Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Ransomware. Show all posts
VMware ESXi
Cyber Attacks Linux Ransomware VMware VMware ESXi

Play Ransomware Group is Targeting VMWare ESXi Environments

 

Play ransomware is the latest ransomware gang to launch a specific Linux locker for encrypting VMware ESXi virtual machines. Trend Micro, whose analysts discovered the new ransomware variation, claims the locker is designed to verify whether it is operating in an ESXi environment before executing and can bypass detection on Linux systems.

"This is the first time that we've observed Play ransomware targeting ESXi environments," Trend Micro stated. "This development suggests that the group could be broadening its attacks across the Linux platform, leading to an expanded victim pool and more successful ransom negotiations."

This has been a well-known trend for years, with most ransomware organisations turning their focus to ESXi virtual machines after companies started using them for data storage and critical application hosting due to their far more effective resource management. Taking down an organization's ESXi VMs will cause significant business disruptions and outages, whereas encrypting files and backups severely limits the victims' ability to restore compromised data.

While examining this Play ransomware sample, Trend Micro discovered that the ransomware gang leverages URL-shortening services provided by a threat actor known as Prolific Puma. 

After successfully launching, Play ransomware Linux samples will search and power down all VMs discovered in the compromised environment before encrypting files (e.g., VM disc, configuration, and metadata files), inserting the.PLAY extension to the end of each file. According to Trend Micro, the encryptor will execute a specific code to shut down all running VMware ESXi virtual machines so that they can be encrypted. 

The Play ransomware emerged in June 2022, with the first victims seeking help in BleepingComputer forums. Its operators are infamous for stealing sensitive information from compromised devices, which they then use in double-extortion attempts to force victims into paying a ransom under the threat of releasing the stolen data online.

Rackspace, the City of Oakland in California, Arnold Clark, the Belgian city of Antwerp, and Dallas County are among the high-profile victims of the Play ransomware. In December, the FBI issued a joint advisory with CISA and the Australian Cyber Security Centre (ACSC) warning that the ransomware group had penetrated about 300 organisations worldwide until October 2023.
Read more »
Smishing Scam
Automotive Industry Cyber cyber attack IRS phishing Ransomware Smishing Scam

IRS Warns Car Dealers of New Phishing and Smishing Threats


 

The Internal Revenue Service (IRS) has issued an urgent warning to car dealers and sellers across the United States, highlighting a surge in sophisticated phishing and smishing scams targeting the automotive industry. These cyber threats pose a significant risk to the daily operations of businesses, potentially leading to severe disruptions.

The warning follows a recent ransomware attack on CDK Global, a software provider for car dealerships. This cyberattack affected approximately 15,000 dealerships nationwide, crippling their scheduling, sales, and order systems. Some dealers were forced to revert to manual processes to continue their operations. In response to the attack, CDK Global reportedly paid a $25 million ransom to regain control of their systems.

According to the IRS, scammers are increasingly impersonating the agency to extract sensitive financial and personal information. These fraudulent communications often come in the form of emails or text messages, urging recipients to click on suspicious links, download malicious files, or provide confidential details. The IRS emphasised that such tactics are a "favourite" among cybercriminals.


Recommendations for Protection

To safeguard against these scams, the IRS provided several recommendations for both businesses and individuals:

1. Stay Alert to Fake Communications: Be cautious of unsolicited messages that appear to come from legitimate organisations, friends, or family. These messages may impersonate banks or other financial entities to deceive recipients into clicking harmful links.

2. Avoid Clicking Unsolicited Links: Never click on links in unsolicited emails or text messages, as they may lead to identity theft or malware installation.

3. Verify the Sender: If you receive a suspicious message, verify its authenticity by contacting the sender through a different communication method. Do not use contact information provided in the unsolicited message.

4. Do Not Open Attachments: Avoid opening attachments in unsolicited emails, as they can contain malicious code that can infect your computer or mobile device.

5. Delete Suspicious Emails: To prevent potential harm, delete any unsolicited emails immediately.


Vigilance is Key

The IRS stressed the importance of vigilance in the face of these evolving cyber threats. By following the recommended precautions, car dealers and sellers can reduce their risk of falling victim to phishing and smishing scams. As cybercriminals continue to refine their tactics, staying informed and cautious remains crucial for protecting sensitive information and maintaining business continuity.


Read more »
Technology
Energy Oil ransom payments Ransomware Technology

Securing the Grid: How Ransomware is Targeting Energy and Oil Sectors


According to a new analysis from cybersecurity firm Sophos, ransomware attacks are hitting the energy and oil and gas sectors harder, costing utilities more in recovery time and money as victims appear to be more inclined to pay ransom demands.

Ransomware Attacks: A Growing Threat

The report examines ransomware's impact on critical infrastructure firms and is based on more than 200 responses from a larger survey of 5,000 cybersecurity and IT leaders conducted in January and February. Sophos reported that the global ransomware attack rate appears to be decreasing. Still, researchers discovered that recovery times for energy, oil and natural gas, and utilities have been gradually growing since at least 2022.

This slowness could represent the increased complexity and severity of attacks, needing more recovery labor. According to the paper, this also implies a rising lack of recovery planning.

Vulnerabilities in the Energy Sector

According to the report, more than half of energy, oil and gas, and utility ransomware victims required more than a month to recover, up from 19% in 2022.

The Biden administration has spent recent months warning about Chinese-backed infiltrations into sensitive civilian and military critical infrastructure. Security officials have stated that the "Volt Typhoon" hackers may attempt to impair essential infrastructure serving people to influence public opinion as tensions rise in Taiwan. 

Researchers cautioned that cyberattacks on IT infrastructure, such as bill payment systems, can influence operations and services, implying that even if an attack solely impacts the IT side of the business, key functions such as energy generation and transmission may be affected.

"There's a preponderance of older technologies configured to enable remote management without modern security controls like encryption and multifactor authentication," Chester Wisniewski, global field chief technology officer at Sophos, said in a news statement. "Like hospitals and schools these utilities are frequently operating with minimal staffing and without the IT staffing required to stay on top of patching, the latest security vulnerabilities, and the monitoring required for early detection and response."

The Cost of Ransomware Attacks

As reported by Sophos, nearly half of all successful assaults were caused by an unpatched or untreated vulnerability, with compromised credentials accounting for slightly more than a quarter. According to the researchers, the energy, oil and gas, and utilities sectors are the "most likely to fall victim to the exploitation of unpatched vulnerabilities."

