Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Ransom. Show all posts
Threat Intelligence
Business Security Cl0p Cyber Security Google Mandiant Ransom Threat Intelligence

Google Warns of Cl0p Extortion Campaign Against Oracle E-Business Users

 

Google Mandiant and the Google Threat Intelligence Group are tracking a suspected extortion campaign by the Cl0p ransomware group targeting executives with claims of stealing Oracle E-Business Suite data. 

The hackers have demanded ransoms reaching up to $50 million, with cybersecurity firm Halcyon reporting multiple seven and eight-figure ransom demands in recent days. The group claims to have breached Oracle's E-Business Suite, which manages core operations including financial, supply chain, and customer relationship management functions.

Modus operandi 

The attackers reportedly hacked user emails and exploited Oracle E-Business Suite's default password reset functionality to steal valid credentials. This technique bypassed single sign-on protections due to the lack of multi-factor authentication on local Oracle accounts. At least one company has confirmed that data from their Oracle systems was stolen, according to sources familiar with the matter. The hackers provided proof of compromise to victims, including screenshots and file trees.

This activity began on or before September 29, 2025, though Mandiant experts remain in early investigation stages and have not yet substantiated all claims made by the group. Charles Carmakal, Mandiant's CTO, described the operation as a high-volume email campaign launched from hundreds of compromised accounts. Initial analysis confirms at least one compromised account previously associated with FIN11, a long-running financially motivated threat group known for deploying ransomware and engaging in extortion.

Threat actor background 

Since August 2020, FIN11 has targeted organizations across multiple industries including defense, energy, finance, healthcare, legal, pharmaceutical, telecommunications, technology, and transportation. The group is believed to operate from Commonwealth of Independent States countries, with Russian-language file metadata found in their malware code. In 2020, Mandiant observed FIN11 hackers using spear-phishing messages to distribute a malware downloader called FRIENDSPEAK.

An email address in the extortion notes ties to a Cl0p affiliate and includes Cl0p site contacts, though Google lacks definitive proof to confirm the attackers' claims. The malicious emails contain contact information verified as publicly listed on the Cl0p data leak site, strongly suggesting association with Cl0p and leveraging their brand recognition. Cl0p has launched major attacks in recent years exploiting zero-day flaws in popular software including Accellion, SolarWinds, Fortra GoAnywhere, and MOVEit.

Security recommendations

Oracle confirmed the investigation on October 3, 2025, stating that attacks potentially relate to critical vulnerabilities disclosed in their July 2025 Critical Patch Update. The company strongly encouraged customers to review the July update and patch their systems for protection. Mandiant researchers recommend investigating environments for indicators of compromise associated with Cl0p operations.
Read more »
Ransom
Cyber PMC Data Breach Paraguay Ransom

Paraguay Faces Data Breach Threat as Cyber Group Demands Ransom

 


A cyber extortion group is pressuring the Paraguayan government to pay a ransom of $7.4 million, roughly equal to one dollar for each citizen of the country. The group, which calls itself Brigada Cyber PMC, claims to have stolen personal information from three different Paraguayan government systems, including records of about 7.2 million people from the national civil registry, which manages voter information and other key data.

The hackers posted their demands on their dark web site on Sunday, warning that if the payment is not made by June 13, they will leak all the stolen information to the public. However, by Thursday, the group’s leak site had gone offline and was showing a basic server message, making its current status unclear.


Who Are the Hackers?

Little is known about Brigada Cyber PMC. Their website simply states, “You don’t need to know who we are.” At this stage, it’s uncertain whether they are working independently or if they have backing from a larger organization or government.

According to cybersecurity company Resecurity, the first signs of this data breach appeared on May 28, when a user named "Gatito_FBI_Nz" posted on a cybercrime forum offering to sell two databases containing information on Paraguayan citizens. The seller also provided a sample of nearly 940,000 records and appeared to be connected to other leaks in South America, based on their usernames and contact details shared on Telegram.

Resecurity’s investigation suggests that the hacker involved may have also attacked government systems in other South American countries. Paraguay’s national cybersecurity team, CERT-PY, has been informed of the situation.


The Targeted Systems

One of the affected Paraguayan government websites belonged to the National Agency for Transit and Road Safety, which went offline on May 29 but was brought back the next day. Some of the leaked records appear to have come from this agency and include sensitive personal details such as names, ID numbers, dates of birth, professions, marital status, and nationalities.

Another incident was reported on May 31, when a different hacker named "el_farado" posted another large set of Paraguayan citizen data for sale. This data was allegedly taken from government systems in the Cordillera region. Resecurity noted possible links between this hacker and FunkSec, a ransomware group active since late 2024. The structure of this data suggests it may have come from a separate cyberattack.


History of Attacks

This is not the first time Paraguay’s government networks have been targeted. Resecurity pointed out that a civil registry database was stolen and leaked about two years ago, but it’s unclear whether that older data is now being reused by the current attackers.

In another major case in November 2024, Paraguay’s critical infrastructure was found to be compromised by a hacking group reportedly connected to China, according to a joint investigation by Paraguayan officials and the U.S. Southern Command. That breach was linked to the group known as Flax Typhoon, but no public data leaks or officially confirmed victims were reported in that incident.

Read more »
Ransom
Coinbase Crypto Crypto Wallet cryptocurrency Cyber Security Data Theft Extortion Ransom

$400Million Coinbase Breach Linked to Customer Data Leak from India


Coinbase data breach linked to India

A Reuters investigation revealed that cryptocurrency exchange Coinbase knew in January about a breach affecting outsourced customer support agents in India. Six people who knew about the incident said Coinbase was aware of sensitive user data compromise through its contractor, TaskUs, before it was officially announced in May. 

On 14th May, TaskUs filed an SEC document revealing that an India-based TaskUs employee was found taking pictures of a computer screen with her phone. Five former TaskUs employees confirmed that the worker and one accomplice were bribed by threat actors to get Coinbase user data.

The breach cost $400 million

After this information, more than 200 TaskUs employees were fired in a mass layoff from the Indore center, which drew media attention in India. Earlier, Coinbase suspected ‘overseas support agents’ but now the breach is estimated to cost 400 million dollars.

Coinbase had been a long-term partner of TaskUs, a Texas-based outsourcing firm, cost-cutting labor by giving customer support work to offshore teams. After 2017, TaskUs agents, mostly from developing countries, handled Coinbase customer inquiries. 

In the May SEC filing, Coinbase said it didn’t know about the full scale of the breach until it received an extortion demand of $20 Million on 11th May. As a cautionary measure, Coinbase cut ties with TaskUs employees and other unknown foreign actors. Coinbase has notified regulators, compensated affected users, and taken strict measures to strengthen security. 

