Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Encrypted Files. Show all posts
Ransomwares
Cyber Security Data Exfiltration Double extortion Encrypted Files Play ransomware PlayCrypt Ransomware attack Ransomwares

Play Ransomware: A Rising Global Cybersecurity Threat

 


Play ransomware, also known as Balloonfly or PlayCrypt, has become a significant cybersecurity threat since its emergence in June 2022. Responsible for over 300 global attacks, this ransomware employs a double extortion model — stealing sensitive data before encrypting files and appending them with the ".PLAY" extension. 

Victims are pressured to pay ransoms to recover their data and prevent its public release, making Play ransomware particularly dangerous for organizations worldwide. 

Recent investigations have revealed possible connections between Play ransomware and the North Korean-linked Andariel group. Research by cybersecurity firm AhnLab suggests that Andariel utilizes malware like Sliver and DTrack for reconnaissance and data theft prior to deploying ransomware attacks. The group's history with advanced ransomware strains such as SHATTEREDGLASS and Maui highlights the increasing sophistication of Play ransomware operations. Exploitation of Security Vulnerabilities Play ransomware exploits vulnerabilities in widely used systems to gain unauthorized access. Notable targets include:
  • ProxyNotShell (CVE-2022-41040, CVE-2022-41082): Flaws in Microsoft Exchange Server exploited for initial network infiltration.
  • FortiOS Vulnerabilities (CVE-2020-12812, CVE-2018-13379): Security gaps in Fortinet products leveraged for unauthorized access.
By exploiting these vulnerabilities and using compromised credentials, attackers can bypass detection and establish control over targeted networks. 
  
Play Ransomware Attack Lifecycle 
 
Play ransomware operators follow a structured, multi-phase attack methodology:
  • Reconnaissance: Tools like NetScan and AdFind are used to map networks and gather critical system information.
  • Privilege Escalation: Attackers employ scripts such as WinPEAS to exploit vulnerabilities and obtain administrative privileges.
  • Credential Theft: Tools like Mimikatz extract sensitive login information, enabling deeper network penetration.
  • Persistence and Lateral Movement: Remote access tools like AnyDesk and proxy utilities like Plink are used to maintain control and spread malware. Additional tools, such as Cobalt Strike and PsExec, facilitate lateral movement across networks.
  • Defense Evasion: Security programs are disabled using tools like Process Hacker to avoid detection.
  • Data Exfiltration: Files are compressed with WinRAR and transferred using WinSCP before encryption begins.
  • File Encryption and Ransom Demand: Files are encrypted and appended with the ".PLAY" extension. Victims receive a ransom note titled "ReadMe.txt", providing negotiation instructions and a Tor link for secure communication.
Mitigation Strategies Against Play Ransomware 
 
Organizations can reduce the risk of Play ransomware attacks by adopting proactive cybersecurity measures, including:
  • Patch Management: Regularly updating and patching known system vulnerabilities.
  • Advanced Security Protocols: Implementing robust endpoint detection and response (EDR) solutions.
  • Access Control: Strengthening authentication methods and restricting privileged access.
  • Employee Awareness: Conducting cybersecurity training to recognize phishing and social engineering attacks.
  • Data Backup: Maintaining secure, offline backups to enable data recovery without paying ransom demands.
Play ransomware exemplifies the growing complexity and impact of modern cyber threats. Its sophisticated attack methods, exploitation of known vulnerabilities, and suspected collaboration with nation-state actors make it a serious global concern. Proactive cybersecurity strategies and heightened vigilance are essential to protect organizations from this evolving threat.
Read more »
User Privacy
Backups Encrypted Files FBI Malicious actor Malicious Threat malware Multi-Factor Authentication (MFA) Ransomware Attacks. User Privacy

FBI Warns of Rising Dual Ransomware Attacks

Dual ransomware attacks have become a new, alarming trend in a digital environment replete with cyber threats. Using this smart strategy, criminals target an institution twice, multiplying the potential harm and raising the ransom demands. The FBI's most recent findings have shed insight on the seriousness of this developing threat.

According to the FBI, these attacks have surged in recent months, leaving organizations scrambling to bolster their cybersecurity measures. Special Agent Scott Smith, who leads the FBI’s Cyber Division, warns, "Dual ransomware attacks are a game-changer. They represent a significant escalation in the tactics employed by cybercriminals."

