Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Ransomware Threat. Show all posts

Hackers Warn of Further Attacks on KADOKAWA, Claim Ongoing Access to Servers

 

KADOKAWA is on high alert for potential cyberattacks from the Russian hacker group Black Suit after failed negotiations aimed at resolving a previous major cyber incident. Black Suit, known for its ransomware operations, has warned of further attacks following KADOKAWA's refusal to pay an $8 million ransom (around 1.1 billion yen).

In a recent update to Kyodo News, the hackers disclosed that discussions with the company had broken down.

“We demanded $8 million, but KADOKAWA did not comply,” Black Suit stated, cautioning that the company “will face the same problem repeatedly” as they still have access to KADOKAWA’s systems.

Cybersecurity specialist Katsuji Okamoto from Trend Micro commented on the matter, stressing the severity of the threat.

“Even if this is a bluff, KADOKAWA must reassess its systems and prepare for the worst. Black Suit is notorious for their persistence and thorough execution of attacks, typically carrying them out from start to finish independently.”

KADOKAWA, however, has chosen not to disclose specific details about the incident, citing an active police investigation.

“This is a matter under police investigation, and we cannot comment,” a company spokesperson said.

The company initially reported the cyberattack in early June, noting disruptions across multiple websites and services. Since then, KADOKAWA has provided regular updates on its progress in system restoration and investigation efforts.

On June 27, 2024, Black Suit reportedly revealed the full scale of the breach, claiming they had stolen 1.5 terabytes of sensitive data, including business plans, user information, contracts, and financial records.

The group alleged they exploited vulnerabilities within KADOKAWA’s network infrastructure, gaining access to a “control center” that enabled them to encrypt the entire network, impacting subsidiaries like Dwango and NicoNico.

They threatened to release the stolen data if the ransom was not paid by July 1, 2024.

As of August 5, KADOKAWA confirmed a data leak affecting 254,241 individuals, following an investigation by third-party experts.

Vendor Reliance and M&A Surge Contribute to Heightened Ransomware Threat

 


In 2024, threat actors are likely to evolve tactics to exploit the consolidation of businesses and technologies. The mid-year 2024 cyber risk report released by Resilience Group indicates that mergers and acquisitions (M&As) are becoming more popular as well as the trend of increased reliance on major software vendors, allowing threat actors to take advantage of new opportunities. 

A growing number of threat actors are exploiting business consolidations and technological advancements to launch widespread ransomware attacks, which means organizations need to rethink the way they address new vulnerabilities if they want to remain secure and resilient in the future. As a result of mergers and acquisitions (M&A) and an increased reliance on key software vendors, cyber security firm Resilience has found that there is a record number of potential points of failure for hackers to exploit, which has resulted in the most damaging cyber incidents of the last year, resulting in an unprecedented number of potential points of failure. 

According to the latest statistics, ransomware is the leading cause of financial losses around the world. Using the 'business and technology consolidation' as an opportunity to benefit from the consolidation of business and technology, threat actors have evolved their tactics in 2024 according to Resilience, a leading provider of cyber risk solutions which published its Midyear Cyber Risk Report 2024. 

Due to the increased integration of software vendors into the marketplace as well as the reliance on a single point of failure, threat actors have been able to unleash widespread ransomware campaigns by exploiting disparities between the many vendors. During the past year, we have witnessed some of the most disruptive cyberattacks possibly in the history of mankind, many of which involved heavily interconnected systems or recently acquired companies, which had devastating effects—even causing a range of economic sectors to undergo disruptions. 

As part of the Midyear 2024 Cyber Risk Report, released today by Resilience, Resilience has analyzed trends in hacking activity, as well as industry responses to hacking, based on data from our Threat Intelligence team and insurance claims portfolio. As noted in Resilience's report, threat actors have evolved their tactics to take advantage of the increased consolidation of businesses and technology, which has increased ransomware campaigns when compared to the previous year. 

There have been increasingly more campaigns targeting interconnected systems and newly acquired companies, posing substantial risks to a variety of economic sectors due to the exposure. Moreover, the report stated that 35% of all claims made since the beginning of 2023 were due to breaches or ransom attacks caused by third parties. By 2024, there is an expectation that this percentage will rise to 40% and is expected to continue on its upward trajectory. 

A recent study by Resilience explained that technology consolidation, in which industries rely on one or a few companies for critical platform services, has proved to have catastrophic consequences downstream when a single vendor is breached, wrote Marykate Broderick for Resilience. Besides the ransomware itself, impacted organizations may also have to pay significant income losses due to business interruptions, as well as ransom payments in addition to the possibility of finding themselves liable for ransoms." 

Based on the results of the Claims Data for the year 2024, the manufacturing and construction industries have been reported to have had the highest growth in the number of claims made. The number of manufacturing damage claims surged by 41.7% in 2024, compared to 15.2% in 2023, and the number of construction damage claims also increased by 6.1% within the same time frame. 

This quarter, Resilience, revealed that the majority of claims have been filed at the company due to several ransomware attacks, as well as exploits of two zero-day vulnerabilities that were found in the PanOS operating system during the first quarter of 2024. Ransomware, a crypto-currency attack, that took place in February on Change Healthcare, greatly impacted the company's billing and care authorization systems, along with the company's overall operations as a whole. Due to the attack, the US healthcare system has been hit by wide-ranging disruptions affecting hospitals and pharmacies all over the country.

It took UnitedHealth Group, the parent company of Change Healthcare, a considerable amount of time and effort to thoroughly recover and rebuild the affected platforms from scratch to restore service to the patients. In June 2024, CDK Global, a company that provides cloud-based software for automobile dealerships, suffered from a ransomware attack, which resulted in significant disruptions to the company's operations. 

There are approximately 15,000 car dealerships across the US that have been forced to turn their IT systems off, and some have also decided to revert to manual processes to keep the business operating. As a result of the attack, which is believed to be the work of the BlackSuit ransomware group, severe economic consequences have also been brought on to the company, with estimates of around 100,000 vehicle sales being affected. Recently, the Federal Bureau of Investigation (FBI), a unit of the United States Department of Justice, confirmed that it had successfully disrupted a criminal ransomware group that was known as "Radar" or "Dispossessor." 