In a public statement, TaskUs confirmed it had fired two staff (unnamed) for data theft but didn’t mention Coinbase. The company found the two staff involved in a cyber attack campaign that targeted other service providers linked to the client. 

Hackers use social engineering tactic

Hackers did not breach the Coinbase crypto wallets directly, they cleverly used the stolen information to impersonate the Coinbase employees in a series of social engineering scams. The hackers posed as support agents, fooling victims into transferring their crypto assets. 

According to Money Control, “The person familiar with the matter confirmed that Coinbase was the client and that the incident took place in January. Reuters could not determine whether any arrests have been made. Police in Indore did not return a message seeking comment.”

Read more »
Ransom
Co-op Cyber Attacks Cyber Triggers CyberCrime Cyberhackers Cyberscams CyberThreat NCSC Ransom

Co-op Hack Triggers Widespread Scam Risk for Consumers


 

Several cyberattacks on major British retailers including Marks & Spencer, the Co-op Group, and others have been attributed to social engineering, the practice of deceiving internal support teams by impersonating legitimate employees to deceive internal support teams. It has been reported that the attackers contacted the companies' IT help desks and posed convincingly as employees seeking immediate assistance. 

Using trust and urgency as a basis, they were able to persuade help desk employees to reset passwords for internal accounts, giving them unauthorised access to sensitive corporate information. Using this technique, attackers could potentially gain access to sensitive data, internal communications, and systems that may be used to further exploit or steal data, as it bypasses traditional technical safeguards. 

Once inside the networks, the attackers could potentially gain access to confidential data, internal communications, and systems that could be used for further exploitation. According to the UK's National Cyber Security Centre (NCSC), in light of these developments, all organisations should conduct a thorough review of their authentication procedures for help desks. 

As social engineering attacks are becoming increasingly sophisticated and difficult to detect, NCSC stresses the importance of implementing strict identity verification methods and training employees to recognise such techniques to prevent them from occurring in the future. Approximately 2,000 grocery outlets are operated by the Co-operative Group, along with 800 funeral homes and legal and financial services, in addition to offering food and beverage services. 

It has been confirmed that precautionary measures have been taken to protect the company's digital infrastructure. These included temporarily suspending certain internal systems that are used by retail operations and the legal department for their operations. A number of the organisation's systems have been affected, including the platform used to monitor stock levels. 

A source familiar with the matter has indicated that unresolved disruptions may result in localised supply issues, which could lead to product shortages on store shelves if not handled promptly. It was also announced that some employees' access to certain digital tools was restricted in response to the breach, so that remote work capabilities would be limited starting Wednesday. As a result of these internal disruptions, the Co-op has said that its retail stores, including those which provide rapid delivery services and funeral care branches, will remain open and operational normally despite these disruptions. 

According to the National Cyber Security Centre (NCSC), it has acknowledged its involvement in the incident and is actively supporting the Co-operative Group as they investigate it. In addition, it is believed that the company is working closely with Marks & Spencer to assess the scope and nature of an incident that occurred in a separate but similarly timed manner, with efforts underway to determine whether there is any connection between the two breaches. 

As a matter of fact, the attack on two major retailers in close succession is unlikely to be a coincidence, according to Marijus Briedis, Chief Technology Officer of Nord Security. It suggests that there has been some coordination between both retailers or perhaps even a shared vulnerability. 

According to the Co-operative Group, although its back-office operations and customer service call centres have suffered disruption, the company's network of 2,000 grocery stores and 800 funeral homes across the UK remains fully functional and continues to serve its customers without interruption, despite these disruptions. 

When the cybercriminal group Scattered Spider first gained prominence in September 2023, it was after successfully infiltrating Caesars Entertainment and MGM Resorts International, an attack which, reportedly, forced Caesars to pay a ransom of $15 million. Recently, the group has been operating in the UK, and they seem to have changed their approach to attacking IT personnel by using sophisticated social engineering tactics rather than technical exploits. 

It has been reported that one of the suspects, Scottish national Tyler Buchanan, has been extradited to the United States from Spain, where he has been charged with attempting to compromise several corporate networks. As a result of Buchanan and his network's involvement in numerous complex and multistage cyber intrusions, U.S. prosecutors are emphasising the growing threat cybercrime poses to society. 

Despite Marks & Spencer's continued efforts to restore its digital systems, and as the Co-op assesses the full extent to which customer data might be exposed by the incidents, critical cybersecurity vulnerabilities have been revealed in enterprise cybersecurity protocols. It has become increasingly important for organisations to prioritise layered, adaptive security frameworks that go beyond traditional defences to combat threats from attackers exploiting human behaviour over system weaknesses. 

It is ultimately clear that in a digital-first economy, the presence of cyber threats must be built into every aspect of the organisation, and to do so, organisations must embed cybersecurity into every aspect of their business. It remains a fact that human factors are the most exploited vulnerability, and without constant vigilance and robust incident response plans, even industry leaders are vulnerable. As M&S continues to deal with major problems caused by a cyber attack attributed to the hacking collective Scatter Spider, the problems have emerged. 

In light of the M&S incident, the Co-op did not comment on whether the extra checks it had conducted resulted in the detection of attempted attacks on its systems. However, it did inform staff of the importance of protecting our systems, mentioning the recent issues surrounding M&S and the cyber-attack they have experienced in the past few weeks. As part of its commitment to reducing costs and preventing shoplifting, the company announced that technology would play an important role in reducing costs and preventing shoplifting. 

The Co-op's grocery stores are currently introducing new technologies such as electronic shelf edge pricing to reduce labour hours, as well as expanding fast-track online grocery delivery services. Morrisons has been at the centre of cyberattacks in the last couple of years. In the run-up to Christmas last year, the retailer suffered from an incident at its tech supplier Blue Yonder that caused the retailer to become extremely vulnerable to cyber threats. 

As recently as 2023, WH Smith was attacked by cyber criminals who illegally accessed their company information, including the personal details of current and former employees. This occurred less than a year after a cyber-attack on WH Smith's Funky Pigeon site forced the store to stop accepting orders for about a week following a cyber-attack. As a result of the recent cyber attacks on leading UK retailers, such as Marks & Spencer and the Co-operative, there is now an urgent and escalating challenge facing the UK: cybercrime is becoming a more prevalent threat in an increasingly digital retail environment. 

In addition to enhancing customer experience, retailers are increasingly embracing advanced technologies to increase efficiency, reduce operational costs, and improve efficiency, but they also increase their exposure to cyber risks, particularly those originating from human manipulation and procedural errors. It is important to note that in a complex ecosystem where automation, remote access systems, and third-party technology partnerships are converging, a single vulnerability can compromise entire networks, resulting in a complex ecosystem. 