Furthermore, that same group is more inclined to pay a ransom to restore encrypted data rather than relying on backups.

According to the report, this is the first time that energy, oil/gas, and utility firms have reported a higher propensity to pay the ransom rather than employ backups.

The Rising Tide of Ransomware

While the survey highlights how ransomware remains one of the most disruptive to critical infrastructure operations, the general lack of information in the larger threat picture due to low reporting rules suggests that the true cost of ransomware could be significantly greater. 

The Cybersecurity and Infrastructure Security Agency is now working on a rulemaking process that will require many critical infrastructure businesses to report significant cyber events, with the final rule likely early next year.

Read more »
United Health
Data Extortion Healthcare Privacy Ransomware United Health

The Financial Fallout of UnitedHealth’s Ransomware Attack


A $2.3 Billion Lesson

The recent ransomware attack on UnitedHealth Group serves as a stark reminder of the vulnerabilities that even the largest corporations face. The attack, which has resulted in costs soaring to at least $2.3 billion, underscores the severe financial and operational impacts of cyber threats. 

The health insurance company revealed the estimate in its second-quarter earnings report on Tuesday. The $2 billion cost estimate is based on the millions UnitedHealth has already spent to restore its systems following the attack, which caused a severe outage in February.

The Attack and Immediate Response

UnitedHealth Group, a leading healthcare and insurance provider, fell victim to a sophisticated ransomware attack. The attackers encrypted critical data and demanded a ransom for its release. Despite the company’s robust cybersecurity measures, the breach highlighted gaps that were exploited by the cybercriminals.

In response to the attack, UnitedHealth made the difficult decision to pay a $22 million ransom. While this payment was significant, it represents only a fraction of the total costs incurred. The immediate priority was to restore systems and ensure the continuity of services for millions of customers who rely on UnitedHealth for their healthcare needs.

The Broader Financial Impact

System Restoration: Restoring encrypted data and rebuilding IT infrastructure required substantial investment. This process involved not only technical recovery but also ensuring that systems were secure against future attacks.

Lost Revenue: During the period of disruption, UnitedHealth experienced significant revenue losses. The inability to process claims, manage patient data, and provide timely services had a direct impact on the company’s financial performance.

Operational Costs: Additional costs were incurred in the form of overtime pay for employees working to mitigate the attack’s effects, hiring external cybersecurity experts, and implementing enhanced security measures.

Legal and Regulatory Expenses: Navigating the legal and regulatory landscape post-attack added another layer of costs. Compliance with data protection regulations and managing potential lawsuits required extensive legal resources.

Customer Support Initiatives: To maintain customer trust, UnitedHealth launched several support initiatives. These included offering free credit monitoring services to affected individuals and setting up dedicated helplines to address customer concerns.

Lessons Learned and the Path Forward

The ensuing disruption also hindered UnitedHealth from completing medical prescriptions, resulting in a revenue loss, according to the company's earnings report. 

In Q1, UnitedHealth predicted that the ransomware assault would cost the company between $1 billion and $1.2 billion. However, in Tuesday's results release, the business raised its forecasts to more over $2 billion, citing the need to pay for "financial support initiatives and consumer notification costs," which include providing loans and funds to affected hospitals and pharmacies.

In the second quarter alone, UnitedHealth incurred "$1.1 billion in unfavorable cyber attack effects," according to the business. 

UnitedHealth is still recovering from the ransomware attack, while the "majority" of its IT systems have been restored. Furthermore, multiple class-action lawsuits have been brought against UnitedHealth for failing to protect patient information. As a result, the ransomware attack's costs to the organization may continue to rise.

Read more »
Technology
Critical Infrastructure Ransom Payment Ransomware Sophos Technology

How Ransomware is Draining Resources from Critical Infrastructure

How Ransomware is Draining Resources from Critical Infrastructure

The Rising Cost of Ransomware Attacks on Critical Infrastructure

The costs of ransomware attacks on critical national infrastructure (CNI) firms have soared over the last year.

According to Sophos' newest numbers, which were revealed today, the typical ransom payment increased to $2.54 million, more than 41 times last year's total of $62,500. The mean payment for 2024 is considerably greater, at $3.225 million, representing a less dramatic 6-fold rise.

IT, technology, and telecoms were the least likely to pay large sums to hackers, with an average payment of $330,000, but lower education and federal government organizations reported the highest average payments of $6.6 million.

The figures are based solely on ransomware victims who were willing to reveal the specifics of their mistakes, thus they do not provide the full picture.

The Escalating Financial Burden

Only 86 of the 275 CNI organizations surveyed provided statistics on ransom payments. There's a significant risk that the results would be distorted if all of the CNI ransomware victims polled were completely upfront with their information.

Costs to recover from ransomware attacks have also increased dramatically since the researchers' findings last year, with some CNI industries' costs quadrupling to a median average of $3 million per event.

The Impact on Critical Infrastructure

According to the report, only one in every five people were able to recover in a week or less, down from 41 percent the previous year and 50 percent the year before that. The percentage of victims who take more than a month to recuperate has also increased to 55%, up from 36% last year. 

Sophos stated in its analysis that this could be due to attacks getting more sophisticated and complicated, requiring more work from the IT team to effectively repair all of the damage caused by the crimes. However, the vendor's global field CTO, Chester Wisniewski, believes the industries should reevaluate their propensity to pay ransoms.

Read more »
Ransomware
Malware. Scattered Spider Microsoft Qilin Ransomware

How Microsoft Connected Scattered Spider to Qilin Ransomware

How Microsoft Connected Scattered Spider to Qilin Ransomware

The Rising Threat of Scattered Spider and Qilin Ransomware

One of the latest and most concerning developments is the link between the notorious Scattered Spider cybercrime gang and the Qilin ransomware attacks. This connection, recently highlighted by Microsoft, underscores the growing sophistication and danger posed by these cyber criminals.

Who is Scattered Spider?

Scattered Spider, also known as Octo Tempest, is a cybercrime group that has been active in various malicious activities. They are known for their advanced tactics and persistent efforts to breach security defenses. Their operations have been marked by a high degree of organization and technical prowess, making them a formidable adversary in the cybersecurity world.