An operation by the FBI's Cleveland division was instrumental in dismantling the key infrastructure linked to the group, including servers in the United States, United Kingdom, and Germany, in response to the investigation. In addition to several criminal domains being taken offline as part of the crackdown, the FBI executed the operation in collaboration with international partners. These partners included the UK’s National Crime Agency and law enforcement agencies in Germany. This coordinated effort underscores the increasing severity and sophistication of ransomware attacks, which have escalated as cybercriminals continue to demand larger ransoms each year. 

Bayer emphasized the need for business leaders to be prepared for the growing ransomware threat landscape, which he described as increasingly treacherous. He advised that by conceptualizing these attacks as inevitable rather than remote possibilities, organizations can better prepare by investing in cybersecurity personnel, processes, and technology. Such proactive measures will enable businesses to recover more quickly from attacks, minimizing disruption to their operations.

New Ransomware Threat: Hunters International Deploys SharpRhino RAT

 

In a troubling development for cybersecurity professionals, the Hunters International ransomware group has introduced a sophisticated new remote access trojan (RAT) called SharpRhino. This C#-based malware is specifically designed to target IT workers and breach corporate networks through a multi-stage attack process. The malware’s primary functions include achieving initial infection, elevating privileges on compromised systems, executing PowerShell commands, and ultimately deploying a ransomware payload. 

Recent findings from Quorum Cyber researchers reveal that SharpRhino is distributed via a malicious site masquerading as Angry IP Scanner, a legitimate networking tool widely used by IT professionals. The deceptive website uses typosquatting techniques to lure unsuspecting users into downloading the malware. This approach highlights a new tactic by Hunters International, aiming to exploit the trust IT workers place in well-known tools. The SharpRhino RAT operates through a digitally signed 32-bit installer named ‘ipscan-3.9.1-setup.exe.’ 

This installer contains a self-extracting, password-protected 7z archive filled with additional files necessary for the malware’s execution. Upon installation, SharpRhino modifies the Windows registry to ensure persistence on the compromised system and creates a shortcut to Microsoft.AnyKey.exe, which is normally a Microsoft Visual Studio binary but is abused here for malicious purposes. Additionally, the installer drops a file named ‘LogUpdate.bat,’ which executes PowerShell scripts to run the malware stealthily. To facilitate command and control (C2) operations, SharpRhino creates two directories: ‘C:\ProgramData\Microsoft: WindowsUpdater24’ and ‘LogUpdateWindows.’ 

These directories are used to manage communication between the malware and its operators. SharpRhino also includes hardcoded commands such as ‘delay’ to set the timer for the next POST request and ‘exit’ to terminate communication. This enables the malware to execute various dangerous actions, including launching PowerShell commands. For instance, Quorum Cyber researchers demonstrated the malware’s capability by launching the Windows calculator. Hunters International, which began operations in late 2023, has been associated with several high-profile ransomware attacks. Notable victims include U.S. Navy contractor Austal USA, Japanese optics giant Hoya, Integris Health, and the Fred Hutch Cancer Center. 

In 2024 alone, the group has claimed responsibility for 134 ransomware attacks, ranking it among the top ten most active ransomware operators globally. The deployment of SharpRhino through a fake website underscores Hunters International’s strategic focus on IT professionals, leveraging their reliance on familiar software to infiltrate corporate networks. To protect against such threats, users should exercise caution with search results and sponsored links, use ad blockers, and verify the authenticity of download sources. Implementing robust backup plans, network segmentation, and keeping software up-to-date are essential measures to mitigate the risk of ransomware attacks.

California's Major Trial Court Falls Victim to Ransomware Attack

 


It has been reported that the computer system at the largest trial court in this country has been infected by ransomware, causing the system to crash. Superior Court officials said they were investigating the incident. As soon as the court learned that the computer network systems had been hacked, the systems were disabled, and they are expected to remain down until the weekend at the very least. 

Following the statement, a preliminary investigation revealed no evidence that the user's data had been compromised in any way. According to officials with the Superior Court of Los Angeles County, the nation's largest trial court was closed Monday as a ransomware attack shut down its computer system late last week, resulting in a shutdown of its library and many other departments. 

As soon as the court became aware of the cyberattack early Friday morning, its computer network was disabled, and the system remained offline throughout the weekend due to the attack. There will be no courthouse operations on Monday, despite reports that the county's 36 courthouses will all remain open to the public on Friday. According to a statement released by the FBI on Friday morning, officials do not believe the cyberattack related to the faulty CrowdStrike software update that has disrupted airlines, hospitals, and governments worldwide is related to the security breach. 

Once the court was made aware of the attack, all computer systems connected to its computer network were disabled. An initial investigation has revealed no evidence that the data of users has been compromised, according to the statement released by the company. KCAL, the CNN affiliate based in Los Angeles, reported Monday that the judicial system continues to be closed as it tries to recover. 

As the largest court system in the United States that serves a broad range of services to more than 10 million residents in 36 courthouses, the Superior Court of Los Angeles County is the largest unified court system in the country. The number of cases filed in 2022 is expected to reach nearly 1.2 million, and there will be almost 2,200 jury trials. According to the Presiding Judge Samantha P. Jessner, "The Court has been experiencing a cyber-attack which has resulted in almost all of our network systems being shut down. 

Companies have contained the damage to their network, ensured data integrity and confidentiality, and ensured future network stability and security" during an unprecedented cyber-attack on Friday. The court has reopened all 36 courthouses tomorrow, July 23, following the tireless dedication of the staff and security experts required to assist in restoring the court to full operation," according to a statement published on the court's website. Court users need to be aware that there will be delays and potential impacts due to limitations in functionality.

Understanding Qilin Ransomware: Threats, Origins, and Impacts on Healthcare

 

Qilin, also known as Agenda, is a ransomware-as-a-service operation that collaborates with affiliates to encrypt and exfiltrate data from hacked organizations, demanding a ransom in return. 

