Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Extortion. Show all posts
Ransomware
AI Anthropic Cyber Crime Extortion Ransomware

Cybercriminals Weaponize AI for Large-Scale Extortion and Ransomware Attacks

 

AI company Anthropic has uncovered alarming evidence that cybercriminals are weaponizing artificial intelligence tools for sophisticated criminal operations. The company's recent investigation revealed three particularly concerning applications of its Claude AI: large-scale extortion campaigns, fraudulent recruitment schemes linked to North Korea, and AI-generated ransomware development. 

Criminal AI applications emerge 

In what Anthropic describes as an "unprecedented" case, hackers utilized Claude to conduct comprehensive reconnaissance across 17 different organizations, systematically gathering usernames and passwords to infiltrate targeted networks.

The AI tool autonomously executed multiple malicious functions, including determining valuable data for exfiltration, calculating ransom demands based on victims' financial capabilities, and crafting threatening language to coerce compliance from targeted companies. 

The investigation also uncovered North Korean operatives employing Claude to create convincing fake personas capable of passing technical coding evaluations during job interviews with major U.S. technology firms. Once successfully hired, these operatives leveraged the AI to fulfill various technical responsibilities on their behalf, potentially gaining access to sensitive corporate systems and information. 

Additionally, Anthropic discovered that individuals with limited technical expertise were using Claude to develop complete ransomware packages, which were subsequently marketed online to other cybercriminals for prices reaching $1,200 per package. 

Defensive AI measures 

Recognizing AI's potential for both offense and defense, ethical security researchers and companies are racing to develop protective applications. XBOW, a prominent player in AI-driven vulnerability discovery, has demonstrated significant success using artificial intelligence to identify software flaws. The company's integration of OpenAI's GPT-5 model resulted in substantial performance improvements, enabling the discovery of "vastly more exploits" than previous methods.

Earlier this year, XBOW's AI-powered systems topped HackerOne's leaderboard for vulnerability identification, highlighting the technology's potential for legitimate security applications. Multiple organizations focused on offensive and defensive strategies are now exploring AI agents to infiltrate corporate networks for defense and intelligence purposes, assisting IT departments in identifying vulnerabilities before malicious actors can exploit them. 

Emerging cybersecurity arms race 

The simultaneous adoption of AI technologies by both cybersecurity defenders and criminal actors has initiated what experts characterize as a new arms race in digital security. This development represents a fundamental shift where AI systems are pitted against each other in an escalating battle between protection and exploitation. 

The race's outcome remains uncertain, but security experts emphasize the critical importance of equipping legitimate defenders with advanced AI tools before they fall into criminal hands. Success in this endeavor could prove instrumental in thwarting the emerging wave of AI-fueled cyberattacks that are becoming increasingly sophisticated and autonomous. 

This evolution marks a significant milestone in cybersecurity, as artificial intelligence transitions from merely advising on attack strategies to actively executing complex criminal operations independently.
Read more »
Windows
AI Android Apple Extortion Internet malware Ransomware Windows

Latest Malware "Mamona" Attacks Locally, Hides by Self Deletion

Latest Malware "Mamona" Attacks Locally, Hides by Self Deletion

Cybersecurity experts are tracing Mamona, a new ransomware strain that is famous for its stripped-down build and silent local execution. Experts believe that the ransomware prevents the usual command-and-control (C2) servers, choosing instead a self-contained method that moves past tools relying on network traffic analysis.  

The malware is executed locally on a Windows system as a standalone binary file. The offline approach reveals a blind spot in traditional defenses, raising questions about how even the best antivirus and detection mechanisms will work when there is no network.

Self-deletion and escape techniques make detection difficult

Once executed, it starts a three-second delay via a modified ping command, ”cmd.exe /C ping 127.0.0.7 -n 3 > Nul & Del /f /q.” After this, it self-deletes. The self-deletion helps to eliminate forensic artifacts that make it difficult for experts to track or examine the malware after it has been executed. 

The malware uses 127.0.0.7 instead of the popular 127.0.0.1, which helps in evading detection measures. This tactic escapes simple detection tests and doesn’t leave digital traces that older file-based scanners might tag. The malware also drops a ransom note titled README.HAes.txt and renames impacted files with the .HAes extension. This means the encryption was successful. 

“We integrated Sysmon with Wazuh to enrich logs from the infected endpoint and created Wazuh detection rules to identify malicious behaviour associated with Mamona ransomware,” said Wazuh in a blog post.

Spotting Mamona

Wazuh has alerted that the “plug-and-play” nature of the malware makes it easy for cybercriminals and helps in the commodization of ransomware. This change highlights an urgent need for robust inspections of what stands as the best ransomware protection when such attacks do not need remote control infrastructure. Wazu’s method to track Mamona involves combining Sysom for log capture and employing custom rules to flag particular behaviours like ransom note creation and ping-based delays.

According to TechRadar, “Rule 100901 targets the creation of the README.HAes.txt file, while Rule 100902 confirms the presence of ransomware when both ransom note activity and the delay/self-delete sequence appear together.”

Read more »
Ransomware
AI Cyber Security Dark Web Extortion Internet Ransomware

Investigation Reveals Employee Secretly Helped in Extortion Payments

Investigation Reveals Employee Secretly Helped in Extortion Payments

Employee helped in ransomware operations

Federal agents are investigating allegations that a former employee of a Chicago-based firm, DigitalMint, which specializes in cryptocurrency payments and ransomware negotiations, may have profited by collaborating with hackers in extortion cases. Founded in 2014, DigitalMint operates under the name Red Leaf Chicago and is recognized for securing cryptocurrency payments for companies that face ransomware threats. 

About DigitalMint

DigitalMint has taken over 2,000 ransomware cases since 2017, offering services like direct negotiations with hackers and incident response. The clients range from small firms to Fortune 500 companies. 