“In the second quarter of 2024, financially motivated threat actor Octo Tempest, our most closely tracked ransomware threat actor, added RansomHub and Qilin to its ransomware payloads in campaigns,“ said Microsoft.

The Qilin Ransomware

Qilin ransomware is a relatively new addition to the arsenal of cyber threats. Ransomware, in general, is a type of malicious software designed to block access to a computer system or data until a ransom is paid. 

Qilin ransomware follows this pattern but has enhanced capabilities, making it particularly dangerous. It encrypts files on the victim’s system, rendering them inaccessible, and demands a ransom for the decryption key.

The Connection

Microsoft’s recent findings have linked Scattered Spider to the deployment of Qilin ransomware in their attacks. This connection is significant for several reasons. Firstly, it indicates that Scattered Spider continuously evolves its tactics and tools to stay ahead of cybersecurity defenses. By incorporating Qilin ransomware into their operations, they have added a potent weapon to their formidable arsenal.

Secondly, this link highlights the increasing collaboration and resource-sharing among cybercriminal groups. The use of Qilin ransomware by Scattered Spider suggests that these groups are not working in isolation but are instead leveraging each other’s tools and techniques to maximize their impact.

The Impact

The impact of these attacks can be devastating. Ransomware attacks, in general, can lead to significant financial losses, operational disruptions, and reputational damage for the affected organizations. The involvement of a sophisticated group like Scattered Spider only amplifies these risks. 

Their ability to breach security defenses and deploy advanced ransomware like Qilin means that no organization is safe from their reach.

Read more »
Ransomware
AI Black Basta Cyber Security Cyber Threats DDoS Ransomware

Are We Ready for the Next Wave of Cyber Threats?



In our increasingly digital world, cybersecurity is a growing concern for everyone— from businesses and governments to everyday individuals. As technology advances, it opens up exciting possibilities and creates new, sophisticated cyber threats. Recent high-profile attacks, like those on Ascension and the French government, show just how damaging these threats can be.

Cybercriminals are always finding new ways to exploit weaknesses. According to Cybersecurity Ventures, global cybercrime damages could hit $10.5 trillion a year by 2025. This huge number highlights why strong cybersecurity measures are so important.

One major evolution in cyber threats is seen in ransomware attacks. These attacks used to be about locking up data and demanding a ransom to unlock it. Cybercriminals also steal data and threaten to release it publicly, which can disrupt businesses and ruin reputations. For example, in May, the Black Basta group attacked Ascension, the largest non-profit Catholic health system in the U.S., disrupting operations in its 140 hospitals and affecting patient care.

Supply chain attacks are another big concern. These attacks target vulnerabilities in the network of suppliers and partners that businesses rely on. This makes securing the entire supply chain crucial.

Cybercriminals are also using artificial intelligence (AI) to make their attacks more powerful. Examples include DeepLocker, a type of AI-powered malware that stays hidden until it reaches its target, and deepfake scams, where AI creates fake videos or audio to trick people into transferring money. AI-driven malware can change its behaviour to avoid detection, making it even more dangerous.

Distributed denial-of-service (DDoS) attacks are another serious threat. These attacks flood a website or network with so much traffic that it can’t function. In March 2024, a massive DDoS attack targeted over 300 web domains and 177,000 IP addresses linked to the French government, causing major disruptions.

Building a Strong Cybersecurity Defense

To fight these evolving threats, businesses need to build strong cybersecurity defenses. One effective approach is the zero-trust model, which means every access request is verified, no matter where it comes from. Key parts of this model include multi-factor authentication (MFA), which requires more than one form of verification to access systems, and least privilege access, which ensures users only have access to what they need to do their job.

Advanced monitoring tools are also essential. Security information and event management (SIEM) systems, combined with AI-driven analytics, help detect and respond to threats in real time by providing a comprehensive view of network activities.

Human error is a major vulnerability in cybersecurity, so employee training and awareness are crucial. Regular training programs can help employees recognise and respond to threats like phishing attacks, creating a culture of security awareness.

The Role of AI in Cybersecurity

While AI helps cybercriminals, it also offers powerful tools for defending against cyber threats. AI can analyse vast amounts of data to spot patterns and anomalies that might indicate an attack. It can detect unusual behaviour in networks and help security analysts respond more quickly and efficiently to threats.

AI can also identify and mitigate insider threats by analysing user behaviour and spotting deviations from typical activity patterns. This helps strengthen overall security.

The future of cybersecurity will involve constant innovation and adaptation to new challenges. AI will play a central role in both defence and predictive analytics, helping foresee and prevent potential threats. Ethical considerations and developing frameworks for responsible AI use will be important.

Businesses need to stay ahead by adopting new technologies and continuously improving their cybersecurity practices. Collaboration between industries and with government agencies will be crucial in creating comprehensive strategies.

Looking to the future, we need to keep an eye on potential threats and innovations. Quantum computing promises new breakthroughs but also poses a threat to current encryption methods. Advances in cryptography will lead to more secure ways to protect data against emerging threats.

As cyber threats evolve, staying informed and adopting best practices are essential. Continuous innovation and strategic planning are key to staying ahead of cybercriminals and protecting critical assets.


Read more »
Threat actors
Akira Ransomware Cyber Attacks Data Exploit Ransomware Threat actors

Akira Ransomware: The Need for Rapid Response

Akira Ransomware: The Need for Rapid Response

Threat actors wielding the Akira ransomware demonstrated unprecedented efficiency in a recent cyber attack that sent shockwaves through the cybersecurity community. 

Their lightning-fast data exfiltration took just over two hours, representing a dramatic shift in the average time it takes a cybercriminal to go from first access to information exfiltration and leaving organizations scrambling to respond. Let’s delve into the details of this alarming incident.

Attack Overview

The victim in this case was a Latin American airline. The attackers exploited a vulnerability in their infrastructure, emphasizing the importance of robust security measures for critical industries. They gained entry through an unpatched Veeam backup server, leveraging the Secure Shell (SSH) protocol. Veeam servers are attractive targets due to their tendency to store sensitive data and credentials.

The BlackBerry Threat Research and Intelligence Team has revealed a summary of a June Akira ransomware assault against a Latin American airline. According to BlackBerry's anatomy of the attack, the threat actor acquired first access via an unpatched Veeam backup server and promptly began stealing data before installing the Akira ransomware the next day.

