Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Ransomware Groups. Show all posts

Hackers Threaten to Leak South Africa’s Private Financial Data, Demand R1.1 Billion Ransom


In a recent cyber threat, hackers have threatened to release all of South Africa’s private financial data unless TransUnion and Experian, the two biggest consumer credit reporting companies in the country, agree to pay ransom of R1.1 billion.  

The companies – TransUnion and Experian – were the ones that were hit by the cybercrime attack. 

According to Times Live, the hackers, the Brazil-based N4ughtySecTU Group, who had previously breached TransUnion's security and firewalls, claimed to have successfully evaded the safeguards of the company once again, following which they stole the data.  

Apparently, the hackers have demanded $30m [about R565m] from TransUnion and $30m from Experian.

The hackers, in a message sent to the managers and directors of the impacted companies, stated: “Ensure your response teams contact us on Session [a private communication platform] for payment instructions.”

While acknowledging the demands, TransUnion and Experian refuted the group's allegations of an ongoing hack on their systems.

“Following recent media coverage, TransUnion South Africa confirms it is aware of a financial demand from a threat actor asserting they have accessed TransUnion South Africa’s data. We have found no evidence that our systems have been inappropriately accessed or that any data has been exfiltrated,” TransUnion said.

“We’ve likewise seen no change to our operations and systems in South Africa related in any way to this claim. We are continuing to monitor closely. We treat matters regarding our information security seriously, and data security remains our top priority,” they continued. 

Not the First Attempt to Hack

Previously, in March 2022, N4ughtysecTU claimed responsibility for targeting TransUnion in their ransomware campaign. 

TransUnion South Africa later confirmed the hack, confirming that at least 3 million individuals were affected.  

Apparently, the threat actors gained access to the personal data of over 54 million people, which included information about their dates of birth, ID numbers, gender, marital status, and other sensitive facts. 

Experian also suffered a data breach in August 2020, reported by the South African Banking Risk Centre (SABRIC). The data breach compromised the personal information of around 24 million individuals and several business entities to a fraudster. 

Karabo Phungula, an Experian data fraudster, was given a 15-year prison sentence in March by the Specialized Commercial Crimes Court for obtaining the dataset under false pretence.   

Ransomware Groups are Using PR Charm Tactic to Put Pressure on Victims to Pay Ransom


Recently, ransomware groups have been increasingly adopting newer tactics, one of them being the transparent, quasi-corporate strategy with the media, with the benefits of building pressure on the victims to pay ransom. 

According to a report, released this week by Sophos X-Ops, ransomware groups like Royal, the Play and RansomHouse were seen engaging with journalists. This partnership is dubious, however advantageous to both the parties: hackers expose their victims or, in some high-profile cases, amend the record, while reporters receive scoops directly from primary (but untrustworthy) sources.

According to Christopher Budd, director of threat intelligence for Sophos X-Ops, "This shows that they're true hackers[…]Now they're trying to hack the information sphere, as well as the technical sphere."

Cybercriminals in Corporate Clothing

These days, ransomware organizations provide channels for direct connection that are not limited to victims. In addition to the typical "Contact Us" forms and PR-focused Telegram channels, useful resources and FAQs are available to support them.

The ultimate idea is: that by broadcasting their deeds in the news, these threat actors put public pressure on the victims, further pressurizing their suppliers, customers, etc. 

The threat actors often imply this idea in ransom notes. For example, Sophos recently analyzed a ransom note published by the Royal ransomware group, stating how "anyone on the internet from darknet criminals ... journalists ... and even your employees will be able to see your internal documentation" if the ransom deadline was not achieved. 

Attackers Playing Analysts

However, not all ransomware groups are joining hands with the media with the same humour. Groups like Clop ransomware and LockBit interacted more antagonistically with the outside world.

And while it appears petty or posturing at times, these conflicts are occasionally handled professionally.

For instance, in response to initial reports containing purportedly incorrect information about the MGM attack, ALPHV published a 1,300-word statement. 

Budd says, "In trying to assert their authority and take their claim, they actually published what amounts to threat research — the type of stuff that security companies do. And they provided some fairly objective, detailed technical explanation about the actions they had taken."

He notes that the ALPHV statement felt like something a security firm would publish. He observed that ransomware groups are “consciously adopting some of the principles” that security companies use daily.

US Health Dept Urges Hospitals to Patch Critical ‘Citrix Bleed’ Vulnerability


This week, the US Department of Health and Human Services (HSS) has warned hospitals of the critical ‘Citrix Bleed’ Netscaler vulnerability that has been exploited by threat actors in cyberattacks.