DigitalMint President Marc Jason told partner firms that the US Department of Justice (DoJ) is investigating the allegations. The employee (identity unknown) was sacked soon after the scam was found. According to Bloomberg, Grens said, “As soon as we were able, we began communicating the facts to affected stakeholders.” 

About the investigation

DigitalMint is currently working with the DoJ, and it clarified that the company is not the target of investigation. Grens did not provide more details as the investigation is ongoing. The DoJ declined to offer any comments. 

The incident has led a few firms to warn clients against dealing with DigitalMint, concerned about the dangers involved in ransomware deals. Ransomware attacks can compromise systems, leak sensitive information, and encrypt data. The ransom demands sometimes go upto millions of dollars, worldwide, the extortion attacks cost billions of dollars every year.

Is ransomware negotiation worth it?

The controversy has also raised questions about conflicts of interest in the ransomware negotiation industry. According to James Talientoo, chief executive of the cyber intelligence services company AFTRDRK, “A negotiator is not incentivized to drive the price down or to inform the victim of all the facts if the company they work for is profiting off the size of the demand paid. Plain and simple.”

Security experts cautioned that paying ransom is a dangerous effort, even when done by expert ransom negotiation firms. A payment helps in furthering the operations of ransomware gangs, and sometimes it can also lead to further attacks.

Read more »
North Korea
AI Artificial Intelligence Cloud Cyber Crime Data Deepfakes Extortion Internet lazarus North Korea

Amid Federal Crackdown, Microsoft Warns Against Rising North Korean Jobs Scams

Amid Federal Crackdown, Microsoft Warns Against Rising North Korean Jobs Scams

North Korean hackers are infiltrating high-profile US-based tech firms through scams. Recently, they have even advanced their tactics, according to the experts. In a recent investigation by Microsoft, the company has requested its peers to enforce stronger pre-employment verification measures and make policies to stop unauthorized IT management tools. 

Further investigation by the US government revealed that these actors were working to steal money for the North Korean government and use the funds to run its government operations and its weapons program.  

US imposes sanctions against North Korea

The US has imposed strict sanctions on North Korea, which restrict US companies from hiring North Korean nationals. It has led to threat actors making fake identities and using all kinds of tricks (such as VPNs) to obscure their real identities and locations. This is being done to avoid getting caught and get easily hired. 

Recently, the threat actors have started using spoof tactics such as voice-changing tools and AI-generated documents to appear credible. In one incident, the scammers somehow used an individual residing in New Jersey, who set up shell companies to fool victims into believing they were paying a legitimate local business. The same individual also helped overseas partners to get recruited. 

DoJ arrests accused

The clever campaign has now come to an end, as the US Department of Justice (DoJ) arrested and charged a US national called Zhenxing “Danny” Wanf with operating a “year-long” scam. The scheme earned over $5 million. The agency also arrested eight more people - six Chinese and two Taiwanese nationals. The arrested individuals are charged with money laundering, identity theft, hacking, sanctions violations, and conspiring to commit wire fraud.

In addition to getting paid in these jobs, which Microsoft says is a hefty payment, these individuals also get access to private organization data. They exploit this access by stealing sensitive information and blackmailing the company.

Lazarus group behind such scams

One of the largest and most infamous hacking gangs worldwide is the North Korean state-sponsored group, Lazarus. According to experts, the gang extorted billions of dollars from the Korean government through similar scams. The entire campaign is popular as “Operation DreamJob”. 

"To disrupt this activity and protect our customers, we’ve suspended 3,000 known Microsoft consumer accounts (Outlook/Hotmail) created by North Korean IT workers," said Microsoft.

Read more »
Social Engineering
Cyber Attacks Extortion FBI Luna Moth Ransomware attack Social Engineering

FBI Warns of Luna Moth Ransomware Attacks Targeting U.S. Law Firms

 

The FBI said that over the last two years, an extortion group known as the Silent Ransom Group has targeted U.S. law firms through callback phishing and social engineering tactics. 

This threat outfit, also known as Luna Moth, Chatty Spider, and UNC3753, has been active since 2022. It was also responsible for BazarCall campaigns, which provided initial access to corporate networks for Ryuk and Conti ransomware assaults. Following Conti's shutdown in March 2022, the threat actors broke away from the cybercrime syndicate and created their own operation known as the Silent Ransom Group.

In recent attacks, SRG mimics the targets' IT help via email, bogus websites, and phone conversations, gaining access to their networks via social engineering tactics. This extortion group does not encrypt victims' systems and is infamous for demanding ransoms in order to keep sensitive information stolen from hacked devices from being leaked online. 

"SRG will then direct the employee to join a remote access session, either through an email sent to them, or navigating to a web page. Once the employee grants access to their device, they are told that work needs to be done overnight," the FBI stated in a private industry notification.

"Once in the victim's device, a typical SRG attack involves minimal privilege escalation and quickly pivots to data exfiltration conducted through 'WinSCP' (Windows Secure Copy) or a hidden or renamed version of 'Rclone.'” 

After acquiring the victims' data, they use ransom emails to blackmail them, threatening to sell or publish the information. They frequently call employees of breached organisations and force them into ransom negotiations. While they have a dedicated website for disclosing their victims' data, the FBI claims the extortion ring does not always followup on its data leak promises. 

To guard against these attacks, the FBI recommends adopting strong passwords, activating two-factor authentication for all employees, performing regular data backups, and teaching personnel on recognising phishing efforts.

The FBI's warning follows a recent EclecticIQ report detailing SRG attacks targeting legal and financial institutions in the United States, with attackers observed registering domains to "impersonate IT helpdesk or support portals for major U.S. law firms and financial services firms, using typosquatted patterns.”

A recent EclecticIQ report about SRG attacks against American legal and financial institutions revealed that the attackers were registering domains to "impersonate IT helpdesk or support portals for major U.S. law firms and financial services firms, using typosquatted patterns." The FBI issued the warning in response to this information. 

