Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Ransom Payment. Show all posts
Technology
Critical Infrastructure Ransom Payment Ransomware Sophos Technology

How Ransomware is Draining Resources from Critical Infrastructure

How Ransomware is Draining Resources from Critical Infrastructure

The Rising Cost of Ransomware Attacks on Critical Infrastructure

The costs of ransomware attacks on critical national infrastructure (CNI) firms have soared over the last year.

According to Sophos' newest numbers, which were revealed today, the typical ransom payment increased to $2.54 million, more than 41 times last year's total of $62,500. The mean payment for 2024 is considerably greater, at $3.225 million, representing a less dramatic 6-fold rise.

IT, technology, and telecoms were the least likely to pay large sums to hackers, with an average payment of $330,000, but lower education and federal government organizations reported the highest average payments of $6.6 million.

The figures are based solely on ransomware victims who were willing to reveal the specifics of their mistakes, thus they do not provide the full picture.

The Escalating Financial Burden

Only 86 of the 275 CNI organizations surveyed provided statistics on ransom payments. There's a significant risk that the results would be distorted if all of the CNI ransomware victims polled were completely upfront with their information.

Costs to recover from ransomware attacks have also increased dramatically since the researchers' findings last year, with some CNI industries' costs quadrupling to a median average of $3 million per event.

The Impact on Critical Infrastructure

According to the report, only one in every five people were able to recover in a week or less, down from 41 percent the previous year and 50 percent the year before that. The percentage of victims who take more than a month to recuperate has also increased to 55%, up from 36% last year. 

Sophos stated in its analysis that this could be due to attacks getting more sophisticated and complicated, requiring more work from the IT team to effectively repair all of the damage caused by the crimes. However, the vendor's global field CTO, Chester Wisniewski, believes the industries should reevaluate their propensity to pay ransoms.

Read more »
Ransom Payment
Crypto Extortion Threats Cyber Attacks Data Theft Gaming Publisher Ransom Payment

Cyber Criminals Seek $2 Million in Bitcoin After Siphoning Insomniac Games Data

 

The Rhysida hacker group is believed to have carried out a cyberattack against Insomniac Games and is now demanding a ransom, starting at 50 Bitcoin, or more than $2 million. Sony, which owns the Spider-Man 2 and Ratchet & Clank franchises, is actively investigating the incident. 

“We are aware of reports that Insomniac Games has been the victim of a cyber security attack. We are currently investigating this situation,” Sony stated. “We have no reason to believe that any other SIE or Sony divisions have been impacted.”

Rhysida hackers have given Insomniac a week to respond to their demands, but the alleged cyber attackers have already started auctioning off the data to the highest bidder, starting at 50 BTC.

"With only 7 days to go, seize the opportunity to bid on exclusive, one-of-a-kind, and impressive data," the hackers wrote on their leak site. "Open your wallets and prepare to purchase exclusive data."

"We only sell to one person, no resale, and you will be the exclusive owner!" The Rhyisda group has also been held accountable for breaches at a UK hospital and the British Library this year.

Back in 2021, Insomniac initially revealed their Wolverine game. However, it's not the first game to experience a cyberattack leading to leaks of the game. 

Around ninety-nine bits of Grand Theft Auto 6's content were leaked by hackers to Rockstar Games in 2022. Later, Rockstar Games confirmed the attack, and the teenage hacker was found guilty in August in the United Kingdom of fraud and extortion among other charges. 

This year has also seen hackers steal data from Sony. According to SecurityWeek, Sony acknowledged in October that hackers known as RansomedVC had infiltrated all of Sony's computer systems and announced plans to sell stolen items. 

A cybersecurity firm estimated that the Sony hack may have affected over 62 million users, but the number of people affected by the Insomniac hack is presently unknown.
Read more »
Russian Gang
Cyber Attacks Extortion Group Ransom Payment Ransomware Russian Gang

Black Basta's Ransom Money Surpasses $100 million in Less Than Two Years

 

Researchers have discovered that since the Black Basta ransomware gang first surfaced early last year, victims of its double-extortion attacks have paid the gang more than $100 million. With the haul, which included taking over $1 million from at least 17 victims and $9 million from one victim, the Russian-affiliated gang is now among the highest-ranking ransomware operators. 

Blockchain analytics startup Elliptic and cyber insurance provider Corvus claimed in a joint research post published on November 29 that Black Basta had targeted at least 329 organisations and had received payments totaling at least $107 million from over 90 victims. The researchers said that based on the number of victims in the 2022–2023 period, the gang was the fourth most active strain of ransomware. 