It is important for cybersecurity tnot to be viewed simply as a technical function but rather as an integral part of every layer of an organisation's operations. Managing these threats requires organisations to use a holistic approach - issuing regular training to staff on social engineering awareness, setting up thorough verification processes, and auditing access control systems regularly - to mitigate such threats. 

In order to avoid reactive measures, the implementation of zero-trust frameworks, the cooperation with cybersecurity experts, and continual incident simulation exercises must become standard practice instead of reactive ones. For businesses to keep up with the pace of cybercriminals, as they often operate across borders using coordinated tactics, they must also evolve. In addition, boards and leadership teams are responsible for cybersecurity resilience by ensuring that adequate investments, governance, and crisis management plans have been established. 

Additionally, regulatory bodies and industry alliances should make an effort to establish unified standards and collaboratively share threat intelligence, particularly in sectors regarded as high risk. It is not an isolated incident; the recent breaches are a sign of a broader pattern that reveals a systemic vulnerability in the retail supply chain as a whole. The digital age has made it increasingly difficult to ignore cybersecurity when it comes to businesses that depend on trust, reputation, and uninterrupted service crucial element of long-term survival and customer trust.
Read more »
Ransom
Automobile Industry Cyber Attacks Hackers Ransom

Auto Industry Faces Sharp Rise in Cyberattacks, Raising Costs and Risks

 



The growing use of digital systems in cars, trucks, and mobility services has made the automotive industry a new favorite target for hackers. Companies involved in making vehicles, supplying parts, and even selling them are now dealing with a sudden rise in cyberattacks, many of which are leading to heavy losses.

A recent report by cybersecurity firm Upstream Security shows that these attacks are not only increasing but also affecting much larger groups of vehicles and connected systems. In 2024, nearly 60% of the reported incidents impacted thousands or even millions of assets—this includes vehicles, electric vehicle charging stations, smart driving apps, and other connected tools used in transportation.

Even more worrying is the spike in large-scale cyberattacks. Cases where millions of vehicles were hit at once rose sharply from 5% in 2023 to 19% in 2024. These massive events now account for almost 60% of all attacks recorded in the year.

Experts warn that attackers have changed their approach. Instead of just hacking into a single vehicle’s system, they now aim to cause widespread damage or steal large amounts of data. By doing so, they increase the pressure on companies to pay hefty ransoms to avoid public embarrassment or serious business disruption.

Jason Masker, a cybersecurity specialist from Upstream, explained that hackers often search for the most damaging way to force companies into paying them. If they can gain control of millions of vehicles or access sensitive information, they can easily threaten a company’s image and safety standards.

The report also shared a serious example of how hackers can even manipulate a car’s safety features. Researchers found that the radar used for adaptive cruise control— a system that keeps cars at a safe distance can be tricked. Hackers could make it appear that the vehicle ahead is speeding up when it isn’t, potentially causing a crash.

Several major cyber incidents have already occurred:

• A leading Japanese car company’s U.S. unit was targeted by ransomware, leaking 22GB of vehicle and customer data.

• A Chinese auto supplier suffered a large breach involving 1.2TB of sensitive information, affecting both local and global carmakers.

• In Italy, a German automaker’s branch faced a data breach that exposed private customer details.

The report further explains that traditional cyberattacks— like locking systems and demanding ransom, are slowly becoming less effective, as many companies have backups ready. Now, hackers prefer stealing data and threatening to leak it unless they’re paid.

What’s more concerning is the gap between what cybersecurity rules require and how prepared companies actually are. Many businesses falsely believe they are fully protected, while attackers continue finding new ways to break through.

Upstream Security suggests companies need to act beyond just following regulations. Safety, smooth operations, and protecting customer data must be prioritized.

To help prevent future attacks, Upstream monitors over 25 million vehicles worldwide, tracking billions of data points daily. They also watch online forums where cybercriminals sometimes plan their attacks.

Looking at the bigger picture, experts predict artificial intelligence will become a vital tool in spotting and blocking cyber threats quickly. As vehicles get more connected, the risk of cyberattacks is expected to grow, putting companies, drivers, and users of smart mobility systems at greater risk.


Read more »
Ransom
Cyber Attacks Data Breach Data Extortion FBI Ransom

FBI Warns Business Executives About Fake Extortion Scam

 



The Federal Bureau of Investigation (FBI) has warned corporate executives about a new scam designed to trick them into paying large sums of money. Criminals are sending threatening letters claiming to have stolen sensitive company data and demanding a ransom. They are falsely using the name of a well-known hacker group to appear more convincing. However, the FBI has found no actual link between the scammers and the group they claim to represent.  


How the Scam Operates  

According to an FBI alert issued on March 6, 2025, the scammers are mailing letters to company executives marked as urgent. These letters state that hackers have broken into their company's systems and taken confidential data. The scammers then demand a payment of anywhere between 250,000 and 500,000 dollars to prevent the data from being exposed online.  

To pressure victims into paying, the letter includes a QR code that directs them to a Bitcoin wallet for the ransom payment. The message also warns that the criminals will not negotiate, adding to the urgency.  

The letter claims to be from a group known for past cyberattacks, but investigators have found no evidence that the real organization is behind these threats. Instead, scammers are using the group's name to make their claims seem more credible and to scare victims into complying.  


Why Executives Are Being Targeted  

Top business leaders often have access to critical company information, making them valuable targets for cybercriminals. Attackers believe that these individuals will feel pressured to act quickly when they receive threats about stolen data. By creating a sense of urgency, the scammers hope their victims will pay the ransom without questioning its legitimacy.  

The FBI has stressed that companies should not assume the threats are real just because they mention a well-known hacking group. Instead, businesses should focus on improving their cybersecurity defenses and educating employees about potential scams.  


How to Protect Against This Scam  

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have shared several important steps businesses can take to safeguard themselves against such scams:  

1. Inform and Educate – Business executives and employees should be aware of this type of scam so they can identify suspicious threats and avoid panic.  

2. Strengthen Security Systems – Companies should ensure that their firewalls, antivirus software, and security protocols are up to date and functioning effectively.  

3. Establish a Response Plan – Organizations should have a clear strategy in place for handling extortion threats. They should not respond or pay the ransom but instead follow proper security procedures.  

4. Report Suspicious Activity – If a business receives one of these extortion letters, it should immediately inform the FBI or report the incident through the Internet Crime Complaint Center (IC3). Reporting such cases helps authorities track cybercriminals and take action against them.  


Why Awareness is Crucial  

This scam highlights the growing trend of cybercriminals using fear to manipulate victims into handing over large amounts of money. While there is no confirmation that the real hacker group mentioned in the letter is involved, this situation serves as a reminder for businesses to stay cautious.  

