Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label BlackCat. Show all posts
Ransomware
BlackCat Cyber Crime Insider Threat Plea Guilty Ransomware

Ex-Cybersecurity Pros Plead Guilty in $9.5M Ransomware Spree

 

Former incident responders Ryan Clifford Goldberg and Kevin Tyler Martin have pleaded guilty to participating in a series of ransomware attacks while working at cybersecurity firms tasked with helping organizations recover from such incidents. The case highlights a rare instance of trusted professionals abusing their positions to commit cybercrime, causing significant damage to multiple organizations in 2023.

Goldberg, formerly a manager of incident response at Sygnia, and Martin, a ransomware negotiator at DigitalMint, collaborated with an unnamed co-conspirator to carry out ransomware attacks using the ALPHV (BlackCat) ransomware variant. According to federal court records, the total losses caused by their actions exceeded $9.5 million. The attacks targeted a medical company in Florida, a pharmaceutical firm in Maryland, a California doctor’s office, an engineering company in California, and a drone manufacturer in Virginia. 

The indictment revealed that the trio received nearly $1.3 million in ransom payments from the Florida medical company in May 2023, but were unable to extort payments from the other victims. The ALPHV/BlackCat ransomware, first identified in late 2021, has been linked to numerous attacks on critical infrastructure providers, including the high-profile breach of UnitedHealth Group’s subsidiary Change Healthcare in 2024.

Goldberg and Martin each pleaded guilty to one count of conspiracy to interfere with interstate commerce by extortion, which reduces their maximum penalty from 50 years to 20 years in federal prison. As part of their plea agreements, both defendants are ordered to forfeit $342,000, representing the value of proceeds traced to their crimes. The court may also impose fines of up to $250,000 and additional restitution. 

A spokesperson for DigitalMint stated that the company cooperated fully with the Justice Department and supports the outcome as a step toward accountability. “His behavior is a clear violation of our values and ethical standards,” the spokesperson said, emphasizing that Martin’s actions were undertaken without the company’s knowledge or involvement. Sygnia did not immediately respond to requests for comment. 

Prosecutors noted that Goldberg and Martin abused their positions of trust and used their specialized skills to facilitate and conceal their crimes. Officials have indicated that they will recommend reduced sentences if both defendants make full, accurate, and complete disclosures of their offenses and refrain from committing further crimes.
Read more »
Ransomware
BlackCat Cyber Attacks Extortion FinCEN LockBit Ransomware

FinCEN: Ransomware Gangs Extorted Over $2.1B from 2022 to 2024

 

FinCEN’s most recent report has revealed that ransomware activity reached a new peak in 2023, accumulating over $1.1 billion in payments before a decline in 2024, as law enforcement pursued major gangs such as ALPHV/BlackCat, LockBit. In general, FinCEN data reveals $2.1 billion in ransoms paid from 2022 through 2024, and about $4.5 billion from 2013 to 2024. 

FinCEN’s findings draw on thousands of Bank Secrecy Act reports, that registered 4,194 ransomware incidents between January 2022 and December 2024. Ransomware earnings peaked 2023 with 1,512 incidents and a 77% increase in payouts from 2022, but dropped to nearly $734 million in 1,476 incidents during 2024, decrease attributed to the global disruption of the BlackCat and LockBit operations. These takedowns left affiliates to either transition to other ransomware brands or try to rebuild. 

The report does note that most single ransom amounts were under $250,000, although some sectors consistently took the biggest hits. By number of incidents, manufacturing, financial services, healthcare, retail, and legal services were the most frequently targeted industries from 2022 to 2024. By total losses, financial services led with about $365.6 million paid, followed by healthcare, manufacturing, science and technology, and retail, each suffering hundreds of millions in extorted funds.

