Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Ransomeware. Show all posts

FBI and Allies Dismantle Dispossessor Ransomware Network

 

The FBI announced on Monday that it has taken down the servers and websites used by the Radar/Dispossessor ransomware group. This action was part of a global investigation involving the U.K.'s National Crime Agency, the Bamberg Public Prosecutor's Office, and the Bavarian State Criminal Police Office (BLKA). Law enforcement agencies seized several servers and websites, including three in the U.S., three in the U.K., 18 in Germany, and nine domains, some of which included radar[.]tld, dispossessor[.]com, and cybertube[.]video. These sites were used by the group to carry out their attacks. 

Since August 2023, the Dispossessor group, led by a hacker known as "Brain," has been targeting small to mid-sized businesses around the world. The FBI identified 43 victims across various countries, including the U.S., Argentina, Australia, India, and Germany. 

The ransomware gang gained access to company networks by exploiting security weaknesses like outdated software, weak passwords, and a lack of multi-factor authentication. Once inside, they stole data and then used ransomware to lock the companies out of their own systems by encrypting their files. 
If the companies didn’t contact them, the criminals would reach out to other people in the company to pressure them into paying, sometimes sharing stolen files through fake video platforms. The FBI is urging past victims or those targeted by this group to share any information they have by contacting the Internet Crime Complaint Center or calling 1-800-CALL-FBI. 

When Dispossessor first appeared, they acted as an extortion group, reposting old data stolen during previous ransomware attacks by a group called LockBit. They claimed to be affiliates of LockBit and even tried to sell stolen data on hacking forums. 

As of June 2024, Dispossessor began using a ransomware tool leaked from LockBit 3.0 to carry out their own attacks. In the past year, law enforcement has been actively cracking down on various cybercrimes, including cryptocurrency scams, malware development, phishing attacks, and other ransomware operations. They have also targeted and disrupted other ransomware groups like ALPHV/Blackcat, LockerGoga, MegaCortex, and Hive.

Healthcare in Crosshairs: ALPHV/Blackcat Ransomware Threat Escalates, FBI Issues Warning

 

In a joint advisory, the FBI, CISA, and HHS have issued a stark warning to healthcare organizations in the United States about the heightened risk of targeted ALPHV/Blackcat ransomware attacks. This cautionary announcement follows a series of alerts dating back to April 2022 and underscores the severity of the threat posed by the BlackCat cybercrime gang, suspected to be a rebrand of infamous ransomware groups DarkSide and BlackMatter. 

The advisory highlights that ALPHV Blackcat affiliates have shown a notable focus on the healthcare sector. The FBI, in particular, has linked BlackCat to over 60 breaches within its first four months of activity, accumulating a staggering $300 million in ransoms from over 1,000 victims up until September 2023. Recent developments indicate a shift in BlackCat's targeting strategy, with the healthcare sector becoming a prime victim since mid-December 2023. This shift aligns with an administrator's call for affiliates to target hospitals following operational actions against the group and its infrastructure earlier that month. 

Notably, the warning coincides with a cyberattack on UnitedHealth Group subsidiary Optum, affecting Change Healthcare, a crucial payment exchange platform in the U.S. healthcare system. Although not confirmed, the attack has been linked to the BlackCat ransomware group, and sources suggest the threat actors exploited the ScreenConnect auth bypass vulnerability (CVE-2024-1709) for initial access. 

The joint advisory emphasizes the critical need for healthcare organizations, considered part of the nation's critical infrastructure, to implement robust mitigation measures against Blackcat ransomware and data extortion incidents. Authorities urge these entities to bolster cybersecurity safeguards, specifically tailored to counteract prevalent tactics, techniques, and procedures commonly employed in the Healthcare and Public Health (HPH) sector. This development underscores the evolving nature of cyber threats, especially within the healthcare landscape, and the necessity for proactive measures to safeguard sensitive patient data and critical infrastructure. 

The FBI, CISA, and HHS have shared indicators of compromise to assist organizations in identifying potential threats, emphasizing the importance of collaboration to combat the persistent and evolving threat posed by ransomware groups like BlackCat. As the healthcare sector grapples with escalating cyber risks, the advisory serves as a stark reminder of the urgent need for comprehensive cybersecurity measures, including timely patching of vulnerabilities and robust incident response plans. Organizations are encouraged to stay vigilant, collaborate with cybersecurity agencies, and prioritize the security of their networks and systems to mitigate the impact of ransomware attacks. 

The U.S. State Department's substantial rewards for information leading to the identification or location of BlackCat gang leaders underscore the severity of the threat and the government's commitment to dismantling these cybercriminal operations. In this high-stakes environment, the healthcare industry must remain resilient, continually adapting to emerging threats, and fortifying its defenses against ransomware attacks.

