Search This Blog

Showing posts with label AvosLocker. Show all posts

Savannah College of Art & Design Data Breach

 

The Savannah College of Art and Design (SCAD), a private entity in Georgia that accepts students from various states and has a presence in France, may be dealing with a patchwork of state data breach reporting regulations.

Avos Locker states the SCAD was attacked about two weeks ago and a significant amount of data was stolen. The college's network was not encrypted, in contrast to some ransomware attacks; only data was exfiltrated.

The information was found to be a part of a data security incident on August 30. On August 22, experts discovered unauthorized access affecting users' systems. Experts acted quickly to control the situation, and with the aid of a cybersecurity company, they started an inquiry.

Researchers also informed law enforcement about the occurrence. According to the inquiry, on August 22, an unauthorized user obtained access to the network and copied a few files from company systems.

A review of more than 69,000 files and a sample of the exfiltrated data were provided by Avos. The filenames' descriptions, which included names of persons and hints about the files' contents, appear to be what the files are made of. One of the samples student files contained a spreadsheet with more than 60,000 records for both past and present pupils.

More than 15,000 records dating back to 2005 were present in one of the files. Many of the records were for relatively minor offenses that are typical of college students.

Despite being a private institution, SCAD's website states that FERPA rights apply to its students. Schools are not required under FERPA to send out individual notification letters or breach alerts.

Aside from personal data about students, there may also be a problem with student financial aid. The federal Gramm Leach Bliley Act, which enforces security and breach notification requirements, may be implicated if such records were accessed. DataBreaches were unable to identify from the file list in this case whether that law would be applicable.

Avos withheld the amount of the ransom it demanded to erase the stolen data. SCAD did engage in some negotiation, but their goal seemed to be more to purchase time, according to a response it sent to data breaches.SCAD did not answer a question regarding how they handled the situation.




Ransomware Gang Offered a Decryptor After Realizing they Hit a US Government Agency

 

After discovering that they had encrypted a US government agency, the AvosLocker ransomware operation offered a free decryptor. AvosLocker infiltrated a US police department last month, encrypting devices and stealing data during the attack. 

Sophos researchers investigating AvosLocker ransomware deployment discovered that the main process begins with attackers utilising PDQ Deploy to run and execute a batch script on targeted workstations called "love.bat," "update.bat," or "lock.bat." The script issues and executes a series of commands that prepare the machines for the ransomware's release before rebooting into Safe Mode. Windows Safe Mode is an IT support solution for resolving IT issues in which most security and IT administration capabilities are disabled. 

The command sequence takes about five seconds to execute and includes disabling Windows update services and Windows Defender, attempting to disable the components of commercial security software solutions that can run in Safe Mode, installing the legitimate remote administration tool AnyDesk and configuring it to run in Safe Mode while connected to the network, ensuring continued command and control by the attacker, setting up a new account with auto-login details, and then connecting to the target's domain controller in order to remotely access and run the ransomware executable, called update.exe.

“The techniques used by AvosLocker are simple, but very clever. They ensure that the ransomware has the best chance of running in Safe Mode and allow the attackers to retain remote access to the machines throughout the attack,” said Peter Mackenzie, director of incident response at Sophos. 

According to a screenshot released by security researcher pancak3, when they learned the victim was a government entity, they offered a free decryptor. While providing a decryptor to the police department, the ransomware organization declined to offer a list of stolen files or details on how they gained access to the department's network. According to an AvosLocker operation member, they have no strategy on who they target but typically avoid encrypting government agencies and hospitals.

"You should note, however, that sometimes an affiliate will lock a network without having us review it first," the AvosLocker operator said. 

Over the last year, international law enforcement activities have resulted in numerous indictments or arrests of ransomware members and money launderers. These arrests include members of the ransomware groups REvil, Egregor, Netwalker, and Clop. This increased pressure has been proved to have a positive effect, resulting in the shutdown of various ransomware operations, including DarkSide, BlackMatter, Avaddon, and REvil.

Pacific City Bank hit by a Ransomware Attack

 

Pacific City Bank (PCB) is issuing warnings to inform its customers about a security issue discovered on August 30, 2021, which they assert was quickly resolved. 

Pacific City Bank (PCB), one of America's leading Korean-American community financial service providers, has revealed a ransomware attack that occurred last month. 

“PCB responded promptly to disable the activity, investigate its source, and monitor PCB’s network. PCB subsequently became aware of claims that it had been the target of a ransomware attack. On September 7, 2021, PCB determined that an external actor had illegally accessed and/or acquired certain data on its network,” the bank said in a statement. 

On September 7, 2021, PCB's internal investigation into what happened was completed, and it discovered that malicious attackers had stolen the user's Loan application forms, Tax return documents, W-2 information of client firms, Payroll records of client firms, Full names, Addresses, Social Security Numbers, Wage and tax details from their systems. 

According to PCB, not all customers were influenced by such factors because each customer submitted different papers and information that was kept in the compromised systems. Furthermore, it is unknown whether this occurrence impacts the bank's complete clientele or simply a small percentage. 

The receivers of these notices were encouraged to be wary of unsolicited mail and to keep an eye on their bank statements and credit reports for indications of fraud. In addition, the bank has provided Equifax with a one-year free credit monitoring and identity theft protection program, with information on how to sign up included in the letters. 

While the bank didn't mention the ransomware gang responsible for the September attack, AvosLocker has claimed the attack and posted an entry on their information leak website. The event is scheduled for September 4, 2021, therefore the five-day gap could simply be the "grace" period of the opening negotiation round when ransomware operators avoid making public statements. 

There have been no discrepancies in the data that were subsequently placed on the blackmail portal because they show what PCB has now conceded was breached. AvosLocker is among the most recent ransomware operators, having emerged in the wild this summer and soliciting affiliates to join the RaaS on numerous underground sites. 

The group employs a multi-threaded malware strain that allows attackers to encrypt files quickly whereas the attacker deploys the payloads individually. Although the AvosLocker uses text and API obfuscation to avoid static identification, it is otherwise "naked," meaning it lacks a cryptographic layer.

Established in California, PCB, is an American community bank that concentrates on the Korean-American community and provides commercial banking services. It is also the third-largest Korean American bank following Bank of Hope and Hanmi Bank, with branches in eight states.