communications, Internet and wireless applications, data transmission, broadcasting services, and leased line, etc.

The attack was brought to light by Nefilim Ransomware who announced on their data leak site that they acquired access to Orange's data through their business solutions division.

In a conversation with Bleeping Computer, the company said, "Orange teams were immediately mobilized to identify the origin of this attack and has put in place all necessary solutions required to ensure the security of our systems." Orange further told that the attack that occurred on the night of 4th July affected an internal IT platform known as, "Le Forfait Informatique", it was hosting data belonging to 20 SME customers that were breached by attackers, however, there were no traces of any other internal server being affected as a result of the attack. Giving insights, Tarik Saleh, a senior security engineer at DomainTools, said, "Orange certainly followed best practices by promptly disclosing the breach to its business customers, who will need to take all the possible precautions to make their data unusable in future attacks: changing the password of their accounts and looking out for potential phishing or spear-phishing emails."

While commenting on the security incident, Javvad Malik, Security Awareness Advocate at KnowBe4, said that in these times, it is essential, "that organizations put in place controls to prevent the attack from being successful, as even if they have backups from which they can restore, this won't bring back data that has been stolen."

"As part of this, organizations should implement a layered defensive strategy, in particular against credential stuffing, exploitation of unpatched systems, and phishing emails which are the main source of ransomware. This includes having technical controls, the right procedures, and ensuring staff has relevant and timely security awareness and training," he further added.

CNY Works Data Breach: Personal Details of 56,000 Customers Exposed


Social Security numbers, names, and other personal details of around 56,000 individuals were exposed as CNY Works faced a data breach. The data breach potentially affected people who sought employment via the company's services.

CNY Works is a New York-based non-profit corporation working to help businesses and job-seeking individuals with the objective of providing skilled workers to businesses and employment for those seeking a job within Central New York – providing a single entry point for Workforce Information.

The agency started sending letters to all its affected customers, warning them about the security breach – the officials told that files compromised during the attack (likely to be a ransomware attack) on their servers consisted of their names and Security numbers. However, the agency did not spot signs of any data being accessed, viewed, or taken down by the threat actors.

Social Security number is a nine-digit number used to record a person's earnings and verify his identity whenever he starts a new job; having your social security number compromised can lead to identity theft in various ways, cybercriminals can sell people's identities on the dark web marketplaces to highest bidders. In a way, it's like getting your bank account info. stolen, only that you can always get a new bank account number, while new Social Security numbers are rarely issued by the concerned administration.

While addressing the security issue, Lenore Sealy, executive director for CNY Works, said in an email to media outlets, “We are sending notification letters to approximately 56,000 individuals.”

“However, we are notifying individuals out of an abundance of caution. CNY Works has no evidence that any of the personal information for these individuals has been misused, or even that any of the personal information in its possession was accessed or stolen as a result of this incident.” The email further read.

ProLock Ransomware Operators Join Hands with QakBot Trojan to Infect Victims' Networks


'Human-operated ransomware' has been on a rise with the emergence of ProLock in the month of March, the new ransomware came as a successor to 'PwndLocker', another variant of malware targeting all the major industries from finance, retail to healthcare and governmental organizations as well. Notably, in late April, the attack targeting the largest ATM provider in the United States, Diebold Nixdorf was the first major attack carried by ProLock where the attackers only compromised the company's corporate network while their ATMs and customer networks were left untouched, according to the media reports.

In order to acquire access to targets' networks, ProLock has joined hands with financial malware primarily targeting businesses, QakBot. Since its initial online fraud attacks, the banking trojan has constantly evolved to specialize in SOCKS proxy, anti-research capabilities and to effectively steal victims' online banking credentials. The malware has been upgraded so much so that one of its present variants can even incapacitate securing software functioning at the endpoints. Interestingly, the assistance of QakBot that distinguishes the malware from other ransomware operators further strengthens the operations of ProLock as it helps the malware with credential dumping and anti-detection techniques.