Malicious emails with fake helpdesk numbers are being sent to victims, prompting them to call in order to fix a variety of non-existent issues. On the other hand, Luna Moth operators would try to deceive employees of targeted firms into installing remote monitoring & management (RMM) software via phoney IT help desk websites by posing as IT staff.

Once the RMM tool is installed and started, the threat actors have direct keyboard access, allowing them to search for valuable documents on compromised devices and shared drivers, which will then be exfiltrated via Rclone (cloud syncing) or WinSCP (SFTP). According to EclecticIQ, the Silent Ransom Group sends ransom demands ranging from one to eight million USD, depending on the size of the hacked company.
Read more »
North Korea
Black Mail Businesses Crypto Cyber Crime Extortion NFTs North Korea

US Seizes $7.7 Million From Crypto Linked to North Korea's IT Worker Scam


The US Department of Justice has filed a civil forfeiture complaint against North Korean IT workers for illegally gaining employment with US businesses, and earning millions for the Korean government, which amounts to violations of sanctions.

The government seized $7.7m in funds in 2023 that involved Sim Hyon Sop- a worker at the North Korean Foreign Trade Bank (FTB) who joined hands with IT workers to launder the money for Pyongyang.

According to the complaint, the North Korean IT workers escaped security via fraud IDs and tactics that hid their real location. The salaries were credited in stablecoins like USDT and USDC.

To launder the money, employees created accounts using fake IDs, transferred funds in small amounts to other blockchains (chain hopping), and/or converted them into other digital currencies (token swapping).

Scammers also bought non-fungible tokens (NFTs) and used US accounts to make their operations look real. Sim worked with Kim Sang Man, the CEO of the “Jinyong IT Cooperation Company,” who served as a middleman between the FTB and the IT workers. 

According to the Justice Department’s National Security Division, North Korea, for years has “exploited global remote IT contracting and cryptocurrency ecosystems to evade US sanctions and bankroll its weapons programs.” 

Department head Sue Bai said, “Today’s multimillion-dollar forfeiture action reflects the Department’s strategic focus on disrupting these illicit revenue schemes. We will continue to use every legal tool available to cut off the financial lifelines that sustain the DPRK and its destabilizing agenda.”

North Korean IT workers have been slithering their way into employment in US firms for many years.  However, the advancement of these operations was exposed in 2024 when security expert KnowBe4 disclosed that even their organization was tricked into hiring an IT specialist from North Korea.

After that, Google has cautioned that US businesses remain a primary target and also warned that the threat actors have nor started focusing their operations at Europan firms.  While few do normal work to get paid, there is also a concern that their organization access allows them to extract important data and use it for extortion.

Read more »
Ransom
Coinbase Crypto Crypto Wallet cryptocurrency Cyber Security Data Theft Extortion Ransom

$400Million Coinbase Breach Linked to Customer Data Leak from India


Coinbase data breach linked to India

A Reuters investigation revealed that cryptocurrency exchange Coinbase knew in January about a breach affecting outsourced customer support agents in India. Six people who knew about the incident said Coinbase was aware of sensitive user data compromise through its contractor, TaskUs, before it was officially announced in May. 

On 14th May, TaskUs filed an SEC document revealing that an India-based TaskUs employee was found taking pictures of a computer screen with her phone. Five former TaskUs employees confirmed that the worker and one accomplice were bribed by threat actors to get Coinbase user data.

The breach cost $400 million

After this information, more than 200 TaskUs employees were fired in a mass layoff from the Indore center, which drew media attention in India. Earlier, Coinbase suspected ‘overseas support agents’ but now the breach is estimated to cost 400 million dollars.

Coinbase had been a long-term partner of TaskUs, a Texas-based outsourcing firm, cost-cutting labor by giving customer support work to offshore teams. After 2017, TaskUs agents, mostly from developing countries, handled Coinbase customer inquiries. 

In the May SEC filing, Coinbase said it didn’t know about the full scale of the breach until it received an extortion demand of $20 Million on 11th May. As a cautionary measure, Coinbase cut ties with TaskUs employees and other unknown foreign actors. Coinbase has notified regulators, compensated affected users, and taken strict measures to strengthen security. 

In a public statement, TaskUs confirmed it had fired two staff (unnamed) for data theft but didn’t mention Coinbase. The company found the two staff involved in a cyber attack campaign that targeted other service providers linked to the client. 

Hackers use social engineering tactic

Hackers did not breach the Coinbase crypto wallets directly, they cleverly used the stolen information to impersonate the Coinbase employees in a series of social engineering scams. The hackers posed as support agents, fooling victims into transferring their crypto assets. 

According to Money Control, “The person familiar with the matter confirmed that Coinbase was the client and that the incident took place in January. Reuters could not determine whether any arrests have been made. Police in Indore did not return a message seeking comment.”

Read more »
ScatteredSpider
Cyberattack Cybersecurity Data Breach DragonForce Extortion Hacking Ransomware Retail ScatteredSpider

Marks & Spencer Cyberattack Fallout May Last Months Amid Growing Threat from Scattered Spider

 

Marks & Spencer is facing prolonged disruption after falling victim to a large-scale cyberattack. Experts warn that restoring normal operations could take months, highlighting a growing trend of sophisticated breaches targeting major retailers. This incident follows a wave of cyber intrusions, including those at Co-op and Harrods, allegedly orchestrated by the same hacking collective — Scattered Spider.

Described by ITPro as “the name on every security practitioner's mind right now,” Scattered Spider has gained notoriety for its aggressive tactics and global reach.

“Scattered Spider is one of the most dangerous and active hacking groups we are monitoring,” said Graeme Stewart of Check Point to Sky News.

Believed to be composed mainly of young, English-speaking individuals based in the UK and US, the group has reportedly executed over 100 cyberattacks since emerging in 2022. These attacks span sectors like telecommunications, finance, retail, and gaming.

One of their most prominent exploits occurred in 2023, when they severely disrupted two leading casino operators. Caesars Entertainment reportedly paid about $15 million to recover access, while MGM Resorts suffered estimated damages of around $100 million due to compromised customer data.