One high-profile incident detailed in a report by Tech Monitor involved a multinational corporation falling victim to a dual ransomware attack. The first attack infiltrated the company's network, encrypting critical files and crippling operations. Just as the organization was working to recover, a second attack hit, targeting backup systems and leaving the company with no option but to negotiate with the criminals.

The Register’s report further emphasizes the severity of this threat. It reveals that criminal organizations are becoming increasingly organized and resourceful, collaborating across borders to execute these attacks. The report quotes cybersecurity expert Dr. Emily Chen, who states, "Dual ransomware attacks signify a new level of sophistication among cyber criminals. It's no longer a matter of if an organization will be targeted, but when."

The implications of dual ransomware attacks are far-reaching. Not only do they result in financial losses from ransoms paid, but they also lead to significant operational disruptions and damage to an organization's reputation. Moreover, the psychological toll on employees can be immense, as they grapple with the stress and uncertainty of such attacks.

To mitigate the risks posed by dual ransomware attacks, organizations must adopt a multi-layered approach to cybersecurity. This includes regular employee training, robust threat intelligence programs, and the implementation of advanced security technologies. Additionally, maintaining up-to-date backups and a well-defined incident response plan can be crucial in the event of an attack.

Ransomware attacks that involve two different strains of malware are becoming more common, a clear indication that cybercriminals are becoming more sophisticated and organized. Businesses must take the lead in bolstering their cybersecurity defenses. A proactive and adaptable strategy is essential to safeguarding sensitive data and maintaining operational resilience in the ever-changing cyberwarfare landscape.

Read more »
VPN
Cyber Crime Dark Web Email Frauds Encrypted Files Retail Industry Security Guidelines User Privacy VPN

Ways in Which Online Merchants Scam Customers

When attempting to unsubscribe from an email newsletter that the user never subscribed to, one discovers a jumble of text—some of it practically grayed out—at the bottom of the message, making it virtually impossible to find an 'unsubscribe' link? A 'dark pattern' is a kind of internet design that serves to 'deceive, insinuate, and obfuscate,' as seen in that example.

The web has traditionally been rife with shady activities, from viruses to scams. Harry Brignull, a UX specialist, did not turn shedding light on the deceptive internet strategies even the most well-known brands employ until 2010. Harry coined strategies such as the moniker 'dark patterns' to emphasize how detrimental they may be to the victim's mental and financial health.

According to a Which poll, 45% of respondents said that dark patterns made them feel tricked or annoyed, and 13% said that they had been persuaded to spend more money than they had intended. According to the U.S. Federal Trade Commission, consumers end up spending 20% more money when ticket prices are not disclosed upfront. Additionally, a website's dark designs can persuade you to divulge more information than users are comfortable with.

Ways that internet shopping might lure you into splurging:
  • Free delivery minimums
  • Email reassurance
  • Advertisements with retargeting
  • Discounted loyalty programs
  • Discounts for new clients
  • Discounts dependent on subscription
Dark patterns include tricky questions, adding unwanted items to your online shopping cart, and coercing you into disclosing sensitive information. The world's most popular internet retailer, Amazon, is the one deceiving consumers the most. It employs 11 of the 12 identified forms of dark patterns listed above, some of which have sparked inquiries from the FTC and EU regulators. On the other hand, Walmart, probably Amazon's biggest rival, employs just four.

Even though some expenses might be necessary, being aware of the strategies that merchants employ to increase your purchase will prevent you from falling for them. You must have encrypted internet service to receive highly relevant adverts from businesses, that monitor your online activity across multiple websites. VPN offers the highest level of encryption. Your online activities are all susceptible to being recorded and examined by interested parties without Internet privacy protection.


Read more »
Windows Users
Antivirus System Data Breach Encrypted Files Fortinet Illegal Software Ransomware Attacks. Secret Keys Windows Windows Users

Using Blatant Code, a New Nokoyawa Variant Sneaks up on Peers

 

Nokoyawa is a new malware for Windows that first appeared early this year. The first samples gathered by FortiGuard researchers were constructed in February 2022 and contain significant coding similarities with Karma ransomware that can be traced back to Nemty via a long series of variants. 

NOKOYAWA is a ransomware-type piece of malware that the research team discovered and sampled from VirusTotal. It's made to encrypt data and then demands payment to decode it. 

FortiGuard Labs has seen versions constructed to run only on 64-bit Windows, unlike its precursor Karma, which runs on both 32-bit and 64-bit Windows. For customized executions, Nokoyawa provides many command-line options: help, network, document, and Encrypt a single file using the path and dir dirPath. 