Despite its name deriving from a mythical Chinese creature that combines features of a dragon and a horned beast, the Qilin ransomware group is linked to Russia. Qilin has been active since October 2022, when it first posted about a victim on its darknet leak site. Since then, its activities have increased, affecting notable organizations such as the street newspaper The Big Issue, automotive parts giant Yanfeng, and the Australian court service. 

Recently, Qilin made headlines following a ransomware attack against Synnovis, a firm involved in blood testing and transfusions. This attack led to an emergency "critical incident" being declared at several London hospitals, with Qilin threatening to release stolen data unless a ransom is paid. Reports suggest that Qilin is demanding a substantial ransom of $50 million from Synnovis for the decryption tools and a promise not to publish the data. 

However, in media interviews, the group claimed that the attack was not financially motivated but a protest against the British government's involvement in an unspecified war. This claim is dubious given Qilin's history of targeting various businesses and healthcare organizations without prior political motivations. The high ransom demand likely reflects the significant disruption caused to the hospitals and their patients, rather than any genuine political agenda. 

Healthcare organizations and hospitals are frequent targets of ransomware attacks due to their complex IT systems and limited budgets. The consequences of such attacks are severe, as they can disrupt critical medical services. Ransomware groups view these entities as "soft targets," hoping to extract payments due to the urgent need to restore services. To protect against Qilin and similar ransomware threats, organizations should implement several key measures.

These include making secure offsite backups, using up-to-date security solutions, and applying the latest security patches to guard against vulnerabilities. Network segmentation can restrict an attacker's ability to move laterally within an organization. Using strong, unique passwords and enabling multi-factor authentication can protect sensitive data and accounts. Encrypting sensitive data and disabling unnecessary functionalities can further reduce the attack surface. 

Educating staff about cyber risks and attack methods is also crucial in maintaining organizational security. By taking these precautions, organizations can reduce the risk of falling victim to ransomware groups like Qilin, ensuring they are better prepared to defend against such malicious activities.

The High Cost of Ransomware: Change Healthcare’s $22 Million Payout and Its Aftermath

Change Healthcare’s $22 Million Payout and Its Aftermath

A Costly Decision: The $22 Million Ransom

When Change Healthcare paid $22 million in March to a ransomware gang that had devastated the company as well as hundreds of hospitals, medical practices, and pharmacies throughout the US, the cybersecurity industry warned that Change's extortion payment would only fuel a vicious cycle. 

It appeared that rewarding hackers who had carried out a merciless act of sabotage against the US health-care system with one of the largest ransomware payments in history would stimulate a new wave of attacks on similarly vulnerable victims. The wave has arrived.

This decision came after a crippling cyberattack that not only brought the company to its knees but also impacted hundreds of hospitals, medical practices, and pharmacies nationwide.

The ransomware attack on Change Healthcare was not just another statistic; it was a ruthless act of sabotage against the US healthcare system. The payment made by Change Healthcare is one of the largest ransomware payouts in history and has raised serious concerns about the implications of such actions.

Cybersecurity Warnings Ignored: The Ripple Effect

Cybersecurity experts have long warned against paying ransoms to cybercriminals. The rationale is straightforward: meeting hackers’ demands fuels a vicious cycle, encouraging them to continue their nefarious activities with the knowledge that their tactics are effective. In the case of Change Healthcare, this warning was not heeded, and the consequences were immediate and alarming.

Record-breaking Surge in Healthcare Cyberattacks

According to cybersecurity firm Recorded Future, there was a record-breaking spike in medical-targeted ransomware incidents following Change Healthcare’s payout. A total of 44 health-care-related cyberattacks were reported in just one month after the incident came to light—the most ever recorded in such a short span. This surge serves as a grim reminder of the potential fallout from capitulating to cybercriminals’ demands.

Why Healthcare is a Prime Target for Ransomware

The healthcare sector has become an increasingly attractive target for ransomware gangs. The reason is twofold: healthcare organizations often possess sensitive patient data, and they operate under the pressure of needing to maintain uninterrupted services. This combination makes them more likely to pay ransoms quickly to restore operations and protect patient privacy.

The aftermath of Change Healthcare’s payment is a testament to the broader implications of ransomware attacks on critical infrastructure. It’s not just about the immediate financial loss; it’s about the long-term impact on trust and security in an industry that is integral to public well-being.

Drop in ransomware payment, 2024 Q1 sees a record low of 28%

 

Ransomware actors have encountered a rocky start in 2024, as indicated by statistics from cybersecurity firm Coveware. Companies are increasingly refusing to acquiesce to extortion demands, resulting in a record low of only 28% of companies paying ransom in the first quarter of the year. This figure marks a notable decrease from the 29% reported in the previous quarter of 2023. Coveware's data underscores a consistent trend since early 2019, showing a diminishing rate of ransom payments. 

The decline in ransom payments can be attributed to several factors. Organizations are implementing more sophisticated protective measures to fortify their defenses against ransomware attacks. Additionally, mounting legal pressure discourages companies from capitulating to cybercriminals' financial demands. Moreover, ransomware operators frequently breach promises not to disclose or sell stolen data even after receiving payment, further eroding trust in the extortion process. 

Despite the decrease in the payment rate, the overall amount paid to ransomware actors has surged to unprecedented levels. According to a report by Chainalysis, ransomware payments reached a staggering $1.1 billion in the previous year. This surge in payments is fueled by ransomware gangs targeting a larger number of organizations and demanding higher ransom amounts to prevent the exposure of stolen data and provide victims with decryption keys. 

In the first quarter of 2024, Coveware reports a significant 32% quarter-over-quarter drop in the average ransom payment, which now stands at $381,980. Conversely, the median ransom payment has seen a 25% quarter-over-quarter increase, reaching $250,000. This simultaneous decrease in the average and rise in the median ransom payments suggest a shift towards more moderate ransom demands, with fewer high-value targets succumbing to extortion. Examining the initial infiltration methods used by ransomware operators reveals a rising number of cases where the method is unknown, accounting for nearly half of all reported cases in the first quarter of 2024. 

Among the identified methods, remote access and vulnerability exploitation play a significant role, with certain CVE flaws being widely exploited by ransomware operators. The recent disruption of the LockBit operation by the FBI has had a profound impact on the ransomware landscape, reflected in Coveware's attack statistics. This law enforcement action has not only disrupted major ransomware gangs but has also led to payment disputes and exit scams, such as those witnessed with BlackCat/ALPHV. 