ConnectWise ScreenConnect Vulnerability: Navigating the Breach Risk

 

ConnectWise ScreenConnect, a widely-used remote access software, is facing a critical vulnerability that could expose sensitive data and allow the deployment of malicious code. Described as an authentication bypass flaw, the severity-rated vulnerability poses a significant risk to more than a million small to medium-sized businesses that rely on ConnectWise's remote access technology. 

The flaw was initially reported to ConnectWise on February 13, with the company publicly disclosing details on February 19. The vulnerability enables attackers to bypass authentication, potentially leading to the remote theft of confidential data or the injection of malware into vulnerable servers. While ConnectWise initially stated there was no indication of public exploitation, recent updates confirm compromised accounts and active exploitation. 

ConnectWise has not disclosed the exact number of affected customers, but it has seen "limited reports" of suspected intrusions. Approximately 80% of customer environments are cloud-based and were automatically patched within 48 hours. However, concerns persist, with cybersecurity firm Huntress reporting active exploitation and signs of threat actors moving towards more targeted post-exploitation and persistence mechanisms. 

ConnectWise spokesperson Amanda Lee declined to comment on the number of affected customers but emphasized that there has been no reported data exfiltration. However, the situation is serious, with cybersecurity experts warning of potential widespread ransomware attacks given the extensive reach of ConnectWise's software. Florida-based ConnectWise provides remote access technology to more than a million small to medium-sized businesses. 

The vulnerability, actively exploited by threat actors, poses a significant risk to the security of these businesses. Cybersecurity company Huntress reported early signs of threat actors deploying Cobalt Strike beacons and installing a ScreenConnect client onto affected servers. ConnectWise has released patches for the actively exploited vulnerability and is urging on-premise ScreenConnect users to apply the fix immediately. 

Additionally, the company has addressed another vulnerability affecting its remote desktop software, for which there is no evidence of exploitation. The incident comes in the wake of warnings from U.S. government agencies. These agencies observed a "widespread cyber campaign" involving the malicious use of legitimate remote monitoring and management (RMM) software, including ConnectWise SecureConnect. 

The current vulnerability adds to concerns about the security of remote access solutions, following recent incidents involving AnyDesk, which had to reset passwords and revoke certificates due to evidence of compromised production systems. ConnectWise is actively working to address the vulnerability, but the situation remains critical. 

The potential for a large-scale ransomware free-for-all underscores the importance of swift action and heightened cybersecurity measures to protect businesses from the evolving threat landscape. Businesses relying on remote access solutions must prioritize security to mitigate the risks associated with vulnerabilities in widely-used software platforms.

Exploring the Spike in Data Breaches in 2023

 

In 2023, there has been a significant surge in data breaches, raising concerns globally. The upswing in cyber incidents can be attributed to various factors, reflecting the intricate dynamics of our digital age. 

Firstly, the rapid pace of digital transformation across industries has created an expansive attack surface. The interconnected systems, cloud services, and IoT devices have inadvertently provided cyber criminals with more opportunities to exploit vulnerabilities. 

Coupled with this, the sophistication of cyber threats has increased. Threat actors are now utilizing advanced techniques such as ransomware, zero-day exploits, and social engineering tactics, outpacing traditional cybersecurity measures. 

Many organizations still grapple with inadequate cybersecurity postures. The failure to implement robust security measures, conduct regular updates, and provide comprehensive employee training leaves entities vulnerable to a wide array of cyber attacks. 

The vulnerabilities within supply chains have also become apparent. Cybercriminals often exploit weak links in supply chains, targeting smaller partners or third-party vendors with less stringent cybersecurity measures as gateways to larger targets. 

Insider threats, whether intentional or unintentional, are significant contributors to data breaches. Employees with access to sensitive information may inadvertently compromise data security through human error, or malicious insiders may intentionally exploit their positions for personal gain. 

Despite the growing awareness of cybersecurity threats, some organizations continue to underinvest in cybersecurity measures. Limited budgets, competing priorities, and a lack of cybersecurity awareness at the executive level can result in insufficient resources being allocated to protect against evolving cyber threats. 

Ransomware attacks have become more prevalent and sophisticated. The profitability of ransomware attacks, coupled with the difficulty of tracing cryptocurrency payments, incentivizes cybercriminals to target a wide range of organizations, from small businesses to critical infrastructure. 

Global geopolitical tensions can spill over into cyberspace, leading to an increase in state-sponsored cyber attacks. Nation-state actors may engage in cyber espionage, targeting critical infrastructure, government institutions, or private businesses, contributing to the overall spike in data breaches. 