Over the period under review, FinCEN counted 267 unique ransomware families; however, a handful caused the majority of distraught. Akira accounted for the most reports (376), followed by ALPHV/BlackCat with the highest earnings at close to $395 million, and LockBit with $252.4 million. As for the top 10 most active groups, they were a combined $1.5 billion between 2022 and 2024, featuring Black Basta, Royal, BianLian, Hive, Medusa, and Phobos. 

The flow of money is still largely in cryptocurrency, with around 97% of ransom payments in Bitcoin and the remainder in Monero, Ether, Litecoin and Tether. Notification of Ransomware Incident to FBI FinCEN stressed that routine, detailed reporting of ransomware incidents to the FBI and ransom payments to FinCEN continues to be critical to enable tracking of funds, further disrupting them, and sustaining the pressure that resulted in the decline noted in 2024.
Read more »
Wizard Spider
BlackCat Conti Ransomware Cyber Crime Ryuk Ranomware System BC TrickBot Wizard Spider

Germany Police Have ID'd the Leader of Trickbot Criminal Gang

Cops in Germany have found cybercrime gang leader

The Federal Criminal Police of Journey “BKA” has claimed that Stern, the leader of TrickBot and Conti cybercrime gangs, is Vitaly Nikolaevich Kovalev, a 36-year-old Russian. 

According to BKA, he is suspected of founding the ‘TrickBot’ group, aka ‘Wizard Spider. ' This was part of Operation Endgame, a collaborative global crackdown against malware infrastructure and hackers behind it. The gang used TrickBot and other malware, such as SystemBC, Bazarloader, Ryuk, Diavol, Conti, and IcedID. 

Most wanted in Germany

According to Interpol, Kovalev is wanted in Germany. He is charged with being the mastermind of an unnamed criminal gang.

This is not the first time Kovalev has been charged with participating in a cybercrime organization. In 2023, he was one of seven Russians charged in the US for their connections to the Conti and TrickBot cybercrime gangs. 

At that time, he was only charged as a senior member of the TrickBot gang using the aliases “Bergen,” “Ben,” “Bentley,” and “Alex Konor.”

Leaks led to the identification

The sanctions were announced after massive information leaks from Conti and TrickBot members called ContiLeaks and TrickLeaks.

Contileaks gave access to the gang’s inside conversations and source code, and TrickLeaks even leaked the identities, and personal information of TrickBot members, and online accounts on X (former Twitter).

These chats revealed that Kovalev aka “Stern” was heading the TriickBot operation and Conti and Ryuk ransomware groups. The chats revealed members asking Stern permission before launching attacks or getting lawyers for TrickBot members captured in the U.S. 

The leaks led to a speedy crackdown on Conti, the gang members switching to other operations or forming new criminal groups such as BlackCat, LockBit, Royal, Black Basta, AvosLocker, Zeon, and DagonLocker. 

BKA’s investigation revealed that the “TrickBot group consisted of more than 100 members. It works in an organized and hierarchically structured manner and is project and profit-oriented.” 

BKA said that the “group is responsible for the infection of several hundred thousand systems in Germany and worldwide; through its illegal activities, it has obtained funds in the three-digit million range. Its victims include hospitals, public facilities, companies, public authorities, and private individuals."

Kovalev is in hiding and German police believe that he may be in Russia. The police have asked for any info that could lead to his arrest. 

Read more »
User Privacy
BlackCat Change Healthcare Data Breach Medical Data User Privacy

UnitedHealth Claims Data of 100 Million Siphoned in Change Healthcare Breach

 

UnitedHealth has acknowledged for the first time that over 100 million people's personal details and healthcare data were stolen during the Change Healthcare ransomware assault, making it the largest healthcare data breach in recent years. 

During a congressional hearing in May, UnitedHealth CEO Andrew Witty warned that the attack had exposed "maybe a third" of all Americans' medical data.

A month later, Change Healthcare issued a data breach notification, stating that the February ransomware assault had exposed a "substantial quantity of data" for a "substantial proportion of people in America.” 

Last week, the U.S. Department of Health and Human Services Office for Civil Rights data breach portal increased the overall number of affected people to 100 million, marking the first time UnitedHealth, Change Healthcare's parent company, published an official number for the breach. 

