Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Extortion. Show all posts
RIBridges
brain cipher Data Breach Extortion Rhode Island RIBridges

RIBridges Data Breach: Sensitive Information of Rhode Islanders Exposed

 



The RIBridges system, a very important tool for Rhode Island's social services, has become the latest victim of a ransomware attack, resulting in the leak of personal data belonging to hundreds of thousands of residents. This breach, orchestrated by the Brain Cipher ransomware group, has raised serious concerns about the security of systems handling sensitive information.


What is RIBridges?

RIBridges is the vital system for Rhode Island that runs social support programs, such as access to health care, food assistance, childcare, and more. Much of the private data in this compromise was made vulnerable to exploitation.  


Timeline of the Incident

1. First Warning: On December 5, Deloitte, the vendor responsible for RIBridges, warned Rhode Island officials that there may have been a security breach. 

2. Confirmation of Breach: By December 10, it was confirmed that hackers had indeed accessed the system. The hackers even published screenshots of the stolen file directories on Deloitte's screen.

3. Action Taken: Confirmation of presence of harmful code led to system shut down to minimize damage, and this occurred on December 13. 

 

What Data Was Leaked?

Last week, a group known as Brain Cipher began to leak their stolen files on the dark web. It claims to have included names, addresses, birth dates, Social Security numbers, and banking details of people. The list contained both adults and minors. Other reports also suggest that some file folders contained database backups and system archives. 


Implications for Rhode Island Residents

This breach has potentially exposed around 650,000 individuals to identity theft and fraud. Governor Dan McKee has advised residents to take immediate steps to protect their data. This includes freezing credit reports, monitoring accounts for unusual activity, and staying cautious of phishing attempts that may exploit the stolen information.  

The Brain Cipher ransomware group, operating since mid-2024, is known to use advanced encryption tools and a data leak website to extort victims. Its operations were first brought to public attention after attacking Indonesia's temporary National Data Center. In that attack, it used a modified version of a leaked codebase for an encryptor to breach RIBridges.

Although the data leak site from the gang remains inaccessible, reportedly as a result of a distributed denial-of-service attack, their negotiation page on Tor remains active. It appears they are still pushing the victims or perhaps even looking for further extortions.  


What's Being Done?

The IT teams in state work to comprehend the full effect of the breach and to secure the system. Residents are advised to stay vigilant and to take proactive steps to prevent these risks caused by the leakage of such data. This attack calls out the increased risk of ransomware and an increased need for cybersecurity measures in securing crucial public systems and sensitive information on individuals.




Read more »
Victim
Cyber Security Cybersecurity Data Breach Encryption Extortion Healthcare HHS Ransomware Ransomware attack Trinity Victim

New Trinity Ransomware Strain Targets U.S. Healthcare, Federal Officials Warn

 

A new ransomware strain, known as Trinity, has reportedly compromised at least one healthcare organization in the U.S., according to a recent report from federal authorities.

The U.S. Department of Health and Human Services (HHS) issued a warning on Friday, alerting hospitals about the serious threat posed by the ransomware group. They highlighted that Trinity’s methods make it a "notable risk" to both the U.S. healthcare and public health sectors.

HHS's Health Sector Cybersecurity Coordination Center confirmed that one U.S. healthcare entity has recently fallen victim to the Trinity ransomware, which was first detected around May 2024.

To date, seven victims of Trinity ransomware have been identified, including two healthcare providers—one in the U.K. and another in the U.S. The latter, a gastroenterology services provider, lost 330 GB of data. While the facility remains unnamed, it has been listed on Trinity’s data leak site and is currently facing technical disruptions, including limited phone access.

Additionally, researchers have found another case involving a dental group based in New Jersey.

HHS noted similarities between Trinity and two other ransomware groups—2023Lock and Venus—hinting at potential collaboration between these cybercriminals.

Trinity ransomware mirrors other known operations by exploiting common vulnerabilities to extract data and extort victims.

After installation, the ransomware gathers system information, such as available processors and drives, to escalate its attack. Operators then scan for weaknesses to spread the ransomware within the network.

The files encrypted by the attack are marked with the “trinitylock” extension, and victims receive a ransom note demanding payment within 24 hours, with threats of data exposure if they fail to comply.

At present, there is no available decryption tool for Trinity, leaving victims with few options, according to the HHS advisory.

The attackers operate two websites: one to assist those who pay the ransom with decryption, and another that displays stolen data to extort victims further.

Federal officials have discovered code similarities between the Trinity and Venus ransomware strains, noting identical encryption methods and naming schemes, which suggest a close link between them. Trinity also shares features with 2023Lock, including identical ransom notes and code, implying it could be an updated variant.

Cybersecurity researchers have also pointed out that Trinity may be a rebranded version of both Venus and 2023Lock. According to Allan Liska of Recorded Future, Trinity is "not a highly advanced strain of ransomware," and the attackers do not appear particularly sophisticated.

