Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label new ransomware actors. Show all posts
new ransomware actors
cyber resilience Cyber Security Cyber Security Ransomware Attacks Cybersecurity measures Cybersecurity Policy new ransomware actors

UK May Enforce Partial Ransomware Payment Ban as Cyber Reforms Advance

Governments across the globe test varied methods to reduce cybercrime, yet outlawing ransomware payouts stands out as especially controversial. A move toward limiting such payments gains traction in the United Kingdom, suggests Jen Ellis, an expert immersed in shaping national responses to ransomware threats.  

Banning ransom payments might come soon in Britain, according to Ellis, who shares leadership of the Ransomware Task Force at the Institute for Security and Technology. While she expects this step, she warns against seeing it as a fix-all move. From her point of view, curbing victim payouts does little to reduce how often hackers strike - since offenders operate beyond such rules. Still, paying ransoms brings moral weight: those funds flow into networks built on digital crime. Though impact may be narrow, letting money change hands rewards illegal behavior. 

Now comes the part where Ellis anticipates UK authorities will boost their overall cybersecurity setup before touching payment rules. Lately, an upgraded Cyber Action Plan has emerged - this one reshapes goals meant to sharpen how the country prepares for and reacts to digital threats. Out in the open now, this document hints at a fresh push to overhaul national defenses online. 

A key new law now moving forward is the Cyber Security and Resilience Bill, having just reached its second parliamentary debate stage. Should it become law, stricter rules on disclosing breaches will apply, while monitoring weak points in supplier networks becomes compulsory for many businesses outside government. With these steps, clearer insight into digital threats emerges - alongside fewer large-scale dangers tied to external vendors. Though details remain under review, accountability shifts noticeably toward proactive defense. 

After advances in these efforts, according to Ellis, officials might consider limiting ransomware payments. Though unclear when or how broadly such limits would take effect, she anticipates they would not apply uniformly. It remains undecided if constraints would affect solely major entities, focus on particular sectors, or permit exceptions based on set conditions. Whether groups allowed to make payments must first gain authorization - especially to align with sanction rules - is also unsettled. 

In talking with the Information Security Media Group lately, Ellis touched on shifts in how ransomware groups operate. Not every group follows the same pattern - some now avoid extreme disruption, though outfits like Scattered Spider still stand out by acting boldly and unpredictably. Payment restrictions came up too, since they might reshape what both hackers and targeted organizations expect from these incidents. 

Working alongside security chiefs and tech firms, Ellis leads NextJenSecurity to deepen insight into digital threats. Her involvement extends beyond the private sector - advising UK government units like the Cabinet Office’s cyber panel. Institutions ranging from the Royal United Services Institute to the CVE Program include her in key functions. Engagement with policy experts and advocacy groups forms part of her broader effort to reshape how online risks are understood.
Read more »
Security
blocking unauthorized access countermeasures Cyber Attacks Data multifactor authentication network segmentation new ransomware actors Safety Security

Akira Ransomware Adapts to Linux Systems, Incorporates New Tactics and TTPs

 

Arika ransomware, which initially targeted Windows systems, has evolved significantly since its emergence in March. It has now expanded its scope to include Linux servers, employing a diverse set of tactics, techniques, and procedures (TTPs).

A comprehensive report by LogPoint delves into the highly sophisticated nature of Akira ransomware. This malware encrypts victim files, erases shadow copies, and demands a ransom for data recovery. The attack chain actively exploits the CVE-2023-20269 vulnerability, focusing on Cisco ASA VPNs lacking multifactor authentication as an entry point.

As of early September, the group had successfully targeted 110 victims, with a particular emphasis on the US and the UK. A notable recent victim was the British quality-assurance company Intertek. The group also set its sights on manufacturing, professional services, and automotive organizations.

According to a recent report from GuidePoint Security's GRI, educational institutions have borne a disproportionate brunt of Akira's attacks, accounting for eight out of its 36 observed victims.

The ransomware campaign involves multiple strains of malware that carry out distinct steps, including shadow copy deletion, file search, enumeration, and encryption when executed.

Akira employs a double-extortion technique: it steals personal data, encrypts it, and then extorts money from the victims. If payment is refused, the group threatens to release the data on the Dark Web.

Upon gaining access, the group utilizes tools such as AnyDesk and RustDesk for remote desktop access, as well as WinRAR for encryption and archiving. Additionally, the advanced system information tool and task manager PC Hunter assist the group in lateral movement through compromised systems, alongside wmiexc.

The group can also disable real-time monitoring to avoid detection by Windows Defender, and shadow copies are eliminated through PowerShell. Ransom note files are deposited across the victim's system, containing payment instructions and decryption assistance.

Anish Bogati, a security research engineer at Logpoint, highlights that Akira's use of Windows internal binaries (also known as LOLBAS) is particularly concerning. These binaries typically go unnoticed by endpoint protection and are already present in the system, sparing adversaries the need to download them.

Bogati emphasizes that the ability to create a task configuration for encryption parameters without manual intervention shouldn't be underestimated.

Taking Countermeasures
Bogati underscores the need for organizations to implement MFA and restrict permissions to prevent brute-force attacks on credentials. Keeping software and systems up-to-date is crucial in staying ahead of adversaries exploiting newly discovered vulnerabilities.

The report also recommends auditing privileged accounts and providing regular security awareness training. Network segmentation is advised to isolate critical systems and sensitive data, reducing the risk of breaches and limiting lateral movement by attackers.

Bogati suggests organizations should consider blocking unauthorized tunneling and remote access tools, like Cloudflare ZeroTrust, ZeroTier, and TailScale, which are often employed by adversaries to gain covert access to compromised networks.

Changing Landscape of Ransomware

The Akira group, named after a 1988 Japanese anime cult classic, emerged as a significant cyber threat force in April of this year, primarily focusing on Windows systems.

The transition by Akira into Linux enterprise environments mirrors similar moves by more established ransomware groups like Cl0p, Royal, and IceFire. Akira represents a new wave of ransomware actors reshaping the threat landscape, marked by the emergence of smaller groups and new tactics. Established gangs like LockBit are witnessing fewer victims.

Among the newer ransomware groups are 8Base, Malas, Rancoz, and BlackSuit, each with its distinct characteristics and targets.

Bogati warns that, judging by their victim count, Akira is poised to become one of the most active threat actors. They are developing multiple variants of their malware with various capabilities and are poised to exploit unpatched systems at every opportunity.
Read more »
Subscribe to: Comments (Atom)