
FBI Reveals 7,000 Decryption Keys to Combat LockBit Ransomware


In a major development against cybercrime, the US Federal Bureau of Investigation (FBI) has disclosed the recovery of over 7,000 decryption keys to assist victims of the notorious LockBit ransomware gang. This revelation follows a disruptive international law enforcement operation against LockBit earlier this year. In February 2024, an international law enforcement effort, codenamed Operation Cronos, targeted LockBit’s infrastructure. 

This operation led to the takedown of LockBit’s data leak website and the seizure of 34 servers containing extensive data on the gang’s activities. Investigators uncovered more than 2,500 decryption keys from these servers, which the FBI is now offering to victims. The data gathered also facilitated the development of a free decryption tool for the LockBit 3.0 Black Ransomware. 

LockBit's Global Impact 

LockBit operates a ransomware-as-a-service model, providing tools to a network of affiliates who carry out cyberattacks globally. By 2022, LockBit had become the most deployed ransomware variant worldwide, causing billions of dollars in damages to victims, according to Bryan Vorndran, the FBI’s cyber assistant director. 

He added: “These LockBit scams run the way local thugs used to demand ‘protection money’ from storefront businesses. LockBit affiliates steal and encrypt data, demanding payment for its return. Even if the ransom is paid, victims are often subjected to further extortion as the criminals retain copies of the data and may demand additional payments to prevent its release online.”

FBI's Assistance to Victims 

The FBI is proactively reaching out to known LockBit victims, encouraging those affected to visit the Internet Crime Complaint Center. While the recovered decryption keys enable victims to regain access to their data, Vorndran cautioned that this does not prevent LockBit from potentially selling or releasing the data in the future.
“When companies are extorted and choose to pay to prevent the leak of data, you are paying to prevent the release of data right now—not in the future,” he said. 

Continued Threat 

The fight against ransomware is marked by ongoing challenges. Despite the significant strides made with Operation Cronos, the threat from LockBit remains. In 2022, authorities arrested LockBit associate Mikhail Vasiliev, who received a four-year prison sentence in March 2024. 

Additionally, last month, authorities identified the elusive LockBit leader as 31-year-old Russian national Yuryevich Khoroshev. Vorndran's warning underscores the persistent threat: “Even if you get the data back from the criminals, you should assume it may one day be released, or you may one day be extorted again for the same data.”

New ShrinkLocker Ransomware Exploits BitLocker to Encrypt Files


The new ransomware strain, ShrinkLocker, is creating significant concerns by using Windows BitLocker to encrypt corporate systems through the creation of new boot partitions.

ShrinkLocker, named for its method of creating a boot volume by shrinking available non-boot partitions, has been targeting government entities and companies in the vaccine and manufacturing sectors.

Using BitLocker to encrypt computers isn't new. Previously, threat actors have used this security feature to encrypt 100TB of data on 40 servers at a Belgian hospital and to target a Moscow-based meat producer and distributor. In September 2022, Microsoft warned about an Iranian state-sponsored attacker using BitLocker to encrypt systems running Windows 10, Windows 11, or Windows Server 2016 and newer.

Kaspersky reports that ShrinkLocker includes previously unreported features designed to maximize damage. Written in Visual Basic Scripting (VBScript), ShrinkLocker detects the specific Windows version on the target machine using Windows Management Instrumentation (WMI) and proceeds only if certain conditions, like the current domain matching the target and the OS version being newer than Vista, are met. If not, ShrinkLocker deletes itself.

If the target meets the requirements, the malware uses the Windows diskpart utility to shrink each non-boot partition by 100MB, creating new primary volumes from the unallocated space. Kaspersky researchers noted that on Windows 2008 and 2012, ShrinkLocker saves the boot files along with the index of other volumes. The resize operations are carried out with different code on other Windows OS versions.

ShrinkLocker then uses the BCDEdit command-line tool to reinstall boot files on the new partitions. Additionally, it modifies registry entries to disable remote desktop connections and enable BitLocker encryption on hosts without a Trusted Platform Module (TPM), a security chip.

Dynamic malware analysis by Kaspersky confirmed the following registry changes made by ShrinkLocker:

- fDenyTSConnections = 1: disables RDP connections
- scforceoption = 1: enforces smart card authentication
- UseAdvancedStartup = 1: requires BitLocker PIN for pre-boot authentication
- EnableBDEWithNoTPM = 1: allows BitLocker without a compatible TPM chip
- UseTPM = 2: uses TPM if available
- UseTPMPIN = 2: requires a startup PIN with TPM if available
- UseTPMKey = 2: uses a startup key with TPM if available
- UseTPMKeyPIN = 2: uses a startup key and PIN with TPM if available
- EnableNonTPM = 1: allows BitLocker without a TPM chip, requiring a password or startup key on a USB flash drive
- UsePartialEncryptionKey = 2: requires a startup key with TPM
- UsePIN = 2: requires a startup PIN with TPM

The threat actor behind ShrinkLocker does not drop a ransom note but instead provides a contact email address within the label of the new boot partitions. This label is only visible through a recovery environment or diagnostic tools, making it easy to miss. After encrypting the drives, the attacker deletes the BitLocker protectors, such as TPM, PIN, startup key, password, recovery password, and recovery key, preventing the victim from recovering BitLocker’s encryption key, which is sent to the attacker.

The encryption key is a 64-character string generated by combining numbers, special characters, and the holoalphabetic sentence "The quick brown fox jumps over the lazy dog." This key is transmitted via the TryCloudflare tool, a legitimate service for experimenting with Cloudflare’s Tunnel without adding a site to Cloudflare’s DNS.

In the final stage, ShrinkLocker forces a system shutdown, leaving the user with locked drives and no BitLocker recovery options. BitLocker’s custom message feature, which could display an extortion message, is not used, suggesting these attacks may be more destructive than financially motivated.

Kaspersky discovered multiple ShrinkLocker variants used against government entities and organizations in the steel and vaccine manufacturing sectors in Mexico, Indonesia, and Jordan.

Cristian Souza, an incident response specialist at Kaspersky, advises companies using BitLocker to securely store recovery keys, maintain regular offline backups, use a properly configured Endpoint Protection Platform (EPP) to detect BitLocker abuse, enable minimal user privileges, and monitor network traffic and script executions.
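A defender's audit that follows Souza's advice above (detect BitLocker abuse, keep recovery keys, watch script execution) and the indicators described earlier in the post: the registry values ShrinkLocker writes, the deletion of every BitLocker protector after encryption, and the contact address placed in the label of the new boot volume. This is an added PowerShell example, not code from the blog post or from Kaspersky's report. The registry value names come from the post; the hive paths (the standard policy locations for those names), the function names and the exit-code threshold at the end are my assumptions.

```powershell
#Requires -RunAsAdministrator
# Added audit script (not from the post or from Kaspersky). Checks a Windows host for:
#   1. the registry state the post attributes to ShrinkLocker,
#   2. encrypted volumes whose BitLocker key protectors have all been removed,
#   3. volumes whose label carries an e-mail address.
# Registry paths are the standard Windows policy locations for these value names
# (my assumption; the post lists only the value names and values).

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Value name, location, and the value the post reports ShrinkLocker writing.
$Indicators = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server';          Name = 'fDenyTSConnections';      Expected = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'scforceoption';           Expected = 1 }
    @{ Path = $fve; Name = 'UseAdvancedStartup';      Expected = 1 }
    @{ Path = $fve; Name = 'EnableBDEWithNoTPM';      Expected = 1 }
    @{ Path = $fve; Name = 'UseTPM';                  Expected = 2 }
    @{ Path = $fve; Name = 'UseTPMPIN';               Expected = 2 }
    @{ Path = $fve; Name = 'UseTPMKey';               Expected = 2 }
    @{ Path = $fve; Name = 'UseTPMKeyPIN';            Expected = 2 }
    @{ Path = $fve; Name = 'EnableNonTPM';            Expected = 1 }
    @{ Path = $fve; Name = 'UsePartialEncryptionKey'; Expected = 2 }
    @{ Path = $fve; Name = 'UsePIN';                  Expected = 2 }
)

function Get-ShrinkLockerRegistryHits {
    # Emits one object per indicator whose current value matches the post's list.
    foreach ($i in $Indicators) {
        $item = Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.($i.Name) -eq $i.Expected) {
            [pscustomobject]@{ Indicator = "$($i.Path)\$($i.Name)"; Value = $item.($i.Name) }
        }
    }
}

function Get-ProtectorlessBitLockerVolumes {
    # A volume that is encrypted (or still encrypting) but has zero key protectors can no
    # longer be unlocked from this host; the post says ShrinkLocker removes every protector.
    # Requires the BitLocker module (Windows 8 / Server 2012 and later).
    Get-BitLockerVolume -ErrorAction SilentlyContinue |
        Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' -and @($_.KeyProtector).Count -eq 0 } |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus
}

function Get-VolumesWithContactLabel {
    # The post notes the attacker's contact e-mail is stored in the new boot volume's label.
    Get-Volume | Where-Object { $_.FileSystemLabel -match '@' } |
        Select-Object DriveLetter, FileSystemLabel,
            @{ Name = 'SizeMB'; Expression = { [math]::Round($_.Size / 1MB) } }
}

$regHits   = @(Get-ShrinkLockerRegistryHits)
$noProt    = @(Get-ProtectorlessBitLockerVolumes)
$badLabels = @(Get-VolumesWithContactLabel)

"Registry indicators matched: $($regHits.Count) of $($Indicators.Count)"
$regHits   | Format-Table -AutoSize
"Encrypted volumes with no key protectors: $($noProt.Count)"
$noProt    | Format-Table -AutoSize
"Volumes whose label contains an e-mail address: $($badLabels.Count)"
$badLabels | Format-Table -AutoSize

# Exit code for scheduled runs: a protector-less encrypted volume, or several of the
# registry indicators set at once, deserves an incident-response ticket. The threshold
# of three is an assumed starting point, not a value from the post.
if ($noProt.Count -gt 0 -or $regHits.Count -ge 3) { exit 2 } else { exit 0 }
```

Run it from an elevated PowerShell session on a workstation or server; a non-zero exit code lets a scheduled task or EDR script runner raise an alert. Several of the FVE values (UseAdvancedStartup, UseTPMPIN, and so on) are also legitimate Group Policy settings, so compare the hits against the organisation's intended BitLocker baseline rather than treating every match as malicious on its own.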

Assessing F Society's Latest Ransomware Targets: Are They at Risk?


In recent developments, the F Society ransomware group has once again made headlines by listing four additional victims on its leak site. The alleged targets include Bitfinex, Coinmoma, Rutgers University, and SBC Global Net. Bitfinex, a renowned cryptocurrency exchange platform, and Coinmoma, offering cryptocurrency-related data, are among the victims. 

Rutgers University, one of the oldest universities in the US, and SBC Global Net, an email service once provided by SBC Communications, are also allegedly affected. While the attacks are yet to be officially confirmed, the ransomware group has provided unique descriptions for each victim, along with links to sample data obtained from the attacks. 

Bitfinex was reportedly targeted with the theft of 2.5 TB of information and personal details of 400K users. Rutgers University faced an alleged theft of 1 TB of data, with the specific type of information not disclosed. Coinmoma was claimed to have sensitive data, including user information and transaction histories, compromised, with a file size of 2TB and 210k user records. 

Similarly, SBC Global Net was stated to have unauthorized access, leading to the theft of personal user details, with a file size of 1 TB. Despite these claims, no ransom amount has been publicly mentioned, and the victims are given seven days to comply with the demands, failing which the obtained data will be leaked. 

As of now, there have been no official responses from the victims, and the claims remain unverified. While the authenticity of F Society's claims is uncertain, Bitfinex had previously experienced a significant hacking incident in 2016. During this incident, approximately 119,754 bitcoins were stolen from the platform due to a breach, leading to unauthorized transactions. The stolen bitcoins were later recovered by law enforcement after a thorough investigation, marking one of the largest recoveries in the history of the US Department of Justice. 

However, the perpetrator behind the hack remains unidentified, although it is known that they attempted to cover their tracks using a data destruction tool. The previous security lapse experienced by Bitfinex highlights the importance of robust cybersecurity measures, especially in the realm of cryptocurrency exchanges. As cyber threats continue to evolve, organizations must prioritize the implementation of stringent security protocols to safeguard sensitive data and mitigate the risk of ransomware attacks.
 
Additionally, prompt response and collaboration with law enforcement agencies are essential in investigating such incidents and holding perpetrators accountable for their actions. The recent targeting of prominent entities by the F Society ransomware group underscores the persistent threat posed by cybercriminals. As organizations strive to fortify their defenses against such attacks, proactive measures and swift action are imperative to protect valuable assets and maintain trust among stakeholders in an increasingly digital landscape.

Ransomware Strikes St-Jerome Company: Everest Group Suspected


Les Miroirs St-Antoine Inc., a longstanding company in the St-Jérôme region, is grappling with the aftermath of an alleged ransomware attack orchestrated by the infamous Everest Group. Founded in 1956, Les Miroirs St-Antoine specializes in glazing and aluminum products for commercial, industrial, and institutional sectors. 

However, the tranquility of this family-owned business has been shattered by the looming threat of cybercrime. As of now, crucial details regarding the attack, such as the extent of the data breach, the level of data compromise, and the motive behind the attack, remain undisclosed by the ransomware group.

Nevertheless, the Everest Group has issued a chilling ultimatum, demanding that Les Miroirs St-Antoine Inc. contact them within 24 hours, failing which all stolen data will be made public. Since its emergence in December 2020, the Everest ransomware group has established itself as a formidable threat within the cybersecurity landscape.

Operating primarily within Russian-speaking circles, the group has strategically targeted organizations spanning various industries and regions. Notable victims, including renowned entities such as NASA and the Brazilian Government, have fallen prey to the group's sophisticated data exfiltration tactics. What sets Everest ransomware apart is its ruthless demand for ransom, which extends beyond decrypting files to threatening the public release of stolen data. 

This coercive strategy places immense pressure on victims to meet the group's demands, amplifying the stakes of their cyberattacks. Moreover, the threat of double extortion, wherein stolen data is released to the public, exacerbates the company's predicament and underscores the severity of the situation. 

In response to the alleged ransomware attack, Les Miroirs St-Antoine Inc. must mobilize its cybersecurity resources to assess the extent of the breach and mitigate further damage. Collaboration with law enforcement agencies and cybersecurity experts is essential in identifying the perpetrators and holding them accountable for their actions. 

Furthermore, transparent communication with stakeholders, including customers, employees, and partners, is imperative to address concerns and reassure the community amidst the crisis. By prioritizing vigilance, preparedness, and proactive measures, Les Miroirs St-Antoine Inc. can navigate the challenges posed by cybercriminals and emerge stronger from this ordeal. 

The alleged ransomware attack targeting Les Miroirs St-Antoine Inc. serves as a poignant reminder of the ever-present threat posed by cybercriminals in today's digital landscape. As organizations strive to safeguard their assets and uphold the trust of their stakeholders, resilience, adaptability, and robust cybersecurity measures are paramount in thwarting malicious attacks and preserving business continuity.

Automotive Industry Under Ransomware Attacks: Proactive Measures

Ransomware has become a highly profitable industry, with major players like Conti Ransomware and Evil Corp leading the way. Although these entities are not publicly traded and do not report earnings to regulatory bodies like the SEC, it is estimated that ransomware payments reached around $450 million in the first half of the previous year. Shockingly, cyber-attacks are so lucrative that North Korea reportedly derives 50% of its foreign currency from cyber theft, as reported by Nikkei Asia. 

In 2021, automotive companies faced the highest number of cyber-attacks within the manufacturing sector, making up approximately one-third of all attacks, as highlighted in an industrial threat research report by IBM. A prevalent tactic employed by cybercriminals involves targeting the supply chains of automotive manufacturers through vulnerabilities in third-party vendors. 

In the list of industries facing ransomware attacks, the automotive sector ranked eighth out of 35, indicating a moderate vulnerability compared to others like technology, logistics, and transportation. It is less susceptible than some industries but more so than municipal and legal services. A 2021 Gartner report revealed that 71% of automotive Chief Information Officers (CIOs) planned to increase efforts in cybersecurity and information security that year compared to 2020. 

Cybersecurity experts note that the automotive industry's enthusiastic adoption of digitalization and automation in its operations has significantly increased productivity. However, this shift has also made organizations more susceptible to cyber-attacks due to the expanded digital footprint. 

Let’s Understand How Automobile Companies Can Protect Their System

The first step in safeguarding a car manufacturing company's systems is to understand the potential security risks and threats to their equipment. As technology advances, many companies are linking their older systems to the internet to collaborate with outside vendors. While it might take time for businesses to get used to this new security approach, there's a positive trend in increased awareness, making the industry safer. 

To protect against large-scale ransomware attacks, the automotive sector needs to take a proactive stance in detecting and addressing risks in their manufacturing environment. This shift towards a more proactive security strategy is crucial for preventing potential cyber threats and ensuring the safety of the organization's systems.

FBI Investigating More than 100 Ransomware Variants


Ransomware attacks spread more quickly than most organizations can respond. The United States Federal Bureau of Investigation (FBI) is on a mission to investigate more than 100 different variants of ransomware, many of which have been used extensively in various cyberattack campaigns. 

Bryan Vorndran, assistant director of the FBI’s Cyber Division has explained his team’s efforts against the malware threats to the United States House Committee on the Judiciary in Washington. 

In his testimony, Vorndran said: “There is not a day that goes by without multiple FBI field offices responding to ransomware attacks. The ransomware threat is not new, and it has been one of the FBI’s top cybercriminal investigative priorities for some time, but we have seen ransomware attack reporting increase significantly in the past two years, and the impact of these attacks has grown to dangerous proportions, threatening our economic and national security.”

According to new data published by the FBI this week, cyberattackers wreaked havoc across the U.S., resulting in a record-high number of cyber threat complaints. Describing the rise in ransomware attacks, Vorndran said that from 2019 to 2021 the number of ransomware complaints reported to the FBI’s Internet Crime Complaint Center (IC3) increased by 82%, with a 449% rise in ransom payments, and that more than 847,000 complaints corresponding to crimes had cost victims an estimated total exceeding $6.9 billion.

“‘Ransomware-as-a-service’ (when a developer sells or leases ransomware tools to criminal customers) has decreased the barrier to entry and technological savviness needed to carry out and benefit from these compromises and increased the number of criminals conducting ransomware campaigns,” noted Vorndran.

Further, FBI Deputy Director Paul Abbate has said that the bureau’s cyber division is investigating and working harder than before against the surging cyber threats to protect people. 

He further said, “We can put a cyber-trained FBI agent on nearly any doorstep in this country within one hour, and we can accomplish the same in more than 70 countries in one day through our network of legal attachés and cyber assistant legal attachés.”