Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Double extortion. Show all posts
Qilin Ransomware
Cyber Attacks Data Theft Double extortion Media Firm Qilin Ransomware

Qilin Ransomware Outfit Claims Credit for Lee Enterprises Breach

 

The Lee Enterprises attack that caused disruptions on February 3 has been linked to the Qilin ransomware group, which has released samples of data they claim were stolen from the enterprise. The ransomware actors have now threatened to release all of the allegedly stolen material unless a ransom demand is fulfilled.

The US-based media firm Lee Enterprises owns and runs 350 magazines, 77 daily newspapers, digital media platforms, and marketing services. The company's internet viewership reaches tens of millions each month, and its main concentration is local news and advertising.

In a report with the Securities and Exchange Commission (SEC) earlier this month, the company disclosed that it was subjected to a cyberattack on February 3, 2025, resulting in major operational disruption. Threat analysts discovered that the outage created serious issues, including lost access to internal systems and cloud storage, as well as non-functioning corporate VPNs.

A week later, Lee Enterprises filed a new statement with the SEC, stating that the attackers "encrypted critical applications and exfiltrated certain files," implying that they had been targeted by ransomware. 

Earlier this week, Qilin ransomware added Lee Enterprises to its dark web extortion site, publishing samples of allegedly stolen data such as government ID scans, non-disclosure agreements, financial spreadsheets, contracts/agreements, and other private papers reportedly stolen from the company. 

Evolution of Qilin ransomware

Despite not being one of the most active ransomware groups, Qilin has advanced significantly since being introduced in August 2022 under the alias "Agenda.”

In the years that followed, the cybercriminals claimed hundreds of victims, with prominent examples including automotive manufacturer Yangfeng, Australia's Court Services Victoria, and many major NHS hospitals in London. 

In terms of technical evolution, Qilin delivered a Linux (VMware ESXi) variation in December 2023, began deploying a custom Chrome credentials stealer in August 2024, and launched a Rust-based data locker with stronger encryption and better evasion in October. 

Microsoft released a report last year claiming that the infamous members of the hacking group known as "Scattered Spider" had started using the Qilin ransomware in their attacks.
Read more »
Ransomwares
Cyber Security Data Exfiltration Double extortion Encrypted Files Play ransomware PlayCrypt Ransomware attack Ransomwares

Play Ransomware: A Rising Global Cybersecurity Threat

 


Play ransomware, also known as Balloonfly or PlayCrypt, has become a significant cybersecurity threat since its emergence in June 2022. Responsible for over 300 global attacks, this ransomware employs a double extortion model — stealing sensitive data before encrypting files and appending them with the ".PLAY" extension. 

Victims are pressured to pay ransoms to recover their data and prevent its public release, making Play ransomware particularly dangerous for organizations worldwide. 

Recent investigations have revealed possible connections between Play ransomware and the North Korean-linked Andariel group. Research by cybersecurity firm AhnLab suggests that Andariel utilizes malware like Sliver and DTrack for reconnaissance and data theft prior to deploying ransomware attacks. The group's history with advanced ransomware strains such as SHATTEREDGLASS and Maui highlights the increasing sophistication of Play ransomware operations. Exploitation of Security Vulnerabilities Play ransomware exploits vulnerabilities in widely used systems to gain unauthorized access. Notable targets include:
  • ProxyNotShell (CVE-2022-41040, CVE-2022-41082): Flaws in Microsoft Exchange Server exploited for initial network infiltration.
  • FortiOS Vulnerabilities (CVE-2020-12812, CVE-2018-13379): Security gaps in Fortinet products leveraged for unauthorized access.
By exploiting these vulnerabilities and using compromised credentials, attackers can bypass detection and establish control over targeted networks. 
  
