Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Extortion Group. Show all posts
Scattered Spider
Customer Data Data Breach Extortion Group NCA Ransomware Salesforce Scattered Spider

Salesforce Refuses to Pay Extortion Demand After Alleged Theft of Nearly One Billion Records




Salesforce has confirmed it will not pay a ransom to an extortion group that claims to have stolen close to one billion records belonging to several of its customers. The company stated that it will not enter negotiations or make payments to any threat actor, reaffirming its policy of non-engagement with cybercriminals.


Extortion Group Claims to Have Breached Dozens of Salesforce Customers

The group behind the alleged theft calls itself “Scattered LAPSUS$ Hunters”, a name that appears to blend identities from three notorious cyber-extortion collectives: Scattered Spider, LAPSUS$, and ShinyHunters. Cybersecurity firm Mandiant, owned by Google, has been tracking this activity under the identifier UNC6040, though analysts say the group’s exact origins and membership remain unconfirmed.

According to Mandiant’s June report, the campaign began in May, when attackers used voice-based social engineering, or “vishing,” to trick employees at several organizations using Salesforce’s platform. Pretending to represent technical support teams, the callers persuaded employees to connect an attacker-controlled application to their company’s Salesforce environment. Once integrated, the app provided unauthorized access to stored customer data.

Security researchers described the tactic as simple but highly effective, since it relies on human trust rather than exploiting software vulnerabilities. Several organizations unknowingly granted the attackers access, enabling them to exfiltrate vast amounts of data.

Earlier this month, the extortionists created a leak site listing approximately 40 affected Salesforce customers, including large global firms. The site claimed that 989.45 million records had been compromised and demanded that Salesforce begin ransom negotiations “or all your customers’ data will be leaked.” The attackers added that if Salesforce agreed to pay, other victim companies would not be required to do so individually.

Salesforce, however, made its position clear. In a statement to media outlets, a company spokesperson said, “Salesforce will not engage, negotiate with, or pay any extortion demand.” The company also informed customers via email that it had received credible intelligence about plans by ShinyHunters to release the stolen data publicly, but it would still not yield to any ransom demand.


Broader Concerns Over Ransomware Economics

The incident adds to a growing global debate over ransom payments. Analysts say extortion and ransomware attacks persist largely because organizations continue to pay. According to Deepstrike Security, global ransom payments in 2024 reached $813 million, a decline from $1.1 billion in 2023 but still a major incentive for criminal groups.

Experts such as independent security researcher Kevin Beaumont have repeatedly criticized the practice of paying ransoms, arguing that it directly funds organized crime and perpetuates the cycle of attacks. Beaumont noted that while law enforcement agencies like the UK’s National Crime Agency (NCA) publicly discourage payments, some companies still proceed with negotiations, sometimes even with NCA representatives present.


Risks and Lessons for Organizations

Data stolen from cloud-based platforms like Salesforce may include customer identifiers, contact details, transaction histories, and other business records. Even without financial information, such data can be weaponized in phishing, identity theft, or fraud campaigns.

Security professionals advise all organizations using cloud platforms to implement multi-factor authentication, enforce least-privilege access controls, and review all third-party applications connected to their systems. Employees should be trained to verify unexpected support calls or administrative requests through official channels before granting access.

The Salesforce case underscores the growing sophistication of social engineering attacks targeting major enterprise platforms. As digital ecosystems expand, cybercriminals are increasingly exploiting human error rather than software flaws. Salesforce’s refusal to pay marks a firm stance in an era when ransom-driven extortion continues to dominate the threat landscape, sending a strong message to both the cybersecurity community and the attackers themselves.



Read more »
US Court
Cyber Crime DOJ Extortion Group Ransomware group US Authorities US Court

US Authorities Charge Alleged Key Member of Russian Karakurt Ransomware Outfit

 

The U.S. Department of Justice (DOJ) released a statement this week charging a member of a Russian cybercrime group with financial fraud, extortion, and money laundering in a U.S. court. The 33-year-old Moscow-based Latvian national Deniss Zolotarjovs was extradited to the United States earlier this month after being detained by Georgian authorities in December 2023.