In some cases, lax regulatory compliance and enforcement contribute to the rise in data breaches. Organizations may neglect to implement necessary security measures or fail to report breaches promptly due to lenient regulatory frameworks. 

The surge in data breaches in 2023 is a complex issue with multiple contributing factors. Addressing this challenge requires a comprehensive and proactive approach to cybersecurity that considers technological, human, and systemic vulnerabilities. As organizations and governments grapple with these multifaceted issues, the need for strengthened cybersecurity measures, improved regulatory frameworks, and heightened global cooperation becomes increasingly evident.

Uncovered: Clop Ransomware's Lengthy Zero-Day Testing on the MOVEit Platform

 


Security experts have uncovered shocking evidence that the notorious Clop ransomware group has been spending extensive amounts of time testing zero-day vulnerabilities on the popular MOVEit platform since 2021, according to recent reports. This study has raised a lot of concerns about cybersecurity systems' vulnerability. For this reason, affected organizations and security agencies have taken urgent action to prevent these vulnerabilities. In light of this discovery, it only highlights the fact that ransomware attacks are becoming increasingly sophisticated. The need for robust defense measures to mitigate various types of cyber threats is critical. 

There is now close work collaboration between authorities and the parties affected by the breach to investigate this incident and develop appropriate countermeasures. 

A recent Clop data theft attack aimed at weak MOVEit Transfer instances was examined, and it was discovered that the technique employed by the group to deploy the recently revealed LemurLoot web shell can be matched with the technique used by the gang to target weak MOVEit Transfer instances. Using logs from some affected clients' networks, they determined which clients were affected. 

As a result of a joint advisory issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) regarding the active exploitation of a recently discovered critical vulnerability in Progress Software's MOVEit Transfer application, ransomware is now being dropped on the internet. 

Kroll researchers performed a forensic review of the exploit carried out by the Clop cybergang in July 2021. They determined that they may have experimented with the now-patched file transfer vulnerability (CVE-2023-34362) that month. 

BBC, British Airways, Boots, a UK drugstore chain and the Halifax provincial government are some of the organizations that have reported that their data was exfiltrated by the group at the end of last month as well as payroll company Zellis. There was a breach of employee data by three organizations, Vodafone, BBC, and Boots, which used Zellis' services to store employee data. 

The Russian-backed Clop organization, also known as Lace Tempest, TA505, and FIN11, has claimed responsibility for attacks that exploited Fortra’s GoAnywhere Managed File Transfer solution by exploiting a zero-day vulnerability. Over 130 organizations have been targeted and over one million patients' data has been compromised as a result. 

It has been reported that the MOVEit Transfer SQL injection vulnerability exploit on Wednesday was similar to a 2020-21 campaign in which the group installed a DEWMODE web shell on Accellion FTA servers in a joint advisory issued by the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency. 

It has also been discovered that threat actors were testing methods for gathering and extracting sensitive data from compromised MOVEit Transfer servers as far back as April of 2022. These methods were probably using automated tools and these methods may have been used to gain access to servers. 

It is possible that actors tested access to organizations using automated means and pulled back information from MOVEit Transfer servers. This was in the weeks leading up to last month's attacks. This is in addition to the 2022 activity. They also did this to determine which organizations they were accessing using information obtained from the MOVEit Transfer servers. 

During the malicious activity, it appeared that specific MOVEit Transfer users' Organization IDs ("Org IDs") were being exfiltrated, which in turn would have allowed Clop to determine which organizations to access. 

It has been reported on Clop's website that it has claimed responsibility for the MOVEit attacks and that victims are invited to contact it until July 14 if they do not wish that their names be posted on the site. Because a ransom deal would not guarantee that the stolen data would remain secure, the company has offered examples of data that has been exfiltrated and data that has been publicly published as part of an unresolvable ransom deal. 

In a LinkedIn post, Charles Carmakal, CEO of Mandiant Consulting, expressed surprise at the number of victims MOVEit has provided. Carmakal characterized MOVEit as "overwhelming.".

Dish Network Blames Ransomware for Ongoing Outage

Dish, a satellite television provider in the United States, has confirmed that a ransomware attack is responsible for an ongoing service outage. The company also warned that the malicious actors have also exfiltrated data from its systems during the breach. 

The outage, which has persisted for several days and was initially attributed to "internal systems issues," affects Dish's primary website, mobile applications, customer support systems, as well as the firm's Sling TV streaming and wireless services. 

The threat actors behind the breach compromised the company’s internal systems. “It is possible the investigation will reveal that the extracted data includes personal information,” Dish says. 

In a public filing released on Tuesday, the company acknowledged that the cause of the outage was a cybersecurity incident. The company has informed law enforcement authorities about the situation. 

