
Lockean Multi-ransomware Hitting French Companies--CERT-FR


France’s Computer Emergency Response Team (CERT-FR) has detailed the tools and tactics used by a ransomware affiliate group named Lockean. Over the past two years the group has continuously targeted French companies; at least eight are reported to have suffered large-scale data breaches. The group steals data and deploys malware from multiple ransomware-as-a-service (RaaS) operations.

According to the report, the companies victimized by this group include the transportation logistics firm Gefco, the newspaper Ouest-France and the pharmaceutical groups Fareva and Pierre Fabre, among others.

“Based on incidents reported to the ANSSI and their commonalities, investigations were carried out by the Agency to confirm the existence of a single cybercriminal group responsible for these incidents, understand its modus operandi and distinguish its techniques, tactics, and procedures (TTPs…” 

“…First observed in June 2020, this group named Lockean is thought to have affiliated with several Ransomware-as-a-Service (RaaS) including DoppelPaymer, Maze, Prolock, Egregor, and Sodinokibi. Lockean has a propensity to target French entities under a Big Game Hunting rationale,” reads the report published by CERT-FR.

Lockean was first spotted in 2020, when the group targeted a French manufacturing company and executed DoppelPaymer ransomware on its network. Between June 2020 and March 2021, Lockean compromised at least seven more companies’ networks with various ransomware families, including Maze, Egregor, REvil and ProLock.

In most of the attacks, the group gained initial access to the victim network through the Qbot/QakBot malware and then used the post-exploitation tool Cobalt Strike. Qbot/QakBot is a banking trojan that has shifted to distributing other malware, including the ransomware strains ProLock, DoppelPaymer and Egregor, CERT-FR said.

The group used the Emotet distribution service in 2020 and TA551 in 2020 and 2021 to deliver QakBot via phishing emails. It also used several tools in support of data exfiltration, including AdFind, BITSAdmin, BloodHound and RClone.

Ransomware Hits US Defense Contractor BlueForce

A ransomware attack has hit U.S. defense contractor Blueforce, according to a Hatching Triage sample and a Conti ransomware negotiation chat. The Hatching Triage page contained a ransom note apparently left by an attacker who hit the victim with the Conti ransomware strain. TechTarget's sister website LeMagIT found the sample and passed it to SearchSecurity.

The note stated that all of the victim's files had been encrypted by CONTI ransomware, told the victim to search for the name if they were unfamiliar with the strain, and claimed that the data could not be restored by any method unless the victim contacted the group directly.

It warned that attempting recovery with third-party software would damage the files, and told the victim to proceed at their own risk. "Conti ransomware was first reported in mid-2020, and like many other modern ransomware families, it extorts victims by not only encrypting data but threatening to publish it, too. Recent Conti victims include several London schools, as well as fashion retailer FatFace. It was also a member of the Maze ransomware cartel when it was active," said SearchSecurity. The note also included a .onion link and a standard URL to an active chat between a Blueforce negotiator and the Conti actor.

Blueforce is a Virginia-based contractor that positions itself as a nexus between the Department of State (DoS) and the Department of Defense (DoD), combining interagency, international development and cross-functional defense expertise. The chat dates back to April 9, when the actor asked whether the target was willing to negotiate. About two weeks later the victim replied, saying all its files were encrypted and asking for help.

The attacker asked the victim to identify itself. Blueforce responded last week, asked what the next steps were, and enquired whether any data had been encrypted. According to SearchSecurity, "the threat actor responded in the affirmative and demanded 17 bitcoins (worth nearly $969,000 as of this writing). In addition, the response included a list and data pack of files to verify that Conti had breached the company and exfiltrated data. The chat has not been updated since."

Maze/Egregor Ransomware Earned over $75 Million


Researchers at Analyst1 estimate that the Maze/Egregor ransomware cartel has collected at least $75 million in ransom payments to date. This is a lower bound: the true figure is likely higher, since not every victim discloses having paid. While the group is currently crippled, it pioneered numerous innovations in the ransomware space.

“We believe this figure to be much more significant, but we can only assess the publicly acknowledged ransom payments. Many victims never publicly report when they pay a ransom,” security firm Analyst1 said in a 58-page report published this week. 

Analyst1's discoveries are in accordance with a similar report from blockchain analysis firm Chainalysis, which listed the Maze group as the third most profitable ransomware operation — behind Ryuk and Doppelpaymer. 

The now-defunct Maze group was a pioneer in its time. It started in mid-2019, shut down for unclear reasons before the end of last year, and then resurfaced as Egregor ransomware; most of the code, the operating model and other clues indicate that Egregor is the Maze group under a new name. The group ran a Ransomware-as-a-Service (RaaS) operation, letting other cybercrime actors rent access to its ransomware strain. These customers, known as affiliates, would breach organizations and deploy the Maze ransomware to encrypt files and extort payments.

