
CyberVolk Ransomware: A Rising Threat to Global Cybersecurity

 

The Indian hacker outfit CyberVolk, a relatively new player in the cybercrime arena, has made headlines with its ransomware. CyberVolk Ransomware, discovered in July 2024, has quickly gained attention for its sophisticated features and rapid development. 

The group's most concerning weapon, ‘CyberVolk Ransomware,’ was recently analysed by ThreatMon and is gaining attention from cybersecurity experts due to its sophisticated capabilities and expanding nature. 

CyberVolk debuted in the shadows of the dark web, where it soon established a reputation through a series of successful attacks. The gang, which specialises in a wide range of cybercrimes such as DDoS assaults, data breaches, and website defacements, is known for its aggressive nature, with official accounts on platforms such as Telegram and X. 

Initially, CyberVolk Ransomware encrypted victims' files using the AES method. However, a VirusTotal leak exposed the ransomware's internal workings, leading the attackers to create a far more sophisticated version. This enhanced variant included better cryptographic algorithms like ChaCha20-Poly1305, AES, and even quantum-resistant technology. The changes make it nearly impossible to decrypt without paying the ransom, even for individuals who have quantum computing resources. 

ThreatMon's technical review of CyberVolk Ransomware uncovers numerous unique and concerning features. For example, when executed, the ransomware blocks access to vital system utilities such as Task Manager, preventing users from terminating the encryption process. The ransomware encrypts a victim's data within minutes before presenting a $1,000 ransom demand. Victims are also given a strict deadline: failure to pay within five hours results in the permanent loss of their data. 
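Blocking Task Manager, as described above, is usually done through a per-user Windows policy value. The following Python is an added example, not code from the original post or from ThreatMon's analysis: it parses a .reg export of the documented HKCU policy key and reports the DisableTaskMgr and DisableRegistryTools values when they are set to 1, which is a quick check an incident responder can run against an exported hive. The .reg text embedded in the script is constructed for illustration, and the field layout follows what reg export writes.

```python
"""Flag registry policy values that disable Windows Task Manager.

Added example (not from the original post or ThreatMon's analysis). It parses a
.reg export of the per-user policy key and reports the documented Windows policy
values DisableTaskMgr and DisableRegistryTools when they are set to 1. The
export below is constructed for illustration.
"""
import re

# Documented per-user policy key under which Windows looks for these values.
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Policy value name -> what it means for the user when set to 1.
WATCHED_VALUES = {
    "DisableTaskMgr": "Task Manager disabled",
    "DisableRegistryTools": "Registry Editor disabled",
}

# Constructed .reg export (the shape 'reg export' writes); not real host data.
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"""

_VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Return {key path: {value name: value}} for a .reg export.

    dword values become ints; quoted strings lose their quotes and have
    doubled backslashes unescaped; other types (hex:, expand strings) are
    kept as raw text.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            continue  # continuation lines of hex blobs are not needed here
        name, value = m.group(1), m.group(2)
        if value.startswith("dword:"):
            keys[current][name] = int(value[len("dword:"):], 16)
        elif len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            keys[current][name] = value[1:-1].replace("\\\\", "\\")
        else:
            keys[current][name] = value
    return keys


def find_disabled_tools(keys):
    """List (value name, description) for watched policy values set to 1."""
    policy = keys.get(POLICY_KEY, {})
    return [(name, desc) for name, desc in WATCHED_VALUES.items() if policy.get(name) == 1]


if __name__ == "__main__":
    for name, desc in find_disabled_tools(parse_reg_export(REG_SAMPLE)):
        print(f"{POLICY_KEY}\\{name} = 1 -> {desc}")
```

On a live host the same values can be read directly from the registry; the point of parsing an export is that the check works offline against a hive collected during response, and a value of 1 that no group policy explains is worth correlating with the encryption timeline.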

Previous reports said that CyberVolk Ransomware only brought in $2,632, but in the last few months, their earnings have increased dramatically. According to ThreatMon, the group has made over $20,000 through ransomware assaults, indicating an alarming rise in the financial impact of its operations. 

The ransomware outfit poses a serious threat to both individuals and enterprises. It is an imminent threat because of its capacity to proliferate like a worm and its advanced evasion and encryption methods. However, the presence of vulnerabilities in its structure offers hope for effective countermeasures. 

To mitigate the threat of ransomware attacks, cybersecurity specialists suggest regular software updates, robust backup strategies, and cybersecurity hygiene education for employees.

US Authorities Charge Alleged Key Member of Russian Karakurt Ransomware Outfit

 

The U.S. Department of Justice (DOJ) released a statement this week charging a member of a Russian cybercrime group with financial fraud, extortion, and money laundering in a U.S. court. The 33-year-old Moscow-based Latvian national Deniss Zolotarjovs was extradited to the United States earlier this month after being detained by Georgian authorities in December 2023.

Court records indicate that Zolotarjovs is linked with the ransomware outfit Karakurt, which exfiltrates victim data and holds it hostage until a cryptocurrency ransom is paid. The gang runs an auction portal and leak site where they identify the victim companies and allow users to download stolen data. The group has demanded ransom in Bitcoin ranging from $25,000 to $13 million. 

Previous findings suggest that Karakurt was related to the now-defunct ransomware gang Conti. Researchers believe Karakurt was a side project of the group behind Conti, allowing them to monetise data stolen during attacks when organisations were able to halt the ransomware encryption process. Zolotarjovs allegedly used the alias "Sforza_cesarini" and was an active member of Karakurt. 

He is suspected of engaging with other members, laundering cryptocurrency, and exploiting the group's victims. According to the DOJ, he is the first alleged member of the organisation to be arrested and extradited to the United States. According to court records, Zolotarjovs is involved in attacks on at least six undisclosed US companies. 

Karakurt stole "a large volume of private client data" in one attack in 2021, which included lab results, medical information, and Social Security numbers matched with names, home addresses, and dates of birth. The company negotiated a ransom payment of $250,000, down from Karakurt's initial demand of about $650,000. 

Zolotarjovs was probably in charge of negotiating Karakurt's "cold case extortions," in addition to carrying out open-source research to find phone numbers, emails, or other accounts through which victims could be contacted and pressured to either pay a ransom or re-enter a chat with the ransomware group. 

“Some of the chats indicated that Sforza’s efforts to revive cold cases were successful in extracting ransom payments,” court documents noted.

This New Ransomware Group Uses Phone Calls to Pressure Victims

 



Researchers have identified a new ransomware group called Volcano Demon, responsible for at least two successful attacks in the past two weeks. Tim West, an analyst at cybersecurity firm Halcyon, revealed that the group targeted companies in the manufacturing and logistics industries. However, further details about the targets were not disclosed.

Unlike typical ransomware groups, Volcano Demon does not have a public leaks website. Instead, they use phone calls to intimidate and negotiate payments with leadership at the victim organizations. These calls, often threatening, originate from unidentified numbers.

Before making the calls, the hackers encrypt files on the victims' systems using the previously unknown LukaLocker ransomware and leave a ransom note. The note threatens to inform clients and partners about the attack and to sell data to scammers if the ransom is not paid.

Volcano Demon uses a double extortion technique, exfiltrating data to command-and-control (C2) services before encrypting it. They successfully locked Windows workstations and servers using common administrative credentials obtained from the network. Tracking Volcano Demon has proven difficult because of their practice of clearing log files on targeted machines, which hampers comprehensive forensic evaluation.
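Clearing logs on a host is itself a loud event: Windows records event ID 1102 ("The audit log was cleared") in the Security log and event ID 104 when the System log file is cleared. The following Python is an added example, not code from the original post or from Halcyon: it sweeps exported event records for those two IDs and groups the hits by host, so a multi-machine clearing spree like the one described above stands out. The JSON-lines records are constructed for illustration, and the field names (time, host, event_id, user, channel) are an assumption about the forwarder's output format.

```python
"""Flag Windows event-log clearing in exported log records.

Added example (not part of the original post). Event IDs are the documented
Windows ones: 1102 ("The audit log was cleared", Security log) and
104 (System log file cleared). The sample records below are constructed
for illustration; their field names are an assumption about the forwarder.
"""
import json
from dataclasses import dataclass

LOG_CLEAR_EVENTS = {
    1102: "Security audit log cleared",
    104: "System event log file cleared",
}

# Constructed sample records in a JSON-lines shape (not real telemetry).
SAMPLE_RECORDS = """\
{"time":"2024-06-28T02:14:05Z","host":"FS01","event_id":4624,"user":"svc_backup","channel":"Security"}
{"time":"2024-06-28T02:15:11Z","host":"FS01","event_id":4672,"user":"admin","channel":"Security"}
{"time":"2024-06-28T02:16:40Z","host":"FS01","event_id":1102,"user":"admin","channel":"Security"}
{"time":"2024-06-28T02:16:41Z","host":"FS01","event_id":104,"user":"admin","channel":"System"}
{"time":"2024-06-28T02:17:02Z","host":"WS07","event_id":4624,"user":"jdoe","channel":"Security"}
not json at all -- a truncated line the sweep should skip
{"time":"2024-06-28T02:18:30Z","host":"WS07","event_id":1102,"user":"admin","channel":"Security"}
"""


@dataclass(frozen=True)
class Alert:
    time: str
    host: str
    user: str
    event_id: int
    description: str


def parse_records(text):
    """Parse JSON-lines input, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a damaged line should not abort the whole sweep
    return records


def find_log_clearing(records):
    """Return an Alert for every record whose event_id is a log-clear event."""
    alerts = []
    for rec in records:
        eid = rec.get("event_id")
        if eid in LOG_CLEAR_EVENTS:
            alerts.append(Alert(rec.get("time", ""), rec.get("host", ""),
                                rec.get("user", ""), eid, LOG_CLEAR_EVENTS[eid]))
    return alerts


def hosts_with_cleared_logs(alerts):
    """Group alerts by host so a sweep across many machines is visible at a glance."""
    by_host = {}
    for alert in alerts:
        by_host.setdefault(alert.host, []).append(alert)
    return by_host


if __name__ == "__main__":
    found = find_log_clearing(parse_records(SAMPLE_RECORDS))
    for a in found:
        print(f"{a.time} {a.host} {a.user}: event {a.event_id} - {a.description}")
    print("hosts affected:", sorted(hosts_with_cleared_logs(found)))
```

The check only helps if the records survive the clearing, which is the practical lesson of the Volcano Demon case: forward Security and System events to a collector as they are written, so the 1102/104 events (and everything before them) are preserved off the host even after the local log is wiped.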

West mentioned that the hackers, who spoke with a heavy accent, call very frequently, almost daily in some cases. However, the origin of the callers remains unclear as no recordings are available.

It is uncertain whether Volcano Demon operates independently or as an affiliate of a known ransomware group. Halcyon has not yet identified any such links.

Ransomware operators continue to evolve, with new threat actors emerging and targeting various industries. In May 2024, researchers identified a criminal gang named Arcus Media, operating a ransomware-as-a-service model and targeting victims in the U.S., U.K., India, and Brazil. Another group, Space Bears, appeared in April, quickly gaining notoriety for their corporate-themed data leak site and affiliations with the Phobos ransomware-as-a-service group. Researchers suggest that these groups may be more organized and funded than previously anticipated.

SpaceX Data Breach: Hunters International Publishes Alleged Stolen Data

 

Elon Musk's aerospace manufacturing and space transport services firm, SpaceX, is believed to have experienced a cybersecurity incident involving a data breach with Hunters International, an infamous hacker group that allegedly released samples of the SpaceX data breach.

The data breach at SpaceX seems to involve relatively old data, and Hunters International is using name-dropping as a means of extortion. Interestingly, SpaceX experienced a prior data breach in early 2023 that was linked to the LockBit ransomware group, and the samples now released are identical. 

The hacker group shared samples and databases allegedly related to SpaceX, including access to 149.9 GB of data. This database, which was originally linked to the initial SpaceX data breach prompted by LockBit, was traced back to a third-party source in SpaceX's supply chain, specifically a manufacturing contractor in Texas. 

LockBit allegedly took control of 3,000 drawings or schematics confirmed by SpaceX engineers after compromising the vendor's systems.

In March 2023, the LockBit Ransomware group breached a third-party manufacturing contractor in Texas, which was part of SpaceX's supply chain, taking 3,000 authorised drawings and schematics developed by SpaceX engineers. 

LockBit wrote SpaceX CEO Elon Musk directly, threatening to sell the stolen designs if the ransom was not paid within a week. The gang's brazen approach was intended to profit from the sensitive data, regardless of the vendor's response. Despite fears about compromised national security and the possibility of identity theft, SpaceX hasn't confirmed the hack, leaving the claims unresolved.

This breach, along with the reemergence of published data from previous instances, emphasises the ongoing threat of cyberattacks on critical infrastructure. It highlights the critical necessity for strong cybersecurity measures to protect against such breaches, as the consequences go beyond financial loss and have broader security concerns.

The return of data from last year's SpaceX data breach has raised serious concerns. This recurrence jeopardises millions of people's personal and financial security, putting them at risk of identity theft and fraud. Notably, despite the breach being first reported last year and now resurfacing, SpaceX has yet to confirm the incident, making the claims unconfirmed.

DragonForce Ransomware Gang Prompts Ohio Lottery to Shut Down


On 25 December 2023, the Ohio Lottery suffered a major cyberattack and, as a result, had to shut down some crucial systems related to an undisclosed internal application. 

The threat actors behind the breach are the DragonForce ransomware group. 

While the investigation into the breach is ongoing, the company has assured its customers that its gaming systems are fully functional. The gaming system remains operational, although some services have been affected. At Super Retailers, prize cashing above $599 and mobile cashing are temporarily unavailable. 

The winning numbers for the KENO, Lucky One, and EZPLAY Progressive Jackpots can be found at any Ohio Lottery Retailer; they are unavailable on the internet or mobile app.

In its press release, the lottery states: "On December 24, 2023, the Ohio Lottery experienced a cybersecurity incident impacting some of its internal applications and immediately began work to mitigate the issue. The state's internal investigation is ongoing. We apologize for the inconvenience and are working as quickly as possible to restore all services."

What must the Customers do?

The company has requested customers to check the Ohio Lottery website and mobile app for winning numbers at this time.  WKYC informs that prizes up to $599 can be claimed at any Ohio Lottery Retailer, while prizes over $600 need to be sent by mail to the Ohio Lottery Central Office or using the online claim form. 

Ransomware Gang Claims Responsibility

While Ohio Lottery did not confirm who was behind the cyberattack, a ransomware group called DragonForce claimed responsibility. 

According to a report by BleepingComputer, the threat group claims that they have encrypted devices and accessed sensitive data like Social Security Numbers and the date of birth of affected customers. 

According to the DragonForce gang, the names, addresses, emails, winning amounts, Social Security numbers, and dates of birth of over 3,000,000 lottery customers are among the data that have been stolen. The size of the released data, more than 600 gigabytes, raises questions regarding the scope of the hack. 

DragonForce: A New Competitor in the Ransomware Arena

Despite being a relatively young ransomware gang, the DragonForce gang's methods and data leak website suggest a rather experienced extortion organization. As law enforcement steps up their efforts to combat ransomware activities, new organizations like DragonForce are coming into action, which raises the issue of rebranding within the threat landscape. 

In a similar case, the official Facebook page of the Philippines lottery system was recently hacked by anonymous hackers. Witnesses reported that the threat actors were spamming the page with nude photos. This prompted the Philippine Charity Sweepstakes Office (PCSO) to shut down the page for the time being, while the Cybercrime Investigation and Coordinating Center (CICC) conducts its investigation.   

Seoul Police Reveals: North Korean Hackers Stole South Korean Anti-Aircraft Data


South Korea: Seoul police have charged Andariel, a North Korea-based hacker group, with stealing critical defense secrets from South Korea's defense companies. The laundered ransom proceeds were allegedly redirected to North Korea. Among the 1.2 terabytes of data the hackers took was information on sophisticated anti-aircraft weaponry.  

According to the Seoul Metropolitan Police Agency, the hacker group utilized servers that they had rented from a domestic server rental company to hack into dozens of South Korean organizations, including defense companies. Also, the ransomware campaign acquired ransoms from a number of private sector victim firms. 

Earlier this year, the law enforcement agency and the FBI jointly conducted an investigation to determine the scope of Andariel's hacking operations. This was prompted by reports from certain South Korean corporations regarding security problems that were believed to be the result of "a decline in corporate trust." 

Andariel Hacker Group 

In an investigation regarding the origin of Andariel, it was found that it is a subgroup of the Lazarus Group. The group has stolen up to 1.2 terabytes of data from South Korean enterprises and demanded 470 million won ($357,000) in Bitcoin as ransom from three domestic and international organizations.  

According to a study conducted by Mandiant, it was revealed that Andariel is operated by the North Korean intelligence organization Reconnaissance General Bureau, which gathers intelligence for the regime's advantage by mainly targeting international enterprises, governmental organizations, defense companies, and financial services infrastructure. 

Apparently, the ransomware group is also involved in cybercrime activities to raise funds for conducting its operation, using specially designed tools like the Maui ransomware and DTrack malware to target global businesses. In February, South Korea imposed sanctions on Andariel and other hacking groups operating in North Korea for engaging in illicit cyber operations to fund the dictatorial regime's nuclear and missile development projects.  

The threat actor has used a number of domestic and foreign crypto exchanges, such as Bithumb and Binance, to launder the acquired ransoms. So far, a sum of 630,000 yuan ($89,000) has been transferred to China's K Bank in Liaoning Province. The hackers then redirected the laundered money from the K Bank branch to a location close to the North Korea-China border. 

Seoul police noted that they have seized the domestic servers and the virtual asset exchange used by Andariel to conduct its campaigns. The owner of the account that was used to transfer the ransom has also been detained. 

"The Security Investigation Support Department of the Seoul Metropolitan Police Agency is actively conducting joint investigations with related agencies such as the U.S. FBI regarding the overseas attacks, victims and people involved in this incident, while continuing to investigate additional cases of damage and the possibility of similar hacking attempts," the agency said.

The police have warned businesses about the threat actor and advised them to strengthen their cybersecurity and update security software to the latest versions. Organizations have also been advised to encrypt any critical data in order to mitigate future attacks. 

Moreover, police are planning to investigate server rental companies to verify their subscribers’ identities and to ensure that the servers have not been used in any cybercrime activity.  

FBI and CISA Reveal: ‘Royal’ Ransomware Group Targeted 350 Victims for $275 Million


In a joint advisory, the FBI and CISA have revealed that the ‘Royal ransomware gang’ has targeted nearly 350 organizations globally since 2022. 

Updating the original advisory published in March with information acquired during the FBI investigation, the agencies noted that the ransomware campaign was connected to ransom demands totalling more than $275 million.

"Since September 2022, Royal has targeted over 350 known victims worldwide and ransomware demands have exceeded 275 million USD," the advisory reads.

"Royal conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by Royal threat actors."

In March, the two agencies shared their initial indicators of compromise, along with a list of tactics, techniques, and procedures (TTPs), in order to assist defenders in identifying and thwarting attempts to deploy Royal ransomware payloads onto their networks.

The Department of Health and Human Services (HHS) security team discovered in December 2022 that the ransomware operation was responsible for several attacks against U.S. healthcare organizations. This led to the release of the joint advisory.

Royal to BlackSuit

The advisory update also states that BlackSuit ransomware shares several coding traits with Royal, suggesting that Royal may be planning a rebranding campaign and/or a spinoff variation.

While it was anticipated that the Royal ransomware operation would rebrand in May, during the course of the BlackSuit ransomware operation, the rebranding never happened. 

According to a report published by BleepingComputer in June, the Royal ransomware gang was apparently testing a new BlackSuit encryptor, similar to the operation’s conventional encryptor. 

At the time, Partner and Head of Research and Development at RedSense – Yelisey Bohuslavskiy believed that this experiment did not in fact go well.

However, since then, Royal was able to rebrand into BlackSuit and restructure into a more centralized business, following the same blueprint as Team 2 (Conti2) when they were a member of the Conti syndicate.

"In September 2023, Royal accomplished a full rebrand into BlackSuit, most likely entirely dismantling their Royal infrastructure. Moreover, according to the primary source intel, Royal has also accomplished a broader reorganization during the rebrand, making the group structure more corporate and more similar to their Conti2 origins," said Yelisey Bohuslavskiy.  

Time Taken by Ransomware to Infect Systems Witnesses a Significant Drop


The amount of time it will take for a threat actor to completely infect the targeted system with ransomware has decreased significantly over the past 12 months. 

According to a report published by The Register, the average dwell time, the interval between the start of an attack and the deployment of ransomware, was 5.5 days in 2021 and 4.5 days in 2022. This year it has dropped to less than 24 hours. In 10% of cases, ransomware was even deployed within five hours of initial access, according to Secureworks' annual State of the Threat Report.

It is interesting to note that the cybersecurity industry has become much better at spotting the activity that occurs before a ransomware outbreak, which is one of the factors contributing to this dramatic decrease in infection time. Because of this, Secureworks explains, "threat actors are focusing on simpler and quicker to implement operations, rather than big, multi-site enterprise-wide encryption events that are significantly more complex."

Also, this year has witnessed a considerable increase in the number of ransomware victims and data leaks due to the significant emergence of "several new and very active threat groups." Attacks are therefore occurring more frequently and in greater numbers.

Ransomware groups now mainly use three vectors to infect targeted systems. The first, known as scan-and-exploit, looks for exploitable flaws in internet-facing systems. The second is the use of stolen credentials, and the third is phishing emails that try to deceive people into quickly giving attackers access to secure systems.

Currently, Sony is one of the most recent high-profile victims of a ransomware gang, but the company has not yet revealed the extent to which its systems were affected or data stolen. Another ransomware attack recently hit a Danish cloud-hosting company, compromising most of its customer data. Furthermore, the LockBit ransomware gang stole data from 8.9 million dental insurance customers earlier this year. 

However, on a positive note, the FBI was able to take down the renowned Qakbot botnet, which was revealed to be in charge of 700,000 compromised machines and was utilized in numerous ransomware assaults.  

Threat Actor Releases HelloKitty Ransomware Source Code on Hacking Forum

A threat actor recently posted the entire source code for the first version of the HelloKitty ransomware on a Russian-language hacking forum, while claiming to be working on a new, more potent encryptor.

Security expert 3xp0rt initially noticed the leak when he saw threat actor kapuchin0 distributing the "first branch" of the HelloKitty ransomware encryptor.

While the source code was released by someone with the username kapuchin0, the threat actor was also seen using the alias ‘Gookee.’

Gookee has previously been linked by security researchers to malware and hacking activity, including an attempt to acquire access to Sony Network Japan in 2020. The attack was tied to a Ransomware-as-a-Service (RaaS) operation, dubbed ‘Gookee Ransomware,’ which put malware source code up for sale on an underground forum.

According to 3xp0rt, kapuchin0/Gookee is the developer of the HelloKitty ransomware and claims to be developing “a new product and much more interesting than Lockbit.”

The leaked hellokitty.zip archive includes the HelloKitty encryptor and decryptor, as well as the NTRUEncrypt library that this variant of the ransomware uses to encrypt files; all of them are built using a Microsoft Visual Studio solution.

Furthermore, ransomware expert Michael Gillespie confirms that the leaked code is in fact the real source code for HelloKitty, used when the ransomware operation first launched in 2020.

What is HelloKitty Ransomware Operation?

HelloKitty is a human-operated ransomware operation that first came to light in November 2020 after its victims posted about it on the BleepingComputer forums. The FBI later released a PIN (private industry notification) on the group in January 2021. 

The ransomware group is known for breaching corporate networks, stealing data, and encrypting systems. In double-extortion schemes, where threat actors threaten to release data if a ransom is not paid, the encrypted files and the stolen data are both used as leverage.

HelloKitty is known for a number of attacks and has been utilized by other ransomware operations. One of the most high-profile attacks conducted with HelloKitty was the one on CD Projekt Red in February 2021. Threat actors claimed to have stolen the source code for Cyberpunk 2077, Witcher 3, Gwent, and other games during this attack, which they said were later sold.  

RansomedVC: Ransomware Group Claims to Have Breached Sony’s Computer Systems


A newly discovered ransomware group, RansomedVC, claims to have compromised the computer systems of entertainment giant Sony. The announcement was apparently made on a dark web portal.

The announcement states that Sony’s data is for sale: “Sony Group Corporation, formerly Tokyo Telecommunications Engineering Corporation, and Sony Corporation, is a Japanese multinational conglomerate corporation headquartered in Minato, Tokyo, Japan.

"We have successfully compromised [sic] all of Sony systems. We won't ransom them! we will sell the data. due to Sony not wanting to pay. DATA IS FOR SALE.”

Since Sony has not yet commented on the claim, it may still be false or, perhaps more likely, exaggerated. 

However, if RansomedVC's claims are true, Sony seems to have not yet caved to their demands.

Sony will join a rather long list of game and entertainment companies that have had data stolen or ransomed if it confirms the breach. Due to the high value and high visibility of their intellectual property, gaming companies are frequent targets for theft and extortion.

Capcom and Ubisoft were notable victims in 2020, and CD PROJEKT RED, the company behind Cyberpunk 2077 and Witcher 3, was a victim in 2021— the same year that Electronic Arts had its source code for FIFA 21 stolen. In 2022, Rockstar Games experienced a significant breach by the short-lived Lapsus$ gang, while Bandai Namco came under a ransomware attack.

If the claims are true, Sony’s customers should take measures to safeguard their data. While information on the matter is still vague, the following are specific measures to take in case of a data breach or potential ransomware attack:

  • Block potential forms of entries: Establish a strategy for swiftly correcting internet-facing system vulnerabilities; stop or harden VPNs and RDP remote access; and utilize endpoint security software to identify malware and exploits that spread ransomware. 
  • Detect intrusions: By segmenting networks and carefully allocating access privileges, you can make it more difficult for intruders to function inside your company. To spot anomalous activity before an assault happens, use MDR or EDR.
  • Install endpoint detection and response software: Malwarebytes EDR, for example, can detect ransomware using a variety of detection methods and perform ransomware rollbacks to restore corrupted system data. 
  • Create offsite and offline backups.

About RansomedVC 

RansomedVC was first reported by Malwarebytes researchers in August 2023. At the time, the ransomware group had listed the details of nine of its victims on its dark web site. Its only deviation from the typical cut-and-paste criminality of ransomware gangs is the threat to report victims for General Data Protection Regulation (GDPR) violations. It calls itself a "digital tax for peace", which it obviously is not; the same claim has been made many times before, and each time it is merely a money grab.  

Shell Confirms MOVEit-based Hack After the Threat Group Leaks Data


The Cl0p ransomware gang has exploited a zero-day vulnerability in the MOVEit managed file transfer (MFT) product, acquiring data from at least 130 companies that had been using the solution. At least 15 million people are thought to have been affected so far.

Cl0p, the Russia-based cybercrime gang, has now started to expose the victim organizations that have refused to negotiate. The victims’ names have been posted on its leak website, with Shell being the first company to be revealed.

Following the leak, Shell confirmed being affected by the MOVEit attack. In a statement published on Wednesday, the company clarified that the MFT software was “used by a small number of Shell employees and customers.”

“Some personal information relating to employees of the BG Group has been accessed without authorization,” it added.

Shell confirmed the incident only after the Cl0p hacking gang disclosed files allegedly taken from the company. The fact that the group made 23 archive files with the label "part1" public may indicate that they have access to more information.

Following this disclosure, the ransomware gang added that it did so because the company refused to negotiate.

However, it is not yet particularly clear what information has been compromised, although the firm confirmed that it has informed the affected individuals.

Moreover, toll-free phone numbers have been made available to employees in Malaysia, South Africa, Singapore, the Philippines, the UK, Canada, Australia, Oman, Indonesia, Kazakhstan, and the Netherlands, indicating that the affected individuals are most likely from these countries.

Since no file-encrypting software was used in the attack, Shell noted that "this was not a ransomware event" and that there is no proof that any other IT systems were impacted.

It is worth mentioning that this was not the first time Shell has been targeted by the Cl0p group: in 2020 the threat actors targeted the company’s Accellion file transfer service. The company noted that during that hack the attackers stole personal and corporate data.

Some of the other notable companies targeted by the latest MOVEit exploit include Siemens Energy, Schneider Electric, UCLA, and EY.

It has also been confirmed by some government organizations that they as well were impacted by the hack, while the ransomware group claims to have deleted all the data acquired from such entities.  

8Base Ransomware: Researchers Raise Concerns Over its Increased Activities


The 8Base ransomware has maintained a covert presence, avoiding detection for over a year. However, a recent investigation revealed a significant rise in its operations during May and June. It has been established that the ransomware group has been active since at least March 2022. The threat group describes itself as “simple pentesters,” indicating a basic level of proficiency in penetration testing.

Details of the 8Base

According to research conducted by Malwarebytes and NCC Group, as of May the ransomware group may have been linked with a total of 67 attacks. The manufacturing, construction, and business services industries together account for around half of the affected firms. The targeted firms are primarily located in the United States and Brazil, indicating a geographic focus by the threat group. 

June saw a significant surge in ransomware activity. Notably, the offenders used a double extortion tactic, raising the stakes for their victims.

A list of 35 identified victims has so far appeared on the 8Base-affiliated dark web extortion site. On some days, as many as six companies have fallen victim to the ransomware operators at once.

According to the VMware Carbon Black team, based on its recent activities and the similarities of its ransom notes and leak-site content, along with identical FAQ pages, 8Base could well be a rebranding of the known ‘RansomHouse’ ransomware group. RansomHouse, however, actively promotes its partnerships, while 8Base does not.

It is also noteworthy that the VMware researchers discovered a Phobos ransomware sample using the “.8base” file extension, indicating that 8Base could be the successor of, or be using, the existing ransomware strain.

The researchers concluded that the efficient operations conducted by the 8Base ransomware group may continue to grow, which could mark the onset of a mature organization. However, it is not yet clear whether the group is based on Phobos or RansomHouse.

For now, there is speculation about 8Base's use of various ransomware strains, whether in earlier iterations or as a fundamental component of its typical mode of operation. However, it is well established that this organization is very active, with a concentration on smaller firms as a significant target.  

Here is How Toronto-area Police Force Helped Take Down a Russian-linked Hacking Group


A Toronto-area police force has recently explained how it became involved in the international effort to legally hack Hive, one of the most ruthless ransomware groups in the world. 

The contributions made by the Peel Regional Police are one of the reasons why the Canadian flag is among the icons displayed on what was the dark website of the Russian-linked ransomware group Hive, alongside the logos of the U.S. Department of Justice, the FBI, and a variety of police forces around the globe. 

According to Detective Const. Karim Hussain, in an interview with CTV News Toronto, Peel's detectives became involved early, when a local firm contacted them in 2021 reporting that its systems were down and that a message on its desktops displayed a ransom note. 

“We had one of the first cases in Canada of Hive ransomware[…]It was the first to market. At the time we started gathering evidence, Hive was a fairly new ransomware group. Everything we brought to the table was interesting because no one had seen it before,” he says. 

The Hive case resembled numerous other high-profile incidents, such as a hospital in Louisiana where threat actors accessed the data of around 270,000 patients, and an Ohio hospital whose attack left it unable to accept new patients during the massive surge of COVID-19. 

Those were only a few of the more than 1,500 attacks throughout the globe bearing the digital traces of Hive, an organization whose associates, according to authorities, have made $150 million since 2021 by demanding money from companies in exchange for access to their data or systems. 

The attacks are carried out via a "ransomware as a service" (RaaS) model, in which a small group of individuals create malicious software and then distribute it to numerous users, allowing them to quickly scale up their attacks before the security flaws they exploit are addressed. 

“You have an overarching group that provides everything down to the infrastructure, to lesser-capable cyber criminals, and they provide them the tools to conduct the hack,” Hussain said. 

The case brought together the RCMP, the FBI, police from France, Germany, Norway, and Lithuania, Peel Police, and other agencies dealing with Hive's impact. 

In response, the investigating agencies took over Hive's website earlier this year and replaced it with a landing page bearing the logos of numerous investigative agencies. “Simply put, using lawful means, we hacked the hackers,” said U.S. Deputy Attorney General Lisa Monaco at a press conference in January. 

She added that police had obtained and openly distributed decryption keys that could help any victim independently recover their data or unlock their systems. 

According to Christopher Wray, director of the FBI, these actions have prevented around $130 million in ransom from being paid. “This cut off the gas that is fueling Hive’s fire,” Wray said. 

According to Hussain, the inquiry is still ongoing as the prevalence of ransomware grows. Ransomware attacks made up 11% of all cybersecurity incidents in 2021, according to Statistics Canada. 

“There’s no end in sight to cybercrime right now,” Hussain said.  

DOJ Reveals: FBI Hacked Hive Ransomware Gang


The U.S. Department of Justice (DOJ) recently confirmed that the FBI had infiltrated the operations of a well-known cybercrime gang, covertly disrupting its hacking attacks for more than six months. 

According to the DOJ, the FBI gained deep access to the Hive ransomware group's network in late July 2022. The infiltration prevented the gang from extorting $130 million in ransom payments from more than 300 organizations. 

Ransomware gangs use malicious software to encrypt victims' files, locking them up and rendering them inaccessible unless a ransom is paid for the decryption key. 

It is estimated that Hive and its affiliates have collected over $100 million from more than 1,500 victims, including hospitals, school districts, financial companies, and critical infrastructure, in more than 80 countries across the globe. 

The FBI revealed that it has collaborated with law enforcement agencies in other countries to help victims recover from the attacks, including the UK's National Crime Agency, which says it has given around 50 UK organizations decryption keys to recover from the breaches. 

On Thursday, the US announced that it had put an end to the operation by disabling Hive's websites and communication systems with the aid of police forces in Germany and the Netherlands. 

Attorney General Merrick Garland stated that "Last night, the Justice Department dismantled an international ransomware network responsible for extorting and attempting to extort hundreds of millions of dollars from victims in the United States and around the world." 

While no individual connected to the Hive attacks has yet been arrested, a senior official suggested that arrests might happen soon. 

Regarding the infiltration, Deputy Attorney General Lisa O. Monaco said, "simply put, using lawful means, we hacked the hackers." 

Moreover, the DOJ said it would pursue those behind Hive until they are brought to justice. 

"A good covert operation can degrade confidence in operational security and inject suspicion among actors,” Mandiant Threat Intelligence head John Hultquist said. "Until the group is arrested, they will never truly be gone. They will have to reconstitute, which takes time, but I'll bet they reappear in time."    

Conti Ransomware Assault Continues Despite the Recent Breach

 

The notorious ransomware group Conti has continued its assaults on businesses despite the exposure of the group’s operations earlier this year. 

Researchers from Secureworks state that the Conti ransomware gang, tracked as the Russia-based threat actor Gold Ulrick, is the second most prevalent group in the ransomware landscape, responsible for 19% of all attacks in the three months between October and December 2021. 

Conti is one of the most prolific ransomware groups of the last year, along with LockBit 2.0, PYSA, and Hive, and has locked up hospital, corporate, and government agency networks, demanding a ransom for the decryption key as part of its name-and-shame scheme. 

After the ransomware gang sided with Russia in its February invasion of Ukraine, an anonymous pro-Ukraine hacktivist under the Twitter handle ContiLeaks released the malware's source code, credentials, chat logs, and operational workflows. 

"The chats reveal a mature cybercrime ecosystem with multiple threat groups that often collaborate and support each other," Secureworks said in a report published in March. Groups include Gold Blackburn (TrickBot and Diavol), Gold Crestwood (Emotet), Gold Mystic (LockBit), and Gold Swathmore (IcedID). 

According to Secureworks researchers, Conti targeted more than 100 organizations in March, after the gang claimed that half of its victims pay ransoms averaging $700,000. More than 30 new victims have already been published on the Conti website in April. 

Recent attacks targeted wind turbine giant Nordex, industrial components provider Parker Hannifin, and cookware and bakeware distribution giant Meyer Corporation. The group has also taken responsibility for a highly disruptive attack on Costa Rican government systems. 

"If GOLD ULRICK operations continue at that pace, the group will continue to pose one of the most significant cybercrime threats to organizations globally," said Secureworks. 

Meanwhile, technical monitoring of Emotet campaigns by Intel 471 between December 25, 2021, and March 25, 2022, revealed that more than a dozen Conti ransomware targets were in fact victims of Emotet malspam attacks, showing just how closely the two operations are intertwined. 

"While not every instance of Emotet means that a ransomware attack is imminent, our research shows that there is a heightened chance of an attack if Emotet is spotted on organizations' systems," said Intel 471.

Multiple Similarities Identified in BlackMatter And BlackCat Ransomware

 

Cisco Talos researchers have spotted overlaps in the tactics, techniques, and procedures (TTPs) of BlackCat and BlackMatter, indicating a strong connection between the two ransomware groups. 

According to the Cisco Talos findings, BlackCat first emerged on the ransomware-as-a-service (RaaS) scene in November 2021 and has since targeted several companies by exploiting vulnerabilities in Windows systems. It has been called out for its similarity to BlackMatter, a short-lived ransomware family that originated from DarkSide, which made news by infiltrating the Colonial Pipeline system last year in a ransomware attack. 

In an interview with the cybersecurity firm Recorded Future last month, a BlackCat spokesperson dismissed rumors that it's a rebranding of BlackMatter while noting that it's made up of affiliates linked with other RaaS groups.

"In part, we are all connected to gandrevil [GandCrab / REvil], blackside [BlackMatter / DarkSide], mazegreggor [Maze / Egregor], lockbit, etc., because we are adverts (aka affiliates)," the unnamed representative stated. "We borrowed their advantages and eliminated their disadvantages."

"BlackCat seems to be a case of vertical business expansion," Cisco Talos researchers Tiago Pereira and Caitlin Huey said. "In essence, it's a way to control the upstream supply chain by making a service that is key to their business (the RaaS operator) better suited for their needs and adding another source of revenue."

In addition, the researchers uncovered multiple similarities between a BlackMatter attack in September 2021 and a BlackCat attack in December 2021, including the tools and file names employed, as well as a domain used to provide persistent access to the target network.

This overlapping use of the same command-and-control address suggests that a BlackMatter affiliate was likely an early adopter — possibly in the first month of operation of BlackCat, with both the attacks taking more than two weeks to reach the encryption stage.

"As we have seen several times before, RaaS services come and go. Their affiliates, however, are likely to simply move on to a new service. And with them, many of the TTPs are likely to persist," the researchers added.

The best way to mitigate the risk is to invest in the best antivirus software, allowing for peace of mind when conducting business or sending private information. So far, more than 30% of the BlackCat group's targets have been U.S.-based companies, so enterprises in North America are advised to be ready in case they are the ransomware group's next target.

Automotive Components Supplier Denso Targeted by Pandora Ransomware Group

 

Automotive component supplier Denso confirmed on Monday that the network of its group company in Germany suffered a cyberattack, after the Pandora ransomware gang began leaking sensitive details allegedly stolen during the attack. 

Denso, one of the world's largest automotive component manufacturers, is a global supplier of automotive components, including those developed for autonomous vehicle features, connectivity, and mobility services. The company's clients include Toyota, Honda, General Motors, and Ford. 

On March 10, the company detected unauthorized access involving ransomware at DENSO Automotive Deutschland GmbH, a group firm responsible for managing sales and engineering in Germany, a Denso spokesperson told Reuters. After the breach was detected, Denso disconnected the affected systems from the network and confirmed that no other systems inside the facility were impacted. 

While the incident is under investigation, Denso says there is "no impact" on other facilities and no disruption to production plants or manufacturing schedules. Although the company has not shared any details regarding the attackers, a cybercrime group named Pandora has taken credit for the attack, claiming to have stolen 1.4 TB of data. 

“After detecting the unauthorized access, Denso promptly cut off the network connection of the devices that received unauthorized access and confirmed that there is no impact on other Denso facilities,” the company said in a press release. "Denso would like to express its sincerest apologies for any concern or inconvenience resulting from this incident. Denso Group will once again strengthen security measures and work to prevent a recurrence."

In an effort to support their claims, the attackers released samples of the stolen datasets, as well as several images of documents. Based on the samples published by threat actors, tens of thousands of documents, spreadsheets, presentations, and images have been exposed, including many that reference customers and employees. 

It remains unclear how the malicious actors gained access to the company’s network, but after Pandora took responsibility for the attack, one researcher claimed he had alerted the company a couple of months earlier that attackers were selling access to its network. 

The Pandora ransomware appears to be new, but security expert pancak3 believes it is a rebranding of the Rook ransomware, based on code similarities and the packers used by the operation. A sample of the Pandora ransomware was detected on VirusTotal by Intezer as Rook, which also suggests shared code.

The Potential Damage to Russia from Cybercrime in 2022 was Estimated at 2.2 Million Dollars

 

RTM Group experts believe that the damage from criminal actions using computer technology in Russia this year will continue to grow and may reach 165 billion rubles. 

The growth will be facilitated by the low level of cyber-literacy of the population, as well as people's desire to save money in conditions of rising prices and uncertainty.

In 2021, the total amount of damage from cybercrime exceeded 150 billion rubles ($2 million). In total, 518 thousand cybercrimes were committed last year, almost twice as many as in 2019. 

According to Yevgeny Tsarev, the manager of RTM Group, the number of successful cyberattacks in 2021 increased by one-third (+35%). In 2022 the growth of cybercrime will continue and will reach at least 30%, due to the development of social engineering schemes and the use of new technologies. By the end of the year, the total damage may exceed 165 billion rubles ($2.2 million). 

Phone calls to a potential victim have become the most common form of fraud, while viruses and phishing attacks are the most popular ways of stealing funds. At the same time, RTM Group experts admit that only a small fraction of those who suffer from the actions of criminals go to court, as they realize the money cannot be recovered anyway. 

Experts agreed that fraudsters will become even more active and that the growth of cyberattacks will continue, since the criminal procedure law is not currently adapted to this kind of crime. In addition, law enforcement agencies do not have enough qualified personnel to carry out investigations. 

According to experts, "people now live in a state of uncertainty of prospects on the one hand, and constantly rising prices on the other," which leads to a desire to save money. And this is abused by scammers in the mail, in social networks and by phone. 

In addition, according to Kaspersky Lab experts, ransomware hackers attacked 16 thousand Russian companies in 2021, while attacks are becoming less massive and more targeted. The company clarified that in 2021 alone, 49 new ransomware families and more than 14 thousand modifications of them were discovered around the world. Before encrypting, hackers steal data from companies and threaten to release it to the public unless they are paid.

Vodafone Portugal Services were Disrupted due to a Cyberattack

 

Vodafone was the target of a network disruption that began on the night of February 7, 2022, as a result of a deliberate and malicious cyberattack aimed at inflicting damage and disruption. As soon as the first indication of a network issue was noticed, Vodafone responded quickly to identify, contain, and restore services. The situation is affecting the provision of services based on data networks, such as 4G/5G networks, fixed voice, television, SMS, and voice/digital answering services. 

"We have already recovered mobile voice services and mobile data services are available exclusively on the 3G network almost throughout the country but, unfortunately, the size and severity of the criminal act to which we have been subjected implies for all other services a careful and prolonged recovery work involving multiple national, international teams and external partners," the company said in a statement. 

According to Vodafone Portugal CEO Mário Vaz, the attack affected millions of people, businesses, and public services such as ambulance services, fire departments, and hospitals. He stated that emergency services were prioritized in efforts to restore communications. He told reporters that whoever was behind the incident had not demanded a ransom. 

"The attack sought to make (Vodafone Portugal) inoperative," he said. He declined to go into detail about the company's and the police's inquiry. According to the company, it delivers fiber services to 3.4 million Portuguese homes and businesses, and it has 4.7 million mobile phone customers.

Vodafone said it is attempting to restore the remaining services with the assistance of local and international teams in what is presently the company's largest cybersecurity incident. The company also stated that it is cooperating with authorities to investigate the issue and that, based on existing evidence, no customer data appears to have been accessed or compromised. Despite the existence of various claims on the internet, Vodafone Portugal has not linked the ongoing situation to a ransomware attack. 

These rumors are currently making the rounds on the internet after a ransomware gang extorted Impresa and Cofina, two of Portugal's leading news media sites, over the past month. The Lapsus$ ransomware group, which was responsible for the two attacks, has not claimed responsibility for the Vodafone Portugal outage on any of its online accounts. 

When contacted through LinkedIn, a Vodafone Portugal employee stated that they were only aware of the technical disruption and were unaware of the company's press statement attributing the outage to a hack.

Lapsus$ Ransomware Gang Hacked Portugal's Largest Media Conglomerate

 

The Lapsus$ ransomware group has compromised and is actively extorting Impresa, Portugal's largest media conglomerate and owner of SIC and Expresso, the country's leading TV channel and a weekly newspaper, respectively. The attack occurred during the New Year's holiday and targeted the company's online IT server infrastructure. Impresa, Expresso, and all SIC TV channels' websites are presently offline. National airwave and cable TV broadcasts are unaffected, however, the attack has disabled SIC's internet streaming capability. 

Both the Expresso newspaper and the SIC TV station stated that they had reported the incident to the PJ criminal investigation police agency and the National Cybersecurity Centre (CNCS) and would file a complaint. The alleged hackers posted a message on the websites threatening to reveal internal data if the media firm did not pay a ransom. The message includes e-mail and Telegram contact details. 

The Lapsus$ group claimed responsibility for the attack by displaying a ransom note on all of Impresa's websites. In addition to the ransom demand, the message says the group has gained access to Impresa's Amazon Web Services account. When all of the sites were put into maintenance mode on Monday, Impresa staff appeared to have regained control of this account, but the attackers promptly tweeted from Expresso's verified Twitter account to demonstrate that they still had access to company resources. 

Lino Santos, CNCS's coordinator, informed the Observador newspaper that this was the group's first attack in the country. In the meantime, both media outlets are disseminating news pieces via their social media networks. It was an "unprecedented attack on press freedom in the digital age," they said. 

The Impresa hack is among the most significant cybersecurity events in Portugal's history. Impresa is by far the largest media group in the country. According to September 2021 TV ratings, SIC and all of its secondary channels lead the TV market, while Expresso has the highest weekly periodical circulation numbers. Impresa also owns a slew of other media organizations and periodicals, all of which are likely to be impacted by the attack.

Before the Impresa attack, the Lapsus$ group hacked and ransomed the Ministry of Health of Brazil, as well as Claro and Embratel, two South American telecommunications firms. This is the second ransom attack on a media conglomerate during the holiday season, following the Ryuk gang's December 2018 attack on Tribune Publishing, owner of the Los Angeles Times.