On Thursday, the department’s security team, Health Sector Cybersecurity Coordination Center (HC3), issued an alert where it urged all U.S. healthcare businesses to protect their NetScaler ADC and NetScaler Gateway equipment from ransomware gang invasions.

"The Citrix Bleed vulnerability is being actively exploited, and HC3 strongly urges organizations to upgrade to prevent further damage against the Healthcare and Public Health (HPH) sector. This alert contains information on attack detection and mitigation of the vulnerability,” the alert read.

"HC3 strongly encourages users and administrators to review these recommended actions and upgrade their devices to prevent serious damage to the HPH sector."

Prior to the aforementioned warning, Citrix had already issued two warnings urging admins to patch their appliances in priority. It also urged administrators to terminate all open and persistent sessions. Moreover, in order to stop hackers from obtaining authentication tokens even after the security upgrades have as well been installed.

Thousands of Servers Exposed, Many Already Breached

Cybersecurity professional Kevin Beaumont has been monitoring and analyzing cyberattacks against a variety of targets throughout the globe, such as Boeing, DP World, Allen & Overy, and the Industrial and Commercial Bank of China (ICBC), and he discovered that these targets were probably all compromised through the use of Citrix Bleed exploits. 

On Friday, Beaumont revealed that the U.S.-based managed service provider (MSP) experienced a ransomware attack by a threat group, that has exploited a Citrix Bleed vulnerability a week earlier. 

The MSP continues to work on securing its susceptible Netscaler appliances, which may leave its clients' networks and data open to additional intrusions.

The vulnerability was fixed by Citrix in early October, but Mandiant subsequently discovered that it has been actively exploited as a zero-day since at least late August of 2023. 

AssetNote, an external attack surface management company, on October 25, released a CVE-2023-4966 proof-of-concept exploit explaining how session tokens can be accessed by cybercriminals from Citrix appliances that has not been patched. 

According to Japan-based threat researcher Yukata Sejiyama, over 10,000 Citrix servers – many of which belonged to some important organizations globally – were still susceptible to Citrix Bleed attacks more than a month after the critical flaw was patched.

"This urgent warning by HC3 signifies the seriousness to the Citrix Bleed vulnerability and the urgent need to deploy the existing Citrix patches and upgrades to secure our systems," said John Riggi, a cybersecurity and risk advisor for the American Hospital Association, a healthcare industry trade group that represents 5,000 hospitals and healthcare providers across the U.S.

According to Riggi, this case also highlights the ferocity with which ‘foreign ransomware gangs,’ (majorly the Russian-speaking groups), continue to attack medical facilities and other healthcare institutions. Ransomware attacks interrupt and delay health care delivery, placing patient lives in danger.  

RWVP: CISA Shares Vulnerabilities and Misconfigurations Targeted by Ransomware Groups


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently revealed an insight into the misconfigurations and security vulnerabilities exploited by ransomware groups, in order to help critical infrastructure companies tackle their attacks. 

This information is part of a Ransomware Vulnerability Warning Pilot (RVWP) program conducted by CISA, which shows concern over the ransomware devices discovered on the networks of critical infrastructure organizations. 

To date, RVWP has discovered and identified over 800 vulnerable systems with internet-accessible vulnerabilities that are often targeted by different ransomware activities.  

CISA stated that "Ransomware has disrupted critical services, businesses, and communities worldwide and many of these incidents are perpetrated by ransomware actors using known common vulnerabilities and exposures (CVE) (i.e., vulnerabilities)." 

"However, many organizations may be unaware that a vulnerability used by ransomware threat actors is present on their network[…]Now, all organizations have access to this information in our known exploited vulnerabilities (KEV) catalog as we added a column titled, 'known to be used in ransomware campaigns.' Furthermore, CISA has developed a second new RVWP resource that serves as a companion list of misconfigurations and weaknesses known to be used in ransomware campaigns," CISA added.

RVWP is a component of a much larger effort that was initiated in response to the growing ransomware threat to critical infrastructure that first surfaced almost two years ago with a wave of cyberattacks targeting key infrastructure companies and U.S. government organizations, including Colonial Pipeline, JBS Foods, and Kaseya.

In June 2021, CISA broadened its horizon by launching the Ransomware Readiness Assessment (RRA), a component of its Cyber Security Evaluation Tool (CSET), whose goal is to help companies analyze and evaluate their preparedness in order to mitigate the risks and tackle from potential ransomware attacks. 

By August 2021, CISA also made recommendations to help vulnerable public and commercial sector organizations stop data breaches brought on by ransomware incidents.

In addition, CISA further formed an alliance with the business sector to defend vital US infrastructure against ransomware and other online dangers. All federal agencies and businesses who joined the cooperation have a collective response strategy embodied in this collaborative initiative, the Cyber Defense Collaborative.  