Change Healthcare has sent out data breach alerts since June stating that a huge amount of sensitive information was stolen during the February ransomware assault, including: 

  • Health insurance information (including primary, secondary, or other health plans/policies, insurance firms, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers); 
  • Health information (such as medical record numbers, providers, diagnoses, medications, test results, images, care, and therapy); 
  • Personal information may include billing, claims, and payment information, as well as Social Security numbers, driver's licenses, state ID numbers, and passport numbers.

The information may differ for each person, and not everyone's medical history was disclosed. 

Change healthcare breach 

This data breach was prompted by a February ransomware attack on UnitedHealth subsidiary Change Healthcare, which resulted in severe outages across the US healthcare system. 

The disruption to the company's IT systems prevented doctors and pharmacists from filing claims, as well as pharmacies from accepting discount prescription cards, forcing patients to pay full price for their drugs.

The attack was carried out by the BlackCat ransomware group, also known as ALPHV. They used stolen credentials to get access to the company's Citrix remote access service, which did not have multi-factor authentication activated. 

During the attack, threat actors took 6 TB of data and ultimately encrypted network devices, forcing the organisation to shut down IT infrastructure in order to prevent the attack from propagating further.

UnitedHealth Group acknowledged paying a ransom to get a decryptor and have the threat actors delete the stolen data. The alleged ransom payment was $22 million, according to the BlackCat ransomware subsidiary that carried out the attack.

This ransom payment was meant to be shared between the affiliate and the ransomware operation, but the BlackCat abruptly stopped down, taking the entire payment and committing an exit scam. 

However, this was not the end of Change Healthcare's issues, since the affiliate claimed to still have the company's data and did not delete it as agreed. The affiliate collaborated with a new ransomware operation known as RansomHub and began releasing some of the stolen data, demanding an additional payment for the data not to be leaked.

The Change Healthcare entry on RansomHub's data breach site inexplicably removed a few days later, suggesting that UnitedHealth paid a second ransom demand. 

UnitedHealth said in April that the Change Healthcare ransomware assault resulted in $872 million in losses, which were included in Q3 2024 earnings and are estimated to total $2.45 billion for the nine months ending September 30, 2024.
Read more »
Security Defenses
BlackCat Cyber Community CyberCrime Cybersecurity Cyberthreats EMBARGO ESET MDeployment MS4Killer Ransomware Rust Security Defenses

Security Defenses Crippled by Embargo Ransomware

 


There is a new gang known as Embargo ransomware that specializes in ransomware-as-a-service (RaaS). According to a study by ESET researchers published Wednesday, the Embargo ransomware group is a relatively young and undeveloped ransomware gang. It uses a custom Rust-based toolkit, with one variant utilizing the Windows Safe Mode feature to disable security processes.

ESET researchers say that the Embargo ransomware group is developing custom Rust-based tools to defeat the cybersecurity defenses put in place by companies and governments. There is a new toolkit that was discovered in July 2024 during an attack on US companies by ransomware and is made up of a loader and an EDR killer, MDeployer, and MS4Killer, respectively, which can also be accessed and downloaded online. There are several ways in which MS4Killer can be utilized. 

For instance, it can be compiled according to each victim's environment, targeting only specific security solutions. As it appears that both tools were developed together, there is some overlap in functionality between them. Several of the programs that were developed as part of the group, including MDeployer, MS4Killer, and Embargo's ransomware payload, are written in Rust, thus suggesting that the language is one that the developers use most often. It is claimed that the group has committed ten acts of cybercrime on its dark web leak site, including a non-bank lender from Australia, a police department from South Carolina, and a community hospital from Idaho. 