What makes Scattered Spider particularly elusive is its decentralized structure and independence from state backing. “They operate more like an organised criminal network, decentralised and adaptive,” Stewart added. Even after multiple arrests in the US and Europe, the group continues to rebound swiftly. “This is not a loose group of opportunistic hackers,” he emphasized.

Rather than relying solely on software flaws, Scattered Spider frequently exploits human error. The M&S and Co-op attacks, for example, were the result of “social engineering,” where attackers manipulated employees into revealing credentials.

Their tactics include mimicking corporate emails, sim swapping (cloning a phone number to hijack accounts), and building convincing fake login portals. “This is akin to ‘breaking down the front door’ of networks,” Paul Cashmore, CEO of Solace Cyber, told The Times. Once inside, Scattered Spider typically partners with ransomware gangs to carry out the final blow.

In these recent cases, the group appears to have collaborated with DragonForce, a ransomware cartel. Initially known as a pro-Palestinian hacktivist group based in Malaysia, DragonForce now operates a “ransomware-as-a-service” model. According to Bleeping Computer, they allow affiliates to use their tools and infrastructure in exchange for 20-30% of ransom payments.

The core motivation is financial gain. DragonForce reportedly reached out to the BBC claiming the Co-op breach was more severe than disclosed, hinting at an extortion attempt.

Organizations like the Co-op, which house personal data of millions, are prime targets. Once a system is locked, hackers demand large ransoms in return for decryption tools and promises to delete stolen data. “If a ransom is not paid, the ransomware operation typically publishes the stolen data on their dark web data leak site,” Bleeping Computer explained.

Whether or not to pay remains a complex dilemma. “Paying may provide a quick way to restore operations, protect customer data and limit immediate financial and reputational damage,” noted The Times. However, it also risks emboldening cybercriminals and marking companies as future targets.
Read more »
Ransomware
Akira Attack Breach Cloud Cybersecurity Data Encryption Extortion FBI Hitachi malware Ransomware

Hitachi Vantara Takes Servers Offline Following Akira Ransomware Attack

 

Hitachi Vantara, a subsidiary of Japan's Hitachi conglomerate, temporarily shut down several servers over the weekend after falling victim to a ransomware incident attributed to the Akira group.

The company, known for offering data infrastructure, cloud operations, and cyber resilience solutions, serves government agencies and major global enterprises like BMW, Telefónica, T-Mobile, and China Telecom.

In a statement to BleepingComputer, Hitachi Vantara confirmed the cyberattack and revealed it had brought in external cybersecurity specialists to assess the situation. The company is now working to restore all affected systems.

“On April 26, 2025, Hitachi Vantara experienced a ransomware incident that has resulted in a disruption to some of our systems," Hitachi Vantara told BleepingComputer.

"Upon detecting suspicious activity, we immediately launched our incident response protocols and engaged third-party subject matter experts to support our investigation and remediation process. Additionally, we proactively took our servers offline in order to contain the incident.

We are working as quickly as possible with our third-party subject matter experts to remediate this incident, continue to support our customers, and bring our systems back online in a secure manner. We thank our customers and partners for their patience and flexibility during this time."

Although the company has not officially attributed the breach to any specific threat actor, BleepingComputer reports that sources have linked the attack to the Akira ransomware operation. Insiders allege that the attackers exfiltrated sensitive data and left ransom notes on infiltrated systems.

While cloud services remained unaffected, sources noted that internal platforms at Hitachi Vantara and its manufacturing arm experienced disruption. Despite these outages, clients operating self-hosted systems are still able to access their data.

A separate source confirmed that several government-led initiatives have also been impacted by the cyberattack.

Akira ransomware first appeared in March 2023 and swiftly became notorious for targeting a wide range of sectors worldwide. Since its emergence, the group has reportedly compromised more than 300 organizations, including high-profile names like Stanford University and Nissan (in Oceania and Australia).

The FBI estimates that Akira collected over $42 million in ransom payments by April 2024 after infiltrating over 250 organizations. According to chat logs reviewed by BleepingComputer, the gang typically demands between $200,000 and several million dollars, depending on the scale and sensitivity of the targeted entity.

Keywords: ransomware, cybersecurity, Hitachi, Akira, cloud, breach, data, FBI, malware, attack, encryption, extortion, hacking, disruption, recovery, infrastructure, digital, protection
Read more »
Rhysida ransomware gang
Data Breach Data Leak Extortion Ransomware attack Ransomware group Ransomwares Rhysida Rhysida Ransomware Rhysida ransomware gang

Rhysida Ransomware Group Leaks 1.3M Files Stolen from Oregon DEQ After Failed Extortion Attempt

 

A major ransomware breach has rocked the Oregon Department of Environmental Quality (DEQ), with over 1.3 million files—amounting to 2.4 terabytes—dumped online by the cybercriminal group Rhysida. The stolen data, now circulating on the dark web, reportedly includes confidential information linked to DEQ employees. Whether personal data of Oregon residents outside the agency was compromised remains unconfirmed. DEQ first disclosed system disruptions on April 9, attributing them to a suspected cyberattack. 

The agency, responsible for regulating pollution, waste, air quality, and smog checks for vehicle registrations, had to suspend several core services as a result. An investigation into the breach is underway, but DEQ has not officially confirmed the volume or content of the compromised data. However, Rhysida’s own dark web site claimed responsibility, stating that it attempted to contact DEQ but was ignored. The group then released the data publicly, writing: “They think their data hasn’t been stolen. They’re sorely mistaken.” Before the leak, the group had placed a $2.5 million price tag—30 Bitcoins—on the files, offering them at auction to the highest bidder. 