“It should be noted that these figures are a lower bound – there are likely to be other ransom payments made to Black Basta that our analysis is yet to identify – particularly relating to recent victims,” the researchers explained. 

In June, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory stating that LockBit, a "prolific" rival gang, had received $91 million from victims in the United States between early 2020 and mid-2023, which puts the group's earnings into perspective. This year, Black Basta has taken down major victims such as ABB, a Swiss technology company, Capita, a British outsourcing company, and Dish Network. 

The gang is thought to have split off from the Conti Group, a notorious ransomware operator that disbanded last year. It employs double-extortion techniques, stealing confidential information from victims, encrypting their networks, and threatening to release the data if a ransom isn't paid. Qakbot malware was frequently used to spread the Black Basta ransomware. 

According to the Elliptic and Corvus report, Qakbot's botnet was taken down by authorities in August, which could account for the notable decline in Black Basta attacks in the second half of the year. Elliptic researchers discovered links between Black Basta and Qakbot on the Bitcoin blockchain, with parts of ransoms paid to Black Basta being transferred to Qakbot wallets. 

“These transactions indicate that approximately 10% of the ransom amount was forwarded on to Qakbot, in cases where they were involved in providing access to the victim,” the researchers added. “Our analysis of Black Basta’s crypto transactions also provides new evidence of their links to Conti Group. In particular, we have traced Bitcoin worth several million dollars from Conti-linked wallets to those associated with the Black Basta operator.”
Read more »
Sophos report
Cyber Attacks cybercriminals Cybersecurity Ransom Payment Ransomware recovery cost Retail Industry security measures Sophos report

Report: Retailers Face Challenges in Coping with Ransomware Attacks

 

In a disconcerting revelation, a recently released report suggests that retailers are finding themselves increasingly outmatched in the ongoing battle against ransomware operators. Conducted by cybersecurity experts Sophos, the survey enlisted the perspectives of 3,000 IT and cybersecurity leaders from small and medium-sized businesses (SMBs) and enterprises worldwide, with a particular focus on 355 respondents hailing from the retail sector. 

The findings are rather sobering, indicating that a mere 26% of retailers were successful in thwarting a ransomware attack before succumbing to having their valuable data encrypted. This figure represents a noticeable decline from the preceding year's 28%, and even more starkly from the 34% recorded two years prior.

Chester Wisniewski, the Director of Global Field CTO at Sophos, sounds a cautionary note, deeming the survey a resounding wake-up call for organizations within the retail industry. His message is clear: retailers must urgently fortify their security measures in the face of the escalating ransomware threat.

The report also sheds light on the protracted recovery process faced by victims who opt to meet the ransom demand. Among those who acquiesced, the median recovery cost, excluding the ransom payment itself, surged to four times that of those with a functional backup, reaching a staggering $3 million compared to $750,000. 

Approximately 43% of victims opted to pay the ransom, prompting Wisniewski to caution against shortcuts, underscoring the imperative of rebuilding systems to prevent cybercriminals from reaping the rewards of their malicious activities.

While there is a glimmer of optimism for retailers in the report - the percentage of firms targeted by ransomware threats dropped from 77% to 69% compared to the previous year - the recovery times have taken a hit. The proportion of companies able to recover in less than a day dwindled from 15% to a mere 9%, while those grappling with recovery periods exceeding a month increased from 17% to 21%.

Ransomware, as the report highlights, typically gains entry through the actions of unwitting employees, such as downloading malware or inadvertently providing attackers access to crucial endpoints. 

Consequently, the report underscores the critical importance of comprehensive employee education regarding the perils of cyberattacks. In addition to fostering employee awareness, safeguarding against ransomware necessitates strategic measures such as regular backups of critical systems and data, coupled with the implementation of robust endpoint protection services. The call to action is clear - retailers must fortify their cybersecurity defenses comprehensively to navigate the evolving threat landscape successfully.
Read more »
Ransomware attack
Cyber Attacks Incident response MGM Resort Ransom Payment Ransomware attack

Cyberattack Responses at MGM and Caesars Required Brutal Actions

 

Twin assaults on MGM Resorts and Caesars Entertainment have offered an unusual perspective at what happens when two comparable organisations, under similar attack by the same threat actor, use divergent incident response techniques. 

