
DragonForce Ransomware Gang Prompts Ohio Lottery to Shut Down


On 25 December 2023, the Ohio Lottery suffered a major cyberattack; as a result, it had to shut down some crucial systems related to an undisclosed internal application.

The threat actors behind the breach are the DragonForce ransomware group. 

While the investigation into the breach is ongoing, the lottery has told its customers that its gaming system remains operational, although some services have been affected. At Super Retailers, prize cashing above $599 and mobile cashing are temporarily unavailable.

The winning numbers for the KENO, Lucky One, and EZPLAY Progressive Jackpots can be found at any Ohio Lottery Retailer; they are unavailable on the internet or mobile app.

In its press release, the lottery states: "On December 24, 2023, the Ohio Lottery experienced a cybersecurity incident impacting some of its internal applications and immediately began work to mitigate the issue. The state's internal investigation is ongoing. We apologize for the inconvenience and are working as quickly as possible to restore all services."

What Must Customers Do?

The lottery has asked customers to check the Ohio Lottery website and mobile app for winning numbers at this time. WKYC reports that prizes up to $599 can be claimed at any Ohio Lottery Retailer, while prizes over $600 must be claimed by mail to the Ohio Lottery Central Office or through the online claim form.

Ransomware Gang Claims Responsibility

While Ohio Lottery did not confirm who was behind the cyberattack, a ransomware group called DragonForce claimed responsibility. 

According to a report by BleepingComputer, the threat group claims to have encrypted devices and accessed sensitive data such as the Social Security numbers and dates of birth of affected customers.

According to the DragonForce gang, the stolen data includes the names, addresses, emails, winning amounts, Social Security numbers, and dates of birth of over 3,000,000 lottery customers. The size of the released data, more than 600 gigabytes, raises questions about the scope of the breach.

DragonForce: A New Competitor in the Ransomware Arena

Although DragonForce is a relatively young ransomware gang, its methods and data leak website suggest a rather experienced extortion operation. As law enforcement steps up its efforts to combat ransomware, new groups like DragonForce keep appearing, which raises the question of rebranding within the threat landscape.

In a similar case, the official Facebook page of the Philippines lottery system was recently hijacked by unknown attackers. Witnesses reported that the attackers were spamming the page with nude photos. This prompted the Philippine Charity Sweepstakes Office (PCSO) to shut down the page for the time being, while the Cybercrime Investigation and Coordinating Center (CICC) conducts its investigation.

Seoul Police Reveals: North Korean Hackers Stole South Korean Anti-Aircraft Data


South Korea: Seoul police have charged Andariel, a North Korea-based hacker group, with stealing critical defense secrets from South Korean defense companies. The ransom proceeds were allegedly laundered and redirected to North Korea. Among the 1.2 terabytes of data the hackers took was information on sophisticated anti-aircraft weaponry.

According to the Seoul Metropolitan Police Agency, the hacker group used servers rented from a domestic server rental company to break into dozens of South Korean organizations, including defense companies. The group also collected ransoms from a number of private-sector victims.

Earlier this year, the law enforcement agency and the FBI jointly conducted an investigation to determine the scope of Andariel's hacking operations. This was prompted by reports from certain South Korean corporations regarding security problems that were believed to be the result of "a decline in corporate trust." 

Andariel Hacker Group 

In an investigation regarding the origin of Andariel, it was found that it is a subgroup of the Lazarus Group. The group has stolen up to 1.2 terabytes of data from South Korean enterprises and demanded 470 million won ($357,000) in Bitcoin as ransom from three domestic and international organizations.  

A study by Mandiant found that Andariel is operated by the North Korean intelligence organization Reconnaissance General Bureau, which gathers intelligence for the regime's benefit by mainly targeting international enterprises, government organizations, defense companies, and financial services infrastructure.

The group also engages in financially motivated cybercrime to fund its operations, using purpose-built tools such as the Maui ransomware and DTrack malware against global businesses. In February, South Korea imposed sanctions on Andariel and other North Korean hacking groups for conducting illicit cyber operations to fund the regime's nuclear and missile development programs.

The threat actor has used a number of domestic and foreign crypto exchanges, such as Bithumb and Binance, to launder the ransom proceeds. So far, a sum of 630,000 yuan ($89,000) has been transferred to China's K Bank in Liaoning Province. The hackers then moved the laundered money from the K Bank branch to a location close to the North Korea-China border.

Seoul police said they have seized the domestic servers and the virtual asset exchange account used by Andariel in its campaigns. The owner of the account used to transfer the ransom has also been detained.

"The Security Investigation Support Department of the Seoul Metropolitan Police Agency is actively conducting joint investigations with related agencies such as the U.S. FBI regarding the overseas attacks, victims and people involved in this incident, while continuing to investigate additional cases of damage and the possibility of similar hacking attempts," the agency said.

The police have warned businesses about the threat actor and advised them to strengthen their cybersecurity and update security software to the latest versions. Organizations have also been advised to encrypt critical data to mitigate future attacks.

Moreover, police plan to inspect server rental companies to verify their subscribers' identities and to ensure that their servers are not being used for cybercrime.

FBI and CISA Reveal: 'Royal' Ransomware Group Targeted 350 Victims for $275 Million


In a joint advisory, the FBI and CISA have revealed that the 'Royal' ransomware gang has targeted nearly 350 organizations globally since 2022.

Updating the original advisory published in March with information gathered during the FBI's investigation, the agencies noted that the ransomware campaign was linked to ransom demands totalling more than $275 million.

"Since September 2022, Royal has targeted over 350 known victims worldwide and ransomware demands have exceeded 275 million USD," the advisory reads.

"Royal conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by Royal threat actors."

In March, the two agencies shared initial indicators of compromise, along with a list of tactics, techniques, and procedures (TTPs), to help defenders identify and block attempts to deploy Royal ransomware payloads on their networks.

The Department of Health and Human Services (HHS) security team found in December 2022 that the ransomware operation was responsible for several attacks against U.S. healthcare organizations, which led to the release of the joint advisory.

Royal to BlackSuit

The advisory update also states that BlackSuit ransomware shares several coding traits with Royal, suggesting that Royal may be planning a rebrand and/or a spinoff variant.

Although the Royal ransomware operation was expected to rebrand in May, when the BlackSuit ransomware operation emerged, the rebranding did not happen at that time.

According to a report published by BleepingComputer in June, the Royal ransomware gang was apparently testing a new BlackSuit encryptor similar to the operation's conventional encryptor.

At the time, Yelisey Bohuslavskiy, Partner and Head of Research and Development at RedSense, believed that this experiment had not gone well.

Since then, however, Royal has rebranded into BlackSuit and restructured into a more centralized business, following the same blueprint as Team 2 (Conti2) when it was part of the Conti syndicate.

"In September 2023, Royal accomplished a full rebrand into BlackSuit, most likely entirely dismantling their Royal infrastructure. Moreover, according to the primary source intel, Royal has also accomplished a broader reorganization during the rebrand, making the group structure more corporate and more similar to their Conti2 origins," said Yelisey Bohuslavskiy.  

Time Taken by Ransomware to Infect Systems Sees a Significant Drop


The time it takes a threat actor to fully infect a targeted system with ransomware has decreased significantly over the past 12 months.

According to a report published by The Register, the average dwell time, the interval between the start of an attack and the deployment of ransomware, was 5.5 days in 2021 and 4.5 days in 2022. Last year the dwell time was under 24 hours, and this year it is shorter still. In 10% of cases, ransomware was deployed within five hours of initial access, according to Secureworks' annual State of the Threat Report.

Notably, the cybersecurity industry has become much better at spotting the activity that precedes a ransomware outbreak, which is one of the factors behind this dramatic decrease in infection time. Because of this, Secureworks explains, "threat actors are focusing on simpler and quicker to implement operations, rather than big, multi-site enterprise-wide encryption events that are significantly more complex."

This year has also seen a considerable increase in the number of ransomware victims and data leaks, driven by the emergence of "several new and very active threat groups." Attacks are therefore occurring more frequently and in greater numbers.

Ransomware groups now mainly rely on three vectors to infect targeted systems: scan-and-exploit, which looks for exploitable flaws in exposed systems; stolen credentials; and phishing emails that trick people into quickly giving attackers access to protected systems.

Sony is one of the most recent high-profile victims of a ransomware gang, but the company has not yet revealed the extent to which its systems were affected or data was stolen. Another recent ransomware attack hit a Danish cloud-hosting company and compromised most of its customers' data. Furthermore, the LockBit ransomware gang stole data on 8.9 million dental insurance customers earlier this year.

On a more positive note, the FBI was able to take down the notorious Qakbot botnet, which controlled 700,000 compromised machines and was used in numerous ransomware attacks.

Threat Actor Releases HelloKitty Ransomware Source Code on Hacking Forum

A threat actor recently posted the entire source code for the first version of the HelloKitty ransomware on a Russian-language hacking forum, while claiming to be working on a new, more potent encryptor.

Security researcher 3xp0rt first noticed the leak when he saw the threat actor kapuchin0 distributing the "first branch" of the HelloKitty ransomware encryptor.

While the source code was released under the username kapuchin0, the threat actor has also been seen using the alias 'Gookee.'

Security researchers have previously linked Gookee to malware and hacking activity: an attempt to gain access to Sony Network Japan in 2020, a Ransomware-as-a-Service (RaaS) operation dubbed 'Gookee Ransomware,' and the sale of malware source code on an underground forum.

According to 3xp0rt, kapuchin0/Gookee is the developer of the HelloKitty ransomware and claims to be developing "a new product and much more interesting than Lockbit."

The leaked hellokitty.zip archive includes the HelloKitty encryptor and decryptor, as well as the NTRUEncrypt library that this variant of the ransomware uses to encrypt files, all built as a Microsoft Visual Studio solution.

Furthermore, ransomware expert Michael Gillespie has confirmed that the leaked code is in fact the real source code for HelloKitty, as used when the ransomware operation launched in 2020.

What is HelloKitty Ransomware Operation?

HelloKitty is a human-operated ransomware operation that first came to light in November 2020 after its victims posted about it on the BleepingComputer forums. The FBI later released a Private Industry Notification (PIN) on the group in January 2021.

The ransomware group is known for breaching corporate networks, stealing data, and encrypting systems. In this double-extortion scheme, both the encrypted files and the stolen data are used as leverage, with the threat actors threatening to release the data if a ransom is not paid.

HelloKitty is known for a number of attacks and has also been used by other ransomware operations. One of the most high-profile attacks conducted with HelloKitty was the one on CD Projekt Red in February 2021. During this attack the threat actors claimed to have stolen the source code for Cyberpunk 2077, Witcher 3, Gwent, and other games, which they later said had been sold.

RansomedVC: Ransomware Group Claims to Have Breached Sony's Computer Systems


A newly discovered ransomware group, RansomedVC, has announced that it compromised the computer systems of entertainment giant Sony. The announcement was made on a dark web portal.

The announcement states that Sony’s data is for sale: “Sony Group Corporation, formerly Tokyo Telecommunications Engineering Corporation, and Sony Corporation, is a Japanese multinational conglomerate corporation headquartered in Minato, Tokyo, Japan.

"We have successfully compromised [sic] all of Sony systems. We won't ransom them! we will sell the data. due to Sony not wanting to pay. DATA IS FOR SALE.”

Since Sony has not yet commented on the claim, it may still be false or, perhaps more likely, exaggerated.

However, if RansomedVC's claims are true, Sony seems to have not yet caved to their demands.

If it confirms the breach, Sony will join a rather long list of game and entertainment companies that have had data stolen or ransomed. Because of the high value and high visibility of their intellectual property, gaming companies are frequent targets for theft and extortion.

Capcom and Ubisoft were notable victims in 2020, and CD PROJEKT RED, the company behind Cyberpunk 2077 and Witcher 3, was a victim in 2021, the same year that Electronic Arts had its source code for FIFA 21 stolen. In 2022, Rockstar Games suffered a significant breach by the short-lived Lapsus$ gang, while Bandai Namco came under a ransomware attack.

If the claims are true, Sony's customers must take measures to safeguard their data. While information on the matter is still vague, here are specific measures for any organization facing a data breach or potential ransomware attack:

  • Block potential entry points: Establish a strategy for swiftly patching internet-facing system vulnerabilities; disable or harden VPNs and RDP remote access; and use endpoint security software to identify the malware and exploits that spread ransomware.
  • Detect intrusions: By segmenting networks and carefully allocating access privileges, you can make it harder for intruders to operate inside your organization. Use MDR or EDR to spot anomalous activity before an attack happens.
  • Install endpoint detection and response software: Malwarebytes EDR, for example, can detect ransomware using a variety of detection methods and perform ransomware rollbacks to restore affected data.
  • Create offsite and offline backups.

About RansomedVC

RansomedVC first came to the attention of Malwarebytes researchers in August 2023, by which time the group had listed details of nine victims on its dark web site. Its only deviation from the typical cut-and-paste criminality of ransomware gangs is its threat to report victims for General Data Protection Regulation (GDPR) violations. The group calls this a "digital tax for peace," which it obviously is not. This has been said multiple times before, and each time it is merely a money grab.

Shell Confirms MOVEit-based Hack After the Threat Group Leaks Data


The Cl0p ransomware gang has exploited a zero-day vulnerability in the MOVEit managed file transfer (MFT) product, acquiring data from at least 130 companies that had been using the solution. At least 15 million people are thought to have been affected so far.

Cl0p, the Russia-based cybercrime gang, has now started to expose victim organizations that refused to negotiate with it. The victims' names are being posted on its leak website, with Shell being the first company revealed.

Following the leak, Shell confirmed being affected by the MOVEit attack. In a statement published on Wednesday, the company clarified that the MFT software was “used by a small number of Shell employees and customers.”

“Some personal information relating to employees of the BG Group has been accessed without authorization,” it added.

Shell confirmed the incident only after the Cl0p hacking gang published files allegedly taken from the company. The fact that the group released 23 archive files labelled "part1" may indicate that it has access to more data.

Following this disclosure, the ransomware gang added that it did so because the company refused to negotiate.

However, it is not yet clear exactly what information has been compromised, although the firm confirmed that it has informed the affected individuals.

Moreover, toll-free phone numbers have been made available to employees in Malaysia, South Africa, Singapore, the Philippines, the UK, Canada, Australia, Oman, Indonesia, Kazakhstan, and the Netherlands, which indicates that the affected individuals are most likely from these countries.

Since no file-encrypting malware was used in the attack, Shell noted that "this was not a ransomware event" and that there is no evidence that any other IT systems were impacted.

It is worth mentioning that this is not the first time Shell has been targeted by the Cl0p group: in 2020 the threat actors targeted the company's Accellion file transfer service, and the company noted that during that incident the attackers stole personal and corporate data.

Other notable companies affected by the latest MOVEit exploit include Siemens Energy, Schneider Electric, UCLA, and EY.

Some government organizations have also confirmed that they were impacted by the attack, while the ransomware group claims to have deleted all the data acquired from such entities.

8Base Ransomware: Researchers Raise Concerns Over its Increased Activities


The 8Base ransomware group has maintained a covert presence, avoiding detection for over a year. However, a recent investigation into the ransomware revealed a significant rise in its operations during May and June. The group has been active since at least March 2022 and labels itself as "simple pentesters," indicating a basic level of proficiency in penetration testing.

Details of the 8Base

According to research by Malwarebytes and NCC Group, as of May the ransomware group may have been linked to a total of 67 attacks. Around half of the affected firms are in the manufacturing, construction, and business services industries. The targeted firms are primarily located in the United States and Brazil, indicating a geographic focus by the threat group.

June saw a significant surge in ransomware activity. Notably, the offenders used a double extortion tactic, raising the stakes for their victims.

A list of 35 identified victims has so far appeared on the 8Base-affiliated dark web extortion site. On some days, as many as six companies at once have been listed as victims of the ransomware operators.

According to the VMware Carbon Black team, based on its recent activity and the similarity of its ransom notes and leak-site content, along with identical FAQ pages, 8Base could be a rebranding of the well-known 'RansomHouse' ransomware group. RansomHouse, however, actively advertises its partnership program, while 8Base does not.

It is also noteworthy that the VMware researchers discovered a Phobos ransomware sample using the ".8base" file extension, indicating that 8Base could be a successor to, or be using, that existing ransomware strain.

The researchers concluded that the 8Base group's efficient operations may continue to grow, which could signal the emergence of a mature organization. However, it is still not clear whether the group is based on Phobos or RansomHouse.

For now, there is speculation about 8Base's use of various ransomware strains, whether in earlier iterations or as a fundamental part of its usual mode of operation. What is clear is that the group is very active, with a focus on smaller firms as its main targets.

Here is How Toronto-area Police Force Helped Take Down a Russian-linked Hacking Group


The Toronto-area police force has recently explained how it became involved in the international effort to lawfully hack Hive, one of the most ruthless ransomware groups in the world.

The contributions made by the Peel Regional Police are one of the reasons the Canadian flag is among the icons displayed on what was the dark website of the Russian-linked ransomware group Hive, alongside the logos of the U.S. Department of Justice, the FBI, and a variety of police forces around the globe.

According to Detective Const. Karim Hussain, in an interview with CTV News Toronto, Peel's detectives became involved early, when a local firm contacted them in 2021 reporting that its systems were down and a text message on its desktops displayed a ransom note.

“We had one of the first cases in Canada of Hive ransomware[…]It was the first to market. At the time we started gathering evidence, Hive was a fairly new ransomware group. Everything we brought to the table was interesting because no one had seen it before,” he says. 

The Hive case resembled numerous other high-profile incidents, such as a hospital in Louisiana where threat actors accessed data on around 270,000 patients, and an Ohio hospital that was attacked and left unable to accept new patients during the massive surge of COVID-19.

Those were only a few of the more than 1,500 attacks throughout the globe that had the digital traces of Hive, an organization whose associates, according to authorities, have made $150 million since 2021 as they demand money from companies in exchange for access to their data or system. 

The attacks are carried out via a "ransomware as a service" (RaaS) model, in which a small group of individuals create malicious software and then distribute it to numerous users, allowing them to quickly scale up their attacks before the security flaws they exploit are addressed. 

“You have an overarching group that provides everything down to the infrastructure, to lesser-capable cyber criminals, and they provide them the tools to conduct the hack,” Hussain said. 

The case brought the RCMP, the FBI, the police from France, Germany, Norway, and Lithuania together with Peel Police and other agencies dealing with Hive's impact. 

In response, the investigating agencies took over Hive's website earlier this year and replaced it with a landing page carrying the logos of numerous law enforcement agencies. "Simply put, using lawful means, we hacked the hackers," said U.S. Deputy Attorney General Lisa Monaco in a press conference in January.

She added that police had found and then openly distributed decryption keys that could help anyone who had been attacked to independently recover their data or free their systems.

According to Christopher Wray, director of the FBI, these actions have prevented around $130 million in ransom from being paid. “This cut off the gas that is fueling Hive’s fire,” Wray said. 

According to Hussain, the inquiry is still ongoing as the prevalence of ransomware grows. Ransomware assaults made up 11% of all cyber security incidents in 2021, according to Statistics Canada. 

“There’s no end in sight to cybercrime right now,” Hussain said.  

DOJ Reveals: FBI Hacked Hive Ransomware Gang


The U.S. Department of Justice (DOJ) recently confirmed that the FBI infiltrated the operations of a notorious cybercrime gang, covertly disrupting its attacks for more than six months.

According to the DOJ, the FBI gained deep access to the Hive ransomware group in late July 2022. The infiltration prevented the group from extorting $130 million in ransom payments from more than 300 organizations.

Ransomware gangs use malicious software to encrypt victims' files, locking them and rendering them inaccessible unless a ransom is paid for the decryption key.

It is estimated that Hive and its affiliates have extorted over $100 million from more than 1,500 victims, including hospitals, school districts, financial companies and critical infrastructure, in more than 80 countries across the globe.

The FBI revealed that it collaborated with partner law enforcement agencies to help victims recover from the attacks, including the UK's National Crime Agency, which says it has given around 50 UK organizations decryption keys to recover from the breaches.

On Thursday, the US announced that it had ended the operation by disabling Hive's websites and communication systems with the aid of police forces in Germany and the Netherlands.

Attorney General Merrick Garland stated that "Last night, the Justice Department dismantled an international ransomware network responsible for extorting and attempting to extort hundreds of millions of dollars from victims in the United States and around the world." 

While no individual connected to the Hive attacks had yet been taken into custody, a senior official suggested that arrests might follow soon.

Regarding the infiltration, Deputy Attorney General Lisa O. Monaco said, "simply put, using lawful means, we hacked the hackers."

Moreover, the DOJ says it will pursue those behind Hive until they are brought to justice.

"A good covert operation can degrade confidence in operational security and inject suspicion among actors,” Mandiant Threat Intelligence head John Hultquist said. "Until the group is arrested, they will never truly be gone. They will have to reconstitute, which takes time, but I'll bet they reappear in time."    

Conti Ransomware Assault Continues Despite the Recent Breach

 

The notorious ransomware group Conti has continued its assaults on businesses despite the exposure of the group’s operations earlier this year. 

Researchers from Secureworks state that the Conti ransomware gang, tracked as a Russia-based threat actor Gold Ulrick, is the second most prevalent group in the ransomware landscape, responsible for 19% of all assaults in the three months between October and December 2021. 

Conti is one of the most prolific ransomware groups of the past year, alongside LockBit 2.0, PYSA, and Hive, and has locked up hospital, corporate, and government agency networks while demanding ransom for the decryption key as part of its name-and-shame scheme.

After the ransomware gang sided with Russia in February over its invasion of Ukraine, an anonymous pro-Ukraine hacktivist using the Twitter handle ContiLeaks released the gang's malware source code, credentials, chat logs, and operational workflows.

"The chats reveal a mature cybercrime ecosystem with multiple threat groups that often collaborate and support each other," Secureworks said in a report published in March. Groups include Gold Blackburn (TrickBot and Diavol), Gold Crestwood (Emotet), Gold Mystic (LockBit), and Gold Swathmore (IcedID). 

According to Secureworks researchers, Conti targeted more than 100 organizations in March, and the ransomware gang claims that half of its victims pay ransoms averaging $700,000. More than 30 new victims have already been published on the Conti website in April.

Recent attacks targeted wind turbine giant Nordex, industrial components provider Parker Hannifin, and cookware and bakeware distribution giant Meyer Corporation. The group has also taken responsibility for a highly disruptive attack on Costa Rican government systems. 

"If GOLD ULRICK operations continue at that pace, the group will continue to pose one of the most significant cybercrime threats to organizations globally," said SecureWorks. 

Meanwhile, technical monitoring of Emotet campaigns by Intel 471 between December 25, 2021, and March 25, 2022, revealed that more than a dozen Conti ransomware targets were in fact victims of Emotet malspam attacks, showing just how closely the two operations are intertwined.

"While not every instance of Emotet means that a ransomware attack is imminent, our research shows that there is a heightened chance of an attack if Emotet is spotted on organizations' systems," said Intel 471.

Multiple Similarities Identified in BlackMatter And BlackCat Ransomware

 

Cisco Talos researchers have spotted overlaps in the tactics, techniques, and procedures (TTPs) of BlackCat and BlackMatter, indicating a strong connection between the two ransomware groups.

According to the Cisco Talos findings, BlackCat first emerged on the ransomware-as-a-service (RaaS) scene in November 2021 and has since targeted several companies by exploiting vulnerabilities in Windows systems. It has been called out for its similarity to BlackMatter, a short-lived ransomware family that originated from DarkSide, which made news last year by breaching the Colonial Pipeline network in a ransomware attack.

In an interview with the cybersecurity firm Recorded Future last month, a BlackCat spokesperson dismissed rumors that it's a rebranding of BlackMatter while noting that it's made up of affiliates linked with other RaaS groups.

"In part, we are all connected to gandrevil [GandCrab / REvil], blackside [BlackMatter / DarkSide], mazegreggor [Maze / Egregor], lockbit, etc., because we are adverts (aka affiliates)," the unnamed representative stated.

"We borrowed their advantages and eliminated their disadvantages."

"BlackCat seems to be a case of vertical business expansion," Cisco Talos researchers Tiago Pereira and Caitlin Huey said. "In essence, it's a way to control the upstream supply chain by making a service that is key to their business (the RaaS operator) better suited for their needs and adding another source of revenue."

In addition, researchers uncovered multiple similarities between a BlackMatter attack in September 2021 and that of a BlackCat attack in December 2021, including the tools and file names employed, as well as a domain used to provide persistent access to the target network.

This overlapping use of the same command-and-control address suggests that a BlackMatter affiliate was likely an early adopter — possibly in the first month of operation of BlackCat, with both the attacks taking more than two weeks to reach the encryption stage.

"As we have seen several times before, RaaS services come and go. Their affiliates, however, are likely to simply move on to a new service. And with them, many of the TTPs are likely to persist," the researchers added.

The best way to mitigate risks is by investing in the best antivirus software, allowing for peace of mind when conducting business or sending private information. So far, the BlackCat group has targeted U.S.-based companies more than 30% of the time, so enterprises in North America are advised to be ready in case they are the next subject of attack for the ransomware group.

Automotive Components Supplier Denso Targeted by Pandora Ransomware Group


Automotive component supplier Denso on Monday confirmed that its group company in Germany's network suffered a cyber-attack after the Pandora ransomware gang began leaking sensitive details allegedly stolen during the assault. 

Denso, one of the world's largest automotive components manufacturers, is a global supplier of automotive components, including those developed for autonomous vehicle features, connectivity, and mobility services. The company's clients include Toyota, Honda, General Motors, and Ford. 

On March 10, the company detected unauthorized access involving ransomware at DENSO Automotive Deutschland GmbH, a group firm responsible for managing sales and engineering in Germany, a Denso spokesperson told Reuters. After the breach was detected, DENSO cut the affected system off from the network and confirmed that no other systems inside the facility were impacted. 

While the incident is under investigation, Denso says that there is "no impact" on other facilities and that no disruption has been caused to production plants or manufacturing schedules. The company has not shared any details regarding the attackers, but a cybercrime group named Pandora has taken credit for the attack, claiming to have stolen 1.4 TB of data. 

"After detecting the unauthorized access, Denso promptly cut off the network connection of devices that received unauthorized access and confirmed that there is no impact on other Denso facilities," the company said in a press release. "Denso would like to express its sincerest apologies for any concern or inconvenience resulting from this incident. Denso Group will once again strengthen security measures and work to prevent a recurrence."

In an effort to support their claims, the attackers released samples of the stolen datasets, as well as several images of documents. Based on the samples published by threat actors, tens of thousands of documents, spreadsheets, presentations, and images have been exposed, including many that reference customers and employees. 

It remains unclear how malicious actors secured access to the company’s network, but after Pandora took responsibility for the attack, one researcher claimed he alerted the company a couple of months ago that attackers had been selling access to its network. 

The Pandora ransomware appears to be new, but security researcher pancak3 believes it is a rebranding of the Rook ransomware, based on code similarities and the packers used by the operation. A sample of the Pandora ransomware uploaded to VirusTotal was flagged by Intezer as Rook, which also suggests shared code.

The Potential Damage to Russia from Cybercrime in 2022 was Estimated at 2.2 Million Dollars


RTM Group experts believe that the damage from criminal actions using computer technology in Russia this year will continue to grow and may reach 165 billion rubles. 

The growth will be facilitated by the low level of cyber-literacy of the population, as well as people's desire to save money in conditions of rising prices and uncertainty.

In 2021, the total amount of damage from cybercrimes exceeded 150 billion rubles ($2 million). In total, 518 thousand cyber crimes were committed last year, which is almost 2 times more than in 2019. 

According to Yevgeny Tsarev, the manager of RTM Group, the number of successful cyber attacks in 2021 increased by one-third (+35%). And in 2022 the growth of cybercrime will continue and will reach at least 30% due to the development of social engineering schemes and the use of new technologies. By the end of the year, the total damage may exceed 165 billion rubles ($2.2 million). 

Phone calls to a potential victim have become the most common form of fraud, while viruses and phishing attacks are the most popular way of stealing funds. At the same time, RTM Group experts admit that only a small share of those who suffer from the actions of criminals go to court, as they realize that the money cannot be refunded anyway. 

Experts agreed that fraudsters will become even more active and the growth of cyberattacks will continue since the criminal procedure law is not currently adapted to this kind of crime. In addition, law enforcement agencies do not have enough qualified personnel to carry out investigations. 

According to experts, "people now live in a state of uncertainty of prospects on the one hand, and constantly rising prices on the other," which leads to a desire to save money. And this is abused by scammers in the mail, in social networks and by phone. 

In addition, according to Kaspersky Lab experts, ransomware hackers attacked 16 thousand Russian companies in 2021, while attacks are becoming less massive and more targeted. The company clarified that in 2021 alone, 49 new ransomware families and more than 14 thousand of their modifications were discovered around the world. Before encryption, hackers steal data from companies and threaten to release it to the public unless they are paid.

Vodafone Portugal Services were Disrupted due to a Cyberattack


Vodafone was the target of a network disruption that began on the night of February 7, 2022, as a result of an intentional and malicious cyberattack targeted at inflicting damage and disruption. As soon as the first indication of a network issue was noticed, Vodafone responded quickly to identify, contain, and restore services. This situation is affecting the provision of services based on data networks, such as 4G/5G networks, fixed voice, television, SMS, and voice/digital answering services. 

"We have already recovered mobile voice services and mobile data services are available exclusively on the 3G network almost throughout the country but, unfortunately, the size and severity of the criminal act to which we have been subjected implies for all other services a careful and prolonged recovery work involving multiple national, international teams and external partners," the company said in a statement. 

According to Vodafone Portugal CEO Mário Vaz, the attack affected millions of people, businesses, and public services such as ambulance services, fire departments, and hospitals. He stated that emergency services were prioritized in efforts to restore communications. He told reporters that whoever was behind the incident had not demanded a ransom. 

"The attack sought to make (Vodafone Portugal) inoperative," he said. He refused to go into detail about the company's and police's inquiry. According to the company, it delivers fiber services to 3.4 million Portuguese homes and businesses, and it has 4.7 million cellphone clients.

Vodafone said it is attempting to restore the remaining services with the assistance of local and international teams in what is presently the company's largest cybersecurity incident. The company also stated that it is cooperating with authorities to investigate the issue and that, based on existing evidence, no customer data appears to have been accessed or compromised. Despite the existence of various claims on the internet, Vodafone Portugal has not linked the ongoing situation to a ransomware attack. 

These rumors are currently making the rounds on the internet after a ransomware gang extorted Impresa and Cofina, two of Portugal's leading news media sites, over the past month. The Lapsus$ ransomware group, which was responsible for the two attacks, has not claimed responsibility for the Vodafone Portugal outage on any of its online accounts. 

When contacted through LinkedIn, a Vodafone Portugal employee stated that they were only aware of the technical disruption and were unaware of the company's press statement attributing the outage to a hack.

Lapsus$ Ransomware Gang Hacked Portugal's Largest Media Conglomerate


The Lapsus$ ransomware group has compromised and is actively extorting Impresa, Portugal's largest media conglomerate and owner of SIC and Expresso, the country's leading TV channel and weekly newspaper, respectively. The attack occurred during the New Year's holiday and targeted the company's online IT server infrastructure. The websites of Impresa, Expresso, and all SIC TV channels are presently offline. National airwave and cable TV broadcasts are unaffected; however, the attack has disabled SIC's internet streaming capability. 

Both the Expresso newspaper and the SIC TV station stated that they had reported the incident to the PJ criminal investigation police agency and the National Cybersecurity Centre (CNCS) and would file a complaint. The alleged hackers posted a message on the websites threatening to reveal internal data if the media firm did not pay a ransom. The message includes contact information for e-mail and Telegram. 

The Lapsus$ group claimed responsibility for the attack by displaying a ransom letter on all of Impresa's websites. In addition to a ransom demand, the message says that the organization has gained access to Impresa's Amazon Web Services account. When all of the sites were put into maintenance mode on Monday, Impresa workers looked to have regained control of this account, but the attackers promptly tweeted using Expresso's verified Twitter account to demonstrate that they still had access to company resources. 

Lino Santos, CNCS's coordinator, informed the Observador newspaper that this was the group's first attack in the country. In the meantime, both media outlets are disseminating news pieces via their social media networks. It was an "unprecedented attack on press freedom in the digital age," they said. 

The Impresa hack is among the most significant cybersecurity events in Portugal's history. Impresa is by far the largest media group in the country. According to September 2021 TV ratings, SIC and all of its secondary channels lead the TV market, while Expresso has the highest weekly periodical circulation numbers. Nonetheless, Impresa owns a slew of other media organizations and periodicals, all of which are likely to be impacted by the attack.

Before the Impresa attack, the Lapsus$ group hacked and ransomed the Ministry of Health of Brazil, as well as Claro and Embratel, two South American telecommunications firms. This is the second ransom attack on a media conglomerate during the holiday season, following the Ryuk gang's December 2018 attack on Tribune Publishing, owner of the Los Angeles Times.

Cuba Ransomware Group Compromised the Networks of at Least 49 Organizations


The FBI has issued a new warning regarding the Cuba ransomware, stating that the gang has targeted "49 entities in five critical infrastructure sectors" and made at least $43.9 million in ransom. The FBI claimed the gang is targeting enterprises in the financial, government, healthcare, manufacturing, and information technology sectors, and is employing the Hancitor malware to gain access to Windows systems, according to an alert sent out on Friday. 

The Hancitor malware downloader is used to deliver Cuba ransomware to victims' networks, giving the ransomware gang broader access to previously compromised corporate networks. Hancitor (also known as Chancitor) is a malware downloader that distributes data stealers, Remote Access Trojans (RATs), and ransomware. According to Zscaler, it was first observed spreading the Vawtrak information-stealing trojan. Since then, it has shifted to password stealers such as Pony and Ficker, as well as Cobalt Strike. 

Hancitor operators use phishing emails and stolen credentials to gain access to victims' systems, and also exploit Microsoft Exchange vulnerabilities and break in via Remote Desktop Protocol (RDP) tools. Once they have gained access using Hancitor, Cuba ransomware operators abuse legitimate Windows services (e.g., PowerShell, PsExec, and numerous other unspecified services) to remotely deliver their ransomware payloads and encrypt files with the ".cuba" extension.

When a victim's computer is infected, the ransomware downloads and installs a CobaltStrike beacon, as well as two executable files. Attackers can use the two files to get passwords and "write to the compromised system's temporary (TMP) file."

"Once the TMP file is uploaded, the 'krots.exe' file is deleted, and the TMP file is executed in the compromised network. The TMP file includes Application Programming Interface (API) calls related to memory injection that, once executed, deletes itself from the system. Upon deletion of the TMP file, the compromised network begins communicating with a reported malware repository located at Montenegro-based Uniform Resource Locator (URL) teoresp.com," the FBI explained. 

The FBI alert also included other attack details, as well as a sample ransom note and email sent by the attackers. Given the group's level of activity compared with other, better-known ransomware gangs, experts were surprised by the amount of money it had amassed. According to Emsisoft threat analyst Brett Callow, the figures show how lucrative the ransomware market is, even though the Cuba ransomware operation is not among the top ten in terms of activity.

With ProxyShell Exploits, Conti Ransomware is Now Targeting Exchange Servers


Using recently disclosed ProxyShell vulnerability exploits, the Conti ransomware group is hacking into Microsoft Exchange servers and compromising corporate networks. ProxyShell is a moniker for an attack that uses three chained Microsoft Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to allow unauthenticated, remote code execution on susceptible servers that haven't been patched. 

The attacks occur at breakneck speed. In one case, a second web shell was installed minutes after the first. The Conti attackers compiled a complete list of the network's computers, domain controllers, and domain administrators in less than 30 minutes. Four hours in, having obtained the credentials of domain administrator accounts, the attackers began executing commands. 

The attackers had exfiltrated around 1 terabyte of data within 48 hours of gaining access. Conti malware was installed on every system on the network within five days, specifically targeting individual network shares on each workstation. 

The Conti affiliates also installed no fewer than seven backdoors on the network during the attack: two web shells, Cobalt Strike, and four commercial remote access programs, namely AnyDesk, Atera, Splashtop, and Remote Utilities. The web shells provided early access, with Cobalt Strike and AnyDesk serving as the primary tools for the rest of the attack. 

“We want to highlight the speed at which the attack took place,” said Peter Mackenzie, manager of incident response at Sophos. “Contrary to the typical attacker dwell time of months or weeks before they drop ransomware, in this case, the Conti attackers gained access to the target’s network and set up a remote web shell in under one minute.” 

Microsoft reported and patched the vulnerabilities early this year, but not all firms updated their systems, as is often the case with software upgrades. In March, Microsoft issued a warning that Chinese state-sponsored hackers were targeting the flaws. The best approach to protect against the assaults, according to Tom Burt, Microsoft's corporate vice president of customer security and trust, is to apply the updates. In April, the US Federal Bureau of Investigation took the unusual step of breaking into compromised Exchange servers to fix the flaws. 

The Conti ransomware group has been active since 2020, and it has been linked to a number of attacks, including one in May that targeted Ireland's health system. Industrial computer firm Advantech Co. Ltd. was a victim of Conti in November, as was VOIP hardware and software supplier Sangoma Technologies Corp. in December, and hospitals in Florida and Texas in February. 

Ransomware on a Charge: Another Wake-Up Call for U.S. Shipping Industry


As the threat of ransomware attacks increases, the U.S. shipping industry faces particular difficulty in safeguarding its global supply chain. 

The U.S. shipping industry is on the hit list of ransomware attackers — specifically the heavily computerized ports that receive cargo ships, as well as the actual crafts, security experts warned. The other major factor is the increasing strain on the global supply chain due to the Covid-19 pandemic with U.S. citizens ordering more goods to their homes than ever before. The White House has issued an executive order mandating organizations to strengthen cybersecurity protocols. 

Data analytical firms are keeping a close eye on the surge of ransomware attacks. Here are the recent reports highlighting the ransomware trends and implications: 

• Security researchers at Trend Micro discovered that 84% of US firms have reported a phishing or ransomware incident in the last 12 months.

• In the first half of 2021, the average ransomware payment surged 82% to a record $570,000, up from $312,000 in 2020, according to a report from Palo Alto Networks' Unit 42 security consulting group. 

• By 2031, ransomware costs are expected to reach $265 billion, with a new attack every 2 seconds as ransomware attackers continuously upgrade their malware payloads and related extortion activities, a report from Cybersecurity Ventures predicted.

Shipping ports are the ripe targets for ransomware attackers due to their heavy reliance on robotic operations and digitized inventory rather than human labor. “It keeps me up at night. Most of those systems weren’t designed with the notion that somebody was going to try to mess with them. Wasn’t part of the calculus,” Nina Kollars, associate professor of strategic and operational research at the U.S. Naval War College said. 

In 2018, ransomware attackers targeted shipping ports in San Diego and Barcelona, Spain, with relatively minor attacks. In July, hackers locked up Transnet, a South African state-owned company that oversees operations for the country's major seaports. The ransomware attack halted operations at four of the eight ports. While many of the company's computer networks were quickly restored, it led to rolling delays that pushed back some shipments by weeks. 

Earlier this year, the European Union Agency for Cybersecurity predicted there will be four times more software supply chain attacks in 2021 than there were in 2020, as ransomware attackers shift to larger, cross-border targets.

Researchers analyzed 24 supply chain attacks between January 2020 and July 2021 and stated that 66% of supply chain attacks were committed by exploiting an unknown flaw, while 16% leveraged known software vulnerabilities. 

When it came to supplier assets, most attacks during the specified timeline aimed to compromise code (66%), followed by data (20%) and processes (12%). As for customer assets, supply chain attacks most commonly targeted customer data (58%), followed by key people (16%) and financial resources (8%).

Unique TTPs Connect Hades Ransomware to New Threat Group


Researchers claim to have uncovered the origins of Hades ransomware's operators, as well as the unique tactics, methods, and procedures (TTPs) they use in their attacks. 

The Hades ransomware initially appeared in December 2020, following a series of attacks on a variety of institutions, but limited information about the culprits has been released to date. 

Gold Winter has been identified as the threat group behind the Hades ransomware, according to Secureworks' Counter Threat Unit (CTU). The researchers also disclosed details of Gold Winter's activity that set it apart from similar threat groups, concluding that it is a financially motivated, most likely Russia-based "big game hunter" pursuing high-value targets, primarily North American manufacturers. 

The researchers stated, “Some third-party reporting attributes Hades to the Hafnium threat group, but CTU research does not support that attribution.” 

"Other reporting attributes Hades to the financially motivated Gold Drake threat group based on similarities to that group's WastedLocker ransomware. Despite the use of similar application programming interface (API) calls, the CryptOne crypter, and some of the same commands, CTU researchers attribute Hades and WastedLocker to two distinct groups as of this publication." 

According to the researchers, the investigation of Gold Winter showed TTPs that were not found in other ransomware families, with some showing resemblance but with uncommon characteristics added.

According to the researchers, Gold Winter: 

- Names and shames victims, but does not use a centralized leak site to publish stolen information. Instead, Tor-based Hades websites appear to be personalized for each victim, including a victim-specific Tox chat ID for negotiation. Tox instant messaging is a technique CTU researchers have not seen in other ransomware families. 

- Is known for copying ransom notes from other high-profile families such as REvil and Conti, substituting web pages with contact email addresses, and adding unique victim identifiers.

- Replaces the randomly generated five-character strings used for the victim ID and encrypted file extension with words, e.g., cypherpunk. 

- Uses SocGholish malware disguised as a fake Chrome update, and VPN access protected only by single-factor authentication, as initial access vectors. 

- Deletes volume shadow copies using the "vssadmin.exe Delete Shadows /All /Quiet" command, but uses a distinctive self-delete command with an unusual inclusion of a "wait for" command. 
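The shadow-copy deletion and the delayed self-delete in the last bullet are process-creation events a defender can hunt for. The Python below is an added example, not code from Secureworks or the original post: it runs simple detection logic over constructed Sysmon-style process-creation lines, and assumes the self-delete takes the form of a `waitfor` (or "wait for") delay followed by a `del` of the parent binary, which the text only describes loosely.

```python
import re
from dataclasses import dataclass

# Constructed sample events (Sysmon Event ID 1 style, flattened to
# "parent image | child image | command line"). These are not real logs
# from any Hades incident.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\services.exe | C:\Windows\System32\svchost.exe | svchost.exe -k netsvcs",
    r"C:\Users\a\Downloads\update.exe | C:\Windows\System32\vssadmin.exe | vssadmin.exe Delete Shadows /All /Quiet",
    r"C:\Windows\System32\cmd.exe | C:\Windows\System32\vssadmin.exe | vssadmin list shadows",
    r"C:\Users\a\Downloads\update.exe | C:\Windows\System32\cmd.exe | cmd.exe /c waitfor /t 20 x & del /f C:\Users\a\Downloads\update.exe",
    r"C:\Windows\explorer.exe | C:\Program Files\Backup\backup.exe | backup.exe --snapshot",
]


@dataclass
class Finding:
    rule: str
    parent: str
    commandline: str


def _norm(cmd: str) -> str:
    """Lowercase and collapse whitespace so matching is stable across log sources."""
    return " ".join(cmd.lower().split())


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


# vssadmin invoked with both "delete" and "shadows" anywhere on the line;
# "vssadmin list shadows" must not match.
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")
# Assumed self-delete shape: a waitfor delay chained with del (hypothetical syntax).
WAITFOR_DEL = re.compile(r"\bwait\s?for\b.*\bdel\b")
# Capture the path handed to del, skipping switches such as /f or /q.
DEL_TARGET = re.compile(r"\bdel\b((?:\s+/\w)*)\s+(\S+)")


def is_shadow_copy_deletion(cmd: str) -> bool:
    return bool(SHADOW_DELETE.search(_norm(cmd)))


def del_target(cmd: str):
    """Return the file path passed to del, or None if the line has no del."""
    m = DEL_TARGET.search(_norm(cmd))
    return m.group(2) if m else None


def parse_event(line: str):
    parent, image, cmd = (part.strip() for part in line.split(" | ", 2))
    return parent, image, cmd


def scan(events):
    """Apply both rules to every event and return the findings in log order."""
    findings = []
    for line in events:
        parent, _image, cmd = parse_event(line)
        if is_shadow_copy_deletion(cmd):
            findings.append(Finding("shadow_copy_deletion", parent, cmd))
        elif WAITFOR_DEL.search(_norm(cmd)):
            target = del_target(cmd)
            # Highest confidence when the file being deleted is the parent
            # process itself, i.e. the dropper removing its own binary.
            if target and _basename(target) == _basename(parent):
                findings.append(Finding("waitfor_self_delete_of_parent", parent, cmd))
            else:
                findings.append(Finding("waitfor_then_delete", parent, cmd))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] parent={f.parent}\n    {f.commandline}")
```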

Marcelle Lee, senior security researcher, CTU-CIC at Secureworks, tells CSO, “Typically when we see a variety of playbooks used around particular ransomware, it points to the ransomware being delivered as ransomware-as-a-service (RaaS) with different pockets of threat actors using their own methods. We do not, however, think that is the case with Hades.” It is most likely that Gold Winter operates as a private ransomware group, she added.

It is also possible that Gold Winter has been organized by another threat group to throw law enforcement and researchers off their trail, Lee continues. 

For Hades, Lee suggests adopting common ransomware defense and mitigation strategies: implement an endpoint detection and response solution, multi-factor authentication for internet-facing devices and user applications, and effective asset management. She also recommends effective patch management, a subscription to tailored threat intelligence to raise awareness of emerging threats, and a tested incident response plan and team.