Progressive Leasing Cyberattack: Sensitive Data Stolen

Progressive Leasing, a well-known company that specializes in product leasing, has unexpectedly become the victim of a devastating cyberattack that has resulted in the unauthorized collection of private data. The breach has prompted significant worry among its stakeholders and consumers, which the corporation revealed in an official statement. 

According to reports, the attack was carried out by a sophisticated ransomware group. The group, known for its aggressive tactics, managed to infiltrate the company's systems, gaining unauthorized access to a trove of confidential data. Progressive Leasing has since taken immediate action to contain the breach and enlisted cybersecurity experts' help to investigate the incident. 

According to the company's official statement: 

“Progressive Leasing recently experienced a cybersecurity incident affecting certain Progressive Leasing systems. Promptly after detecting the incident, we engaged leading third-party cybersecurity experts and launched an investigation. We also notified law enforcement. Our team is working diligently alongside our cybersecurity experts and with law enforcement to investigate and respond to this incident. Importantly, there has been no major operational impact to any of Progressive Leasing’s services as a result of this incident, and PROG Holdings’ other subsidiaries have not been impacted. The investigation into the incident, including identification of the data involved, remains ongoing.” 

The stolen information reportedly includes customers' details, financial records, and proprietary business data. This breach poses a significant threat to the privacy of individuals but also raises concerns about potential misuse of the company's internal information. 

The incident has prompted Progressive Leasing to reinforce its cybersecurity measures and invest in advanced protective technologies. The company is also working closely with law enforcement agencies to track down and hold the responsible parties accountable. 

Customers of Progressive Leasing are advised to remain vigilant and monitor their accounts for any suspicious activity. Additionally, the company has set up a dedicated helpline and support team to assist affected individuals in navigating this challenging situation. 

This incident is a sobering reminder of the vital importance of strong cybersecurity measures in the current digital environment. Companies need to be on the lookout for emerging security dangers and invest in cutting-edge security processes as they grow in sophistication and scope. Neglecting cybersecurity can have disastrous repercussions on both the targeted firm and the people whose sensitive information is in danger. 

Progressive Leasing's steadfast response in the wake of this assault highlights the company's dedication to safeguarding its clients' data. Businesses from all sectors are being strongly cautioned by this occurrence to address cybersecurity in an environment where connectivity is growing.

How Much Will Each Stolen Client SSN Cost You Now That You Have Been Pwned?


Following the theft from its systems of more than 447,000 patient names, Social Security numbers, and private medical information, a Florida healthcare organization has resolved a class-action lawsuit. 

Orlando Family physicians, which has 10 clinics in central Florida, has agreed to pay affected patients who submit a claim by July 1 a reimbursement and provide them two years of free credit monitoring. Patients may earn up to $225 or, for those whose SSNs were stolen, up to $7,500 depending on what kind of private information the thieves obtained. 

However, as part of the compensation, the physician organization denies any responsibility for the data heist. 

Court records reveal that the crime took place in April 2021 after thieves used a phishing scam to access the email accounts of four employees. As per Orlando Family Physicians, it “immediately” took the necessary steps, containing the intrusion and hires a “leading” security shop to determine the scope of intrusion. 

The health group, a few months later, published a notice on its website and sent letter to victims whose private information was compromised. The data apparently includes names, demographic information, health information, including diagnosis, medical record numbers, patient account numbers, passport numbers, providers and prescriptions; health insurance details, including legacy Medicare beneficiary numbers generated from the person's Social Security number or other subscriber identification number. 

However, according to the physician group “, the available forensic evidence indicates that the unauthorized person’s purpose was to commit financial fraud against OFP and not to obtain personal information about the affected individuals.” 

Moreover, OFP reported to the US Department of Health and Human Services, saying it potentially affected 447,426 individuals. 

Is Your PII Worth $250, or $75k? 

After the attorneys take their cut, of course, those hundreds of thousands of people whose personal information most certainly ended up for sale on a hacking forum are now eligible for a compensation. The settlement's overall sum is still undisclosed. 

There are two groups within the class that stand to gain monetarily. The first group, individuals who incurred out-of-pocket costs as a result of the theft, may file a claim for up to $225 in duly substantiated costs. This covers any expenses incurred while freezing or unfreezing credit reports, paying for credit monitoring services, or contacting banks about the occurrence, including notary, fax, mailing, copying, mileage, and long-distance phone costs. 

The victims can also file a claim for a time limit of up to three hours, compromised due to the security breach at the rate of $25 per hour. 