Both parties in this case were the victims of a cyberattack called Scattered Spider /ALPHV. Caesars was able to resume operations very soon after engaging in a fast negotiation with the cyber attackers and paying a $15 million ransom demand. 

However, MGM firmly refused to pay and only recently declared that its operations had resumed after more than 10 days of operational downtime at its hotels and casinos, costing the company tens of millions of dollars in lost income. 

Although it may be tempting to judge which strategy was superior, experts believe that any direct comparison of the Caesars and MGM responses to the incident is oversimplified. 

As an example, Rob T. Lee, chief curriculum director and faculty lead at SANS Institute, emphasises that the fundamental idea behind incident response is to strive to make the "least worst decision." And this is typically a difficult choice with both favourable and unfavourable (some would say harsh) consequences.

He explains, "many business decisions can go into that. Only once an incident is over can you see different paths that could have led to different or at least worse outcomes. There is no 'win' in these situations, only decisions that can prevent it from worsening."

Caesars or MGM: Who was right? It's complex 

One of those difficult decisions incident responders are pressed to make under pressure is whether or not to pay a ransom after a hack. It is commonly known that paying a ransom does not ensure data security or system restoration.

Even worse, it encourages more attacks by establishing a market for these cybercrimes. Business risk decisions, however, don't always boil down to black-and-white choices of right or wrong, and expediency is always a factor.

"Caesars' more rapid recovery post-ransom might give the impression they made a better decision," stated Callie Guenther, senior manager of cyber threat research at Critical Start. "From a business continuity perspective, their decision to pay might seem effective." 

The chief security scientist of Delinea and advisory CISO Joseph Carson argues that there are other issues at play. Companies that deliberate over their choices may come to the conclusion that forgoing payment makes more sense. 

According to his observations, organisations only have a four-day opportunity to reach a compromise with ransomware threat actors before views on both sides harden. After that, ransomware attackers often lose patience and enterprise security teams tend to grow entrenched in their positions. 

Another factor to consider is the cost of recovery. If recovery is unsettling but only costs a few million dollars, it may be a better option than an eight-figure extortion payment, Carson added.
Read more »
Victims
data security malware Ransom Ransom Payment Ransomware Safety Victims

Ransomware Profits Shrink, as Victims Refuse to Pay

 

As per data from blockchain analysis firm Chainalysis, ransomware revenue for 2022 has dropped from $765.6 million to at least $456.8 million, representing a -40.3% year-over-year drop. The number of attacks is as high as it has ever been, but the number of victims who refuse to pay the ransom has increased as well. 

Working with Coveware, Chainalysis has observed a significant decrease in the number of ransomware victims willing to pay: 76% in 2019, but only 41% in 2022. According to Chainalysis, this is a "highly encouraging" trend that is likely influenced by a variety of factors. 

Ransomware victims have realized that even if they pay the ransom, there is no guarantee that their data will be handed back or that the ransomware actor will delete the "stolen" files instead of selling them on the dark web. But since the public perception of the ransomware phenomenon has matured, data leaks no longer pose the same risks to brand reputation as they did in previous years.

Companies and government agencies, which are the primary targets of modern ransomware operations, have also improved their backup strategies, making data recovery a much cleaner and easier process than it was only a few years ago.

Insurance companies are also much less likely to permit their customers to use an insurance payout to satisfy a ransom demand. Eventually, because many ransomware operations are based in Russia, victims who choose to pay may face harsh legal consequences as a result of the country's economic sanctions following the invasion of Ukraine.

Despite the fact that victims are not paying as much as they used to, the ransomware industry is far from dead: in 2022, the average lifespan of file-encrypting-malware strains has dropped from 153 days to just 70 days year on year. The "Conti" ransomware operation ended, while other ransomware-as-a-service (raas) operations, such as Royal, Play, and BlackBasta, went live. At the end of 2022, LockBit, Hive, Cuba, BlackCat, and Ragna were still in business (and still demanding ransom payments).


Read more »
User Security
Cyber Attacks Data Encryption Extortion Scheme Ransom Payment ransomware attacks User Security

Ransomware Gangs are Starting to Forego Encryption

 

Criminal organisations are now employing a new strategy to ensure ransomware payouts: they skip the step of encrypting target companies' systems and instead go straight to demanding the ransom payment for the company's valuable data.

Malicious hackers are constantly looking for less-flashy but still effective ways to continue their ransomware attacks as law enforcement's focus on the problem grows.

Typically, a ransomware attack begins with the installation of malware that encrypts files onto a company's networks, followed by the appearance of a ransom note on each screen.