Swift Data Exfiltration

Within a remarkably short timeframe, the threat actors exfiltrated data from the Veeam backup folder. This included documents, images, and spreadsheets. The speed of their operation highlights the need for proactive security practices.

The Culprit: Storm-1567

Storm-1567, a notorious user of the Akira ransomware-as-a-service (RaaS) platform, is the likely perpetrator. Known for double-extortion tactics, Storm-1567 has targeted over 250 organizations globally since emerging in March 2023.

Technical Insights

1. Legitimate Tools and Utilities

The attackers demonstrated technical prowess by using legitimate tools and utilities during the attack. These tools allowed them to:

  • Conduct reconnaissance to identify valuable data.
  • Establish persistence within the compromised network.
  • Efficiently exfiltrate sensitive information.
2. Escalation from Initial Access to Data Theft

Storm-1567’s ability to escalate from initial access to data theft in such a short span underscores their expertise. Organizations must prioritize timely patching and secure backup systems to prevent similar incidents.

Key Takeaways

Patch Promptly 

Regularly update and patch all software, especially critical components like backup servers. Vulnerabilities left unaddressed can lead to devastating consequences.

Backup Security Matters

Secure backup systems are essential. They often contain critical data and serve as gateways for attackers. Implement access controls, monitor for suspicious activity, and encrypt backups.

Threat Intelligence and Vigilance

Stay informed about emerging threats and threat actors. Vigilance and proactive defense are crucial in the ever-evolving landscape of cyber threats.


Read more »
Ransomware
Crypto DoNex Encryption malware Ransomware

Decrypting DoNex: The Flaw That Brought Down a Ransomware Empire

Decrypting DoNex: The Flaw That Brought Down a Ransomware Empire

DoNex Ransomware Encryption: Flaw in Cryptographic Schema

Experts uncovered a critical flaw in the encryption schema of the DoNex ransomware, including all variations and predecessors. Since March 2024, they've worked with law enforcement to give a decryptor to affected DoNex victims covertly.

The cryptographic vulnerability was widely discussed at Recon 2024, compelling the researchers to reveal the problem and its ramifications publically.

The Vulnerability

Avast researchers discovered that the DoNex ransomware went through many rebrandings after its original identification as Muse in April 2022. Subsequent revisions of DoNex included a rebrand to a reported Fake LockBit 3.0 in November 2022, followed by DarkRace in May 2023, and lastly DoNex in March 2024. 

Since April 2024, the team has discovered no further copies, and the ransomware group's public TOR address remained dormant, implying that DoNex's evolution and rebranding efforts may have ended.

How It Works

The DoNex malware uses a complicated encryption method. During execution, the CryptGenRandom function generates an encryption key. This key creates a ChaCha20 symmetric key, which is later used to encrypt files.

Following encryption, the symmetric key is encrypted with RSA-4096 and appended to the impacted file. Files up to 1 MB are encrypted in their whole, whilst larger files are encrypted in block segments. An XOR-encrypted configuration file stores the ransomware's configuration, as well as information on whitelisted extensions, files, and services to terminate.

While the researchers have not described the specific process they used to understand the decryption, more information about the same cryptographic flaw is available in files related to the Recon 2024 event lecture titled "Cryptography is hard: Breaking the DoNex ransomware." The event was hosted by Gijs Rijnders, a malware reverse engineer and cyber threat intelligence specialist of the Dutch National Police.

Implications

DoNex particularly targeted victims in the United States, Italy, and Belgium with tailored attacks. The researchers confirmed that the leaked DoNex decryptor can decrypt all forms of the DoNex ransomware, including earlier versions.

Victims of the DoNex ransomware can identify an attack based on the ransom note left by the software. Although several varieties of DoNex (Fake LockBit, DarkRace, and DoNex) create different ransom notes, they all have the same layout.

  • Victim Relief: Victims no longer need to rely on paying the ransom to regain access to their files. The decryptor provides a straightforward solution.
  • Public Disclosure: The flaw was publicly discussed at the Recon 2024 conference, leading to the official release of details and the decryptor. Transparency is crucial in the fight against ransomware.
  • Ongoing Vigilance: While this breakthrough is significant, it’s essential to remain vigilant. Cybercriminals adapt quickly, and new variants may emerge. Regular backups and robust security practices remain crucial.

Read more »
Ransomware
cyber attack Cyber Attacks Digital Security Finland NATO Ransomware

NoName Ransomware Group Allegedly Targets Denmark and Finland Over NATO Support


 

The ransomware group NoName has reportedly launched cyberattacks against key institutions in Denmark and Finland, citing their support for NATO as the provocation. The alleged attacks targeted Denmark’s digital identification system MitID, the Finland Chamber of Commerce, and Finland’s largest financial services provider, OP Financial Group.

On a dark web forum, NoName announced these attacks, positioning them as a reaction to Denmark and Finland's recent military and infrastructural actions favouring NATO. The group specifically called out Denmark for training Ukrainian specialists in F-16 fighter jet maintenance:

"Denmark has trained the first 50 Ukrainian specialists in servicing F-16 fighter jets. Most of the specialists have already returned to Ukraine to prepare for the reception of F-16s at local air bases. The training of the first group of Ukrainian pilots continues in Denmark.”

They also criticised Finland for infrastructure upgrades intended to support NATO troops:

“Finland has begun repairing roads and bridges in Lapland to prepare for the deployment of NATO troops on its territory. ERR.EE reports on its change of stance on NATO forces and planned infrastructure work.”

NoName concluded their message with a warning, suggesting that Denmark and Finland's governments had not learned from past mistakes and threatened further actions.

Potential Impact on Targeted Entities

MitID: Denmark's MitID is a crucial component of the country's digital infrastructure, enabling secure access to various public and private services. An attack on this system could disrupt numerous services and damage public trust in digital security.

Finland Chamber of Commerce: The Chamber plays a vital role in supporting Finnish businesses, promoting economic growth, and facilitating international trade. A cyberattack could destabilise economic activities and harm business confidence.

OP Financial Group: As the largest financial services group in Finland, OP Financial Group provides a range of services from banking to insurance. A successful cyberattack could affect millions of customers, disrupt financial transactions, and cause significant economic damage.

Despite the claims, the official websites of MitID, the Finland Chamber of Commerce, and OP Financial Group showed no immediate signs of being compromised. The Cyber Express Team has reached out to these institutions for confirmation but has not received any official responses as of the time of writing, leaving the allegations unconfirmed.

