Search This Blog

Showing posts with label ransomware.. Show all posts

Spanish Government Witnesses Cyber Attack

 

Earlier this morning, the Ministry of Labour and Social Economy of the Spanish government witnessed a cyber-attack. At the moment, Ministry did not comment on the specifications, nature, and severity of the attack. 

According to the official website of the department, the Ministry organizes and supervises Spain’s employment work, social economy, and look after social responsibility policies. This Ministerial Department has an annual budget of around €39 million. 

In the wake of the attack, the IT cyber-researchers at the department – an agency within Spain’s National Intelligence Centre from the National Cryptological Centre together with the Spanish Ministry of Labor and Social Economy (MITES) are investigating the attack and working to restore services. 

“The Ministry of Labor and Social Economy has been affected by a computer attack…” 

“…The technical managers of the Ministry and the National Cryptological Center are working together to determine the origin and restore normality as soon as possible," MITES’ media office said earlier today. 

After the cyber-attack the official website of the Ministry was still accessible, however, the communications office and the multimedia room were down. 

"The computer attack that the Ministry of Labor and Social Economy has suffered has NOT affected the operation of the State Public Employment Service, The Electronic Office, the website, and the set of services continue to be provided normally,"  SEPE reported. 

Furthermore, a government agency of the Spanish, Servicio Público de Empleo Estatal (SEPE) – a part of MITES that took a severe hit by ransomware in March due to which the services of the department were inaccessible for around two weeks – reported that it was not affected by the cyberattack. 

According to the resources, the SEPE department was hit by a Russian Ryuk ransomware gang on March 09, 2021.  As a result, over 700 agency offices across Spain were badly impacted. Besides, the agency’s workstations, the ransomware attack had impacted remote working stations of the department. It should be noted that the Spanish labor agency is the only ministry that has been hit by a ransomware attack in Spain.

Hackers Demand Ransom After Major Cyber-Attack on the Antwerp Laboratory


Algemeen Medisch Laboratorium bvba, (AML) in the Antwerp district of Hoboken was attacked by hackers; the laboratory manages about 3,000 Covid-19 tests daily, which is about 5% of the nation's total. The cyberattacks amid the outbreak of Coronavirus have rampantly increased over the past year and this attack was nothing new but yet another addition to the newly surfaced theme of malware and ransomware attacks in the context of 'COVID-19'. 
 
Hackers attacked the laboratory website by installing ransomware into it, it brought the website to a standstill. As we have seen in the past as well in the case of ransomware attacks - the hackers are demanding a ransom before releasing the website from confinement. 
 
ICT manager Maarten Vanheusden has said, “that after detailed analysis by our security teams, it was decided to disengage the network as a safety measure and by this way we can see what exactly is infected”. He also said by this time there is no information of data being stolen and that they are taking all the precautionary measures. Furthermore, the origins of the attack remain unknown as of now. The traces linked back the hackers to China, Russia, and Iran.  
 
AML is the largest private lab in the country which is dealing with the COVID-19 problem. There is no clarity regarding the purpose of the attack, speculations could not exactly suggest that whether the hackers attacked the laboratory merely for ransom or they have other plans as well as data theft. The case is being handled by the federal Computer Crimes Unit after the lab reported the attack to the Antwerp prosecutor`s office. 
 
This is the second time in December that hackers have attacked the sites related to the Covid-19 pandemic. European Medicines Agency (EMA) was targeted in a cyber-attack; EMA is responsible for assessing and approving vaccines for the European Union. German biotech firm BioNTech said, “that the agency was attacked and some documents which were related to the regulatory submission for Pfizer and BioNTech’s Covid-19 vaccine had been unlawfully accessed". 
 
Hackers are targeting many healthcare and medical organizations especially during this Covid-19 outbreak for demanding ransom as well as to obtain the classified information related to the vaccines.

DeathRansom, started as a mere joke is now encrypting files!


A ransomware strain named DeathRansom, which was considered a joke earlier, evolved and is now capable of encrypting files, cyber-security firm Fortinet reports. This DeathRansom after becoming an actual malware, was backed by a solid distribution campaign and has been taking victims daily in the last two months.

 Initially considered a joke - didn't encrypt anything 

 When it was first reported in Nov 2019, the DeathRansom version didn't encrypt anything and was deemed a mere joke. The infection left a simple ransom note and even though some people fell for the scam and paid the ransom demand, it didn't do much anything else. All the user had to do was to remove the second extension from the file to regain access.

 Now, a new version is released that actually works and will encrypt your files! 

 The developers seems to have evolved the malware further with a solid encryption scheme that works as an actual ransomware. According to Fortinet, "the new DeathRansom strains use a complex combination of Curve25519 algorithm for the Elliptic Curve Diffie-Hellman (ECDH) key exchange scheme, Salsa20, RSA-2048, AES-256 ECB, and a simple block XOR algorithm to encrypt files."

 Researchers and security experts are searching leek ways and implementation faults in the ransomware.

 The DeathRansom Author

 Fortinet examined the DeathRansom source code and the websites distributing the malware payloads and were able to track down the ransomware author and developer. The developer is a malware operator linked to various cyber crimes campaigns over the past few years. Prior to DeathRansom, the malware operator used to infect users with multiple password stealers (Vidar, Azorult, Evrial, 1ms0rryStealer) and cryptocurrency miners (SupremeMiner).

 Fortinet linked these crimes to young Russian named Egor Nedugov, living in Aksay, a small Russian town near Rostov-on-Don. Fortinet said,"They are very confident they found the right man behind DeathRansom, and that they found even more online profiles from the same actor which they didn't include in their report."

 As of now, DeathRansom is being distributed through phishing emails. Fortinet says it's working on finding any faults in the encryption scheme of the ransomware and creating a free decrypter to help victims.