However, as of now, the company reported that the effects of the attack continue to disrupt its “internal communications, customer call centers, and internet sites.” 

Additionally, the company has provided some details on how they are managing the situation. They are working to manage and contain the effects of the attack, assess the extent of the damage, and address any issues caused by the attack.

The company is also worried about the attack's potential impact on its employees, customers, business, financials, and operations. Following the matter, the company further reported that the threat actors have stolen some data from their computer systems, which could include personal credentials. 

Presently, it remains uncertain whether this data belongs to Dish's customers, employees, or both, and the extent of the data theft is also unknown. Dish has a big network, it serves 10 million customers through its satellite TV, streaming, and other services. 

The company on its website reported that “as a result of this incident, many of our customers are having trouble reaching our service desks, accessing their accounts, and making payments we’re making progress on the customer service front every day, including ramping up our call capacity, but it will take a little time before things are fully restored." 

The company stated that they are still evaluating the damage caused by the cyber-attack. However, their services, including Dish, Sling, and wireless and data networks, are running without issues.

Finland’s Most-Wanted Hacker Nabbed in France

Julius “Zeekill” Kivimäki, a 25-year-old Finnish man who has been apprehended on Friday by French police is suspected of breaching the patient records of more than 33,000 psychotherapy clients and leaking therapy notes for more than 22,000 patients online in Finland. 

Zeekill convicted of committing tens of thousands of cybercrime is a well-known cyber-criminal  According to Finland's National Bureau of Investigation, he had been running from police since October 2022, when he failed to show up in court and Finland issued an international arrest warrant for him.  

According to the officials, in late October 2022, Kivimäki was charged and arrested in absentia for attempting to extort money from the Vastaamo Psychotherapy Center. The NBI announced in November that the Helsinki District Court remanded Kivimäki in absentia last October and he was also added to Europol's "most wanted" list.  

However, he denied being involved in Vastaamo's data breach. Additionally, the National Bureau of Investigation (NBI) said that the Finnish officials are working and investigating closely with their French counterparts about Kivimäki's extradition.  

Vastaamo was the major data breach in November 2018 and March 2019, in which the sensitive credentials of around 30,000 patients were compromised, and then money was extorted from the victim organizations as well as its clients. 

However, when the Vastaamo refused to pay ransom money, then the threat actor started sending threatening emails to targeted individuals to publish their therapy notes unless a ransom worth 500 euros was paid. Nevertheless, the hacker got little success in its mission. 

“Among those who grabbed a copy of the database was Antti Kurittu, a team lead at Nixu Corporation and a former criminal investigator. In 2013, Kurittu worked on an investigation involving Kivimäki’s use of the Zbot botnet, among other activities Kivimäki engaged in as a member of the hacker group Hack the Planet (HTP)...,” Kurittu said. “…It was a huge opsec [operational security] fail, because they had a lot of stuff in there — including the user’s private SSH folder and a lot of known hosts that we could take a very good look at declining to discuss specifics of the evidence investigators seized. There were also other projects and databases.” 

MegaCortex Rasomware Attack: Victims Can Now Restore Stolen Files For Free


Cybersecurity company, Bitdefender, has launched a new tool that would help victims of MegaCortex ransomware unlock their files, offering a sigh of relief to those whose files had been locked for years following the cyberattack.  

MegaCortex Ransomware

The MegaCortex ransomware first came to light in January 2019. It included many interesting characteristics, such as utilizing signed executables as a part of the payload, and the malware's developer was additionally offered security consulting services. 

The ransomware used both automated and manual components in order to attack as many targeted victims as possible. 

Moreover, MegaCortex ransomware may be employing networks that have already been infiltrated in an initial attack using Emotet and Qakbot malware to target businesses rather than individual consumers. 

According to The Malware Wiki, MegaCortex used AES encryption to encrypt user files. The only way to regain access to protected data is through a private key, which victims would need to buy from the hackers, according to a readme file that came with infections. 

The MegaCortex ransomware attack was capable of information theft, file encryption as well disabling usage capability. According to an estimate by TechCrunch, MegaCortex may have infected as many as 1,800 companies around the globe, including a number of “high profile” targets. Although it has been indicated that the figure is likely to be far higher. 

Later, in October 2021, law enforcement detained 12 suspected of being involved in more than 1,800 ransomware assaults in 71 different nations. Police reportedly spent months searching through the data gathered during the arrests, according to TechCrunch. In the end, they discovered individual decryption keys that were utilised to produce and disseminate a program in September of last year to decode files encrypted by the LockerGoga ransomware. 