 Furthermore, these law enforcement operations have eroded the confidence of ransomware affiliates in ransomware-as-a-service (RaaS) operators, prompting many affiliates to operate independently. Some affiliates have even opted to exit cybercrime altogether, fearing the increased risk of legal consequences and the potential loss of income. Amidst these developments, one ransomware strain stands out as particularly active: Akira. 

This strain has remained the most active ransomware in terms of attacks launched in the first quarter of the year, maintaining its position for nine consecutive months. According to the FBI, Akira is responsible for breaches in at least 250 organizations and has amassed $42 million in ransom payments. Implementing robust protective measures, staying informed about emerging threats, and fostering collaboration with law enforcement agencies are essential strategies for mitigating the risks posed by ransomware attacks and safeguarding sensitive data from malicious actors.

Data Breach Alert: 3TB of NHS Scotland Data Held Ransom by Cyber Threat

 


A ransomware group targeting a small group of patients has published clinical data related to a small number of those patients on the internet that the Dumfries and Galloway Health Board is aware of. In the meantime, three terabytes of data are also alleged to have been stolen thanks to a security breach that occurred at the National Health Service (NHS) in Scotland, by the INC Ransom extortion gang. 

 As a result of a ransomware attack in a regional branch, NHS Scotland says it has been able to contain the malware, preventing the infection from spreading to other branches and the entire organisation. A group of cybercriminals called INC Ransom claimed responsibility for the attack on NHS Scotland this week, claiming they stole three terabytes (TB) of data and leaked a limited number of sensitive documents as part of the attack. 

Earlier this month, NHS Dumfries and Galloway announced a serious cyberattack that resulted in their hospital being shut down. INC Ransom was offering samples of files that contained medical evaluations, psychological reports, and other sensitive information regarding patients and doctors in accompanying its warning posted on its extortion website. 

Despite the rumours that such a compromise had already been reached, the Scottish government made sure to emphasize that only the NHS Dumfries and Galloway regional health board was affected by this new agreement. Several days later, NHS Dumfries and Galloway officials revealed that during a breach of security two weeks ago, large quantities of personally identifiable information had been accessed, stolen, and exfiltrated, resulting in a large number of people's details being misused. 

As of July 2023, the INC Ransom operation has gained a lot of attention, targeting both government organizations as well as private businesses to extort their data for ransom. Education, healthcare and government institutions, as well as industrial entities like Yamaha Motor Corporation, are among those that suffer losses from this attack. As the attack was likely to have occurred around March 15, reports emerged that a cybersecurity incident was affecting NHS Scotland services. 

There were several sample documents published yesterday by the threat actor in a blog post, including medical assessments, analysis results, and psychological reports on doctors and patients with sensitive details. Throughout its history, INC has shown no restraint in its process of choosing the types of victims it is willing to target, either. 

There have been several incidents of ransomware spreading across the healthcare industry, education, as well as charities. This is something that has happened in its short time on the ransomware scene. The fact remains, though, that very few cybercriminals exercise that level of restraint in the current day and age. Due to the critical nature of healthcare and the fact that it provides several essential services, cybercriminals and ransomware baddies continue to target it. 

There is a chance that there will be a ransom paid if disruptions can be caused, allowing for patients to be cared for with full capability if a ransom is paid. ALPHV/BlackCat was credited by the media with blaming Change Healthcare for a potentially devastating attack spread across a period of weeks across February and March of this year, which knocked out services for weeks on end.

In February, Romania experienced a significant ransomware incident affecting over 100 facilities, highlighting the persistent targeting of healthcare by cybercriminals. This incident is one of numerous examples underscoring the sector's vulnerability to such threats. The United States has responded to this challenge by introducing initiatives like the Advanced Research Projects Agency for Health (ARPA-H) within DARPA. 

This addition to a two-year cash-for-ideas competition aims to discover methods for securing code in critical infrastructure, including healthcare systems. Last summer, the announcement of the Artificial Intelligence Cyber Challenge (AICC) further demonstrated efforts to combat cyber threats. Teams participating in this challenge are tasked with developing autonomous tools to detect code issues in software used by vital organizations like hospitals and water treatment facilities—both prime targets for cybercrime.

ARPA-H has allocated $20 million towards the AIxCC, emphasizing its commitment to safeguarding healthcare from devastating attacks. Such attacks, exemplified by incidents like the one on Change Healthcare, underscore the urgent need for enhanced cybersecurity measures to prevent disruptions that could jeopardize patient care.

Zeppelin2 Ransomware: An Emerging Menace in the Dark Web Ecosystem

 

In a recent update from an underground online forum, a user is actively promoting the sale of Zeppelin2 ransomware, providing both its source code and a cracked version of its builder tool. This malicious software, known for its destructive capabilities, has garnered the attention of cybersecurity experts and law enforcement agencies globally.

The forum post asserts that the user successfully breached the security measures of the Zeppelin2 builder tool, originally designed for data encryption. The post includes screenshots of the source code, shedding light on the intricate details of the build process and revealing that the ransomware is programmed in Delphi.

The Zeppelin2 ransomware builder tool, being promoted by the threat actor, showcases various features, such as file settings, ransom notes, IP logging, startup commands, task killers, and auto-unlocking busy files. The threat actor underscores the ransomware's capability to comprehensively encrypt files, rendering data recovery impossible without a unique private key held by the attackers.

Upon completing the encryption process, victims are presented with a ransom note declaring the encryption of all their files. The note instructs victims to contact the attackers via email and offers a method for testing the legitimacy of the decryptor by sending a non-valuable file.

Reports indicate that Zeppelin2 ransomware demands ransom payments in Bitcoin, with extortion amounts ranging from several thousand dollars to over a million dollars. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have jointly issued a cybersecurity advisory to address the Zeppelin2 threat.

Zeppelin2, employed by threat actors since 2019 and continuing at least until June 2022, targets various sectors through its ransomware-as-a-service (RaaS) model. These sectors include defense contractors, educational institutions, manufacturers, technology companies, and notably, organizations in the healthcare and medical industries.