By April 24, some of the stolen content had reportedly been sold, while the remaining files were made freely available for download. The breach has had serious operational consequences. For nearly a week following the attack, DEQ employees were locked out of their internal systems and email. Emails sent between April 9 and 11 were lost entirely. Vehicle emissions testing—a requirement for registrations in parts of Oregon—was halted across all non-DEQ testing locations, though some services resumed at DEQ-owned facilities on April 14. In a statement issued April 19, DEQ confirmed that employees were gradually regaining access to their work devices, moving from phones back to laptops. 

Despite the cyber disruption, spokesperson Lauren Wirtis said DEQ’s mission-critical services via its online platform DEQ Online remained operational and unaffected. Rhysida, an increasingly active ransomware gang, has previously attacked global organizations including the British Library, Chilean Army, and the Port of Seattle. Their tactics typically include data theft, extortion, and high-pressure ransom demands. 

Oregon’s Enterprise Information Services is leading the forensic investigation, alongside efforts to strengthen state cybersecurity systems. As of April 26, DEQ clarified that no ransom negotiations had occurred, and the timeline for completing the investigation remains uncertain.
Read more »
sensitive user information
Data Breach Data Safety User Data data security Extortion GitLab Sensitive Information sensitive user information

Europcar GitLab Breach Exposes Sensitive User Data and Configuration Files

 

A cybersecurity breach allegedly targeting Europcar has brought attention to vulnerabilities in corporate development platforms. A threat actor operating under the alias “Europcar” recently claimed on an underground forum that they had gained unauthorized access to the car rental giant’s GitLab repository, leading to the extraction of thousands of sensitive files. The attacker reportedly obtained over 9,000 SQL files and at least 269 .ENV files, which are commonly used to store application configuration settings, API keys, and other sensitive operational data. 

The scale of the breach raised concerns about the potential exposure of customer and internal company information. Europcar later confirmed the breach to BleepingComputer, clarifying that only a limited portion of its GitLab repository was compromised, and not the entire system as initially claimed. The company stated it is currently assessing the scope of the intrusion and is in the process of notifying affected users. Initial findings suggest that customer names and email addresses from affiliated brands such as Goldcar and Ubeeqo, generated between 2017 and 2020, may have been exposed. Importantly, payment data was not compromised in this incident. 

The Europcar data breach is believed to have been part of an extortion attempt, although it remains unclear whether any ransom was paid. The method used to access Europcar’s GitLab remains under investigation, but cybersecurity experts suspect phishing or infostealer malware as the most likely attack vectors. Credential theft through malware or social engineering continues to be a leading cause of repository leaks across industries.  

GitLab, a widely used platform for code collaboration and storage, is frequently targeted by cybercriminals. Attackers often exploit its popularity by spoofing repositories or distributing malicious packages. Developers are advised to exercise caution by verifying repository sources, reading user feedback, and implementing multi-layered security protocols. The GitLab repository leak highlights the broader issue of digital supply chain vulnerabilities. 

When attackers gain access to development environments, the consequences can include compromised applications, internal data leaks, and reputational damage. This incident reinforces the importance of robust cybersecurity hygiene, particularly for companies managing user-sensitive platforms. As Europcar continues to investigate the breach and tighten security protocols, the incident serves as another reminder of the growing sophistication of cyberattacks and the urgent need for proactive security measures.
Read more »
RIBridges
brain cipher Data Breach Extortion Rhode Island RIBridges

RIBridges Data Breach: Sensitive Information of Rhode Islanders Exposed

 



The RIBridges system, a very important tool for Rhode Island's social services, has become the latest victim of a ransomware attack, resulting in the leak of personal data belonging to hundreds of thousands of residents. This breach, orchestrated by the Brain Cipher ransomware group, has raised serious concerns about the security of systems handling sensitive information.


What is RIBridges?

RIBridges is the vital system for Rhode Island that runs social support programs, such as access to health care, food assistance, childcare, and more. Much of the private data in this compromise was made vulnerable to exploitation.  


Timeline of the Incident

1. First Warning: On December 5, Deloitte, the vendor responsible for RIBridges, warned Rhode Island officials that there may have been a security breach. 

2. Confirmation of Breach: By December 10, it was confirmed that hackers had indeed accessed the system. The hackers even published screenshots of the stolen file directories on Deloitte's screen.

3. Action Taken: Confirmation of presence of harmful code led to system shut down to minimize damage, and this occurred on December 13. 

 

What Data Was Leaked?

Last week, a group known as Brain Cipher began to leak their stolen files on the dark web. It claims to have included names, addresses, birth dates, Social Security numbers, and banking details of people. The list contained both adults and minors. Other reports also suggest that some file folders contained database backups and system archives. 


Implications for Rhode Island Residents

This breach has potentially exposed around 650,000 individuals to identity theft and fraud. Governor Dan McKee has advised residents to take immediate steps to protect their data. This includes freezing credit reports, monitoring accounts for unusual activity, and staying cautious of phishing attempts that may exploit the stolen information.  

The Brain Cipher ransomware group, operating since mid-2024, is known to use advanced encryption tools and a data leak website to extort victims. Its operations were first brought to public attention after attacking Indonesia's temporary National Data Center. In that attack, it used a modified version of a leaked codebase for an encryptor to breach RIBridges.

Although the data leak site from the gang remains inaccessible, reportedly as a result of a distributed denial-of-service attack, their negotiation page on Tor remains active. It appears they are still pushing the victims or perhaps even looking for further extortions.  


What's Being Done?

The IT teams in state work to comprehend the full effect of the breach and to secure the system. Residents are advised to stay vigilant and to take proactive steps to prevent these risks caused by the leakage of such data. This attack calls out the increased risk of ransomware and an increased need for cybersecurity measures in securing crucial public systems and sensitive information on individuals.




Read more »
Victim
Cyber Security Cybersecurity Data Breach Encryption Extortion Healthcare HHS Ransomware Ransomware attack Trinity Victim

New Trinity Ransomware Strain Targets U.S. Healthcare, Federal Officials Warn

 

A new ransomware strain, known as Trinity, has reportedly compromised at least one healthcare organization in the U.S., according to a recent report from federal authorities.