Nokoyawa encrypts all local disks and volumes by default if no argument is provided. The "-help" argument is intriguing because it shows that the ransomware creators and the operators who deploy and execute the malware on affected PCs are two independent teams. Nokoyawa encrypts files that do not end in.exe,.dll, or.lnk extensions using multiple threads for speed and efficiency. Furthermore, by verifying the hash of its names with a list of hardcoded hashes, some folders, and their subdirectories are prohibited from encryption.

Nokoyawa produces a fresh ephemeral keypair (victim file keys) for each file before encrypting it. A 64-byte shared secret is produced with Elliptic-Curve Diffie-Hellmann using the victim file's private key and the threat actors' "master" public key (ECDH). For encrypting the contents of each file, the first 32 bytes of this secret key are used as a Salsa20 key, together with the hardcoded nonce 'lvcelvce.' 

RURansom, A1tft, Kashima, and pEaKyBlNdEr are just a few of the ransomware programs that have been looked into. The encryption algorithms they utilize (symmetric or asymmetric) and the ransom size are two key variations between malicious applications of this type. The magnitude of the requested sum can vary dramatically depending on the intended victim. 

How does ransomware get into my system? 

The majority of the additional code was taken exactly from publicly available sources, including the source of the now-defunct Babuk ransomware leaked in September 2021, according to FortiGuard Labs experts. 

Malware including ransomware is spread using phishing and social engineering techniques. Malicious software is frequently disguised as or integrated with legitimate files. 

The email addresses were eliminated and were replaced with directions to contact the ransomware authors using a TOR browser and a.onion URL. When you're at the Onion URL, you'll be taken to a page with an online chatbox where you can chat with the operators, negotiate and pay the ransom. 

Researchers from FortiGuard Labs detected a dialogue between a potential victim and the ransomware operator. The threat actors offer free decryption of up to three files based on this chat history to demonstrate that they can decrypt the victim's files.

The ransom amount, in this case, a whopping 1,500,000 (likely in USD), is displayed on the "Instructions" page and can be paid in either BTC (Bitcoin) or XMR(Monero). The operators claim to deliver the tool to decrypt the victim's files after payment.

Given the rising professionalism of certain ransomware efforts, this TOR website could be an attempt to better "branding" or a technique to delegate ransom discussions to a separate team. Surprisingly, the ransom note contains the following content. "Contact us to strike a deal or we'll publish your black s**t to the media," the message says, implying that the victim's data was stolen during the infection.

Drive-by (stealthy and deceptive) downloads, spam email (malicious files attached to or compromised websites linked in emails/messages), untrustworthy download channels (e.g., peer-to-peer sharing networks, unofficial and freeware sites, etc.), illegal software activation ("cracking") tools, online scams, and fake updates are among the most common distribution methods. 

How can we defend from ransomware?

It is strongly advised you only use legitimate and trusted download sources. Furthermore, all apps must be activated and updated through tools given by genuine providers, as third-party tools may infect the system. 

Experts also recommend against opening attachments or links received in questionable emails or messages, as they may contain malware. It is critical to install and maintain a reliable anti-virus program. 

Regular system scans and threats/issues must be removed using security software. If the machine has already been infected with NOKOYAWA, we recommend using Combo Cleaner Antivirus for Windows to automatically remove it.
Read more »
RaaS
Conti Ransomware Cyber Attacks Dark Web Emotet Encrypted Files Microsoft Qakbot RaaS

Costa Rica's New Government is Under Attack by a Conti Ransomware Gang

 

The Conti ransomware organization, which has hacked some Costa Rican government computer systems, has increased its threat, claiming that its ultimate goal is to overthrow the government. The Russian-speaking Conti gang tried to intensify the pressure to pay a ransom by boosting its demand to $20 million, perhaps capitalizing on the fact that President Rodrigo Chaves had just been in office for a week. 

"We are aiming to overthrow the government by a cyber attack, and we have already demonstrated all of our strength and power," the group stated on its official website. "In your government, we have insiders. We're also attempting to obtain access to your other systems, and you have no choice but to pay us." Chaves said the organization had infiltrated up to 27 institutions at various levels of government, declaring that the country was "at war" with the Conti ransomware gang but giving no indication that the ransom would be paid. 