The ransomware's modus operandi involves exploiting vulnerabilities such as remote desktop protocol (RDP) exploitation, SonicWall firewall vulnerabilities, and phishing campaigns to gain access to victim networks. Before deploying the Zeppelin2 ransomware, threat actors meticulously map and enumerate the victim's network, identifying critical data enclaves, including cloud storage and network backups.

Consistent with ransomware groups, Zeppelin2 operators exfiltrate sensitive corporate data with the intention of making it accessible to buyers or the public if the victim resists complying with their demands.

Of significance, the FBI has observed instances where Zeppelin2 actors execute their malware multiple times within a victim's network, generating different IDs or file extensions for each attack instance, necessitating multiple unique decryption keys.

Elastic Global Threat Report Discloses Rising Threat of Ransomware

 

The latest study has indicated that ransomware is becoming a more diverse and prevalent threat, making countering it a difficult and time-consuming process. Furthermore, practically every cloud infrastructure attack starts with credential theft.

"Highly prevalent" ransomware 

Having said that, the majority of malware identified is made up of a couple of "highly prevalent" ransomware families linked with off-the-shelf tools. BlackCat, Conti, Hive, Sodinokibi, and Stop have ascended to the top of the list as the most prominent ransomware families, accounting for more than four-fifths (81%) of all ransomware activity.

The majority of threat actors choose Cobalt Strike and Metasploit as off-the-shelf tools (5.7% of all signature events). These families account for over two thirds (68%) of all Windows infection attempts.

91% of malware signature incidents were found on Linux endpoints, with Windows accounting for the remaining 6%. Most threat actors hide in appliances, edge devices, and other extremely low visibility platforms in order to stay undetected. 

Cloud issues 

Elastic discovered that focusing on cloud-based solutions is a completely different beast. Businesses are increasingly moving from on-premises solutions, but they are sloppy, resulting in numerous misconfigurations, inadequate access restrictions, insecure credentials, and no functional principle of least privilege models. Threat actors are taking use of all of this to infiltrate environments and deploy malware. 

Security experts also detected defence evasion (38%), credential access (37%), and execution (21%), as the most common strategies linked to threat detection signals for Amazon Web Services. More than half (53%) of all credential access incidents involved compromised legitimate Microsoft Azure accounts. 

“Today’s threat landscape is truly borderless, as adversaries morph into criminal enterprises focused on monetizing their attack strategies,” stated Jake King, head of security intelligence and director of engineering at Elastic. 

“Open source, commodity malware, and the use of AI have lowered the barrier to entry for attackers, but we’re also seeing the rise of automated detection and response systems that enable all engineers to better defend their infrastructures. It’s a cat-and-mouse game, and our strongest weapons are vigilance and the continued investment in new defence technologies and strategies.”

Ransomware Attacks on the Small and Medium Businesses are on the Rise

 

The risk of being victimised by ransomware has grown over time. The frequency and sophistication of these attacks, which affects every industry, have both steadily increased. Additionally, when these attacks become more well-known among businesses, they search for fresh defenses against them. 

61 percent of all cyberattacks targeted small firms, according to a survey by Checkpoint. The report also notes that few small and medium-sized enterprises (SMBs) are aware that they are vulnerable to these internet risks just like the larger corporations. SMEs may strengthen their internet security by using the three steps Checkpoint has provided. 

Maintain IT equipment, and make routine repairs

Keeping your systems updated with the most recent software and security updates can prove to be extremely beneficial when it comes to safeguarding your organisation against any cyber-attacks. 

According to a recent report, 80% of all BYODs (bring your own devices) at a firm are not monitored, which presents a chance for hackers to exploit these unattended systems. Updates for tablets, smartphones, laptops, and PCs used for office work should be installed as soon as they are made available. This is one of the most crucial steps you can take to increase security. By ensuring that their operating systems, software, phones, and apps are set to update automatically, users can also prevent gaps in their security posture. 

Monitor the usage of hard drives and USB sticks

For at least part of the week, 40% of SMB employees must work remotely. The security of these gadgets must be controlled properly at all times, and that is the top responsibility of the company. Using an external USB drive or memory stick, workers frequently transfer files between teams or to different businesses.

The fact that one unsecured device is all it takes to compromise an entire network should not be overlooked. It is exceedingly challenging to trace the files that are stored on storage devices because they are shared publicly. The likelihood of a breach can be decreased by using endpoint protection measures, restricting access to physical ports, and only permitting the use of authorised sticks or memory cards. 

Avoid backing up data on the main server 

If you keep all of your company's data on the same server, there is a potential that a hacker may access it all in the event of an assault. Organizations should determine the critical information that is necessary for their operations and establish an entirely separate, off-site network backup. Employees will be able to access crucial files, allowing them to carry on with daily operations, and this will assist the company in recovering from a ransomware assault. 

Experts Warn Against Ransomware Hitting Government Organizations

Cyble Research Labs noticed an increase in ransomware incidents in the second quarter of 2022, few of these led a deep impact on the victims, like attack against the Costa Rican government which led to the countrywide crisis. 

Experts warn of ransomware operations targeting government organizations, finding 48 government organizations across 21 countries that suffered 13 ransomware attacks this year. Researchers at Cyble say that hacking groups have modified their strategies, going from enterprises to small states threatening to destabilize government operations. 

Small states become easy targets because of the low levels of critical infrastructure security due to low finances to protect them. 

The notorious ransomware group Conti began targeting the Costa Rican government in April 2022. "A similar attack was seen in May 2021, when the gang targeted Ireland’s publicly funded health care system and demanded a ransom of USD20 million. 

The timing could be a pure coincidence; however, Conti was seemingly trying the same tactics with Costa Rica, but this time on a larger scale, shortly after a change in government in the country," reads a Cyble post. 

After the Costa Rica incident, the Conti ransomware gang also attacked Peru. Other incidents of ransomware attacks were reported in Latin America, which includes Brazil and Peru governmental organizations. 

"Cyble Research Labs conducted research over vulnerable instances of the Peruvian government’s cyberinfrastructure and identified 21 instances from 11 ministerial websites with the most exploited CVEs from 2021," says Cyble. Experts also report sales on underground cybercrime platforms of data extraction from the server of government organizations. 