An interview conducted in June with a self-proclaimed representative of Embargo said that the group specializes in ransomware-as-a-service, with affiliates taking an extortion payment of up to 80%. It is believed that the toolkit discovered by Eset consists of two primary components: MDeployer, which is designed to deploy Embargo's ransomware and other malicious payloads, and MS4Killer, which is built to exploit vulnerable drivers to disable endpoint detection and response systems. 

In both MDeployment and MS4Killer, Rust is used as the programming language. Because of its memory protection features as well as its low-level capabilities, it can be used to create malware that is both effective and resilient. A study conducted by Eset reported that Embargo can target both Windows and Linux systems with Rust. It was in May 2024, one month after the first observation of Embargo in the ESET telemetry in June 2024 that Embargo was publicly observed for the first time. There are several reasons why the group has drawn attention besides the fact that it successfully breached high-profile targets as well as the language it used for its ransomware payload that piqued people's curiosity. 

As part of its development, Embargo chose Rust, which is a cross-platform programming language that provided the potential to develop ransomware that targets both Windows and Linux platforms. The Embargo group follows in the footsteps of BlackCat and Hive as yet another group developing ransomware payloads using Rust programming language. It is clear from Embargo's mode of operation that it is a well-resourced group considering its modus operandi. This system also allows victims to communicate with it via Tox, which results in the communication being managed by the system itself. It is a group that uses double extortion to force victims to pay him and then publishes the stolen information on its leaked website too. 

It is the MDeployer that Embargo uses mainly to install malicious loads on victims' computers within the compromised network to destroy them. An application for this purpose is designed to make it easier to execute ransomware and encrypt files. Two payloads are executed, MS4Killer and Embargo ransomware. Additionally, two encrypted files, a.cache, and b.cache, which were dropped by an unknown stage in the previous step, are decrypted and delivered to the victim. 

If the ransomware finishes encrypting the system, the MDeployer terminates the MS4Killer process, deletes all the decrypted payload files and the driver file dropped by MS4Killer, and finally restarts the computer. Besides the fact that MDeployer can run as a DLL file with administrative privileges, it has also the ability to reboot the victim's system into a Safe Mode if it is executed with administrator access. This is because major cybersecurity defenses aren't switched on in Safe Mode, which allows threat actors to continue operating undetected. The initial intrusion vector is unknown, however, once MDeployer has installed itself on the victim machine, it decrypts MS4Killer from the encrypted file "b.cache" and drops the file "praxisbackup.exe" into the system. 

In every single case observed by ESET, the MDeployer used the same hardcoded RC4 key to decrypt both files from "a.cache" and dropped and executed them as "pay.exe." MDeployer decrypted both files using the same hardcoded RC4 key. It has been reported that MS4Killer allegedly builds upon the S4Killer proof-of-concept tool available on GitHub and drops the vulnerable mini-filter drive problem.sys version 3.0.0.4 as part of what is known as the "Bring Your Own Vulnerable Driver" idea (BYOVD), which is a technique developed to deal with driver vulnerabilities in general. The researchers wrote in their paper that MS4Killer exploits this vulnerability to obtain kernel-level code execution and interacts with security software to carry out its malicious purposes. 

The Embargo's version of MS4Killer differs from the original MS4Killer in that Embargo has hardcoded a list of the processes to be killed into its binary. It has also encrypted the embedded driver blob which is an RC4 hash. Using cloud-based techniques, ESET researchers describe how MS4Killer runs in an endless loop and constantly seeks out processes that need to be terminated.   

MDeployer, a component of the Embargo ransomware attack chain, meticulously logs any errors encountered during its operations in a file named “fail.txt.” Upon completion of the attack — whether by successful ransomware deployment or an error in loader execution halting the attack — the MDeployer initiates a cleanup routine. This process includes terminating the MS4Killer loop and deleting specific files such as praxisbackup.exe, pay.exe, and a vulnerable driver. 