The second category consists of victims whose Social Security numbers were taken. These people are eligible to file claims for up to $7,500 for confirmed instances of identity theft, fabricated tax returns, or other forms of fraud that can be linked back to the initial hack. They as well can claim up to eight hours of lost time at $25 per hour. 

The settlement comes as ransomware gangs and other cybercriminals intensify their attacks on hospitals and other healthcare organizations, and the lawyers have responded by bringing numerous class-action cases. 

The aforementioned class-action lawsuit is proposed following an intrusion in February, wherein the BlackCat malware infiltrated one of the Lehigh Valley Health Network physician’s networks, stole sensitive health records belonging to more than 75,000 people, including pictures of patients receiving radiation oncology treatment, and then demanded a ransom to decrypt the files and stop it from posting the records online.  

Nvidia Confirms Company Data Was Stolen in a Breach

 

Last week Chipmaker company Nvidia witnessed a cyberattack that breached its network. The company has confirmed that the intruders got access to proprietary information data and employee login data. 
As the breach came to light last week, the organization attributed the security breach to a threat group called "Lapsus$".

“We are aware that the threat actor took employee credentials and some Nvidia proprietary information from our systems and has begun leaking it online,” the company said in a statement. 

However, as of now, Nvidia didn’t produce any specific details of the stolen data. Meanwhile, LAPSUS$, the alleged culprit, has claimed that it has looted 1TB of data, including files related to the hardware and software belonging to the organization. Following the incident, Lapsus$ started demanding ransom in cryptocurrency in order to prevent the data from being published online. However, Nvidia has not confirmed its stance or response to the demands made by the hackers. 

The primary purpose of a ransomware attack is to encrypt the victim's credentials and threaten to permanently delete it unless a ransom is paid, often in Bitcoin due to the relative anonymity that cryptocurrency provides. Additionally, the threat groups use Ransomware attacks to steal the victim’s data and then threaten to release sensitive details in public unless certain demands are met. Either way, it amounts to extortion. 

According to the sources, the organization did not confirm technical details yet, therefore, it is difficult to confirm anything as of present. However, as a matter of concern, the information related to the attack continues to trickle out. For instance, some of the leaked data contain references to future GPU architectures, including Blackwell. Also, an anonymous source has apparently sent what they claim is proof of stolen DLSS source code to the folks at TechPowerUp. 

"We are investigating an incident. Our business and commercial activities continue uninterrupted. We are still working to evaluate the nature and scope of the event and don’t have any additional information to share at this time," NVIDIA initially said.

Ransomware Groups are Enlisting Breached Individuals to Persuade Firms to Pay Up

 

According to recent reports, attackers are utilising stolen data to contact individuals who have been compromised in the attack (through social media, email, or phone). These direct contact strategies are being used by ransomware gangs as additional leverage to get victims to pay up. They call employees or customers whose data was compromised in the attack and urge them to persuade the victim to pay up, threatening them with the release of their personal information if they do not. 

NBC News featured a story on a parent whose child attended a school run by a district that was the target of a ransomware attack. The attackers emailed the parent, asking him to put pressure on the district to pay up, or else all of the exfiltrated materials, including information on him and his son, will be posted on the dark web. 

According to the person interviewed by NBC, the district did not notify parents or many staff members that they had been the victims of an attack, at least not before the assailants established contact with them. The attackers exploit whatever contact information they can obtain, such as employee directories or customer databases, to identify individuals to pressure. 

Allen ISD was the victim of a cyberattack in September 2021 and was afterward the target of attempted extortion by the perpetrators. Allen ISD, located roughly 30 miles north of Dallas, Texas, educates nearly 22,000 K-12 students. Following consultation with external cybersecurity experts, school administrators decided to refuse to pay the hackers' demands, even telling local media that there was no indication that data had been exfiltrated. Despite the fact that the ransomware gang claimed to have collected personal information from district children, families, and staff and sought to extort millions of dollars from Allen ISD. 

Another strategy used by ransomware attackers is to contact employees at a firm during the reconnaissance stages of an assault to see if they can bypass the infiltration stages by exploiting an insider threat. Insider threats are one of a few non-digital threats that have plagued businesses of all sizes to date. 

Insider threats represent a quarter of the eight main cybersecurity risks that significantly affect the corporate and public sectors, according to the Osterman Research white paper White Hat, Black Hat, and the Emergence of the Gray Hat: The True Costs of Cybercrime. 

According to a new survey conducted by identity protection firm Hitachi ID Systems, 65% of surveyed IT and security executives or their staff had been contacted to aid in ransomware cyberattacks. This marks a 17% increase over a similar survey conducted a year ago. The attackers used email and social media to contact employees in the majority of cases, while phone calls accounted for 27% of their approach efforts, a direct and brazen method of communication.