The timing of these alleged cyberattacks aligns with recent military and infrastructural developments in Denmark and Finland. Denmark's initiative to train Ukrainian specialists in F-16 maintenance is a significant support measure for Ukraine amidst its ongoing conflict with Russia. Similarly, Finland's infrastructure enhancements in Lapland for NATO troops reflect its strategic alignment with NATO standards following its membership.

The NoName ransomware group's alleged cyberattacks on Danish and Finnish institutions highlight the increasing use of cyber warfare for political and military leverage. These attacks aim to disrupt critical infrastructure and send a strong message of deterrence and retaliation. The situation remains under close scrutiny, with further updates expected as more information or official responses become available.


Read more »
Sensitive data
cryptocurrency Data Breach LukaLocker ransomware Ransomware Sensitive data

Ransomware Group Uses Harassment Tactics to Secure Payments


 

A newly identified ransomware group named Volcano Demon is using aggressive tactics to compel victims to pay ransoms. Halycon, an anti-ransomware firm, recently reported that this group has targeted several organisations in the past weeks with a new encryption tool called LukaLocker.

Attack Strategy

Volcano Demon’s attack method is both simple and effective. Initially, the hackers infiltrate the target’s network, mapping it out and stealing as many sensitive files as they can. Following this, they deploy LukaLocker to encrypt files and entire systems. The victims are then instructed to pay a ransom in cryptocurrency to receive the decryption key and prevent the stolen data from being leaked.

Technical Details of LukaLocker

LukaLocker works by adding a .nba extension to encrypted files and is capable of operating on both Windows and Linux systems. The encryptor is proficient at hiding its tracks by erasing logs before exploitation, making it difficult for cybersecurity experts to perform a full forensic analysis. Furthermore, LukaLocker can disable processes linked to most major antivirus and anti-malware solutions, making recovery efforts even more challenging.

Unlike typical ransomware groups that maintain dedicated data leak sites, Volcano Demon employs a more direct and intimidating approach. They contact the leadership of the victimised companies via phone calls from unidentified numbers to negotiate ransom payments. These calls are often threatening in nature, adding psychological pressure to the already stressful situation of a ransomware attack.

Impact on Businesses

The harassment tactic used by Volcano Demon increases the urgency and stress for affected businesses. The inability to conduct thorough forensic investigations due to LukaLocker’s log-clearing capabilities leaves victims vulnerable and with limited recovery options.

Businesses must enhance their cybersecurity measures to reduce the risk of such attacks. Implementing comprehensive logging and monitoring solutions, maintaining regular backups, and educating employees about common infiltration methods like phishing are critical steps. Additionally, organisations should ensure their antivirus and anti-malware solutions are robust and regularly updated to counteract disabling mechanisms like those employed by LukaLocker.

Volcano Demon’s innovative approach to ransomware, characterised by harassing phone calls and sophisticated encryption methods, underscores the developing nature of cyber threats. As cybercriminals develop new strategies to exploit vulnerabilities, it is essential for businesses to remain vigilant and proactive in their cybersecurity efforts to protect sensitive data and ensure operational continuity.




Read more »
UK
Cyber Security Data Theft Databreach NHS Ransomware UK

Cybersecurity Expert Warns NHS Still Vulnerable After Major Ransomware Attack

 

A leading cybersecurity expert has warned that the NHS remains at risk of further cyber-attacks unless it updates its computer systems. This stark warning follows a significant ransomware attack that severely disrupted healthcare services across London. 

Prof Ciaran Martin, the founding CEO of the UK's National Cyber Security Centre (NCSC), told the BBC: "I was horrified, but not completely surprised. Ransomware attacks on healthcare are a major global problem." NHS England announced it was increasing its cybersecurity resilience and had invested $338 million over the past seven years to address the issue. 

However, Prof Martin’s warnings suggest more urgent action is necessary. A recent British Medical Association report highlighted the NHS's ageing IT infrastructure, revealing that doctors waste 13.5 million hours annually due to outdated systems - equivalent to 8,000 full-time medics' time. 

 The cyber-attack on 3 June, described by Prof Martin as one of the most serious in British history, targeted Synnovis, a pathology testing organisation. This severely affected services at Guy's, St Thomas', King's College, and Evelina London Children's Hospitals. 

NHS England declared it a regional incident, resulting in 4,913 outpatient appointments and 1,391 operations being postponed, alongside major data security concerns. The Russian-based hacking group Qilin, believed to be part of a Kremlin-protected cyber army, demanded a $40 million ransom. When the NHS refused to pay, the group published stolen data on the dark web. 

This incident reflects a growing trend of Russian cyber criminals targeting global healthcare systems. Now a professor at the University of Oxford, Prof Martin highlighted three critical issues facing NHS cybersecurity: outdated IT systems, the need to identify vulnerable points, and the importance of basic security practices.

He further said, "In parts of the NHS estate, it's quite clear that some of the IT is out of date." He stressed the importance of identifying "single points of failure" in the system and implementing better backups. 

Additionally, he emphasized that improving basic security measures could significantly hinder attackers, noting: "Those little things make the point of entry quite a lot harder for the thugs to get in." Emphasizing the severity of the recent attack, he said, "It was obvious that this was going to be one of the most serious cyber incidents in British history because of the disruption to healthcare."
Read more »
Ransomware
BianLian Business Continuity Data Breach Incident response Ransomware

BianLian Ransomware Strikes: US Companies Grapple with Data Breach Fallout


The BianLian ransomware organization is accused of cyberattacking against three major US companies, consisting of large amounts of sensitive data. The victims of the BianLian ransomware attack—Island Transportation Corp., Legend Properties Inc., and Transit Mutual Insurance Corporation of Wisconsin—had their breaches detailed on a dark web forum by the ransomware gang.

This escalation illustrates the growing threat ransomware attacks present against important sectors across the United States.

The Targets

1. Island Transportation Corp.: A heavyweight in the bulk carrier industry, Island Transportation Corp. services the petroleum sector. Unfortunately, they fell victim to the BianLian ransomware attack, compromising a staggering 300 GB of organizational data. Among the exposed information are vital business records, accounting files, project details, and personal data.

2. Legend Properties Inc.: As a well-established commercial real estate and brokerage firm, Legend Properties Inc. found itself in the crosshairs. The attackers gained unauthorized access to 400 GB of sensitive data, including critical business information, accounting records, and personal details.