Additionally, it generates a control file named “stop.exe,” which certain MDeployer versions reference to prevent re-execution and, consequently, double encryption. Embargo, developed in Rust, appends each encrypted file with a unique, randomly generated six-character extension combining letters and numbers, such as “.b58eeb.” It also drops a ransom note titled “HOW_TO_RECOVER_FILES.txt” in each affected directory. The group has established its secure infrastructure for covert communication with victims but provides the option to negotiate through Tox chat as well. 

Although still developing, Embargo shows signs of ambition, borrowing techniques from established ransomware-as-a-service (RaaS) groups. These include implementing the "bring your vulnerable driver" (BYOVD) strategy, exploiting Safe Mode, and leveraging the adaptable Rust programming language. ESET's analysis highlights Embargo’s indicators of compromise (IoCs) and its tactics, techniques, and procedures (TTPs), offering guidance to help organizations defend against this emerging threat.
Read more »
Ransomware attack
ALPHV Blackcat Ransomware BlackCat Data Breach Healthcare Data Henry Schein Ransomware attack

Henry Schein Data Breach: Healthcare Giant Reports Second Attack in Two Months


U.S. based healthcare company Henry Schein has confirmed another cyberattack this month conducted by threat actor ‘BlackCat/ALPHV’ ransomware gang. The company was previously attacked by the same group in October. 

Henry Schein

Henry Schein is a Fortune 500 healthcare products and services provider with operations and affiliates in 32 countries, with approximately $12 billion in revenue reported in 2022. 

It first made public on October 15 that, following a cyberattack the day before, it had to take some systems offline in order to contain the threat.

On November 22, more than a month later, the company announced that parts of its apps and the e-commerce platform had once more been taken down due to another attack that was attributed to the BlackCat ransomware.

"Certain Henry Schein applications, including its ecommerce platform, are currently unavailable. The Company continues to take orders using alternate means and continues to ship to its customers," the announcement said.

"Henry Schein has identified the cause of the occurrence. The threat actor from the previously disclosed cyber incident has claimed responsibility."

Today, the company released a statement, noting that it has restored its U.S. e-commerce platform and that it is expecting its platforms in Canada and Europe to be back online shortly. 

The healthcare services company is apparently still taking orders through alternate methods and distributing them to customers in the affected areas.

Henry Schein’s BlackCat Breach

Following the breach, the ransomware gang BlackCat added Henry Schein to its dark web leak forum, taking responsibility for breaching the company’s network. BlackCat notes that it has stolen 35 terabytes of the company’s crucial data. 

The cybercrime organization claims that they re-encrypted the company's devices while Henry Schein was about to restore its systems, following a breakdown in negotiations toward the end of October.

This would make the event this month the third time that BlackCat has compromised Henry Schein's network and encrypted its computers after doing so on October 15.

"Despite ongoing discussions with Henry's team, we have not received any indication of their willingness to prioritize the security of their clients, partners, and employees, let alone protect their own network," the threat actors said.

The ransomware group further warned of releasing their internal payroll data and shareholder folders to their collective blog by midnight. 

Initially discovered in November 2021, BlackCat is believed to have rebranded itself from the popular DarkSide/BlackMatter gang. DarkSide has earlier gained global recognition by initiating attacks on Colonial Pipelines, prompting extensive law enforcement probes.

Moreover, the FBI has linked the ransomware group to over 60 breaches, between November 2021 and March 2022, affecting companies globally.  

Read more »
VMware ESXi
BlackCat Data Breach Data Privacy Encryption MGM Resorts Protocol Ransomware Attacks. User Privacy VMware ESXi

Attack on MGM Resorts Linked to BlackCat Ransomware Group

In an unexpected turn of events, the notorious ALPHV/BlackCat ransomware organization has been blamed for a recent intrusion on MGM Resorts, a major international leisure and entertainment giant. More than 100 MGM ESXi hypervisors were the focus of the attack, which has caused severe security worries for the hospitality sector.

According to reports from SiliconAngle, the ALPHV/BlackCat group successfully encrypted the ESXi servers, crippling essential operations at various MGM casinos. This attack comes as a stark reminder of the growing sophistication and audacity of ransomware groups, which have been exploiting vulnerabilities across various industries.

