Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label GandCrab. Show all posts

French Authorities Have Detained a Suspect in Case of Money Laundering of €19 Million

 

This week, French authorities apprehended a suspect under suspicion of laundering more than €19 million ($21.4 million) in ransomware extortion payouts. 

Law enforcement agencies have not revealed the accused's name, which has only been recognized as a person from the Vaucluse area in southeast France, and neither the title of the ransomware organization with which he worked. 

The detention this week follows as law enforcement agencies throughout the world have started to collaborate and crackdown on ransomware activities following years of recurrent attacks, most of which have disrupted government agencies and private sector organizations on many occasions. 

This year has seen several crackdowns targeting ransomware gangs, including: 

  • February – The arrest of Egregor/Maze members in Ukraine. 

According to French radio station France Inter, participants of the Egregor ransomware cartel were apprehended in Ukraine. The existence of a law enforcement activity was already verified by sources in the threat intelligence community. The Egregor gang, reportedly began operations in September 2020, follows a Ransomware-as-a-Service (RaaS) strategy. They rent ransomware strain access, but they depend on some other cybercrime gangs to organize attacks into corporate networks and distribute the file-encrypting ransomware. 

  • March – The arrest of a GandCrab affiliate in South Korea. 

The arrest of a 20-year-old accused on allegations of spreading and infecting victims with the GandCrab ransomware was announced by South Korean national police. The accused, whose identity has not been revealed, was a client of the GandCrab Ransomware-as-a-Service (RaaS) cybercrime organization. Police described the suspect as an associate — or a distributor — who operated by obtaining copies of the GandCrab ransomware and spreading them via email to victims around South Korea. 

  • June – The arrest of a group of Ukrainian money launderers who worked with the Clop gang.

Representatives of the Clop ransomware gang, who were apprehended in Ukraine as part of an international law enforcement operation, also provided money-laundering facilities to other cybercrime organizations. The group was involved in both cyber-attacks and "a high-risk exchanger" that laundered funds for the Clop ransomware gang and other criminal groups, according to cryptocurrency exchange portal Binance. 

  • September – Sanctions against Suex, a Russian crypto-exchange used to process ransomware 

Suex, a cryptocurrency exchange incorporated in the Czech Republic but managed by Russia, was sanctioned by the US Treasury. According to a blockchain analysis company, Suex has assisted ransomware and other cybercrime organizations in laundering more than $160 million in stolen assets. Suex has aided in the processing of ransom payments to gangs like Conti, Ryuk, and Maze.

  • October – The arrest of 12 suspects behind the LockerGoga ransomware. 

According to Europol, twelve members of a ransomware cell were apprehended in Ukraine and Switzerland. The accused are suspected of orchestrating the ransomware attack that damaged Norsk Hydro in 2019, the organization was linked to 1,800 ransomware assaults in 71 countries.

  • November – The arrest of a REvil affiliate in Ukraine for the Kaseya attack. 

The US Department of Justice charged a 22-year-old Ukrainian national with coordinating the ransomware assaults against Kaseya servers on July 4th of this year.

  • December – The arrest of a Canadian citizen for the attack against an Alaskan healthcare provider. 

Since 2018, Canadian authorities had jailed an Ottawa resident on suspicion of organizing ransomware attacks on commercial companies and government agencies in Canada and the United States.

REvil/Sodinokibi Ransomware Specifically Targeting Food and Beverages Organizations



REvil, also known as Sodinokibi ransomware was first spotted in April 2019, it attacks Windows PCs to encrypt all the files on local drives (besides those enlisted in their configuration file) and leaves a ransom note on affected systems with instructions to get the files decrypted in turn of the demanded ransom. It shares a similar code as GandCrab ransomware and is said to be distributed by the authors of the aforementioned ransomware which saw a steep decline in its activity with the arrival of REvil. The claim regarding similarity was based on observations made by experts that point towards an identical set of techniques used in attacks, similar countries targeted, and the language.

The ransomware strain exploits an Oracle WebLogic vulnerability to elevate privileges and in order to generate and propagate encryption keys; REvil makes use of an Elliptic-curve Diffie Hellman key exchange algorithm. Let’s take a look at its latest activities.

As per sources, the ransomware tries not to attack systems belonging to Iran, Russia other countries that were once a part of the Soviet Union. However, it has affected a number of organizations across various other regions. In the year 2020, REvil attackers have limited their infection to North American and Western European organizations, targeting National Eating Disorders Association, Agromart Group, etc, and Atlas Cars, Plaza Collection, etc respectively.

The ransomware operators have developed a special interest in the manufacturing sector; food and beverage distributing businesses have seen an unprecedented number of ransomware attacks lately. The top targets from the industry include Harvest Food Distributers, Brown Forman Daniel’s, Sherwood Food Distributers, and Lion. Other industries that were heavily targeted by REvil range from media, retail, entertainment, health, IT, transport, real estate, government, energy, and non-profit.

How does it operate?

REvil begins with exploiting the CVE-2018-8453 vulnerability and proceeds to eliminate resource conflicts by terminating blacklist processes before the process of encryption. It wipes the contents of blacklisted folders and then encrypts files on local storage devices and network shares, finally exfiltrating basic host information.

Initially, REvil was noticed to be attacking businesses by exploiting vulnerabilities, But, since the past year, the operators have started employing common infection vectors namely phishing and exploit kits.