HHS emphasized that the potential collaboration between these threat actors could enhance the complexity and impact of future ransomware attacks.

Previous HHS warnings have covered other ransomware groups such as Royal, Cuba, Venus, Lorenz, and Hive.

Despite heightened law enforcement efforts, ransomware attacks persist, with operations continuing to generate significant revenue—approximately $450 million in the first half of 2024 alone.

The healthcare sector has been particularly affected by these attacks, causing severe disruptions. Just last week, a Texas hospital, the only level 1 trauma center in a 400-mile radius, had to reduce services and turn away ambulances due to a ransomware incident.

As of Friday, the hospital reported restored phone services, with only a limited number of ambulances being redirected to other facilities.
Read more »
Threat Landscape
Cyber Crime Data Leak Extortion Ransomware Threat Landscape

BlackByte Ransomware Outfit is Targeting More Orgs Than Previously Known

 

Researchers from Cisco have discovered that the BlackByte ransomware group is only disclosing a small portion of its successful attacks on its leak site this year. Talos, the company's cybersecurity department, believes the gang is creating extortion posts for only 20% to 30% of its successful attacks. 

The study of the ransomware outfit's leak site shows it posted 41 victims in 2023 but only three so far in 2024. BlackByte has been extremely active this year, but it's unclear why the group hasn't posted any further leaks. 

BlackByte has carried out high-profile assaults on local governments in Newburgh, New York, and Augusta, Georgia, as well as organisations such as the San Francisco 49ers and Yamaha. 

Researchers from Cisco Talos claimed that their involvement in a number of recent incident response investigations showed how quickly the organisation is evolving and how often it leads the way in exploiting vulnerabilities such as CVE-2024-37085, an ESXi software problem that Microsoft brought to light last month.

“Talos IR observed the threat actor leveraging this vulnerability, which initially received limited attention from the security community, within days of its publication,” the researchers stated. “This highlights the speed with which ransomware groups like BlackByte can adapt their [tactics, techniques and procedures] to incorporate newly disclosed vulnerabilities, and the level of time and effort put into identifying potential avenues for advancing an attack.” 

The analysts believe the ransomware-as-a-service (RaaS) gang is an offshoot of the now-defunct Conti operation, which appeared in late 2021. According to Cisco Talos, BlackByte has a history of searching for and exploiting public-facing vulnerabilities. However, the RaaS model's flexibility "allows threat actors to quickly counter new defensive strategies developed by cybersecurity experts by iterating and updating its tooling.” 

Callie Guenther, a Critical Start cyberthreat researcher, stated that the exploitation of CVE-2024-37085 was notable since it targeted VMware ESXi hypervisors, which allow servers to operate many virtual machines and efficiently distribute computing resources. The focus on ESXi hypervisors by Ransomware outfits such as BlackByte is especially troubling because the technology is often vital for firms' IT infrastructure and critical business applications.

“The adoption of the CVE-2024-37085 vulnerability by BlackByte signals an understanding of the value in targeting these systems, as they offer a high return on investment for the attackers in terms of potential ransom payouts,” she added.
Read more »
SIM card cloning
BSNL data breach cyberattack on BSNL dark web forum Data Breach Extortion Identity Theft kiberphant0m sensitive user information SIM card cloning

BSNL Reportedly Suffers Major Data Breach: Sensitive User Information at Risk

 

Bharat Sanchar Nigam Limited (BSNL) has reportedly experienced a significant data breach, with the responsible threat actor claiming to have acquired sensitive user and operational data. The government-owned telecom provider's servers were attacked, resulting in the hackers obtaining SIM card details, home location register data, and critical security keys. This stolen data could potentially be used for criminal activities such as SIM card cloning, identity theft, and extortion.

According to a report by digital risk management firm Athenian Tech, cited by News18, the cyberattack was carried out by a threat actor using the dark web forum username “kiberphant0m”. It remains unclear if the attack was executed by an individual or a group of hackers.

The report states that approximately 278GB of data from BSNL's telecom operations was compromised. This data includes not only user information but also server snapshots that could be exploited for further attacks, posing severe security risks. The threat actor claims to have obtained critical details such as International Mobile Subscriber Identity (IMSI) numbers, SIM card details, PIN codes, authentication keys, and snapshots of BSNL's SOLARIS servers.

The hacker has reportedly offered the stolen data for sale at $5,000 (roughly Rs. 4.18 lakh). Discussions on the dark web forum suggest potential misuse of the data for activities like SIM cloning, identity theft, and extortion.