While many ransomware groups ran similar RaaS schemes, Maze became notorious in December 2019 for creating a “leak site” where it regularly listed the organizations it had infected, a novelty at the time.

The rebranding did not hurt the group's success. Maze and Egregor ranked as the second and third most active RaaS operations on the market, accounting for almost a quarter of all victims listed on leak sites last year. According to Analyst1's report published this week, this heightened activity also translated into financial gains, based on transactions the company was able to trace on public blockchains.

This success also drew the attention of law enforcement, which began investing heavily in investigating and tracking the group. The Maze/Egregor group is currently on hiatus, having halted operations after French and Ukrainian authorities arrested three of its members in mid-February, including one from its core team.

Maze Ransomware: Exfiltration and Extortion


New research by New Zealand security firm Emsisoft has found that a cyber-extortion tactic first used by the MAZE ransomware gang has been adopted by over a dozen other criminal groups. First observed in May 2019, Maze was initially part of steady but unremarkable extortion campaigns. More recently there has been a sizable uptick in Maze campaigns, including numerous high-profile attacks. The attackers behind Maze have previously claimed credit for attacks on both Allied Financial and the City of Pensacola, Florida.

Emsisoft declared a ransomware crisis in December 2019, and its most recent ransomware report shows that this class of malware severely affected the United States in 2020. Emsisoft threat analyst Brett Callow described the numbers in "The State of Ransomware in the US: Report and Statistics 2020" as "pretty grim."

At least 2,354 US government bodies, healthcare providers and schools were affected by ransomware last year, including 113 federal, state and municipal governments and agencies, 560 healthcare facilities, and 1,681 schools, universities and colleges. Researchers noted that the attacks caused significant, and in some cases life-threatening, disruption: ambulances carrying emergency patients had to be rerouted, cancer treatments were delayed, lab test results were inaccessible, hospital workers were furloughed and 911 services were interrupted.

In 2020, MAZE became the first ransomware group observed exfiltrating data from its victims and using the threat of publication as additional leverage to coerce payment. According to a November report by Coveware, some ransomware gangs that exfiltrate data do not delete it even after receiving a ransom; Coveware observed REvil (Sodinokibi) demanding a second payment for stolen data it had already been paid to delete.

Maze ransomware does not simply demand payment for a decryptor; it also exfiltrates victim data and threatens to leak it publicly if the target does not pay. This “double whammy” adds further pressure on the victim to give in to the criminals’ demands. The onus is now on organizations to have security controls proven to stop ransomware from executing in the first place, since restoring data from a backup does not protect them from the leak.

Factories have become a major target for malware attacks

In the third quarter, the industrial sector was attacked by various hacker groups, including RTM and TinyScouts, as well as by ransomware operators. For example, according to Positive Technologies, the operators of the Maze ransomware conducted a successful attack on Hoa Sen Group, the largest manufacturer of steel sheets in Vietnam. During the attack, employees' personal data, internal correspondence and other confidential information were stolen.

"This year, the vast majority of criminal groups switched to working with encryption programs since attackers realized that they can earn no less than in the case of a successful attack on a bank, and technical execution is much easier," explained Anastasiya Tikhonova, head of APT Research at Group-IB.

According to her, more groups and partner programs have joined the "big game hunt".

"The size of the ransom has also increased significantly: cryptolocker operators often ask for several million dollars, and sometimes even several tens of millions. For example, the OldGremlin group, consisting of Russian-speaking hackers, actively attacks exclusively Russian companies: banks, industrial enterprises, medical organizations and software developers," explained Tikhonova.

The expert believes that the weakest link in the information security chain is still the human. "There are examples when an operator of a large industrial enterprise got bored, wanted to listen to music, and plugged a 3G modem directly into the USB port of the SCADA control and monitoring system. And how many 'trusted laptops' were there that employees brought from a business trip," concluded Tikhonova.

She also believes that the danger of Internet of Things (IoT) devices is that even experienced engineers find it hard to detect a compromise. Target systems are assembled from a large number of devices, and it is almost impossible to monitor and respond to security events and threats without additional tooling and staff.

Cognizant Reveals Employees Data Compromised by Maze Ransomware


Leading IT services company Cognizant was hit by a Maze ransomware attack in April this year that made headlines for its severity, with the company confirming a revenue loss of $50-$70 million. In the wake of the attack, Cognizant sent its clients an email advisory recommending that they disconnect from its systems for as long as the incident persisted.

Cognizant is one of the world's leading IT services companies, headquartered in New Jersey (US). It started in 1994 as a service provider to Dun & Bradstreet companies worldwide and became independent in 1998 when D&B split into three, with one group of companies coming under the Cognizant corporation. Since then it has grown rapidly, making a name for its consulting and operations services.

The threat actors carried out the attack between 9 and 11 April. During those three days of service disruption, the operators exfiltrated a considerable amount of unencrypted data, including employees' credit card details, tax identification numbers, social security numbers, passport data and driving licence information.