US Cyber Command Together with NSA and FBI has Started Taking Direct Action Against International Ransomware Gangs

 

General Paul M. Nakasone, the commander of US Cyber Command, stated at the latest national security incident that the organization has commenced taking direct action targeting multinational ransomware organizations as part of a much bigger campaign to reduce attacks on American businesses and infrastructures. 

During his speech at the Reagan National Defense Forum, a gathering of national security experts conducted on Saturday, the General highlighted that the department is working in conjunction with the NSA, FBI, and other federal organizations. 

Following the event, he told The New York Times that Cyber Command's current aim is to "understand the adversary and their insights better than we've ever understood them before." 

The nation's cyberspace defense authorities began a campaign targetting ransomware threats from organized criminal rings around nine months ago, long before high-profile cases such as the Colonial Pipeline closure demonstrated how badly ransomware assaults might impair national and international infrastructure. 

Whereas the General was tight-lipped about the specifics of currently underway and former counter-operations, prior reports indicated that Cyber Command was involved in both punitive actions, including those targeting Russian ransomware group REevil, and restoration efforts, such as those implemented by federal agencies following the Colonial Pipeline mishap. The latter resulted in the DOJ seizing and recovering the "majority" of the ransom paid to the DarkSide ransomware group. 

All such efforts are part of a greater effort called for by a presidential executive order signed in May of this year. The 2021 legislation mandated a broad governmental transition to security measures such as mandatory two-factor authentication, zero-trust principles, and the establishment of a new Cybersecurity Safety Review Board. 

At a recent presentation, the Chief of Cyber Command emphasized the need for "speed, agility, and unity of effort". He stated that all these three criteria were critical in confronting threats, regardless of whether they originated from nation-states, proxies, or independent criminal organizations. In the future, Nakasone hopes to see a federal push for a "whole-of-government effort." 

Diplomatic outreach activities, as well as an extended and globalized focus on defending critical infrastructure resources, are seen as critical steps towards saving the nation from ransomware cyberattacks as well as other cyber invasions, according to the General.

FBI: Ransomware Targets Firms During Mergers and Acquisitions

 

The FBI cautions that ransomware groups are targeting companies in "time-sensitive financial events" such as corporate mergers and acquisitions in order to extort their victims. 

The FBI stated in a private industry notice issued on Monday that ransomware operators would utilize financial information gathered before assaults as leverage to compel victims to pay ransom demands. 

The federal law enforcement agency stated further, "The FBI assesses ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections." 

"During the initial reconnaissance phase, cybercriminals identify non-publicly available information, which they threaten to release or use as leverage during the extortion to entice victims to comply with ransom demands. Impending events that could affect a victim's stock value, such as announcements, mergers, and acquisitions, encourage ransomware actors to target a network or adjust their timeline for extortion where access is established." 

For example, last year, the REvil (Sodinokibi) ransomware gang stated that they were considering introducing an auto-email script that would notify stock exchanges, such as NASDAQ, that firms had been affected by ransomware, potentially affecting their stock price. REvil is also looking into stolen data after breaching firms' systems to identify destructive material that may be used to force victims to pay ransoms.

More recently, DarkSide malware declared that it will share insider information about firms operating on the NASDAQ or other stock exchanges with traders looking to short the stock price for a quick profit. The FBI also highlighted numerous examples of ransomware gangs targeting susceptible firms using inside or public information about active merger or acquisition negotiations: 
  • In early 2020, a ransomware actor using the moniker "Unknown" made a post on the Russian hacking forum "Exploit" that encouraged using the NASDAQ stock exchange to influence the extortion process. Following this posting, unidentified ransomware actors negotiating payment with a victim during a March 2020 ransomware event stated, "We have also noticed that you have stocks. If you will not engage us for negotiation we will leak your data to the nasdaq and we will see what's gonna (sic) happen with your stocks." 
  • Between March and July 2020, at least three publicly traded US companies actively involved in mergers and acquisitions were victims of ransomware during their respective negotiations. Of the three pending mergers, two of the three were under private negotiations. 
  • A November 2020 technical analysis of Pyxie RAT, a remote access trojan that often precedes Defray777/RansomEXX ransomware infections, identified several keyword searches on a victim's network indicating an interest in the victim's current and near-future stock share price. These keywords included 10-q1, 10-sb2, n-csr3, nasdaq, marketwired, and newswire. 
  • In April 2021, Darkside ransomware4 actors posted a message on their blog site to show their interest in impacting a victim's share price. The message stated, "Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges. If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares. Write to us in 'Contact Us' and we will provide you with detailed information." 
As per the FBI, paying a ransom to ransomware groups is not encouraged and should be avoided by organizations since there's no certainty doing so would safeguard them against data leaks or future assaults. Paying ransoms encourages the crooks behind ransomware operations to target even more victims and encourages other cybercrime groups to follow their lead and join them in unlawful activities. 