Court records indicate that Zolotarjovs is linked with the ransomware outfit Karakurt, which exfiltrates victim data and holds it hostage until a cryptocurrency ransom is paid. The gang runs an auction portal and leak site where they identify the victim companies and allow users to download stolen data. The group has demanded ransom in Bitcoin ranging from $25,000 to $13 million. 

Previous findings suggest that Karakurt was related to the now-defunct ransomware gang Conti. Researchers believe Karakurt was a side project of the group behind Conti, allowing them to monetise data stolen during attacks when organisations were able to halt the ransomware encryption process. Zolotarjovs allegedly used the alias "Sforza_cesarini" and was an active member of Karakurt. 

He is suspected of engaging with other members, laundering cryptocurrency, and exploiting the group's victims. According to the DOJ, he is the first alleged member of the organisation to be arrested and extradited to the United States. According to court records, Zolotarjovs is involved in attacks on at least six undisclosed US companies. 

Karakurt stole "a large volume of private client data" in one attack in 2021, which included lab results, medical information, Social Security numbers that matched names, addresses, dates of birth, and home addresses. The company negotiated a ransom payment of $250,000 down from Karakurt's initial demand of about $650,000. 

In addition to carrying out open-source research to find phone numbers, emails, or other accounts through which victims could be contacted and pressured to either pay a ransom or re-enter a chat with the ransomware group, Zolotarjovs was probably in charge of negotiating Karakurt's "cold case extortions." 

“Some of the chats indicated that Sforza’s efforts to revive cold cases were successful in extracting ransom payments,” court documents noted.
Read more »
Russian Gang
Cyber Attacks Extortion Group Ransom Payment Ransomware Russian Gang

Black Basta's Ransom Money Surpasses $100 million in Less Than Two Years

 

Researchers have discovered that since the Black Basta ransomware gang first surfaced early last year, victims of its double-extortion attacks have paid the gang more than $100 million. With the haul, which included taking over $1 million from at least 17 victims and $9 million from one victim, the Russian-affiliated gang is now among the highest-ranking ransomware operators. 

Blockchain analytics startup Elliptic and cyber insurance provider Corvus claimed in a joint research post published on November 29 that Black Basta had targeted at least 329 organisations and had received payments totaling at least $107 million from over 90 victims. The researchers said that based on the number of victims in the 2022–2023 period, the gang was the fourth most active strain of ransomware. 

“It should be noted that these figures are a lower bound – there are likely to be other ransom payments made to Black Basta that our analysis is yet to identify – particularly relating to recent victims,” the researchers explained. 

In June, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory stating that LockBit, a "prolific" rival gang, had received $91 million from victims in the United States between early 2020 and mid-2023, which puts the group's earnings into perspective. This year, Black Basta has taken down major victims such as ABB, a Swiss technology company, Capita, a British outsourcing company, and Dish Network. 

The gang is thought to have split off from the Conti Group, a notorious ransomware operator that disbanded last year. It employs double-extortion techniques, stealing confidential information from victims, encrypting their networks, and threatening to release the data if a ransom isn't paid. Qakbot malware was frequently used to spread the Black Basta ransomware. 

According to the Elliptic and Corvus report, Qakbot's botnet was taken down by authorities in August, which could account for the notable decline in Black Basta attacks in the second half of the year. Elliptic researchers discovered links between Black Basta and Qakbot on the Bitcoin blockchain, with parts of ransoms paid to Black Basta being transferred to Qakbot wallets. 

“These transactions indicate that approximately 10% of the ransom amount was forwarded on to Qakbot, in cases where they were involved in providing access to the victim,” the researchers added. “Our analysis of Black Basta’s crypto transactions also provides new evidence of their links to Conti Group. In particular, we have traced Bitcoin worth several million dollars from Conti-linked wallets to those associated with the Black Basta operator.”
Read more »
User Security
Cyber Crime Data Safety Extortion Group Ransomware Ransomware Gang User Security

Ransomware Gang BianLian Switches to Extortion as its Primary Goal

 

The BianLian gang has abandoned its strategy of encrypting files and demanding a ransom in favour of outright extortion. 