The best way to prevent falling victim to such scams is through strong security measures, employee awareness, and prompt reporting of suspicious activity. The FBI is closely monitoring the situation and urges companies to take cybersecurity seriously to avoid financial and reputational damage.

Read more »
Scam
Cybersecurity FBI malware Ransom Scam

FBI Warns of Fake Ransom Demands Sent by Mail to US Executives

 



A new scam is targeting top business leaders in the United States, where criminals are sending letters demanding large ransom payments. Unlike typical ransomware attacks that involve hacking into computer systems, this scheme relies on physical mail. The letters claim that hackers have stolen company data and will leak it unless a ransom of $250,000 to $500,000 is paid. However, cybersecurity experts believe this is a fraud, with no actual hacking involved.  


How the Scam Works  

Investigators from the GuidePoint Research and Intelligence Team (GRIT) discovered that several companies have received these ransom letters through the US Postal Service (USPS). The letters are addressed to high-level executives and claim to be from the BianLian ransomware group, a known cybercriminal organization.  

The message states that the company's confidential information has been stolen and will be exposed unless the demanded payment is made within ten days. To make the threat appear real, the letter includes a Bitcoin wallet address and a QR code that links directly to it. Some letters also provide links to BianLian’s dark web site to add legitimacy to the claim.  

Despite these details, security analysts have found no proof that any actual data theft has occurred. The scam relies on fear and deception, hoping that executives will panic and send money.  


Why Experts Believe the Threat Is Fake  

Cybersecurity specialists have carefully examined multiple cases of this scam and found no signs of hacking or data breaches. The companies targeted in this scheme have not reported any unusual activity or unauthorized access to their systems. This strongly suggests that the criminals behind the letters are only pretending to be the BianLian ransomware group.  

The FBI has confirmed that these letters are part of a fraud campaign and do not represent a real cyberattack. Many of the envelopes are marked as "Time Sensitive" to create urgency, and some even list a return address in Boston, Massachusetts, which appears to be another false detail.  

Since there is no actual ransomware attack, businesses do not need to take technical action like removing malware or restoring stolen files. The main risk comes from executives believing the scam and paying the ransom.  


What to Do If You Receive One of These Letters  

If your company receives a similar ransom demand, take the following precautions:  

1. Check Your Systems for Security Issues – Ensure that company networks are protected and that there are no signs of hacking or data leaks. Keeping cybersecurity measures updated is always important.  

2. Do Not Send Any Money – These threats are fake, and paying the ransom will only encourage further scams.  

3. Report the Scam – Contact law enforcement and inform the nearest FBI field office about the letter. Complaints can also be filed with the Internet Crime Complaint Center (IC3).  

4. Inform Key Personnel – Let executives and employees know about this scam so they can recognize and ignore similar fraud attempts in the future.  

 

This scam is a reminder that cybercriminals do not always rely on advanced hacking techniques. Sometimes, they use old-fashioned methods like physical mail to create fear and manipulate victims into paying. While real ransomware attacks remain a serious concern, this particular scheme is based on false claims.  

Companies should stay informed and take precautions to avoid falling victim to these types of fraud. Being aware of such scams is the best way to protect against them.

Read more »
Ransom
Crypto Extortion Crypto Scam Cyber Crime Kidnapping Ransom

Crypto Dealers Targeted in Alarming Kidnapping and Extortion Cases

 

Recent incidents have revealed a troubling trend of cryptocurrency dealers being targeted for kidnappings and extortion. These cases underline the risks associated with the growing prominence of the cryptocurrency sector.

French authorities recently rescued a 56-year-old man found tied in the trunk of a car in Le Mans. According to France Bleu Normandie, the man had been abducted on New Year’s Eve by masked assailants who broke into his home, tied him and his wife up, and transported him approximately 500 kilometers across the country.

The captors used encrypted communication networks to demand a ransom from his son, a cryptocurrency influencer based in Dubai. The victim was discovered disoriented and covered in gasoline, prompting an ongoing investigation as the perpetrators remain at large.

Global Surge in Crypto-Related Crimes

Cryptocurrency's rising value and adoption have made it a lucrative target for cybercriminals. On December 17, Bitcoin (BTC) reportedly reached significant highs, amplifying interest in the sector. This growth has drawn attention from threat actors engaging in malware attacks, kidnappings, and extortion schemes.

For instance, on December 25, a cryptocurrency merchant in Pakistan was kidnapped in Karachi. The assailants coerced the victim into transferring $340,000 in cryptocurrency before abandoning him. Seven individuals, including a Counter-Terrorism Department officer, were later arrested, and charges for kidnapping and extortion were filed under the Pakistan Penal Code.

Cryptocurrency and Ransom Scams

In Australia, a case involving a Saudi royal highlighted the use of social platforms in abduction schemes. The victim was lured via a dating app to a location where he was ambushed and restrained. Threatened with severe harm, he transferred $40,000 in Bitcoin. While the lead perpetrator, Catherine Colivas, avoided prison due to mitigating circumstances, the case underscores the broader vulnerabilities in cryptocurrency transactions.

According to analysts at Chainalysis, the expanding ransomware landscape compounds these risks. Tracking incidents and ransom payments made in cryptocurrencies remains a significant challenge, emphasizing the need for heightened security and vigilance in the sector.

Read more »
User Data
Data Breach Data Leak Ransom Stolen Data User Data

AT&T Paid Attackers $370K to Delete Stolen Customer Data

 

AT&T reportedly paid a hacker more than $370,000 to remove stolen customer data. In an extraordinary turn of events, the ransom may not have gone to those responsible for the breach.

Last Friday, AT&T disclosed that an April data breach had exposed the call and text records of "nearly all" of its customers, including phone numbers and call counts. In a filing with the Securities and Exchange Commission (SEC), AT&T claimed it has since tightened its cybersecurity measures and is working together with law authorities to investigate the incident.

It now appears that AT&T has taken additional steps in response to the intrusion. According to Wired, AT&T paid a ransom of 5.7 bitcoin to a member of the hacking group ShinyHunters in mid-May, which was worth little more than $373,000 at the time. In exchange for this money, the hacker allegedly deleted the stolen data from the cloud server where it was stored, as well as providing video footage of the act. 

However, there is no guarantee that the millions of people affected by the latest massive AT&T attack will be entirely safe, as digital data can be easily copied. The security expert who mediated negotiations between AT&T and the hacker told Wired that they believe the only complete copy of the stolen dataset was wiped. However, partial fragments may remain at large. 