Kanishk Gaur, CEO of Athenian Tech, explained that while the specific vulnerabilities exploited by “kiberphant0m” are not publicly disclosed, access to critical systems such as the Home Location Register (HLR) and SOLARIS server snapshots indicates a deep penetration. This likely involved exploiting software vulnerabilities or sophisticated social engineering techniques. The server snapshots suggest possible exploitation of known vulnerabilities within BSNL's server infrastructure, highlighting the need for rigorous patch management and security updates.

The alleged data breach poses a serious threat to millions of BSNL users whose sensitive information may have been compromised. Notably, BSNL experienced a similar data breach in December 2023. Gadgets 360 has reached out to BSNL for a comment and will update the story once a response is received.
Read more »
Online fraud
Bengaluru Cyber bullying Cyber Crime Extortion Goa Online fraud

Bengaluru Man Arrested for Exploiting Woman in Online Interview

 



Panaji: In a disturbing cybercrime case, the Goa Cyber Crime Police arrested a Bengaluru resident, Mohan Raj V, for allegedly cyberbullying and extorting a woman from Goa. The arrest was made on Saturday after a strategic operation by the police team.

The case began when the victim, a woman from Goa, filed a complaint with the cyber crime police. She reported that the accused had posted a fake job advertisement for a position at a foreign bank. Responding to the advertisement, the woman was contacted via a chatting app by the accused, who arranged an online interview. During the video call, individuals posing as company representatives coerced the woman into undressing. They recorded the video and took screenshots, which were later used to blackmail her.

According to the complaint, the accused demanded sexual favours in exchange for deleting the compromising material. Over the past two months, he persistently harassed the woman, threatening to make the videos and pictures public if she did not comply. He also demanded that she meet him in Bengaluru.

Following the complaint, the police, led by Superintendent of Police Rahul Gupta, devised a plan to apprehend the accused. A team, including the victim, travelled to Bengaluru and laid a trap. After extensive efforts and a lengthy chase, the accused was caught when he arrived to meet the victim. The police recovered the chats and videos from the accused's phone, which will be sent for a cyber forensic examination.

The investigation revealed that Mohan Raj V used VPN phone numbers to create fake Telegram accounts and post fraudulent job offers. He targeted women by promising high salary packages and conducting fake online interviews.

The accused has confessed to his crimes and has been booked under several sections of the Indian Penal Code, including section 354A (sexual harassment), section 384 (extortion), and relevant provisions of the Information Technology Act. The case is being further investigated by Police Inspector Deepak Pednekar.

SP Rahul Gupta urged the public to verify the authenticity of online job offers through local or cyber police stations before engaging with them. He also cautioned against complying with unethical online demands, no matter the promised benefits.

This case highlights the growing menace of cybercrime and the importance of vigilance in online interactions. The Goa Cyber Crime Police's successful operation furthers the cause for robust cyber security measures and public awareness to prevent such incidents.



Read more »
VPM
Child pornography Extortion Honeytrap malware VPM

Malware Author Lures Child Abusers Into Honeytrap to Extort Them

 

You rarely root for online criminals, but a new malware campaign targeting child exploiters does not make you feel awful about the victims. 

Since 2012, threat actors have developed a range of malware and ransomware that impersonate government agencies and earn affected Windows users that they are seeing CSAM. The software informs users that they must pay a "penalty" to keep their information from being transferred to law enforcement. 

One of the first "modern" ransomware operations, known as Anti-Child Porn Spam Protection or ACCDFISA, used this extortion strategy in conjunction with initially locking Windows systems and eventually encrypting files. 

Similar extortion techniques were used by cybersecurity researcher MalwareHunterTeam to share an executable malware sample named "CryptVPN" [VirusTotal] with BleepingComputer last week. This time, though, the malware creator is going after people who actively seek child pornography rather than innocent people. 

Security specialists investigated the malware and discovered that threat actors posed as UsenetClub, a subscription service that allows users to download films and images from Usenet with "uncensored" access.

Usenet is an online discussion platform that allows users to discuss different topics in "newsgroups" to which they have subscribed. While Usenet is used for valid discussion of a variety of topics, it is also a notorious source of child pornography.

Threat actors designed a fraudulent site pretending to be UsenetClub and offered three subscription tiers for the site's content. The first two were paid subscriptions, ranging from $69.99 per month to $279.99 annually. However, a third option claimed to allow free access if you install and employ the free "CryptVPN" software to access the site. 

Clicking the "Download & Install" button will download a CryptVPN.zip file from the website, which when unpacked will contain a Windows shortcut called "CLICK-HERE-TO-INSTALL". 

This file is a shortcut to the PowerShell.exe executable that downloads and saves the CryptVPN.exe executable to C:\Windows\Tasks.exe before executing it. The malware executable is packaged with UPX, however when unpacked, it contains a PDB string indicating that the creator titled the malware "PedoRansom". 

The malware does nothing uncharacteristic except change the target's wallpaper to an extortion demand and drop a ransom note named README.TXT on the desktop, which includes similar extortion demands. 

