Showing posts with label ransomware attacks.

Analyzing the New Black Basta Ransomware


Black Basta, a new ransomware group, has been highly active since April 2022 and has already breached a dozen companies worldwide. The list of victims includes the American Dental Association and the German wind turbine giant Deutsche Windtechnik.

Modus operandi of Black Basta 

While Black Basta attacks are relatively new, some information on the group's methodology has been made public. The data encryptor used by the ransomware requires administrator privileges to execute; without them, it is harmless.

To launch the encryption executable, the ransomware targets a legitimate Windows service. After execution, the ransomware erases shadow copies from the compromised system using vssadmin.exe. This removes the Windows backup copies so that, after encryption, the victim cannot revert the system to its previous state.

Subsequently, Black Basta drops two files, dlaksjdoiwq.jpg and fkdjsadasd.ico, in the user's Temp folder. The second file is a custom icon for all files with the “.basta” extension. The icon is assigned by creating and setting a new registry key, “HKEY_CLASSES_ROOT\.basta\DefaultIcon”.

The persistence technique of the Black Basta ransomware works by “stealing” an existing service name: the ransomware deletes the service and then creates a new service named ‘FAX’. Before the encryption routine begins, the ransomware checks the boot options using the GetSystemMetrics() API and then adds the registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Fax so that the FAX service starts in safe mode.

After completing all the customizations, the ransomware configures the operating system to boot into safe mode using bcdedit.exe. Because of the boot mode change, the PC reboots into safe mode with the ‘Fax’ service running. This service then executes the ransomware again, this time to perform the encryption.
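As an added example (not from the original post), the following PowerShell checks look for the Black Basta persistence artefacts described above on a Windows host. The file names and registry paths are those quoted in the article; the Fax service check assumes the legitimate Windows Fax service binary is fxssvc.exe, and the shadow-copy check assumes Security event 4688 process auditing with command-line logging is enabled.

```powershell
# Added defender-side checks for the Black Basta artefacts described in the post.
# Run in an elevated PowerShell session on the host being examined. Each hit is an
# indicator to triage, not proof of infection on its own.

$findings = @()

# 1. The custom icon key registered for the ".basta" extension.
$iconKey = 'Registry::HKEY_CLASSES_ROOT\.basta\DefaultIcon'
if (Test-Path $iconKey) {
    $icon = (Get-ItemProperty -Path $iconKey).'(default)'
    $findings += "Registry key present: $iconKey -> $icon"
}

# 2. The Safe Mode entry that lets the hijacked 'Fax' service start in safe mode.
$safeBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Fax'
if (Test-Path $safeBootKey) {
    $findings += "SafeBoot entry present: $safeBootKey"
}

# 3. The 'Fax' service itself: the post says the ransomware re-creates it, so a
#    binary path other than the Windows Fax service (fxssvc.exe, assumed here) is suspicious.
$fax = Get-CimInstance -ClassName Win32_Service -Filter "Name='Fax'"
if ($fax -and $fax.PathName -notmatch 'fxssvc\.exe') {
    $findings += "Fax service points at an unexpected binary: $($fax.PathName)"
}

# 4. The two dropped files in the user's Temp folder (names quoted in the post).
foreach ($name in 'dlaksjdoiwq.jpg', 'fkdjsadasd.ico') {
    $path = Join-Path -Path $env:TEMP -ChildPath $name
    if (Test-Path $path) { $findings += "Dropped file present: $path" }
}

# 5. Boot configuration: a safeboot value on the current entry means the next reboot
#    lands in Safe Mode, which is what the Fax-service trick relies on.
$bcd = (bcdedit /enum '{current}' 2>$null) -join "`n"
if ($bcd -match 'safeboot\s+(Network|Minimal)') {
    $findings += "Safe boot flag set in BCD: $($Matches[0])"
}

# 6. Shadow-copy deletion: vssadmin runs appear as process-creation events (Security 4688)
#    when process auditing is on; the command line is only present if command-line logging is enabled.
$vss = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
       Where-Object { $_.Message -match 'vssadmin\.exe' -and $_.Message -match 'delete\s+shadows' }
if ($vss) { $findings += "vssadmin shadow-deletion events found: $($vss.Count)" }

if ($findings.Count -eq 0) {
    'No Black Basta persistence artefacts found.'
} else {
    $findings
}
```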

Methodologies Identical to the Conti Group

Researchers at MalwareHunterTeam attribute the Black Basta ransomware to the team behind Conti ransomware. This assumption is based on similarities between their leak sites, their payment sites, and the way their “support” employees talk and behave. 

Lawrence Abrams of BleepingComputer also mentioned that the threat actors behind Black Basta seem like they are exerting a lot of effort to avoid any resemblance to their previous identity. 

To prevent Black Basta ransomware from encrypting further files, it must be removed from the operating system. Unfortunately, removal will not restore data that has already been encrypted. The only remedy is to recover it from a backup, provided one was created beforehand and is stored elsewhere.

Additionally, to avoid permanent data loss, researchers recommend keeping backups in multiple different locations (e.g., remote servers, unplugged storage devices, etc.).

PYSA Ransomware Group: Experts Share In-Depth Details


According to an 18-month examination of the PYSA ransomware operation, the cybercrime group has used a five-stage system design since August 2020, with the malware developers prioritizing enhancements that boost the efficiency of its activities. The GSOC explores the PYSA ransomware in this Threat Analysis Report. The ransomware drew wider attention as PYSA early this year, when the Federal Bureau of Investigation (FBI) warned of its increased activity and significant harmful impact.

The design includes a user-friendly tool, such as a full-text search engine, to make metadata extraction easier and allow threat actors to easily locate and access victim information. "The group is notorious for thoroughly researching high-value targets before unleashing its operations, compromising business systems, and forcing researchers to pay significant ransoms to retrieve sensitive data," stated PRODAFT, a Swiss cybersecurity firm, in a comprehensive report released last week.

PYSA, which stands for "Protect Your System, Amigo" and is a descendant of the Mespinoza ransomware, was initially discovered in December 2019 and has since risen to become the third most common ransomware strain reported in the fourth quarter of 2021. The cybercriminal cell is thought to have exfiltrated confidential info linked to as many as 747 individuals since September 2020, until its databases were taken down earlier this January. 

The majority of its victims are in the United States and Europe, and the gang primarily targets the federal, medical, and educational sectors. "The United States was the most-affected country, contributing for 59.2 percent of all PYSA occurrences documented," Intel 471 stated in a review of ransomware assaults observed from October to December 2021. PYSA, like all other malware attacks, is renowned for using the "big game hunting" method of double ransom, which involves making the stolen data public if the victim refuses to comply with the firm's demands. 

Every relevant key is encrypted and assigned the ".pysa" extension, which can only be decoded with the RSA private key provided after paying the fee. PYSA victims are claimed to have paid about 58 percent in digital payments to regain access to protected data. PRODAFT was able to find a publicly accessible .git folder owned by PYSA operators and identified one of the project's authors as "dodo@mail.pcc," a threat actor who, based on the commit history, is thought to be located in a country that observes daylight saving time.

As per the study, at least 11 accounts are in control of the whole operation, most of which were created on January 8, 2021. However, four of these accounts — t1, t3, t4, and t5 — account for approximately 90% of activity on the group's management panel. Other operational security failures by the group's members allowed a hidden system running on the Tor anonymity network — hosted by a server provider (Snel.com B.V.) based in the Netherlands — to be identified, providing insight into the actor's techniques. PYSA's infrastructure also includes dockerized containers for global leak servers, database servers, and administrative servers, and an Amazon S3 cloud bucket for storing the files, which total 31.47TB.

The panel is written in PHP 7.3.12 using the Laravel framework and relies on the Git version control system to manage the development process. Furthermore, the admin panel exposes several API endpoints that allow the system to display files, auto-generate GIFs, and scan data, which is used to group stolen victim data into broad categories for simple retrieval. Separately, several potential threat groups spent nearly five months inside the systems of an undisclosed regional US government agency before deploying the LockBit ransomware at the start of the year, according to research from cybersecurity firm Sophos.

US Health Provider LEHB Hit by Ransomware Attack, Network Compromised

Law Enforcement Health Benefits (LEHB), a health and welfare fund for Philadelphia police officers, sheriffs, and county detectives, disclosed that it was hit by a ransomware attack in 2021. "The Conti ransomware group has been responsible for a large number of these incidents, successfully attacking at least 16 US healthcare organizations and first responder networks during the year – as well as Ireland’s Health Service Executive and Department of Health," writes The Daily Swig.

According to LEHB, attackers started encrypting files stored on the company network on 14 September 2021. An inquiry into the incident revealed that on Friday 25th, a 'few affected files' containing members' data might have been removed from the network by the threat actors. A submission to the US Department of Health and Human Services (HHS) breach portal indicates that more than 85,000 LEHB members may have been impacted by the incident. The compromised data includes names, dates of birth, Social Security numbers, driving license information, bank account numbers, and health information.

However, not every LEHB member was affected, and the data elements listed above were not the same for every member. LEHB reports no known case of identity theft or misuse of the compromised data resulting from the ransomware attack. LEHB notified impacted members and offered credit monitoring services to those whose Social Security numbers might have been exposed. The health plan provider advises its members to set up 'fraud alerts' and security freezes on their credit files, and to request a free credit report.

Cyberattacks are becoming more sophisticated every day, and in response LEHB is implementing extra precautionary steps to protect its network and enhancing internal procedures to detect and mitigate future cybersecurity threats. LEHB is assessing and updating its company policies and procedures to reduce the chances of ransomware incidents in the future.

The Daily Swig reports "the healthcare sector has been particularly hard hit by ransomware since the start of the Covid-19 pandemic, with the FBI’s 2021 Internet Crime Report revealing earlier this month that of all critical infrastructure sectors, it was healthcare that faced the most ransomware attacks last year."

Nvidia Confirms Company Data Was Stolen in a Breach


Last week, chipmaker Nvidia suffered a cyberattack that breached its network. The company has confirmed that the intruders gained access to proprietary information and employee login data.
As the breach came to light last week, the organization attributed it to a threat group called "Lapsus$".

“We are aware that the threat actor took employee credentials and some Nvidia proprietary information from our systems and has begun leaking it online,” the company said in a statement. 

However, as of now, Nvidia has not released any specific details of the stolen data. Meanwhile, LAPSUS$, the alleged culprit, has claimed that it looted 1TB of data, including files related to the organization's hardware and software. Following the incident, Lapsus$ began demanding a ransom in cryptocurrency to prevent the data from being published online. Nvidia has not confirmed its stance or response to the hackers' demands.

The primary purpose of a ransomware attack is to encrypt the victim's data and threaten to delete it permanently unless a ransom is paid, often in Bitcoin because of the relative anonymity that cryptocurrency provides. Additionally, threat groups use ransomware attacks to steal the victim’s data and then threaten to release sensitive details publicly unless certain demands are met. Either way, it amounts to extortion.

According to sources, the organization has not yet confirmed technical details, so little can be verified at present. Nevertheless, information related to the attack continues to trickle out. For instance, some of the leaked data contains references to future GPU architectures, including Blackwell. An anonymous source has also sent what they claim is proof of stolen DLSS source code to TechPowerUp.

"We are investigating an incident. Our business and commercial activities continue uninterrupted. We are still working to evaluate the nature and scope of the event and don’t have any additional information to share at this time," NVIDIA initially said.

Walmart Dissects New 'Sugar' Ransomware


The cyber threat research team at retail giant Walmart has found a new ransomware variant named Sugar, which is available to threat actors as ransomware-as-a-service (RaaS).

Ransomware as a Service (RaaS) is a way for threat actors to make a lot of money from ransomware while reducing their own effort. According to the data, this new ransomware variant was first observed in November 2021, but no technical details were available until now.

The Sugar ransomware is written in Delphi and also borrows objects from other ransomware families. Unlike the other ransomware families, Sugar primarily targets individual computers instead of entire enterprise networks, but it is equally dangerous, especially since it is offered as a RaaS. Walmart said in its findings that the threat actors are using a crypter, which is one of the most interesting features of Sugar.

The crypter is notable because it reuses code from the ransomware itself, which makes it significantly more interesting than a typical crypter. It also employs a modified version of the RC4 encryption algorithm. Because of that, the research team thinks it is likely that the Sugar ransomware and its crypter are controlled by the same threat group, or that the crypter is offered to affiliates as part of the service.

“The malware is written in Delphi but the interesting part […] was the reuse of the same routine from the crypter as part of the string decoding in the malware, this would lead us to believe that they have the same dev and the crypter is probably part of the build process or some service the main actor offers to their affiliates,” Walmart’s researchers noted. 

Why is Ransomware as a Service so dangerous? 

In just a few years, Ransomware as a Service (RaaS) has become very prevalent among cybercriminals; the first RaaS-distributed family, CryptoLocker, was identified in 2013. Researchers said that 3-4 new ransomware families are now being distributed through RaaS channels.

The number of cases has increased in recent years, and networks are being compromised in large numbers. This is a highly alarming pattern that indicates the involvement of professional malicious actors.

Cheap Malware Behind Surge in Attacks on Cryptocurrency Wallets


Due to the surge in low-cost, easy-to-use malware, cyber thieves may now steal cryptocurrency more easily than before. 

Whether stolen directly from cryptocurrency exchanges or demanded as an extortion payment in ransomware attacks, Bitcoin has consistently been a favoured target for sophisticated cybercriminals.

Because of its rising value, cryptocurrency has also become a target for lower-tier cyber thieves, who are increasingly undertaking attacks aimed at stealing cryptocurrency from individual users' wallets. According to Chainalysis, cryptocurrency users are more vulnerable to malware such as information stealers, clippers (which let attackers alter text copied by the user, routing cryptocurrency to their own wallets), and trojans, all of which can be purchased for "quite cheap."

On Russian cybercrime forums, for example, an info-stealer known as Redline is marketed for $150 for a month's subscription or $800 for a 'lifetime' membership. Unfortunately, a cybercriminal aiming to steal cryptocurrency is quite likely to recoup that investment within a few attacks.

The illegal service also gives users access to a tool that encrypts the malware, making it harder for anti-virus software to identify and boosting the chances of an attack successfully taking cryptocurrency from victims.

"The proliferation of cheap access to malware families like Redline means that even relatively low-skilled cybercriminals can use them to steal cryptocurrency," warned the report. 

Overall, the malware families in the research received 5,974 transfers from victims in 2021, up from 5,449 in 2020 – but still far fewer than the 7,000 transfers seen in 2019. Redline is only one kind of malware designed to steal cryptocurrency, and the market for this type of malware is growing. Crypobot, an infostealer, was the most prolific thief of cryptocurrency wallets and account credentials among the incidents tracked, acquiring about half a million dollars in bitcoin in 2021.

Furthermore, success in stealing cryptocurrency from consumers may encourage more ambitious cybercriminals to attack organisations and even cryptocurrency exchanges, so the possibility of cybercriminals targeting crypto wallets and credentials is something businesses should be aware of.

The blog post stated, "The cybersecurity industry has been dealing with malware for years, but the usage of these malicious programs to steal cryptocurrency means cybersecurity teams need new tools in their toolbox." 

"Likewise, cryptocurrency compliance teams already well-versed in blockchain analysis must educate themselves on malware in order to ensure these threat actors aren't taking advantage of their platforms to launder stolen cryptocurrency."

Defense Contractor Hensoldt Confirms Lorenz Ransomware Attack


Hensoldt, a multinational defence contractor, disclosed that Lorenz ransomware has infected some of its UK subsidiary's systems. A spokesman for Hensoldt acknowledged the security incident to BleepingComputer this week.

Hensoldt's Head of Public Relations, Lothar Belz, told BleepingComputer, "I can confirm that a small number of mobile devices in our UK subsidiary have been affected."

Belz, on the other hand, refused to provide any other specifics on the incident, adding, "for obvious reasons, we do not reveal any more facts in such cases." 

Since April, the Lorenz ransomware group has targeted several organizations around the world, demanding hundreds of thousands of dollars in ransom. Like other ransomware groups, Lorenz operators use a double-extortion approach, stealing data before encrypting it and threatening to leak it if victims don't pay. Ransom demands have been quite high, between $500,000 and $700,000.

Hensoldt AG emphasizes sensor technology for security and surveillance missions in the defence, security, and aerospace sectors. Radar, optoelectronics, and avionics are the company's core product areas, and it is listed on the Frankfurt Stock Exchange. 

The defence multinational, which reported revenue of 1.2 billion euros in 2020, offers sensor solutions for defence, aerospace, and security applications. The corporation works with the US government on classified and sensitive contracts, and its products equip tanks, helicopter platforms, submarines, and Littoral Combat Ships, among other things.

The Lorenz ransomware group has already published the names of the compromised firms on its Tor leak site. At the time of writing, the group claims to have already transferred 95 percent of all stolen files to its leak site. The gang named the archive file "Paid," implying that someone else paid to keep the Hensoldt files from being exposed.

Tesorion, a cybersecurity firm, studied the Lorenz ransomware and produced a decryptor that may allow victims to decrypt their files for free in some situations.

Hive Ransomware Gang Breached Almost 350 Organizations Within 4 Months


According to security experts who obtained data from Hive's administrator panel, affiliates of the well-known ransomware group breached over 350 enterprises in less than 4 months. This means the average number of attacks has risen to three per day since June, when the gang's operation became widely known.

Hive ransomware first appeared in June, with the first publicly reported attack occurring on June 23rd. At the time, the gang targeted the Canadian IT firm Altus Group. According to an investigation of this cybercrime group by Group-IB researchers, it was unclear at first whether the Hive ransomware organization used the ransomware as a service (RaaS) business model.

As per analysts, the Hive ransomware group's early intrusion techniques encompass phishing emails and compromised VPN credentials. 

“Hive affiliates resort to various initial compromise methods: vulnerable RDP servers, compromised VPN credentials, as well as phishing emails with malicious attachments. The data encryption is often carried out during non-working hours or on the weekend. Taking into account that Hive targets organizations from various economic sectors from all around the world and their attacks are manually controlled by the affiliates, it’s crucial to closely monitor the changes in TTP of these ransomware operators,” said the researchers.

The Group-IB researchers probed further in their study of the Hive ransomware group and gained access to the ransomware administration panel. In this way they began collecting data on its mode of operation.

It was found that ransomware distribution and victim negotiations were made transparent and simple: affiliates could build a version of the software in 15 minutes. Negotiations were then handled by Hive ransomware administrators, who relayed messages through a chat window to which affiliates could also have access.

Some businesses reported that the decryption tool provided after paying the ransom lacked proper functionality and rendered the virtual machines' Master Boot Record unbootable. 

According to the research, all affiliates have access to the company's IDs via the Hive ransomware database. 

Both the admin panel and the site where the data is leaked use an Application Programming Interface (API). Due to an API flaw, the specialists were able to acquire data on the Hive attacks and concluded that by October 16, 355 firms had been hit by this ransomware group.

The researchers added, “Based on the analysis of company data obtained through API, the number of victims grew by 72% in less than one month. On September 16, the total number of records related to victim companies was 181. Just one month later, on October 16, the number increased to 312. Notably, 43 companies listed as victims in September disappeared from API in October, most likely after paying the ransom”.

Ransomware Attackers and their Industry Standards for Attacking


Ransomware attackers have been developing 'industry standards' that they use to determine the ideal target for their attacks.

In this regard, KELA identified 48 comment threads on dark web forums in July 2021 in which users claiming to be digital attackers were trying to purchase network access. Approximately two-fifths of the threads were started by individuals associated with Ransomware-as-a-Service (RaaS) schemes, comprising operators, affiliates, and middlemen, according to the intelligence solutions provider. KELA learned from those threads that ransomware attackers look for specific criteria when purchasing access.

These elements include the following: 

  • Geography: Almost half (47 percent) of ransomware attackers identified the United States as the preferred location for their targets. Canada, Australia, and European countries were next on the list, with preferences of 37%, 37%, and 31%, respectively.

  • Revenue: On aggregate, ransomware attackers expected their victims to make at least $100 million, while they occasionally indicated various ransom sums for different places. Attackers stated that they sought more than $5 million in compensation for victims in the United States, as well as at least $40 million in revenue from "third-world" countries. 

  • Disallowed Industries: Almost half (47%) of ransomware attackers indicated they were unwilling to pay for admission to companies involved in health care and education. Slightly fewer (37 percent) declined to target the government sector, while over a quarter of ransomware perpetrators stated that they would not purchase access to non-profit organizations. 

  • Countries Excluded: Some attackers declined to target companies or government agencies in Russian-speaking countries. They appear to have selected this based on the idea that if they did not target the region, local law enforcement would not worry them. Others ruled out targeting South America or third-world countries as a region. They reasoned that an attack there would not net them enough money. 

The aforementioned data is compatible with several of the ransomware assaults that made the headlines earlier in 2021. 

For instance, consider the attack on Colonial Pipeline. According to Dun & Bradstreet, the Colonial Pipeline Company, headquartered in Port Arthur, Texas, earned $1.32 billion in revenue in 2020. The business does not operate in any of the prohibited industries listed above. Colonial, however, is a critical infrastructure company in the United States, and because of attacks like this, the FBI and other federal law enforcement agencies targeted the DarkSide RaaS gang soon after the attack.

Another instance that met the same requirements was the Kaseya supply chain attack. The headquarters of the IT management software company is in Miami, Florida. Furthermore, Kaseya was valued at more than $2 billion by the end of 2019. 

According to KELA, businesses and government institutions could defend themselves from such ransomware attacks in three ways. Firstly, companies could train employees and the C-suite through security awareness training, which educates them on how to protect their data and identify suspicious activity on their employer's networks. Secondly, they could use vulnerability management to monitor their systems for known flaws and address those first. Finally, they could maintain an up-to-date asset inventory to watch their devices and systems for unusual behavior.

Dell and AWS Partner to Prevent Customer Data from Cyberattacks


Dell Technologies has partnered with AWS (Amazon Web Services) to safeguard customer data from cyberattacks by bringing Dell's cyber recovery solution to the AWS Marketplace with the release of Dell EMC PowerProtect Cyber Recovery for AWS. Traditional cybersecurity approaches are finding it difficult to prevent malware and cyberattacks. With the rise of work-from-home culture and remote work over the past two years, cybersecurity across the internet and cloud platforms has become more complex.

Over the same period, the number of ransomware, malware, and hacking attacks has risen drastically, with more than 33% of organizations suffering ransomware breaches. Even amateur threat actors use RaaS (ransomware as a service) platforms to execute efficient and sophisticated cyberattacks. Via the AWS Marketplace, customers can easily buy and deploy an air-gapped cyber vault from Dell to help safeguard data and isolate it from a ransomware attack.

Dell EMC PowerProtect Cyber Recovery for AWS offers multiple layers of protection with an approach that helps AWS customers resume normal business operations easily and without fear after a ransomware attack. In a statement, Dell said "the solution moves a customer’s critical data away from the attack surface, physically and logically isolating it with a secure, automated operational air gap. Unlike standard backup solutions, this air gap locks down management interfaces, requiring separate security credentials and multi-factor authentication for access."

As organizations adopt varied IT infrastructures across on-premises environments and the public cloud, data protection solutions can provide robust data security. Dell EMC PowerProtect Cyber Recovery for AWS helps customers address the rising risks of ransomware and other cyberattacks. Dell VP of data protection product management David Noy said "data is a strategic asset and protecting it against ransomware and other cyberattacks is critical for organizations to make informed decisions about their business and thrive in today’s digital economy."

Significant Rise in Cyberattacks Against Healthcare Facilities, 68 Attacks in Q3 2021


Cyberattacks against healthcare facilities increased alarmingly last month. Around 68 healthcare providers were locked out of their networks by ransomware attacks in the third quarter of this year, putting patient safety and privacy at risk.

Without a holistic whole-facility cybersecurity approach, specialists fear that patients would be unable to get essential care at a targeted facility. The Hillel Yaffe Medical Center in Hadera, Israel, and Johnson Memorial Health Hospital in Franklin, Indiana, are just two examples of the medical facilities targeted. 

The early-October cyberattack at Johnson Memorial Hospital locked databases and compromised patient data. A ransom amount was surprisingly not demanded. Hillel Yaffe Medical Center was attacked by Black Shadow, a reportedly Iran-backed group, in early November. Investigators believed it would take many weeks to recover and grasp the full scope of what had happened because 290,000 people's personal data had been leaked. 

As healthcare facilities upgrade, their legacy OT equipment becomes exposed to hackers. Water, HVAC, oxygen, electrical, and other key systems are all connected, yet they may not be properly monitored or protected from a cybersecurity standpoint. A compromise of any of these utilities would have a detrimental effect on patient care, potentially putting the lives of people being treated at risk.

Ilan Barda, CEO of Radiflow stated, “Accessing patient data is worrisome, but the idea of hackers gaining access to components in a specific ward or even a single operating room is alarming.” 

“CISOs at facilities should focus on both IT systems and OT environments, starting from risk assessment to threat monitoring. There should be continuous holistic risk management for more mature organizations that combine both IT and OT systems. With Radiflow, teams can monitor the full range of a healthcare OT security from one central location.” 

With 68 global attacks on healthcare facilities in Q3 of this year alone, the US Department of Health and Human Services (HHS) had warned of worrisome trends in 2021.

Ransomware Threat Actors on the Rise in US, Target Big Organizations


A threat actor previously linked to the Thieflock ransomware campaign may now be using the emerging Yanluowang ransomware in a series of attacks against U.S. organizations. Cybersecurity experts at Symantec, a division of Broadcom Software, discovered links between Yanluowang and Thieflock; details of the former were revealed in October after experts found it used against a large firm. They believe the actor has been using this ransomware to attack financial organizations in the U.S., and has also compromised various firms in the manufacturing, engineering, consultancy, and IT services sectors with the new ransomware.

Experts noticed a probable link between the new Yanluowang attacks and earlier attacks involving Thieflock, a RaaS (ransomware as a service) built by the Canthroid group, also known as Fivehands. This shows there is little loyalty among ransomware users, especially those who work as affiliates of RaaS operations. As per ThreatPost, "Data-capture tools are also part of the attack vector, including a screen capture tool and a file exfiltration tool (filegrab.exe), as well as Cobalt Strike Beacon, which researchers saw deployed against at least one target."

Ransomware operators pivot from one business to another based on the profit margins offered, and there is no loyalty in the business, says Vikram Thakur, chief research manager at Symantec. The experts have summarized some of the tools used in the Yanluowang attacks; a few of these share commonalities with the Thieflock attacks, which suggests that the actor behind the attacks is experienced with Thieflock's deployment. "In most scenarios, attackers use PowerShell to download tools to compromised systems, including BazarLoader, which assists in reconnaissance of a system before attacks occur. The attackers then enable RDP via registry to enable remote access, deploying the legitimate remote access tool ConnectWise, formerly known as ScreenConnect, once they’ve gained this access," said ThreatPost.

Supernus Pharmaceuticals Hit by a Ransomware Attack

 

Last week, Supernus Pharmaceuticals, a biopharmaceutical company, disclosed that it had been the target of a ransomware attack in which a significant amount of information was exfiltrated from its systems. According to the Rockville, Maryland-based firm, the extortion gang obtained data from certain systems, installed software to restrict file access, and then threatened to release the exfiltrated contents. 

Notwithstanding this, Supernus Pharmaceuticals maintains that the incident had no significant effect on the business, since its operations were not adversely affected. 

At this time, the Company has no plans to pay any ransom to any criminal ransomware organization. 

Supernus Pharmaceuticals also says it has restored the affected files and has taken steps to strengthen the security of its network and data. Nevertheless, the organization expects that the criminals will most likely try to profit from the unlawfully obtained information. 

The Hive ransomware group claimed responsibility for the attack, claiming that on November 14, it got into Supernus Pharmaceuticals' network and exfiltrated 1,268,906 files comprising 1.5 TB of data. 

“The Company continues to operate without interruption and does not currently anticipate paying any ransom amounts to any criminal ransomware group,” the company says. 

“To date, the Company has not paid any ransom and has been able to restore all of the information encrypted by the criminal ransomware group,” Supernus Pharmaceuticals further added. 

On its Tor leak site, the group claimed that the stolen information would be published online soon, pointing out that the corporation had not disclosed the incident in its most recent Form 8-K filed with the Securities and Exchange Commission (SEC). 

Supernus Pharmaceuticals subsequently submitted an additional Form 8-K to the SEC on Friday, 26 November, this time specifically disclosing the ransomware attack. Despite Supernus Pharmaceuticals' assertion that it has no intention of paying a ransom, the Hive ransomware operators say they have been in contact with the company since the attack.

Ransomware Targeted Almost 1,000 Schools in US This Year

 

Ransomware attacks against US schools are surging; experts say threat actors have been actively targeting schools since classrooms switched to remote learning last year.

According to tallies by Emsisoft and Recorded Future – cybersecurity firms known for tracking and investigating ransomware attacks – almost 1,000 schools across the United States have suffered a ransomware attack this year. 

Threat actors targeted 985 schools across 73 school districts, and it is very likely that some schools are missing from the list, meaning the total number of victims is probably higher than 1,000, said Brett Callow, a researcher at Emsisoft. 

The list shared by Callow includes high-profile schools such as the Mesquite Independent School District in Texas, which comprises 49 different schools; the Haverhill Public Schools in Massachusetts, which comprises 16 schools; and the Visalia Unified School District in California, which comprises 41 schools.

“There is a huge jump in ransomware attacks hitting schools starting in 2019 and that trend is accelerating,” Allan Liska, cybersecurity researcher at cybersecurity firm Recorded Future, told Motherboard in an online chat.

There is no denying that 2021 is the year of ransomware, but there are some good stories too. Earlier this year, when threat actors targeted the Affton School District in Missouri, the district cancelled classes for a day as a precaution, but the attackers were unable to encrypt any critical computer or system, because the entire school was operating on Google’s cloud, according to Adam Jasinski, the district’s head of IT.

“While school districts are falling victim to ransomware at the same rate as ever, it seems that fewer large districts are now being hit. And that could be cause for hope,” Callow told Motherboard in an email. “If larger districts have been able to up their security game, smaller districts can too. We just need to work out what shortcomings exist and ensure they have the resources to address those shortcomings.” 

“The increased efforts by governments, law enforcement, and private-public sector initiatives seem to be paying off and we’re seeing more wins. Cybercrime operations are being disrupted, and their revenue streams are being disrupted which, combined, alters the risk/reward ratio and will hopefully disincentivize attacks,” he added.

Threat Actors are Still Exploiting Old Bugs to Target Organizations

 

Cybersecurity researchers at Qualys have published a free ransomware risk and assessment tool designed to scan systems, identify flaws and finally automate patching and remediation.

Researchers at Qualys analyzed 36 leading ransomware families and their attacks in recent years. It was found that unpatched flaws, device misconfigurations, internet-facing assets, and cracked software were consistently ranked among the top attack vectors.

According to the researchers, the top five CVEs exploited by leading ransomware families to target organizations worldwide have been known for almost a decade and have vendor patches available. Because many organizations still have not applied the available security updates, they remain susceptible to ransomware attacks. 

CVE-2012-1723 is the oldest of the top five vulnerabilities: a flaw in the Java Runtime Environment (JRE) component of Oracle Java SE 7, detailed in 2012. According to the researchers, it has been commonly used to distribute Urausy ransomware. 

Two other common flaws detailed by the researchers date from 2013: CVE-2013-0431 is a vulnerability in JRE leveraged by Reveton ransomware, while CVE-2013-1493 is a vulnerability in Oracle Java exploited by Exxroute ransomware. In both cases, security updates have been available for more than eight years.

CVE-2018-12808, on the other hand, is a three-year-old bug in Adobe Acrobat, which is used to deliver ransomware via phishing emails and malicious PDF files. Both Ryuk ransomware and Conti ransomware have been known to use this attack method. The latest bug on the list is Adobe CVE-2019-1458, a privilege escalation flaw in Windows that appeared in December 2019 and has been commonly used by the NetWalker ransomware group.

“For IT and information security teams, applying all the patches needed to keep a network secure is often an uphill battle. The rate at which vulnerabilities are rising is exponentially higher than the rate at which operations teams are patching. This is the number one driving factor for why vulnerabilities remain unpatched. It is easy for operations teams to get overwhelmed when they do not have a prioritized list of patches or software listings provided from security teams," Shailesh Athalye, SVP of product management at Qualys, stated. 

Threat actors exploit these flaws because they know many organizations don’t pay attention to the security updates and so they are actively searching for flaws that allow them to lay down the foundations for ransomware attacks.

"There is no silver bullet to prevent ransomware and remediate vulnerabilities, but overall, driving processes for reducing an attack surface should be the goal. The important part of vulnerability management is the combination of vulnerability assessment, prioritization, and remediation," Athalye added.
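Athalye's point is that operations teams need a prioritized patch list rather than a raw scan dump. As an added example (not the Qualys tool or any code from the article), the following ranks constructed scan findings using the five ransomware-linked CVEs named above; the weights, the internet-facing flag and the use of the CVE year as a proxy for how long a fix has existed are my own assumptions, and `CVE-2021-PLACEHOLDER` is a labelled stand-in for an unrelated finding.

```python
"""Added example: rank vulnerability findings for patching, giving weight to
known ransomware exploitation, exposure and how long a fix has been available.
Scan data below is constructed; the CVE-to-family mapping is as stated in the article."""
from datetime import date

# CVEs and the ransomware families the article associates with them.
RANSOMWARE_CVES = {
    "CVE-2012-1723": ("Urausy",),
    "CVE-2013-0431": ("Reveton",),
    "CVE-2013-1493": ("Exxroute",),
    "CVE-2018-12808": ("Ryuk", "Conti"),
    "CVE-2019-1458": ("NetWalker",),
}

# Fixed reference date so the example is reproducible (assumption).
REFERENCE_DATE = date(2021, 12, 1)

# Constructed scan output; the placeholder id represents a finding with no ransomware link.
SAMPLE_FINDINGS = [
    {"asset": "ws01", "cve": "CVE-2012-1723", "internet_facing": False},
    {"asset": "web01", "cve": "CVE-2019-1458", "internet_facing": True},
    {"asset": "db01", "cve": "CVE-2021-PLACEHOLDER", "internet_facing": False},
    {"asset": "vpn01", "cve": "CVE-2018-12808", "internet_facing": True},
]


def patch_age_years(cve_id, today):
    """Approximate years since disclosure from the year in the CVE id (assumption);
    a malformed id simply counts as zero years."""
    try:
        return max(0, today.year - int(cve_id.split("-")[1]))
    except (IndexError, ValueError):
        return 0


def score_finding(finding, today):
    """Return (score, reasons). Higher score means patch sooner.
    Weights: ransomware-linked +50, internet-facing +30, age bonus 2/year capped at 20."""
    score, reasons = 0, []
    families = RANSOMWARE_CVES.get(finding["cve"])
    if families:
        score += 50
        reasons.append("used by ransomware: " + ", ".join(families))
    if finding.get("internet_facing"):
        score += 30
        reasons.append("internet-facing asset")
    age = patch_age_years(finding["cve"], today)
    if age:
        score += min(2 * age, 20)
        reasons.append(f"fix available for about {age} years")
    return score, reasons


def prioritize(findings, today=REFERENCE_DATE):
    """Return findings sorted by descending score, ties broken by asset name."""
    ranked = []
    for finding in findings:
        score, reasons = score_finding(finding, today)
        ranked.append({**finding, "score": score, "reasons": reasons})
    ranked.sort(key=lambda row: (-row["score"], row["asset"]))
    return ranked


if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS):
        print(row["asset"], row["cve"], row["score"], "; ".join(row["reasons"]))
```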

Ransomware Attacks At An All Time High, Reports Palo Alto

 

At present, RaaS (ransomware as a service) and ransomware attacks are at an all-time high and have topped the cybersecurity community's concerns for the last few months, as threat actors and hackers constantly attack businesses, corporations and email accounts for personal monetary gain. BEC (Business Email Compromise) and EAC (personal email account compromise) scams have caused the most threat and impact, according to cybersecurity reports. 

The FBI found in its inquiry that BEC and EAC accounted for a minimum of $1.86 billion in losses in 2020, in the US alone, a 5% jump in losses compared to 2019. EAC and BEC account for 45% of total reported cybersecurity incidents in the US, and 11% of affected users are over the age of 60. 

A rough estimate suggests that the largest reported ransomware payment to date has been $40 million. Unit 42 reports: "When scammers use this tactic, it usually starts with a baited email enticing the recipient to open the attachment or click on the link to a webpage. The emails usually focus on some segment of business operations (including finance, human resources, logistics and general office operations) and point to an attachment or link related to topics requiring user action." Experts say that the average ransomware demand in 2020 was $847,344, while the average ransom that victims paid was $312,493. 

In 2021, the average ransom paid has risen by 82% to $570,000. The figure for the average ransom paid includes only direct financial losses in the form of ransoms. It does not include the revenue lost while an organization was compelled to operate in a compromised state during the attack, nor the cost of the resources spent on the incident, and it covers only attacks that are known. Depending on the nature and impact of the ransomware attack, a company may decide not to report a cybersecurity incident. 

In the end, that decision makes it harder for federal and cybersecurity agencies to calculate the full impact of these attacks. The EAC and BEC ransomware attacks have one thing in common: they need privileged access to the victim's account and networks. 

"The lucrative nature of BEC/EAC scams drives criminals to continually modify and upgrade their tactics to defeat protections. One of the newer techniques integrates spear phishing, custom webpages and the complex cloud single sign-on ecosystem to trick users into unwittingly divulging their credentials," reports Unit 42 of Palo Alto Networks.

JVCKenwood Company Suffers Ransomware Attacks, Hackers Demand $7 Million Ransom

 

JVCKenwood was hit by a Conti ransomware attack; the attackers claim that 1.7 TB of data has been stolen and are asking for a $7 million ransom. JVCKenwood is a Japanese electronics multinational with around 17,000 employees and total revenue of $2.45 billion in 2021. The company is known for its Victor, Kenwood, and JVC brands, which cover car and home audio equipment, healthcare and radio equipment, portable power stations, and professional and in-vehicle cameras. 
Earlier this week, JVCKenwood revealed that servers belonging to its sales companies in Europe were compromised on 22 September and that the attackers might have had access to data while the attack was ongoing. The company noticed unauthorized access in September 2021 to servers managed by JVCKenwood Group's sales organizations in Europe. In a press conference, the company said that data may have been leaked by the third parties that made the unauthorized entry attempts. 

A thorough investigation is currently being conducted by external specialist firms together with the company and the relevant authorities. To date, the experts have not confirmed any data leak. Further details on the breach will be published on the company website as they become available. According to experts, a source shared a ransom note from the Conti ransomware sample used in the JVCKenwood breach. During negotiations, the hacking group claimed to have stolen 1.5 TB of files and asked for a $7 million ransom in return for not leaking the data and for providing the decryption key. To show that the attack was genuine, the hackers shared a file containing scanned copies of employees' passports as proof. 

Since the hackers provided that proof, JVCKenwood's representative has not contacted them, which suggests that the company is not willing to pay the ransom. "Conti is a ransomware family believed to be operated by the TrickBot threat actor group and is commonly installed after networks are compromised by the TrickBot, BazarBackdoor, and Anchor trojans. The ransomware gang has been responsible for a wide range of attacks over the years, including high-profile attacks against the City of Tulsa, Ireland's Health Service Executive (HSE), Advantech, and numerous health care organizations," reports BleepingComputer.

Ransomware Attack on Hospital Associated with Baby’s Death

 

An infant born in Alabama later died of severe brain injury allegedly caused by mishandled care while the hospital was dealing with a ransomware attack, a lawsuit states. The hospital, paralyzed by ransomware in 2019, will defend itself in November against the claim that the baby's death was caused by the cyberattack. 

The filing is the first credible public allegation that anyone was killed, at least in part, by attackers who remotely shut down hospital computers in an extortion attempt, a steadily growing practice in cybercrime. 

The lawsuit, first reported by The Wall Street Journal, was brought by Teiranni Kidd, the baby's mother. It says that Springhill Medical Center had not told her that the hospital's computers were down because of a cyberattack, and that when she came in to deliver her daughter, she received severely reduced care. 

In 2019, Springhill stated it had suffered a "network security incident," a typical euphemism for a cyberattack. At the time, Springhill said it was seeing a normal volume of patients, as the local news station WKRG reported, although some were turned away because of the ransomware attack. 

Kidd first sued the hospital in January 2020 and then amended the case when her daughter died in July. The hospital did not respond to a request for comment. Kidd declined to speak because her case is ongoing. 

The legal filings state that Kidd was not notified about the cyberattack when she went in to give birth to her daughter, and that doctors and nurses then overlooked several key tests which would have shown that the umbilical cord was wrapped around the baby's neck, causing brain damage that resulted in her death nine months later. 

“It’s an awful thing, but we’ve been expecting this for years to happen, because when things go wrong, eventually somebody’s going to die,” Liska said. 

It is not the first time that allegations of a death linked to ransomware have been raised, but it is the first instance in which such a case has been brought before a court. The closest precedent was a case from September last year, when a German patient died after being rerouted by ambulance because ransomware had hit the hospital. At the time, German police opened a negligent homicide investigation and said the attackers could be held liable. 

Springhill has declined to name the ransomware behind the July 2019 attack, despite the time that has passed and the lack of scruples involved in targeting a healthcare center.

Wawa Paying $9 Million in Cash, Gift Cards in Data Breach Settlement


The Wawa convenience store chain is paying out up to $9 million in cash and gift cards to customers who were affected by a previous data breach, as reimbursements for their loss and inconvenience. 

The affected customers can request gift cards or cash that Wawa is paying out to settle a lawsuit over the security incident. Here's everything you need to learn about the proposed class action settlement – who's eligible, how to submit a claim for cash or a gift card, and how to object to the deal. 

Customers who used their payment cards at any Wawa store or gas pump during the data breach, but were not affected by fraud, qualify to receive a $5 gift card as compensation. These claimants are referred to as 'Tier One Claimants'. 

However, to claim the gift card, claimants must submit proof of a purchase made at a Wawa store or fuel pump between March 04, 2019, and December 12, 2019 – the period of the data breach. Customers will essentially be required to provide proof of the transaction date, preferably a store receipt, a bank statement, or a screenshot from the relevant bank's or credit card company's website or app. 

The next category of claimants, referred to as 'Tier Two Claimants', could receive a gift card worth $15 if they show reasonable proof of an actual or attempted fraudulent charge on their debit or credit card after the transaction. 

The last category of claimants, referred to as 'Tier Three Claimants', qualify for a cash reimbursement of up to $500 if they provide reasonably documented proof of money spent in connection with an actual or attempted fraudulent transaction on their payment card that can reasonably be attributed to the data breach. 

During the nine-month span of the data breach, around 22 million class members made a financial transaction at a Wawa store. Customers have until November 29, 2021, to submit a claim for compensation. By doing so, they give up their right to sue Wawa over the 2019 security incident. 

Those who wish to retain their right to sue the company over the security incident and do not wish to receive the payment must exclude themselves from the class. The deadline for doing so is November 12, 2021. 
 

What is this settlement for?


In 2019, the Wawa convenience store chain experienced a data breach in which cybercriminals compromised its point-of-sale systems to install malware and steal customers' card information. As the fraud affected Wawa's 850 locations along the East Coast, the U.S.-based convenience store company found itself buried in a series of lawsuits. One of them – filed by the law firm Chimicles Schwartz Kriner & Donaldson-Smith, of Haverford – claimed that the data breach “was the inevitable result of Wawa's inadequate data security measures and cavalier approach to data security.”

The massive data breach, which lasted nine months, affected in-store payments and payments at fuel pumps, exposing “credit and debit card numbers, expiration dates, and cardholder names on payment cards.” Hackers also attempted to sell the stolen financial data on the dark web. 

As a result, a police investigation was opened, and the organization also conducted an internal investigation by appointing a forensics firm.

Ransomware Attacks Increased Exponentially in 2021

 

The growing threat of ransomware has been highlighted by NCC Group's Research Intelligence and Fusion Team (RIFT) analysis. Between January-March 2021 and April-June 2021, the number of ransomware assaults studied by the team climbed by 288%, indicating that enterprises are still facing waves of digital extortion in the form of targeted ransomware. 

The rise of the "triple extortion" ransomware technique, whereby attackers, in addition to stealing sensitive data and threatening to release it publicly unless a payment is made, also target the organization's customers, vendors, or business partners in the same way, has fuelled the increase in attacks. 

Conti ransomware, which commonly uses email phishing to gain remote access to a network via an employee's device, was responsible for 22% of the ransomware data leaks studied between April and June. Avaddon ransomware, linked to 17% of ransomware data leaks, was just behind it. While victims of this strain faced data encryption, the prospect of data breaches, and the additional risk of DDoS attacks disrupting operations, the strain is now thought to be dormant. 

In addition to the substantial increase in ransomware attacks, organizations have seen a 29% rise in cyber-attacks worldwide, with the largest growth rates in the Europe, Middle East and Africa (EMEA) region and America, at 36% and 24% respectively. While the Asia-Pacific (APAC) region saw only a 13% increase in attacks, it had the highest number of weekly cyber intrusions at 1,338. The weekly number for EMEA was 777, while the weekly number for America was 688. 

This issue is hurting organizations all over the world, with the United States accounting for 49% of victims with known locations in the last three months, followed by France at 7% and Germany at 4%. The Colonial Pipeline ransomware attack in June, which was carried out by DarkSide ransomware affiliates, is one significant case. Oil supplies were disrupted, and there were fuel shortages across the United States as a result of the strike. 

Christo Butcher, global lead for threat intelligence at NCC Group, said: “Over the years, ransomware has become a significant threat to organizations and governments alike. We’ve seen targets range from IT companies and suppliers to financial institutions and critical national infrastructure providers, with ransomware-as-a-service increasingly being sold by ransomware gangs in a subscription model.” 

“It’s therefore crucial for organizations to be proactive about their resilience. This should include proactive remediation of security issues, and operating a least-privilege model, which means that if a user’s account is compromised, the attacker will only be able to access and/or destroy a limited amount of information,” he added.