
Florida Circuit Court Targeted in Attack by ALPHV Ransomware Group


The ALPHV, also known as BlackCat, ransomware group has asserted responsibility for a recent assault on state courts in Northwest Florida, falling under the jurisdiction of the First Judicial Circuit. 

The attackers claim to have obtained sensitive information such as Social Security numbers and CVs of employees, including judges. It's a common tactic for ransomware groups to threaten the public release of stolen data as leverage for negotiations.

The presence of the Florida First Judicial Circuit's data leak page on ALPHV's website suggests that the court has either not engaged in talks with the ransomware group or has firmly refused to meet their demands. 

The breach occurred last week, prompting the Florida circuit court to announce an ongoing investigation into the cyberattack, which disrupted operations on October 2nd. A statement released by the court stated that this incident would have a significant impact on court operations across the Circuit, affecting courts in Escambia, Okaloosa, Santa Rosa, and Walton counties for an extended period. 

The Circuit is prioritizing essential court proceedings but has decided to cancel and reschedule other proceedings, along with suspending related operations for several days starting from October 2, 2023.

In the midst of the investigation, judges in the affected counties have been in contact with litigants and attorneys regarding their regularly scheduled hearings. 

Additionally, the court authorities confirmed that all facilities are operating without any disruptions. As of now, the court has not independently verified the ransomware attack claims made by the ALPHV gang.

The ALPHV ransomware operation emerged in November 2021 and is believed to be a rebranding of the DarkSide/BlackMatter operation, which was originally known as DarkSide. 

This group gained international notoriety after the Colonial Pipeline breach, drawing the attention of law enforcement agencies worldwide. After a rebranding to BlackMatter in July 2021, their activities abruptly halted in November 2021 when authorities seized their servers and security firm Emsisoft developed a decryptor exploiting a ransomware vulnerability. 

This ransomware operation is known for consistently targeting global enterprises and continuously refining their tactics.

In a recent incident, an affiliate known as Scattered Spider claimed responsibility for an attack on MGM Resorts, claiming to have encrypted over 100 ESXi hypervisors after the company declined ransom negotiations following the shutdown of internal infrastructure. 

As reported by BleepingComputer, ALPHV's ransomware attack on MGM Resorts resulted in losses of approximately $100 million, as well as the theft of its customers' personal information. The FBI issued a warning in April, highlighting the group's involvement in successful breaches of over 60 entities worldwide between November 2021 and March 2022.

Constellation Software Cyberattack Claimed by ALPHV

The ALPHV/BlackCat ransomware group claims to have compromised Constellation Software's network in a cyberattack; the claim appeared in a recent posting on the gang's leak site, which listed the Canadian software company alongside Essen Medical Associates as victims. 

A statement by Constellation Software Inc., a Toronto-based company, revealed that on Wednesday, it had been affected by a cyber-security incident that affected only one of its IT infrastructure systems. 

As a result, some limited personal information was affected by this incident, and a limited number of business partners of Constellation's businesses were also affected. Constellation itself will not contact these individuals or business partners directly; its operating groups and businesses will do so.  

Those whose data was compromised, and the affected business partners, have also been contacted with further information. 

A small number of individuals had their private information compromised in the incident. Some data belonged to a small number of business partners of various Constellation businesses that were potentially affected. 

Constellation Software is composed of six divisions dedicated to acquiring, managing, and growing software companies: Volaris, Harris, Jonas, Vela Software, Perseus Group, and Topicus. 

The Canadian company has a global presence: it employs over 25,000 people in North America, Europe, Australia, South America, and Africa, and generates $4 billion in revenue every year. It has also acquired more than 500 companies in the software industry since 1995 and provides services to more than 125,000 customers in more than 100 countries. 

According to Constellation, the incident involved a small number of systems used for internal financial reporting and the related data storage, which Constellation's operating groups and businesses use to report to the parent company. The independent IT systems of Constellation's operating groups and businesses were not affected, and the company says its business operations have not been adversely affected by the incident. 

ALPHV/BlackCat's leak site listed the attachments the ransomware group had gathered from the two breaches.

The Essen Medical Associates entry carried 24 attachments, and the Constellation Software entry 25.   

Statement from the company regarding the cyberattack on Constellation Software 

After the ALPHV/BlackCat leak site post appeared, Constellation Software issued a press release confirming the attack. The company reported that on April 3 a limited number of its IT systems were compromised in a cyber incident. 

It is understood that only a few of the organization's business and operating groups use the affected financial reporting and data storage systems, which they use to provide internal financial reporting to the organization.   

The independent IT systems of Constellation's operating groups and businesses were not affected in any way. According to the press release, Constellation's business operations have not been impacted by the incident.   

To prove that it accessed and exfiltrated files from Constellation's network, ALPHV has already leaked a number of documents containing the company's business information.  

The ransomware operation that launched in November 2021 is believed to be a rebranding of the DarkSide/BlackMatter gang. The group first became known as DarkSide, when it attacked the Colonial Pipeline in 2012 and immediately found itself in the crosshairs of international law enforcement. 

The gang rebranded itself as BlackMatter in July 2021, but after its servers were seized in November it was forced to shut down operations. Emsisoft's decryptor exploited a weakness in the ransomware's encryption algorithm.   


ALPHV is widely regarded as one of the biggest ransomware threats to corporations around the globe. The FBI singled out the group in an April alert, after it hacked over 60 companies between November 2021 and March 2022 as part of its ransomware operation. According to the FBI, ALPHV has "extensive networks and extensive experience with ransomware operations."

This Ransomware Sent North Carolina A&T University Rushing to Restore Services


Last month, North Carolina A&T State University, the country's largest historically black college, was hit by the ALPHV ransomware group, which forced university staff to rush to restore services. 

Melanie McLellan, an industrial system engineering student, told the school newspaper, The A&T Register: “It’s affecting a lot of my classes, especially since I do take a couple of coding classes, my classes have been cancelled. They have been remote, I still haven’t been able to do my assignments.” 

According to the paper, the breach happened during the week of March 7th, when students and professors were on spring break. Wireless connections, Blackboard instruction, single sign-on websites, VPN, Jabber, Qualtrics, Banner Document Management, and Chrome River were among the systems taken down by the attack, and many of them remained down when the student paper reported its story two weeks ago. 

The report came a day after North Carolina A&T appeared on a darknet site that ALPHV uses to name and shame victims in an attempt to persuade them to pay a hefty ransom. ALPHV, also known as Black Cat, is a newcomer to the ransomware-as-a-service sector, in which a core group of developers collaborates with affiliates to infect victims and split any proceeds. 

ALPHV has been characterised by some of its members as a successor to the BlackMatter and REvil ransomware gangs, and experts from security firm Kaspersky released evidence on Thursday that supported that claim. According to Kaspersky, ALPHV/Black Cat is using an exfiltration technique that was previously only used by BlackMatter, which represents a fresh data point connecting BlackCat with past BlackMatter activity. Earlier, BlackMatter used the Fendr tool to collect data from the victim's servers before encrypting them. 

Kaspersky researchers wrote, “In the past, BlackMatter prioritized collection of sensitive information with Fendr to successfully support their double coercion scheme, just as BlackCat is now doing, and it demonstrates a practical but brazen example of malware re-use to execute their multi-layered blackmail. The modification of this reused tool demonstrates a more sophisticated planning and development regimen for adapting requirements to target environments, characteristic of a more effective and experienced criminal program.” 

The ALPHV ransomware is uncommon, according to Kaspersky, because it is coded in the Rust programming language. Another peculiarity is that each ransomware executable is written individually for the targeted enterprise, frequently just hours before the infiltration, using previously gathered login credentials hardcoded into the binary. 

Kaspersky researchers discovered two ALPHV breaches, one of a cloud hosting provider in the Middle East and the other of an oil, gas, mining, and construction corporation in South America, according to a blog post published on Thursday. Kaspersky discovered the use of Fendr while investigating the second incident. ALPHV has also been blamed for breaches at two German energy providers and the luxury fashion label Moncler.

A&T is the seventh US university or college to be hit by the ransomware so far this year, according to Brett Callow, a security analyst at security firm Emsisoft. Callow also said that at least eight school districts have also been hit, disrupting operations at as many as 214 schools.

Exmatter: A New Data Exfiltration Tool Used in Attacks

Security researchers have identified a new data exfiltration tool designed to help ransomware groups using the BlackMatter variant steal information faster. According to the Symantec Threat Hunter team, the custom tool is the third of its kind discovered, following the Ryuk Stealer tool and the LockBit-linked StealBit. It's called "Exmatter," and it is meant to steal specific file types from specific directories before uploading them to a server controlled by the BlackMatter attackers. 

This method of narrowing down data sources to only those considered most profitable or business-critical is intended to speed up the entire exfiltration process, presumably, so threat actors may finish their attack stages before being interrupted.

Exmatter is obfuscated and compiled as a .NET executable. When run, it looks for the strings "nownd" and "-nownd" in its command line arguments. If either is present, it calls the ShowWindow API, as in ShowWindow(Process.GetCurrentProcess().MainWindowHandle, 0), to try to conceal its own window. It excludes files with attributes such as FileAttributes.System, FileAttributes.Temporary, and FileAttributes.Directory, as well as files smaller than 1,024 bytes. 

Multiple versions of Exmatter have been discovered, implying that the attackers have continued to improve the tool in order to exfiltrate a large number of high-value data in as little time as possible. 

In a second variant, the directory "C:\Program Files\Windows Defender Advanced Threat Protection\Classification\Configuration" on the exclusion list has been replaced with "C:\Program Files\Windows Defender Advanced Threat Protection", and the file types ".xlsm" and ".zip" have been added to the list of targeted files. A third version added a WebDAV client; judging by the code structure, SFTP is still the preferred protocol, with WebDAV serving as a backup. 
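The behaviour described above gives defenders two observable hooks: the "nownd"/"-nownd" argument that the tool parses before hiding its window, and an outbound SFTP (or fallback WebDAV) session from a binary that has no business speaking SSH. The script below is an added example, not Symantec's analysis code, that runs that detection logic over constructed Sysmon-style process-creation and network-connection records. The event layout, the rule names, the allowlist of expected SSH clients and every path and IP in the sample data are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (not real data). Shapes loosely follow Sysmon
# event 1 (process create) and event 3 (network connection) records.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\svc.exe -nownd"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\docs\nownd\notes.txt"},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 22, "Protocol": "tcp"},
    {"EventID": 3, "Image": r"C:\Program Files\Git\usr\bin\ssh.exe",
     "DestinationIp": "198.51.100.5", "DestinationPort": 22, "Protocol": "tcp"},
]

# Assumption: binaries this (hypothetical) organisation expects to open
# outbound SSH/SFTP sessions. Anything else on port 22 is worth a look.
SSH_CLIENT_ALLOWLIST = {
    r"c:\program files\git\usr\bin\ssh.exe",
    r"c:\windows\system32\openssh\ssh.exe",
}

# Splits a Windows command line into arguments: quoted runs stay together.
_ARG_RE = re.compile(r'"[^"]*"|\S+')


def has_hidden_window_flag(command_line: str) -> bool:
    """True if any argument after the image path is exactly the
    'nownd' / '-nownd' switch that Exmatter checks before calling
    ShowWindow(..., 0). A path that merely contains 'nownd' does not match."""
    args = _ARG_RE.findall(command_line)[1:]  # drop the image path itself
    return any(a.strip('"').lower() in ("nownd", "-nownd") for a in args)


def is_unexpected_sftp_connection(image: str, port: int) -> bool:
    """Outbound port 22 from a binary that is not an approved SSH client."""
    return port == 22 and image.lower() not in SSH_CLIENT_ALLOWLIST


def triage(events: List[Dict]) -> List[Dict]:
    """Walk the events in order, emit alerts, and raise severity when the
    same image both used the hidden-window switch and opened SFTP egress."""
    alerts: List[Dict] = []
    flagged_images = set()
    for ev in events:
        image = ev.get("Image", "")
        if ev.get("EventID") == 1:
            if has_hidden_window_flag(ev.get("CommandLine", "")):
                flagged_images.add(image.lower())
                alerts.append({"rule": "exmatter_nownd_switch",
                               "image": image, "severity": "medium"})
        elif ev.get("EventID") == 3:
            port = int(ev.get("DestinationPort", 0))
            if is_unexpected_sftp_connection(image, port):
                # Correlation: a process that hid its window and now pushes
                # data over SFTP matches the exfiltration pattern end to end.
                severity = "high" if image.lower() in flagged_images else "low"
                alerts.append({"rule": "unexpected_sftp_egress", "image": image,
                               "destination": ev.get("DestinationIp"),
                               "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Run on the constructed events, the script raises a medium alert for the `-nownd` launch, no alert for the notepad command line (the string only appears inside a path), a high alert for the temp-directory binary's SFTP session, and nothing for the approved Git ssh.exe. The allowlist is the part to tune: in a real deployment it should come from inventory, and the WebDAV fallback would need an HTTP-method-aware sensor rather than port matching.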

BlackMatter is tied to the Coreid cybercriminal organization, which was previously responsible for the Darkside malware. It has been one of the most active targeted ransomware operators in recent months, and its tools have been used in a number of high-profile attacks, including the May 2021 Darkside attack on Colonial Pipeline, which disrupted petroleum supply to the US East Coast. Coreid follows a RaaS approach, collaborating with affiliates to carry out ransomware operations and taking a cut of the profits.

“Like most ransomware actors, attacks linked to Coreid steal victims’ data and the group then threatens to publish it to further pressure victims into paying the ransom demand,” Symantec concluded. “Whether Exmatter is the creation of Coreid itself or one of its affiliates remains to be seen, but its development suggests that data theft and extortion continues to be a core focus of the group.”

Olympus Suffers Second Cyberattack in 2021


Olympus, a Japanese tech giant, disclosed that it was hit by a cyberattack that forced it to take down its IT systems in the United States, Canada, and Latin America. 

Olympus, founded in 1919, is a technology leader in the medical sector that develops cutting-edge opto-digital products, life science products, and consumer electronics. On October 12, Olympus announced on its website that it is investigating a potential cybersecurity incident discovered on October 10 and is working with the utmost priority to resolve the issue.  

The company stated, "Upon detection of suspicious activity, we immediately mobilized a specialized response team including forensics experts, and we are currently working with the highest priority to resolve this issue." 

"As part of the investigation and containment, we have suspended affected systems and have informed the relevant external partners. The current results of our investigation indicate the incident was contained to the Americas with no known impact to other regions." 

The firm did not state whether customer or corporate data was accessed or stolen as a result of the "potential cybersecurity incident," but added that it would share updated information on the attack as soon as it becomes available. 

Olympus added, "We are working with appropriate third parties on this situation and will continue to take all necessary measures to serve our customers and business partners in a secure way. Protecting our customers and partners and maintaining their trust in us is our highest priority." 

According to an Olympus spokesman, the firm discovered no indication of data loss during an ongoing investigation into this occurrence. 

This incident follows the ransomware attack on Olympus' EMEA (Europe, Middle East, and Africa) IT infrastructure in early September. Although Olympus did not disclose the identity of the attackers, ransom notes discovered on affected computers showed that BlackMatter ransomware operators orchestrated the attack. 

The identical ransom notes directed victims to a Tor website previously used by the BlackMatter group to connect with its victims. Although Olympus did not provide many specifics about the nature of the attack that impacted its Americas IT systems, ransomware groups are notorious for carrying out their operations on weekends and holidays in order to minimize detection. 

In an August joint alert, the FBI and CISA stated that they had "observed an increase in highly impactful ransomware attacks occurring on holidays and weekends—when offices are normally closed—in the United States, as recently as the Fourth of July holiday in 2021."