DragonForce Asserts Dominance Over RansomHub Ransomware Network

 


DragonForce, a ransomware group reportedly operating in the Middle East and North Africa (MENA) region, is reported to have launched a series of targeted attacks against companies in the Kingdom of Saudi Arabia (KSA) amid escalating cyber threats throughout the region. One of the most significant incidents involved a real estate and construction company based in Riyadh, underscoring the group's commitment to high-value targets within critical sectors.

This development comes amid a recent increase in the sophistication of cyberattacks targeting major companies and vital infrastructure around the region. The breach demonstrates the increasing capabilities of threat actors such as DragonForce and emphasizes the need for enhanced vigilance and preparedness among cybersecurity professionals and law enforcement agencies within the Kingdom of Saudi Arabia and its surrounding countries.

Experts anticipate that, as the group's tactics continue to be effective, it will expand geographically beyond MENA. The incident has implications beyond the immediate victims: it is a cautionary marker of a rapidly evolving threat landscape and a warning of threats that global digital security systems may face in the future.

Cyble, a cybersecurity firm, has confirmed that a threat actor known as DragonForce recently posted a message on the RAMP cybercrime forum announcing a new “project.” This announcement was later mirrored on DragonForce's onion-based data leak site (DLS), marking the beginning of a new operational infrastructure for DragonForce. As part of this initiative, DragonForce launched two new onion domains, both protected by CAPTCHA verification, in line with the group's traditional Tor-based deployment practices.

Interestingly, both of these sites prominently carry the branding of RansomHub, another ransomware group. While it is still unclear whether DragonForce has seized control of RansomHub or has just infiltrated its systems, Cyble has observed that RansomHub's onion site has been unavailable since March 31. This prolonged downtime has led to considerable speculation within the cybersecurity community as to whether DragonForce may be planning to acquire or hostilely take over the RansomHub infrastructure.

In addition to this development, DragonForce recently formally announced plans to expand its ransomware-as-a-service operations, in line with the group's broader strategy. As part of this initiative, the group introduced an affiliate-based model in which third-party actors, or “franchisees”, can operate under the DragonForce brand.

Under the new model, affiliates will reportedly be provided with comprehensive backend support, including anti-DDoS defences, advanced encryption protocols, and specialized toolkits that allow them to manage infections across a range of environments, including ESXi, NAS, BSD, and Windows. The group is investing significantly in infrastructure to attract and empower partners, thereby enhancing its overall reach and impact. By including features like encryption status monitoring and persistent communication mechanisms, the group is deliberately attempting to streamline operations and present a more organized, business-like ransomware platform to victims.

RansomHub's future remains uncertain: it may be fully absorbed under the DragonForce brand or continue to operate independently. Current indicators, however, suggest a possible consolidation within the ransomware ecosystem that may result in increased sophistication and coordination among cybercriminals.

Despite the increased competition in the ransomware-as-a-service (RaaS) market, DragonForce is positioning itself as a prominent player by offering its affiliates one of the most attractive commission structures on the dark web. This aggressive profit-sharing model, which lets partners keep up to 80% of ransom payments successfully extorted from victims, aims to attract skilled cybercriminals and build a loyal, results-driven affiliate network. A key component of DragonForce's communication strategy is TOX, a Tor-based instant messaging platform that serves as the main, secure channel for communicating with both victims and affiliates.

The group's public key is also available on RAMP, an underground forum used by ransomware operators and access brokers, for anyone interested in further securing these exchanges. The group's persistent presence on the platform, especially a forum visit traced back to February 24, 2025, indicates a sustained effort to maintain visibility and engagement within this key cybercriminal community. RAMP also serves as a recruitment hub: advertisements displayed there present the DragonForce affiliate network as one of the most reliable networks within the dark web. With support for multiple platforms, including Windows, Linux, and ESXi, the ransomware framework is marketed as a robust system that can deliver consistent payouts while offering extensive back-end support.

The most recent affiliate-related announcements date from January 20th, 2025, while the associated PGP encryption key dates back to September 2024, further demonstrating the organization's systematic approach to security. DragonForce underwent significant internal reforms after a prior operational leak exposed sensitive affiliate-facing URLs that were used for extorting victims. Among these reforms was a new vetting process that requires prospective affiliates to provide verifiable evidence of victim access, such as data volume metrics and file trees, to justify their eligibility.

Essentially, this shift was meant to ensure that only committed and capable individuals could be onboarded, improving the organization's operational security and integrity. Furthermore, DragonForce offers a variety of premium services to vetted affiliates, including call services, which allow direct pressure to be applied to victims, as well as advanced decryption capabilities that can be used on NTLM and Kerberos hashes. Many of these services are especially useful to access brokers navigating post-compromise stages in complex environments like Active Directory.

It is important to remember that DragonForce ransomware is an independent entity and should not be confused with the Malaysian hacktivist group that operates under the same name. The hacktivist group is known for defacing websites and launching DDoS attacks, among other things. While the two organizations share a name, they are completely different in their motivations, structures, and methods, and they are not known to be affiliated with each other.

As speculation continues regarding the nature of a potential alliance between RansomHub and DragonForce, Cyble reports that this latest development closely follows DragonForce's March 18 announcement of a significant expansion of its ransomware-as-a-service (RaaS) operations. As part of this strategic shift, the DragonForce Ransomware Cartel introduced a franchise-style affiliate program under which partners can launch and operate their own ransomware campaigns under the DragonForce Ransomware Cartel umbrella.

Affiliates can take advantage of this model because it allows them to maintain a high degree of operational independence while still being overseen by a central management team. Backend support is provided in a comprehensive way to all participants, including dedicated admin and client panels as well as secure data hosting environments and a resilient, always-on infrastructure that is secured with anti-DDoS mechanisms that keep the system running smoothly. This structure is designed to maintain the group's overarching operational standards as well as balance affiliate autonomy with consistency and control. 

Alongside its structural expansion, DragonForce has also introduced a series of advanced technical upgrades to its ransomware payloads targeting ESXi, NAS, BSD, and Windows platforms. Several sophisticated features have been added, including real-time encryption tracking, detached execution processes, persistent user interface messages to reinforce ransom demands, and better recovery protocols to reduce disruption. The group also developed a two-pass header protection technique, intended to enhance the cryptographic robustness of the encryption engine by using external entropy sources, which is integrated with BearSSL's AES-CTR encryption.

Cyble points out that these technological and infrastructure advances reflect DragonForce's commitment to scaling its operations with a very high level of professionalism. By creating a more refined and affiliate-focused ransomware ecosystem, the group hopes to attract experienced cybercriminals to collaborate with it. During the past year, DragonForce has continued to grow into a more structured and formidable player within the ransomware-as-a-service ecosystem.

Its recent activities also indicate a broader shift in the cybercriminal underground towards increasing sophistication, strategic alliances, and operational maturity. The apparent takeover of, or alignment with, RansomHub, together with the dramatic advancements in infrastructure and technology, highlights the urgent need for cybersecurity stakeholders to reevaluate threat models and strengthen their defensive positions.

The most effective way for organizations, particularly those in critical sectors and high-risk regions, to counter evolving threats is to implement proactive threat intelligence strategies, enforce stringent access controls, and seriously prioritize incident response preparedness. In a digital landscape in which adversaries adopt business-like approaches to cause greater impact, only a cohesive and anticipatory security approach can prove robust in the face of the rising tide of cyber-extortion, which is becoming more organized and sophisticated by the day.

2024’s Most Dangerous Malware: A Wake-Up Call for Cybersecurity

 

OpenText, a leader in cybersecurity insights, has released its eagerly awaited “Nastiest Malware of 2024” list, highlighting some of the most destructive and adaptive cyber threats of the year. The list illustrates how ransomware and other malicious software continue to evolve, particularly regarding their impact on critical infrastructure. As cybercriminals refine their tactics, the need to strengthen cybersecurity measures has become increasingly urgent. Organizations around the globe are projected to boost their cybersecurity spending by 14.3% in 2024, raising total investments to over $215 billion, which reflects the magnitude of the challenges posed by these threats. 

LockBit claimed the title of the most dangerous malware of the year. This ransomware-as-a-service (RaaS) entity has demonstrated its ability to evade law enforcement efforts, including those from the FBI. Its ongoing attacks on critical infrastructure showcase its resilience and technical prowess. According to the FBI, LockBit was responsible for 175 reported attacks on essential systems in 2023 alone. The group’s bold ambition to target one million businesses emphasizes its threat level and solidifies its position in the ransomware landscape. 

Akira, a relatively new player, has rapidly gained infamy for its aggressive tactics. This ransomware has been particularly active in industries such as healthcare, manufacturing, and finance, using advanced encryption methods to cause significant disruption. Its retro-inspired branding contrasts sharply with its destructive potential, making it a popular choice among cybercriminal affiliates. 

Meanwhile, RansomHub, which may have connections to the infamous Black Cat (ALPHV) group, has made headlines with its high-profile attacks, including a daring strike on Planned Parenthood that compromised sensitive patient data. 

Other significant threats include Dark Angels, recognized for its precision-targeted attacks on Fortune 50 companies, and Play Ransomware, which takes advantage of vulnerabilities in FortiOS systems and RDP servers. Redline Stealer, while not technically ransomware, significantly endangers organizations by focusing on stealing credentials and sensitive information. Each of these threats illustrates how cybercriminals are continually pushing the limits, employing advanced tactics to stay ahead of defenses.

Muhi Majzoub, OpenText’s EVP and Chief Product Officer, notes that the increase in ransomware targeting critical infrastructure highlights the growing risks to national security and public safety. At the same time, the heightened emphasis on cybersecurity investments is a positive indication that organizations are recognizing these threats. However, the ability of ransomware groups to adapt remains a significant worry, as these criminals continue to leverage new technologies, including artificial intelligence, to create more sophisticated attacks. 

The findings from this year reveal a harsh truth: while progress in cybersecurity is being made, the rapid pace of innovation in malware development poses an ongoing challenge. As companies enhance their vigilance and dedicate more resources to protect vital systems, the battle against cyber threats is far from finished. The changing nature of these attacks requires ongoing adaptation, collaboration, and investment to protect the essential services that support modern society.

India Faces Rising Ransomware Threat Amid Digital Growth

 


India, with its rapid digital growth and reliance on technology, is on the hit list of cybercriminals. As one of the world's biggest economies, the country presents distinct digital risks that cyber-crooks might exploit through security holes in businesses, institutions, and personal users.

India saw a 51 percent surge in ransomware attacks in 2023, according to the Indian Computer Emergency Response Team (CERT-In). Small and medium-sized businesses have been an especially vulnerable target, with more than 300 small banks forced to close briefly in July after falling prey to a ransomware attack. For millions of Indians using digital banking for daily purchases and payments, such disruptions underscore the need for further improvement in cybersecurity measures. A report from Kaspersky shows that 53% of SMBs operating in India have experienced ransomware incidents so far this year, with more than 559 million cases reported over just two months, April and May.

Cyber thugs are not only locking computers in businesses but also extending their attacks to individuals' personal electronic devices, stealing sensitive and highly confidential information. The well-organised groups behind this wave of attacks include Mallox, RansomHub, LockBit, Kill Security, and ARCrypter. These groups take advantage of weaknesses in Indian infrastructure and focus on ransomware-as-a-service platforms that support Microsoft SQL databases. Recovery costs for affected organisations usually exceeded ₹11 crore and averaged ₹40 crore per incident in India, according to estimates for 2023. The financial sector, in particular the National Payments Corporation of India (NPCI), has been hit hard, making clear the imperative to strengthen India's digital financial framework.

Cyber Defence Through AI

Indian organisations are now employing AI to fortify their digital defences. AI-based tools process enormous volumes of data in real time and report anomalies far faster than any manual system. In sectors from finance to healthcare, high security risks are making AI more integral to cybersecurity strategies. Lenovo's recent AI-enabled security initiatives exemplify how the technology has become mainstream, with 71% of retailers in India adopting or planning to adopt AI-powered security.

As India pushes forward on its digital agenda, the threat of ransomware cannot be taken lightly. Countering it will require close collaboration between government and private entities, investment in AI and cybersecurity education, and the creation of safer digital environments. The government's Cyber Commando initiative promises forward movement, but collective endeavours will be crucial to safeguarding India's burgeoning digital economy.


Kawasaki Ransomware Attack: 500 GB Alleged Data Leaked, RansomHub Claims

In a recent ransomware attack on Kawasaki Motors Europe (KME), the company confirmed that it suffered a breach that caused major service disruptions, while threat actors threatened to leak the data.

“At the start of September, Kawasaki Motors Europe (KME) was the subject of a cyberattack which, although not successful, resulted in the company’s servers being temporarily isolated until a strategic recovery plan was initiated later on the same day,” KME said in a statement.

RansomHub Behind Leak

RansomHub, an infamous Ransomware-as-a-Service (RaaS) group, has leaked 478GB of data after the attack, which the group claims belongs to the KME website. Important business documents were exposed: dealership details, internal communications, banking records, and financial information.

Threat actors posted the exposed data on their extortion site on the dark net, suggesting that KME didn’t agree to pay the ransom demanded by RansomHub.

RansomHub has grown popular since its creation in February 2024 and is now one of the most efficient RaaS groups; it was responsible for 75 ransom attacks in Q2 of 2024. RansomHub’s victims include high-level targets like Planned Parenthood and Change Healthcare.

To warn about the attacks, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory highlighting indicators of compromise (IoC) to help potential targets combat the threat.

Rising Ransom Demands 

With a significant increase in the number of RaaS operations, ransom demands are also rising. A threat actor demands a shocking $1.5 million in return for a victim’s stolen data. In 2023, the figure was a mere $200,000, which shows the dominance of ransomware groups and the harm they cause to an organization.

How to Combat Ransomware Attacks?

Adopting a proactive cybersecurity plan can help a business address future threats and take measures to mitigate risks, reducing the threat of future attacks. 

A strong incident response plan can reduce the impact of a ransomware breach. It should provide a framework for a plan of action in the event of an attack, which can include a data recovery process, legal aspects, and communication protocols.

Human error is one of the leading causes of breaches, but employee training and awareness help staff identify threats and respond accordingly.

Kawasaki Motors Europe Targeted by RansomHub Ransomware Attack

 

Kawasaki Motors Europe has been targeted by a ransomware attack orchestrated by the RansomHub gang, causing significant disruption to its services. The company, responsible for distributing and selling Kawasaki’s motorcycles across Europe, swiftly responded by isolating its servers to contain the threat. IT teams collaborated with external cybersecurity experts to analyze and cleanse systems of any lingering malware. Kawasaki aims to have 90% of its server infrastructure back online shortly, ensuring that business operations, including dealerships and supply chains, remain unaffected. 

The RansomHub group, a rising cybercriminal organization, claimed responsibility for the attack and added Kawasaki to its extortion portal on the dark web. According to the threat group, 487 GB of data was stolen, and they threatened to leak this information if their demands weren’t met. The data theft’s scope, particularly whether it includes sensitive customer details, remains unclear. Despite these developments, Kawasaki has not commented on the situation or responded to inquiries from cybersecurity analysts and reporters. 

RansomHub has gained significant traction in recent months, filling the void left by the now-defunct BlackCat/ALPHV ransomware operation. This has resulted in a surge of attacks against high-profile organizations, with RansomHub’s affiliates targeting critical sectors such as healthcare, retail, and manufacturing. The group’s growing notoriety was highlighted in a joint advisory issued by the FBI, CISA, and the Department of Health and Human Services, which reported over 200 victims of the ransomware group in the U.S. alone since February. The attack on Kawasaki emphasizes the evolving threat posed by ransomware groups and the importance of proactive cybersecurity measures. 

For businesses like Kawasaki, robust security protocols, regular updates, and swift incident response are critical in mitigating the risk of data breaches. The company’s efforts to cleanse infected servers highlight the importance of collaboration between internal IT teams and external cybersecurity experts in recovering from attacks. To protect against future breaches, organizations must invest in advanced threat detection technologies, ensure comprehensive patch management, and prioritize employee cybersecurity training. 

With cybercriminal groups like RansomHub becoming increasingly organized and opportunistic, adopting a layered defense strategy is vital for reducing exposure to such attacks. Kawasaki’s situation serves as a reminder of the growing challenges organizations face in safeguarding sensitive data from evolving cyber threats and the need for constant vigilance in a rapidly changing digital landscape.

RansomHub Ransomware: Exploiting Trusted Tools to Evade Detection

Ransomware groups continue to innovate and adapt their tactics to bypass security measures. One such group, RansomHub, reported by Malwarebytes, has recently garnered attention for its sophisticated approach to disabling Endpoint Detection and Response (EDR) systems. By leveraging Kaspersky’s TDSSKiller, a legitimate rootkit removal tool, RansomHub has managed to execute its malicious payloads undetected, posing a significant threat to organizations worldwide.

The Rise of RansomHub

RansomHub is a relatively new player in the ransomware scene, but it has quickly made a name for itself with its advanced techniques and targeted attacks. Unlike traditional ransomware groups that rely on brute force methods or simple phishing campaigns, RansomHub employs a more nuanced strategy. By using legitimate software tools in unexpected ways, they can evade detection and maximize the impact of their attacks.

The Role of Kaspersky’s TDSSKiller

Kaspersky’s TDSSKiller is a well-known tool in the cybersecurity community, designed to detect and remove rootkits from infected systems. Rootkits are a type of malware that can hide the presence of other malicious software, making them particularly dangerous. TDSSKiller is widely trusted and used by security professionals to clean compromised systems.

However, RansomHub has found a way to exploit this tool for malicious purposes. By incorporating TDSSKiller into their attack chain, they can disable EDR software that would otherwise detect and block their ransomware. This tactic is particularly insidious because it uses a trusted tool to carry out malicious actions, making it harder for security teams to identify and respond to the threat.

The Attack Chain

RansomHub’s attack chain typically begins with a phishing email or a compromised website that delivers the initial payload. Once the ransomware is on the target system, it uses a variety of techniques to escalate privileges and gain control over the machine. This is where TDSSKiller comes into play.

By running TDSSKiller, the ransomware can disable EDR software and other security measures that would normally detect and block the attack. With these defenses out of the way, RansomHub can then proceed to encrypt the victim’s files and demand a ransom for their release. In some cases, they also use a credential-harvesting tool called LaZagne to extract sensitive information, further increasing the pressure on the victim to pay the ransom.

Threats Posed by Tools

The use of legitimate tools like TDSSKiller in ransomware attacks highlights a significant challenge for the cybersecurity community. Traditional security measures are often designed to detect and block known malware and suspicious behavior. However, when attackers use trusted tools unexpectedly, these measures can be less effective.

This tactic also underscores the importance of a multi-layered approach to cybersecurity. Relying solely on EDR software or other endpoint protection measures is no longer sufficient. Organizations must implement a comprehensive security strategy that includes network monitoring, threat intelligence, and user education to detect and respond to these advanced threats.
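One way to turn the chain described above into a detection, as an added example that is not from the original post or from any vendor: it correlates a TDSSKiller run with a security service stopping and LaZagne starting on the same host. The event schema, host names, the `ExampleEdrAgent` service and the 30-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta
from ntpath import basename  # parses Windows paths correctly on any OS

TRUSTED_TOOL = "tdsskiller.exe"
CRED_TOOL = "lazagne.exe"
# Services that should not stop right after a rootkit-remover run.
# "WinDefend" is Microsoft Defender's service; "ExampleEdrAgent" is a placeholder.
SECURITY_SERVICES = {"windefend", "exampleedragent"}

# Constructed sample telemetry (hypothetical schema: process starts carry the
# image path and the PE version-info original file name).
SAMPLE_EVENTS = [
    {"ts": "2024-09-10T02:14:05", "host": "FIN-WS-07", "type": "process_start",
     "image": r"C:\Users\Public\tk.exe", "original_name": "TDSSKiller.exe"},
    {"ts": "2024-09-10T02:14:40", "host": "FIN-WS-07", "type": "service_stop",
     "service": "ExampleEdrAgent"},
    {"ts": "2024-09-10T02:20:10", "host": "FIN-WS-07", "type": "process_start",
     "image": r"C:\Users\Public\LaZagne.exe", "original_name": ""},
    {"ts": "2024-09-10T09:00:00", "host": "IT-ADMIN-02", "type": "process_start",
     "image": r"C:\Tools\TDSSKiller.exe", "original_name": "TDSSKiller.exe"},
    {"ts": "2024-09-10T11:30:00", "host": "IT-ADMIN-02", "type": "service_stop",
     "service": "WinDefend"},  # outside the window, not attributed to the tool
    {"ts": "2024-09-10T14:00:00", "host": "HR-WS-11", "type": "service_stop",
     "service": "WinDefend"},  # no trusted-tool run on this host
]


def _names(event):
    """Image basename and original file name, lowercased, so a renamed copy still matches."""
    return {basename(event.get("image", "")).lower(),
            event.get("original_name", "").lower()}


def correlate(events, window=timedelta(minutes=30)):
    """Return one finding per TDSSKiller run, graded by what followed it on that host."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)

    findings = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if ev["type"] != "process_start" or TRUSTED_TOOL not in _names(ev):
                continue
            start = datetime.fromisoformat(ev["ts"])
            stopped, cred_tool_seen = [], False
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["ts"]) - start > window:
                    break
                if later["type"] == "service_stop":
                    if later["service"].lower() in SECURITY_SERVICES:
                        stopped.append(later["service"])
                elif later["type"] == "process_start" and CRED_TOOL in _names(later):
                    cred_tool_seen = True
            # The tool alone may be legitimate admin use; a security service
            # going down afterwards is not, and credential dumping raises it further.
            if stopped and cred_tool_seen:
                severity = "critical"
            elif stopped:
                severity = "high"
            else:
                severity = "review"
            findings.append({
                "host": host,
                "ts": ev["ts"],
                "severity": severity,
                "renamed": basename(ev["image"]).lower() != TRUSTED_TOOL,
                "stopped_services": stopped,
                "credential_tool": cred_tool_seen,
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Matching on the original file name as well as the image path is what keeps a renamed copy of the tool from slipping past a name-only rule.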

NoName Hackers Use RansomHub in Recent Cyber Campaigns

 


The NoName ransomware group, which has targeted small and medium-sized businesses worldwide for the past three years, has continued to grow by using custom malware and evolving its attack methods. A recently discovered link has led to the conclusion that the group is no longer independent but is now affiliated with RansomHub. This development puts cybersecurity worldwide at risk, especially for small and medium-sized businesses.

RansomHub, an up-and-coming online criminal extortion group, has gained a new affiliate whose main claim to fame so far has been impersonating the LockBit ransomware-as-a-service, which is based out of the Netherlands. It has been well documented that NoName exploits vulnerabilities that date back many years.

Over the last three years, the NoName ransomware gang, also known as CosmicBeetle, has been making waves worldwide by targeting small and medium-sized businesses. Recent observations show that the gang is making use of a new type of malware called RansomHub to carry out its crimes. To gain access to networks, the gang uses a variety of custom tools, including those from the Spacecolon malware family, which it acquired from cybercriminals.

These tools are deployed using brute-force methods and by exploiting known vulnerabilities such as EternalBlue (CVE-2017-0144) and ZeroLogon (CVE-2020-1472). In recent attacks, the NoName gang has been using the ScRansom ransomware to encrypt documents and digital files, replacing the Scarab encryptor that it had previously used. Additionally, the gang has begun experimenting with the leaked LockBit 3.0 ransomware builder, creating a similar data leak site and issuing similar ransom notes based on the design of the released code.

A cybersecurity company called ESET has been tracking the activities of the NoName gang since 2023, which is almost four years ago. Although ScRansom is less sophisticated than other ransomware threats, it still poses a significant threat to the operating system and has been observed to become more sophisticated over time. Several aspects of ScRansom are complex, including AES-CTR-128 encryption and RSA-1024 decryption, which sometimes causes problems when decrypting files. Victims have reportedly received multiple decryption keys but were still unable to recover all of their lost files. ScRansom offers attackers different speed modes for partial encryption, giving them flexibility.

An 'ERASE' mode can also be used to replace the contents of a file with a constant value, ensuring that the contents cannot be recovered. ScRansom can encrypt files across all drives, and the operator can decide which file extensions and which folders to encrypt. ScRansom kills several processes and services on the Windows host before the encryptor fires. These include Windows Defender, the Volume Shadow Copy service, SVCHost, RDPclip, and LSASS, as well as processes related to VMware tools. ScRansom uses several encryption schemes to protect the public key, one of which is AES-CTR-128 combined with RSA-1024 to generate an extra AES key for security reasons.

Errors sometimes occur in this multi-step process and can cause decryption to fail. When the ransomware is executed on the same device a second time, or in a network with multiple systems running different versions of the virus, new sets of unique keys are generated for every victim, making the entire decryption process rather difficult to perform. In addition to the brute-force attacks the NoName gang uses to gain access to networks, it exploits several vulnerabilities that are common in SMB environments. These include CVE-2017-0144 (also known as EternalBlue), CVE-2023-27532 (a vulnerability in Veeam Backup & Replication), CVE-2021-42278 and CVE-2021-42287 (AD privilege escalation vulnerabilities) through noPac, CVE-2022-42475 (a vulnerability in FortiOS SSL-VPN), and CVE-2020-1472 (also known as Zerologon).

ScRansom can encrypt files on all types of drives, including fixed, remote, removable, and cloud storage, and lets the operator customize the list of file extensions to encrypt. When ESET researchers were investigating a ransomware attack that began with a failed ScRansom deployment in early June, they discovered that less than a week later the threat actor executed, on the same machine, an EDR killer tool released by RansomHub.

The EDR killer provides privilege escalation and the ability to disable security agents by deploying legitimate and vulnerable drivers on targeted computers. Two days later, on June 10, the attackers encrypted the compromised computer using the RansomHub ransomware. The researchers noted that the way the EDR killer was extracted was characteristic of CosmicBeetle rather than of RansomHub's affiliates.
 
The researchers noted that the RansomHub code and its builder have not been leaked in the past, so ESET researchers were "pretty confident" that CosmicBeetle had enrolled as a new RansomHub affiliate. Even though ESET does not claim to have any affiliation with RansomHub, they do state that the Ransom Encrypter is being actively developed by their engineers.

Halliburton Hit by Cyberattack, Data Stolen


 

Halliburton, one of the world’s largest energy companies, has confirmed that it was the victim of a cyberattack. Hackers infiltrated the company’s systems and stole sensitive information. The attack occurred last week, and Halliburton is still determining the extent of the data that was taken.

In a recent filing with government regulators, Halliburton acknowledged the breach but has yet to disclose the full details of what was stolen. The company is currently investigating the incident and deciding what legal notifications are required. In response to the attack, Halliburton took certain systems offline as a precaution and is working to restore normal operations, especially for its oil and fracking businesses. 

When approached for additional comments, company spokesperson Amina Rivera declined to elaborate further, stating that Halliburton would not provide more information beyond what was mentioned in its official filing.

Although Halliburton has not officially confirmed it, there are signs that the cyberattack may have been part of a ransomware campaign. TechCrunch obtained a ransom note related to the incident, which claims that hackers encrypted Halliburton’s files and stole sensitive data. A group known as RansomHub is believed to be behind the attack. This gang is notorious for carrying out similar cyberattacks, using stolen data as leverage to demand ransom payments. 

RansomHub typically publishes stolen files on its dark web platform when victims refuse to pay. So far, Halliburton has not been listed as one of RansomHub’s victims, but this could change if negotiations fail. RansomHub has been responsible for over 210 attacks since its rise to prominence earlier this year, and it has targeted other large organisations, including Change Healthcare.

Halliburton, with around 48,000 employees spread across various countries, is a major player in the global energy industry. In the past, the company gained notoriety due to its role in the Deepwater Horizon oil spill disaster in 2010, for which it paid over $1 billion in fines.

The recent cyberattack is expected to have financial repercussions for the company, though the exact costs are yet to be determined. In 2023, Halliburton reported $23 billion in revenue, with CEO Jeff Miller earning $19 million in total compensation. Halliburton has noted that it will continue to bear costs related to the cyberattack as it works on restoring systems and resolving the situation.

As the investigation unfolds, many of Halliburton’s online services remain down, and the company is assessing the full impact of the breach. Halliburton has been tight-lipped about its cybersecurity efforts, declining to provide information on who is currently overseeing its response.

This attack is a reminder of how large corporations remain vulnerable to cyber threats. Halliburton's situation underscores the importance of investing in strong cybersecurity measures to safeguard sensitive data and avoid disruptions in critical operations. The company will likely provide more updates as it works to recover from this breach.


Florida Medical Lab Data Breach Exposes 300,000 Individuals’ Sensitive Information

 

Florida-based medical laboratory American Clinical Solutions (ACS) recently experienced a significant data breach that exposed the sensitive information of approximately 300,000 individuals. The hacking incident, attributed to the criminal group RansomHub, resulted in the theft of 700 gigabytes of data, which has since been published on the dark web. The exposed data includes Social Security numbers, addresses, drug test results, medical records, insurance information, and other highly sensitive personal details.

ACS specializes in patient testing for both prescription and illicit narcotics, offering its services to healthcare providers. On July 24, ACS reported the breach to the U.S. Department of Health and Human Services’ Office for Civil Rights. The stolen data encompasses lab testing results from January 2016 until May 2024, the period during which the hacking incident allegedly occurred. Privacy attorney David Holtzman, from the consulting firm HITprivacy LLC, expressed concerns over the nature of the exposed information, highlighting the potential for reputational harm, financial compromise, and extortion due to the sensitivity of drug testing data. 

Despite the severity of the breach, ACS has not yet issued a public statement about the incident on its website, nor has it responded to requests for further details. This lack of communication has raised concerns among legal and regulatory experts, who warn that failing to alert patients about the breach may compound the potential harm. Holtzman emphasized the importance of transparency in such situations, suggesting that the absence of a breach notification may prompt investigations by HHS or state attorneys general to determine whether ACS has complied with the Health Insurance Portability and Accountability Act (HIPAA) and other relevant state laws. 

The delay in notifying affected individuals may stem from various factors, including the possibility that law enforcement advised ACS to wait or that the total number of impacted individuals has not yet been determined. Regulatory attorney Rachel Rose pointed out that drug testing data, while not subject to the stringent federal 42 CFR Part 2 privacy regulations that govern substance disorder treatment facilities, is still considered highly sensitive. Rose compared the compromised information to reproductive health records, mental health records, and data related to diseases like AIDS. 

RansomHub, the group behind the attack, has rapidly gained notoriety within the cybersecurity community since its emergence in February. The gang has claimed responsibility for several major hacks across the healthcare sector, including a June attack on the drugstore chain Rite Aid, which compromised the data of 2.2 million individuals. Security firm Rapid7 recently identified RansomHub as one of the most notable new ransomware groups, underscoring the growing threat it poses to organizations worldwide.

RansomHub Deploys EDRKillShifter Malware to Disable Endpoint Detection Using BYOVD Attacks

 

Sophos security researchers have identified a new malware, dubbed EDRKillShifter, used by the RansomHub ransomware group to disable Endpoint Detection and Response (EDR) systems in attacks leveraging Bring Your Own Vulnerable Driver (BYOVD) techniques. This method involves deploying a legitimate but vulnerable driver on a target device to gain escalated privileges, disable security measures, and take control of the system. 

The technique has gained popularity among various threat actors, including both financially motivated ransomware groups and state-sponsored hackers. The EDRKillShifter malware was discovered during an investigation of a ransomware incident in May 2024. The attackers tried to use this tool to disable Sophos protection on a targeted computer but were unsuccessful due to the endpoint agent’s CryptoGuard feature, which prevented the ransomware executable from running. Sophos’ investigation revealed two different malware samples, both exploiting vulnerable drivers with proof-of-concept code available on GitHub. These drivers include RentDrv2 and ThreatFireMonitor, the latter being part of an obsolete system-monitoring package. 

The malware’s loader execution process follows a three-step procedure. Initially, the attacker launches the EDRKillShifter binary with a password string to decrypt and execute an embedded resource named BIN in memory. This code then unpacks and executes the final payload, which installs and exploits a vulnerable driver to elevate privileges and disable active EDR processes. Once the driver is loaded, the malware creates a service and enters an endless loop that continuously monitors and terminates processes matching names on a hardcoded target list. Interestingly, the EDRKillShifter variants discovered were compiled on computers with Russian localization, and they exploit legitimate but vulnerable drivers, using modified proof-of-concept exploits found on GitHub. 

Sophos suspects that the attackers adapted portions of these proofs-of-concept and ported the code to the Go programming language. To mitigate such threats, Sophos advises enabling tamper protection in endpoint security products, separating user and admin privileges to prevent the loading of vulnerable drivers, and keeping systems updated. Notably, Microsoft continually de-certifies signed drivers known to have been misused in previous attacks. Last year, Sophos identified another EDR-disabling malware, AuKill, which similarly exploited a vulnerable Process Explorer driver in Medusa Locker and LockBit ransomware attacks.
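
One way to hunt for the behaviour described above, as an added example that is not from Sophos or the original post: correlate a load of one of the drivers named in the article with repeated terminations of the endpoint agent on the same host. The event dictionaries, file names, paths and the `edr_agent.exe` process name are constructed assumptions, simplified from Sysmon driver-load (ID 6) and process-terminate (ID 5) events.

```python
from datetime import datetime, timedelta

# Driver names come from the article; matching on file name is an assumption.
WATCHED_DRIVERS = ("rentdrv2", "threatfiremonitor")
# Placeholder agent name (constructed); use your EDR's real process names.
PROTECTED = {"edr_agent.exe"}
WINDOW = timedelta(minutes=10)
MIN_KILLS = 3  # repeated terminations suggest a kill loop, not one crash

# Constructed events, simplified from Sysmon ID 6 (driver loaded) and
# ID 5 (process terminated). Not real telemetry.
SAMPLE = [
    {"id": 6, "host": "ws01", "ts": "2024-05-01T10:00:00",
     "image": r"C:\Users\a\AppData\Local\Temp\RentDrv2.sys"},
    {"id": 5, "host": "ws01", "ts": "2024-05-01T10:00:05",
     "image": r"C:\Program Files\EDR\edr_agent.exe"},
    {"id": 5, "host": "ws01", "ts": "2024-05-01T10:00:20",
     "image": r"C:\Program Files\EDR\edr_agent.exe"},
    {"id": 5, "host": "ws01", "ts": "2024-05-01T10:00:35",
     "image": r"C:\Program Files\EDR\edr_agent.exe"},
    {"id": 5, "host": "ws02", "ts": "2024-05-01T11:00:00",
     "image": r"C:\Program Files\EDR\edr_agent.exe"},
    {"id": 6, "host": "ws03", "ts": "2024-05-01T12:00:00",
     "image": r"C:\Windows\System32\drivers\ThreatFireMonitor.sys"},
]

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect(events):
    """Return (host, rule, driver) alerts in time order."""
    alerts, state = [], {}  # state: host -> latest watched driver load
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, name = datetime.fromisoformat(ev["ts"]), basename(ev["image"])
        host = ev["host"]
        if ev["id"] == 6 and any(w in name for w in WATCHED_DRIVERS):
            state[host] = {"ts": ts, "driver": name, "kills": 0}
            alerts.append((host, "watched_driver_load", name))
        elif ev["id"] == 5 and name in PROTECTED and host in state:
            st = state[host]
            if ts - st["ts"] <= WINDOW:
                st["kills"] += 1
                if st["kills"] == MIN_KILLS:  # alert once per driver load
                    alerts.append((host, "edr_kill_loop", st["driver"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

A single agent termination with no preceding driver load (host `ws02` in the sample) raises nothing, which keeps ordinary agent restarts out of the alert queue.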

RansomHub and RansomHouse: Unmasking the Culprits Behind Italy’s Attacks


Hackers have claimed responsibility for three major cyberattacks in Italy in the last 24 hours. The RansomHub and RansomHouse gangs allegedly carried out the ransomware assaults in Italy. RansomHub targeted the websites of Cloud Europe and Mangimi Fusco, while RansomHouse claimed responsibility for conducting a cyberattack against Francesco Parisi.

Italy's Ransomware Attacks

Cloud Europe is a Tier IV carrier-neutral data center based in Rome's Tecnopolo Tiburtino. According to the company's website, it specializes in data center architecture and management, focusing on security and service continuity. The company creates, hosts, and operates modular infrastructure for data centers in both the private and public sectors.

The Attacks

1. Cloud Europe: On June 29, 2024, RansomHub claimed responsibility for infiltrating the servers of Cloud Europe, a prominent Tier IV certified data center in Rome. The attackers allegedly encrypted the servers and exfiltrated 70 terabytes of data. Among the stolen information were 541.41 gigabytes of sensitive data, including client records, financial documents, and proprietary software.

2. Mangimi Fusco: The same day, RansomHub targeted Mangimi Fusco, an animal food manufacturer. The group claimed to have stolen 490 gigabytes of confidential data, including client files, budget details, and payroll information. However, as of now, Mangimi Fusco’s website shows no signs of the reported attack, leaving room for skepticism.

3. Francesco Parisi: RansomHouse, another hacking collective, breached the website of Francesco Parisi, a group specializing in freight forwarding and shipping services. The attack occurred on May 29, 2024, and resulted in the theft of 150 gigabytes of company data. Francesco Parisi has acknowledged the breach and is working to restore normalcy while enhancing its cybersecurity defenses.

The Implications

These attacks raise critical questions about the state of cybersecurity readiness among Italian businesses:

  • Vulnerabilities: Despite advancements in security protocols, organizations remain vulnerable to sophisticated attacks. The ability of threat actors to infiltrate well-established data centers and corporate websites highlights the need for continuous vigilance.
  • Data Privacy: The stolen data contains sensitive information that could be exploited for financial gain or used maliciously. Companies must prioritize data privacy and invest in robust encryption, access controls, and incident response plans.
  • Business Continuity: When ransomware strikes, business operations grind to a halt. Cloud Europe’s experience serves as a stark reminder that even data centers, designed to ensure continuity, are not immune. Organizations must have contingency plans to minimize disruptions.

How to Stay Safe?

To safeguard against ransomware and other cyber threats, companies should consider the following strategies:

  • Regular Backups: Frequent backups of critical data are essential. These backups should be stored securely and tested periodically to ensure their integrity.
  • Employee Training: Human error often opens the door to cyberattacks. Regular training sessions can educate employees about phishing emails, suspicious links, and safe online practices.
  • Multi-Factor Authentication (MFA): Implementing MFA adds an extra layer of security, making it harder for unauthorized individuals to gain access.
  • Incident Response Plans: Organizations should develop comprehensive incident response plans that outline steps to take during a breach. Swift action can minimize damage and prevent data loss.