3. Transit Mutual Insurance Corporation of Wisconsin: A key player in the insurance industry, Transit Mutual Insurance Corporation of Wisconsin suffered a similar fate. The ransomware breach exposed 400 GB of organizational data, encompassing business records, accounting files, project data, and personal information.

The Broader Implications

  • Data Privacy: The compromised data includes personal information, which could lead to identity theft or financial fraud. Companies must prioritize robust data protection mechanisms.
  • Business Continuity: Disruptions caused by ransomware attacks can cripple operations. Organizations need robust backup systems and incident response plans.
  • Industry Vulnerability: No sector is immune. Whether shipping, real estate, or insurance, all must fortify their defenses against cyber threats.

Recommendations

  • Multi-Layered Security: Companies should adopt a multi-layered security approach, including firewalls, intrusion detection systems, and regular security audits.
  • Employee Training: Educate employees about phishing, social engineering, and safe online practices. Human error remains a significant vulnerability.
  • Incident Response Plans: Develop and test incident response plans to minimize damage during an attack.

The situation underscores the growing threat posed by ransomware attacks to critical sectors across the United States. 

While Island Transportation Corp.'s website remains functional, Legend Properties Inc. and Transit Mutual Insurance Corporation of Wisconsin have displayed blocking messages, indicating potential disruptions due to the attack.

Read more »
Window System
Cyber Attacks Ransomware Threat Landscape VMware ESXi Window System

Eldorado Ransomware is Targeting Windows, VMware ESXi VMs

 

Eldorado, a new ransomware-as-a-service (RaaS), was released in March and has locker variations for VMware ESXi and Windows. The gang has already claimed 16 victims, the majority of whom are in the United States and work in real estate, education, healthcare, and manufacturing. 

Researchers at cybersecurity firm Group-IB monitored Eldorado's activity and discovered its operators advertising the malicious service on RAMP forums and looking for skilled affiliates to join the affiliate programme. Eldorado also maintains a data leak site that lists victims, although it was unavailable at the time of writing.

Eldorado is a Go-based ransomware that can encrypt Windows and Linux platforms using two unique variations with numerous operational similarities. The researchers acquired an encryptor from the developer, along with a user manual indicating that 32/64-bit variations are available for VMware ESXi hypervisors and Windows. According to Group-IB, Eldorado is a unique development that does not rely on previously available builder sources. 

The malware encrypts each locked file with the ChaCha20 algorithm, generating a unique 32-byte key and 12-byte nonce. The keys and nonces are then encrypted with RSA under the Optimal Asymmetric Encryption Padding (OAEP) scheme. 

After encryption, files are added with the ".00000001" extension, and ransom notes named "HOW_RETURN_YOUR_DATA.TXT" are placed in the Documents and Desktop folders. Eldorado additionally encrypts network shares using the SMB communication protocol to expand its impact and deletes shadow volume copies from compromised Windows machines to prevent recovery. 

To avoid the system from becoming unbootable/unusable, the ransomware skips DLLs, LNK, SYS, and EXE files, as well as files and directories associated with system boot and basic operation. Finally, it is configured by default to self-delete in order to avoid detection and analysis by response teams. 

Researchers from Group-IB, who infiltrated the group, claim that affiliates have the ability to customise their attacks. On Windows, for example, attackers can choose which directories to encrypt, skip local files, target network shares on particular subnets, and prevent the malware from deleting itself. However, Linux customisation parameters only allow threat actors to encrypt the directories.
Read more »
threat report
Cyber Crime Extortion Scheme Ransomware Ransomware Actors threat report

Ransomware Extortion Demands Increase to $5.2 Million Per Attack

 

Ransomware demands are skyrocketing in 2024, with the average extortion demand per ransomware attack exceeding $5.2 million per incident in the first half of the year. 

Following an attack on India's Regional Cancer Centre (RCC) on April 20, a review of 56 ransom demands from January to June of this year revealed that the highest demand was $100 million. The second and third highest extortion demands were issued to Synnovis, a UK pathology supplier, and London Drugs, a Canadian retailer, at $50 million and $25 million, respectively. 

Even though there were 421 ransomware attacks in the first half of 2024 as opposed to 704 attacks in the same time of 2023, the numbers for 2024 are probably going to rise as long as there are more SEC-mandated breach disclosures. In terms of how much data has been stolen in these attacks, private companies have had 29.7 million records compromised thus far, whilst governments have had 52,390, and the healthcare industry has had a startling 5.4 million exposed records. 

Prevention tips 

Maintain backups: The researchers recommend that backing up critical information is the single most effective strategy to recover from a ransomware outbreak. There are a few things to consider, however. Backup files should be securely safeguarded and stored offline or out-of-band to prevent attackers from targeting them. 

Using cloud services may help alleviate a ransomware outbreak as many retain previous versions of files, allowing you to restore to an unencrypted version.Regularly test backups for efficacy. In the case of an attack, be sure your backups aren't infected before rolling back. 

Develop strategies and policies: Create an incident response strategy so that your IT security personnel knows what to do in the case of a ransomware attack. The plan should include the roles and communications to be shared during an assault. 

You should also include a list of contacts, such as any partners or vendors that need to be informed. Do you have a "suspicious email" policy? If not, try implementing a company-wide policy. This will help instruct employees on what to do if they receive an email that they don't understand. It may be as simple as forwarding the email to the IT security staff. 

Keep systems up-to-date: Make sure that all of your organization's operating systems, apps, and software are constantly updated. Applying the most recent updates will help close the security gaps that attackers are attempting to exploit. Wherever possible, enable auto-updates so that you always have the most recent security fixes.
Read more »
Ransomware
Cyber Attacks Cyber Espionage Campaign Cyberwarfare / Nation-State Attack Ransomware

Chinese-Linked Cyberespionage Groups Now Using Ransomware to Hide Activities

 

Chinese-linked cyberespionage campaigns are increasingly deploying ransomware to either make money, distract their adversaries, or make it harder to attribute their activities, according to researchers from SentinelLabs and Recorded Future. This shift marks a change from the traditional practices of state-backed hackers, who previously avoided using ransomware. 

A report published on Wednesday identified that ransomware attacks in 2022, including those on the Brazilian presidency and the All India Institute of Medical Sciences (AIIMS), were actually the work of a Chinese-linked cyberespionage group known as ChamelGang or CamoFei. 