Prior to AT&T's announcement of the incident, it was revealed that Santander Bank and Ticketmaster had also been penetrated using login credentials that had been taken by an employee of the independent cloud storage provider Snowflake. According to Wired, following the Ticketmaster breach, hackers may have infiltrated over 160 companies at once using a script.
Read more »
Ransomware
Cyber Attacks French HealthCare Ransom Ransomware

French Hospital CHC-SV Refuses to Pay LockBit Ransomware Demand

 

The Hôpital de Cannes - Simone Veil (CHC-SV) in France revealed that it has received a ransom demand from the Lockbit 3.0 ransomware gang and refused to pay the ransom. 

On April 17, the 840-bed hospital announced a serious operational disruption caused by a cyberattack, forcing it to shut down all computers and reschedule non-emergency procedures and appointments. 

Earlier this week, the establishment revealed on X that it had received a ransom demand from the Lockbit 3.0 ransomware operation, which it referred to the Gendarmerie and the National Agency for Information Systems Security (ANSSI). 

At the same time, the LockBit ransomware organisation added CHC-SV to their darkweb extortion site, warning to release the first sample pack of files stolen during the attack before the end of the day. The healthcare organisation tweeted that they will not pay the ransom and will notify affected individuals if the threat actors begin leaking data. 

“In the event of a data release potentially belonging to the hospital, we will communicate to our patients and stakeholders, after a detailed review of the files that may have been exfiltrated, about the nature of the stolen information.” 

Meanwhile, the hospital's IT workers are currently working to restore compromised systems to normal operational status, as internal inquiries into the incident continue. 

Ruthless stance 

 
The FBI's disruption of the LockBit ransomware-as-a-service operation through 'Operation Cronos' and the simultaneous release of a decryptor in mid-February 2024 have had a negative impact on the threat group. 

Affiliates have lost faith in the project, and others have chosen to remain anonymous for fear of being identified and prosecuted. Despite the inconvenience, the ransomware operation relaunched a week later, with fresh data leak sites and updated encryptors and ransom demands. 

LockBit's attitude regarding assaults on healthcare providers has always been ambiguous at best, with the group's leaders failing to enforce the declared restrictions on affiliates carrying out attacks that compromised patient care. The attack on CHC-SV confirms the threat group's utter disdain for the sensitive topic of preventing disruptions to healthcare services. 

Read more »
Ransom
Cyber Attacks Data Leak Healthcare Breach Patient Data Ransom

UnitedHealth Paid Ransom After Massive Change Healthcare Cyber Assault

 

The Russian cybercriminals who targeted a UnitedHealth Group-owned company in February did not leave empty-handed.

"A ransom was paid as part of the company's commitment to do everything possible to protect patient data from disclosure," a spokesperson for UnitedHealth Group stated earlier this week. 

The spokesperson did not reveal how much the healthcare giant paid following the cyberattack, which halted operations at hospitals and pharmacies for more than a week. Multiple media outlets claimed that UnitedHealth paid $22 million in bitcoin. 

"We know this attack has caused concern and been disruptive for consumers and providers and we are committed to doing everything possible to help and provide support to anyone who may need it," UnitedHealth CEO Andrew Witty said in a statement Monday. 

UnitedHealth attributed the intrusion on the Russian ransomware gang ALPHV, also known as BlackCat. The group claimed responsibility for the attack, stating that it took more than six terabytes of data, including "sensitive" medical records, from Change Healthcare, which handles health insurance claims for patients who visit hospitals, medical centres, or pharmacies. 

The attack's scale—Change Healthcare performs 15 billion transactions every year, according to the American Hospital Association—meant that even people who were not UnitedHealth clients could have been affected. The attack has already cost UnitedHealth Group almost $900 million, company officials said in reporting first-quarter earnings last week. 

Ransomware attacks, which include disabling a target's computer systems, are becoming more widespread in the healthcare industry. In 2022, a study published in JAMA Health Forum found that the yearly frequency of ransomware attacks against hospitals and other providers increased.

It was "straight out an attack on the U.S. health system and designed to create maximum damage," Witty informed analysts last week during an earnings call about the Change Healthcare incident. According to UnitedHealth's earnings report, the cyberattack is ultimately estimated to cost the organisation between $1.3 billion and $1.6 billion this year.
Read more »
USA
cyber attack Cyber Attacks Cyber Concerns Hospital Information System Ransom Threats to Hospitals USA

Cybersecurity Crisis on US Healthcare Sector Children Hospital in Alarms

 

In a recent and alarming development, Lurie Children's Hospital, a distinguished pediatric care facility in Chicago, has been forced to disconnect its network due to a pressing "cybersecurity matter." This precautionary step is a response to the escalating cyber threats targeting healthcare systems nationwide, causing concern among experts and regulatory bodies. 

The decision to take the network offline emphasizes the severity of the situation, highlighting the hospital's firm commitment to protecting patient data and maintaining operational integrity. Cybersecurity experts are issuing warnings, emphasizing the urgent need for heightened vigilance across the healthcare sector, as potential vulnerabilities pose a significant threat on a national scale. 

Lurie Children’s Hospital, utilizing Epic System’s electronic health record software, has affirmed its proactive response to the ongoing cybersecurity issue. The hospital is actively engaged in collaboration with experts and law enforcement to address the situation, underscoring the gravity of the threat. 

While the Illinois-based medical facility remains operational, it has proactively disabled phone lines, email services, and the electronic medical system. These necessary precautions have, unfortunately, led to disruptions, impacting scheduled surgeries and creating communication challenges for families attempting to reach doctors, CBSNews reported that these disruptions began on Wednesday. 

This incident further amplifies the growing concerns voiced by regulators and experts about the expanding landscape of cybersecurity threats in the healthcare sector. 

In response to a 2023 report warning of "dramatic increases" in cyber attacks impacting US hospitals, the Department of Health and Human Services has released voluntary cybersecurity objectives for the health sector. The report underscored the potential compromise of hospital operations and financial extortion, emphasizing the crucial need for heightened vigilance and proactive measures within the healthcare industry. Moreover, the health sector witnessed an unprecedented surge in data breaches last year, affecting a staggering 116 million patients, as reported by STAT

This significant increase is primarily attributed to the rise in hacking and IT incidents, more than doubling the impact compared to the preceding year, prompting a plea for strengthened cybersecurity measures to safeguard patient information. 

The concerning trend goes beyond data breaches, as evidenced by surpassing the record-breaking breaches of 2015 last year, impacting over 112 million individuals. The current year continues to witness a worrisome escalation, with numerous health organizations reporting breaches related to hacking or IT incidents. 

A recent incident at Chicago's Saint Anthony Hospital, involving an "unknown actor" copying patient data, further underscores the vulnerabilities in the healthcare sector. Ransomware attacks have surged, fueled by the widespread adoption of connected medical devices, cloud services, and remote work systems. 