The U.S. Department of Health and Human Services (HHS) issued a warning on Friday, alerting hospitals about the serious threat posed by the ransomware group. They highlighted that Trinity’s methods make it a "notable risk" to both the U.S. healthcare and public health sectors.

HHS's Health Sector Cybersecurity Coordination Center confirmed that one U.S. healthcare entity has recently fallen victim to the Trinity ransomware, which was first detected around May 2024.

To date, seven victims of Trinity ransomware have been identified, including two healthcare providers—one in the U.K. and another in the U.S. The latter, a gastroenterology services provider, lost 330 GB of data. While the facility remains unnamed, it has been listed on Trinity’s data leak site and is currently facing technical disruptions, including limited phone access.

Additionally, researchers have found another case involving a dental group based in New Jersey.

HHS noted similarities between Trinity and two other ransomware groups—2023Lock and Venus—hinting at potential collaboration between these cybercriminals.

Trinity ransomware mirrors other known operations by exploiting common vulnerabilities to extract data and extort victims.

After installation, the ransomware gathers system information, such as available processors and drives, to escalate its attack. Operators then scan for weaknesses to spread the ransomware within the network.

The files encrypted by the attack are marked with the “trinitylock” extension, and victims receive a ransom note demanding payment within 24 hours, with threats of data exposure if they fail to comply.

At present, there is no available decryption tool for Trinity, leaving victims with few options, according to the HHS advisory.

The attackers operate two websites: one to assist those who pay the ransom with decryption, and another that displays stolen data to extort victims further.

Federal officials have discovered code similarities between the Trinity and Venus ransomware strains, noting identical encryption methods and naming schemes, which suggest a close link between them. Trinity also shares features with 2023Lock, including identical ransom notes and code, implying it could be an updated variant.

Cybersecurity researchers have also pointed out that Trinity may be a rebranded version of both Venus and 2023Lock. According to Allan Liska of Recorded Future, Trinity is "not a highly advanced strain of ransomware," and the attackers do not appear particularly sophisticated.

HHS emphasized that the potential collaboration between these threat actors could enhance the complexity and impact of future ransomware attacks.

Previous HHS warnings have covered other ransomware groups such as Royal, Cuba, Venus, Lorenz, and Hive.

Despite heightened law enforcement efforts, ransomware attacks persist, with operations continuing to generate significant revenue—approximately $450 million in the first half of 2024 alone.

The healthcare sector has been particularly affected by these attacks, causing severe disruptions. Just last week, a Texas hospital, the only level 1 trauma center in a 400-mile radius, had to reduce services and turn away ambulances due to a ransomware incident.

As of Friday, the hospital reported restored phone services, with only a limited number of ambulances being redirected to other facilities.
Read more »
Threat Landscape
Cyber Crime Data Leak Extortion Ransomware Threat Landscape

BlackByte Ransomware Outfit is Targeting More Orgs Than Previously Known

 

Researchers from Cisco have discovered that the BlackByte ransomware group is only disclosing a small portion of its successful attacks on its leak site this year. Talos, the company's cybersecurity department, believes the gang is creating extortion posts for only 20% to 30% of its successful attacks. 

The study of the ransomware outfit's leak site shows it posted 41 victims in 2023 but only three so far in 2024. BlackByte has been extremely active this year, but it's unclear why the group hasn't posted any further leaks. 

BlackByte has carried out high-profile assaults on local governments in Newburgh, New York, and Augusta, Georgia, as well as organisations such as the San Francisco 49ers and Yamaha. 

Researchers from Cisco Talos claimed that their involvement in a number of recent incident response investigations showed how quickly the organisation is evolving and how often it leads the way in exploiting vulnerabilities such as CVE-2024-37085, an ESXi software problem that Microsoft brought to light last month.

“Talos IR observed the threat actor leveraging this vulnerability, which initially received limited attention from the security community, within days of its publication,” the researchers stated. “This highlights the speed with which ransomware groups like BlackByte can adapt their [tactics, techniques and procedures] to incorporate newly disclosed vulnerabilities, and the level of time and effort put into identifying potential avenues for advancing an attack.” 

The analysts believe the ransomware-as-a-service (RaaS) gang is an offshoot of the now-defunct Conti operation, which appeared in late 2021. According to Cisco Talos, BlackByte has a history of searching for and exploiting public-facing vulnerabilities. However, the RaaS model's flexibility "allows threat actors to quickly counter new defensive strategies developed by cybersecurity experts by iterating and updating its tooling.” 

Callie Guenther, a Critical Start cyberthreat researcher, stated that the exploitation of CVE-2024-37085 was notable since it targeted VMware ESXi hypervisors, which allow servers to operate many virtual machines and efficiently distribute computing resources. The focus on ESXi hypervisors by Ransomware outfits such as BlackByte is especially troubling because the technology is often vital for firms' IT infrastructure and critical business applications.

“The adoption of the CVE-2024-37085 vulnerability by BlackByte signals an understanding of the value in targeting these systems, as they offer a high return on investment for the attackers in terms of potential ransom payouts,” she added.
Read more »
SIM card cloning
BSNL data breach cyberattack on BSNL dark web forum Data Breach Extortion Identity Theft kiberphant0m sensitive user information SIM card cloning

BSNL Reportedly Suffers Major Data Breach: Sensitive User Information at Risk

 

Bharat Sanchar Nigam Limited (BSNL) has reportedly experienced a significant data breach, with the responsible threat actor claiming to have acquired sensitive user and operational data. The government-owned telecom provider's servers were attacked, resulting in the hackers obtaining SIM card details, home location register data, and critical security keys. This stolen data could potentially be used for criminal activities such as SIM card cloning, identity theft, and extortion.

According to a report by digital risk management firm Athenian Tech, cited by News18, the cyberattack was carried out by a threat actor using the dark web forum username “kiberphant0m”. It remains unclear if the attack was executed by an individual or a group of hackers.