By employing ransomware, these cyberespionage groups can obscure their true identity and activities, making it appear as if the attacks were carried out by independent cybercriminals instead of state-sponsored actors. 

"Misattributing cyberespionage as purely financially motivated cybercrime can have strategic repercussions," the researchers noted. This is particularly concerning when ransomware attacks target government or critical infrastructure organizations. 

Ransomware attacks typically lock files and data, with attackers demanding a ransom for decryption. However, sometimes the attackers never decrypt the data, turning the attack into a destructive one. This complicates efforts to restore systems and obscures the true nature of the attack, benefiting cyberespionage groups by erasing traces of their operations. 

In November 2022, Delhi police labeled the AIIMS attack an act of “cyber terrorism,” with anonymous officials attributing it to Chinese hackers. Despite these allegations, the Chinese Embassy in Washington, D.C., denied involvement, emphasizing the complexity of tracing cyberattacks and the need for substantial evidence. 

The report comes amid growing concerns from U.S. officials about aggressive Chinese cyber activities, such as Volt Typhoon, which are designed to influence U.S. decision-making in the event of a conflict. While Chinese cyber operations using ransomware is not unprecedented, it reflects a broader trend of state-linked groups, including Russian military intelligence, using disruptive malware to mislead and amplify psychological impacts. 

Ransomware acts as a smoke screen, serving various strategic goals and allowing state-aligned operations to replenish their disruptive tools more quickly. Ben Carr, chief security and trust officer at Halcyon, suggests that this approach allows cyberespionage groups to gather intelligence and simulate more malicious activities, effectively "wargaming" potential future scenarios.
Read more »
Ticketmaster
Consumer Data malware Ransomware Taylor Swift Ticketmaster

Inside the Ticketmaster Hack: 440,000 Taylor Swift Fans at Risk

Inside the Ticketmaster Hack: 440,000 Taylor Swift Fans at Risk

In May, the hacking group ShinyHunters claimed to have gotten personal information from more than 500 million Ticketmaster users and was selling the data on the dark web, and the business has now admitted that consumer data may have been "exposed." 

The breach, initially believed to be limited in scope, has now escalated, affecting millions of ticket holders, including fans attending Taylor Swift’s Eras Tour. Let’s delve into the details of this high-stakes cybercrime.

Ticketmaster Data Breach: What You Need to Know

In an email sent to affected customers, Ticketmaster said that they had discovered "unauthorised activity" in a third-party cloud database, and that personal data of "some customers" who purchased tickets to events in North America (the United States, Canada, and/or Mexico) could have been compromised.

Ticketmaster confirmed that unauthorized access occurred, leading to the compromise of sensitive customer data. The hackers gained access to 193 million ticket barcodes, valued at an astonishing $22.6 billion. Among these, 440,000 tickets belong to Taylor Swift’s ongoing tour, leaving fans anxious and concerned.

The Ransom Demand

ShinyHunters, known for their audacity, demanded an $8 million ransom for the safe return of the stolen data. The group threatened to leak the ticket barcodes if their demands were not met promptly. Ticketmaster faced a dilemma: pay the ransom or risk exposing millions of customers’ personal information.

The American Ticket Sales and Distribution Company shared, "Ticketmaster’s SafeTix technology protects tickets by automatically refreshing a new and unique barcode every few seconds so it cannot be stolen or copied. This is just one of many fraud protections we implement to keep tickets safe and secure."

"Some outlets are inaccurately reporting about a ransom offer. We were never engaged for a ransom and did not offer them money," Ticketmaster confirmed. 

Potential Implications

1. Privacy Concerns

Customers trust platforms like Ticketmaster with their personal details, including names, addresses, and payment information. The breach jeopardizes this trust and raises questions about data security practices within the industry.

2. Financial Impact

Ticketmaster faces a double bind: pay the ransom and potentially encourage further attacks, or refuse and risk public outrage. The financial implications extend beyond the ransom amount. Legal fees, compensation to affected customers, and damage control efforts will strain the company’s resources.

3. Reputation Damage

Ticketmaster’s reputation hangs in the balance. Swift action is crucial to mitigate reputational harm. Customers may think twice before purchasing tickets through the platform, affecting future sales and partnerships.

Some Key Takeaways

  • Third-Party Risk: Organizations must carefully assess the security practices of third-party vendors who handle sensitive data.
  • Encryption Matters: While Ticketmaster’s payment card information was encrypted, it’s crucial to ensure strong encryption methods are in place.
  • Prompt Communication: Ticketmaster’s quick response in notifying affected customers demonstrates the value of timely communication during a breach.

Read more »
Ransomware
Italy malware RansomHouse RansomHub Ransomware

RansomHub and RansomHouse: Unmasking the Culprits Behind Italy’s Attacks

RansomHub and RansomHouse: Unmasking the Culprits Behind Italy’s Attacks

Hackers have claimed responsibility for three major cyberattacks in Italy in the last 24 hours. The RansomHub and RansomHouse gangs allegedly carried out the ransomware assaults in Italy. RansomHub targeted the websites of Cloud Europe and Mangimi Fusco, while RansomHouse claimed responsibility for conducting a cyberattack against Francesco Parisi.

Italy's Ransomware Attacks

Cloud Europe is a Tier IV carrier-neutral data center based in Rome's Tecnopolo Tiburtino. According to the company's website, it specializes in data center architecture and management, focusing on security and service continuity. The company creates, hosts, and operates modular infrastructure for data centers in both the private and public sectors.

The Attacks

1. Cloud Europe: On June 29, 2024, RansomHub claimed responsibility for infiltrating the servers of Cloud Europe, a prominent Tier IV certified data center in Rome. The attackers allegedly encrypted the servers and exfiltrated 70 terabytes of data. Among the stolen information were 541.41 gigabytes of sensitive data, including client records, financial documents, and proprietary software.

2. Mangimi Fusco: The same day, RansomHub targeted Mangimi Fusco, an animal food manufacturer. The group claimed to have stolen 490 gigabytes of confidential data, including client files, budget details, and payroll information. However, as of now, Mangini Fusco’s website shows no signs of the reported attack, leaving room for skepticism.