"I appeal to every Costa Rican to go to your government and organize rallies to demand that they pay us as soon as possible if your existing government is unable to fix the situation?" A different statement on Conti's dark web page stated, "Perhaps it's worth replacing." Over the weekend, the ransomware issued a warning that it will remove the decryption keys in a week, making it impossible for Costa Rica to restore access to the ransomware-encrypted files. 

The lethal April 19 attack prompted the new administration to proclaim a state of emergency, and the gang has exposed troves of data acquired from infected systems before encryption. Conti linked the attack to an affiliate actor nicknamed "UNC1756," a play on the name given to uncategorized threat groups by threat intelligence firm Mandiant. 

If it was any other ransomware gang, according to Aaron Turner, vice president of SaaS posture at Vectra, an AI cybersecurity firm, the threat would be unnoticeable. "However, because it's Conti, and Conti has publicly connected themselves with Putin's Russia's military activities, this threat should demand a second look," he said. 

He believes that if the US supports 'enemy' troops in Russia's neighborhood, there is a strong urge for retaliation. "Fortunately for Costa Rica, Conti isn't the most sophisticated gang of ransomware operators," he said. "Costa Rica is also lucky in that Russia's invasion of Ukraine went so badly that there are likely inadequate military forces on the other side of the planet to launch a combined cyberattack and conventional strike." While the prospect of overthrow is intriguing from an academic standpoint, Turner believes the chances of Conti orchestrating a coup are extremely remote. 

Affiliates are hacker organizations that rent access to pre-developed ransomware tools to coordinate assaults on corporate networks as part of the so-called ransomware-as-a-service (RaaS) gig economy, and then share the profits with the operators. Conti has continued to target companies all over the world after suffering a large data breach of its own earlier this year amid its public support for Russia in its current war against Ukraine. 

Conti is the "most prolific ransomware-associated cybercriminal activity organization operational today," according to Microsoft's security team, which records the cybercriminal gang under the cluster DEV-0193. "DEV-0193 has hired developers from other malware operations that have shut down for varied reasons, including legal actions. The addition of developers from Emotet, Qakbot, and IcedID to the DEV-0193 umbrella is very noteworthy." 

Conti is one of the most wanted cybercriminal gangs in the world, with the US State Department offering up to $10 million in incentives for any information leading to the identity of its senior members.
Read more »
Whatsapp Data
Cyber Attacks cybercriminals Encrypted Files Europe FIFA Private Data Trojan Whatsapp Data

Spanish FA Reported a Cyber Attack, Private Texts Seized

 

Police have been informed that the Royal Spanish Football Federation (RFEF) has witnessed a cyber attack. In recent months, top leaders of the union, particularly president Luis Rubiales, have had documents and information from private email accounts, private texts, and audio calls taken.

Headquartered in Las Rozas, La Ciudad del Ftbol, a community near Madrid, the Royal Spanish Football Federation is Spain's football regulating organization. The Spanish FA won the 2010 FIFA World Cup and two European Championships in a row as a result of these events. 

"It's likely this personally identifiable information, taken unlawfully and with clear criminal purpose, was provided to numerous media," the RFEF added. 

Before the publishing of the information, an unnamed journalist informed the RFEF claiming its media outlet had been provided access to illegally acquired material from an unknown source who communicated over an encrypted voice. 

"Through third parties, the media outlet in issue claimed to have obtained confidential contracts, private WhatsApp conversations, emails, and a variety of documents involving the RFEF management," the journalist told. "If accurate, it would be a crime of secret revelation and a breach of the people attacked's fundamental rights." 

The Spanish FA has condemned such "criminal and mafia" acts to all relevant organizations, as well as appointed a private firm to improve security and prevent future attacks.

Cyberattacks, like hacktivists, can be linked to cyber warfare or cyberterrorism. To put it another way, motivations can differ. And there are three basic types of motivations: criminal, political, and personal. Money theft, data theft, and company disruption are all options for criminally minded attackers.
Read more »
TrickBot
BazarLoader C&C Conti Ransomware cybercriminals Data Breach Encrypted Files Russian Hackers TrickBot

Data Stolen From Parker Hannifin was Leaked by the Conti Gang

 

Several gigabytes of data allegedly taken from US industrial components major Parker Hannifin have been leaked by a known Conti gang. Parker Hannifin is a motion and control technology business which specializes in precision-built solutions for the aerospace, mobile, and industrial industries. 