Free Decryptor Built by Bitdefender 

The free decryptor is being deployed by Bitdefender and the EU’s initiative ‘No More Ransom’ in cooperation with the Zürich Cantonal Police, the Zürich Public Prosecutor’s Office, and Europol. 

The authorities announced in September that 12 culprits have been detained in connection with the Dharma, LockerGoga, and MegaCortex ransomware families. 

The arrests at the time, according to a statement from Zürich's prosecutor, enabled investigators to collect numerous private keys used by the ransomware gang, which would allow victims to restore data that had been previously encrypted using the LockerGaga or MegaCortex virus. A decryptor for LockerGoga was made available by BitDefender last year. 

The cybersecurity company has recently confirmed that the free MegaCortex decryptor is now being made available. The tool will work to unlock files that were encrypted by MegaCortex ransomware and all its variants. It is available to download from Bitdefender and through No More Ransom’s decryption tools portal, which is, in fact, home to 136 other free tools for 165 ransomware variants such as Babuk, DarkSide, Gandcrab, and REvil.  

JSWorm: A Notorious Ransomware

 

The ransomware threat environment has been shifting over the last few years. Following the major ransomware outbreaks of 2017, such as WannaCry, NotPetya, and Bad Rabbit, many ransomware actors have switched to the covert yet the lucrative strategy of "big-game hunting." The news of ransomware triggering a service interruption at a multinational enterprise has become commonplace. 

Since the discovery of JSWorm ransomware in 2019, numerous variants have gained popularity under various names such as Nemty, Nefilim, Offwhite, and others. As part of each “rebranded” edition, several versions were released that changed various aspects of the code, renamed file extensions, cryptographic schemes, and encryption keys. 

JSWorm is a ransomware variant of the GusCrypter malware family. Its purpose is to extort money from victims by encrypting all personal data and requesting a ransom for the decryption key. It's a member of the GusCrypter clan. JSWorm is typically transmitted via spam email attachments. 

The malware also leaves a ransom note, JSWORM-DECRYPT.html, instructing victims to contact criminals via the NIGER1253@COCK.LI email address if they want their data back. Since JSWorm belongs to a well-known ransomware family, it's possible that the encryption will be permanent. 

Although JSWorm ransomware does not encrypt system files, it does modify your system in other ways. As a result of the altered Windows Registry values, ransomware is launched every time the user restarts the device. These modifications, however, are made after the encryption and ransom demand have been completed. 

JSWorm was available as a public RaaS from its inception in 2019 until the first half of 2020, and it was observed spreading through the RIG exploit kit, the Trik botnet, fake payment websites, and spam campaigns. The public RaaS was closed in the first half of 2020, and the operators turned to big-game hunting. An initial intrusion was discovered thanks to the use of weak server-side applications (Citrix ADC) and insecure RDP access. 

The files are encrypted with a 256-bit key using a custom modification of the Blowfish cypher. The key is generated by concatenating the strings user name, system MAC address, and volume serial number at the start of the programme execution. The content of each of the victim's files is encrypted using a custom version of Blowfish. The encryption is limited to 100,000 bytes, most likely to speed up the encryption of large files. The initial data is overwritten by the encrypted data.

Resurgence in Ransomware Being Driven By a Surge of New Malware Families


A US based cyber security firm through its most recent threat report observed a 118% increase in new Ransomware strains basically in the first quarter of 2019 as compared with the last of 2018. It believes that the resurgence in ransomware is being driven by a flood of new malware families that are regularly more focused on.

The firm discovered that attackers were targeting the governments and organizations which were followed by companies in the financial, chemical, defence and education sectors. Their information corresponded with an ever expanding number of ransomware attacks standing out as truly newsworthy, especially US governments and urban communities, very much like the Texas Ransomware attack.

This new spate of ransomware attacks is said to have been a move away from 'spray and pray' ransomware strategies, in such targeted attacks, spear phishing – sending vindictive emails from an "apparently trusted person"  – is progressively being utilized to gain initial access 68% of the time.

Attackers are likewise said to have been utilizing unknown email services to oversee the ransomware crusades. The most widely recognized groups of ransomware during this period are known to be Dharma (otherwise called Crysis), GrandCrab and Ryuk.

In any case, McAfee, made some amazing disclosures also, first the cyber security firm found that culprits are turning to various attack approaches with regards to coin mining malware, like the CookieMiner malware focusing on Apple users.

Furthermore, also, it found an average of 504 'new threats per minute' in the first quarter of 2019 and noticed that more than 2.2 billion stolen account credentials were made accessible on the cybercriminal underground during the same period.

Its discoveries depend on the information accumulated from its Global Threat Intelligence cloud,, which comprises of over a billion sensors checking for different sorts of cyber dangers around the globe.