Play Ransomware Attack Lifecycle 
 
Play ransomware operators follow a structured, multi-phase attack methodology:
  • Reconnaissance: Tools like NetScan and AdFind are used to map networks and gather critical system information.
  • Privilege Escalation: Attackers employ scripts such as WinPEAS to exploit vulnerabilities and obtain administrative privileges.
  • Credential Theft: Tools like Mimikatz extract sensitive login information, enabling deeper network penetration.
  • Persistence and Lateral Movement: Remote access tools like AnyDesk and proxy utilities like Plink are used to maintain control and spread malware. Additional tools, such as Cobalt Strike and PsExec, facilitate lateral movement across networks.
  • Defense Evasion: Security programs are disabled using tools like Process Hacker to avoid detection.
  • Data Exfiltration: Files are compressed with WinRAR and transferred using WinSCP before encryption begins.
  • File Encryption and Ransom Demand: Files are encrypted and appended with the ".PLAY" extension. Victims receive a ransom note titled "ReadMe.txt", providing negotiation instructions and a Tor link for secure communication.
Mitigation Strategies Against Play Ransomware 
 
Organizations can reduce the risk of Play ransomware attacks by adopting proactive cybersecurity measures, including:
  • Patch Management: Regularly updating and patching known system vulnerabilities.
  • Advanced Security Protocols: Implementing robust endpoint detection and response (EDR) solutions.
  • Access Control: Strengthening authentication methods and restricting privileged access.
  • Employee Awareness: Conducting cybersecurity training to recognize phishing and social engineering attacks.
  • Data Backup: Maintaining secure, offline backups to enable data recovery without paying ransom demands.
Play ransomware exemplifies the growing complexity and impact of modern cyber threats. Its sophisticated attack methods, exploitation of known vulnerabilities, and suspected collaboration with nation-state actors make it a serious global concern. Proactive cybersecurity strategies and heightened vigilance are essential to protect organizations from this evolving threat.
Read more »
Rhysida
Cyber Attacks Dark Web Double extortion Ransomware Rhysida

Hackers Steal 6 Terabytes Data, Sells on Dark Web

Hackers Steal 6 Terabytes Data, Sells on Dark Web

The City of Columbus faces a major cybersecurity threat due to a hacking group Rhysida’s claims of stealing a massive 6.5 terabytes of sensitive information. The data heist happened after a ransomware attack on July 18 that forced the city to close down various online operations. 

Ransomware attack 

Mayor Andrew Ginther acknowledged the attack but didn’t disclose the group and the type of data compromised, only saying the attack came from an ‘established and sophisticated threat actor operating overseas.” 

Although the IT department was able to stop the hackers from encrypting the data, the hackers still got the most of it. Claiming responsibility for the attack, Rhysida is auctioning the stolen data on a dark website for sale. 

Hackers ask for Bitcoin as ransom

The ransom demand is 30 Bitcoin, which comes to around $1.9 million. The data for sale includes databases and city video camera access. The hackers promise buyers full ownership, and reselling is not allowed. In earlier attacks, if Rhysida couldn't find a buyer, they just leaked the data publicly. 

The mayor’s office is currently mute about the ongoing investigation. However, they have taken measures to save impacted employees by providing Experian credit monitoring services. The safety step extends to the whole city, judge employees, and Franklin County Municipal Court clerk. 

The mayor stressed that the threat actors’ main goal was to churn out as much money as possible, and the city is improving its cybersecurity infrastructure to avoid future attacks.

Use of Double Extortion 

According to experts, Rhysdia’s action aligns with a strategy called “double extortion.” It suggests the threat actors extracted the sensitive data before starting the encryption process. Even after the city stopped the encryption, Rhysida may still have important data. However, experts also said that Rhysida has a history of exaggerating the volume of stolen data they have claimed.

At present, the city is working to limit the crisis, the Columbus city residents await more updates and hope for an answer that prevents their sensitive data. 

“Even before the auction, some city employees were already falling victim to compromised data. Brian Steel, president of the local branch of the Fraternal Order of Police, confirmed to NBC4 that at least 12 Columbus police officers had their bank accounts hacked. However, there’s no evidence to connect this as a direct symptom of Rhysida’s attack,” reports NBC4. 

Read more »
ransomware attacks
Crypto Extortion Threats cryptocurrency Cyber Attacks Double extortion RaaS Ransomware ransomware attacks

Ransomware Gangs are Evolving: Cryptocurrency Flaws Could be Their Next Target


Dallas City Government, in May 2023, faced a ransomware attack which resulted in the temporary halt in their operations which included hearings, trial and jury duty and the closure of the Dallas Municipal Court Building. 

The attack further impacted police activities, as overstretched resources made it more difficult to implement initiatives like summer youth programs. Threats to publish private information, court cases, prisoner identities, and official papers were made by the criminals.