"You were searching for child exploitation and/or child sexual abuse material. You were stupid enough to get hacked," reads the extortion demand. "We have collected all your information, now you must pay us a ransom or your life is over.”

The extortion goes on to say that the victim must pay $500 to the bc1q4zfspf0s2gfmuu8h5k0679sxgxjkd7aj5e6qyl Bitcoin address within ten days or their identity will be leaked. Currently, this bitcoin address has only received roughly $86 in payments. 

Threat actors have long used "sextortion" strategies, such as sending bulk emails to a large number of people in an attempt to scare them into paying an extortion demand. 

These approaches worked very well at first, with spammers extorting more than $50,000 per week during the early operations. However, as time passes and the victims of these frauds become more aware, sextortion operations no longer yield the same money. 

While this strategy is more innovative and will scare many individuals looking for this type of stuff, we doubt many people will pay the extortion demand.
Read more »
Websites
Attack Blackcat hackers Change Healthcare critical infrastructure providers Data Breach digital decryption keys Extortion Hospitals International law enforcement seizure Websites

Notorious Hacker Group Strikes US Pharmacies

In December, international law enforcement targeted a gang, leading to the seizure of various websites and digital decryption keys, as reported by Reuters. In response to this crackdown, the Blackcat hackers threatened to extort critical infrastructure providers and hospitals.

A recent attack on Change Healthcare, resulting in its parent company UnitedHealth Group disconnecting its systems to prevent further impact, has caused disruptions in prescription insurance claims, according to the American Pharmacists Association. This outage, which has persisted through Tuesday, is attributed to a notorious hacker group, as per a new report.

The outage at Change Healthcare, which handles payment management for UnitedHealth Group, was caused by a ransomware attack by hackers associated with Blackcat, also known as ALPHV, according to Reuters, citing anonymous sources. Blackcat has been involved in several recent high-profile data breaches, including attacks on Reddit, Caesars Entertainment, and MGM Resorts.

As a result of the breach, pharmacies nationwide are facing significant delays in processing customer prescriptions. Change Healthcare stated they are actively working to restore the affected environment and ensure system security.

UnitedHealth Group mentioned that most pharmacies have implemented workarounds to mitigate the impact of the outage on claim processing. The company expressed confidence that other data systems in its healthcare portfolio were unaffected by the breach.

While last week's breach was suspected to be "nation-state-associated," according to an SEC filing by UnitedHealth, it's uncertain if the group responsible was sponsored by foreign actors. Cybersecurity firms Mandiant and Palo Alto Networks, appointed by UnitedHealth, will lead the investigation into the breach.
Read more »
TrendMicro
Bitcoin Canti Conti CorvusInsurance Cyber Crime Cybersecurity Darkweb DigitalCurrency Elliptic Extortion Garantex Hackers Laundering Ransomware TrendMicro

Researchers: 'Black Basta' Group Rakes in Over $100 Million

 

A cyber extortion group believed to be an offshoot of the infamous Russian Conti hacker organization has reportedly amassed over $100 million since its emergence last year, according to a report published on Wednesday by digital currency tracking service Elliptic and Corvus Insurance.

The group, known as "Black Basta," has allegedly extorted at least $107 million in bitcoin, with a significant portion of the laundered ransom payments flowing to the sanctioned Russian cryptocurrency exchange Garantex, as revealed in the joint report. Attempts to contact Black Basta through its dark web site were unsuccessful. Garantex, which faced U.S. Treasury sanctions in April of the previous year, expressed support for global initiatives combatting cybercrime and urged information-sharing regarding the hackers' finances, pledging to block suspicious funds.

Elliptic co-founder Tom Robinson characterized Black Basta's substantial earnings as making it "one of the most profitable ransomware strains of all time." The researchers arrived at this figure by identifying known ransom payments linked to the group, tracing the laundering of digital currency, and discovering additional payments.

Robert McArdle, a cybercrime expert from security firm TrendMicro not involved in the report, deemed the reported Black Basta figure "certainly in a believable range for their operations."

The Elliptic-Corvus report also presented evidence linking Black Basta to the now-defunct Russian group "Canti." Conti, formerly a prominent ransomware gang, gained notoriety for coercing victims through data encryption, ransom demands, and threats to publish stolen information. 

The report suggests that individuals from Conti, following the dismantling of its leak site after Russia's invasion of Ukraine and the subsequent posting of U.S. bounties on its leadership, may have reorganized and rebranded, with Black Basta potentially being a manifestation of this restructuring.

"Conti was perhaps the most successful ransomware gang we've seen," remarked Robinson. The recent findings indicate that some individuals responsible for Conti's success might be replicating it with the Black Basta ransomware, he added.
Read more »
Subscribe to: Posts (Atom)