Windows Security Warning- Ransomware is Rapidly Growing and Got Difficult to Guard Against




Security experts are predicting an unusual rise in ransomware attacks and a strategic change in the cybercrime ecosystem which is directed to evade detection and fail the existing defense mechanisms against it. As the ransomware attacks will expand in scale with a heightened influence, few dominant players currently present are expected to disperse themselves into multiple smaller ones.

Ransomware infects the victim's computer by locking down the hard drive and encrypting the data present onto the system, then the attacker asks the victim to pay the demanded ransom in due time and if the victim fails to do so, the data is gone forever. The virus spreads across infected networks via a worm and encrypts several machines in a row. After an in-depth analysis of various 'Windows security threats' such as coin miners, file-less malware, ransomware, PUAs, banking Trojans, Global cybersecurity company, Bitdefender concluded that out of all, the threat posed by ransomware is growing rapidly. Reportedly, it has grown 74 percent, year on year. GandCrab had been one of the most prevalent and sophisticated ransomware since its arrival in 2018, it kept on strengthening its defense and upgrading its delivery methods to bypass detections. After its death, ransomware experienced its first and indeed a steep fall in the cybercrime ecosystem in terms of severity of a particular threat. However, a new birth means several new players will enter the scene and might hit the security layers even harder than GandCrab, experts have the potential candidates under the radar. One such threat is being anticipated from 'Sodinokibi (aka REvil or Sodin)'.

The upsurge in ransomware attacks in 2019 has led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to declare that it was nearing to qualify as a "large-scale cyber event." According to an August 2019 publication, ransomware "has rapidly emerged as the most visible cybersecurity risk playing out across our nation's networks."

"The fall of GandCrab, which dominated the ransomware market with a share of over 50 percent, has left a power vacuum that various spinoffs are quickly filling. This fragmentation can only mean the ransomware market will become more powerful and more resilient against combined efforts by law enforcement and the cybersecurity industry to dismantle it," the report reads.

Free Scheme, 'The No More Ransom Project' Saving Thousands from Ransomware Attacks


A free scheme known as, 'The No More Ransom project' which was founded by Europol, police in the Netherlands, and McAfee is recorded to have prevented cyber-attack victims from paying heavy ransoms and assisted over 200,000 people in saving approximately $108m (£86m).

Along with advice and recommendations, the project delivers software which is configured to recover computer files that get encrypted during ransomware attacks.

With the introduction of 14 new tools in the year 2019 itself, the project having over 150 global partners can now decrypt a total of 109 variants of infection.

Referencing from the explanation given by, Steven Wilson, head of Europol's European Cybercrime Centre (EC3), “When we take a close look at ransomware, we see how easy a device can be infected in a matter of seconds. A wrong click and databases, pictures and a life of memories can disappear forever. No More Ransom brings hope to the victims, a real window of opportunity, but also delivers a clear message to the criminals: the international community stands together with a common goal, operational successes are and will continue to bring the offenders to justice.”

The project made determined and successful efforts to take down various ransomware campaigns including  GandCrab, which is amongst one of the most hostile ransomware campaigns of all time.

GandCrab continued making headlines in 2018 and in 2019, the cyber world saw an upsurge in the number of ransomware attacks targeting large organizations.

Commenting on the matter, Mr. Woser told BBC, "Projects like No More Ransom have been crucial when it comes to fighting ransomware on a global level, with pretty much all major parties cooperating on a global and daily basis, sharing intel[igence] in real-time - except for the US.

"The US should consider the success of the No More Ransom Project to be a call to action.

"Better cooperation between the private sector and law enforcement could result in fewer ransom demands being paid.

"That would make cyber-crime less profitable and, consequently, reduce the financial incentive for groups to commit cyber-crime."




Authors of GandCrab Ransomware Terminating their Operations after Making $2 Billion in Ransom Payments



The operators of Gandcrab ransomware are continuously maintaining and developing the ransomware and have released five different variants with no major difference between any two versions and the ransomware is known to be extra secured as it uses the “.bit” top-level domain which is not sanctioned by ICANN.

Gandcrab was distributed via various vectors that include exploit kits, spam mail, affiliated malware campaign and other social engineering methods. Along with plenty of malicious spam emails, attackers resort to ‘GrandSoft’ and ‘RIG’, two of the most popular exploit kits in order to distribute GandCrab. These spam emails are configured to befool users and make them download a script which further will download the ransomware and execute it.

Researchers have found that Gandcrab authors have made over $2billion from ransom payments, averaging around 2.5 million dollars per week. As per the observations made by David Montenegro and Damian, the owners of the ransomware told that they are to put their operations to an end now, after earning huge chunks of money (more than 150 million dollars a year) and cashing it out through legitimate sources.

The operators have discontinued the promotions of the ransomware and asked the concerned affiliates to terminate the distribution of the ransomware within the next 20 days. They have also asked the victims to pay the ransom; otherwise, the key will be deleted. However, it’s still a matter of question that whether the keys will be released after the authors shut down their operations.

Although, ransomware has been a constant threat in the field of cybersecurity for a long time but now it’s even deadlier due to the efforts invested by the threat actors in its development. Users are advised to stay equipped with products like ‘Acronis True Image 2019’ in order to stay protected against such ransomware attacks.