One may think that cyberattack on city government would be a headline news, however, this year has seen a number of such instances that any mere attack is just another common topic of discussion. A notable exception was the vulnerability exploitation of a Moveit file transfer app in May and June 2023 that led to data theft from hundreds of organizations across the world, including British Airways, the BBC and the chemist chain Boots. 

Apparently, over the past years the ransom payments have doubled to US$1.5 million, with the big-profit organizations paying the highest price. A British cybersecurity company called Sophos discovered that the average ransomware payment increased from US$812,000 the year before. At US$2.1 million, the average payment made by UK organizations in 2023 was considerably greater than the global average.

While ten years ago this was no more than a theoretical possibility and niche threat, but ransomware has now gained a wide acknowledgment as a major threat and challenge to modern society. Its rapid evolution, which has fueled crime and done enormous harm has raised serious concerns. 

The "business model" for ransomware has evolved as, for example, malware attack vectors, negotiation tactics, and criminal enterprise structure have all advanced.

Criminals are now expected to adapt to their strategies and cause digital catastrophe for years to come. In order to combat the long-term threat, it is crucial to examine the ransomware threat and anticipate these strategies.

What is Ransomware?

In various settings, the term "ransomware" can refer to a variety of concepts. At Columbia University, Adam Young and Mordechai "Moti" Yung revealed the fundamental structure of a ransomware assault in 1996, which is as follows: 

Criminals get past the victim's cybersecurity defenses (either by using strategies like phishing emails or an insider/rogue employee). Once the victim's defenses have been breached, the thieves release the ransomware. Which has as its primary purpose locking the victim out of their data by encrypting their files with a private key, which is conceptualized as a lengthy string of characters. The perpetrator now starts the third stage of an attack by requesting a ransom for the private key.

Here, we are discussing some of the most popular developments of ransomware attacks one may want stay cautious about: 

Off-the-shelf and Double Extortion 

Ransomware-as-a-service's advent was a significant development. This phrase refers to markets on the dark web where criminals can buy and utilize "off-the-shelf" ransomware without the need for sophisticated computer knowledge, and the ransomware providers get a part of the profits.

According to research, the dark web serves as the "unregulated Wild West of the internet" and provides criminals with a secure environment in which to exchange unlawful goods and services. It is freely accessible, and there is a thriving worldwide underground economy there thanks to anonymization technologies and digital currencies. The European Union Agency for Law Enforcement estimates that just in the first nine months of 2019, there was spending of US$1 billion.

With ransomware as a service (RaaS), the entry hurdle for would-be cybercriminals was decreased in terms of both cost and expertise. In the RaaS model, vendors that create the malware provide competence, although the attackers themselves may be only moderately experienced.

Crypto Extortion Threats 

In the newer developments in ransomware attacks, attackers are now progressively finding new tactics for extortion. One of the highly discussed techniques include the cryptocurrency-specific variations, and the “consensus mechanisms” used within them.

Consensus mechanism refers to a technique used to achieve consensus, trust, and security across a decentralized computer network.

In particular, cryptocurrencies are progressively validating transactions through a so-called "proof-of-stake" consensus method, in which investors stake substantial amounts of money. These stakes are open to ransomware extortion by criminals.

Until now, crypto has relied on a so-called “proof-of-work” consensus mechanism where the authorization of transactions include solving a complicated math problem (the work) to authorize transactions. This strategy is not long-term viable since it leads to unnecessary large-scale energy use and duplication of effort.

A "proof-of-stake" consensus method is the alternative, which is increasingly becoming a reality. In this case, validators who have staked money and receive compensation for validating transactions approve transactions. A financial stake takes the place of the role played by ineffective work. While this solves the energy issue, it also means that substantial sums of staked money are required to validate crypto-transactions.

Read more »
Vulnerabilities and Exploits
Double extortion Encryption MFA Ransomware Attacks. RDP Remote Desktop Protocol Two Factor Authentication Unauthorized access Vulnerabilities and Exploits

Rapid Ransomware Dwell Time and Persistent RDP Vulnerabilities

The dwell period of ransomware hackers has decreased to just 5 days, a noteworthy trend in the constantly changing world of cyber dangers that demands prompt response. The urgent necessity for stronger cybersecurity measures is highlighted by the quick infiltration and encryption timeframe as well as the ongoing use of Remote Desktop Protocol (RDP).