ProLock makes use of RDP and QakBot to set the attack into motion, it assists the threat actors in evading detection and with persistence. Researchers told QBot specializes in bypassing detection as it is programmed to check out for its latest version and replace its current version with the newest one. Meanwhile, in order to acquire persistence in the network, the attackers use authentic accounts for RDP. RDP allows the malware to move laterally across networks and accumulate data, which later is exfiltrated through a command-line tool. Side by side, the files are being encrypted by ProLock that adds a .proLock, .pr0Lock or .proL0ck extension to all the encrypted files and leaves a ransom note demanding a ransom in turn for their data. However, as of now, ProLock doesn't have a website to publish victims' stolen data in case they are denied ransom.

“ProLock uses many similar techniques as other ransomware operators to achieve their goals,” said Oleg Skulkin, senior digital forensics analyst at Group-IB in a recent analysis. “At the same time, however, the group does have its own unique approach. With more and more cybercrime groups showing interest in enterprise ransomware deployment campaigns, some operators may be involved in deploying different ransomware families, so we’ll likely see more overlaps in tactics, techniques, and procedures.”

SeaChange, Video Delivery Software Solutions Provider Hit By Sodinokibi Ransomware


SeaChange, a leading supplier of video delivery software solutions has been attacked by the authors of Sodinokibi ransomware. Reportedly, the operators have published images of the data they claim to have obtained after encrypting the systems and are threatening the Waltham, Massachusets based company to leak the stolen data.

SeaChange International has offices in Poland and Brazil, it is a remotely managed video solution provider with around 50 million subscribers across the globe. BBC, DISH, COX, DNA, Quickline, RCN, and Starhub are a few names amongst their 200+ video provider customers.

The cybercriminals behind Sodinokibi ransomware have been actively involved in posting illegally obtained data of victims onto their leak website since 2019 and then demanding a ransom for the release of the same. Lately, attackers have increasingly employed this strategy of building pressure on non-paying victims and converting them into a paying one by releasing the stolen data bit by bit, starting from smaller parts.

In this particular case, the attackers created a webpage by the company's name and published the images of the allegedly stolen data on that page, it contained a screenshot of folders on one of the SeaChange's servers targeted by the attackers, a driver's license, insurance certificates and a cover letter for a proposal sent to Pentagon for video-on-demand service. However, the operators did not specify the ransom amount at that time.

While denying to provide further data, Sodinokibi operators said, "Thank you for your interest and your questions, but I really can't answer. We publish confidential information about companies if they ignore us for a long time or decide not to pay. Otherwise, we are not ready to share any information about them in their own interests, including share which companies we have encrypted, how much data we have stolen, etc."

New Orleans: Mayor Declares State of Emergency after a Cyberattack


The city of New Orleans after being hit by a cyberattack, declared a state of emergency wherein the employees and officials were asked to shut down the computers, power down devices by unplugging and take down all servers as a cautionary measure. As a part of the incident, The Nola.gov website was also down.

Officials suspect the involvement of ransomware as the attacks demanding ransom has become increasingly common in the recent past and ransomware was detected as per Mayor LaToya Cantrell, however, there is no confirmatory lead on the matter as the city has not received any ransom demand from the attackers.

Earlier this year, in November, The State of Louisiana was hit by a ransomware attack which prompted officials to shut down government websites and deactivate other digital services and consequently, a state of emergency was being declared by the governor. As per the sources, it is the gravest cyber attack the state had witnessed till date, it took about two weeks for the authorities to restore all the systems and make them functional again. The attack was followed by aggressive measures being taken by the security officers who classified the attack being a "sophisticated and coordinated" one. As per the latest findings, it remains unclear whether the two attacks are linked to each other or not.

While drawing other correlations, New Orleans Mayor LaToya Cantrell referenced the attack back to one where several school systems in Louisiana were attacked by malware. The compromised school systems were from Sabine, Morehouse, and Ouachita, according to the reports by CNN.

“Out of an abundance of caution, all employees were immediately alerted to power down computers, unplug devices & disconnect from WiFi. All servers have been powered down as well,” stated a tweet from New Orleans’ Office of Homeland Security & Emergency Preparedness.

During a press conference in regard of the matter, Mayor LaToya Cantrell said, “We have a unified command, we’re here with not only our local partners but our state and federal partners as well, which includes our national guard, Louisiana state police, FBI, the state fusion center and secret service."