John Riggi, the American Hospital Association's national cybersecurity and risk advisor, highlights the national security implications of these attacks, advocating for heightened cybersecurity measures. Riggi condemns attacks on children's hospitals, considering it a "new low" that directly impacts vulnerable patients. 

Nitin Natarajan from the federal Cybersecurity & Infrastructure Security Agency notes that health organizations are viewed as "target rich, cyber poor," making them attractive targets for adversaries. The broader spectrum of cybersecurity threats extends beyond healthcare, as FBI Director Christopher Wray alerts Congress to state-sponsored Chinese hackers targeting U.S. infrastructure. 

However, there is currently no indication that the Lurie incident is related to such a national security threat. The healthcare sector is now at a pivotal moment, necessitating immediate and robust responses to mitigate the growing risks posed by cyber threats.
Read more »
Ransom
Bank fraud Cyber Insurance Cyber Security Cyberattacks FBI Information Technology Insurance Policy Ransom

Cybersecurity Nightmare: A Bank's Dilemma – To Pay or Risk It All

 


Schools, hospitals, and other institutions need to take more precautions to prevent cybercrimes from disrupting operations and putting people's data and safety at risk. As part of a congressional hearing held on Wednesday in Washington, DC, a familiar face among the Navarro and Judson school districts testified about how this issue is affecting individual children. 

In the event of a major cyberattack taking place, the possibility of a bank's failure is not too remote. The number of cyberattacks against financial institutions has risen significantly since 2006, and the number of attacks is expected to continue to rise shortly.  

As a result of the increasing risk of cyberattacks, and their potential impact on banks, financial institutions and the government are the top concerns when it comes to cyberattacks. Financial institutions are 300 times more likely to experience them than other institutions. 

As part of a joint hearing of two committees of the House Committee on Oversight and Accountability, Gosch offered a rare view into how institutions faced with ransomware threats are coping with these increasingly common attacks. As Gosch and Judson Independent encountered, a wide range of institutions are facing the same dilemma, not the least of which are banks as they have become disproportionately attractive targets for cybercriminals searching for ransomware. 

The US credit bureaus have reported that at least 15 banks and credit unions have reported that ransomware groups have stolen customer information from them this summer. Several reports have been made recently by cyber security consortiums that offer security services to banks that frequently refer to ransomware as a major concern. 

According to the district's Assistant Superintendent of Technology, the Judson Independent School District in San Antonio, Texas, which has approximately 30,000 students and staff, was attacked by adversaries using ransomware in June 2021, but no state or federal agency ever visited or offered assistance for regaining access to school resources after the attack.  

On Sept. 27, Lacey Gosch, the chairwoman of the House Oversight Subcommittee, urged lawmakers not only to restore budgets for school libraries, but also to increase funding for cyberattack mitigation, data protection, and equipment upgrades. It was also recommended that formal programs be developed within schools to help with school cybersecurity recovery and mitigation. 

It was also reported that a witness from the University of Vermont Medical Center – which suffered from a ransomware attack in October of 2020 – was present at the joint hearing of the House Oversight Committees on Cybersecurity, Information Technology, Government Innovation, Economic Growth, Energy Policy, and Regulatory Affairs. 

As Stephen Leffler, the president of the medical centre, said during the hearing, it was by far much more difficult for his staff to deal with the cyberattack than what they had to deal with during the COVID-19 pandemic, which affected the entire area. As a result of the attack, the hospital was taken offline for 28 days and the organization had to pay 65 million dollars for the incident. 

The Pros and Cons of Paying Ransoms 


Gosch's story is a cautionary tale that illustrates the stakes banks face when trying to prevent and mitigate ransomware attacks as the threat of ransomware for banks continues to grow and the threat of ransomware is growing. 

Moreover, showing banks the dilemma they are facing when receiving a ransom note in the wake of an attack, serves as an illustration of the difficulty they face. As a result, the FBI claims that paying the ransom encourages perpetrators to target more victims and increases the likelihood that other individuals will engage in this type of criminal activity. 

The biggest problem with a ransom payment is that it does not even guarantee that the data has been deleted. It was not until 12 days after being informed of the ransomware attack that Judson Independent negotiated a ransom with the ransomware actors, on Gosch's 34th day at the company. 

In exchange for the promise, but not the guarantee, that the hackers would delete the stolen data, Judson Independent paid a negotiated ransom of $547,000 to them. It was a difficult decision for Gosch, but he felt it was necessary to protect his constituents, even though it was difficult. 

There is an insurance policy available to the district against cyber-attacks, but it is primarily for attorneys' fees, data mining, and identity protection. "The insurance does not cover ransom payments or the costs of upgrading to mitigate damage to the system," Gosch stated. Cyber insurance coverage for ransom payments is a hot topic among experts.  

There has been some controversy about it. It has been reported, however, by the Royal United Services Institute, a London-based think tank, that cyber insurance providers do sometimes cover ransom payments. Despite this, according to the institute, there is no evidence that victims with cyber insurance are significantly more likely to pay ransom than victims without cyber insurance. 
Read more »
Vulnerabilities and Exploits
BBA Clop Ransomware Cyberattacks CyberCrime Cybersecurity malware MOVEit Ransom Ransomware Software Security Technical Security Vulnerabilities and Exploits

Security in the Software Sector: Lessons Learned from the MOVEit Mass Hack

 


MOVEit's mass hack into its system will likely be remembered as one of the most damaging cyberattacks in history, and it is expected to make history. 

An exploit in Progress Software's MOVEit managed file transfer service was exploited by hackers to gain access to customers' sensitive data through SQL commands injected into the system. The MOVEit service is used by thousands of organizations to secure the transfer of large amounts of sensitive files. 

There was a zero-day vulnerability exploited in the attack, which meant Progress was not aware of the flaw and was not able to patch it in time, which essentially left Progress' customers without any defence from the attack. 

There has been a public listing of alleged victims of the hacks started by the Russia-linked Clop ransomware group since June 14, the group that claimed responsibility for the hacks. Banks, hospitals, hotels, energy giants, and others are all included in the growing list of companies affected, part of a campaign being conducted in an attempt to pressure victims into paying ransom demands so that their information will not be breached online. 

The company Clop announced in a blog post this week that it will release the "secrets and data" of all victims of MOVEit who refused to negotiate with Clop on August 15. There had been similar hacks targeting the file-transfer tools of Fortra and Acellion earlier in the year as well; it was unlikely that this was Clop's first mass hack. 

The latest Emsisoft statistics indicate that more than 40 million people have been affected by the MOVEit hack, according to Emsisoft's latest statistics. Since the hacks started almost a year ago, those numbers have continued to increase almost daily. 

