Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Ransomware. Show all posts
ransomware builder
BreachForums Cyber Security Cybersecurity Dark Web Ethical Hacking good hacker hacking back honeypot strategy Penetration Testing Ransomware ransomware builder

Security Researcher Outsmarts Hackers with Fake Ransomware Tool

 

The debate surrounding the ethics and practicality of "hacking back" remains a heated topic within the cybersecurity community. When organizations face cyberattacks, is retaliating against the attacker a viable option? While opinions differ, one fact remains clear: breaking the law is breaking the law, regardless of intent.

However, in a fascinating case of strategic ingenuity rather than retaliation, a security researcher and penetration tester successfully infiltrated a notorious dark web criminal marketplace. This was less an act of hacking back and more a bold example of preemptive defense.

Quoting American philosopher Robert Maynard Pirsig, Cristian Cornea, the researcher at the heart of this operation, opened his riveting Medium post with, “Boredom always precedes a period of great creativity.” Inspired by these words, Cornea devised a clever honeypot strategy to target potential ransomware hackers frequenting the BreachForums marketplace on the dark web.

His plan revolved around creating a fake ransomware tool called the "Jinn Ransomware Builder," designed to lure cybercriminals. This supposed tool offered features to help bad actors deploy ransomware attacks. In reality, it was a honeypot—an elaborate trap with some real functionalities but embedded with hardcoded and backdoored command-and-control callbacks.

“Jinn Ransomware Builder is actually a honeypot,” Cornea explained, “but some of the features presented above are real.” For instance, the tool could initiate a remote connection and open a process with a server-hosted “CmD.eXE” executable. Other features, such as multi-language support and AES encryption, were merely designed to make the tool appear more authentic and appealing to malicious actors.

Cornea emphasized that his actions were performed within a controlled and simulated environment, ensuring no laws were broken. “I strictly discourage anyone else from executing such actions themselves,” he warned. He stressed the importance of staying on the ethical side of hacking, noting that the line between good and bad hacking is dangerously thin.

This operation highlights the creativity and strategic thinking ethical hackers use to combat cybercrime, reinforcing that innovation and legality must go hand in hand.
Read more »
Ransomware
Business Cyber Crime Finance Sector Identity Theft Ransomware

Ransomware Gangs Target Weekends and Holidays for Maximum Impact

 


A new report by cybersecurity firm Semperis reveals that ransomware gangs are increasingly launching attacks during weekends and holidays when organisations are less equipped to respond. The study found that 86 percent of ransomware incidents occurred during off-peak times as companies often scale back their security operations centre (SOC) staffing. While most organisations claim to run 24/7 SOCs, 85% admit to reducing staff by up to half on weekends and holidays, leaving critical systems more exposed. According to Dan Lattimer, an area vice president at Semperis, many organisations cannot afford the high cost of maintaining full SOC coverage each day. He noted, for example, that some organisations assume they are less exposed to risk during weekends because fewer employees are online to fall prey to phishing attacks. Others perceive their exposure being low because they have never had a threat in the past, further reducing the monitoring effort.


Why Cybercriminals Prefer Off-Peak Hours

Attackers leverage these openings to elevate the chances of their success. Performing attacks during weekends or holidays gives them a relatively longer timeframe to conduct an operation secretly so they can encrypt files and steal sensitive information with little hope of interfering soon. According to Lattimer, this tactic increases the chances of receiving ransom money because the organisations are willing to regain control at any critical downtime.

The report also showed that finance and manufacturing were among the most often targeted sectors, with 78 percent and 75 percent of organisations in the respective sectors reporting attacks on weekends or holidays. Furthermore, 63 percent of respondents said the ransomware related to major corporate events such as mergers or layoffs, which often cause additional diversion for IT teams. 


Identity Security Lapses Continue

Another concerning result of the report is that too many companies feel too confident about their identity security. While 81% said to have sufficient defences against identity-related attacks, 83% experienced successful ransomware incidents in the past year. This discrepancy is largely due to lack of budget and resources to properly protect identity systems like AD, a part of core infrastructure.

Semperis noted that without proper funding for identity threat detection and response (ITDR), many organisations are leaving themselves open to attacks. Around 40% of companies either lacked the resources or were unsure about their ability to secure these systems. 


Takeaway

SEMPERIS 2024 RANSOMWARE HOLIDAY RISK REPORT states that businesses must immediately address the vulnerability of weekends. Strengthening cybersecurity measures over holidays, investing in such robust identity protection, and maintaining consistent monitoring can help mitigate such growing risks for organisations. Cybercrime has become so dynamic, and hence organisations must adapt constantly to stay one step ahead.