The FBI, on the other hand, realises the harm a ransomware assault can do a firm, as executives may be compelled to contemplate paying a ransomware actor to safeguard shareholders, customers, or staff. The FBI highly advises that such events be reported to their local FBI field office.

Exmatter: A New Data Exfiltration Tool Used in Attacks

 

Security researchers have identified a new data exfiltration tool aimed to help ransomware groups using the BlackMatter variant steals information faster. The custom tool is the third of its sort discovered, according to the Symantec Threat Hunter team, following the development of the Ryuk Stealer tool and the LockBit-linked StealBit. It's called "Exmatter," and it's meant to steal specific file types from specific directories before uploading them to a site controlled by BlackMatter attackers. 

This method of narrowing down data sources to only those considered most profitable or business-critical is intended to speed up the entire exfiltration process, presumably, so threat actors may finish their attack stages before being interrupted.

Exmatter is obfuscated and compiled as a.NET executable. When run, it looks for the strings "nownd" and "-nownd" in the command line arguments. If either is detected, it uses the "ShowWindow" API like ShowWindow(Process.GetCurrentProcess().MainWindowHandle, 0) to try to conceal its own window. It also excludes files with attributes like FileAttributes.System, FileAttributes.Temporary, and FileAttributes.Directory, as well as files with fewer than 1,024 bytes in size. 

Multiple versions of Exmatter have been discovered, implying that the attackers have continued to improve the tool in order to exfiltrate a large number of high-value data in as little time as possible. 

The directory "C:Program FilesWindows Defender Advanced Threat ProtectionClassificationConfiguration" on the exclusion list has been replaced with "C:Program FilesWindows Defender Advanced Threat Protection" in a second variant. The file types ".xlsm" and ".zip" have been added to the list of acceptable files. A WebDav client was added to a third version of the note. According to the code structure, SFTP is still the preferred protocol, with WebDav serving as a backup. 

BlackMatter is tied to the Coreid cybercriminal organization, which was previously responsible for the Darkside malware. It has been one of the most active targeted ransomware operators in recent months, and its tools have been utilized in a number of high-profile attacks, including the May 2021 Darkside attack on Colonial Pipeline, which disrupted petroleum supply to the US East Coast. Coreid uses a RaaS approach, collaborating with affiliates to carry out ransomware operations and then takes a cut of the profits.

“Like most ransomware actors, attacks linked to Coreid steal victims’ data and the group then threatens to publish it to further pressure victims into paying the ransom demand,” Symantec concluded. “Whether Exmatter is the creation of Coreid itself or one of its affiliates remains to be seen, but its development suggests that data theft and extortion continues to be a core focus of the group.”

Babuk Ransomware Full Source Code Leaked On A Russia-Speaking Hacking Forum



The complete source code for the Babuk ransomware has been leaked by a threat actor on a Russian-speaking hacking forum, this week. It allows easy access to a sophisticated ransomware strain to competitors and threat actors planning to sneak into the ransomware realm with little effort. 

The full source code of Babuk ransomware posted on the hacking forum comprises all things that one would require for a functional ransomware executable. The leaked file contains "various Visual Studio Babuk ransomware projects for VMware ESXi, NAS, and Windows encryptors," as per Xiarch Security. The leak has been confirmed to be legitimate by various ransomware experts. Apparently, the leak also includes decryption keys for the gang's past victims. 

Babuk ransomware gang made certain changes into their operations as they announced they will longer encrypt information on networks, but will rather "get to you and take your data" they said on hacker-forum. "..we will notify you about it if you do not get in touch we make an announcement." They announced in advance that their source code will be publically available as Babuk changes direction and plans to shut down. "We will do something like open-source RaaS, everyone can make their own product based on our prouduct." They further told. 

In April, earlier this year, the Babuk group attacked Washington D.C police with a ransomware attack wherein they stole over 250 gigabytes of data from the Metropolitan Police Department of the District of Columbia (MPD). It included police reports, internal memos, and PII of confidential informants, and employees. Following the attack, the gang heavily criticized MPD for huge security gaps and threatened the law enforcement agency to publish the data if the ransom demand is not met. 

MPD acknowledged the unauthorized access on their server, and it started working with the FBI to investigate the matter. Meanwhile, the U.S. law enforcement agency reviewed the activity to determine the full impact of the attack. 

