
Businesses Hit By The Ransomware 0mega


Launched in May 2022, the new ransomware operation known as 0mega uses a double-extortion method against corporations all over the world and demands millions of dollars in ransom.

Since no sample of the 0mega ransomware has yet been obtained, little is known about the encryption method it uses. What is known, according to BleepingComputer, is that the malware appends the .0mega extension to encrypted file names and drops ransom notes whose file names end in DECRYPT-FILES.txt.
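An added triage helper (not from the original post or from any vendor) that uses only the two indicators named above: it walks a file listing, classifies files by the .0mega extension or the DECRYPT-FILES.txt note suffix, and groups hits per directory so a responder can scope an incident; the sample paths are constructed.

```python
import os
from collections import defaultdict

# Indicators reported for 0mega in the post above (the only two known so far):
# encrypted files carry the ".0mega" extension, ransom notes end in "DECRYPT-FILES.txt".
ENCRYPTED_SUFFIX = ".0mega"
NOTE_SUFFIX = "decrypt-files.txt"


def classify(path):
    """Return 'encrypted', 'note' or None for one file path (case-insensitive)."""
    name = os.path.basename(path).lower()
    if name.endswith(NOTE_SUFFIX):
        return "note"
    if name.endswith(ENCRYPTED_SUFFIX):
        return "encrypted"
    return None


def triage(paths):
    """Group 0mega indicators by directory to scope the blast radius.

    Returns overall counts plus per-directory counts. 'note_only_dirs' counts
    directories holding a ransom note but no encrypted files; those deserve a
    closer look (encryption interrupted, or files already restored).
    """
    per_dir = defaultdict(lambda: {"encrypted": 0, "notes": 0})
    for p in paths:
        kind = classify(p)
        if kind is None:
            continue
        d = os.path.dirname(p) or "."
        per_dir[d]["notes" if kind == "note" else "encrypted"] += 1
    note_only = sum(1 for v in per_dir.values() if v["notes"] and not v["encrypted"])
    return {
        "dirs": dict(per_dir),
        "encrypted": sum(v["encrypted"] for v in per_dir.values()),
        "notes": sum(v["notes"] for v in per_dir.values()),
        "note_only_dirs": note_only,
    }


def triage_tree(root):
    """Walk a real directory tree (e.g. a mounted share) and triage every file."""
    return triage(os.path.join(dp, f) for dp, _, files in os.walk(root) for f in files)


if __name__ == "__main__":
    # Constructed sample listing, not taken from any real incident.
    print(triage(["/srv/share/finance/q1.xlsx.0mega", "/srv/share/finance/DECRYPT-FILES.txt",
                  "/srv/share/hr/ACME-DECRYPT-FILES.txt", "/srv/share/hr/handbook.pdf"]))
```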

The ransom notes are tailored to each victim and typically include the name of the business and a list of the kinds of data that were stolen. Some notes add that, if the ransom is not paid, the 0mega gang will disclose the information to the victim's commercial partners and trade associations.

Victims can contact the group through the "help" chat feature of the Tor payment negotiation site linked in the ransom note, which also contains a unique code used to reach the operators on that site.

Like practically all ransomware operations that target businesses, 0mega runs a data leak site where the actors publish stolen information if a ransom is not paid. 152 GB of data stolen from an electronics repair business in a May incident is currently hosted on 0mega's leak site.

Last week a second victim was listed but has since been removed, suggesting that the business may have paid a ransom. In the blog post The digest 'Crypto ransomware', researchers Lawrence Abrams and Andrew Ivanov discuss the malware in detail.

French Authorities Have Detained a Suspect in Case of Money Laundering of €19 Million


This week, French authorities apprehended a suspect under suspicion of laundering more than €19 million ($21.4 million) in ransomware extortion payouts. 

Law enforcement agencies have not revealed the suspect's name, describing him only as a person from the Vaucluse area in southeast France, nor the name of the ransomware operation he worked with.

This week's arrest comes as law enforcement agencies around the world have begun to collaborate and crack down on ransomware activity after years of recurrent attacks, many of which have repeatedly disrupted government agencies and private sector organizations.

This year has seen several crackdowns targeting ransomware gangs, including: 

  • February – The arrest of Egregor/Maze members in Ukraine. 

According to French radio station France Inter, members of the Egregor ransomware cartel were apprehended in Ukraine. A law enforcement operation had already been confirmed by sources in the threat intelligence community. The Egregor gang, which reportedly began operations in September 2020, follows a Ransomware-as-a-Service (RaaS) model: it rents out access to its ransomware strain but depends on other cybercrime gangs to break into corporate networks and deploy the file-encrypting malware.

  • March – The arrest of a GandCrab affiliate in South Korea. 

South Korean national police announced the arrest of a 20-year-old accused of spreading the GandCrab ransomware and infecting victims with it. The accused, whose identity has not been revealed, was a client of the GandCrab Ransomware-as-a-Service (RaaS) cybercrime organization. Police described the suspect as an affiliate, or distributor, who obtained copies of the GandCrab ransomware and spread them via email to victims around South Korea.

  • June – The arrest of a group of Ukrainian money launderers who worked with the Clop gang.

Members of the Clop ransomware gang apprehended in Ukraine as part of an international law enforcement operation also provided money-laundering services to other cybercrime organizations. According to cryptocurrency exchange Binance, the group was involved both in cyber-attacks and in "a high-risk exchanger" that laundered funds for the Clop ransomware gang and other criminal groups.

  • September – Sanctions against Suex, a Russian crypto-exchange used to process ransomware payments.

Suex, a cryptocurrency exchange incorporated in the Czech Republic but run from Russia, was sanctioned by the US Treasury. According to a blockchain analysis company, Suex has helped ransomware and other cybercrime organizations launder more than $160 million in stolen assets, and has processed ransom payments to gangs such as Conti, Ryuk, and Maze.

  • October – The arrest of 12 suspects behind the LockerGoga ransomware. 

According to Europol, twelve members of a ransomware cell were apprehended in Ukraine and Switzerland. The accused are suspected of orchestrating the ransomware attack that crippled Norsk Hydro in 2019; the group was linked to 1,800 ransomware attacks in 71 countries.

  • November – The arrest of a REvil affiliate in Ukraine for the Kaseya attack. 

The US Department of Justice charged a 22-year-old Ukrainian national with coordinating the ransomware attacks against Kaseya servers on July 4th of this year.

  • December – The arrest of a Canadian citizen for the attack against an Alaskan healthcare provider. 

Canadian authorities arrested an Ottawa resident on suspicion of organizing ransomware attacks, dating back to 2018, on commercial companies and government agencies in Canada and the United States.

New 'SnapMC' Hacker Group Breaches Networks in Under 30 Minutes


Cybersecurity researchers have unearthed a new threat group, known as SnapMC, that gains access to a company's network, steals its sensitive data and demands a ransom to keep it from being leaked.

According to NCC Group's Threat Intelligence team, SnapMC has not yet been linked to any known threat actor. The name is derived from the actor's lightning-fast intrusions, typically completed in under 30 minutes, and the exfiltration tool mc.exe it uses.

To gain entry, SnapMC scans for multiple vulnerabilities in both web servers and VPN solutions. In particular, the group exploits the so-called Blue Mockingbird vulnerability that affects older versions of Telerik UI for ASP.NET applications.

Once inside, the group sends extortion emails to its victims. Typically, a victim is given 24 hours to respond to the email and another 72 hours to negotiate a ransom payment; the actors include a list of stolen data as evidence that they have gained access to the victim's infrastructure.

To pressure victims into negotiating, the group releases small portions of the data, threatens to leak the files online, and threatens to inform media outlets of the breach or notify the victim's customers about the hack.

“There are multiple reasons for the success of these attacks: First, regulation and public awareness make victims more inclined to have the certainty of containing the incident by paying,” said Christo Butcher, global head for threat intelligence at the NCC Group Research and Intelligence Fusion Team. “Second, the threat actors behind various data breach extortion attacks are gaining more experience with every breach and subsequent extortion negotiation, which allows them to improve their skills in both negotiating as well as understanding the mindset of their victims.”

SnapMC does not deploy ransomware, despite having access to a victim's internal network; the researchers observed while tracking the group that it focuses solely on data exfiltration and the subsequent extortion.

Earlier this week, the researchers published a technical report describing the tools and methodologies SnapMC employs in its intrusions, in the hope that organizations deploy proper defenses.

NCC Group recommends that organizations keep all their web-facing assets up to date, which helps mitigate the risk. Gaining visibility into vulnerable software and putting effective detection and response capabilities in place also help in countering these attacks.

Leaked Apple Schematics & Extortion Threats Removed From Dark Web


According to MacRumors, the ransomware group that stole schematics from Apple supplier Quanta Computer last week and threatened to release the trove of documents has mysteriously deleted all references to the extortion attempt from its dark web blog.

Last Tuesday, the ransomware group REvil claimed that it had gained access to Quanta's internal computers and obtained photographs and schematics of unreleased Apple products. The group demanded $50 million from Quanta for the return of the data. However, according to a statement posted on the group's website on April 20, Quanta declined to pay the ransom, which led the criminals to turn their attention to Apple.

To prove they had breached Quanta's servers and to increase the pressure on Apple, the hackers publicly posted a handful of images of unreleased product schematics: 21 images in total, showing features of an alleged upcoming MacBook Pro, including an SD card slot, an HDMI port, and a MagSafe charger.

Unless Apple paid the $50 million ransom in return for removal of the files, the group threatened to publish new data every day leading up to May 1. The extortion attempt was timed to coincide with Apple's "Spring Loaded" digital event on April 20, at which the company unveiled AirTag item trackers, new iPad Pro models, and new iMacs. Despite the threat, no further stolen documents have been leaked online since the original demand was made public.

REvil is not known for bluffing and regularly publishes stolen documents when its victims do not pay, so it is unclear why the group did not follow through this time. According to MacRumors, the photos were mysteriously deleted from their dark web location. The group has not said why, and all references to the blackmail attempt have been removed.

Apple has yet to comment on the breach, although it has a history of refusing to deal with hackers. When a hacker group tried to extort money from Apple in 2017 by holding consumer data hostage, the company stated, "We do not reward cybercriminals for violating the law."

The group is still aggressively extorting other businesses, so it is unclear what prompted it to delete all material related to the Quanta hack.