Avast, a cybersecurity company, released a free decryptor for BianLian victims in January, which appears to have persuaded the criminals that extortion was the only viable option rather than the ransomware business. 

Threat analysts for cybersecurity firm Redacted stated in a report that BianLian is increasingly choosing to forgo encrypting victims' data and instead concentrate on persuading victims to pay solely using an extortion demand in exchange for BianLian's silence, as opposed to the typical double-extortion model of encrypting files and threatening to leak data. 

Several ransomware organisations are starting to depend less on data encryption and more on extortion. Yet, it appears that that Avast tool served as the catalyst for this gang's action.

The BianLian group boasted that it generated unique keys for each victim in a message posted on its leak site when the security company released the decryptor. They also claimed that Avast's decryption tool was based on a build of the malware from the summer of 2022 and that it would fatally corrupt files encrypted by other builds. 

Since then, the message has been deleted, and BianLian has modified some of its strategies. That includes abandoning the practise of holding the data ransom and the attackers' practise of revealing victim information on their leak site while hiding their identities in an effort to further persuade the victims to pay. 

Concealing victim data

Before the decryptor tool became accessible, they had this strategy in their toolbox, but "the group's use of the technique has exploded with the release of the programme," Redacted researchers Lauren Fievisohn, Brad Pittack, and Danny Quist, director of special projects, noted. 

BianLian contributed 16% of the postings to the group's leak site between July 2022 and mid-January by posting concealed details. Masked victim details were present in 53% of the postings in the two months following the decryptor's publication. Even faster, often within 48 hours of the compromise, they are posting the masked details on the leak site.

In order to put more pressure on the groups, the group is also doing research and increasingly customising its messages to the victims. Several of the messages made mention of the legal and regulatory concerns that businesses would face if a data breach became public, with the rules mentioned appearing to be those that apply to the victim's country of residence.

"With this shift in tactics, a more reliable leak site, and an increase in the speed of leaking victim data, it appears that the previous underlying issues of BianLian's inability to run the business side of a ransomware campaign appear to have been addressed," the researchers added. "Unfortunately, these improvements in their business acumen are likely the result of gaining more experience through their successful compromise of victim organizations." 

Expanding influence

The BianLian gang first appeared in July 2022 and quickly established itself as a serious danger, notably to the IT, engineering, and healthcare sectors, with healthcare accounting for 14 percent of the group's victims (9 percent). As on March 13, the criminals' leak site named 118 victims, according to Redacted. The US accounts for about 71 percent of those victims. 

The malware is built in Go, one of the more recent languages that hackers are using, along with Rust, to escape endpoint security software, avoid detection, and conduct numerous calculations at once. 

The ransomware gang is maintaining its consistency with regard to initial access and lateral movement within a victim's network even though some of its strategies have changed. The bespoke Go-based backdoor has undergone certain modifications, but its fundamental functioning has not changed, according to the research. 

The researchers wrote that Redacted, which has been tracking BianLian since last year, is also getting a view of the close relationship between the backdoor deployment and the command-and-control (C2) server, which suggests that "by the time a BianLian C2 is discovered, it is likely that the group has already established a solid foothold into a victim's network." 

Each C2 server is active for roughly two weeks when it is brought online by the threat group, which deploys almost 30 new C2 servers each month.
Read more »
User Security
Cyber Attacks Datatheft Extortion Group Ransomware US Agencies User Security

Hive Ransomware Operators Extort $100m from Over 1,300 Firms Worldwide

 

The operators behind the Hive ransomware-as-a-service (RaaS) model have launched assaults against over 1,300 firms across the globe and received approximately $100 million in ransom payments as of November 2022, US government agencies stated in an alert. 

Active since June 2021, the malicious ransomware model has been employed in assaults against enterprises and critical infrastructure entities, including healthcare, government, communications, IT, and manufacturing organizations. 