Raj Samani, McAfee fellow and chief scientist, stresses on the fact that the impact of these threats is very real and added further that “It’s important to recognise that the numbers, highlighting increases or decreases of certain types of attacks, only tell a fraction of the story. Every infection is another business dealing with outages, or a consumer-facing major fraud. And we must not forget that for every cyber-attack, there is a human cost.”

Attackers demand $2.5 million for Texas Ransomeware




The cybercriminals who attacked multiple Texas local governments with file-encrypting malware via compromising service provider's network.

The attackers demanded a ransom of $2.5 million for decrypting the entire local government files, the mayor of a municipality says.

The Department of Information Resources (DIR) has announced that a total of 22 victims has been established, while all of them were attacked by a single party.

However, the names of all the victim municipalities have not been disclosed, whereas two municipalities have announced the hit publicly.

In a statement released by the city of Borger, "Based on the current state of the forensic investigation, it appears that no customer credit card or other personal information on the City of Borger’s systems have been compromised in this attack. No further information about the origins of the attack will be released until the completion of the investigation,"

Keene is another city affected by this ransomware attack. Both of the administration right now can not process card payments or utility disconnections.

The city will inform its citizen as soon as they restart business and financial services, press release. 

New MegaCortex ransomware targeting corporate networks

A new strain of ransomware called MegaCortex has been found targeting attacks against entities in the US, Canada, France, Netherlands, Ireland, and Italy. The ransomware uses both automated as well as manual components in an effort to infect as many victims as possible. It uses a complicated chain of events with some infections beginning with stolen credentials for domain controllers inside target networks.

The ransomware was reported by UK cyber-security firm Sophos after it detected a spike in ransomware attacks at the end of last week.

According to security researchers at Sophos, the cybercriminals operating the ransomware appear to be fans of the movie Matrix, as the ransom note “reads like it was written in the voice and cadence of Lawrence Fishburne’s character, Morpheus.”

The ransomware first began popping up in January. The ransomware has a few interesting attributes, including its use of a signed executable as part of the payload, and an offer of security consulting services from the malware author. Researchers said the ransomware often is present on networks that already are infected with the Emotet and Qakbot malware, but are not sure whether those tools are part of the delivery chain for MegaCortex.

Sophos said the ransomware appears to have been designed to target large enterprise networks as part of carefully planned targeted intrusions --in a tactic that is known as "big-game hunting."

“The malware also employs the use of a long batch file to terminate running programs and kill a large number of services, many of which appear to be related to security or protection, which is becoming a common theme among current-generation ransomware families,” Sophos researcher Andrew Brandt said in a report.

Ransomware, for the most part, targets individuals rather than enterprise networks. That has mainly to do with individuals being relatively easier targets than corporate machines, but some attackers have begun to move up the food chain. Corporate ransomware infections can be much more profitable and efficient, with larger payouts for criminals who can compromise an organization rather than dozens or hundreds of individual victims. MegaCortex seems to be part of that trend, targeting enterprises with a mix of techniques.

London hackers may be behind ransomware attack on Lucknow hotel

In a first-of-its-kind ransomware attack in Lucknow, cybercriminals breached and blocked the computer system of The Piccadily, a five-star hotel in the capital of Uttar Pradesh, and demanded a ransom to allow data access. Ransomware is a malware unleashed into the system by a hacker that blocks access to owners till ransom is paid.

The hotel management lodged an FIR with the cyber cell of police and also roped in private cyber detectives to probe the crime and suggest a remedy.

The hotel’s finance controller in Alambagh, Jitendra Kumar Singh, lodged an FIR on March 9, stating the staff at the hotel was unable to access the computer system on February 27 around 11:45 pm when they were updating monthly business data. This was followed by screen pop-ups which read — Oops, your important files are encrypted. The staff initially ignored the pop-ups and rebooted the system following which it crashed. Later, the hotel management engaged a software engineer to track down the malfunction after which it came to light the system has been hit by ransomware.

Nodal officer of the cyber cell deputy superintendent of police (DySP) Abhay Mishra said the case happens to be first of its kind of ransomware attack in the city. The demand for ransom in such cases are also made through ‘Bitcoin’, he said. “They are investigating into the matter, but are yet to make any breakthrough,” Singh told TOI. The staff initially ignored the pop-ups and rebooted the system following which it crashed.

The cyber cell of Lucknow police believes the ransomware attack could have been made from London. Sleuths of the cyber cell made these claims after authorities of the Piccadily said they had been getting frequent phone calls from London-based number after the attack.

Singh said, “We received for calls from the same number a day after the attack. The callers inquired about the ransomware attack and asked about the progress in the case. Later, they also agreed to offer assistance.”