The report states that approximately 278GB of data from BSNL's telecom operations was compromised. This data includes not only user information but also server snapshots that could be exploited for further attacks, posing severe security risks. The threat actor claims to have obtained critical details such as International Mobile Subscriber Identity (IMSI) numbers, SIM card details, PIN codes, authentication keys, and snapshots of BSNL's SOLARIS servers.

The hacker has reportedly offered the stolen data for sale at $5,000 (roughly Rs. 4.18 lakh). Discussions on the dark web forum suggest potential misuse of the data for activities like SIM cloning, identity theft, and extortion.

Kanishk Gaur, CEO of Athenian Tech, explained that while the specific vulnerabilities exploited by “kiberphant0m” are not publicly disclosed, access to critical systems such as the Home Location Register (HLR) and SOLARIS server snapshots indicates a deep penetration. This likely involved exploiting software vulnerabilities or sophisticated social engineering techniques. The server snapshots suggest possible exploitation of known vulnerabilities within BSNL's server infrastructure, highlighting the need for rigorous patch management and security updates.

The alleged data breach poses a serious threat to millions of BSNL users whose sensitive information may have been compromised. Notably, BSNL experienced a similar data breach in December 2023. Gadgets 360 has reached out to BSNL for a comment and will update the story once a response is received.
Read more »
Online fraud
Bengaluru Cyber bullying Cyber Crime Extortion Goa Online fraud

Bengaluru Man Arrested for Exploiting Woman in Online Interview

 



Panaji: In a disturbing cybercrime case, the Goa Cyber Crime Police arrested a Bengaluru resident, Mohan Raj V, for allegedly cyberbullying and extorting a woman from Goa. The arrest was made on Saturday after a strategic operation by the police team.

The case began when the victim, a woman from Goa, filed a complaint with the cyber crime police. She reported that the accused had posted a fake job advertisement for a position at a foreign bank. Responding to the advertisement, the woman was contacted via a chatting app by the accused, who arranged an online interview. During the video call, individuals posing as company representatives coerced the woman into undressing. They recorded the video and took screenshots, which were later used to blackmail her.

According to the complaint, the accused demanded sexual favours in exchange for deleting the compromising material. Over the past two months, he persistently harassed the woman, threatening to make the videos and pictures public if she did not comply. He also demanded that she meet him in Bengaluru.

Following the complaint, the police, led by Superintendent of Police Rahul Gupta, devised a plan to apprehend the accused. A team, including the victim, travelled to Bengaluru and laid a trap. After extensive efforts and a lengthy chase, the accused was caught when he arrived to meet the victim. The police recovered the chats and videos from the accused's phone, which will be sent for a cyber forensic examination.

The investigation revealed that Mohan Raj V used VPN phone numbers to create fake Telegram accounts and post fraudulent job offers. He targeted women by promising high salary packages and conducting fake online interviews.

The accused has confessed to his crimes and has been booked under several sections of the Indian Penal Code, including section 354A (sexual harassment), section 384 (extortion), and relevant provisions of the Information Technology Act. The case is being further investigated by Police Inspector Deepak Pednekar.

SP Rahul Gupta urged the public to verify the authenticity of online job offers through local or cyber police stations before engaging with them. He also cautioned against complying with unethical online demands, no matter the promised benefits.

This case highlights the growing menace of cybercrime and the importance of vigilance in online interactions. The Goa Cyber Crime Police's successful operation furthers the cause for robust cyber security measures and public awareness to prevent such incidents.



Read more »
VPM
Child pornography Extortion Honeytrap malware VPM

Malware Author Lures Child Abusers Into Honeytrap to Extort Them

 

You rarely root for online criminals, but a new malware campaign targeting child exploiters does not make you feel awful about the victims. 

Since 2012, threat actors have developed a range of malware and ransomware that impersonate government agencies and earn affected Windows users that they are seeing CSAM. The software informs users that they must pay a "penalty" to keep their information from being transferred to law enforcement. 

One of the first "modern" ransomware operations, known as Anti-Child Porn Spam Protection or ACCDFISA, used this extortion strategy in conjunction with initially locking Windows systems and eventually encrypting files. 

Similar extortion techniques were used by cybersecurity researcher MalwareHunterTeam to share an executable malware sample named "CryptVPN" [VirusTotal] with BleepingComputer last week. This time, though, the malware creator is going after people who actively seek child pornography rather than innocent people. 

Security specialists investigated the malware and discovered that threat actors posed as UsenetClub, a subscription service that allows users to download films and images from Usenet with "uncensored" access.

Usenet is an online discussion platform that allows users to discuss different topics in "newsgroups" to which they have subscribed. While Usenet is used for valid discussion of a variety of topics, it is also a notorious source of child pornography.

Threat actors designed a fraudulent site pretending to be UsenetClub and offered three subscription tiers for the site's content. The first two were paid subscriptions, ranging from $69.99 per month to $279.99 annually. However, a third option claimed to allow free access if you install and employ the free "CryptVPN" software to access the site. 

Clicking the "Download & Install" button will download a CryptVPN.zip file from the website, which when unpacked will contain a Windows shortcut called "CLICK-HERE-TO-INSTALL". 

This file is a shortcut to the PowerShell.exe executable that downloads and saves the CryptVPN.exe executable to C:\Windows\Tasks.exe before executing it. The malware executable is packaged with UPX, however when unpacked, it contains a PDB string indicating that the creator titled the malware "PedoRansom". 

The malware does nothing uncharacteristic except change the target's wallpaper to an extortion demand and drop a ransom note named README.TXT on the desktop, which includes similar extortion demands. 

"You were searching for child exploitation and/or child sexual abuse material. You were stupid enough to get hacked," reads the extortion demand. "We have collected all your information, now you must pay us a ransom or your life is over.”

The extortion goes on to say that the victim must pay $500 to the bc1q4zfspf0s2gfmuu8h5k0679sxgxjkd7aj5e6qyl Bitcoin address within ten days or their identity will be leaked. Currently, this bitcoin address has only received roughly $86 in payments. 