It includes the Federal Court of Malaysia, the Ministry of Energy and Natural Resources, the Department of Management Services under the Malaysian Ministry of Personnel and Organizational Development, the Civil Service Commission of the Republic of Philippines, and the National Bank of Angola. Experts have highlighted the need for smaller states to strengthen their threat-finding capabilities and to implement quick response mechanisms to cyberattacks. 

Cyble says the importance to spend in capacity building to promote skilled manpower, promote awareness among users, and lessen the technology gap to mitigate their risk impact.

LAPSUS$ Group Targets SuperCare Health

 


SuperCare Health, a California-based respiratory care provider, has revealed a data breach that exposed the personal details of over 300,000 patients. Someone had access to specific systems between July 23 and July 27, 2021. By February 4, the company had assessed the scope of the data breach, learning the attackers had also acquired patient files including sensitive personal information such as:
  • Names, addresses, and birth dates.
  • A medical group or a hospital.
  • Along with health insurance details, a patient's account number and a medical record number are required. 
  • Data about one's health, such as diagnostic and treatment information. 
  • A small number of people's Social Security numbers and driver's license information were also revealed. 

"We have no reason to suspect any information was published, shared, or misused," according to SuperCare Health, but all possibly impacted patients should take extra security precautions to avoid identity theft and fraud. 

On March 25, the company notified all affected customers and implemented extra security steps to prevent the following breaches. The breach has affected 318,379 people, according to the US Department of Health and Human Services. Based on the number of people affected, this is presently among the top 50 healthcare breaches disclosed in the last two years. SuperCare Health further told, "We have reported the event to a Federal Bureau of Investigation and it will cooperate to help us identify and prosecute those involved." 

In the last several months, several healthcare institutions have revealed massive data breaches. Monongalia Health System (400,000 people affected), South Denver Cardiology Associates (287,000 people affected), Norwood Clinic (228,000 people affected), and Broward Health (228,000 people affected) are among the organizations on the list (1.3 million). 

Last week, the Health Department issued an advisory to healthcare groups, warning companies about the impact of a major cybercrime attack by the Lapsus$ cybercrime group. In recent months, the hackers have targeted Samsung, NVIDIA, Vodafone, Ubisoft, Globant, Microsoft, and Okta, among others. The organization takes information, often source code, and threatens to release it unless they are paid.

LAPSUS$ steals confidential information from organizations which have been hacked, then threatens to disclose or publish the information if the requested amount is not paid. The LAPSUS$ extortion ring, on the other hand, has abandoned the typical ransomware strategies of file encryption and computer lockout. 

According to the notice, the Health Department is aware of healthcare institutions which have been hacked as a result of the Okta attack; Okta has verified that more than 300 of its clients have been affected by the breach. In the light of the incident, Police in the United Kingdom have identified and charged several accused members of the Lapsus$ gang.

Theft of 54 million SA Records, as per TransUnion Linked to the Current Breach

 

Recently one of South Africa's main credit bureaus, TransUnion has been hacked, and the hackers are demanding $15 million in ransom. 

The compromised credit bureau revealed on Friday it had been hacked and had received a ransom demand which "will not be paid." By exploiting an authorised client's credentials, the hackers, dubbed N4aughtysecTU, acquired access to an "isolated server holding restricted data from our South African firm."

N4aughtysecTU told IT Web it had 4 terabytes of client data and had accessed 54 million records, including information from more than 200 businesses. It allegedly threatened to attack TransUnion's corporate clients unless the credit bureau paid it $15 million in Bitcoin (about R223 million). 

The breach affects many South Africans who have entered into credit agreements, regardless of loan size. Users automatically consent to the credit bureaus disclosing about credit and payment history when they sign into agreements with banks or other financial institutions, credit card providers, vehicle lenders, utilities, or other creditors. The fact that your account information and payment history will be submitted to credit reporting agencies is outlined in these agreements.

According to a statement on the TransUnion website: 
  • An isolated server containing limited information from our South African operations was impacted by the attack.
  • The team is working closely with other specialists to figure out what data was impacted. 
  • Consumer information, such as phone numbers, email addresses, and identity information, may be affected. 
People should not give out personal information such as passwords and PINs to strangers over the phone or over email, according to Sabric, and demands for personal information should be confirmed first.

Experian, a credit bureau, had a data breach in 2020, potentially exposing the personal information of 24 million South Africans. Alongside, a ransomware attack hit Debt-IN Consultants, a debt recovery partner to various South African financial sector companies, in 2021. It is estimated that over 1.4 million South Africans' personal information was fraudulently accessed from its systems.

Moreover, banks have also been targeted. Absa revealed a data breach in November 2020, and over a year and a half later, it is still identifying more compromised customers. 

One in Three Mid-Market UK Organizations Suffered from Attacker Outages in 2021

 

A third of mid-market UK organizations hit by cyberattacks in 2021 suffered breakdowns that knocked them offline for more than a day, a new research from cybersecurity firm Censornet revealed.

The survey discloses that more than one in five (21%) were forced to pay attackers to put an end to the attack, with the average pay-out amounting to £144,000 and 7% handing over more than £500,000. As a result, the primary demand for cybersecurity in 2022 was to see security vendors open up traditionally closed point products to enable an automated response to cyberattacks.

The report, which surveyed 200 IT decision-makers across the UK, covering ten different industries, found that ransomware was particularly problematic, as more workers work from home.

“For the UK mid-market, the cybersecurity situation is serious. The financial and reputational cost of cybercrime is rising, putting more pressure on overwhelmed professionals, who are tackling hundreds of alerts a day from siloed point products,” said Ed Macnair, CEO at Censornet. Organizations must work smarter, not harder. Only when security systems work seamlessly together, faster than humanly possible, will we see the needle begin to move in the right direction.”

Nearly half of mid-market organizations participating in the survey said they hadn’t purchased cybersecurity products specifically manufactured to guard against threats for hybrid and remote workers. As a result, 76% of organizations said they plan to invest in a cloud-based security platform that allows their security products to autonomously share security event data to better protect their organization. 