Cybercriminals disturbing air traffic




Travelling via air has always been the most preferred and fastest option available to us at any given time but have we ever given a thought whether it is the safest in every context technical and cyber?

Never mind the technical mishaps that happen when least expected the accidents that occur are rare but shocking and terrible but are we aware of the dangers related to flying in the light of cyber security?

As we probably are aware, cybercriminals are driven for the most part by their thirst for money and power—and disturbing the air traffic and airport regulation helps they satisfy it. While the dominant part of these cyber security occurrences result in data breaks, but: Attacks on this imperative framework could prompt significantly more inauspicious outcomes.

Associations like the ATO and EUROCONTROL deal with the air traffic across continents, connecting with business and military bodies to control the coordination and planning of air traffic in their assigned region. These associations work firmly together, as there are numerous intercontinental flights that move across from one area then onto the next they respond quite rapidly to such episodes.
These Aviation control organisations require immaculate correspondence to work legitimately, as they are essential to keeping up the normal stream of air traffic. 

Along these lines, their related frameworks are intensely computerized which makes them the primary targets for the said cyber-attacks.

However apart from Air Traffic there are a lot more factors as well that have a specific negative effect on the transportation service. Some of the major ones being terrorist attacks, ransomeware attacks, targeted cyber-attacks in addition to the budget concerns.

Terrorists have hijacked Aircrafts before, the most known incident being 9/11, where the terrorists infiltrated onto four different air crafts, disabled the pilots. Anyway these physical, in-person hijacks are the reason behind the broad safety measures that we all experience at each major air terminal.

Despite the fact that these hijackers don't need to be physically present to cause such immense harm. As exhibited before, air crafts can be hacked remotely and malware can contaminate computer frameworks in the air crafts as well.

What's more, similar to some other industry, we likewise find numerous ransomware victims in the avionics and air traffic sector. The most popular one being air and express freight carrier FedEx that surprisingly has been a ransomeware victim twice: once through their TNT division hit by NotPetya, and once in their own conveyance unit by WannaCry.

When turning towards targeted cyberattacks the most fitting precedent is that of the IT system of Boryspil International Airport, situated in the Ukraine, which purportedly incorporated the airport's air traffic regulation system. Because of rough relations among Ukraine and Russia, attribution immediately swerved to BlackEnergy, a Russian APT group considered responsible of numerous cyberattacks on the country.

Lastly, "Where budgets are concerned, cybersecurity is treated reactively instead of proactively.
In 2017, the Air Traffic Control Aviation (ATCA) published a white paper issuing this warning as in a 2016 report by the Ponemon Institute discovered that the associations did not budget for the technical, administrative, testing, and review activities that are important to appropriately operate a  secure framework.

Bearing these factors in mind while the physical security on airports have been increased fundamentally, it appears that the cyber security of this essential framework still needs a considerable amount of work and attention, particularly remembering the sheer number of cyber-attacks on the industry that have occurred over the most recent couple of years.

The excrement will undoubtedly hit the propeller if the air traffic and cargo enterprises yet again fail to incorporate cybersecurity in their financial plan and structure propositions for the coming year.

Malware Stealing Credentials via Office Documents



Recently the threat actors in charge of the AZORult malware released a refreshed variant with upgrades on both the stealer and the downloader functionalities. This was altogether done within a day after the new version had released a dark web user AZORult in a large Email campaign to circulate the Hermes ransomware.

The new campaign with the updated adaptation of AZORult is in charge of conveying thousands of messages focusing on North America with subjects, such as, "About a role" or "Job Application" and even contains the weaponized office document "firstname.surname_resume.doc” attached to it.




Researchers said, “The recent update to AZORult includes substantial upgrades to malware that was already well-established in both the email and web-based threat landscapes.”

Attackers have made use of the password-protected documents keeping in mind the end goal to avoid the antivirus detections. Once the client enters the password for documents, it requests to enable macros which thusly download the AZORult, and at that point it connects with the C&C server from the already infected machine and the C&C server responds with the XOR-encoded 3-byte key. 

Finally after exfiltrating stolen credentials from the infected machine, it additionally downloads the Hermes 2.1 ransomware.

Security analysts from Proofpoint even recognized the new version (3.2) of AZORult malware publicized in the underground forum with full changelog.