"Without being able to assess the depth and scope of the damage, at this point, there is no way to make an informed guess," Brett Callow, a ransomware expert and threat analyst at Emsisoft, told TechCrunch+. "We do not yet know how many organizations were affected and what data was compromised.” 

There is no doubt that around a third of those known victims have been affected by third parties, and others are impacted by vendors, subcontractors, and other third parties. According to him, because of this complexity, it's very likely that some organizations that may have been affected aren't aware that they have been affected, and that's what makes it so irreparable. 

While this hack had an unprecedented impact because of its scale, its methodology isn't new and there's nothing innovative about the way it was executed. In recent years, supply chain attacks have become more prevalent as a result of zero-day flaws being exploited by adversaries, and one exploit can potentially affect hundreds if not thousands, of customers due to the potential for the release of a zero-day vulnerability. 

Taking action now to prevent the threat of a mass hack should be as critical for organizations as anything else they can do. 

Recovering From the Disaster 


When you have been the victim of a hack, it may seem like the damage has already been done and there is no way to recover from it. Even though it can take months or years to recover from an incident like this, and many organizations are likely to be affected by it, they need to act quickly to understand not only which type of data was compromised, but also their possible violations of compliance standards or laws governing data privacy. 

Demands For Ransom


"Supply-chain attacks" are what is referred to as the hack in question. Initially, the news was announced in November last year when Progress Software revealed hackers had managed to infiltrate its MOVEit Transfer tool using a backdoor. 

In an attempt to gain access to the accounts of several companies, hackers exploited a security flaw in the software. Even organizations that do not use MOVEit themselves are affected by third-party arrangements because they do not even use MOVEit themselves. 

It has been understood by the company that uses Zellis that eight companies are affected, many of them airline companies such as British Airways and Aer Lingus, as well as retailers like Boots that use Zellis. It is thought that MOVEit is also used by a slew of other UK companies. 

A hacker group linked to the ransomware group Clop has been blamed for the hack. It is believed to be based out of Russia, but the hackers could be anywhere. As a consequence, they have threatened to publish data of companies that have not emailed them by Wednesday, which is the deadline for beginning negotiations. 

As the BBC's chief cyber correspondent Joe Tidy pointed out, the group has a reputation for carrying out its threats, and organizations in the next few weeks may find their private information published on the gang's dark website. 

The information told me that there is a high probability that if a victim does not appear on Clop's website then they may have signed up for a ransom payment by the group in which they may have secretly paid it, which can range from hundreds of thousands to millions of dollars. 

The victims are always advised not to pay to prevent the growth of this criminal enterprise as paying can fuel the growth of this malicious enterprise, and there is no guarantee that the hackers will not use the data for a secondary attack. 

When such a massive breach like MOVEit Mass Hack occurs, it is highly challenging to recover data from such an event, which requires meticulous efforts to identify the extent of the compromised data, and any potential compliance violations, as well as violations of local privacy laws. 

Many articles warn that paying ransom demands is not a guarantee that a cybercriminal will not come after you in the future, and will not perpetuate the criminal enterprise. MOVEit Mass Hack can be viewed as an example of a cautionary tale about the software sector that shouldn't be overlooked. A key aspect of this report is the emphasis it places on cybersecurity strategies and supply-chain vigilance so that the effects of cyber threats can be mitigated as quickly as possible.
Read more »
zero Day vulnerability
CLOP Clop Ransomware Data Evade Detection Extortion MOVEit Ransom Ransomware Safety Security zero Day vulnerability

Clop Ransomware Adopts Torrents for Data Leaks in Effort to Evade Detection

 

The Clop ransomware group has once again adjusted its tactics for extortion, now employing torrents to disseminate stolen information obtained from MOVEit attacks. 

Beginning on May 27th, the Clop ransomware syndicate initiated a series of data theft assaults by exploiting a zero-day vulnerability within the MOVEit Transfer secure file transfer system. Exploiting this flaw enabled the hackers to pilfer data from nearly 600 global organizations, catching them off guard.

On June 14th, the ransomware group commenced their extortion endeavors by gradually unveiling victims' names on their Tor-based data leak site and eventually making the files public. 

Nevertheless, the use of a Tor site for data leakage had limitations due to sluggish download speeds, which curtailed the potential damage of the leak.

In a bid to overcome these issues, the Clop group established clearweb sites to release stolen data from some of the victims of the MOVEit data theft. However, this approach was susceptible to being dismantled by authorities and companies. In response, the group has turned to torrents as a new method for disseminating the stolen data from the MOVEit breach.

This novel approach was identified by cybersecurity researcher Dominic Alvieri. The Clop ransomware gang has developed torrents for twenty victims, including well-known entities like Aon, K & L Gates, Putnam, Delaware Life, Zurich Brazil, and Heidelberg. 

In the fresh extortion strategy, Clop has established a new Tor site that provides guidance on using torrent clients to download the leaked information. They have also included lists of magnet links for the twenty affected parties.

Torrents leverage peer-to-peer transfers among different users, resulting in faster transfer speeds compared to traditional Tor data leak sites. Testing by BleepingComputer demonstrated improved data transfer speeds, reaching 5.4 Mbps, even when seeded from a single IP address in Russia. 

Additionally, this distribution technique is decentralized, making it difficult for law enforcement to shut down. Even if the original seeder is taken offline, a new device can take over seeding duties.

Should this approach prove effective for Clop, it's likely they will continue to utilize it due to its ease of setup, lack of need for a complex website, and the potential for wider distribution of stolen data, which could place more pressure on victims. 

Coveware has estimated that the Clop gang could amass between $75 million and $100 million in extortion payments. This projection is not solely due to numerous victims paying, but rather a small number of companies being persuaded to pay substantial ransom amounts. Whether the use of torrents will contribute to more payments remains uncertain; however, given the substantial earnings, the outcome may be inconsequential.
Read more »
User Security
Cyber Attacks Cyber Safety Data Leak Data Privacy Ransom Research School Targets Schools Student Data User Data User Safety User Security

Schools: Prime Targets for Hackers Amid Poor Cybersecurity and Ransom Payments

 

New data indicates that school districts have become highly susceptible to online exploitation, emerging as the primary target for hackers. According to a recent global survey conducted by the British cybersecurity company 

Sophos, a staggering 80% of schools experienced ransomware attacks last year, representing a significant increase from the 56% reported in 2021. This doubling of the victimization rate over two years has led researchers to label ransomware as the most significant cyber risk faced by educational institutions today.

Comparing various industries, schools fared the worst in terms of victimization rates, surpassing even sectors like healthcare, technology, financial services, and manufacturing. 

The survey, which included responses from 400 education IT professionals worldwide, revealed that United States institutions are particularly attractive targets for hacking groups, especially since the events surrounding Russia's invasion of Ukraine.