In response to the challenges that organizations are facing, respondents indicated a clear need for fundamental change in the way cybersecurity is designed and run over the next year. 46% want security vendors to open up traditionally closed point products to enable an automated response to cyber threats.

Last week, Slovak cybersecurity firm ESET published a separate report revealing that London has the highest cybercrime rate in the UK, with 5,258 reports in total followed by the West Midlands at 1,242. Cumbria was the area with the lowest cybercrime, with only 174 reports, followed by Cleveland 194 and Dyfed-Powys 213. 

In its report, ESET researchers discovered an overall decline of 2.97% in cybercrime in 2021. The most common form of cybercrime for 2021 was social media and email hacking, which accounted for 53.1% of reports. This was followed by computer viruses, which accounted for 28% of reports.

Bridgestone USA Alleges to be Infiltrated by a LockBit Ransomware Cell

 

The LockBit ransomware gang claims to have infiltrated Bridgestone Americas' network and stolen data. It is an American subsidiary of Bridgestone Corporation, a Japanese tire, and automobile components manufacturer. It is a conglomerate of companies with more than 50 manufacturing locations and 55,000 people spread across America. If the corporation does not pay the ransom, Lock bit operators aim to reveal the private documents by March 15, 2022, 23:59. 

Bridgestone began an investigation into "a potential information security incident" on February 27, which was discovered in the morning hours of the same day. The incident remained unknown until recently when the LockBit ransomware gang claimed responsibility for the attack by adding Bridgestone Americas to its list of victims.

LockBit is one of the most active ransomware groups today, demanding significant sums of money in exchange for stolen data. According to a Kaspersky investigation, the ransomware gang utilizes LockBit, a self-spreading malware that uses tools like Windows Powershell and Server Message Block to proliferate throughout an enterprise. 

As per Dragos' study, the transportation and food and beverage industries were the second and third most targeted industries, respectively. LockBit is currently threatening Bridgestone with the release of their data.

The examination by the tire company indicated the attacker followed a "pattern of behavior" which is usual in ransomware assaults. Bridgestone went on to say the attacker had taken information from a small number of its systems and had threatened to make the stolen data public.

In a statement, the company said they are "committed to conducting a rapid and definitive inquiry to identify as swiftly as possible what precise data was obtained" from their environment. "The security of our teammates, customers, and partners' information is extremely important to Bridgestone."

Despite the fact that the LockBit ransomware gang has primarily targeted the industrial and manufacturing sectors, ransomware like the one utilized by the gang can still infect your PC.

To prevent ransomware criminals from getting into users' accounts, Kaspersky recommends using strong passwords and enabling multi-factor authentication. The antivirus firm also advised having system-wide backups in case data was lost due to malware infection. Additionally, keeping your system configurations up to date and following all security measures will help you avoid being a ransomware victim, saving you a lot of time and aggravation.

FBI Issued a Warning to U.S Firms Concerning Iranian Hackers

 

The FBI issues a warning concerning Iranian hackers, posing as radical right organization Proud Boys during the 2020 presidential election, have now broadened operations, launching cyberattacks against a variety of industry divisions and spreading propaganda hostile to Saudi Arabia. 

"Over time, as Iranian operators have evolved both the strategic priorities and tradecraft, the hackers have matured into more proficient malicious attackers being capable of performing a whole spectrum of operations," read a Microsoft report.

Ransomware works by encrypting a device's data and making it inaccessible until the hacker receives a ransom payment. 

In a recent alert, the FBI stated, in addition to its election-related operation, the Emennet malicious attacker has been engaged in "conventional cyber exploitation activity," targeting industries such as news, transportation, tourism, oil and petrochemicals, telecoms, and financial services. It has been using VPNs to launch attacks on websites operated by certain software applications, such as WordPress, which cybercriminals can exploit to launch hacks in countries other than the United States, Europe, and the Middle East. 

The hackers employed multiple free source and commercial tools in activities, including SQLmap, Acunetix, DefenseCode, Wappalyzer, Dnsdumpster, Netsparker, wpscan, and Shodan, to mask location. The threat actor picked possible victims during the discovery phase of the hacking operations by browsing the web for prominent corporations representing various sectors. For initial access, the hackers would try to locate flaws in the program. 

"In certain cases, the goal may have been to target a large assortment of networks/websites inside a specific sector rather than a specific target company. Emennet would also attempt to discover hosting/shared hosting services in other scenarios," according to the FBI. 

Users must keep personal anti-virus and anti-malware products up to date, patch obsolete software, and make use of reliable web hosting companies, according to the authorities. In any case, Iran's state-sponsored hacker organizations aren't the only ones who have exploited the BIG-IP flaw.

Endpoint Antivirus Detection Has Reached its Apex

 

Endpoint security is a term used to describe cybersecurity services provided to network endpoints, it included providing  Antivirus, email filtering, online filtering, and firewall services. Businesses rely on endpoint security to protect vital systems, intellectual property, customer details, employees, and visitors from ransomware, phishing, malware, and other threats. 

"While the total volume of cyberattacks decreased slightly, malware per device increased for the first period since the pandemic began," said Corey Nachreiner, CSO at WatchGuard. "Zero-day malware increased by only 3% to 67.2 percent in Q3 2021, and malware delivered via Transport Layer Security (TLS) increased from 31.6 percent to 47 percent." 

As consumers update to newer versions of Microsoft Windows and Office, cybercriminals are focused on fresh vulnerabilities — versions of Microsoft's widely used programs. CVE-2018-0802, which exploits a weakness in Microsoft Office's Equation Editor, cracked WatchGuard's top 10 entryway antivirus malware list in Q3, reaching number 6 after appearing on the widespread malware list.

In addition, two Windows software injectors (Win32/Heim.D and Win32/Heri) ranked first and sixth, on the most detected list. In Q3, the Americans were the focus of 64.5 percent of network attacks, compared to 15.5 percent for Europe and 15.5 percent for APAC (20 percent ). 

