
Medibank: Hacker Gained Access to 9.7M Customers' Data and Refuses to Pay a Ransom

On Monday, Medibank Private Ltd (MPL.AX), Australia's largest health insurer, stated that no ransom payment will be made to the criminal responsible for a recent data theft in which the data of approximately 9.7 million current and former customers was compromised. 

Highlighting the findings of the firm's investigation thus far, Medibank confirmed that the data theft accessed the name, date of birth, address, phone number, and email addresses of approximately 9.7 million current and former customers. Cyber security issues in Australia have skyrocketed in recent years, according to a government report, with one attack occurring every seven minutes.

"Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers' data and prevent it from being published," Medibank CEO David Koczkar said.

Paying a ransom could encourage the hacker to directly extort customers, causing more people to suffer, according to Koczkar. The insurer reiterated that business operations remained normal during the cyberattack, with customers continuing to have access to health care.

Medibank has warned its customers to be cautious because the criminal may leak the data online or attempt to contact them directly.

In the last few weeks, Singapore Telecommunications' (STEL.SI) unit Optus disclosed a breach of up to 10 million customer accounts, and Woolworths (WOW.AX) revealed that the data of millions of customers using its bargain shopping website had been compromised.  

Medibank has announced that it will commission an external review in order to learn from the cyberattack, as well as expand its Cyber Response Support Program. 

Paying Off Hackers is Common, Says Top Australian Govt Cybersecurity Firm

Corporate insurers routinely pay hackers a ransom for the return of stolen customer data, according to a top Australian government cybersecurity provider, as the country's largest health insurer revealed the growing scope of a recent breach on Oct 25.

The claim from Macquarie Telecom, which manages cybersecurity for 42% of Australian federal employees, including the Australian Taxation Office, suggests a lack of preparedness in an industry that has been in the spotlight recently due to a wave of high-profile hacks.

"These are the largest corporations in the world, falling over themselves to pay criminals as fast as possible to cap their liability," Macquarie CEO David Tudehope told Reuters in an interview, referring to cyber insurance firms that he did not name. "In what other sphere of life do you see reputable corporates pay millions of dollars to criminals and somehow it's all okay?"

Insurers that paid ransom to hackers had no way of ensuring data deletion, which meant sensitive customer information remained at risk of being exposed online, according to Tudehope.

This month, Medibank Private, Australia's largest health insurer, revealed that a criminal had stolen the personal health data of 100 of its 4 million customers and demanded payment for the data's return. On Tuesday, Medibank announced that the criminal had revealed the personal information of another 1,000 customers, and that the number was likely to grow.

Optus, the country's No. 2 telco, said last month that a hacker demanded payment after stealing data from about 10 million customer accounts, equivalent to 40% of the Australian population. A person claiming to be the Optus hacker later withdrew the demand due to privacy concerns. Meanwhile, the federal government has announced that companies that suffer data breaches will face fines of up to A$50 million.

"This is an enormous wake-up call for the country," Cyber Security Minister Clare O'Neil told parliament. "We need to do more as a country to step up."

O'Neil added that a national crisis management group formed during the COVID-19 outbreak was activated on Saturday and has met three times to discuss the Medibank hack. Tudehope, the CEO of Macquarie Telecom, declined to comment on specific incidents, but blamed underprepared cybersecurity chiefs who were too focused on internal stakeholder management and overly reliant on all-in-one protections such as firewall software.

"The challenge in cyber is it just changes so quickly and the people in senior management who, in many cases, do not have the background in cybersecurity because it wasn't a thing as they worked their way up through their career," Tudehope said.

"They're making decisions they don't have a strong understanding of in many cases," he added. "The people who have a deeper level of IT security (knowledge) are often at junior or middle levels of an IT department or government agency."

As per Tudehope, most businesses will face cyber attacks and should have a recovery plan in place, such as having confidential data backed up frequently in a separate location to ensure hackers cannot access it.

Ransomware Attacks Forced Organizations to Shut Down Operations Completely

Ransomware attacks have evolved constantly and now the spike in attacks is causing a massive concern for thousands of organizations worldwide. Hackers are taking advantage of security vulnerabilities and encrypting data belonging to all sorts of organizations: from private firms to healthcare facilities and governments. 

What motivates the ransomware attackers to become even more sophisticated and demand tens of millions of dollars is that numerous firms agree to pay the ransom and not reveal the attack. It usually happens because they are afraid of the devastating social consequences. 

Earlier this week, Trend Micro, a global cybersecurity leader, disclosed that a quarter of healthcare organizations hit by ransomware attacks were forced to shut operations completely. The study also revealed that 86% of global healthcare organizations impacted by ransomware attacks suffered operational outages. 

More than half of the global HCOs (57%) acknowledged being hit by ransomware attacks over the past three years. Of these, 25% were forced to shut down their operations, while 60% disclosed that some business processes were affected by an attack. 

On average, it took most responding organizations days (56%) or weeks (24%) to fully restore these operations. In a survey of 145 healthcare business and IT professionals, 60 percent of HCOs also suffered a data breach, potentially increasing compliance and reputational risk, as well as investigation, remediation, and clean-up costs. 

The good news is that most (95%) HCOs say they regularly apply patches, while 91% limit email attachments to thwart malware risk. Many also employ detection and response tools for the network (NDR), the endpoint (EDR), and across multiple layers (XDR).

"In cybersecurity, we often talk in abstractions about data breaches and network compromise. But in the healthcare sector, ransomware can have a potentially genuine and very dangerous physical impact," Trend Micro Technical Director Bharat Mistry stated. 

"Operational outages put patient lives at risk. We can't rely on the bad guys to change their ways, so healthcare organizations need to get better at detection and response and share the appropriate intelligence with partners to secure their supply chains." 

The study published by cybersecurity firm Sophos in June revealed that HCOs spend nearly $1.85 million to recover systems after a ransomware attack, the second-highest figure across all sectors. The average ransom paid by healthcare organizations surged by 33% in 2021, and the proportion of victims paying ransoms of $1 million or more almost tripled.

How Ransomware Turned Into the Stuff of Nightmares for Modern Businesses

Few cyberthreats have progressed as rapidly in recent years as ransomware, which has become a global scourge for businesses over the last two decades. 

Ransomware has evolved from simple infect and encrypt attacks to double- and now triple-extortion attacks, making it one of the most dangerous security threats of the modern era. Meanwhile, with the rise of ransomware-as-a-service, it has become more accessible to would-be cybercriminals as well.

Techradar spoke with Martin Lee, Technical Lead of Security Research at Cisco Talos, to learn more about the threat posed by ransomware and the steps businesses can take to protect themselves.

What characteristics make ransomware attacks so effective and difficult to counter?

Ransomware is essentially the 21st century equivalent of kidnapping. The criminal steals something valuable and demands payment in exchange for its return. The ransomware business model has progressed over time to become a highly efficient source of revenue for criminals.

A ransomware attack should not be taken lightly. Criminals attempt to evoke an immediate response by encrypting and rendering a system inaccessible. If a critical system is disrupted, the bad folks know that the victim will have a strong incentive to pay.

Ransomware attacks are launched through every possible entry point. Criminals will look for any vulnerability in perimeter defences in order to gain access. The profitability of ransomware drives criminals' tenacity; the attacks' ubiquity makes them difficult to defend against. To defend against such attacks, excellent defences and constant vigilance are required.

What are the most significant changes in ransomware operations since the days of simple infect and encrypt attacks?

Modern criminal ransomware attacks first appeared in the mid-2000s. Initially, these were 'mass-market' attacks in which criminals distributed as much malware as possible without regard for the nature or identity of the systems being targeted. Although the vast majority of malware would be blocked, a small percentage would be successful in infecting and encrypting systems, and a small number of these would result in payment of a ransom.

In 2016, a change in the ransomware model was noticed. SamSam, a new ransomware variant, was distributed in an unusual manner. The group behind this malware planned ahead of time, exploiting vulnerabilities in externally facing systems to gain a foothold within the organisation. Once inside, they expanded their access, looked for key systems, and infected them with ransomware.

Criminals can significantly disrupt the operation of an organisation by researching their target and disrupting business critical systems. Criminals use this approach to demand a much higher ransom than if they compromise a single laptop, for example.

In what ways do you expect ransomware attacks to develop further in the years to come?

Ransomware has proven to be a reliable source of revenue for criminals. However, the success of the attacks is not guaranteed. The more attacks are blocked, the less profitable the activity becomes.

Malicious emails and attempts to download malware can be blocked by perimeter defences. Filtering connections at the IP address or DNS layer can prevent malware from communicating with its command and control systems. End-point protection systems can detect and block malware, and effective backup solutions can restore affected systems.

With a better understanding of the effects of ransomware and stronger defences, fewer successful attacks will be witnessed and ransomware will become unprofitable. However, as organisations become smarter, so do criminals, and ransomware will continue to exist.

North Korean Hackers Employ H0lyGh0st Ransomware to Target Businesses

Researchers from Microsoft's Threat Intelligence Center (MSTIC) this week reported that North Korean hackers are employing the H0lyGh0st ransomware to target small and midsize businesses worldwide.

The hacking group, which calls itself H0lyGh0st and is tracked by Microsoft as DEV-0530, has been employing ransomware since at least June 2021 and has successfully exploited multiple businesses since September 2021. 

The activities of DEV-0530 are similar to other ransomware gangs out there. The group engages in double extortion, threatening to publish personal data stolen from victims unless a ransom is paid. 

In recent years, North Korean hackers have siphoned hundreds of millions of dollars from foreign businesses to help their country which is struggling economically due to the U.S. sanctions and the COVID-19 pandemic. However, it is equally possible that the hackers are employing ransomware for personal gain, which could explain an “often-random selection of victims.” 

According to Microsoft, the activities of DEV-0530 are partially linked to a group known as Plutonium (also known as DarkSeoul or Andariel). Both groups have been spotted operating from the same infrastructure, employing custom malware controllers with similar names, and emailing accounts belonging to each other. 

“MSTIC has observed known DEV-0530 email accounts communicating with known PLUTONIUM attacker accounts. MSTIC has also observed both groups operating from the same infrastructure set, and even using custom malware controllers with similar names,” Microsoft says. 

The researchers also identified that the hackers' activities are consistent with the UTC+9 time zone used in North Korea. DEV-0530's first malicious payload, BLTC_C.exe, was spotted in June last year and classified as SiennaPurple, despite its lack of complexity compared to other variants in the same ransomware family. More capable derivatives of the malware, written in the Go programming language, were released later, between October 2021 and May 2022.

In November 2021 DEV-0530 successfully exploited several small-to-midsized businesses in the manufacturing, finance, education, and event and meeting planning sectors in multiple nations. Likely opportunistic, the attacks exploited vulnerabilities such as CVE-2022-26352 on public-facing web assets for initial access. 

Subsequently, the hackers would steal “a full copy of the victims’ files” and then shift to encrypt the contents on the system, appending the .h0lyenc extension to impacted files. In addition to dropping a ransom note, the attackers emailed the victim to inform them that their data was stolen and encrypted by H0lyGh0st. 
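The one artefact the post gives defenders to key on is the file extension: a host that suddenly renames many files to .h0lyenc is in the encryption phase. The following is an added example (not from the original post and not from Microsoft's report) of a simple sliding-window detector over file-rename events; the event format, host names, paths and the five-minute window and ten-file threshold are all assumptions chosen for illustration, and the events are constructed.

```python
"""Flag a burst of files renamed to a ransomware extension (added example).

Assumptions (not from the post): rename events arrive as
(ISO timestamp, host, new path) tuples, e.g. from an EDR or file-audit feed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# The extension named in the post; other families would add their own here.
RANSOM_EXTENSIONS = {".h0lyenc"}


def _constructed_events():
    """Constructed sample feed: one host with a burst, one host with stragglers."""
    base = datetime(2022, 6, 1, 9, 0, 0)
    events = []
    # ws-07: twelve documents renamed within one minute -> encryption in progress
    for i in range(12):
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        events.append((ts, "ws-07", f"C:\\Users\\alice\\Documents\\report{i}.docx.h0lyenc"))
    # ws-12: three matching renames an hour apart (e.g. a restore job) -> no burst
    for i in range(3):
        ts = (base + timedelta(hours=i)).isoformat()
        events.append((ts, "ws-12", f"D:\\share\\old{i}.xlsx.h0lyenc"))
    # a benign rename on ws-07 that must be ignored by the extension filter
    events.append((base.isoformat(), "ws-07", "C:\\Users\\alice\\Documents\\notes.txt"))
    return events


SAMPLE_EVENTS = _constructed_events()


def detect_extension_burst(events, extensions=RANSOM_EXTENSIONS,
                           window=timedelta(minutes=5), threshold=10):
    """Return {host: peak_count} for hosts that renamed at least `threshold`
    files to a ransomware extension inside any `window`-long interval."""
    per_host = defaultdict(list)
    for ts, host, path in events:
        if any(path.lower().endswith(ext) for ext in extensions):
            per_host[host].append(datetime.fromisoformat(ts))

    alerts = {}
    for host, times in per_host.items():
        times.sort()
        start, peak = 0, 0
        # two-pointer sweep: keep [start, end] within the window, track its size
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[host] = peak
    return alerts


if __name__ == "__main__":
    for host, count in detect_extension_burst(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {count} files renamed to a ransomware extension")
```

The threshold and window are deliberately tunable: a single .h0lyenc file can be a stray test or a restored artefact, while a dozen in a minute on one host is the pattern the post describes and is worth isolating that host over.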

“Based on our investigation, the attackers frequently asked victims for anywhere from 1.2 to 5 Bitcoins. However, the attackers were usually willing to negotiate and, in some cases, lowered the price to less than one-third of the initial asking price. As of early July 2022, a review of the attackers’ wallet transactions shows that they have not successfully extorted ransom payments from their victims,” Microsoft researchers explained.

Luna Moth: Hackers After the Subscription Scam 

Luna Moth is a brand-new data extortion group that has been breaking into businesses to steal their data. If the victims do not pay a ransom to prevent the information from being made public, the hackers threaten to make the records publicly accessible.

The hacker group adopted the alias Luna Moth and has been engaged in phishing efforts since at least March in which remote access tools (RAT) were distributed, enabling corporate data theft.

How does the scam work?

The Luna Moth gang has been analyzed by the incident response team at cybersecurity firm Sygnia, which noted that the actor is attempting to establish a reputation under the name Silent Ransom Group (SRG).

In a report published, Sygnia claims that although the goal of Luna Moth, also known as TG2729, is to acquire key data, its method of operation is similar to that of a scammer.

The organization has been posing as Zoho MasterClass Inc. and Duolingo over the last three months, operating a widespread phishing scam.  The malicious emails are sent from Gmail accounts that were altered to look like official company email accounts, claiming to be from the Zoho Corporation or Duolingo.

Domains used

In April 2022, the first verified campaign-related domain was registered. Hostwinds, a service provider, hosts both the exfiltration and phishing domains, which are both listed under Namecheap.

The two primary sets of domains and IPs that make up Luna Moth infrastructure can be tied to subscription fraud:

  • Domains with the XYZ TLD, such as maaays[.]xyz, are exfiltration domains. The organization uses these domains as the endpoint for the exfiltrated data when using the Rclone obfuscation method.
  • Phishing sites like masterzohoclass[.]com that pretend to be associated with Duolingo or Zoho. The majority of these domains only last for four hours or less.
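Indicators such as the two domains above are usually published defanged (`maaays[.]xyz`), and the useful defensive move is to match them against resolver logs and to notice the sequence the post describes: a lookup of a phishing domain followed, on the same client, by lookups of an exfiltration domain. The following is an added example (not from the original post and not Sygnia's code); the log line format, the client addresses, the timestamps and every domain other than the two named in the post are constructed, and the category labels simply follow the post's description of each domain.

```python
"""Match defanged domain IoCs against DNS query logs and flag clients that
resolve a phishing domain and then an exfiltration domain (added example)."""
import re

# IoCs in the defanged form used above. Only the two domains named in the post
# are real indicators; the categories follow the post's description of them.
DEFANGED_IOCS = {
    "maaays[.]xyz": "exfiltration",
    "masterzohoclass[.]com": "phishing",
}


def refang(value: str) -> str:
    """Turn 'a[.]b', 'a(.)b', 'a[dot]b' or 'hxxp://a.b/' into a bare domain."""
    d = value.strip().lower()
    d = re.sub(r"^hxxps?://", "", d)
    d = d.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return d.split("/")[0].rstrip(".")


def classify(qname: str, iocs=DEFANGED_IOCS):
    """Return the IoC category for a queried name, or None if it is not one.
    The IoC itself and any subdomain of it both count as a match."""
    q = qname.lower().rstrip(".")
    for raw, category in iocs.items():
        dom = refang(raw)
        if q == dom or q.endswith("." + dom):
            return category
    return None


# Constructed resolver log, one query per line: "<timestamp> <client> <qname> <qtype>"
SAMPLE_LOG = """\
2022-06-01T10:00:01Z 10.0.0.5 www.duolingo.com A
2022-06-01T10:00:07Z 10.0.0.5 masterzohoclass.com A
2022-06-01T10:41:15Z 10.0.0.5 maaays.xyz A
2022-06-01T10:41:16Z 10.0.0.5 api.maaays.xyz A
2022-06-01T10:02:00Z 10.0.0.9 updates.example.org A
2022-06-01T10:02:30Z 10.0.0.9 cdn.newsite.xyz A
2022-06-01T10:03:00Z 10.0.0.9 MAAAYS.XYZ. A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def scan_dns_log(log_text: str, iocs=DEFANGED_IOCS):
    """Return (timestamp, client, qname, reason) for every query worth review."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the scan
        ts, client, qname, _qtype = m.groups()
        q = qname.lower().rstrip(".")
        category = classify(q, iocs)
        if category:
            hits.append((ts, client, q, category))
        elif q.endswith(".xyz"):
            # The post ties the group's exfiltration endpoints to the .xyz TLD;
            # an unknown .xyz lookup is a review item, not a block on its own.
            hits.append((ts, client, q, "xyz-tld-review"))
    return hits


def phish_then_exfil_clients(hits):
    """Clients whose first phishing-domain lookup precedes an exfiltration lookup."""
    first_phish, flagged = {}, []
    for ts, client, _q, reason in sorted(hits):  # ISO timestamps sort as strings
        if reason == "phishing":
            first_phish.setdefault(client, ts)
        elif reason == "exfiltration" and client in first_phish and client not in flagged:
            flagged.append(client)
    return flagged


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_LOG)
    for hit in found:
        print(*hit)
    print("phish-then-exfil clients:", phish_then_exfil_clients(found))
```

Matching on the IoC and its subdomains matters because the exfiltration endpoint seen in logs is often a host under the listed domain rather than the apex; the case-folding and trailing-dot handling cover the forms resolver logs actually emit.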

Standard tools

Atera, Splashtop, Syncro, and AnyDesk are among the legitimate remote administration tools (RATs) that the hackers mainly employ to control compromised devices. These tools also give the hackers flexibility and persistence: even if one of the RATs is removed from the system, the others can still reinstall it. Furthermore, off-the-shelf tools such as SharpShares and SoftPerfect Network Scanner are being utilized by the group.

The tools are stored on victim systems under fake names that make them appear legitimate. In addition to the RATs, these tools enable the threat actors to conduct basic reconnaissance, gain access to additional resources, and steal data from compromised networks.

Maastricht University Retrieves Ransom Amount Paid in 2019

Earlier this month, Maastricht University (UM), in the southern Netherlands, which has more than 22,000 students, revealed that it had retrieved the ransom paid after a ransomware attack that targeted its network in December 2019.

After a detailed investigation of the incident, Fox-IT researchers attributed the attack to a financially motivated hacker gang tracked as TA505 (or SectorJ04). The hacking group has been active since at least 2014 and has primarily targeted retail and financial organizations. 

The hackers breached the university's systems through phishing e-mails in mid-October and installed Clop ransomware payloads on 267 Windows systems on December 23, after moving laterally via the network. 

After a week, the university decided to accede to the criminal gang's demand and paid a 30 bitcoin ransom (roughly €200,000 at the time) for the ransomware decryptor. This was partly because private data was in danger of being lost and students were unable to take an exam or work on their theses. Secondly, the rebuilding of all compromised systems from scratch or creating a decryptor were not viable options. 

"It is a decision that was not taken lightly by the Executive Board. But it was also a decision that had to be made," the university explained in a blog post. "We felt, in consultation with our management and our supervisory bodies, that we could not make any other responsible choice when considering the interests of our students and staff."

However, as UM recently revealed, the local police traced and seized a wallet containing the cryptocurrency paid by the university as ransom in 2019.

"The investigation [..] eventually paved the way for the seizure of the cryptocurrency by the Dutch Public Prosecution Service. As early as February 2020, the investigation team froze a so-called wallet containing part of the paid ransom," UM said. "The value of the cryptocurrencies found at that time was €40,000; at the current exchange rate, they are worth approximately €500,000."

Although this might appear like the university made a considerable profit within a relatively short time, the €500,000 seized by Netherlands' Public Prosecution Service represents significantly less than the damage inflicted during the ransomware attack. These seized funds are now in a bank account under the control of the law enforcement agents, and the Ministry of Justice has already initiated legal proceedings to transfer them to the university.

Dutch University Receives Bitcoin Ransom Paid in 2019

Maastricht University, in the southern Netherlands, which fell victim to a major ransomware attack, has partly received back its stolen money, a local news organization reported on Saturday.

The Dutch University suffered a large cyberattack in 2019 that locked them, and their students, out of valuable data until they agreed to pay a €200,000 ($208,000) ransom in Bitcoin which hackers demanded to decrypt the data.

"The criminals had encrypted hundreds of Windows servers and backup systems, preventing 25,000 students and employees from accessing scientific data, library and mail," the daily De Volkskrant reported.

"After a week the university decided to accede to the criminal gang's demand," the paper said. This was partly because personal data was in danger of being lost and students were unable to take an exam or work on their theses.

As part of an investigation into the cyberattack, local police traced part of the ransom paid to an account belonging to a money launderer in Ukraine. In 2020, the authorities seized the perpetrator's account, which contained a number of different cryptocurrencies including part of the ransom money paid by Maastricht University. 

Earlier this week, the authorities were able to return the ransom to the university. In the meantime, the value of the Bitcoin held in the Ukrainian account had increased from its then-value of €40,000 to €500,000.

"When, now after more than two years, it was finally possible to get that money to the Netherlands, the value had increased from 40,000 euros to half-a-million euros," the paper further read. Maastricht University will now get the 500,000 euros ($521,000) back. 

"This money will not go to a general fund, but into a fund to help financially strapped students," Maastricht University ICT director Michiel Borgers stated. 

The administrators of Maastricht University should count themselves lucky as they were able to retrieve their stolen money. Last year, the University of California paid $1.14 million to NetWalker attackers after they encrypted data within its School of Medicine’s servers, and the University of Utah paid hackers $457,000 to prevent them from releasing data stolen during an attack on its network. 

In 2021, ransomware attackers targeted 58 U.S. education organizations and school districts, including 830 individual schools, according to the report published by Emsisoft threat analyst Brett Callow. Emsisoft estimates that in 2020, 84 incidents disrupted learning at 1,681 individual schools, colleges, and universities.

New Emotet Variant Capturing Users' Credit Card Data from Google Chrome

The Emotet botnet is now attempting to infect potential victims with a credit card stealer module designed to capture credit card information from Google Chrome user accounts. 

After obtaining credit card information (such as name, expiration month and year, and card numbers), the malware transfers it to command-and-control (C2) servers that are different from those used by the Emotet module loader.

The Proofpoint Threat Insights team said, "On June 6th, Proofpoint observed a new Emotet module being dropped by the E4 botnet. To our surprise, it was a credit card stealer that was solely targeting the Chrome browser. Once card details were collected they were exfiltrated to different C2 servers than the module loader." 

This shift in behaviour follows an increase in activity in April and a move to 64-bit modules, as discovered by the Cryptolaemus security research group. One week later, Emotet began using Windows shortcut files (.LNK) to run PowerShell instructions on victims' devices, abandoning Microsoft Office macros, which were disabled by default beginning in early April 2022. 

The re-emergence of Emotet malware:

In 2014, the Emotet malware was created and used in assaults as a banking trojan. It has developed into a botnet used by the TA542 threat group (also known as Mummy Spider) to deliver second-stage payloads. 

It also enables its operators to steal user data, conduct reconnaissance on compromised networks, and migrate laterally to susceptible devices. Emotet is renowned for deploying Qbot and Trickbot malware trojan payloads on infected PCs, which are then used to spread more malware, such as Cobalt Strike beacons and ransomware like Ryuk and Conti. Emotet's infrastructure was destroyed in early 2021 as part of an international law enforcement operation that also resulted in the arrest of two people.

The botnet returned in November 2021, utilising TrickBot's previously established infrastructure, when Emotet research organisation Cryptolaemus, computer security firm GData, and cybersecurity firm Advanced Intel all spotted the TrickBot malware being used to deliver an Emotet loader.

According to ESET, Emotet's activity has increased more than 100-fold since the beginning of the year compared with T3 2021.

BlackCat Ransomware Group Demands $5Million to Unlock Austrian State

The BlackCat ransomware group, also known as ALPHV, has targeted the Austrian federal state of Carinthia, demanding $5 million to unlock encrypted computer systems. The threat actor allegedly locked thousands of workstations during the attack on Tuesday, causing serious operational disruption to government services.

The website and email service for Carinthia are temporarily down, and the government is unable to issue new passports or traffic penalties. Furthermore, the intrusion hampered the completion of COVID-19 testing and contact tracing through the region's administrative offices.

For $5 million, the hackers offered to deliver a functioning decryption tool. Gerd Kurath, a state spokesperson, told Euractiv that the attacker's demands will not be fulfilled. 

According to the press spokesperson, there is presently no proof that BlackCat was able to take any data from the state's systems, and the aim is to restore the workstations using accessible backups. Kurath stated that the first of the 3,000 impacted systems are likely to be operational again soon. 

At the time of writing, there is no material from Carinthia on BlackCat's data leak site, where the hackers post files taken from victims who did not pay a ransom. This might imply that the incident is recent or that negotiations with the victim are still ongoing.

In November 2021, the ALPHV/BlackCat ransomware group emerged as one of the more advanced ransomware operations. It is a rebranded version of the DarkSide/BlackMatter gang, which was responsible for the Colonial Pipeline attack last year.

BlackCat affiliates launched attacks on high-profile companies and brands such as the Moncler fashion firm and the Swissport airline freight handling services provider in early 2022. 

By the end of the first quarter of this year, the FBI had warned that BlackCat had breached at least 60 organizations worldwide, establishing itself as one of the most active and dangerous ransomware operations in existence.

The attack on Carinthia and the hefty ransom demands demonstrate that the threat actor targets firms that can pay substantial sums of money to get their systems decrypted and prevent additional financial losses due to lengthy operational interruption.

Russian Group Attack on Bulgarian Refugee Agency

A ransomware group with strong ties to Russia warned on Wednesday that it will publicly post the files it has stolen from the Bulgarian government agency responsible for refugee management.

LockBit 2.0 published a notice on its dark web leak site saying it had files from the Bulgarian State Agency for Refugees under the Council of Ministers. "All available data will be published!" the notice read under the group's trademark bright red countdown clock, which showed a May 9 publication date. It is worth noting that there was no specific post for a ransom demand.

According to the Sofia Globe, a news organization in the country’s capital, nearly 5.7 million Ukrainian refugees have fled their country since February and approximately 230,000 fled to Bulgaria, while 100,700 are remaining in the country. 

The official website of the agency remains active, however, a notice on the site’s home page reads, “due to network problems, the e-addresses of the State Agency for Refugees at the Council of Ministers are temporarily unavailable.”

Press contacted an official for a comment on the same matter but the agency didn’t immediately respond to the email. Later, a spokesperson at the Bulgarian embassy in Washington, D.C., said that he did not have information on the incident and would look into the matter. 

LockBit 2.0 is an updated version of LockBit, a ransomware variant that was first spotted in September 2019, according to the cybersecurity firm Emsisoft. Originally known as ABCD ransomware, after the file extension appended to encrypted files, LockBit took its current name when that extension was later changed to ".LockBit". Moreover, in September, the group made headlines for launching its own leak website.

“This is simply the latest in a very long list of hits on organizations which provide critical services...,” said Brett Callow, a threat analyst at Emsisoft. 

“...Hospitals, [search and rescue], fire departments, and charities for the disabled have all been targeted. The individuals involved with ransomware are conscienceless scumbags and the sooner we find a way to deal with the problem, the better.”

Hackers Expose 190GB of Alleged Samsung Data

Hackers that exposed secret information from Nvidia have now turned their attention to Samsung. The hacker group known as Lapsus$ is suspected of taking 190GB of data from Samsung, including encryption and source code for many of the company's new devices.

On Saturday, hackers launched an attack on Samsung, leaking critical data collected through the attack and making it accessible via torrent. The hackers shared the complete data in three sections in a note to their followers, as seen by Bleeping Computer, along with a text file that details the stuff available in the download. 

The exposed material includes "source code from every Trusted Applet" installed on every Samsung smartphone, as per the message. It also includes "confidential Qualcomm source code," algorithms for "all biometric unlock operations," bootloader source code for the devices, and source codes for Samsung's activation servers and Samsung account authentications, including APIs and services. 

In short, the Lapsus$ attack targets Samsung Github for critical data compromise: mobile defence engineering, Samsung account backend, Samsung pass backend/frontend, and SES, which includes Bixby, Smartthings, and store. 

The attack on Samsung comes after the cyber organisation attempted to extort Nvidia in a ransom scheme. It is worth noting that it was not a straightforward monetary request. Instead, the hackers asked Nvidia to lift the restriction on Ethereum cryptocurrency mining that it has placed on its 30-series GPUs, and demanded that Nvidia's GPU drivers be open-sourced permanently.

The hackers are plainly looking for money from the disclosed data, as evidenced by the updates. For $1 million, one of them promised to sell anyone a bypass for the crypto nerf on Nvidia GPUs. Another communication from the group, according to The Verge, claimed that instead of making the data public, they are attempting to sell it straight to a buyer. 

Last Monday, Nvidia confirmed the breach, acknowledging a leak of "employee credentials" and "proprietary information." However, it disputed that the attack was linked to the ongoing Russia-Ukraine crisis and claimed that the cyberattack would have no impact on its operations.

As of now, there are no reports of Lapsus$ demanding a similar ransom from Samsung. If they do, however, Samsung is likely to suffer a significant setback, especially given the type of data that the hacking group now claims to have access to.

Swissport Ransomware Attack Delays Flights, Disturbs Operations


Swissport International, a supplier of aviation services, was struck by a ransomware attack that disrupted its operations. 

Swissport International Ltd. is an aviation services firm controlled by an international group of investors that provides airport ground, lounge hospitality, and cargo handling services. On behalf of 850 aviation clients, the corporation manages over 282 million passengers and 4.8 million tonnes of cargo each year. Swissport employs over 66,000 people at 307 locations across 50 countries and has combined operating revenue of EUR 2.8 billion. 

Swissport International was the victim of a ransomware attack that disrupted company operations and caused flight delays. According to the German outlet Spiegel, the ransomware attack affected only a small section of the corporation's global IT infrastructure, and a company spokesperson confirmed that the security breach occurred at 6 a.m. on Thursday. 

The attack has been substantially contained, according to the company, which is attempting to rectify the situation as swiftly as possible. 

A spokeswoman for Zurich Airport added, “Due to system problems at our airport partner Swissport, 22 flights were delayed by 3 to 20 minutes yesterday.”

The company spokesman added, “The attack has now been contained and everything is being done to solve the problem as quickly as possible and limit the impact on flight operations. Swissport can continue to provide ground services for airlines safely, but there may be delays in some cases.” 

On Friday afternoon, the Swissport website was unavailable. The organisation has not yet revealed details of the attack, such as the ransomware family that hit its systems or whether the attack resulted in a data leak. No ransomware group has claimed the attack on its leak site. 

Other recent attacks in Europe have affected key infrastructure, such as the one that crippled Oiltanking GmbH, a German petrol distributor that supplies Shell gas stations across the country. The oil provider Mabanaft GmbH was also impacted by the attack, according to the media. The Marquard & Bahls group owns both companies. As per local media, the attacks could have compromised the country's fuel supplies. 

A cyberattack was launched this week on some of the main oil terminals in Western Europe's largest ports. The Amsterdam-Rotterdam-Antwerp oil trading centre, as well as the SEA-Tank Terminal in Antwerp, are among the affected port infrastructure.

REvil Ransomware Operations Seem Unaffected by Recent Arrests


According to threat intelligence firm ReversingLabs, the REvil (Sodinokibi) ransomware group's operation has not slowed despite Russia's recent arrest of numerous suspected members of the group. 

The Russian law enforcement agency FSB declared the takedown of the REvil organisation "at the request of US authorities" two weeks ago, yet the ransomware-as-a-service (RaaS) business is still running. 

After years of being accused of allowing malicious hackers to flourish within its borders as long as no Russian citizens or organisations are harmed, Russia appeared to be sending a distinct signal with the arrest of 14 members of the REvil group, even if some viewed it as a political move amid rising tensions along the Ukraine border. 

The high-profile arrests of affiliates, however, did not halt REvil operations, as ReversingLabs points out. In fact, the group is operating at the same pace as it was before the arrests. 

Europol reported the arrests of seven people involved in spreading REvil and GandCrab ransomware in November 2021 (over a period of seven months), at a time when ReversingLabs was seeing an average of 47 new REvil implants per day (326 per week). 

This was higher than September (43 new implants per day, 307 per week) and October (22 new implants per day, 150 per week), but far lower than July (87 per day, 608 per week), when the group went offline. Following the arrests in Russia, the number of REvil implants observed rose from 24 per day (169 per week) to an average of 26 per day (180 per week). 

“While it's true that more time may be needed to assess the full impact of the arrests on REvil’s activity, the data so far would suggest that it is ‘business as usual’ for the ransomware gang,” ReversingLabs noted. Senior threat researcher Andrew Yeates added:

“Threat groups exploit regionalised regulation and distributed organizational structure with sovereign state safe housing, all while leveraging a ‘no-rule’ borderless attack strategy. That makes it ever harder for national and international criminal policing organizations to put an end to threat groups such as REvil.” 

While synchronised action against REvil infrastructure may have had short-term repercussions on the RaaS's prevalence, much stronger action is required to truly stop the cybercrime ring's operations, especially given the group's corporation-like structure, where affiliates launch attacks and receive payments. 

As a result, removing only affiliates does not affect the core of the RaaS, which can continue operating. Conversely, if only the core is removed, affiliates can either rebuild the enterprise or move to a new RaaS. The same applies to other comparable cybercriminal groups.

Defense Contractor Hensoldt Confirms Lorenz Ransomware Attack


Hensoldt, a multinational defence contractor, disclosed that Lorenz ransomware has infected some of its UK subsidiary's systems. A spokesman for Hensoldt confirmed the incident to BleepingComputer this week. 

Hensoldt's Head of Public Relations, Lothar Belz, told BleepingComputer, "I can confirm that a small number of mobile devices in our UK subsidiary has been affected." 

Belz, however, declined to provide any further specifics on the incident, adding, "for obvious reasons, we do not reveal any more facts in such cases." 

Since April, the Lorenz ransomware group has targeted several organisations around the world, demanding hundreds of thousands of dollars in ransom. Like other ransomware groups, Lorenz operators use a double-extortion approach: they steal data before encrypting it and threaten to leak it if victims don't pay. Ransom demands have been quite high, between $500,000 and $700,000.

Hensoldt AG specialises in sensor technology for security and surveillance missions in the defence, security, and aerospace sectors. Radar, optoelectronics, and avionics are the company's core product areas. 

The defence multinational, which is listed on the Frankfurt Stock Exchange and had revenue of 1.2 billion euros in 2020, offers sensor solutions for defence, aerospace, and security applications. The corporation works with the US government on classified and sensitive contracts, and its products equip tanks, helicopter platforms, submarines, and Littoral Combat Ships, among other things. 

The Lorenz ransomware group has already published the names of the compromised firms on its Tor leak site. At the time of writing, the group claims to have already uploaded 95 percent of all stolen files to the leak site. The gang named the archive file "Paid," implying that someone else paid to keep the Hensoldt files from being exposed. 

Tesorion, a cybersecurity firm, studied the Lorenz ransomware and produced a decryptor that may allow victims to decrypt their files for free in some situations.

The GootLoader Hackers are After Law Firms and Accounting Firms


GootLoader is initial-access malware that allows its operators to install a variety of other malware families, including ransomware, on affected devices. It was first discovered in December 2020. In recent weeks, the GootLoader operators have been primarily targeting employees at law and accounting firms, with the most recent attack occurring on January 6. So far, eSentire says it has intercepted three such attacks. Potential victims are directed to compromised legitimate websites that contain hundreds of pages of business-related content, including free document samples for download, but the download delivers GootLoader instead. 

GootLoader is distributed through drive-by downloads driven by search engine optimisation (SEO) poisoning, specifically on Google. In these recent attacks, the hackers lure business professionals to legitimate but compromised websites that they have packed with hundreds of pages of content, including multiple links to business agreements such as legal and financial agreements.
 
The content claims to provide free downloads of these documents. eSentire's Threat Response Unit (TRU) discovered that the GootLoader hackers set up over 100,000 malicious webpages marketing various forms of commercial deals during an intensive GootLoader campaign that began last December. 

How are the GootLoader threat actors able to infiltrate reputable websites with hundreds of pages of malicious content? 

Unfortunately, it is all too simple. The GootLoader gang has identified hundreds of legitimate websites that use WordPress as their content management system. WordPress, like many other content management systems, has several vulnerabilities that hackers can exploit to load websites with as many malicious pages as they like, without the knowledge of the website owner. According to the TRU team, these websites span a wide range of industries, including hotels, high-end retail, education, healthcare, music, and visual arts. 

"Because of the abundance of content that threat actors have pushed onto the web, when a professional looks for a sample business agreement on Google, the hackers' malicious web pages appear in the top Google searches," said Keegan Keplinger, TRU's research and reporting lead. 

The cybersecurity services provider said it intercepted and shut down attacks on three law firms and an accounting firm; the victims' identities have not been revealed. Organizations should implement a vetting process for business agreement samples, train staff to open documents only from reputable sources, and confirm that the downloaded content matches what was intended for download.

Night Sky: New Ransomware Targeting Corporate Networks


The new year has brought with it new ransomware named 'Night Sky,' which targets corporate networks and steals data in double-extortion attacks. 

The Night Sky operation began on December 27th, according to MalwareHunterTeam, which was the first to identify the new ransomware. The operation has since published the data of two victims. 

One of the victims got an initial ransom demand of $800,000 in exchange for a decryptor and the promise that the stolen material would not be made public. 

How Night Sky encrypts devices

A sample of the Night Sky ransomware seen by BleepingComputer has a personalised ransom note and hardcoded login credentials to access the victim's negotiation page. 

When the ransomware is activated, it encrypts all files except those with the .dll or .exe file extensions. The ransomware will not encrypt the following files or folders: 
AppData
Boot
Windows
Windows.old
Tor Browser
Internet Explorer
Google
Opera
Opera Software
Mozilla
Mozilla Firefox
$Recycle.Bin
ProgramData
All Users
autorun.inf
boot.ini
bootfont.bin
bootsect.bak
bootmgr
bootmgr.efi
bootmgfw.efi
desktop.ini
iconcache.db
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
Program Files
Program Files (x86)
#recycle

Night Sky appends the .nightsky extension to the names of files it encrypts. A ransom note named NightSkyReadMe.hta is dropped in each folder; it provides details about what was stolen, contact emails, and hardcoded credentials for the victim's negotiation page. 

Instead of communicating with victims through a Tor site, Night Sky uses email addresses and a clearnet website running Rocket.Chat. The credentials in the ransom note are used to log in to the Rocket.Chat URL it specifies. 
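The exclusion rules, the .nightsky extension and the per-folder NightSkyReadMe.hta note described above are enough to scope an incident from a file inventory. The following is an added example for incident-response scoping, not code from the original post or from any vendor; it assumes that a skipped folder name anywhere in a path spares the file and that names are matched case-insensitively, as Windows does. The inventory is constructed.

```python
"""Night Sky encryption-scope estimator and artifact finder (added example).

Rules come from the description above: .dll/.exe are skipped, the listed
folders and files are skipped, encrypted files get .nightsky appended, and
NightSkyReadMe.hta is dropped in every folder the malware traverses.
Assumption: a skipped folder name anywhere in the path spares the file.
"""
from pathlib import PureWindowsPath

SKIPPED_EXTENSIONS = {".dll", ".exe"}
SKIPPED_FOLDERS = {n.lower() for n in (
    "AppData", "Boot", "Windows", "Windows.old", "Tor Browser",
    "Internet Explorer", "Google", "Opera", "Opera Software", "Mozilla",
    "Mozilla Firefox", "$Recycle.Bin", "ProgramData", "All Users",
    "Program Files", "Program Files (x86)", "#recycle")}
SKIPPED_FILES = {n.lower() for n in (
    "autorun.inf", "boot.ini", "bootfont.bin", "bootsect.bak", "bootmgr",
    "bootmgr.efi", "bootmgfw.efi", "desktop.ini", "iconcache.db", "ntldr",
    "ntuser.dat", "ntuser.dat.log", "ntuser.ini", "thumbs.db")}
ENCRYPTED_EXT = ".nightsky"
RANSOM_NOTE = "nightskyreadme.hta"


def would_be_encrypted(path: str) -> bool:
    """Apply Night Sky's stated exclusions to a not-yet-encrypted file path."""
    p = PureWindowsPath(path)
    if p.name.lower() in SKIPPED_FILES or p.suffix.lower() in SKIPPED_EXTENSIONS:
        return False
    # Assumption: any skipped folder among the ancestors spares the file.
    return not any(part.lower() in SKIPPED_FOLDERS for part in p.parts[:-1])


def classify_inventory(paths):
    """Sort a file listing into Night Sky artifacts and encryption scope.

    Returns {"encrypted": [(path, original_name)], "notes": [...],
             "at_risk": [...], "spared": [...]}.
    """
    out = {"encrypted": [], "notes": [], "at_risk": [], "spared": []}
    for path in paths:
        p = PureWindowsPath(path)
        name = p.name.lower()
        if name == RANSOM_NOTE:
            out["notes"].append(path)
        elif name.endswith(ENCRYPTED_EXT):
            # Strip the appended extension to recover the original file name.
            out["encrypted"].append((path, p.name[:-len(ENCRYPTED_EXT)]))
        elif would_be_encrypted(path):
            out["at_risk"].append(path)
        else:
            out["spared"].append(path)
    return out


def folders_with_notes(paths):
    """Folders holding NightSkyReadMe.hta: the directories the malware visited."""
    return sorted({str(PureWindowsPath(p).parent) for p in paths
                   if PureWindowsPath(p).name.lower() == RANSOM_NOTE})


# Constructed inventory (not from a real incident): untouched, encrypted
# and excluded paths mixed together.
SAMPLE_INVENTORY = [
    r"C:\Users\alice\Documents\budget.xlsx.nightsky",
    r"C:\Users\alice\Documents\NightSkyReadMe.hta",
    r"C:\Users\alice\AppData\Roaming\cache.bin",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Program Files (x86)\Tool\tool.exe",
    r"D:\Shares\finance\q4.docx",
    r"D:\Shares\finance\desktop.ini",
    r"D:\Shares\finance\NightSkyReadMe.hta",
]

if __name__ == "__main__":
    for key, items in classify_inventory(SAMPLE_INVENTORY).items():
        print(f"{key}: {items}")
    print("traversed folders:", folders_with_notes(SAMPLE_INVENTORY))
```

Run against a pre-incident backup listing, the "at_risk" bucket estimates what an encryption run would have touched; run against the post-incident listing, "encrypted" and "notes" give the confirmed scope.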

Double extortion tactic: 

Before encrypting devices on the network, ransomware operations frequently grab unencrypted data from victims. Threat actors then utilize the stolen data in a "double-extortion" scheme, threatening to leak the information unless a ransom is paid. 

Night Sky built a Tor data leak site to leak the data of victims, which now contains two victims, one from Bangladesh and the other from Japan. While there hasn't been much activity with the new Night Sky ransomware operation, one should keep a watch on it as we enter the new year.

Lapsus$ Ransomware Gang Hacked Portugal's Largest Media Conglomerate


The Lapsus$ ransomware group has compromised and is actively extorting Impresa, Portugal's largest media conglomerate and owner of SIC and Expresso, the country's leading TV channel and weekly newspaper, respectively. The attack occurred during the New Year's holiday and targeted the company's online IT server infrastructure. The websites of Impresa, Expresso, and all SIC TV channels are presently offline. National airwave and cable TV broadcasts are unaffected; however, the attack has disabled SIC's internet streaming capability. 

Both the Expresso newspaper and the SIC TV station stated that they had reported the incident to the PJ criminal investigation police and the National Cybersecurity Centre (CNCS) and would file a complaint. The hackers posted a message on the websites threatening to reveal internal data if the media firm did not pay a ransom. The message includes e-mail and Telegram contact details. 

The Lapsus$ group claimed responsibility for the attack by displaying a ransom note on all of Impresa's websites. In addition to a ransom demand, the message says that the group has gained access to Impresa's Amazon Web Services account. When all of the sites were put into maintenance mode on Monday, Impresa staff appeared to have regained control of this account, but the attackers promptly tweeted from Expresso's verified Twitter account to demonstrate that they still had access to company resources. 

Lino Santos, CNCS's coordinator, informed the Observador newspaper that this was the group's first attack in the country. In the meantime, both media outlets are disseminating news pieces via their social media networks. It was an "unprecedented attack on press freedom in the digital age," they said. 

The Impresa hack is among the most significant cybersecurity events in Portugal's history. Impresa is by far the largest media group in the country. According to September 2021 TV ratings, SIC and all of its secondary channels lead the TV market, while Expresso has the highest weekly periodical circulation figures. Impresa also owns a slew of other media organisations and periodicals, all of which are likely to be impacted by the attack.

Before the Impresa attack, the Lapsus$ group hacked and ransomed the Ministry of Health of Brazil, as well as Claro and Embratel, two South American telecommunications firms. This is the second ransom attack on a media conglomerate during the holiday season, following the Ryuk gang's December 2018 attack on Tribune Publishing, owner of the Los Angeles Times.

Report: PYSA Emerges as Top Ransomware Actor in November


According to NCC Group, a UK-based risk mitigation organisation, PYSA and Lockbit were the most significant ransomware threats in November 2021.

Lockbit has been a leading ransomware threat since August of this year, with Conti dominating the landscape as well. Conti's popularity began to fade in November, and PYSA took its place. The total number of organisations infected with PYSA climbed by 50% last month. 

The number of compromised governmental institutions has also increased by 400 per cent, according to the NCC Group. PYSA stands for 'Protect Your System Amigo', and it has been active since late 2019, mostly targeting the education, healthcare, and government sectors.

In March 2021, the FBI issued a warning about PYSA. PYSA was thought to target only Windows systems until September 2021, when evidence was discovered that the ransomware was being prepared to target Linux systems as well. 

NCC Group noted, “PYSA is a malware capable of exfiltrating data and encrypting users’ critical files and data, which typically targets large or high-value finance, government and healthcare organizations.” 

In November, the total number of ransomware assaults was 1.9 per cent higher than in October, with firms in North America and Europe being hit the hardest. According to the NCC Group, ransomware affected 154 companies in North America last month (140 in the United States and 14 in Canada). A total of 96 European victims have been identified, the majority of whom are from the United Kingdom (32), France (14), Italy, and Germany (11 each). 

“The industrial sector continued to be the most targeted sector in November. Meanwhile, automotive, housing, entertainment, and retail businesses overtook technology this month, with attacks targeting the sector decreasing by 38.1%,” NCC Group stated. 

The cybersecurity firm also saw the Everest ransomware group providing paid access to their victims' infrastructure in November. Other groups are also anticipated to forego a ransom demand in the future and instead grant access to the compromised infrastructure.

MediaMarkt Struck by Hive Ransomware, Initial $240 Million Ransom Demand


A Hive ransomware operation hit MediaMarkt, a German multinational chain of consumer electronics stores, with the threat actors initially demanding a ransom of $240 million. IT systems in the Netherlands and Germany were shut down as a result of the incident, and store operations were hampered. 

With over 1,000 stores in 13 countries, MediaMarkt is Europe's largest consumer electronics retailer. It employs around 53,000 people and has total sales of €20.8 billion. At the start of this week, a ransomware attack hit MediaMarkt, encrypting servers and workstations and prompting a shutdown of IT services to stop the attack from propagating. 

The ransomware attack, according to BleepingComputer, affected several retail stores across Europe, particularly in the Netherlands. While online sales are unaffected, cash registers in affected stores are unable to accept credit cards or print receipts. The system shutdown is also restricting returns, as previous purchases cannot be looked up. Employees have been instructed to avoid encrypted systems and to disconnect cash registers from the network. 

According to screenshots of alleged internal communications posted on Twitter, the attack compromised 3,100 servers; BleepingComputer has so far been unable to verify those claims. BleepingComputer reports that the Hive ransomware group is behind the attack and demanded a huge, but unrealistic, $240 million ransom for a decryptor for the encrypted files. 

Ransomware groups frequently demand high ransoms at first to allow for negotiation, and they generally only get a portion of what they demand. However, BleepingComputer has been told that during the attack on MediaMarkt, it was almost automatically dropped to a significantly smaller amount. 

While it is unclear whether unencrypted data was captured in the attack, Hive ransomware is known to steal files and post them on its 'HiveLeaks' data breach site if a ransom is not paid. When BleepingComputer contacted MediaMarkt about the hack, they received the following response: 

“The MediaMarktSaturn Retail Group and its national organizations became the target of a cyberattack. The company immediately informed the relevant authorities and is working at full speed to identify the affected systems and repair any damage caused as quickly as possible. In the stationary stores, there may currently be limited access to some services. MediaMarktSaturn continues to be available to its customers via all sales channels and is working intensively to ensure that all services will be available again without restriction as soon as possible. The company will provide information on further developments on the topic. - MediaMarkt.”

About the Hive ransomware 
Hive ransomware was first discovered in June 2021 and has already hit over 30 companies, counting just those who did not pay the demanded ransom. The Hive group, according to the FBI, uses a range of tactics, methods, and processes to breach targeted networks. 

Hive ransomware is file-encrypting malware that gained notoriety through attacks on the Memorial Health System, where employees were forced to work with paper charts while their computers were encrypted. Altus Group was another victim: the hackers stole corporate information and data from the software supplier, which were then published on HiveLeaks. 

Hive has also created variants to encrypt Linux and FreeBSD servers, which are often used to host virtual machines.