By concentrating only on data extortion, hackers can launch their attacks more quickly and without the need for encryption tools, which can occasionally go down in the middle of an attack. 

According to Drew Schmitt, a principal threat analyst at GuidePoint Security, law enforcement is also more interested in looking into attacks that use encryption because it results in more damage.

Schmitt added that businesses that have strong endpoint security tools, firewalls, ongoing monitoring, and security plans that restrict employees' access to internal files will be the most successful at thwarting ransomware attacks.

Security leaders must know how to lessen the effects of a ransomware attack. Here are a few of our suggestions: 

  • Keep encrypted backups of your data offline and make sure that your team consistently performs backups. Additionally, your team should prioritise restoring all crucial systems and data first and routinely test backups to determine how long data restoration efforts will take. 
  • Make it a company-wide rule that no device should be used to store corporate data locally. Unlike data stored in the cloud, if a device is infected, you risk losing all locally stored data. 
  • To prevent ransomware from spreading to other network devices, immediately isolate the infected device.
  • If at all possible, determine the type of ransomware used and/or the threat actors who carried out the attack to see if a decryption key may already be in existence. Engage an external incident response provider with digital forensics capabilities to lead the charge if you lack the expertise to carry out this investigation internally. 
  • Your team should have the relevant source code or executables backed up in addition to system images (or escrowed, have a licence agreement to obtain, etc.) so that you don't lose the application code entirely if the ransomware infection affects it. 
Read more »
WordPress Plugin
Cyber Attacks Ransom Attack Ransom Payment Ransomware WordPress WordPress Plugin

WordPress Sites Hacked in Fake Ransomware Attacks

 

A new wave of cyberattacks began late last week, hacking over 300 WordPress sites and displaying fraudulent encryption notifications in an attempt to mislead site owners into paying 0.1 bitcoin for recovery. 

These ransom requests include a countdown timer in order to create a feeling of urgency and perhaps terrify a web administrator into paying the ransom. While the 0.1 bitcoin ($6,069.23) ransom demand is little in contrast to what is seen in high-profile ransomware operations, it may still be a significant sum for many website owners. 

Sucuri, a cybersecurity firm hired by one of the victims to conduct incident response, identified these attacks. The researchers revealed that the websites had not been encrypted, but rather that the threat actors had altered an installed WordPress plugin to show a ransom message and countdown when the page was accessed. 

In addition to presenting a ransom note, the plugin would change the 'post status' of all WordPress blog entries to 'null,' leading them to become unpublished. As a result, the cyber actors developed a simple but strong illusion that gave the impression that the site had been encrypted. 

The site was restored to its usual state after deleting the plugin and running a command to republish the posts and pages. Sucuri discovered that the first place where the actor's IP address showed in the network traffic records was the wp-admin panel. This suggests that the infiltrators gained access to the site as administrators, either by brute-forcing the password or by obtaining stolen credentials from dark web markets. 

This was not an isolated attack, but rather part of a larger campaign, giving legitimacy to the second scenario. Sucuri discovered a plugin called Directorist, which is a tool for creating online company directory listings on websites. 

Sucuri has identified around 291 websites hit by this attack, with a Google search revealing a mix of cleaned-up and still-displaying ransom letters. All of the sites BleepingComputer found in search results utilise the same Bitcoin address, 3BkiGYFh6QtjtNCPNNjGwszoqqCka2SDEc, which has not received any ransom payments. 

Safeguarding against website encryptions

Sucuri recommends the following security procedures to keep WordPress sites safe from hackers: • Review the site's admin users, delete any fraudulent accounts, and update/change any wp-admin passwords. 
  • Protect the wp-admin administrator page. 
  • Modify the passwords for all other access points (database, FTP, cPanel, etc). 
  • Protect your website using a firewall. 
  • Adhere to dependable backup techniques that will make restoration simple in the event of a genuine encryption incident. 
Because WordPress is frequently targeted by threat actors, it is also critical to ensure that all of your installed plugins are up to date. 

BleepingComputer was notified about a recent fix for the Directorist plugin, which addressed an issue that enabled low-privilege users to run arbitrary code. While Sucuri's analysis does not identify the plugin as an infiltration point, the presence of this vulnerability makes sense in the context of the specific assault. 

This also implies that eradicating the virus and restoring the site would not prevent the attackers from striking again as long as the Directorist plugin is still in an older, vulnerable version.
Read more »
Subscribe to: Posts (Atom)