The dwell time, which measures how long an unauthorized actor stays within a hacked system before launching a cyberattack, has substantially lowered to just 5 days, according to a report by BleepingComputer. This is a considerable decrease from the prior average of 18 days, indicating that threat actors are getting better at quickly entering target networks and deploying their destructive payloads.

The report also highlights the persistent use of Remote Desktop Protocol (RDP) as a primary entry point for ransomware attacks. Despite numerous warnings and documented vulnerabilities, RDP remains widely used due to its convenience in enabling remote access. Security experts have long cautioned against RDP's risks, emphasizing its susceptibility to brute force attacks and the potential for unauthorized entry.

A study by Sophos echoes these concerns, revealing that RDP-related attacks remain a prevalent threat vector. Cybercriminals exploit misconfigured RDP services and weak passwords to gain unauthorized access to systems, making them ripe targets for ransomware deployment. The consequences of such attacks can be devastating, leading to data breaches, operational disruptions, and substantial financial losses.

The widespread reliance on RDP is concerning, given the increasing sophistication of ransomware attacks. Attackers are employing various tactics, such as double extortion, where they not only encrypt sensitive data but also threaten to leak it unless a ransom is paid. This creates a multifaceted dilemma for organizations, forcing them to not only recover their systems but also mitigate potential reputational damage.

The security community has also discovered new RDP-related vulnerabilities, according to The Hacker News. These flaws include things like unreliable encryption, a lack of two-factor authentication, and vulnerability to 'pass-the-hash' attacks. The critical need for businesses to review their remote access policies and make investments in safer substitutes is further highlighted by these fundamental shortcomings.

Organizations must take a multifaceted approach to improve their cybersecurity defenses in order to counter these expanding threats. This entails putting in place tight access controls, enforcing strict password guidelines, and routinely patching and updating systems. Ransomware attacks can be considerably reduced with the use of more secure remote access technologies in place of RDP and thorough employee training.

Read more »
VoIP
Data Breach DDOS Attacks Double extortion Encryption Firewall GitHub Lorenz Ransomware VoIP

Lorenz Ransomware: Network Breach via VoIP

A ransomware group has been spotted adopting a unique initial-access technique to infiltrate commercial phone systems using voice-over-IP (VoIP) devices before switching to corporate networks to carry out double-extortion operations.

The anonymous organization was affected by the Lorenz ransomware strain, according to a team at Arctic Wolf. 

Lorenz Ransomware 

The Lorenz encryptor is similar to the ones employed by a prior ransomware operation known as ThunderCrypt, according to Michael Gillespie of ID Ransomware.

This gang is also known for providing access to its targets' private systems to other hackers along with the material that has been stolen prior to encryption in order to lure its victims into paying a ransom.

After leaking the stolen material as password-protected RAR archives if ransoms are not paid, Lorenz also divulges the password to open the leaked archives, giving the general public access to the files.

VoIP Threats

According to Arctic Wolf researchers, Lorenz used the bug to gain a reverse shell, and the group then used Chisel, a Golang-based rapid TCP/UDP tunnel that is transmitted through HTTP, as a tunneling tool to infiltrate the corporate environment. According to the GitHub page, "the tool is mostly useful for going through firewalls."

The attacks demonstrate a shift by threat actors toward using 'lesser recognized or monitored assets' to gain access to networks and engage in additional criminal behavior, the researchers further told. 

CrowdStrike published a blog post about the Mitel vulnerability and a possible ransomware attack attempt using the same CVE back in June. Since then, Mitel has patched this crucial zero-day flaw and recommended all users do the same. After providing a remediation script for vulnerable MiVoice Connect versions in April, Mitel resolved the problem by delivering security updates in the first half of June 2022.

The hackers then shifted into the network using the free source TCP tunneling application Chisel. Following initial access, the group waited for over a month before moving laterally, using FileZilla to exfiltrate data, and encrypting ESXi systems with BitLocker and Lorenz ransomware.

Considering that Mitel Voice-over-IP (VoIP) brands are used by businesses in crucial industries around the world including government agencies and that over 19,000 devices are currently vulnerable to attacks over the Internet, according to security expert Kevin Beaumont, this is a significant addition to the gang's toolkit.

Threat actors have used record-breaking DDoS amplification assaults to exploit further security holes affecting Mitel devices. Since at least December 2020, the Lorenz ransomware group has been focusing on enterprises all across the world, extorting hundreds of thousands of dollars from each victim.








