Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Egregor Ransomware Attacks. Show all posts

Crytek Confirms Data Theft After Egregor Ransomware Attack

 

German game developer and publisher Crytek has accepted that its encrypted systems containing customers’ private details were breached by a ransomware gang known as Egregor who later leaked the same on the dark website. 

Earlier this month, Crytek sent out breach notification letters to the victims of the ransomware attack in which it acknowledges the ransomware attack that occurred in October 2020. The letter was shared with BleepingComputer by one of the customers impacted in the incident. 

"We want to inform you that Crytek was the victim of a ransomware attack by some unknown cyber-criminals. Ransomware is a form of malware that encrypts files on the systems of the attacked company. During that attack certain data had been encrypted and stolen from our network. We took immediate action to prevent the encryption of our systems, further secure our environment, and initiate an internal and external investigation into the incident," Crytek said in a letter mailed to one of their customers impacted by the encryption breach.

The company tried to reassure impacted individuals by saying "the website itself was difficult to identify, so that in our estimation, only very few people will have taken note of it." In addition to this, the enterprise also wrote that considering the size of the leaked data, it would have taken too long to download it anyway, which would probably have been a significant obstacle for individuals that wanted to get a hold of the data. 

The company also believes that those who attempted downloading the leaked data were discouraged by the "huge risk" of compromising their systems with malware embedded in the leaked documents.

Crytek's attempts to downplay the seriousness of the data breach don't hold water because attackers who really wanted to get their hands on leaked data would use a virtual machine and downloader to safely open what they download. The stolen data leaked by Egregor on their data leak website contained files related to WarFace, the cancelled Arena of Fate MOBA game, and documents that included information about their network operations.

So far, Egregor has targeted many well-known companies and organizations around the world, such as Barnes and Noble, Kmart, Cencosud, Randstad, and Vancouver’s TransLink metro system. In February, many members of the Egregor ransomware group were captured in Ukraine during a coordinated operation between the French and Ukrainian authorities. This happened because French law enforcement was successful in detecting some ransom payments that were transmitted to some people residing in Ukraine.

Court of Justice of the State of Rio Grande do Sul, Brazil Hit by REvil Ransomware

 

REvil ransomware group on 28th April 2021, had attacked the Tribunal de Justiça do Estado do Rio Grande do Sul (Court of Justice of the State of Rio Grande do Sul) in Brazil, which compromised the staff data and also obligated the courts to disable their network. Also labeled as Sodinokibi, REvil is a private service for the ransomware-as-a-service operations which rose in 2019. 

The Tribunal de Justiça do estado do rio Grande do Sul (TJRS), is a legal framework of the Brazilian state of Rio Grande do Sul. The attack started on April 28th, after personnel unexpectedly found that they are not able to access any of their documentation and photographs anymore, and also that ransom notices were displayed on Windows. 

Relatively soon after the intrusion was started, the verified TJRS Twitter account alerted staff not to sign into local and remote TJ network systems. 

“The TJRS reports that it faces instability in computer systems. The systems security team advises internal users not to access computers remotely, nor to log into computers within TJ’s network,” tweeted the TJRS judicial system. 

A Brazilian security analyst named Brute Bee took a screenshot and shared it with the staff of Bleeping Computer including ransom notes and talked about the attack. These ransom notices are there for the REvil service as they were the ones responsible for the attack, which is also autonomously verified by Bleeping Computer. 

“Files of TJRS could've been lost forever unless backups are available! DDoS attacks are yet to come if its victims refuse to cooperate”, added Brute Bee. 

Bleeping Computer further added that the threat actors have demanded a $5,000,000 ransom for the REvil Ransomware project to decrypt documents and further not to leak any of their data. 

One individual characterized the incident as "horrible," and "the worst thing happened there," in an interpreted audio recording that has been exchanged with Bleeping Computer, and also the IT workers experienced a "hysterical stress attack" while they scrambled to restore thousands of computers. 

The Superior Court of Justice of Brazil was targeted by the RansomEXX ransomware community last November as well, which started encrypting computers in the center of conference call tribunals. At the very same moment, the domains of several other Federal government departments in Brazil went down, but whether they were shut down or were under attack wasn't visible.

US FBI Warned Organisations of the Egregor Ransomware Attacks

 

The US-based FBI (Federal Bureau of Investigation) has warned of the upcoming ransomware attack against the hospitals and private organizations. They initially gave an alert saying that there was a credible ransomware thread that may harm the hospitals and other private organizations. All of it was done in the wake of the increasing cyber-crime rate in the USA. As the situation worsened, they warned the organizations to stay alert with eyes wide open and patches ready. It noteworthy that since the FBI's warning, one or the other organizations has been becoming a victim of these attacks. 

Initially, the organizations witnessed some issues with their IT system, and then they started receiving some phishing emails from various sites. The suddenness of the events made the organizations trust the warning released by the FBI, as the Egregor's chaos unfolded. 

The Egregor ransomware attack targets the organization worldwide. The threat actors behind the operations hack into the networks of the organizations and steal sensitive data. Once the data is exfiltrated they encrypt all the files and then leave a ransomware note stating that, in case, the organization fails to pay the ransom within the given time, then the stolen data will not only be leaked but will also be distributed to the public by means of mass media. 

The aforesaid Egregor ransomware attack was seen in the threat landscape in September 2020, since then the Egregor gang have claimed to compromise over 150 organizations. They have also claimed to have leaked the data of two of the world’s biggest gaming giants, UBISOFT and CRYTEK. The obtained data of these two companies is posted on the ransomware gang dark web. The incident unfolded the two companies didn't pay the demanded ransom. Despite warnings by security experts, it's difficult to actively avoid falling prey to ransomware attacks, owing to the nature and modus-operandi of such threats. Besides UBISOFT and CRYTEK, other companies namely BARNES & NOBELS, CENOSUD, and METRO’s Vancouver’s agency Trans Link was also on the list. 

“The FBI assesses Egregor ransomware is operating as a Ransomware as a Service Model. In this model, multiple different individuals play a part in conducting a single intrusion and ransomware event. Because of the large number of actors involved in deploying Egregor, the tactics, techniques, and procedures (TTPs) used in its deployment can vary widely, creating significant challenges for defense and mitigation.” read the FBI's alert. “Egregor ransomware utilizes multiple mechanisms to compromise business networks, including targeting business network and employee personal accounts that share access with business networks or devices".

Such ransomware attacks are performed with the help of Phishing emails that may contain malicious attachments or exploits for the remote desktop protocol (RDP) or VPN's. It must be noted that following the release of the FBI's warning to the organizations – the threat actors have seemingly paced up in response to the FBI's action against them, making the entire picture clearer!