UPD v3.2
[+] Added stealing of history from browsers (except IE and Edge)
[+] Added support for cryptocurrency wallets: Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC
[+] Improved loader. Now supports unlimited links. In the admin panel, you can specify the rules for how the loader works. For example: if there are cookies or saved passwords from mysite.com, then download and run the file link[.]Com/soft.exe. Also, there is a rule “If there is data from cryptocurrency wallets” or “for all”
[+] Stealer can now use system proxies. If a proxy is installed on the system, but there is no connection through it, the stealer will try to connect directly (just in case)
[+] Reduced the load in the admin panel.
[+] Added to the admin panel a button for removing “dummies”, i.e. reports without useful information
[+] Added to the admin panel guest statistics
[+] Added to the admin panel a geobase

As indicated by the scientists, the malware campaign contains both the password stealer as well as the ransomware, which is astounding on the grounds that it is not so common to see both. Therefore, before causing a ransomware attack, the stealer would check for cryptocurrency wallets and steal the accreditations before the files are encrypted.

An Experimental Form of Android Malware Delivers a Banking Trojan, a Keylogger and Ransomware




An experimental form of Android malware, which was first considered to be an updated version of Lokibot, is known to convey a banking Trojan, a keylogger and ransomware to those most likely to succumb to it.

It is said to contain a couple of new features that the specialists are naming it as a yet another type of malware - MysteryBot.

The MysteryBot and the LokiBot are referred to share the same command as well as the control server which in this way shows an already established strong link between these two types of malware, with the potential that they've been produced by the same attacker.

"The enhanced overlay attacks also running on the latest Android versions combined with advanced keylogging and the potential under-development features will allow MysteryBot to harvest a broad set of personal identifiable information in order to perform fraud," wrote researchers.

While the MysteryBot is well equipped for performing various pernicious exercises, like making a phone call, stealing contact information, forwarding the incoming calls to another device, setting the keylogger, it is also capable of encoding the files possessed by the device and erases all contact information on the device.

It has the ability to effectively target Android versions 7 and 8 utilizing overlay screens intended to look like genuine bank websites, while numerous other Android malware families are focusing on attacking the older variants of the Google operating system.

Is additionally said to use a somewhat complex keylogging functionality that was never known and it supposedly employees two other banking Trojan's keylogging Module (CryEye and Anubis) to abuse the Android Accessibility service.

Be that as it may, notwithstanding a portion of the abilities of MysteryBot presently being underdeveloped, the malware is as yet a potential danger.


MysteryBot isn't at present widespread and is still being worked on, however it is recommended that the users ought to be careful about any applications they download which requests an over the top number of authorizations.

Ransomware Attack from Russian IP’s jeopardizes the Victims and Locks Their PC’s



A Newfound Ransomware by the name of Sigma is known to be spreading from Russia-based IP's with the assortment of social engineering procedures in order to jeopardize the victims and lock the contagion computer.

User's that were targeted on through the malignant SPAM Messages that contained a proclamation originated from the "United States District Court" with a pernicious attachment.


Presently the attackers utilizing the Email scam so as to make sure that the targeted victims perform the diverse malicious activities all the while manipulating the user by some emergency strings of dread and giving rise to the victim’s inquisitiveness.The Sigma Ransomware Attack directed from around 32 Russian based IP's and the attacker enlisted in the particular domain which is specifically utilized to perform different attacks.

The creators of the Malware utilized more obfuscation works by asking for the password to open the file and avoid the discovery.At first, the malignant documents required a password to open since it tricks the user to download the attachment that ought to be protected since the mail is originated from the court.

In the event that it finds that the Macros are turned off on the victim's machine then it further convinces the users to turn it on which contains malevolent VBScript.

Then, the VBScript will download the first Sigma Ransomware payload from the attack summon, control server and save it in the %TEMP% folder.Downloaded malware emulates as a legit svchost.exe process which assists in downloading an additional malware.

The Malware utilized a variety of obscurity strategy to conceal it and sidestep the discovery and it revokes itself on the off chance that it finds any virtual machine or sandboxes present.

 "Looking with malware so complex on the sides, social engineering traps and technical design is a challenge hard even for even security-mindful users," says Fatih Orhan, the Head of Comodo Threat Research Labs.

As indicated by the Comodo Research, uncommon to a portion of its ransomware relatives, Sigma does not act promptly but rather sneaks and makes secretive observations first. It makes a rundown of important documents, checks them and sends this incentive to its C&C server alongside other data 
about the victim's machine.

Likewise if the sigma Ransomware finds no files then it erases itself and it stops the infection in the event that it finds the country location of Russian Alliance or Ukraine. Later it associates with its order and control servers and builds up the Tor Connection and Sigma Ransomware begins to encode documents on the machine.

After the complete encryption, it will show the ransom notes of that contains the definite and detailed data of the attack and the request of the attack to the victims   to get in touch with them by means of sigmacs@protonmail.com and furthermore mentioning the infection ID.

Additionally, the attack demands the payoff sum through bitcoin and the cost will be settled in view of how instantly the victims contact to the attack.