Read more »
Ransomware Attacks.
Data Breach Double extortion Encryption Hive Ransomware Phishing Attacks Ransomware Attacks.

Damart Suffered a Hive Ransomware Attack

A cyberattack by the Hive ransomware gang has led to an extortion attempt worth $2 million against Damart, the French clothing firm with over 130 locations throughout the world. 

The company's operations have been interrupted and some of its systems have been encrypted since August 15. In order to keep discussions confidential, the hackers have chosen not to list the victim on their extortion website.

Damart has not yet started discussions with the cybercriminals but has reported the event to the national police, thus, it remains doubtful if Hive will be compensated.

The first indication of difficulty arose on August 15 when Damart posted a notice about unexpected maintenance on the home page of their online store.

Damart, a mail-order clothing company based in Bingley, West Yorkshire, has confirmed that there was an attempt to hack into their IT systems during that time. The firm stated that "They were quickly able to intercept the attempt with strong security protocols."

In addition, the website is presently unavailable because they have temporarily restricted several services that are offered to clients as a precaution. The business places a high focus on data and system security, and reassuringly, there is no proof that any client data has been adversely affected as of yet.

On August 24, it was revealed that 92 of Damart's stores had been affected by the disruption to its sales network, which was not functioning regularly. As a result, fewer purchases were accepted, and customer service was shut down.

The company made it clear that the hackers had successfully entered the Active Directory and had begun a sudden attack that led to the encryption of some of the systems.

According to Damart, the corporation took preventive measures by shutting down systems to prevent them from being encrypted, which impaired the services.

It is yet uncertain whether Hive was successful in stealing any data during the cyberattack. The gang, however, uses the double-extortion strategy and steals data before it is encrypted. This gives the hackers the ability to threaten the victim with a data breach in order to exert pressure on the victim to pay a ransom.

The situation is similar to how Ragnar Locker's cyberattack against LDLC last December played out. By their own accord, the assailants had been stopped before they could deliver their fatal blow and activate the encryption.

According to Valery Marchive's claim, the hackers are not eager for negotiations and anticipate that parent company Damartex would pay the whole ransom. Marchive was able to recover a leaked ransom note and published data on LeMagIT.
Read more »
VMware
Cyber Secuirty Cyber Security Darknet Double extortion Linux Ransomware Attacks. Russian Hacker VMware

ESXi , Linux, and Windows Systems at Risk From New Luna Ransomware

Luna is a brand-new ransomware family that was written in Rust, making it the third strain to do so after BlackCat and Hive, according to Kaspersky security researchers

The experts who examined the ransomware's command-line options believe that Luna is a reasonably straightforward ransomware program. 

Luna ransomware

This interesting encryption method combines x25519 with AES. The researchers discovered that the Linux and ESXi samples, which are compiled using the identical source code, differ only slightly from the Windows version.

Darknet forum advertisements for Luna imply that the ransomware is only meant to be used by affiliates who speak Russian. Due to spelling errors in the ransom note that are hard-coded into the malware, its main creators are also thought to be of Russian descent.

The Luna ransomware is also able to avoid automated static code analysis attempts by utilizing a cross-platform language.

"The source code used to compile the Windows version and the Linux and ESXi samples are identical. The remaining code is almost unchanged from the Windows version" the researchers added. Luna "confirms the trend for cross-platform ransomware," the researchers wrote, pointing out how hackers are able to target and strike at scale while avoiding static analysis, thanks to the platform flexibility of languages like Golang and Rust.

Nevertheless, considering that Luna is a recently identified criminal organization and its activities are still being constantly monitored, there is very little knowledge available regarding the victimology trends.

Black Basta

Researchers have also revealed information about the Black Basta ransomware group, which modified its software to target ESXi systems. By adding compatibility for VMware ESXi, various ransomware families, including LockBit, HelloKitty, BlackMatter, and REvil, hope to increase their potential targets.

The double-extortion attack model is used by Black Basta, a ransomware operation that has been operational since April 2022.

Researchers from Kaspersky said that operators had introduced a new feature that relies on launching the computer in safe mode before encrypting data and imitating Windows Services in order to maintain persistence.

Black Basta can avoid detection from a variety of endpoint security solutions by starting Windows in safe mode.




Read more »
Subscribe to: Posts (Atom)