Three Common Forms of Ransomware Infecting 1,800 businesses, Warns Dutch Govt



Around 1,800 companies are being affected by ransomware across the globe, according to a confidential report by the National Cyber Security Centre (NCSC) in the Netherlands. The report does not specify the names of the affected organizations but indicates that the targeted are the big players from different industries including chemical, health, construction, food, entertainment, and automobile. Most of these companies deal with revenue streams of millions and billions.

In the recent past, ransomware attacks have been on a rise and are being widely publicized as well, but due to the rapid increase in the number of ransomware attacks, many of these go unnoticed and hence unreported. As a result, the number of affected companies as per the NCSC report is likely conservative. Reportedly, the affected organizations are on their own as they recuperate from the attack by either being forced to pay the ransom or resorting to untainted backups to restore files.

NCSC's report enlists three file-encrypting malware pieces namely LockerGoga, MegaCortex, and Ryuk that are to be blamed for the malware penetration, these pieces of malware use a similar digital infrastructure and are "common forms of ransomware." While drawing other inferences, NCSC reckons the utilization of zero-day vulnerabilities for the infection. The dependence upon the same digital infrastructure implies that the attackers setting-up the attacks transferred the threat onto the victim's network via a single network intruder.

Professionals in intruding corporate networks tend to find allies who are involved in ransomware dealings and being experts they are always inclined to spot the best amongst all for whom they gladly pay a lump sum amount of money as salaries on a monthly basis in turn for proficient penetration testers that can potentially travel via infected networks without being detected. Here, the level of access provided determines how high the prices can go up to.

Cybercriminals are not likely to stop spreading ransomware as long as there are victims who are paying the ransom as they have no other option to fall back on, NCSC strictly recommends that organizations strengthen their security net to avoid falling prey to ransomware attacks carried out every now and then these days. 

Finland Municipalities and Government Agencies Prepare for Possible Cyberattack


Finland is adapting to protect itself from a secret criminal organization warning to attack cyber-security if the country fails to pay Bitcoins as the ransom money. 

"Around two hundred Finland government bodies and districts participated in the preparation. The situation reportedly concerns a possible group of hackers asking Bitcoin ransom before prosecuting several attacks on cybersecurity," concludes the reports of YLE. The threats are said to be given by #Tietovuoto321, a crew of criminal hackers. According to reports, the group sent Bitcoin ransom blackmails to more than 200 Finnish government agencies, in response to which the Finland authorities have taken steps.


Organizations prepared for further warnings- The training Taisto is conducted by the Population Register Centre, aiming for supporting the technologization of the nation and computerized assistance in Finland. The Population Register Centre works for the Ministry of Finance. As of now, public agencies and bodies noticed their websites and cybersecurity vulnerable to hacking recently. Therefore, a training program is said to be scheduled in the coming days. "The voluntary bodies have reacted happily," says General Secretary, Population Register Centre. He further says, "The institutions in recent times have started waking up to new attacks daily and it is becoming a matter of concern for the nation."

Cases of Ransomware threats have increased- 
The attacks demanding ransoms have multiplied in recent times. Government bodies have become a simple target for hackers all around the world. In a new report published by Hard Fork, "The American government had to pay the hackers to recover their health institutions' data servers."In a data breach incident last month in Mexico, the hackers demanded Bitcoins valued $4.9 million from a government-owned oil company named Pemex.

But it's not all sad and gloomy. In a surprising change of events recently, a user sufferer of ransomware claimed vengeance on his enemies by hacking the database that supported their virus, publishing 1000 deciphering codes for other victims to help them get their money back. In the present times, it is quite difficult to completely divert such warnings in the actual course, but the training tries to support institutions' capacities to fight an invasion.

Technology Company Hit by Ransomware Attack, Prevented Access to Crucial Patient Records


Virtual Care Provider Inc, a Wisconsin based technology company that provides cloud data hosting, security, and access management to more than 100 nursing homes was hit by a ransomware attack carried out by Russian hackers. The involvement of Ryuk encryption prevented access to crucial medical records of the patients and administration data related to the medication. After encrypting all the data hosted by the company for its patients and clients, attackers demanded a $14 million ransom in bitcoin in turn for a digital key that would unlock access to the data. Unable to afford the ransom, the company owner said that she is fearful of the consequences of the incident which could lead to the premature death of certain patients and the shutdown of her business.

