Showing posts with label Ransomware Operation.

German Investigators Successfully Trace Suspects Within Tor Network

Tor is a network overlay designed to enable anonymous browsing and data exchange over the internet. While the "darknet" promises freedom from surveillance, determined agencies can sometimes breach its complex layers to uncover the true identities of individuals.

According to the German news source Tagesschau, local law enforcement recently arrested four individuals in connection with a ransomware operation and the hosting of child sex abuse material (CSAM) on servers hidden within Tor. These suspects used Tor to conceal their activities, but authorities managed to track and apprehend them.

Investigators employed a technique known as a "timing analysis" attack, which involved monitoring Tor nodes over an extended period. By analyzing connections between darknet servers and local internet sources, they were able to identify the suspects. This case highlights that law enforcement agencies are actively surveilling hidden servers on the Tor network.

During the investigation, authorities took control of a Tor address linked to a ransomware group, redirecting its traffic to a page that blocked access to stolen, encrypted files. Through timing analysis, they eventually identified "Andres G," a key individual behind an .onion site known as "Boystown."

While details about the timing analysis technique remain limited, developers from the Tor Project pointed out that one of the suspects was using an outdated version of Ricochet, a decentralized Tor-based messaging app. This version lacked protection against timing analysis, leaving the user vulnerable to a guard discovery attack. A new version, Ricochet-Refresh, has since been released to address these privacy concerns.

Tor developers also emphasized that users can only access Onion services from within the Tor network, making exit node monitoring irrelevant. The Tor network itself has continued to expand, with over 2,000 new exit nodes becoming operational in recent years. These exit nodes are the final point of connection before users access the clearnet.

A Tor developer commented, "While many questions remain unanswered, one thing is certain: Tor users can still rely on Tor Browser to browse the web securely and anonymously."

LockBit Ransomware: Covertly Evolving Towards Next-Gen Threats Amid Takedown Efforts

In a significant development, law enforcement dismantled the infrastructure of LockBit ransomware earlier this week, uncovering the clandestine work on a next-generation file encryption malware. Referred to as LockBit-NG-Dev, this emerging threat, likely the precursor to LockBit 4.0, was revealed through a collaborative effort between the UK's National Crime Agency and cybersecurity firm Trend Micro. 

In a departure from its predecessors built in C/C++, LockBit-NG-Dev is a work-in-progress developed in .NET, compiled with CoreRT, and packed with MPRESS. This strategic shift was brought to light as Trend Micro analyzed a sample of the latest LockBit variant capable of operating across multiple systems, indicating a more sophisticated approach to infection. 

Despite lacking some features present in previous versions, such as self-propagation on compromised networks and printing ransom notes on victims' printers, LockBit-NG-Dev appears to be in its final development stages and already provides the functionality most expected of it. Trend Micro's technical analysis shows that the encryptor supports three encryption modes (using AES+RSA): "fast," "intermittent," and "full." It also supports custom file and directory exclusions and can randomize file names to complicate restoration efforts.
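To show why the three modes matter for forensic triage, here is an added example (not code from the page, from Trend Micro, or from the malware) that profiles per-chunk entropy of a file instead of whole-file entropy. It assumes the usual meanings of the modes ("full" encrypts everything, "intermittent" encrypts alternating stripes, "fast" encrypts only the leading portion); the chunk size, the entropy threshold and the use of os.urandom as stand-in ciphertext are assumptions made for the example.

```python
import math
import os
from collections import Counter

CHUNK = 4096          # chunk size for the entropy profile (assumption)
HIGH_ENTROPY = 7.5    # bits per byte; encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each fixed-size chunk, so partial encryption shows up as a pattern."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data: bytes, chunk: int = CHUNK) -> str:
    """Triage a file against the three modes (assumed meanings, see lead-in).

    A whole-file entropy check misses 'fast' and 'intermittent' files because
    most of their bytes are still plaintext; the per-chunk profile does not.
    """
    flags = [e >= HIGH_ENTROPY for e in entropy_profile(data, chunk)]
    hits = sum(flags)
    if hits == 0:
        return "plaintext"
    if hits == len(flags):
        return "full"
    first_clear = flags.index(False)
    if not any(flags[first_clear:]):
        return "fast"          # only a leading run of chunks is encrypted
    return "intermittent"      # encrypted chunks interleaved with clear ones


def build_samples(chunk: int = CHUNK) -> dict:
    """Constructed inputs: os.urandom stands in for ciphertext, repeated text for plaintext."""
    clear = (b"quarterly report line\n" * 300)[:chunk]   # one low-entropy chunk
    rand = os.urandom(chunk)                            # one 'encrypted' chunk
    return {
        "plaintext": clear * 8,
        "full": os.urandom(chunk * 8),
        "fast": rand + clear * 7,
        "intermittent": (rand + clear) * 4,
    }
```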

Notably, the malware features a self-delete mechanism that overwrites LockBit's own file contents with null bytes. The discovery of LockBit-NG-Dev is a significant setback for LockBit operators, following law enforcement's Operation Cronos. Even if the gang still controls backup servers, the exposure of the new encryptor's source code poses a formidable challenge for the cybercriminal business. Restoring operations becomes a daunting task when security researchers have knowledge of the encrypting malware's source code. 

This revelation emphasizes the ongoing battle between law enforcement and cybercriminals, underscoring the need for continued vigilance and collaboration to address evolving threats in the ransomware landscape. 

In conclusion, the revelation of LockBit ransomware secretly building a next-gen encryptor serves as a stark reminder of the persistent and adaptive nature of cyber threats. As organizations and cybersecurity professionals work to stay ahead of evolving ransomware tactics, the need for proactive defenses, continuous threat intelligence sharing, and a collective, global response has never been more critical. LockBit's covert evolution reinforces the urgency of fortifying cybersecurity measures to protect against the ever-changing landscape of sophisticated cyber threats.

Florida Circuit Court Targeted in Attack by ALPHV Ransomware Group

The ALPHV, also known as BlackCat, ransomware group has asserted responsibility for a recent assault on state courts in Northwest Florida, falling under the jurisdiction of the First Judicial Circuit. 

The attackers claim to have obtained sensitive information such as Social Security numbers and CVs of employees, including judges. It's a common tactic for ransomware groups to threaten the public release of stolen data as leverage for negotiations.

The presence of the Florida First Judicial Circuit's data leak page on ALPHV's website suggests that the court has either not engaged in talks with the ransomware group or has firmly refused to meet their demands. 

The breach occurred last week, prompting the Florida circuit court to announce an ongoing investigation into the cyberattack, which disrupted operations on October 2nd. A statement released by the court stated that this incident would have a significant impact on court operations across the Circuit, affecting courts in Escambia, Okaloosa, Santa Rosa, and Walton counties for an extended period. 

The Circuit is prioritizing essential court proceedings but has decided to cancel and reschedule other proceedings, along with suspending related operations for several days starting from October 2, 2023.

In the midst of the investigation, judges in the affected counties have been in contact with litigants and attorneys regarding their regularly scheduled hearings. 

Additionally, the court authorities confirmed that all facilities are operating without any disruptions. As of now, the court has not independently verified the ransomware attack claims made by the ALPHV gang.

The ALPHV ransomware operation, originally known as DarkSide, emerged in November 2021 and is believed to be a rebranding of DarkSide/BlackMatter. 

This group gained international notoriety after the Colonial Pipeline breach, drawing the attention of law enforcement agencies worldwide. After a rebranding to BlackMatter in July 2021, their activities abruptly halted in November 2021 when authorities seized their servers and security firm Emsisoft developed a decryptor exploiting a ransomware vulnerability. 

This ransomware operation is known for consistently targeting global enterprises and continuously refining their tactics.

In a recent incident, an affiliate known as Scattered Spider claimed responsibility for an attack on MGM Resorts, claiming to have encrypted over 100 ESXi hypervisors after the company declined ransom negotiations following the shutdown of its internal infrastructure.

As reported by BleepingComputer, ALPHV's ransomware attack on MGM Resorts resulted in losses of approximately $100 million, as well as the theft of its customers' personal information. The FBI issued a warning in April, highlighting the group's involvement in successful breaches of over 60 entities worldwide between November 2021 and March 2022.

Targeting Businesses Globally, the Medusa Ransomware Gang Gains Momentum

In 2023, a ransomware operation called Medusa began to gain momentum. It targets corporations globally and demands million-dollar ransoms.

Starting in June 2021, the Medusa operation had only a small number of victims and a low level of activity. In 2023, however, the gang ramped up its operations and established a "Medusa Blog," where it leaks the data of victims who decline to pay a ransom.

Last week, Medusa came under public scrutiny after claiming responsibility for an attack on the Minneapolis Public Schools (MPS) district and sharing a video of the data that was taken. 

Will the genuine Medusa rise up? 

Medusa is the name of several malware families, including the well-known MedusaLocker ransomware operation, an Android malware family, and a Mirai-based botnet with ransomware capabilities.

Because the name is so widely used, there has been some confusion about the family, leading many people to believe it is the same as MedusaLocker. Yet there are significant operational differences between the Medusa and MedusaLocker malware.

The MedusaLocker operation debuted in 2019 as a Ransomware-as-a-Service, with a large number of affiliates, a ransom note typically called How_to_back_files.html, and a wide range of file extensions for encrypted files. 

For negotiation, the MedusaLocker operation uses a Tor website at qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion. 

The Medusa ransomware operation, by contrast, has used the static .MEDUSA encrypted-file extension and the !!!READ_ME_MEDUSA!!!.txt ransom note since its launch in June 2021.

Using Windows devices to encrypt data 

It is currently unknown whether Medusa has a Linux encryptor; BleepingComputer has only been able to analyse the Windows version. The Windows encryptor accepts command-line arguments that let a threat actor control how files on the system are encrypted. For instance, if the -v argument is used, the ransomware displays a console and prints status messages as it encrypts a device.

When run without command-line parameters, the Medusa ransomware terminates over 280 Windows services and processes belonging to programs that could prevent files from being encrypted. These include Windows services for database servers, backup servers, and security applications. The ransomware then deletes Windows Shadow Volume Copies to impede file recovery.
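As an added defender-side example (not code from the post or from the researchers it cites), the following Python scans constructed Windows System-log style lines for the burst of service stops that the behaviour above would produce on a host. The log line format, the sliding-window thresholds and the keyword list used to flag database, backup and security services are assumptions made for the example.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW_SECONDS = 60    # assumed sliding window
STOP_THRESHOLD = 20    # assumed number of stops in one window that is abnormal
# The post names database, backup and security services as targets; these
# keywords are an assumed approximation of that category, not a list from the post.
SENSITIVE_KEYWORDS = ("sql", "backup", "defender")
SUFFIX = " service entered the stopped state."


def parse_stop_event(line: str):
    """Parse a constructed line '<ISO timestamp> 7036 The <name> service entered the stopped state.'
    and return (timestamp, service name); any other event yields None."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    ts, event_id, rest = parts
    if event_id != "7036" or not rest.startswith("The ") or not rest.endswith(SUFFIX):
        return None
    return datetime.fromisoformat(ts), rest[len("The "):-len(SUFFIX)]


def detect_mass_service_stops(lines, window=WINDOW_SECONDS, threshold=STOP_THRESHOLD):
    """Return details of the first burst of >= threshold stops inside the window, else None."""
    recent = deque()
    for line in lines:
        parsed = parse_stop_event(line)
        if parsed is None:
            continue
        ts, service = parsed
        recent.append((ts, service))
        while (ts - recent[0][0]).total_seconds() > window:
            recent.popleft()          # drop events that fell out of the window
        if len(recent) >= threshold:
            names = [s for _, s in recent]
            hit = [s for s in names if any(k in s.lower() for k in SENSITIVE_KEYWORDS)]
            return {"start": recent[0][0], "end": ts, "count": len(names), "sensitive": hit}
    return None


def constructed_logs(burst: bool):
    """Constructed sample events: stops 200 ms apart (burst) or an hour apart (baseline)."""
    base = datetime(2023, 3, 7, 2, 14, 0)
    names = ["MSSQLSERVER", "Veeam Backup Service", "Windows Defender Antivirus Service"]
    names += [f"Svc{i:02d}" for i in range(22)]
    step = timedelta(milliseconds=200) if burst else timedelta(hours=1)
    lines = [f"{(base + i * step).isoformat()} 7036 The {n}{SUFFIX}" for i, n in enumerate(names)]
    lines.insert(1, f"{(base + step).isoformat()} 7040 The start type of a service was changed.")
    return lines
```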

Michael Gillespie, a ransomware expert, examined the encryptor as well and revealed to BleepingComputer that it encrypts files using AES-256 + RSA-2048 encryption with the BCrypt library. 

Like most ransomware operations that target businesses, Medusa runs a data leak site called "Medusa Blog." The site is part of the gang's double-extortion scheme, in which the data of victims who decline to pay a ransom is published.

A victim's data is not published immediately when they are added to the data leak site. Instead, the threat actors offer the victim paid options to delay the release of the data, delete the data, or download the full data set. The price of each option varies.

These options are designed to increase the pressure on victims and frighten them into paying. Unfortunately, there are no known weaknesses in the Medusa ransomware's encryption that would allow victims to recover their files without paying.