The Fortune 250 business said in a legal statement on Tuesday, the compromise of its systems was discovered on March 14. Parker shut down several systems and initiated an inquiry after detecting the incident. Law enforcement has been alerted, and cybersecurity and legal specialists have been summoned to help. Although the investigation is ongoing, the company announced some data, including employee personal information, was accessed and taken. 

"Relying on the Company's early evaluation and currently available information, the incident has had no major financial or operational impact, and the Company does not think the incident will have a significant impact on its company, operations, or financial results," Parker stated. "The Company's business processes are fully operating, and it retains insurance, subject to penalties and policy limitations customary of its size and industry." 

While the company has not shared any additional details regarding the incident, cybersecurity experts have learned the infamous Conti gang has taken credit for the Parker breach. More than 5 GB of archive files supposedly comprising papers stolen from Parker have been leaked by the hacker group. However, this could only be a small percentage of the data they've obtained; as per the Conti website, only 3% of the data theft has been made public. Usually, hackers inform victims they must pay millions of dollars to restore encrypted files and avoid stolen information from being leaked. 

Conti ransomware is a very destructive malicious actor because of how quickly it encrypts data and transfers it to other computers. To gain remote access to the affected PCs, the organization is using phishing attempts to deploy the TrickBot and BazarLoader Trojans. The cyber-crime operation is said to be led by a Russian gang operating under the Wizard Spider moniker and members of Conti came out in support of Russia's invasion of Ukraine in February.

Conti data, such as malicious source code, chat logs, identities, email addresses, and C&C server details, have been disclosed by someone pretending to be a Ukrainian cybersecurity researcher. Conti works like any other business, with contractors, workers, and HR issues, as revealed by the released documents. Conti spent about $6 million on staff salaries, tools, and professional services in the previous year, according to a review conducted by crisis response firm BreachQuest.

Conti and other ransomware organizations continue to pose a threat to businesses and ordinary services, and measures should be taken to help prevent a severe cyberattack.
Read more »
Scamming
Apple cybercriminals Data Breach Encrypted Files Facebook Hong Kong Scamming

Customers  Threatened by a Data Breach at Hong Kong's Harbour Plaza Hotel

 

Hong Kong's privacy authority is looking into a hack against the Harbour Plaza hotel company, which revealed more than 1.2 million visitors' booking information. The investigation's goal is to learn more about what kind of private details were compromised. Customers have been warned to keep an eye out for any strange activity in their accounts and to be aware of any unexpected emails, calls, or messages in the meantime. 

"The impacted data was the information of visitors who remained within these hotels," the PCPD tells ISMG. "As the investigations into the cyberattack are ongoing," the PCPD told ISMG, declining to specify the type of hack, the threat actor involved, or the data compromised. 

According to Harbour Plaza's statement, the Hong Kong Police was also notified along with certain other relevant authorities. The company has hired an undisclosed third-party cybersecurity forensics agency to investigate and control the problem, as well as improve its security perimeter in the future. 

According to the company's FAQs about the data leak, those who are affected will be alerted. Customers should be "extra cautious against scamming or other attempted schemes," according to the hotel firm, which says "lodging reservation databases" were impacted. It indicates possible information such as a customer's name, email address, phone number, reservation, and stay details may have been hacked. 

Inquiry into the data leak at online retailer HKTVmall 

Separately, the PCPD is looking into a case involving HKTVmall, a well-known shopping and entertainment platform run by Hong Kong Technology Venture Co. Ltd. 

The security breach has endangered the personal details of a "small fraction" of HKTV Co. Ltd.'s 4.38 million registered customers, according to a statement made on Feb. 4. According to the notice, the connected server was in an "other Asian" country. 

According to the company, it promptly notified the Hong Kong Police or the PCPD, and hired two cybercrime firms on January 27 "to conduct an investigation and further enhance HKTVmall's server security measures." 

Customer data that may have been obtained by an unauthorized person, according to HKTVmall, includes:

  • Account names which have been registered.
  • Login passwords which are encrypted and masked.
  • Email addresses which have been registered and that can be contacted. 
  • Names of recipients, shipping addresses, and contact numbers for orders placed between December 2014 and September 2018.
  • Clients who have connected their HKTVmall account to a Facebook account or an Apple ID have the date of birth, official name, and email accounts for Facebook accounts and Apple IDs.
Read more »
Subscribe to: Posts (Atom)