Reportedly, the ransomware was spread via a virus known as 'TrickBot', the company told that it is 'feverishly working' to regain access to crucial data. The officials estimated that about 20% of the company's servers were compromised during the attack.

In a letter addressed to the company's clients, obtained via the Milwaukee Journal Sentinel, Christianson and Koch said that VCPI is "prioritizing servers that provide Active Directory access, email, eMAR, and EHR applications. We will be communicating status updates often and transparently, and, in preparation for service restoration, recommending to you the most efficient manner for your users to regain authenticated access."

Operated by WIZARD SPIDER (eCrime group), Ryuk is a targeted, well-planned and sophisticated ransomware that has targeted large organizations, primarily those that supply services to other businesses. It is employed to target the enterprise ecosystem and has mainly focused on wire fraud in the recent past. Despite having relatively low technical abilities and being under constant development since its release in August 2018, Ryuk has successfully encrypted hundreds of systems, storage and data centers in all the companies it attacked.

VCPI chief executive and owner Karen Christianson said, “We have employees asking when we’re going to make payroll,” “But right now all we’re dealing with is getting electronic medical records back up and life-threatening situations handled first.”

“We’ve got some facilities where the nurses can’t get the drugs updated and the order put in so the drugs can arrive on time,” she further told. “In another case, we have this one small assisted living place that is just a single unit that connects to billing. And if they don’t get their billing into Medicaid by December 5, they close their doors. Seniors that don’t have a family to go to are then done. We have a lot of [clients] right now who are like, ‘Just give me my data,’ but we can’t.”

Windows Security Warning- Ransomware is Rapidly Growing and Got Difficult to Guard Against




Security experts are predicting an unusual rise in ransomware attacks and a strategic change in the cybercrime ecosystem which is directed to evade detection and fail the existing defense mechanisms against it. As the ransomware attacks will expand in scale with a heightened influence, few dominant players currently present are expected to disperse themselves into multiple smaller ones.

Ransomware infects the victim's computer by locking down the hard drive and encrypting the data present onto the system, then the attacker asks the victim to pay the demanded ransom in due time and if the victim fails to do so, the data is gone forever. The virus spreads across infected networks via a worm and encrypts several machines in a row. After an in-depth analysis of various 'Windows security threats' such as coin miners, file-less malware, ransomware, PUAs, banking Trojans, Global cybersecurity company, Bitdefender concluded that out of all, the threat posed by ransomware is growing rapidly. Reportedly, it has grown 74 percent, year on year. GandCrab had been one of the most prevalent and sophisticated ransomware since its arrival in 2018, it kept on strengthening its defense and upgrading its delivery methods to bypass detections. After its death, ransomware experienced its first and indeed a steep fall in the cybercrime ecosystem in terms of severity of a particular threat. However, a new birth means several new players will enter the scene and might hit the security layers even harder than GandCrab, experts have the potential candidates under the radar. One such threat is being anticipated from 'Sodinokibi (aka REvil or Sodin)'.

The upsurge in ransomware attacks in 2019 has led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to declare that it was nearing to qualify as a "large-scale cyber event." According to an August 2019 publication, ransomware "has rapidly emerged as the most visible cybersecurity risk playing out across our nation's networks."

"The fall of GandCrab, which dominated the ransomware market with a share of over 50 percent, has left a power vacuum that various spinoffs are quickly filling. This fragmentation can only mean the ransomware market will become more powerful and more resilient against combined efforts by law enforcement and the cybersecurity industry to dismantle it," the report reads.

Malspam Campaign attacks German organizations with Buran ransomware


As of Oct 2019 researchers have discovered malicious spam (malspam) campaign targeting German organizations that delivered Buran crypto-ransomware family. The emails are crafted so as to appear to be coming from online fax service eFax.

Public reporting indicates that Buran malspam campaigns began on 13 September 2019, corroborated by metadata found in emails and Microsoft Word documents. Then the campaign on 1 October 2019 copied the eFax brand, an online fax service. German organizations were targeted using an email that seemed like it was from eFax and Word document in German.

