
Key Group Ransomware: Free Decryptor Released

A free decryptor to tackle the infamous Key Group ransomware has been launched, making a huge contribution to the fight against cybercrime. This finding represents a win for cybersecurity professionals and victims alike, offering some hope to those who have been affected by this harmful program.

The ransomware known as Key Group has been making news for all the wrong reasons by encrypting data and demanding large ransom payments from victims. However, a recent development has provided some solace. Organizations and security professionals have teamed up to create a decryptor that can free users from the grip of this digital threat.

The Key Group ransomware, like many others of its kind, infiltrates computer systems, encrypts data, and demands a ransom for the decryption key. These attacks have wreaked havoc on individuals and organizations, causing data loss and financial distress. Victims were left with two grim choices: pay the ransom and hope for a decryption key, or suffer the loss of valuable data.

The release of this free decryptor is a game-changer in the battle against cybercriminals. It allows victims to regain access to their data without succumbing to the demands of the attackers. This development underscores the importance of collaboration within the cybersecurity community. Researchers, analysts, and organizations came together to reverse-engineer the ransomware and develop a tool capable of undoing its malicious work.

Notably, this free decryptor is a testament to the relentless efforts of cybersecurity professionals who work tirelessly to protect individuals and businesses from the perils of the digital world. Their commitment to innovation and the pursuit of solutions to emerging threats is commendable.

While the release of a free decryptor is undoubtedly a significant step forward, it should also serve as a reminder of the importance of proactive cybersecurity measures. Prevention is often the best defense against ransomware attacks. Regularly updating software, implementing robust security protocols, and educating users about phishing and malware are crucial steps in reducing the risk of falling victim to such attacks.


Free Decrypter Released for the TargetCompany Ransomware

 

Good news for TargetCompany victims: Czech cybersecurity software firm Avast has recently released a free decryptor tool that helps victims of the TargetCompany (Tohnichi) ransomware recover files without paying the ransom demand.

Initially discovered in June 2021, the Tohnichi ransomware group has wreaked havoc on its victims, companies and consumers alike, despite being one of the smaller ransomware gangs currently active.

The Czech cybersecurity firm has confirmed that it created the app, called a decrypter, after one of its customers was breached by the ransomware and needed a way to recover their files. However, the firm has warned its customers that the free utility is limited: it can only recover encrypted files “under certain circumstances.”

The firm further said that the victims who want to recover their files should keep in mind that the process of recovering files is resource-intensive and time-consuming too. 

“During password cracking, all your available processor cores will spend most of their computing power to find the decryption password. The cracking process may take a large amount of time, up to tens of hours...,” Avast said. “...On the final wizard page, you can opt-in whether you want to backup encrypted files. These backups may help if anything goes wrong during the decryption process.”

To build the decrypter, Avast told the press, it reverse-engineered the TargetCompany ransomware, whose novel encryption scheme is a mix of the ChaCha20, AES-128, and Curve25519 algorithms.

If you are a victim of a TargetCompany ransomware attack, you can recover your files without paying anything. Download the decryption tool from Avast’s servers (64-bit or 32-bit); both downloads work for versions of the TargetCompany ransomware that encrypted files with the architek, brg, exploit, and mallox file extensions.

Managed.com Hosting Provider Hit by REvil Ransomware, $500K Ransom Demand


Managed hosting provider Managed.com has temporarily taken all its servers and web hosting systems offline, including clients' websites, in response to a REvil ransomware attack that compromised public-facing web hosting systems.

The threat actors behind the security incident, which took place on Monday, 16th November, are not yet known; however, the company said that it is working with law enforcement agencies to investigate the matter and restore services as securely as possible. As of now, it remains unclear whether the attackers stole any data before encrypting devices.
 
Initially, the web hosting service refrained from revealing any details about the incident and posted an update claiming 'unscheduled maintenance' as the reason for the service interruption. However, later on, the company disclosed that it had encountered a ransomware attack that affected their systems and files containing critical data. 
 
In a status update, Managed.com said, "November 17, 2020 – On Nov.16, the Managed.com environment was attacked by a coordinated ransomware campaign. To ensure the integrity of our customers’ data, the limited number of impacted sites were immediately taken offline. Upon further investigation and out of an abundance of caution, we took down our entire system to ensure further customer sites were not compromised. Our Technology and Information Security teams are working diligently to eliminate the threat and restore our customers to full capacity. Our first priority is the safety and security of your data. We are working directly with law enforcement agencies to identify the entities involved in this attack. As more information is available, we will communicate directly with you." 
 
 
According to multiple sources, REvil, a ransomware-as-a-service operation known for carrying out large attacks, has demanded a $500,000 ransom in Monero in exchange for a decryption key. REvil has attacked big names like Kenneth Cole, Travelex, Brown-Forman, GSMLaw and SeaChange in the past.

Also known as Sodinokibi ransomware, REvil was first spotted in April 2019. It attacks Windows PCs to encrypt all the files on local drives (except those listed in its configuration file) and leaves a ransom note on affected systems with instructions for getting the files decrypted in return for the demanded ransom.

LockBit Ransomware Emerging as a Dangerous Threat to Corporate Networks


LockBit is a relatively new ransomware that Northwave Security first identified performing targeted attacks in September 2019, when it was veiled as the .ABCD virus. The threat actors behind the ransomware were observed leveraging brute-force tactics and evasion-based techniques to infect computers and encrypt files until the victim pays the ransom.

LockBit enables attackers to move quickly around a network after compromising it; it exploits SMB, ARP tables, and PowerShell to propagate the malware through an infected network.

The developers rely on third parties to spread the malware via any means the third party devises. After successfully infecting the network, the attacker redirects the victim to a payment site operated by them. The victim is then subjected to threats of data leak until the ransom is paid to the attackers.

Modus operandi of the attack

The attackers drop a payload that is hidden in the '.text' sections, which keeps conventional AV mechanisms from catching the file during an on-disk scan; the attackers compress the file with a unique format.

Upon being executed, the file scans the entire LAN and attempts to establish a connection to the hosts via the SMB port (445) to spread the infected file across the entire internal network.

Then, in order to bypass User Account Control, the command "C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" is run by an instance of SVCHOST.exe, which launches the DllHost.exe process.

After that, the 'backup.exe' file executes the payload and encrypts most of the victim's files, changing their extensions to 'lockbit'. Finally, it leaves a ransom note named 'Restore-My-Files.txt' in various folders on the host.

As per sources, the top targets of LockBit were located in the U.S., the U.K., China, India, Germany, France, and Indonesia. Experts suggest that users worldwide should strengthen their security defenses. It is also recommended to store backups of important files separately so that they are hard to reach through the network.

Giving insights into a particular case, Patrick Van Looy, a cybersecurity specialist for Northwave, told BleepingComputer, "In this specific case it was a classic hit and run. After gaining access through brute-forcing the VPN, the attacker almost immediately launched the ransomware (which he could with the administrator account that he had access to). It was around 1:00 AM that the initial access took place, after which the ransomware was launched, and at around 4:00 AM the attacker logged off. This was the only interaction that we have observed."

New Malicious Program 'Nefilim' Threatens to Release Stolen User Data


Nefilim, a new ransomware that encrypts files on affected systems, has been active since February 2020. After encrypting the files, it demands a ransom from the victims for the decryption of files, tools, and software. It is still unclear how the ransomware is being spread; sources reckon that it is distributed via vulnerable Remote Desktop Services.

According to Vitali Kremez, the head of SentinelLabs, and Michael Gillespie from ID Ransomware, the code employed in Nefilim closely resembles that of Nemty, another file-encrypting ransomware that steals user data by restricting access to documents and multimedia using the AES-256 algorithm. Security researchers speculate that the authors of the first ransomware likely have a role to play in Nefilim's creation and distribution. However, given the uncertainty about where the new ransomware originates, experts also point to the possibility that new malicious actors somehow obtained the source code to develop a new variant.

While the encryption is underway, the ".NEFILIM" extension is appended to all affected files. For instance, a file previously named "xyz.png" would appear as "xyz.png.NEFILIM" after the encryption takes place. Once the process completes, a ransom note titled "NEFILIM-DECRYPT.txt" is created on the infected user's desktop. "A large amount of your private files have been extracted and is kept in a secure location. If you do not contact us in seven working days of the breach we will start leaking the data. After you contact us we will provide you proof that your files have been extracted," the note reads.

As per the sources, Nefilim relies primarily on email communications for payment instead of a Tor payment site, following the removal of the Ransomware-as-a-Service (RaaS) component; this stands out as one major difference. According to the analysis carried out by Gillespie, there is as of now no way to retrieve files without paying the ransom because the ransomware is reported to be completely secure. As a result, victims are being threatened that the stolen data will be exposed by the attackers unless they pay the demanded amount within a week.
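The file, process and network artefacts named in the LockBit and Nefilim posts above can be matched against endpoint telemetry. The following is an added example, not code from the original posts or from any vendor: the event schema, host names and both thresholds are assumptions, and the sample events are constructed.

```python
import ntpath
from collections import defaultdict
# Indicators quoted in the LockBit and Nefilim posts on this page.
FAMILIES = {"LockBit": (".lockbit", "restore-my-files.txt"),
            "Nefilim": (".nefilim", "nefilim-decrypt.txt")}
LOCKBIT_CLSID = "{3e5fc7f9-9a51-4367-9063-a120244fbec7}"
SMB_FANOUT = 3    # assumed threshold: distinct peers contacted on port 445
RENAME_BURST = 3  # assumed threshold: files carrying an encrypted extension

def triage(events):
    """Map each host to the sorted indicator findings seen in its events."""
    findings, smb_peers = defaultdict(set), defaultdict(set)
    renamed = defaultdict(lambda: defaultdict(int))
    for ev in events:
        host = ev["host"]
        if ev["type"] == "file":
            name = ntpath.basename(ev["path"]).lower()
            for family, (ext, note) in FAMILIES.items():
                if name == note:
                    findings[host].add(f"{family}: ransom note")
                elif name.endswith(ext):
                    renamed[host][family] += 1
        elif ev["type"] == "proc":
            cmd = ev["cmdline"].lower()
            if "dllhost.exe" in cmd and "/processid:" + LOCKBIT_CLSID in cmd:
                findings[host].add("LockBit: DllHost.exe /Processid CLSID")
        elif ev["type"] == "net" and ev["dport"] == 445:
            smb_peers[host].add(ev["dst"])
    for host, counts in renamed.items():
        for family, n in counts.items():
            if n >= RENAME_BURST:  # a single stray file is not a burst
                findings[host].add(f"{family}: {n} files with encrypted extension")
    for host, peers in smb_peers.items():
        if len(peers) >= SMB_FANOUT:
            findings[host].add(f"SMB fan-out to {len(peers)} hosts on 445")
    return {h: sorted(f) for h, f in findings.items()}

# Constructed sample telemetry, not taken from a real incident.
SAMPLE = (
    [{"host": "ws1", "type": "net", "dst": f"10.0.0.{i}", "dport": 445} for i in range(2, 6)]
    + [{"host": "ws1", "type": "file", "path": rf"C:\Users\a\doc{i}.docx.lockbit"} for i in range(4)]
    + [{"host": "ws1", "type": "file", "path": r"C:\Users\a\Restore-My-Files.txt"},
       {"host": "ws1", "type": "proc", "cmdline":
        r"C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"},
       {"host": "fs2", "type": "file", "path": r"D:\share\xyz.png.NEFILIM"},
       {"host": "fs2", "type": "file", "path": r"C:\Users\b\Desktop\NEFILIM-DECRYPT.txt"},
       {"host": "ws3", "type": "net", "dst": "10.0.0.9", "dport": 445}]
)
if __name__ == "__main__":
    print(triage(SAMPLE))
```

A ransom note alone is reported immediately, while renamed files and SMB connections are only reported once they cross the assumed thresholds, so a single file share connection does not flag a host.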

Cyber security Team Identified Ransomware Utilized to Compromise City Power



Residents of Johannesburg using pre-paid electricity meters were not able to load the electricity purchased from City Power and were also unable to purchase further electricity due to a ransomware attack which compromised City Power's database.

Earlier, City Power said that while the variant of ransomware used to carry out the attack remained unknown, its ICT department was restoring and rebuilding the encrypted network, applications, and database.

Reassuring customers, Isaac Mangena, the utility's spokesperson, said, "We want to assure residents of Johannesburg that City Power systems were able to proactively intercept this and managed to deal with it quicker."

"Customers should also not panic, as none of their details were compromised," Mangena assured.

On Friday, City Power announced that their cybersecurity team identified the variant of malware which temporarily paralyzed the city's computer systems.

Reportedly, the email systems took the hardest hit from the ransomware and were taking a while to recover and become functional again.

While giving updates, Mangena said, “The virus samples have been taken to the external labs for analysis and testing.”

“Our IT technicians have also recovered and, in [a] few instances, reconstructed most of the systems, applications, and data that was threatened, using backup files.”

Victims of the attack, along with customers, have been raging since the incident encrypted the computer databases, applications and network.

City Power turned to external cyber security experts who worked in association with their team to tackle the issue.


Website of Chelyabinsk court hit by data-encrypting malware



Attackers hacked into the website of the Arbitration court of Chelyabinsk (a federal subject of Russia, on the border of Europe and Asia) and infected the server with data-encrypting malware.

The malware encrypted the information and files on the server. This incident took place on 4th October. By 10th October, the experts had managed to restore the website from a previously saved backup.

However, the court lost all the information that was published on its website for this year, as the last backup operation was done only in January. The online resources, including news, charts, video of conferences, and information about bureau and judicial appointments, were irretrievably lost.

According to the local report, the court is still trying to recover the information using its own sources. There is no detailed information about the malware variant used in the attack.

- Christina