Giving further details of the incident in its SEC filing, Cognizant said, “Based on the investigation to date, we believe the attack principally impacted certain of our systems and data.”

“The attack resulted in unauthorized access to certain data and caused significant disruption to our business. This included the disabling of some of our systems and disruption caused by our taking certain other internal systems and networks offline as a precautionary measure.”

“The attack compounded the challenges we face in enabling work-from-home arrangements during the COVID-19 pandemic and resulted in setbacks and delays to such efforts,” the filing read.

“The impact to clients and their responses to the security incident have varied,” the company added.

Conduent's European Operations Hit by Maze Ransomware, Data Stolen


Conduent, a business process outsourcing company, has confirmed that its European operations were disrupted by a ransomware attack on Friday. In its immediate response, the IT services giant restored most of the affected systems within eight hours of the incident.

Security software company Emsisoft and threat intelligence firm Bad Packets both assessed it as highly likely that Conduent was attacked by Maze ransomware.

What is a Maze ransomware attack?

Maze is a sophisticated strain of Windows ransomware that not only encrypts individual systems but also spreads across the whole network, infecting each machine. Maze operators attack organizations around the globe and demand a ransom in cryptocurrency for recovery of the encrypted data.

It is the same ransomware that attacked IT services company Cognizant on April 18. Although the New Jersey-headquartered company chose not to share many details about the incident, it said that its services were disrupted and that internal security teams were taking active measures to contain the impact. Reportedly, some of the company's employees were locked out of the mail systems as a result of the attack.

In Conduent's case, the threat actors posted online two zip files that, according to Emsisoft's assessment, appear to contain data about the company's services in Germany. The files were published on the Maze ransomware leak site.

The company's operations were disrupted at around 12:45 AM CET on Friday, May 29th, and by 10:00 AM CET that morning the systems had been restored. Conduent said its systems identified the ransomware, which was then addressed by its cybersecurity protocols.

Commenting on the Cognizant incident, Cognizant CFO Karen McLoughlin said, "While we have restored the majority of our services and we are moving quickly to complete the investigation, it is likely that costs related to the ransomware attack will continue to negatively impact our financial results beyond Q2."

In its statement confirming last week's attack, Conduent said: “Conduent's European operations experienced a service interruption on Friday, May 29, 2020.”

“Our system identified ransomware, which was then addressed by our cybersecurity protocols. This interruption began at 12.45 AM CET on May 29th with systems mostly back in production again by 10.00 AM CET that morning, and all systems have since then been restored. This resulted in a partial interruption to the services that we provide to some clients. As our investigation continues, we have on-going internal and external security forensics and anti-virus teams reviewing and monitoring our European infrastructure.”

However, Conduent did not answer questions about the data theft or about the findings of the two cybersecurity companies indicating it.

Ransomware evolving: Cybercriminals collaborating and auctioning data


Ransomware is fast becoming the most feared threat in the cyber world. Having started with simple encryption of the victim's computer and files, operators have now moved on to stealing and selling data. And it does not stop there: stolen data is now auctioned off to the highest bidder if the ransom is not paid.


The Sodinokibi/REvil group recently launched an auction site linked from its own blog. Its first auction offered files stolen from a Canadian agriculture company that had not paid the ransom, with a starting bid of $50,000 in Monero cryptocurrency.

Auction sites benefit the attackers in two ways: they create an additional monetization channel and they put further pressure on victims to pay the ransom. Even governments and cybersecurity vendors spend millions on this kind of data, employing people to trawl the dark web for sensitive information on high-profile individuals; now it can be bought directly from these auction sites.

The REvil group was also rumored to be selling files on pop singer Madonna, stolen from entertainment law firm Grubman Shire Meiselas & Sacks.

Brett Callow, a threat analyst at Emsisoft says, “The auctions may be less about directly creating revenue than they are about upping the ante for future victims. Having their data published on an obscure site is bad enough, but the prospect of it being auctioned and sold to competitors or other criminal enterprises may chill companies to the bone and provide them with an additional incentive to meet the criminals’ demands.” 

He also expects other ransomware groups to soon follow REvil with auction schemes of their own.

“REvil’s launch of [an] online auction was, in many ways, a logical and inevitable progression as ransomware groups constantly seek out new ways to monetize attacks and apply additional pressure to companies,” Callow said. “In the same way that other ransomware groups adopted [the Maze ransomware group’s] encrypt-and-exfiltrate strategy, it’s almost inevitable that other groups will also adopt REvil’s encrypt-exfiltrate-and-auction strategy.”

Joining Forces

Another tactic is joining forces: groups help each other and increase their combined threat. The infamous Maze group has partnered with LockBit (few financial details have been shared) and has even published LockBit's stolen data on its own leak site.

Maze has also announced that it is in talks with another ransomware group and may collaborate with a third ransomware operation.