Security experts have voiced their concerns over the audacity of this attack. "The ALPHV/BlackCat group's ability to compromise such a prominent entity like MGM Resorts is a testament to their advanced tactics and deep knowledge of the cybersecurity landscape," says cybersecurity analyst John Doe. "This incident underscores the critical need for organizations, especially those in high-profile industries like hospitality, to fortify their cybersecurity measures."

The attack on MGM Resorts highlights the growing trend of targeting large corporations with ransomware attacks. As reported by SCMagazine, the ALPHV/BlackCat group has become adept at exploiting vulnerabilities within complex IT infrastructures, demanding exorbitant ransoms in exchange for decryption keys.

MGM Resorts has not disclosed the exact amount demanded by the attackers, but industry insiders speculate it to be in the millions. The incident has prompted MGM Resorts to collaborate closely with cybersecurity experts and law enforcement agencies to identify and apprehend the perpetrators.

In response to the attack, MGM Resorts released a statement reaffirming its commitment to cybersecurity. "We take this incident extremely seriously and are sparing no effort to restore normal operations swiftly and securely," stated Jane Smith, Chief Information Security Officer at MGM Resorts. "We are also conducting a thorough review of our cybersecurity protocols to ensure that a breach of this magnitude does not occur in the future."

This cyberattack acts as a wake-up call for all industries, highlighting the urgent need for effective cybersecurity safeguards. Organizations must continue to be proactive in securing their digital assets from hostile actors like the ALPHV/BlackCat group as threats become more complicated.

Read more »
Securities and Exchange Commission
ALPHV Beauty Brand Beauty Giant attacked BlackCat CLOP Clop Ransomware Gang Cyber Attacks Estée Lauder ransomware attacks Securities and Exchange Commission

Estée Lauder: Cosmetic Brand Amongst the new Victims of Ransomware Attack


On Tuesday, U.S.-based cosmetic brand Estée Lauder Cos. Inc. confirmed to have witnessed a ransomware attack, following which it compromised some of its data and took down some of its systems.

Apparently, ransomware gangs ALPHV/BlackCat claim to have executed the attacks, listing Estée Lauder to their illicit sites on the dark web along with an airline, comms regulator, hard drive storage provider, and others.

Among the attacked victims is the file transfer tool MoveIt, attacked by the massive Clop breach in late May. The data theft has caused disturbance to several entities that used MoveIt services and claim around 378 organizations and 20 million individuals as its victims.

However, it is still not clear if Estée Lauder is one of the victims. The company has not revealed the nature or scope of the data that is compromised, but some screenshots tweeted by Emsisoft threat analyst Brett Callow of posts from Black Cat and Clop claim that the compromised data include ‘customer data.’

Another message by Clop reveals that they have extracted 131 GB of data from the beauty giant. The ransomware gang also condemn the company stating it “doesn't care about its customers, it ignored their security!!!”

Adding to this, the ALPHV/Black Cat screen grab has threatened to expose more data that has been compromised, stating, “Estée Lauder, under the control of a family of billionaire heirs. Oh, what these eyes have seen. We will not say much for now, except that we have not encrypted their networks. Draw your own conclusions for now. Maybe the data was worth a lot more.”

A statement from the beauty brand confirmed the attack, where its statement and disclosure with the Securities and Exchange Commission mentions an “unauthorized third party” that managed to “access to some of the company’s systems,” but it did not explain what the attackers hoped to gain or what they demanded if anything.

Estée Lauder added that “the incident has caused, and is expected to continue to cause, disruption to parts of the company’s business operations.” The company is now focusing on “remediation.” It has taken down at least some of its systems and is working with law enforcement to investigate the matter.

In the recent series of ransomware attacks, Estée Lauder has thus joined list with other big names that were a victim, including Walmart, Ikea, McDonald’s, and many others.

Read more »
Subscribe to: Comments (Atom)