
BlackCat Ransomware Linked to UnitedHealth Subsidiary Optum Hack

 

A cyberattack against Optum, a UnitedHealth Group company, was linked to the BlackCat ransomware gang and resulted in an ongoing outage that impacted the Change Healthcare payment exchange platform. 

Customers were notified by Change Healthcare earlier this week that due to a cybersecurity incident, some of its services are unavailable. The cyberattack was orchestrated by alleged "nation-state" hackers who gained access to Change Healthcare's IT systems, according to a statement made by UnitedHealth Group in an SEC 8-K filing a day later. 

Since then, Optum has been posting daily incident updates on a dedicated status page, alerting users to the fact that most services are temporarily unavailable due to Change Healthcare's systems being offline to contain the breach and prevent future damage. 

"We have a high level of confidence that Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected by this issue," Optum stated. "We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online.” 

Links to BlackCat 

Change Healthcare has been holding Zoom calls with partners in the healthcare sector to share information about the cyberattack since it affected its systems.

One of the individuals involved in these calls informed a local media source that forensic experts participating in the incident response had linked the attack to the BlackCat (ALPHV) ransomware gang (Reuters first reported the Blackcat link on Monday).

Last week, another source informed BleepingComputer that one indicator of attack is a critical ScreenConnect auth bypass vulnerability (CVE-2024-1709), which is being actively used in ransomware attacks against unpatched servers. 

Tyler Mason, vice president of UnitedHealth Group, stated that 90% of the impacted pharmacies had put new electronic claim procedures in place to deal with Change Healthcare issues, but he did not confirm if BlackCat was the root of the attack. 

"We estimate more than 90% of the nation’s 70,000+ pharmacies have modified electronic claim processing to mitigate impacts from the Change Healthcare cyber security issue; the remainder have offline processing workarounds," Mason stated. "Both Optum Rx and UnitedHealthcare are seeing minimal reports, including less than 100 out of more than 65 million PBM members not being able to get their prescriptions. Those patients have been immediately escalated and we have no reports of continuity of care issues.” 

8,000 hospitals and other care facilities, as well as more than 1.6 million doctors and other healthcare professionals, are under contract with United Health Group (UHG), a health insurance provider with operations in all 50 states of the United States. With 440,000 employees globally, UHG is the largest healthcare corporation in the world by sales ($324.2 billion in 2022).

UK Led Global Operations Disrupt LockBit's Criminal Network

 

One of the most notorious cybercrime organisations in the world has been hit by an unprecedented police operation involving the arrest and indictment of members of the Lockbit ransomware group by the FBI and Britain's National Crime Agency. 

The United States has charged two Russian citizens with deploying Lockbit ransomware against organisations and companies across the globe. Police in Poland and Ukraine made two arrests. 

The disruption of a criminal network, which has targeted over 2,000 victims globally, accepted over $120 million in ransom payments, and demanded hundreds of millions of dollars, was announced by the NCA, FBI, Europol, and U.S. Department of Justice at a meeting in London. 

Britain's National Crime Agency Cyber Division, in collaboration with the U.S. Department of Justice, the Federal Bureau of Investigation, and other law enforcement agencies, seized control of websites used by the Lockbit gang, U.S. and British authorities said. The agencies went a step further by releasing internal data about the group through Lockbit's own website. 

“We have hacked the hackers," Graeme Biggar, director general of the National Crime Agency, told journalists. "We have taken control of their infrastructure, seized their source code and obtained keys that will help victims decrypt their systems.” 

The takedown, dubbed “Operation Cronos” was an international coalition of 10 countries, he added. “Together, we have arrested, indicted or sanctioned some of the perpetrators and we have gained unprecedented and comprehensive access to Lockbit’s systems”. 

Billions in damages 

Ransomware is malicious software that encrypts data; Lockbit and its affiliates profit by coercing victims into paying a ransom to decrypt or unlock that data using a digital key. In recent months, some of the world's largest organisations have been targeted by the gang's digital extortion tools.

Its affiliates are like-minded criminal groups that Lockbit recruits to carry out attacks with those tools. Those affiliates carry out the attacks and pay Lockbit a portion of the ransom, which is typically sought in cryptocurrency, making it difficult to track. 

Operation Cronos confiscated 34 of Lockbit's computers, detained two gang members, froze 200 cryptocurrency accounts, and shut down 14,000 "rogue accounts" used online to launch Lockbit's operations, the officials said. 

Lockbit has caused monetary losses totaling billions, the NCA's Biggar stated, to businesses that not only had to pay ransoms but also had to shoulder the cost of getting their systems back online. 

Before it was disrupted, Lockbit's website displayed an ever-growing gallery of victim organisations that was updated nearly daily. Next to their names were digital clocks that showed the number of days left to the deadline given to each organisation to provide ransom payment.

Kasseika Ransomware Employs AntiVirus Driver to Disarm Other Antiviruses

 

Kasseika, a ransomware gang, has become the latest to leverage the Bring Your Own Vulnerable Driver (BYOVD) attack to disable security-related processes on compromised Windows hosts, following groups such as Akira, AvosLocker, BlackByte, and RobbinHood. 

Trend Micro stated in a report that the technique enables "threat actors to terminate antivirus processes and services in order to deploy ransomware." 

Kasseika, identified by the cybersecurity firm in mid-December 2023, shares similarities with the now-defunct BlackMatter, which formed following DarkSide's disintegration. 

Given that BlackMatter's source code was never made public after its demise in November 2021, there is evidence to suggest that the ransomware strain may have been created by an experienced threat actor who purchased or otherwise secured access to the code. 

Modus operandi 

Kasseika attack chains begin with phishing emails to gain access, then drop remote administration tools (RATs) to escalate privileges and propagate across the target network. 

The threat actors have been spotted employing Microsoft's Sysinternals PsExec command-line tool to run a malicious batch script. The script searches for a process called "Martini.exe" and ends it if it is located, thereby guaranteeing the process is only running on one machine. 

The executable's primary task is to disable 991 security tools by downloading the "Martini.sys" driver from a remote server and loading it. It is important to note that "Martini.sys" is in fact "viragt64.sys," a legitimately signed driver that has been placed on Microsoft's vulnerable driver blocklist and is deployed here under the Martini.sys name. 

The researchers noted that "if Martini.sys does not exist, the malware will terminate itself and not proceed with its intended routine," highlighting the vital role that the driver plays in defence evasion.

After that, "Martini.exe" launches the ransomware payload ("smartscreen_protected.exe"), which encrypts data using the RSA and ChaCha20 algorithms, but only after it has terminated all services and processes that are attempting to reach the Windows Restart Manager. 

The computer's wallpaper is subsequently modified to display a note requesting a 50 bitcoin payment to a wallet address within 72 hours, or risk paying an additional $500,000 every 24 hours once the deadline elapses. A ransom note is then dumped in every directory that has been encrypted. 

Furthermore, in order to acquire a decryptor, victims are required to send a screenshot of their successful payment to a Telegram channel that is managed by attackers. The Kasseika ransomware also has additional tricks up its sleeve, such as wiping traces of activity from the system's event logs using the wevtutil.exe component.

"The command wevtutil.exe efficiently clears the Application, Security, and System event logs on the Windows system," the researchers concluded. "This technique is used to operate discreetly, making it more challenging for security tools to identify and respond to malicious activities.”
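A defender-side view of the two evasion steps described in this post (a blocklisted driver loaded under another name, and the wevtutil wipe of the Application, Security and System logs), written as an added example rather than Trend Micro's code or anything from the Kasseika write-up. The event lines and their field names are constructed for this example and only loosely modelled on Sysmon's DriverLoad and ProcessCreate events and Windows event 1102.

```python
"""Flag BYOVD driver loads and event-log wiping in constructed host telemetry."""
import re
from dataclasses import dataclass
from os.path import basename
from typing import Dict, List, Optional

# Driver original names this post reports as being on Microsoft's vulnerable
# driver blocklist. A production rule would use the full blocklist (by hash).
BLOCKLISTED_DRIVER_NAMES = {"viragt64.sys"}

# The three channels the researchers saw cleared with wevtutil.
CORE_CHANNELS = {"application", "security", "system"}

# Constructed sample events (not real telemetry): "EventID=6" stands for a
# driver load, "EventID=1" for a process start, "EventID=1102" for the Windows
# audit-log-cleared event. The values are invented for this example.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine="taskkill /F /IM Martini.exe"',
    'EventID=6 ImageLoaded=C:\\Temp\\Martini.sys Signed=true OriginalFileName=viragt64.sys',
    'EventID=1 Image=C:\\Temp\\Martini.exe CommandLine="Martini.exe"',
    'EventID=1 Image=C:\\Windows\\System32\\wevtutil.exe CommandLine="wevtutil.exe cl Application"',
    'EventID=1 Image=C:\\Windows\\System32\\wevtutil.exe CommandLine="wevtutil.exe cl Security"',
    'EventID=1 Image=C:\\Windows\\System32\\wevtutil.exe CommandLine="wevtutil.exe cl System"',
    'EventID=1102 Subject=host\\admin Channel=Security',
    'EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Signed=true OriginalFileName=tcpip.sys',
]


@dataclass
class Finding:
    severity: str
    rule: str
    detail: str


_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'key=value key="quoted value"' line into a dict."""
    fields = {}
    for key, raw, quoted in _KV.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def _file_name(win_path: str) -> str:
    """Lower-cased final component of a Windows path, usable on any OS."""
    return basename(win_path.replace("\\", "/")).lower()


def check_driver_load(ev: Dict[str, str]) -> List[Finding]:
    """Blocklisted driver, or a driver whose on-disk name hides its original name."""
    loaded = _file_name(ev.get("ImageLoaded", ""))
    original = ev.get("OriginalFileName", "").lower()
    findings = []
    if original in BLOCKLISTED_DRIVER_NAMES:
        findings.append(Finding("high", "byovd-blocklisted-driver",
                                f"{loaded} is the blocklisted driver {original}"))
    if original and loaded != original:
        findings.append(Finding("medium", "renamed-driver",
                                f"driver loaded as {loaded} but its original name is {original}"))
    return findings


def cleared_channel(ev: Dict[str, str]) -> Optional[str]:
    """Return the channel name if this process start is a wevtutil log clear."""
    if _file_name(ev.get("Image", "")) != "wevtutil.exe":
        return None
    args = ev.get("CommandLine", "").split()
    if len(args) >= 3 and args[1].lower() in ("cl", "clear-log"):
        return args[2].lower()
    return None


def detect(lines: List[str]) -> List[Finding]:
    """Run all rules over the event lines; escalate when every core log is wiped."""
    findings: List[Finding] = []
    wiped = set()
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "6":
            findings.extend(check_driver_load(ev))
        elif eid == "1":
            channel = cleared_channel(ev)
            if channel:
                wiped.add(channel)
                findings.append(Finding("medium", "wevtutil-clear-log",
                                        f"{channel} log cleared via wevtutil"))
        elif eid == "1102":
            findings.append(Finding("medium", "audit-log-cleared",
                                    "Windows event 1102: audit log cleared"))
    if CORE_CHANNELS <= wiped:
        findings.append(Finding("high", "mass-log-wipe",
                                "Application, Security and System logs all cleared"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```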

LockBit Ransomware Outfit Claims Subway as its Latest Victim

 

Due to an alleged ransomware attack by the notorious LockBit ransomware gang, the multinational fast-food restaurant giant Subway is facing a potential PR nightmare. Reports suggest Subway’s systems were exploited by the LockBit gang, known for its aggressive modus operandi. 

After the LockBit ransomware organisation claimed to have breached Subway's internal SUBS systems and stolen an abundance of data, the firm launched an investigation. The ransomware-as-a-service provider listed the company on its data leak website, claiming that one of its affiliates took gigabytes of critical details. 

LockBit indicated that they are allowing the company some time to preserve the data, "which includes hundreds of gigabytes of data and all financial of the franchise, including employee salaries, franchise royalty payments, master franchise commission payments, restaurant turnovers, etc." If they do not, the notorious outfit plans to sell it to competitors.

The message was posted on January 21, and the criminals gave Subway until February 2 to pay the extortion. However, Subway's spokesperson states that the company is still investigating the hackers' claims. 

For your information, LockBit is one of the most active ransomware groups, having targeted thousands of organisations. The US authorities claimed in June 2023 that the LockBit gang had targeted 1,700 companies in the US since 2020, collecting more than $90 million in ransom. 

Many people were surprised to learn that Subway had been unaware of the ransomware attack. This is less surprising given that hackers are increasingly focusing on data theft rather than encryption, since developing, maintaining, and delivering ransomware has become too difficult. Companies have significantly improved their backups and defences; as a result, criminals steal data and demand payment for not releasing it publicly. 

It is worth mentioning that Subway has 20,000 stores worldwide and over 400,000 employees, so the data leak might have long-term consequences for its customers if it unfolds. To protect yourself from online risks, avoid clicking links or opening attachments, use strong passwords, enable two-factor authentication, maintain software and operating systems up to date, and invest in reliable antivirus and anti-malware software. Adequate cyber hygiene is the best approach to fight against cybercrime.

International Authorities Take Down ALPHV ransomware Gang’s Dark Web Leak Site

 

An international group of law enforcement groups has taken down the dark web leak site of the notorious ransomware gang known as ALPHV, or BlackCat. 

"The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against ALPHV Blackcat Ransomware," a message currently reads on the gang's dark web leak site. 

According to the press release, law enforcement agencies from the United Kingdom, Denmark, Germany, Spain, and Australia were also involved in the takedown operation. 

The US Department of Justice later confirmed the disruption, stating that the global takedown effort, led by the FBI, allowed US officials to obtain visibility into the ransomware group's computer and seize "several websites" that ALPHV operated. 

Additionally, the FBI released a decryption tool that has already helped more than 500 victims of the ALPHV ransomware restore their systems. (The government's search warrant puts the number of victims at 400.) The tool helped several victims in the US avoid paying ransom demands totalling around $68 million. 

According to the government's notification, ALPHV stole hundreds of millions of dollars by breaking into the networks of over a thousand victims worldwide. The gang has targeted vital infrastructure in the United States, including government structures, emergency services, defence industrial base companies, critical manufacturing, healthcare and public health facilities, and other businesses, educational institutions, and governmental entities. 

The FBI said it worked with a “confidential human source” linked to the ransomware gang, which granted agents access to the ALPHV/BlackCat affiliate panel that the gang used to manage its victims, according to the government's search warrant. The State Department previously stated that it will reward those who offer insights "about Blackcat, their affiliates, or activities.” 

“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” stated U.S. deputy attorney general Lisa Monaco in remarks. “With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and healthcare and emergency services were able to come back online. We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.” 

In recent years, the ALPHV/BlackCat ransomware group has been one of the most active and devastating. ALPHV, which is believed to be a successor to the now-defunct sanctioned REvil hacking gang, claims to have infiltrated a number of high-profile victims, including news-sharing site Reddit, healthcare provider Norton, and the United Kingdom's Barts Health NHS Trust. 

The group's tactics have become more violent in recent months. The ALPHV filed a first-of-its-kind complaint with the U.S. Securities and Exchange Commission (SEC) in November, alleging that digital lending provider MeridianLink failed to disclose "a significant breach compromising customer data and operational information," which the gang claimed responsibility for.

LockBit is Recruiting Members of ALPHV/BlackCat and NoEscape Ransomware Outfit

 

Recruiting affiliates and developers from the troubled BlackCat/ALPHV and NoEscape ransomware operations is one of the calculated steps being taken by the LockBit ransomware group. An ideal opportunity emerged for LockBit to expand its network due to the recent disruptions and exit scams within NoEscape and BlackCat/ALPHV. 

Affiliates of the NoEscape and BlackCat/ALPHV operations are in disarray due to the sudden inaccessibility of the gangs' Tor websites, as well as reports of exit scams and stolen ransom payments. While the exact cause of the disruptions is unknown, speculation includes hardware failures, internal issues, and law enforcement intervention. 

LockBitSupp, the manager of LockBit, has actively recruited affiliates on Russian-speaking hacking forums in response to the chaos surrounding BlackCat and NoEscape. LockBitSupp makes a tempting offer, stating that affiliates who have copies of stolen data can use LockBit's bargaining panel and data leak website to keep blackmailing victims. 

Additionally, LockBitSupp is trying to hire the coder who created the ALPHV encryptor. Although LockBit's relationship to the troubled ransomware gangs is still unknown, there have been reports of a victim who was BlackCat's previous target now showing up on LockBit's data leak website. 

The change emphasises how ransomware groups experience disruptions, rebranding, and sometimes even changing affiliations. The ransomware ecosystem continues to evolve, and outfits such as LockBit, by taking advantage of rival groups' weaknesses and disruptions, demonstrate the adaptability of these criminal operations.

In the ever-changing threat landscape, this situation may lead to further rebranding and restructuring, as it calls into doubt the reliability of ransomware groups such as BlackCat and NoEscape.

Europol Dismantles Ukrainian Ransomware Gang

A well-known ransomware organization operating in Ukraine has been successfully taken down by an international team under the direction of Europol, marking a major win against cybercrime. In this operation, the criminal group behind several high-profile attacks was the target of multiple raids.

The joint effort, which included law enforcement agencies from various countries, highlights the growing need for global cooperation in combating cyber threats. The dismantled group had been a prominent player in the world of ransomware, utilizing sophisticated techniques to extort individuals and organizations.

The operation comes at a crucial time, with Ukraine already facing challenges due to ongoing geopolitical tensions. Europol's involvement underscores the commitment of the international community to address cyber threats regardless of the geopolitical landscape.

One of the key events leading to the takedown was a series of coordinated raids across Ukraine. These actions, supported by Europol, aimed at disrupting the ransomware gang's infrastructure and apprehending key individuals involved in the criminal activities. The raids not only targeted the group's operational base but also sought to gather crucial evidence for further investigations.

Europol, in a statement, emphasized the significance of international collaboration in combating cybercrime. "This successful operation demonstrates the power of coordinated efforts in tackling transnational threats. Cybercriminals operate globally, and law enforcement must respond with a united front," stated the Europol representative.

The dismantled ransomware gang was reportedly using the Lockergoga ransomware variant, known for its sophisticated encryption methods and targeted attacks on high-profile victims. The group's activities had raised concerns globally, making its takedown a priority for law enforcement agencies.

In the aftermath of the operation, cybersecurity experts are optimistic about the potential impact on reducing ransomware threats. However, they also stress the importance of continued vigilance and collaboration to stay ahead of evolving cyber threats.

As the international community celebrates this successful operation, it serves as a reminder of the ongoing battle against cybercrime. The events leading to the dismantlement of the Ukrainian-based ransomware gang underscore the necessity for countries to pool their resources and expertise to protect individuals, businesses, and critical infrastructure from the ever-evolving landscape of cyber threats.

Toyota Acknowledges Security Breach After Medusa Ransomware Threatens to Leak Data

 

Toyota Financial Services (TFS) announced that unauthorised access was detected on some of its systems in Europe and Africa after the Medusa ransomware claimed responsibility for the attack. 

Toyota Financial Services, a subsidiary of Toyota Motor Corporation, is a global entity that provides auto financing to customers in 90% of the markets where Toyota sells its vehicles. 

The Medusa ransomware gang added TFS to its data leak site on the dark web earlier this week, demanding $8,000,000 to delete data allegedly stolen from the Japanese company. Toyota was given ten days by the threat actors to respond, with the option to extend for an additional $10,000 per day. 

Toyota Finance did not confirm whether data was taken in the attack, but the threat actors say they have files exfiltrated and threaten to release data if the ransom is not paid.

The hackers published sample data, such as spreadsheets, purchase invoices, agreements, passport scans, financial performance reports, internal organisation charts, hashed account passwords, cleartext user IDs and passwords, and more, as proof of the intrusion. 

The hackers also supply a .TXT file containing the file tree of all the data Medusa claims to have taken from Toyota's systems. Most of the documents are written in German, suggesting that the hackers gained access to the systems supporting Toyota's operations in Central Europe.

The Japanese automaker was contacted by BleepingComputer for a comment regarding the leaked data, and a company representative gave the following statement: 

“Toyota Financial Services Europe & Africa recently identified unauthorized activity on systems in a limited number of its locations. We took certain systems offline to investigate this activity and to reduce risk and have also begun working with law enforcement. As of now, this incident is limited to Toyota Financial Services Europe & Africa.” 

The spokesperson informed us that most countries are currently in the process of bringing their systems back online. This information pertains to the status of the affected systems and when they are expected to resume regular operations.

One more breach of Citrix Bleed?

Earlier today, in response to Medusa's claim that TFS was its victim, security analyst Kevin Beaumont pointed out that the company's German office had an internet-exposed Citrix Gateway endpoint that had not been updated since August 2023, leaving it vulnerable to the critical Citrix Bleed (CVE-2023-4966) security vulnerability. 

It was confirmed a few days ago that the hackers behind the Lockbit ransomware were breaching the Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy, and Boeing by means of publicly accessible Citrix Bleed exploits.

It is likely that additional ransomware groups have begun to use Citrix Bleed, capitalising on an extensive attack surface believed to encompass thousands of endpoints.

Sony Launches Investigation After Hackers Threaten to Sell Stolen Data on Dark Web

 

It's likely that you have seen the prominent headlines about the "Sony data breach 2023" and are wondering whether you are at risk or not. Sony, however, is likewise unaware of what is happening at the moment, but at least they have begun investigating it.

Sony has once again found itself in the crosshairs of a cyber attack, this time from the ruthless group known as 'Ransomed.vc' claiming to have successfully breached the tech giant's networks. The gang has stated its aim to sell the stolen data on the black market. 

Earlier in the week Ransomed.vc boldly claimed that it had accessed "all Sony systems" and was ready to dump the stolen data because the company was supposedly "unwilling to pay" a ransom. The group went a step further, warning that if no purchasers materialised by Thursday, September 28, they may start publicising the stolen information. 

Despite the gravity of these allegations, it is critical to recognise that they remain unverified. Ransomed.vc did provide some evidence in the form of posted files (about 6,000 in total), but this pales in comparison with the sweeping claim that they compromised "all Sony systems," including your beloved PlayStation. 

In response to these concerning developments, Sony said on September 26 that it had launched an investigation. The company's spokesperson replied, "We are currently investigating the situation, and we have no further comment at this time." 

Sony's measured response reflects the gravity of the problem and the importance of conducting an in-depth investigation into the suspected breach. 

There is still some ambiguity over the scope of the data that "Ransomed.vc" acquired access to and whether any consumer personal information has been stolen as the investigation into the Sony Data Breach 2023 progresses. The stakes are unquestionably high, and Sony will be meticulously investigating the situation and securing its networks with the assistance of cybersecurity professionals.

The current Sony cyber controversy is being closely watched across the globe. It serves as an alarming reminder of the constantly changing panorama of online risks and the crucial role that cybersecurity measures play in protecting private information in the interconnected world.

BianLian Ransomware Gang Siphons 6.8TB of Data from Save The Children

 

One of the biggest and oldest charities in the world, Save the Children, has admitted it was a victim of a ransomware attack by the BianLian operation. The attack first came to light on Monday, September 11, when details concerning the assault were posted to the gang's leak site. 

The attack was originally tracked by VX Underground and Brett Callow of Emsisoft. VX Underground declared that the gang needed "to be punched in the face," which is a statement that is difficult to dispute. 

Save the Children was not specifically mentioned at first by BianLian, who instead claimed to have struck "the world's leading non-profit organisation, employing around 25,000 staff and operating in 116 countries" with $2.8 billion in revenue. 

The charity's own boilerplate matches some of this description, but BianLian's assessment of Save the Children's financial situation seems to be wildly off; the organisation's entire revenue in 2022 was £294m. 

It claimed to have stolen 6.8TB of data, including 800GB of the charity's financial data, along with data on its human resources department, as well as individual users' personal information, including their health and medical records and email texts.

The BianLian ransomware gang is largely unknown, and although its name refers to a type of Chinese opera from Sichuan Province, it is far more likely that the group is a Russian-speaking one. It was one of many crews that appeared during 2022, ascending around the same time as groups like Black Basta, Hive, and Alphv/BlackCat and establishing themselves as a successful criminal organisation. 

It joined the group of ransomware groups that, as of 2023, have shifted away from encrypting the data of their victims and instead prefer to just grab it and demand payment in exchange for a promise not to disclose it. 

The US Cybersecurity and Infrastructure Security Agency (CISA) claims that BianLian generally uses legitimate Remote Desktop Protocol (RDP) credentials to access its victims' systems and makes use of a number of open source tools and command-line scripting for credential harvesting. 

It uses a variety of techniques to steal data, most commonly File Transfer Protocol (FTP) and legitimate cloud storage and file transfer tools such as Rclone and Mega. It makes a show of printing its ransom note on printers on victims' networks to put pressure on them, and staff of victimised companies have reported receiving threatening phone calls from individuals posing as group members.

MOVEit Attacks Makes Clop the Most-active Ransomware Threat Actor This Summer


According to numerous threat intelligence reports, Clop was responsible for about one-third of ransomware attacks this July, making the financially motivated threat actor the most active ransomware threat actor this summer.

The ransomware gang’s mass exploit of a zero-day vulnerability in the MOVEit file transfer service has now made it to the top of the ransomware threat actor hierarchy.

Emsisoft and KonBriefing Research tracked Clop's activities, noting that so far the threat actor has compromised more than 730 organizations in the course of its campaign.

In July, Clop was responsible for 171 of the 502 ransomware attacks reported by NCC Group, the firm confirmed. NCC Group added that Clop's actions are most likely to blame for a 16% overall rise in ransomware attacks from the preceding month. NCC and Flashpoint further noted that Clop was behind at least twice as many attacks as Lockbit, its next-closest rival, in ransomware activity in July.

“Many organizations are still contending with the impact of Clop’s MOVEit attack, which goes to show just how far-reaching and long-lasting ransomware attacks can be — no organization or individual is safe[…]This campaign is particularly significant given that Clop has been able to extort hundreds of organizations by compromising one environment,” Matt Hull, global head of threat intelligence at NCC Group, said in a statement. “Not only do you need to be vigilant in protecting your own environment, but you must also pay close attention to the security protocols of the organizations you work with as part of your supply chain,” Hull said.

These instances indicate that the impact of Clop's attacks on companies in highly sensitive and regulated industries is enormous, as is the potential exposure. It is still not clear how many victims are actually downstream. 

Other examples of Clop's activity include Colorado State University, which was hit six times, in six different ways. The ransomware gang's targets also include three of the big four accounting firms – Deloitte, Ernst & Young and PwC – putting their sensitive customer data at high risk.  

LockBit Attack: Ransomware Gang Threatens to Leak Cancer Patients’ Medical Data


LockBit ransomware group recently revealed its intent to leak private medical data of cancer patients, stolen in the breach on Varian Medical Systems.

Varian, a subsidiary of Siemens Healthineers, provides software for oncology department applications and specializes in therapeutic and diagnostic oncology services. The California-based corporation had more than 10,000 employees as of 2021 and an annual profit of £269 million. 

While it is still unclear how LockBit got access to Varian's systems or how much data was stolen, the ransomware gang warned readers of its "victim blog" that if the company did not meet its demands within two weeks, its private databases and patient medical data would be made public. Varian apparently has until 17 August to meet the negotiation demands and recover its stolen data if it wishes to prevent ‘all databases and patient data’ from being exposed on LockBit’s blog. 

The attack is most likely to be a part of ‘triple extortion,’ a strategy usually used by ransomware actors. The strategy involves a three-part attack on an organization that starts with the theft of data that appears to be sensitive before it is encrypted. The corporate victim of the breach can only get their data back and keep it private if they pay a ransom, following which they will receive – in theory – a decryption key from the hackers. 

Regarding the breach, Siemens Healthineers, Varian's parent company, confirmed that an internal investigation is ongoing. However, it did not provide any further details of the breach. 

“Siemens Healthineers is aware that a segment of our business is allegedly affected by the Lockbit ransomware group[…]Cybersecurity is of utmost importance to Siemens Healthineers, and we are making every effort to continually improve our security and data privacy,” said a spokesperson.

Growing Cases of LockBit

Recent months have witnessed a good many cyberattacks conducted by LockBit against major companies. According to a report by the US Cybersecurity and Infrastructure Security Agency, the ransomware gang had already targeted 1,653 companies in the first quarter of 2023. They frequently repurposed freeware and open-source tools for network reconnaissance, remote access, tunnelling, credential dumping, and file exfiltration. 

Recent LockBit targets include the port of Nagoya, where the attack froze supply chains for Japanese automaker Toyota; SpaceX, from which the gang claims to have taken 3,000 proprietary schematics; and Taiwanese chip maker TSMC, from which it attempted to extort $70 million.  

BlackCat Attackers Target Italian Asset Manager Azimut


Azimut Group, an Italian asset management firm that oversees over $87.2 billion in assets, declared in a public statement that it will "not comply by any means" with a ransomware demand from the notorious hacking organisation BlackCat. 

Israeli hacking-monitoring start-up DarkFeed said the same ransomware group had in September stolen large amounts of data from state-owned Italian energy services firm GSE. DarkFeed revealed on its website that Azimut was one of BlackCat's 477 victims on July 21. Azimut did not immediately respond. 

BlackCat, also known as ALPHV, first appeared in late 2021 and is notorious for carrying out sophisticated assaults on a number of firms in the United States and Europe. 

"The attack did not affect data or information that might allow access to the personal position of clients and financial advisors or the execution of unauthorised transactions," Azimut said in a press release. 

Palo Alto Networks, a cybersecurity firm based in California, also confirmed that BlackCat was behind the hack. 

According to the firm, Azimut was one of 23 enterprises targeted in July alone. The hackers claimed to have taken more than 500 GB of private data from Azimut. 

Security experts at Unit 42 claimed that BlackCat is the second most active multi-extortion ransomware organisation behind LockBit, based on leak site tracking. 

"We've seen a wide range of industries [as targets], including law firms, engineering firms, health care systems, manufacturing, and more," the researchers stated.

Azimut, which handles 85 billion euros in assets, nearly half of which are in Italy, said it discovered unauthorised access to its IT systems during its routine monitoring activity. 

It had notified the appropriate authorities and had implemented an internal safety procedure that "successfully limited the impact of the criminal action," the company added.

TSMC Cyberattack: LockBit Demands a Ransom of $70m


Taiwan Semiconductor Manufacturing Company (TSMC) has blamed one of its equipment suppliers for a LockBit breach that has appeared on the gang’s dark web victim blog. The ransomware gang has reportedly demanded a $70 million ransom. Without disclosing the type of data stolen, the corporation named the affected third-party supplier as Kinmax Technology, a system integrator with offices in Taiwan.

TSMC said in a statement: "TSMC has recently been aware that one of our IT hardware suppliers experienced a cybersecurity incident, which led to the leak of information pertinent to server initial setup and configuration." The company confirmed that no customer data had been exposed in the breach.

“After the incident, TSMC has immediately terminated its data exchange with this concerned supplier in accordance with the company’s security protocols and standard operating procedures,” the statement added.

A LockBit affiliate, National Hazard Agency, shared screenshots of directory listings of stolen TSMC files on the gang's leak site on Thursday and gave TSMC a deadline of August 6 to pay the ransom. However, the gang has not revealed how much data it stole from the company.

The blog also offered the company the option to extend the deadline by 24 hours for $5,000, or to have all stolen content deleted, or downloaded immediately, for $70 million.

Kinmax Issues an Apology

Kinmax Technology specialises in networking, cloud computing, storage, security and database management. The company says it experienced a breach on 29 June, stating that an “internal specific testing environment was attacked, and some information was leaked.” The leaked information included “system installation preparation that the company provided to our customers,” Kinmax said.

LockBit Emerges Again

LockBit is a Russian ransomware gang that first came to light in 2019. As of the first quarter of 2023, it had a total of 1,653 alleged victims, according to a report released by the US cybersecurity agency CISA.

According to the report, since its first known attack in January 2020, the cybercrime group has gathered nearly $91m in ransoms from US victims.

LockBit has also been behind a number of high-profile cyberattacks in the UK. This year, the gang was responsible for the widely reported Royal Mail attack, in which it demanded a ransom of $80m in Bitcoin. The company did not pay, calling the demand “ridiculous.” The gang responded by publishing the data online, along with copies of the negotiations between LockBit and Royal Mail representatives.

The ransomware gang was also responsible for stealing data from WH Smith, a high-end retailer in the UK. The attack targeted the personal information of current and former employees. Since then, there has been no information indicating whether the business paid the ransom.

Clop Attacks: Ransomware Group Reveals Names of the MOVEit Zero-Day Attack Victims


The Clop ransomware group has revealed the names of more than two dozen organizations that were apparently attacked in its campaign exploiting a zero-day vulnerability in the MOVEit managed file transfer (MFT) software.

The ransomware group exploited the MOVEit Transfer vulnerability, CVE-2023-34362, to steal data from firms that had been using the product. Although some evidence indicates that the hackers tested the vulnerability as early as 2021, broad exploitation appears to have begun in late May 2023.

The attacks were quickly linked to the Clop group, which had earlier exploited a zero-day in the GoAnywhere MFT product to steal data from several firms. The perpetrators of the MOVEit zero-day campaign have acknowledged their involvement and have given victims until June 14 to contact them in order to stop the release of data taken from their systems. They say they have struck hundreds of targets.

The victims include energy giant Shell, as well as firms from the financial, healthcare, manufacturing, IT, pharmaceutical, and education sectors. A large share of the victims are US-based banks and other financial institutions, followed by healthcare organizations. After the breach was discovered, the hackers declared they would not target pediatric healthcare facilities.

The first known victims of the attacks included UK-based payroll and HR company Zellis (and its clients British Airways, Aer Lingus, the BBC, and Boots), the Canadian province of Nova Scotia, the University of Rochester, the Illinois Department of Innovation & Technology (DoIT), and the Minnesota Department of Education (MDE).

So far, the group has not leaked any data stolen from these organizations.

The number of businesses that have reported being impacted keeps expanding. In recent days, statements about the incident have been released by Johns Hopkins University and Johns Hopkins Health System, UK media authority Ofcom, and a Missouri state agency.

Moreover, in a report published on Thursday, CNN noted that a number of US federal government organizations were also impacted by the attacks, according to Eric Goldstein, executive director for CISA. These agencies include the Department of Energy, which is now working to contain the impact of the attack.

However, the ransomware gang claims that its prime motive behind these attacks is to obtain ransoms from businesses, and says that all government-related data it may have acquired in the attacks has been deleted.

Royal Ransomware Gang adds BlackSuit Encryptor to their Arsenal

A new encryptor named BlackSuit is currently being tested by the notorious Royal ransomware gang. This encryptor bears striking resemblances to their customary encryption tool, suggesting it may be an evolved version or a closely related variant. 

In January 2023, the Royal ransomware gang emerged as the direct successor to the infamous Conti operation, which ceased its activities in June 2022. This private ransomware group consists of skilled pentesters and affiliates hailing from 'Conti Team 1,' as well as individuals recruited from various other ransomware gangs that target enterprises. 

Since its inception, Royal Ransomware has quickly gained notoriety as one of the most active and prolific operations, carrying out numerous high-profile attacks on enterprises. Furthermore, starting from late April, there have been growing indications that the Royal ransomware operation has been contemplating a rebranding effort under a fresh identity. 

This notion gained significant momentum when the group encountered intensified scrutiny from law enforcement following its attack on the City of Dallas, Texas. Feeling the mounting pressure from authorities, the ransomware group has seemingly considered adopting a new name, potentially as part of a strategy to evade detection and the repercussions of its illicit activities. 

In May, a distinct ransomware operation known as BlackSuit emerged, employing its unique encryptor and Tor negotiation sites. Speculation arose suggesting that this could be the rebranded version of the Royal ransomware group as initially anticipated. However, contrary to expectations, the Royal ransomware gang has not undergone a rebranding process and continues its active assault on enterprise targets. 

While BlackSuit has been employed in a limited number of attacks, the overall identity and operations of the Royal ransomware group remain unchanged. The notion of a rebranding for the Royal ransomware group appears to have lost its viability, given the recent findings presented in a report by Trend Micro. 

The report highlights significant resemblances between the encryptors used by BlackSuit and the Royal Ransomware, rendering it challenging to persuade anyone that they are distinct and unrelated entities. Consequently, attempting to present themselves as a new ransomware operation would likely face considerable skepticism due to these noticeable similarities. 

The resemblances between BlackSuit and Royal Ransomware go beyond surface-level similarities. In-depth analysis, as outlined in the Trend Micro report, reveals a range of shared characteristics. These include similarities in command line arguments, code structures, file exclusion patterns, and even intermittent encryption techniques. 

Such consistent parallels across various aspects make it increasingly difficult to present BlackSuit as a genuinely distinct ransomware operation separate from the Royal group. These findings strongly suggest a strong connection or shared origin between the two entities.

Kyocera AVX: Electronics Manufacturer Is the Latest Target of LockBit


Kyocera AVX, a global electronics manufacturer, has apparently suffered a data breach, with its data exposed by the ransomware gang LockBit on its dark web blog. The company was one of several that felt the aftershocks of a breach at Japanese tech firm Fujitsu last year.

The group has set a June 9 deadline for the payment of an undetermined ransom. According to the blog, "all available data will be published" if the company does not collaborate with the cybercriminals before then.

Kyocera AVX

Kyocera AVX manufactures electronic components for clients in the military, industrial and automotive sectors. It was established in the 1970s and has been part of Kyocera, a Japanese electronics business best known for its printers, since 1990. It employs over 10,000 people worldwide.

On May 26, security researchers revealed that selected company data had been leaked and posted to LockBit’s dark web victim blog.

The company’s data was apparently compromised following a cyberattack on Fujitsu last year. That attack may have enabled LockBit to mount a supply chain attack, via further intrusions or social engineering, on Kyocera AVX and other companies partnered with Fujitsu.

According to a Financial Times report, Fujitsu confirmed the attacks in December following a tip-off from a police agency about a potential intrusion. The intrusion gave outsiders access to emails sent through an email system operated by Fujitsu.

It was later revealed that at least ten Japan-based companies, including Kyocera AVX, were victims of the attack.

LockBit Continues Cyber Activities Against Russia’s Enemies 

Ransomware gang LockBit, which is believed to have originated in Russia, has been in the news for its focus on targeting organizations based in the US and allied countries. 

According to a report by security firm Malwarebytes, 126 victims have been posted by the ransomware gang in February alone.

This year, the gang targeted the UK's Royal Mail, demanding a ransom of $80 million in bitcoin. When the business refused to pay, labeling the demand "ridiculous," the gang retaliated by publishing the stolen data along with copies of the conversations between LockBit and Royal Mail's officials.

Later, it stole data from WH Smith, a high street retailer in the UK, targeting the personal information of current and former employees. Since then, there has been no information indicating whether the business paid the ransom.

In the most recent development, this month the FBI placed a $10 million bounty on Mikhail Pavlovich Matveev, an individual who claims to have been involved with LockBit. With connections to both the Hive and Babuk operations, Matveev is believed to be a major participant in the Russian ransomware ecosystem.  

Iranian Attackers Employ Novel Moneybird Ransomware to Target Israeli Organizations


A new ransomware variant called "Moneybird" is currently being used by the threat actor "Agrius," which is thought to be funded by the Iranian government, to target Israeli organisations.

Since at least 2021, Agrius has been using various identities to deliberately target organisations in Israel and the Middle East while using data wipers in disruptive attacks. 

Researchers from Check Point who found the new ransomware strain believe that Agrius created it to aid in the growth of their activities, and that the threat group's use of "Moneybird" is just another effort to hide their footprints.

Modus operandi

According to Check Point researchers, the threat actors first gain access to corporate networks by exploiting flaws in public-facing servers, giving Agrius its initial foothold. 

The hackers then hide behind Israeli ProtonVPN nodes to deploy ASPXSpy webshell variants concealed inside "Certificate" text files, a technique Agrius has used in the past. 

After deploying the webshells, the attackers use open-source tools to move laterally, communicate securely using Plink/PuTTY, steal credentials using ProcDump, and exfiltrate data using FileZilla. The toolset includes SoftPerfect Network Scanner, Plink/PuTTY, ProcDump, and FileZilla.

The Moneybird ransomware executable is obtained by Agrius in the subsequent stage of the attack through reliable file hosting services like 'ufile.io' and 'easyupload.io.'

The C++ ransomware strain encrypts target files using AES-256 in GCM (Galois/Counter Mode), generating a distinct encryption key for each file and appending encrypted metadata to the end of each file. Encryption begins immediately after the executable is launched.

In the instances observed by Check Point, the ransomware only targeted "F:\User Shares," a typical shared folder on business networks used to hold company records, databases, and other collaboration material.

This focused targeting suggests that Moneybird is more interested in disrupting business than in locking down the affected machines. 

Since the private keys used to encrypt each file are produced using information from the system GUID, file content, file path, and random integers, Check Point argues that data restoration and file decryption would be incredibly difficult.

Following the encryption, ransom notes are left on the affected systems, advising the victim to click the provided link within 24 hours for instructions on data recovery. 

"Hello WE ARE MONEYBIRD! All of your data encrypted! If u want you to restore them follow this link with in 24H," reads the Moneybird ransom note. 

Moneybird is thought to be ransomware, not a wiper, in contrast to earlier assaults connected to Agrius, and it is intended to generate money to support the threat actors' nefarious activities. 

However, in the case observed by Check Point Research, the ransom demand was so high that it was understood from the outset that payment was unlikely, effectively rendering the attack destructive. 

"Yes negotiations could be possible but the demand was extremely high, which leads us to believe that it’s part of the trick. They knew no one would pay so the damage and data leaked was expected. It was not a wiper," stated Eli Smadga, Research Group Manager at Check Point Research.

An easy-to-use but powerful ransomware 

According to Check Point, Moneybird depends on an embedded configuration blob rather than command-line parsing, which would enable victim-specific customizations and increased deployment flexibility.

Because the ransomware's behaviour parameters are pre-defined and difficult to customise for each target or situation, the strain is inappropriate for mass marketing efforts. 

But for Agrius, Moneybird remains a powerful instrument for business disruption, and future advancements that result in the release of newer, more powerful versions may make it a serious danger to a wider variety of Israeli organisations.

Backups can be Quicker and Less Expensive than Paying the Ransom


Ransomware operators want to spend as little time as possible within your systems, which means the encryption they use is shoddy and frequently corrupts your data. 

As a result, paying ransoms is typically more expensive than simply refusing to pay and restoring from your own backups. That is the perspective of Richard Addiscott, a senior director analyst at Gartner. 

"They encrypt at an extremely fast rate," he said on Monday at the firm's IT Infrastructure, Operations, and Cloud Strategies Conference 2023 in Sydney. "They encrypt faster than you can run a directory listing."

As a result, ransomware authors use sloppy encryption and end up corrupting some of the data they later try to sell back to you. Even if operators deliver all the data they claim to hold, Addiscott said, restoring from corrupt data dumps supplied by criminals is not simple. And many operators don't deliver everything; instead, they open a new round of negotiations over the price of releasing more. 

According to him, just 4% of ransomware victims manage to get all of their data back, and only 61% retrieve any data at all. Additionally, the average disruption to a victim's business is 25 days. 

Addiscott proposed that organisations design and practise ransomware recovery playbooks to shorten that period. Securing funding to prepare for a speedy post-ransomware recovery requires framing the risk in business terms rather than IT terms. 

According to Addiscott, the themes most likely to loosen the purse strings are revenue protection, risk reduction, and cost control. He shook his head, though, as he recalled instances in which business leaders quickly authorised enormous ransom payments that dwarfed the investments they had earlier denied, investments that might have made the payments unnecessary. 

He advised thorough preparation because ransomware crooks have found one technique to speed up stalled payment negotiations: hitting their victims with a DDoS attack, so that they are fighting two fires at once and are therefore willing to pay to make at least one problem go away. 

Ransomware operators also like to double-dip by demanding payment from the organisations whose data they have stolen, then mining that data to locate new targets. Addiscott mentioned an attack on a healthcare provider in which clients were told to pay or have their medical records revealed. 

Customers identified in stolen data may also be approached and urged to tell the breached supplier to pay up, to reduce the risk of their data being disclosed. Immutable backups and an isolated recovery environment, according to Addiscott, are a good combination of defences. 

However, he also stated that the people behind ransomware are brilliant, vicious, inventive, and relentless, so they will find new and even more nefarious ways to strike. 

The analyst did have one piece of good news: there was a 21% decrease in ransomware attacks in 2022 compared to 2021. He hypothesised that the decline was caused by sanctions making it more difficult for Russia-based ransomware groups to operate.

VMware ESXi Ransomware on the Rise Due to Leaked Babuk Code


Security experts say they have discovered ten distinct ransomware families that have recently diverged from Babuk, a ransomware strain whose source code was leaked online in 2021. 

Experts in the field have long warned that hackers have for years been using leaked source code from well-known ransomware groups such as LockBit, Conti, and REvil. SentinelLabs said in research published on Thursday that about a dozen groups have created their own malware based on Babuk.

The Babuk Locker ransomware builder was made publicly available online in June 2021, making it simple for any would-be criminal organisation to enter the ransomware market with little to no development work. 

Hackers are drawn to the Babuk Locker "builder" because it allows them to make unique variations of the Linux-based Babuk Locker ransomware that can be used to attack the common ESXi servers used by big organisations and corporations.

“Over the past two years, organized ransomware groups adopted Linux lockers, including ALPHV, Black Basta, Conti, Lockbit, and REvil,” SentinelLabs’ Alex Delamotte stated. “These groups focus on ESXi before other Linux variants, leveraging built-in tools for the ESXi hypervisor to kill guest machines, then encrypt crucial hypervisor files.” 

According to Delamotte, the ten versions they found appeared in the second half of 2022 and the first part of 2023, indicating "an increasing trend of Babuk source code adoption." 

SentinelLabs discovered connections between the leaked Babuk source code and the ESXi lockers of numerous well-known ransomware organisations, including Conti, REvil, Play, and Ransom House, all of which have been linked to some of the most damaging intrusions of the past two years.

In order to create ESXi lockers for themselves, smaller ransomware organisations have adopted the Babuk source code. 

To compare the variants against the Babuk code available online, SentinelLabs built what it called a "baseline" Babuk. Among the many connections it found were similarities in how the malware encrypted files and in the code itself. 

The researchers also noted that Babuk and ESXiArgs, which raised concerns in February after more than 3,800 organisations in the US, France, and Italy were attacked, had hardly any similarities. At the time, some wrongly blamed Babuk for the series of attacks that targeted Rice University, the Georgia Institute of Technology, and the Supreme Court of Florida.