3. Francesco Parisi: RansomHouse, another hacking collective, breached the website of Francesco Parisi, a group specializing in freight forwarding and shipping services. The attack occurred on May 29, 2024, and resulted in the theft of 150 gigabytes of company data. Francesco Parisi has acknowledged the breach and is working to restore normalcy while enhancing its cybersecurity defenses.

The Implications

These attacks raise critical questions about the state of cybersecurity readiness among Italian businesses:

Vulnerabilities: Despite advancements in security protocols, organizations remain vulnerable to sophisticated attacks. The ability of threat actors to infiltrate well-established data centers and corporate websites highlights the need for continuous vigilance.

Data Privacy: The stolen data contains sensitive information that could be exploited for financial gain or used maliciously. Companies must prioritize data privacy and invest in robust encryption, access controls, and incident response plans.

Business Continuity: When ransomware strikes, business operations grind to a halt. Cloud Europe’s experience serves as a stark reminder that even data centers, designed to ensure continuity, are not immune. Organizations must have contingency plans to minimize disruptions.

How to Stay Safe?

To safeguard against ransomware and other cyber threats, companies should consider the following strategies:

  • Regular Backups: Frequent backups of critical data are essential. These backups should be stored securely and tested periodically to ensure their integrity.
  • Employee Training: Human error often opens the door to cyberattacks. Regular training sessions can educate employees about phishing emails, suspicious links, and safe online practices.
  • Multi-Factor Authentication (MFA): Implementing MFA adds an extra layer of security, making it harder for unauthorized individuals to gain access.
  • Incident Response Plans: Organizations should develop comprehensive incident response plans that outline steps to take during a breach. Swift action can minimize damage and prevent data loss.

Read more »
Ransomware
brain cipher Cyber Attacks Cyberattack data attacks Indonesia Ransomware

Brain Cipher Ransomware Targets Indonesia's National Data Center in Major Cyberattack

 

A new ransomware operation known as Brain Cipher has emerged, targeting organizations worldwide. This operation recently gained media attention due to an attack on Indonesia's temporary National Data Center.

Indonesia is developing National Data Centers to securely store servers used by the government for online services and data hosting. On June 20th, one of these temporary centers was attacked, leading to the encryption of government servers. This disruption affected immigration services, passport control, event permit issuance, and other online services.

The Indonesian government confirmed that Brain Cipher, a new ransomware operation, was responsible for the attack, impacting over 200 government agencies. The attackers demanded $8 million in Monero cryptocurrency for a decryptor and to prevent the leak of allegedly stolen data.

BleepingComputer has learned from negotiation chats that the threat actors claimed they would issue a "press release" about the "quality of personal data protection" in the attack, implying that data was stolen.

Brain Cipher is a new ransomware operation that began earlier this month and has been conducting attacks on organizations worldwide. Initially, the ransomware gang did not have a data leak site, but their latest ransom notes now include links to one, indicating their use of double-extortion tactics. BleepingComputer has found numerous samples of Brain Cipher ransomware on various malware-sharing sites over the past two weeks.

These samples [1, 2, 3] were created using the leaked LockBit 3.0 builder, which has been widely used by other threat actors to launch their own ransomware operations. However, Brain Cipher has made minor modifications to the encryptor.

One change is that it not only appends an extension to encrypted files but also encrypts the file names. The encryptor also creates ransom notes named in the format of [extension].README.txt, which briefly describe the attack, make threats, and provide links to the Tor negotiation and data leak sites. In one instance seen by BleepingComputer, the ransom note deviated from the template and was named 'How To Restore Your Files.txt.'

Each victim receives a unique encryption ID to enter into the threat actor's Tor negotiation site. Similar to other recent ransomware operations, the negotiation site is straightforward, featuring a chat system for communication with the ransomware gang.

Brain Cipher has also launched a new data leak site, although it currently does not list any victims. In negotiations observed by BleepingComputer, the ransomware gang has demanded ransoms ranging from $20,000 to $8 million.

The encryptor, based on the leaked LockBit 3 encryptor, has been thoroughly analyzed. Unless Brain Cipher has modified the encryption algorithm, there are no known methods to recover files for free.
Read more »
Ransomware
Businesses Data Breach data security Japan Kadokawa Group Ransomware

Kadokawa Group Hit by Major Ransomware Attack


 

Kadokawa Group, the parent company of renowned game developer FromSoftware, has fallen victim to a gruesome ransomware attack. The Japanese conglomerate, known for its diverse involvement in book publishing, the video-sharing service Niconico, and various other media enterprises, revealed the breach on Thursday. While the extent of the damage is still being assessed, the company is actively investigating potential information leaks and their impact on its business operations for the upcoming year.

The cyberattack, which occurred on Saturday, June 8, targeted the servers located in Kadokawa Group’s data centre. Niconico and its related services were the primary targets of this attack. Kadokawa Group stated that they are working on solutions and workarounds on a company-wide basis to restore normalcy to their systems and business activities. Despite the attack, Kadokawa assured that they do not store credit card information in their systems, which provides some relief regarding financial data security.

FromSoftware, the acclaimed studio behind hits like Dark Souls and Elden Ring, has not been specifically mentioned in Kadokawa’s disclosure about the affected businesses. This leaves some uncertainty about whether FromSoftware’s data and systems were compromised. However, Kadokawa’s broad approach to addressing the issue suggests a company-wide effort to mitigate any potential damage.

This incident is not an isolated one in the gaming industry. FromSoftware’s publishing partner, Bandai Namco, experienced a ransomware attack in 2022. Other prominent gaming companies, including Capcom, CD Projekt Red, and Insomniac Games, have also faced similar breaches. Notably, Rockstar Games suffered a major data breach in 2022, which resulted in the leak of an in-development build of Grand Theft Auto VI. In response, Rockstar took measures to enhance security, including limiting remote work.

Kadokawa Group is expected to provide further updates on the ransomware attack and the status of their systems in July. The company’s ongoing efforts to investigate and resolve the issue are crucial in determining the full impact of the breach.

While FromSoftware’s next project remains a mystery, fans eagerly anticipate the possibility of a Bloodborne sequel. Despite the current uncertainties surrounding the ransomware attack, the gaming community continues to look forward to future announcements from the esteemed game studio.

Kadokawa Group’s handling of this cyberattack will be closely watched as it unfolds, with implications for both their media operations and the wider industry’s approach to cybersecurity.


Read more »
Subscribe to: Posts (Atom)