Following three-quarters of more than 20% increase, a reduction of 21% brought volumes back to Q1 levels. The top ten network attack signatures are responsible for the majority of attacks – The top 10 signatures were responsible for 81 percent of the 4,095,320 hits discovered by IPS in Q3. In fact, 'WEB Remote File Inclusion /etc/passwd' (1054837), which targets older, commonly used Microsoft Internet Information Services (IIS) web servers, was the only new signature in the top ten in Q3. One signature (1059160), a SQL injection, has remained at the top of the list since the second quarter of 2019. 

From application flaws to script-based living-off-the-land attacks, even those with modest skills may use scripting tools like PowerSploit and PowerWare, there were also 10% additional attack scripts than there were in all of 2020, a 666 percent raise over the previous year. 

In total, 5.6 million harmful domains were blocked in the third quarter, including many new malware domains attempting to install crypto mining software, key loggers, and wireless access trojans (RATs), as well as SharePoint sites harvesting Office365 login information. The number of blacklisted domains is down 23% from the past quarter, it is still several times greater than the level seen in Q4 2020.

Ransomware attacks reached 105 percent of 2020 output by the end of September, as expected after the previous quarter, and are on track to exceed 150 percent after the entire year of 2021 data is analyzed. 

According to WatchGuard's investigation, attackers operating with the REvil ransomware-as-a-service (RaaS) operation exploited three zero-day vulnerabilities in Kaseya VSA Remote Monitoring and Management (RMM) applications to deliver ransomware to more than 1,500 organizations and potentially millions of endpoints.

Log4j Attack Target SolarWinds and ZyXEL

 

According to reports published by Microsoft and Akamai, cybercriminals are targeting SolarWinds devices with the Log4Shell vulnerability, and ZyXEL is known to use the Log4j library in their software.

Attacks have been reported on SolarWinds and ZyXEL devices using the log4j library, according to Microsoft and Akamai reports. CVE-2021-35247 has been assigned to the vulnerability, which has been paired with a zero-day in the SolarWinds Serv-U file-sharing service.

According to Microsoft's Threat Intelligence Center (MSTIC), the SolarWinds vulnerability, dubbed CVE-2021-35247, is a data validation hole that might allow attackers to compose a query based on some data and send it across the network without sanitizing. 

Jonathan Bar-Or, a Microsoft security researcher, is credited with identifying the flaw, which affects Serv-U versions 15.2.5 and earlier. In Serv-U version 15.3, SolarWinds patched the vulnerability. "A closer look helped discover the feed Serv-U data and it generates an LDAP query using the user unsanitized input!" he claimed. Not only might this be included in log4j attacks but it also is used for LDAP injection. 

SolarWinds claimed in its advisory, the Serv-U online log-in screen for LDAP authentication is  permitting symbols that are not appropriately sanitized and it had modified the input method "to do further validation and sanitization." The attacker cannot log in to Serv-U, according to a SolarWinds official, and the Microsoft researcher is referring to failed attempts because Serv-U doesn't use Log4J code. 

The unverified remote code execution (RCE) vulnerability in Log4j – identified as CVE-2021-44228 – has also been repurposed to infect and assist in the dissemination of malware used for the Mirai botnet by targeting Zyxel networking equipment, according to Akamai researchers. When researchers intended to access the Java payload class, the LDAP server in which the exploit was located was no longer active. It's claimed that Zyxel was particularly singled out since published an article claiming to have been hit by the log4j flaw. 

The scenario surrounding the Log4Shell breach has remained unchanged since last month, and threat actors looking to get access to corporate networks continue to target and exploit the vulnerability. Threat actors including ransomware gangs, nation-state cyber-espionage groups, crypto-mining gangs, initial access brokers, and DDoS botnets have all been reported to have exploited the vulnerability in the past. Although the Apache Software Foundation has issued patches for the Log4j library, threats against applications using it are likely to persist because not all of these apps have published a set of security updates, abandoning many systems vulnerable and creating a breeding soil for exploitation that will last for years.

Security Professionals View Ransomware and Terrorism as Equal Threats

 

Venafi published the results of a global poll of over 1,500 IT security decision-makers, which showed that 60% of security professionals believe ransomware threats should be treated on par with terrorism. 

Following the attack on the Colonial Pipeline earlier this year, the US Department of Justice upgraded the threat level of ransomware. According to the report, just about a third of respondents have put in place basic security protections to break the ransomware kill chain. 

Other significant findings:
  • Over the last 12 months, 67 per cent of respondents from companies with more than 500 employees have suffered a ransomware assault, rising to 80 per cent for companies with 3,000-4,999 employees. 
  • Although 37% of respondents said they would pay the ransom, 57% said they would reconsider if they had to publicly publish the payment, as required by the Ransomware Disclosure Act, a bill introduced in the US Senate that would require corporations to reveal ransomware payments within 48 hours.
  • Despite the increased frequency of ransomware assaults, 77 percent of respondents are optimistic that the mechanisms they have in place would keep them safe from ransomware. IT decision makers in Australia have the most faith in their tools (88 percent), compared to 71 percent in the United States and 70 percent in Germany.
  • Paying a ransom is considered "morally wrong" by 22% of respondents. 
  • Seventeen per cent of those hacked admitted to paying the ransom, with Americans paying the highest (25 per cent) and Australian businesses paying the least (9 per cent). 

Many depend on traditional security controls to tackle ransomware threats 

Kevin Bocek, VP ecosystem and threat intelligence at Venafi stated, “The fact that most IT security professionals consider terrorism and ransomware to be comparable threats tells you everything you need to know; these attacks are indiscriminate, debilitating, and embarrassing.” 

“Unfortunately, our research shows that while most organizations are extremely concerned about ransomware, they also have a false sense of security about their ability to prevent these devastating attacks. Too many organizations say they rely on traditional security controls like VPNs and vulnerability scanning instead of modern security controls, like code signing, that are built-in to security and development processes.” 

According to the survey, most businesses do not employ security controls that disrupt the ransomware kill chain early in the attack cycle. Many ransomware attacks begin with phishing emails including a malicious attachment, yet only 21% of ransomware assaults restrict all macros in Microsoft Office documents. 

Only 28% of firms require all software to be digitally signed by their organization before employees are permitted to execute it, and only 18% utilize group policy to limit the usage of PowerShell.