Post MPD attack, there are reports of strife within the group members of Babuk. The 'Admin' wished to leak the data stolen from the MPD attack for advertising, however, the other members were against the idea as they felt it was too much even for them (the bad guys). As a result, the group disintegrates and the initial 'Admin' went on to launch the 'Ramp' cybercrime forum while others began Babuk V2, where they continue carrying out ransomware attacks with little or no difference. After a while, the original admin accused his gang members of attempting to make his new site unusual by subjecting it to a series of DDoS attacks. 

"One of the developers for Babuk ransomware group, a 17 year old person from Russia, has been diagnosed with Stage-4 Lung Cancer. He has decided to leaked the ENTIRE Babuk source code for Windows, ESXI, NAS." A user going by the Twitter handle @vxunderground tweeted.

US Government Comes Up With A Plan to Restrict Cyberattacks

 

Ransomware attacks are at an all time high in the United States, hackers are disrupting computer systems administering crucial infrastructure and refuse to give access until the ransom is paid, generally in Bitcoin or other hard to track crypto currency (decentralised). Earlier this year, hackers cracked down one of the biggest agencies in US (Colonial Pipeline). 

In June 2021, hackers attacked a meat processing industry to shutdown nine beef plants. Cyberattacks on smaller organizations that include Baltimore City Government, Steamship Authority of Massachusetts, which get low attention, but hint towards a general scenerio of ransomware cybercrime. New York Times reports "The United States should also prohibit transactions with the American banking system by foreign banks that do not impose stricter regulations on cryptocurrency. Because access to the American financial market is vitally important to foreign banks, they, too, would have a strong incentive to comply." 

Biden government took some restrictive measures to limit the impact of these attacks. An executive order made Federal government to outline a plan for the issue. In a meeting held last week, President Biden requested leaders of Google, Apple and other organisations to come up with a plan for dealing with these attacks. However, this doesn't solve the issue root problem. Ransomware attacks happen because of monetary benefits. If it becomes hard for criminals to make profit out of these attacks, maybe they will decrease. By handling crypto currency with aggressive measures, government can limit its use for illegal purposes in anonymous payments. 

In case of ransomware attacks, hackers can seize a company's resources and assets, demand ransom safely, which lowers the risk factors. The U.S government can take some preventive measures, first being enforcement of regulations for crypto currency industry equal to regulate the traditional government industry. "Cryptocurrency exchanges, “kiosks” and trading “desks” are not complying with laws that target money laundering, financing of terrorism and suspicious-activity reporting, according to a recent report from the Institute for Security and Technology. Those laws ought to be enforced equally in the digital domain," reports the New York Times

Ahead of the Labor Day Holiday, the FBI and CISA Warn of Ransomware Risk Over Weekends and Holidays



Ahead of the Labour Day holiday coming about this weekend, CISA and the FBI have released joint advisory warning organizations of increased ransomware attack risk on weekends and holidays. 

Over the past few months, the government agencies have noticed a relative increase in 'highly destructive' ransomware attacks being launched by attackers on long weekends and holidays. Reportedly, these time frames – holidays, especially long weekends – are viewed as attractive time slots by cybercriminals to deploy ransomware due to a lower level of defense during weekends which maximizes the impact of infiltration. The physical absence of the personnel plays a significant role when the offices are normally closed. 

The FBI and CISA noted that the recent cyberattacks that crippled high-profile US entities were all scheduled by hackers over weekends. The cited case studies include recent attacks against JBS, Kaseya, and Colonial Pipeline. 

In May 2021, the DarkSide ransomware operators launched the Colonial Pipeline attack, around Mother's Day weekend. The data was stolen on May 06, 2021, and the malware attack occurred on May 07, 2021. 

In May 2021, the world's largest meat processing organization, JBS, experienced a cyberattack by the REvil ransomware group that disabled its beef and pork slaughterhouses. This attack took place on May 30, 2021 – leading into the Memorial Day public holiday. 

In July 2021 –  building on the weekend attack trend – Kaseya, a leading software provided to over 40,000 organizations, suffered a sophisticated cyberattack yet again by REvil ransomware. The attack was carried out on July 2nd, 2021 ahead of the Independence Day holiday in the United States on July 4th.  

"The FBI's Internet Crime Complaint Center, which provides the public with a trustworthy source for reporting information on cyber incidents, received 791,790 complaints about all types of internet crime -- a record number -- from the American public in 2020, with reported losses exceeding $4.1 billion," the advisory read.

The two agencies clarify that as of now there are no clear indications of a cyberattack that will take place around the oncoming 'Labour Day holiday', however, the alert warns that the threat actors have carried out increasingly damaging cyberattacks around holidays and weekends over the past several months. Therefore, the FBI and CISA urge the organizations to not lower their defenses while providing information on how to effectively combat the increasingly worsening threat of cyberattacks. They advised organizations to strengthen their security, minimize their exposure, and potentially "engage in preemptive threat hunting on their networks to search for signs of threat actors." 