Threat actors have long used "sextortion" strategies, such as sending bulk emails to a large number of people in an attempt to scare them into paying an extortion demand. 

These approaches worked very well at first, with spammers extorting more than $50,000 per week during the early operations. However, as time passes and the victims of these frauds become more aware, sextortion operations no longer yield the same money. 

While this strategy is more innovative and will scare many individuals looking for this type of stuff, we doubt many people will pay the extortion demand.
Read more »
Websites
Attack Blackcat hackers Change Healthcare critical infrastructure providers Data Breach digital decryption keys Extortion Hospitals International law enforcement seizure Websites

Notorious Hacker Group Strikes US Pharmacies

In December, international law enforcement targeted a gang, leading to the seizure of various websites and digital decryption keys, as reported by Reuters. In response to this crackdown, the Blackcat hackers threatened to extort critical infrastructure providers and hospitals.

A recent attack on Change Healthcare, resulting in its parent company UnitedHealth Group disconnecting its systems to prevent further impact, has caused disruptions in prescription insurance claims, according to the American Pharmacists Association. This outage, which has persisted through Tuesday, is attributed to a notorious hacker group, as per a new report.

The outage at Change Healthcare, which handles payment management for UnitedHealth Group, was caused by a ransomware attack by hackers associated with Blackcat, also known as ALPHV, according to Reuters, citing anonymous sources. Blackcat has been involved in several recent high-profile data breaches, including attacks on Reddit, Caesars Entertainment, and MGM Resorts.

As a result of the breach, pharmacies nationwide are facing significant delays in processing customer prescriptions. Change Healthcare stated they are actively working to restore the affected environment and ensure system security.

UnitedHealth Group mentioned that most pharmacies have implemented workarounds to mitigate the impact of the outage on claim processing. The company expressed confidence that other data systems in its healthcare portfolio were unaffected by the breach.

While last week's breach was suspected to be "nation-state-associated," according to an SEC filing by UnitedHealth, it's uncertain if the group responsible was sponsored by foreign actors. Cybersecurity firms Mandiant and Palo Alto Networks, appointed by UnitedHealth, will lead the investigation into the breach.
Read more »
TrendMicro
Bitcoin Canti Conti CorvusInsurance Cyber Crime Cybersecurity Darkweb DigitalCurrency Elliptic Extortion Garantex Hackers Laundering Ransomware TrendMicro

Researchers: 'Black Basta' Group Rakes in Over $100 Million

 

A cyber extortion group believed to be an offshoot of the infamous Russian Conti hacker organization has reportedly amassed over $100 million since its emergence last year, according to a report published on Wednesday by digital currency tracking service Elliptic and Corvus Insurance.

The group, known as "Black Basta," has allegedly extorted at least $107 million in bitcoin, with a significant portion of the laundered ransom payments flowing to the sanctioned Russian cryptocurrency exchange Garantex, as revealed in the joint report. Attempts to contact Black Basta through its dark web site were unsuccessful. Garantex, which faced U.S. Treasury sanctions in April of the previous year, expressed support for global initiatives combatting cybercrime and urged information-sharing regarding the hackers' finances, pledging to block suspicious funds.

Elliptic co-founder Tom Robinson characterized Black Basta's substantial earnings as making it "one of the most profitable ransomware strains of all time." The researchers arrived at this figure by identifying known ransom payments linked to the group, tracing the laundering of digital currency, and discovering additional payments.

Robert McArdle, a cybercrime expert from security firm TrendMicro not involved in the report, deemed the reported Black Basta figure "certainly in a believable range for their operations."

The Elliptic-Corvus report also presented evidence linking Black Basta to the now-defunct Russian group "Canti." Conti, formerly a prominent ransomware gang, gained notoriety for coercing victims through data encryption, ransom demands, and threats to publish stolen information. 

The report suggests that individuals from Conti, following the dismantling of its leak site after Russia's invasion of Ukraine and the subsequent posting of U.S. bounties on its leadership, may have reorganized and rebranded, with Black Basta potentially being a manifestation of this restructuring.

"Conti was perhaps the most successful ransomware gang we've seen," remarked Robinson. The recent findings indicate that some individuals responsible for Conti's success might be replicating it with the Black Basta ransomware, he added.
Read more »
Sensitive data
aerospace giant Boeing data breach CISA report Cybersecurity Data Breach Extortion Hacking Group Lockbit cybercrime Online Threat Ransomware attack Sensitive data

Boeing Evaluates Cyber Group's Data Dump Threat

 

Boeing Co announced on Friday that it is currently evaluating a claim made by the Lockbit cybercrime group, which asserts that it has obtained a significant volume of sensitive data from the aerospace giant. The group has threatened to release this information online unless Boeing pays a ransom by November 2.

To emphasize their ultimatum, the hackers displayed a countdown timer on their data leak website, accompanied by a message stating, "Sensitive data was exfiltrated and ready to be published if Boeing do not contact within the deadline!"

The group conveyed that, for now, they will refrain from providing lists or samples of the data in order to safeguard the company. However, they asserted that this stance may change before the deadline arrives.

Lockbit typically deploys ransomware on an organization's system to encrypt it and also pilfers sensitive information as a means of extortion.

A spokesperson for Boeing stated, "We are assessing this claim" via email.

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Lockbit was the most active ransomware group globally last year, based on the number of victims it claimed on its data leak blog.

The gang, known for its eponymous ransomware, which emerged on Russian-language cybercrime forums in January 2020, has reportedly conducted 1,700 attacks on U.S. organizations since then, as per CISA's report in June.

Lockbit did not disclose the volume of data it purportedly acquired from Boeing, nor did they reveal the ransom amount they are demanding. Boeing declined to provide further comments.

The hacking group has yet to respond to a request for comment sent to the address mentioned on their data leak site.
Read more »
Subscribe to: Posts (Atom)