Two factors have made schools especially vulnerable to cyber threats in the United States. First, the cybersecurity measures in educational settings often lag behind those in major businesses, such as banks and technology companies. Second, schools prove to be easy targets for exploitation due to their willingness to pay ransoms. 

Last year, nearly half of the attacks on schools resulted in ransom payments, further enticing threat actors. Unfortunately, this combination of weak defenses and a readiness to pay has made schools a "double whammy" for hackers, according to Chester Wisniewski, the field chief technology officer of applied research at Sophos.

The motivation to pay ransoms seems to be influenced by insurance coverage. In districts with standalone cyber insurance, 56% of victims paid the ransom, while those with broader insurance policies covering cybersecurity saw a payment rate of 43%. Insurance companies often cover ransom demands, giving them significant sway over which districts comply with the extortion demands.

Elder, a school representative, acknowledges the difficult decisions schools face when dealing with ransomware attacks. While it is essential to safeguard confidential information and protect people, the pressure to manage resources and finances can make the choice challenging.

Ultimately, the data suggests that schools must prioritize and strengthen their cybersecurity practices to avoid falling prey to hackers and ransom demands. 

Relying on insurance alone may not provide a comprehensive solution, as hackers continue to exploit vulnerabilities, and insurance companies struggle to keep pace with evolving threats.
Read more »
Security
Cyber Attacks Data Data Safety data security Ransom Ransomware Safety Security

Inside the World of Ransomware Negotiations: From Colonial Pipeline to JBS

 

In January 2021, JBS, the world's largest meat-processing company, revealed that it paid a ransom of $11 million in Bitcoin to cyber attackers. 

Similarly, in May of the same year, Colonial Pipeline, the largest refined-products pipeline in the U.S., experienced a severe cyber attack, leading to the company shutting down operations and freezing its IT systems. To restore operations, Colonial Pipeline paid a ransom of $4.4 million in Bitcoin.

What linked both incidents was the use of ransomware. Ransomware is a type of malware designed to deny users access to their data, with attackers demanding a ransom in exchange for restoring access.

Despite reports of a decrease in ransomware attacks in 2022, a Statista survey showed that 71% of companies worldwide were affected by ransomware that year, with the average ransom payment reaching $925,162. Now, in 2023, there is a resurgence of ransomware attacks, as reported by security company Black Kite.

The negotiation tactics for ransom payments are seldom reported in the news due to law enforcement agencies like the FBI and Cybersecurity and Infrastructure Security Agency strongly advising against paying ransoms. However, many organizations still choose to pay the ransom as they consider it the quickest way to recover their systems.

The process of ransom payments involves the attackers dictating the communication and payment channels, often utilizing cryptocurrencies like Bitcoin for their anonymity and speed. 

Ransomware attackers typically exploit the sensitive data they have encrypted to put pressure on affected organizations during negotiations. Negotiators might assume different personas, even pretending to be empathetic and building a rapport with attackers to secure the best deal possible.

The recovery of ransom payments can be challenging, but it is not impossible. In some cases, law enforcement agencies have successfully followed the money trail in cryptocurrency wallets to recover part of the ransom. However, tracing illicit ransom payments remains costly and time-intensive.

While paying a ransom might lead to data recovery, it does not guarantee full restoration, and organizations often remain vulnerable to subsequent attacks from the same threat actors.

Banning ransom payments entirely might not solve the problem, as some situations may warrant paying the ransom, such as critical infrastructures being affected.

The battle against ransomware requires cooperation between the private sector and government agencies. The government's involvement is crucial in intelligence gathering and threat mitigation, as cyber attackers constantly evolve their tactics.

Regulatory compliance also plays a significant role in cybersecurity at the national level, setting the tone for security measures in the private sector.

The U.S. government's National Cyber Strategy aims to hold private companies responsible for cybersecurity, emphasizing their role in cybersecurity efforts and engaging the private sector in disruption activities through scalable mechanisms.

It remains to be seen how these strategies will unfold, but tapping into offensive cyber talent could potentially enhance America's defensive and offensive cyber capabilities significantly.
Read more »
Ransomware Gang
Cyber Crime Data Backup Data Recovery Online Security Ransom Ransomware Gang

Backups can be Quicker and Less Expensive than Paying the Ransom

 

Ransomware operators want to spend as little time as possible within your systems, which means the encryption they use is shoddy and frequently corrupts your data. 

As a result, paying ransoms is typically a more expensive chore than simply refusing to pay and working from our own backups. That is the perspective of Richard Addiscott, a senior director analyst at Gartner. 

"They encrypt at an extremely fast rate," he said on Monday at the firm's IT Infrastructure, Operations, and Cloud Strategies Conference 2023 in Sydney. "They encrypt faster than you can run a directory listing."

Therefore, ransomware creators use poor encryption techniques and end up losing some of the data they later try to sell you. If ransomware operators deliver all the data they claim, Addiscott said, it is not simple to restore from corrupt data dumps delivered by criminals. Many people don't; instead, they start a new round of discussions regarding the cost of more releases by demanding a ransom. 

According to him, just 4% of ransomware victims actually manage to get all of their data back. Only 61 percent actually retrieve any data. Additionally, the average disruption to a victim's business is 25 days. 

Addiscott proposed that organisations design and practise ransomware recovery playbooks to shorten the period. Securing funding to prepare for a speedy post-ransomware recovery requires couching the risk in business terms rather than IT terms. 

According to Addiscott, the themes that are likely to release the purse strings are revenue protection, risk reduction, and cost control. Although he shook his head as he recalled instances when business leaders authorised enormous and speedy ransom payments that dwarfed the denied investments that may have rendered them unnecessary. 

He advised good preparation because ransomware crooks have figured out one technique to speed up stalled payment negotiations: whacking their victims with a DDoS attack, so they're battling two fires at once, and are thus willing to pay to make at least one problem go away. 

Ransomware operators also like to double-dip by demanding payment from the organisations whose data they have stolen, then mining the data to locate new targets. Addiscott mentioned an attack on a healthcare provider in which clients were confronted with a payment demand or their medical records will be revealed. 

Customers identified in a stolen data heist may be targeted with the suggestion that they notify suppliers that they want payments made in order to reduce the risk of their data being disclosed. Immutable backups and an isolated recovery environment, according to Addiscott, are a good combination of defences. 

However, he also stated that the people behind ransomware are brilliant, vicious, inventive, and relentless, so they will find new and even more nefarious ways to strike. 

The analyst did have one piece of good news: there would be a 21% decrease in ransomware attacks in 2022 compared to 2021. He hypothesised that the decline was caused by sanctions making it more difficult for Russian-based ransomware groups to operate.
Read more »
Subscribe to: Posts (Atom)