
This Ransomware Sent North Carolina A&T University Rushing to Restore Services


Last month, North Carolina A&T State University, the country's largest historically black college, was hit by the ALPHV ransomware group, which forced university staff to rush to restore services. 

Melanie McLellan, an industrial and systems engineering student, told the school newspaper, The A&T Register: “It’s affecting a lot of my classes, especially since I do take a couple of coding classes. My classes have been cancelled. They have been remote; I still haven’t been able to do my assignments.” 

According to the paper, the breach happened during the week of March 7th, when students and professors were on spring break. Wireless connections, Blackboard instruction, single sign-on websites, VPN, Jabber, Qualtrics, Banner Document Management, and Chrome River were among the systems taken down by the attack, and many of them remained down when the student paper reported its story two weeks ago. 

The report came a day after North Carolina A&T appeared on a darknet site that ALPHV uses to name and shame victims in an attempt to persuade them to pay a hefty ransom. ALPHV, also known as Black Cat, is a newcomer to the ransomware-as-a-service sector, in which a core group of developers collaborates with affiliates to infect victims and split any proceeds. 

ALPHV has been characterised by some of its members as a successor to the BlackMatter and REvil ransomware gangs, and researchers from security firm Kaspersky released evidence on Thursday that supported that claim. According to Kaspersky, ALPHV/Black Cat is using an exfiltration tool that was previously used only by BlackMatter, which represents a fresh data point connecting BlackCat with past BlackMatter activity. BlackMatter previously used the Fendr tool to collect data from a victim's servers before encrypting it. 

Kaspersky researchers wrote, “In the past, BlackMatter prioritized collection of sensitive information with Fendr to successfully support their double coercion scheme, just as BlackCat is now doing, and it demonstrates a practical but brazen example of malware re-use to execute their multi-layered blackmail. The modification of this reused tool demonstrates a more sophisticated planning and development regimen for adapting requirements to target environments, characteristic of a more effective and experienced criminal program.” 

The ALPHV ransomware is uncommon, according to Kaspersky, because it is written in the Rust programming language. Another peculiarity is that each ransomware executable is built individually for the targeted enterprise, frequently just hours before the intrusion, with previously stolen login credentials for that environment hardcoded into the binary. 

Kaspersky researchers described two ALPHV breaches, one at a cloud hosting provider in the Middle East and the other at an oil, gas, mining, and construction company in South America, in a blog post published on Thursday. Kaspersky discovered the use of Fendr while investigating the second incident. ALPHV has also been blamed for breaches at two German energy providers and the luxury fashion label Moncler.

A&T is the seventh US university or college to be hit by the ransomware so far this year, according to Brett Callow, a security analyst at security firm Emsisoft. Callow also said that at least eight school districts have also been hit, disrupting operations at as many as 214 schools.