 Technical Details 

On opening the mail, the user is given a hyperlink, which if clicked directs the user to a PHP page that contains the malicious word document. The document then contains a Visual Basic for Applications (VBA) macro, when enabled, downloads the malicious executable.

On Activation, the Buran ransomware performs the following tasks- (Sc.Itssecure.com)

•Sends an HTTP GET request to hxxp://geoiptool[.]com, in order to determine the location of the victim machine.
•Copies itself to another directory & renames itself to “Isass.exe”, in order to evade being detected by security solutions in place.
•It then utilizes a command shell to establish persistence.
•Further, it modifies the windows registry’s run key, so that “Isass.exe” is executed every time someone logs into the machine.
•It then disables services like windows event log and windows error recovery & automatic repair.
•Finally, it deletes any backups made by Volume shadow copy service (VSS).
•Upon completion of the encryption process, a ransom note is displayed, containing the instructions that need to be followed by the victim, in order to decrypt his files.

These type of malicious spam ransomware campaigns leads to lag in business-critical operations, loss of sensitive and confidential data and financial loss to the organization. Such ransomware keeps surfacing often and can lead to degeneration of an organization and hence organizations should take active measures and protect themselves from such malevolent attacks. The organizations should create strong cybersecurity with updated systems and software and invest in employee training programs, to aware them about malspams, phishing, and other threats.

Cyber security Team Identified Ransomware Utilized to Compromise City Power



Residents of Johannesburg using pre-paid electricity meters were not able to load the electricity purchased from City Power and were also unable to purchase further electricity due to a ransomware attack which compromised City Power's database.

Earlier, City Power said while the variant of ransomware utilized to carry out the attack remains unknown, they have the encrypted network, applications, and database being restored and rebuilt by their ICT department.

Easing off the customers, Isaac Mangena, the utility's spokesperson, said, "We want to assure residents of Johannesburg that City Power systems were able to proactively intercept this and managed to deal with it quicker."

"Customers should also not panic, as none of their details were compromised," Mangena assured.

On Friday, City Power announced that their cybersecurity team identified the variant of malware which temporarily paralyzed the city's computer systems.

Reportedly, the email systems took the hardest hit by the ransomware and were taking a while to recover and be functional again.

While giving updates, Mangena said “The virus samples have been taken to the external labs for analysis and testing,”

“Our IT technicians have also recovered and, in [a] few instances, reconstructed most of the systems,, applications, and data that was threatened, using backup files.”

Victims of the cyber power attack along with the customers, have been raging since the incident happened and encrypted the computer databases, applications and network.

City Power turned to external cyber security experts who worked in association with their team to tackle the issue.


Ransomware Attack Leaves Johannesburg without Power




A key electricity supplier for the largest South African city, Johannesburg, experienced a massive ransomware attack which led to the shutdown of the city's computer systems on Thursday.

In a series of tweets, City Power announced that the ransomware virus encrypted all their databases, applications and networks; all of which is being reconstructed by their ICT department.

They further told that the customers may not be able to access their website and may not be able to purchase electricity units until the issue has been sorted out by their ICT department.

As the website continued to be offline, the victims resorted to social media in order to report the issues occuring with their electricity supplies.

The type of ransomware employed in the attack is still a matter of question, however, with the magnitude, the power of this cyber power attack can be gauged. Besides, restricting customers from buying pre-paid electricity, it also affected the attempts made by City Power to respond to localized blackouts.

Commenting on the matter, a spokesman for City Power said, for the people affected, "These are the people on the pre-paid system[s] and would at any given day buy electricity,"

"Those people were not able to access the system." he added.




Free Scheme, 'The No More Ransom Project' Saving Thousands from Ransomware Attacks


A free scheme known as, 'The No More Ransom project' which was founded by Europol, police in the Netherlands, and McAfee is recorded to have prevented cyber-attack victims from paying heavy ransoms and assisted over 200,000 people in saving approximately $108m (£86m).

Along with advice and recommendations, the project delivers software which is configured to recover computer files that get encrypted during ransomware attacks.

With the introduction of 14 new tools in the year 2019 itself, the project having over 150 global partners can now decrypt a total of 109 variants of infection.