“Threat actors can be present on a victim network long before they lock down a system, alerting the victim to the ransomware attack. Threat actors often search through a network to find and compromise the most critical or lucrative targets. Many will exfiltrate large amounts of data. Threat hunting encompasses the following elements of understanding the IT environment by developing a baseline through a behavior-based analytics approach, evaluating data logs, and installing automated alerting systems.” The joint advisory further said.

FBI Told Congress That Ransomware Payments Shouldn't be Prohibited

 

After meeting with the business sector and cybersecurity experts, the Biden administration backed away from the concept of barring ransomware payments, according to a top cybersecurity official on Wednesday. At an Aspen Security Forum event, Anne Neuberger, deputy national security adviser for cyber and new technology, said, "Initially, I thought that was a good approach. We know that ransom payments are at the heart of this ecosystem.”

A top FBI official told US lawmakers in July that making ransom payments to cybercriminals illegal is not the best way to combat the danger of ransomware. According to Bryan Vorndran, assistant director of the FBI's cyber division, banning ransom payments could unwittingly open the door to more extortion by ransomware gangs. 

"If we ban ransom payments now, you're putting US companies in a position to face yet another extortion, which is being blackmailed for paying the ransom and not sharing that with authorities," Vorndran said at a Senate Judiciary Committee hearing on ransomware. 

The debate over whether or not ransomware payments should be illegal exemplifies the larger issue that policymakers have in trying to combat a crime that takes advantage of a victim's financial incentives. According to cybersecurity experts, paying in the hopes of rapidly fixing an issue is often more appealing than refusing to negotiate, having to recover data from backups, and risking the publishing of sensitive information online. 

“We heard loud and clear from many that the state of resilience is inadequate, and as such, if we banned ransom payments we would essentially drive even more of that activity underground and lose insight into it that will enable us to disrupt it,” Anne said. 

Work to gain transparency into cryptocurrency networks, which have become a popular method of payment for cybercriminals, is one of the disruptive attempts. The National Security Council, according to Neuberger, is working with other members of an interagency task force to review regulations and safeguards that would allow for improved payment monitoring. 

“Our driving goal is rapid tracing and really the strengthening of domestic and international virtual currency regulatory environments to enable that,” she said. “One big part of it is also building in those types of protections in the design of new virtual currencies and addressing that in a way that we can both have the innovation, and not have a broad illicit use that’s driving criminal activity.”

BlackMatter & Haron Targeting Firms with Revenue of $100 Million and More

 

Cybersecurity researchers from South Korean security firm S2W Labs have unearthed two new ransomware groups. A sample of the first group of malware — which is identifying itself as 'Haron', was first submitted to VirusTotal on July 19. 

According to S2W Lab, the layout, organization, and tactics used by Haron are almost identical to those for Avaddon, the ransomware group that went dark in June after sending a master decryption key to BleepingComputer that victims could use to recover their data.

Both groups are targeting high-profile organizations in order to maximize their profits. Haron also runs a “leak site” where it threatens to publish data stolen from companies who refuse to pay for decrypting their files. According to S2W Lab, the engine driving Haron ransomware is Thanos, a separate piece of ransomware that has been around since at least 2019.

Haron was developed using a recently published Thanos builder for the C# programming language. Avaddon, on the other hand, was written in C++. Jim Walter, a senior threat researcher at security firm SentinelOne, said in a text message that he spotted what appear to be similarities with Avaddon in a couple of samples he recently started analyzing. He said he would know more soon. 

The second ransomware newcomer goes by the name 'BlackMatter'. According to Flashpoint, BlackMatter threat actors registered an account on the Russian forums XSS and Exploit on July 19 and immediately followed up to an infected corporate network consisting of 500 to 15,000 hosts. He said he was trying to buy access. With annual revenues of over $100 million in the United States, Canada, Australia, and the United Kingdom, it may indicate the operation of large-scale ransomware.

“Actors have deposited 4 BTC (about US $ 150,000) into their escrow accounts, which shows the seriousness of threat actors when they deposit large amounts in forums. Black Matter does not openly state that they are ransomware collective operators. The language and goals of their posts clearly indicate that they are ransomware collective operators. But technically it doesn’t violate the rules of the forum,” FlashPoint researchers said in the report. 

The emergence of BlackMatter coincides with the disappearance of DarkSide and REvil in the wake of highly publicized incidents of Colonial Pipeline, JBS, and Kaseya — raising speculations that the groups may eventually rebrand and resurface under a new identity.