Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Ransom note. Show all posts
Ransomware
Breach Cyber Attacks CyberCrime Cybersecurity Data Hacking Insider Threat Ransom note Ransomware

Cybercriminals Entice Insiders with Ransomware Recruitment Ads

 

Cybercriminals are adopting a new strategy in their ransomware demands—embedding advertisements to recruit insiders willing to leak company data.

Threat intelligence researchers at GroupSense recently shared their findings with Dark Reading, highlighting this emerging tactic. According to their analysis, ransomware groups such as Sarcoma and DoNex—believed to be impersonating LockBit—have started incorporating these recruitment messages into their ransom notes.

A typical ransom note includes standard details about the company’s compromised state, data breaches, and backup destruction. However, deeper into the message, these groups introduce an unusual proposition:

"If you help us find this company's dirty laundry you will be rewarded. You can tell your friends about us. If you or your friend hates his boss, write to us and we will make him cry and the real hero will get a reward from us."

In another instance, the ransom note offers financial incentives:

"Would you like to earn millions of dollars $$$? Our company acquires access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VP, corporate email, etc."

The note then instructs interested individuals on how to install malicious software on their workplace systems, with communication facilitated via Tox messenger to maintain anonymity.

Kurtis Minder, CEO and founder of GroupSense, stated that while his team regularly examines ransom notes during incident response, the inclusion of these “pseudo advertisements” is a recent development.

"I've been asking my team and kind of speculating as to why this would be a good place to put an advertisement," said Minder. "I don't know the right answer, but obviously these notes do get passed around." He further noted that cybercriminals often experiment with new tactics, and once one group adopts an approach, others tend to follow suit.

For anyone tempted to respond to these offers, Minder warns of the significant risks involved: "These folks have no accountability, so there's no guarantee you would get paid anything. You trying to capitalize on this is pretty risky from an outcome perspective."

GroupSense continues to analyze past ransomware communications for any early signs of this trend. Minder anticipates discovering more instances of these ads in upcoming investigations.
Read more »
Windows
Conti data security Escal Hack Data Linux LockBit malware Ransom note Ransomware Sfile STOP Windows

SFile (Escal) Ransomware Modified for Linux Attacks

 

The SFile ransomware, also known as Escal, has been ported to work and encrypt data on Linux-based operating systems by its developers. 

Attacks with this new Linux edition were discovered late last year, according to a report published last week by Chinese security firm Rising, which was substantiated by The Record with MalwareHunterTeam, one of the developers of the ID-Ransomware project. 

In February 2020, the SFile (Escal) ransomware was first observed in assaults. The first versions were exclusively designed to encrypt Windows systems. The ransomware has been deployed in targeted assaults against corporate and government networks for the previous two years. 

SFile is typically used in these attacks to encrypt data and leave a ransom note instructing victims to contact the attackers via one of three emails and negotiate a ransom for the decryption key. 

A SFile Linux variation was discovered late last year, following a typical trend in the ransomware ecosystem where groups have developed Linux versions of their payloads, with an encryption strategy identical to its original Windows variant but with a few modifications. 

The option to encrypt data depending on a time range, according to MalwareHunterTeam, was the most intriguing of these—as a way to encrypt current files, which may be more important for some victims and are often not included in recent backups. However, the SFile ransomware is one of the few instances where the victim's name appears in the extension appended to each encrypted file. 

Several Chinese firms were among the most recent victims of SFile assaults. According to the Rising report, one of these victims was Chinese IT business Nuctech, which was sanctioned by the US in late 2020 for giving air travel passenger information to the Chinese government—the company's name was identified in encrypted files in a sample discovered by Rising researchers. 

Despite the presence of a Linux variant, the number of SFile attacks is still limited in comparison to the operation of more well-known ransomware families like Conti, LockBit, Grief, and STOP.
Read more »
Websites
Corporate Data Exfiltration Data Extortion Data Hacking Double extortion malware Night Sky Ransom Ransom note Ransomware Tor Site Websites

Night Sky: New Ransomware Targeting Corporate Networks

 

The new year has brought with it new ransomware named 'Night Sky,' which targets corporate networks and steals data in double-extortion attacks. 

The Night Sky operation began on December 27th, according to MalwareHunterTeam, which was the first to identify the new ransomware. The ransomware has since published the data of two victims. 

One of the victims got an initial ransom demand of $800,000 in exchange for a decryptor and the promise that the stolen material would not be made public. 

How Night Sky encrypts devices

A sample of the Night Sky ransomware seen by BleepingComputer has a personalised ransom note and hardcoded login credentials to access the victim's negotiation page. 

When the ransomware is activated, it encrypts all files except those with the.dll or.exe file extensions. The ransomware will not encrypt the following files or folders: 
AppData
Boot
Windows
Windows.old
Tor Browser
Internet Explorer
Google
Opera
Opera Software
Mozilla
Mozilla Firefox
$Recycle.Bin
ProgramData
All Users
autorun.inf
boot.ini
bootfont.bin
bootsect.bak
bootmgr
bootmgr.efi
bootmgfw.efi
desktop.ini
iconcache.db
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
Program Files
Program Files (x86)
#recycle

Night Sky appends the.nightsky extension to encrypted file names while encrypting them. A ransom letter named NightSkyReadMe.hta is included in each folder, and it provides details about what was stolen, contact emails, and hardcoded passwords to the victim's negotiation page. 

Instead of communicating with victims through a Tor site, Night Sky employs email addresses and a transparent website that runs Rocket.Chat. The credentials are used to access the Rocket.Chat URL specified in the ransom note. 

Double extortion tactic: 

Before encrypting devices on the network, ransomware operations frequently grab unencrypted data from victims. Threat actors then utilize the stolen data in a "double-extortion" scheme, threatening to leak the information unless a ransom is paid. 

Night Sky built a Tor data leak site to leak the data of victims, which now contains two victims, one from Bangladesh and the other from Japan. While there hasn't been much activity with the new Night Sky ransomware operation, one should keep a watch on it as we enter the new year.
Read more »
Subscribe to: Posts (Atom)