"Hive ransomware has targeted a wide range of businesses and critical infrastructure sectors, including government facilities, communications, critical manufacturing, information technology, and — especially — Healthcare and Public Health (HPH)," read the joint advisory by the FBI, the US Cybersecurity and Infrastructure Security Agency, and the Department of Health and Human Services.

Modus Operandi 

Hive's RaaS campaign involves a mix of operators, who design and manage the malware, and affiliates, who are responsible for launching the assaults on victim networks by often purchasing initial access from initial access brokers (IABs). 

In most scenarios, securing a foothold involves the exploitation of ProxyShell vulnerabilities in Microsoft Exchange Server, followed by the detection and termination of processes linked to antimalware, backups, file copying, and deleting Windows event logs. 

Subsequently, the ransomware designs a file with the .key extension in the root directory – this file, which is unique to the system it was created on, is required for decryption. A ransom note is dropped into each exploited directory, warning targets not to tamper with the .key file, as that would restrict them from data recovery, and also asks victims to contact the hackers via live chat on a website accessible via the Tor browser. 

The ransomware actor also threatens victims that, if a ransom is not paid, data would be leaked publicly on the Tor site ‘HiveLeaks’. Threat analysts also detected crooks employing anonymous file-sharing sites to publish siphoned data. 

"Hive actors have been known to reinfect — with either Hive ransomware or another ransomware variant — the networks of victim organizations who have restored their network without making a ransom payment," the advisory further reads. 

According to the recent report published by cybersecurity firm Malwarebytes, the ransomware targeted seven victims in August 2022, 14 in September, and two other organizations in October, marking a fall in the operations from July, when the gang targeted 26 victims.
Read more »
Ransomware attack
Conti Conti Ransomware Cyber Attacks Extortion Group Ransomware attack

Karakurt Hacking Group Linked to Conti and Diavol Ransomware Crew

 

Cybersecurity researchers from Arctic Wolf Networks published a blog post on Friday claiming that the cyber extortion group Karakurt is operationally associated with both the Conti and Diavol ransomware groups, operating as an exfiltration arm of the ransomware organizations. 

In a blog post, researchers said since its first attacks in August 2021, Karakurt hacking group has targeted more than 40 organizations in a number of industries in at least eight nations.

In conducting the in-depth research Tetra Defense, an Arctic Wolf firm, collaborated with Chainalysis and Northwave to examine the cryptocurrency wallets tied to the Karakurt hacker group, combined with their specific technique for data theft. The analysis confirmed that the group's membership overlaps with the Conti and Diavol ransomware crews. 

Tetra's report reveals the experience of a client firm that was targeted by the Conti group, and subsequently targeted again by a data theft perpetrated by the Karakurt hacking group. The analysis confirmed that the Karakurt attack employed an identical backdoor to exploit the client's systems as the earlier Conti assault. These associations debunk the Conti group’s assurance to victims that paying the ransom will shield them from future assaults.

"Such access could only be obtained through some sort of purchase, relationship, or surreptitiously gaining access to Conti group infrastructure," Tetra explained in its report. 

It is essential to distinguish the several types of cyber assault described right here, according to Tetra. In a ransomware attack, critical information is encrypted and the ransom is paid in exchange for a decryption key so that the victim can recover its data and resume operating. In a data theft, which has been the sole type of attack orchestrated by the Karakurt group, threat actors steal sensitive corporate data and demand money in exchange for not releasing it. 

The Karakurt attacks of this type — there have been more than a dozen to date, according to Tetra — also employed cryptocurrency wallets associated with Conti victim payment addresses, further strengthening the argument that the two groups' membership may overlap significantly. 

“Traditionally, we have seen the criminals honor their offers,” Nathan Little, senior vice chairman of digital forensics and incident response at Tetra stated. “Early on, when these [data theft attacks] began in 2019, it was widespread that corporations had been frightened sufficient that they’d pay, to not cover the incident, however to keep away from the results.”
Read more »
Subscribe to: Posts (Atom)