Referencing from the explanation given by, Steven Wilson, head of Europol's European Cybercrime Centre (EC3), “When we take a close look at ransomware, we see how easy a device can be infected in a matter of seconds. A wrong click and databases, pictures and a life of memories can disappear forever. No More Ransom brings hope to the victims, a real window of opportunity, but also delivers a clear message to the criminals: the international community stands together with a common goal, operational successes are and will continue to bring the offenders to justice.”

The project made determined and successful efforts to take down various ransomware campaigns including  GandCrab, which is amongst one of the most hostile ransomware campaigns of all time.

GandCrab continued making headlines in 2018 and in 2019, the cyber world saw an upsurge in the number of ransomware attacks targeting large organizations.

Commenting on the matter, Mr. Woser told BBC, "Projects like No More Ransom have been crucial when it comes to fighting ransomware on a global level, with pretty much all major parties cooperating on a global and daily basis, sharing intel[igence] in real-time - except for the US.

"The US should consider the success of the No More Ransom Project to be a call to action.

"Better cooperation between the private sector and law enforcement could result in fewer ransom demands being paid.

"That would make cyber-crime less profitable and, consequently, reduce the financial incentive for groups to commit cyber-crime."




Ransomware found exploiting former Windows flaw

Researchers at cybersecurity firm Kaspersky have uncovered new encryption ransomware named Sodin (Sodinokibi or REvil) that exploits a recently discovered Windows vulnerability to get elevated privileges in an infected system. The ransomware takes advantage of the architecture of the central processing unit (CPU) to avoid detection - functionality that is not often seen in ransomware.

"Ransomware is a very popular type of malware, yet it's not often that we see such an elaborate and sophisticated version: using the CPU architecture to fly under the radar is not a common practice for encryptors," said Fedor Sinitsyn, a security researcher at Kaspersky.

"We expect a rise in the number of attacks involving the Sodin encryptor, since the amount of resources that are required to build such malware is significant. Those who invested in the malware's development definitely expect if to pay off handsomely," Sinitsyn added.

The researchers found that most targets of Sodin ransomware were found in the Asian region: 17.6 percent of attacks have been detected in Taiwan, 9.8 percent in Hong Kong and 8.8 percent in the Republic of Korea.

However, attacks have also been observed in Europe, North America and Latin America, Kaspersky said, adding that the ransomware note left on infected PCs demands $2500 worth of Bitcoin from each victim.

The vulnerability CVE-2018-8453 that the ransomware uses was earlier found to be exploited by the FruityArmor hacking group. The vulnerability was patched on October 10, 2018, Kaspersky said.

To avoid falling victim to Sodin threats, make sure that the software used in your company is regularly updated to the most recent versions, said Kaspersky researchers.

Security products with vulnerability assessment and patch management capabilities may help to automate these processes, they added.

Hit by Ransomware Attack, US Town Agrees to pay Attackers $600,000 in Bitcoin



Riviera Beach, a small city which is located just north of West Palm Beach, fall prey to a massive cyber attack, wherein the hackers paralyzed the city's computer systems and have asked the city council to pay a $600,000 ransom in Bitcoin in order to have the data released.

With the hope of regaining the access to the encrypted data in the cyber attack, the officials of the Florida town conducted a meeting this week where the council agreed to pay the criminals 65 Bitcoin, a difficult to track currency.

Reportedly, it was after an employee of the town's police division accessed a phishing email, the virus which paralyzed all the computer systems in the city was unleashed.

To spread the word about the ransomware attack amongst the residents, a notice was posted on the city website which stated that they had undergone a data security event and was "working with our internal management team third-party consultants to address all issues."

Commenting on the matter, Mr. Rebholz, a principal for Moxfive, a technology advisory firm, said, “The complexity and severity of these ransomware attacks just continues to increase,”

“The sophistication of these threat actors is increasing faster than many organizations and cities are able to keep pace with.” He added.

A number of American cities have fallen prey to similar, computer-based breaches wherein the attackers demanded heavy ransoms for the restoration of the networks. Recently, Baltimore experienced a similar attack and though they refused to pay the ransom, the attack cost the city $18 million to fix damages.