Read more »
vulnerabilities & exploits
D-Link NAS Ransomware vulnerabilities & exploits

D-Link Devices Face Cyber Attacks Following End-of-Life Announcement

 



Cybersecurity researchers have confirmed that the exploitation of D-Link NAS devices has been ongoing. Recently it was found to contain a critical flaw, for which the manufacturer is no longer offering support on such devices.


Critical Flaw and Discontinued Support


A critical security flaw, rated 9.2 on the severity scale, was found in various editions of D-Link NAS devices. This flaw may allow attackers to remotely execute malevolent commands that would place sensitive data stored on these systems at risk. However, D-Link announced that it will not release a patch for this issue as these devices have reached EOL status. Users are instead advised to update to newer products in order to continue protection.


Tens of Thousands of Devices Vulnerable


Researchers have discovered more than 60,000 vulnerable devices worldwide. The affected models include DNS-320 Version 1.00, DNS-320LW Version 1.01.0914.2012, DNS-325 Versions 1.01 and 1.02, and DNS-340L Version 1.08. While the above number of possible exploited devices is very large, so far only around 1,100 instances of exploitation were seen, according to a threat monitoring service called Shadowserver.


Active Exploitation Starts


Exploitation attempts for this vulnerability, tracked as CVE-2024-10914, were first sighted on November 12. According to the researchers at Shadowserver, attackers are taking advantage of a command injection vulnerability on the "/cgi-bin/account_mgr.cgi" endpoint of the affected devices. Though the exploitation of this flaw is relatively complex, a public exploit available does increase the risk for its users.

Shadowserver makes a big point of pulling these types of devices off the internet as their EOL status signifies D-Link will not be putting out any further updates or releases on these devices.


Why NAS Devices Are Attractive


For centralizing data storage, NAS devices make it possible for quite a few users and devices to access and share files, let alone back them up. They are highly used in homes and businesses for reliability, ease of use, and scalability. However, due to their nature as data hubs, they are great targets for cybercriminals-these criminals typically try to steal, encrypt, or delete valuable information, and one of the most commonly used tools is through ransomware attacks.


What Users Should Do


Thereby, the owners of affected D-Link NAS devices are advised to replace them with the supported versions. Disconnecting the affected devices from the internet would be one of the immediate steps to reduce the exposure.


Furthermore, users should keep their systems up to date and implement robust security measures in place for protecting data. For this reason, cyber threats evolve very fast, and only a vigilant user can save the sensitive information.



Read more »
TLS inspection
Cato Networks CVE exploits Cyber Security Cyber Threats Cybersecurity Data Privacy Penetration Testing Ransomware ransomware-as-a-service Shadow AI TLS inspection

Ransomware Gangs Actively Recruiting Pen Testers: Insights from Cato Networks' Q3 2024 Report

 

Cybercriminals are increasingly targeting penetration testers to join ransomware affiliate programs such as Apos, Lynx, and Rabbit Hole, according to Cato Network's Q3 2024 SASE Threat Report, published by its Cyber Threats Research Lab (CTRL).

The report highlights numerous Russian-language job advertisements uncovered through surveillance of discussions on the Russian Anonymous Marketplace (RAMP). Speaking at an event in Stuttgart, Germany, on November 12, Etay Maor, Chief Security Strategist at Cato Networks, explained:"Penetration testing is a term from the security side of things when we try to reach our own systems to see if there are any holes. Now, ransomware gangs are hiring people with the same level of expertise - not to secure systems, but to target systems."

He further noted, "There's a whole economy in the criminal underground just behind this area of ransomware."

The report details how ransomware operators aim to ensure the effectiveness of their attacks by recruiting skilled developers and testers. Maor emphasized the evolution of ransomware-as-a-service (RaaS), stating, "[Ransomware-as-a-service] is constantly evolving. I think they're going into much more details than before, especially in some of their recruitment."

Cato Networks' team discovered instances of ransomware tools being sold, such as locker source code priced at $45,000. Maor remarked:"The bar keeps going down in terms of how much it takes to be a criminal. In the past, cybercriminals may have needed to know how to program. Then in the early 2000s, you could buy viruses. Now you don't need to even buy them because [other cybercriminals] will do this for you."

AI's role in facilitating cybercrime was also noted as a factor lowering barriers to entry. The report flagged examples like a user under the name ‘eloncrypto’ offering a MAKOP ransomware builder, an offshoot of PHOBOS ransomware.

The report warns of the growing threat posed by Shadow AI—where organizations or employees use AI tools without proper governance. Of the AI applications monitored, Bodygram, Craiyon, Otter.ai, Writesonic, and Character.AI were among those flagged for security risks, primarily data privacy concerns.

Cato CTRL also identified critical gaps in Transport Layer Security (TLS) inspection. Only 45% of surveyed organizations utilized TLS inspection, and just 3% inspected all relevant sessions. This lapse allows attackers to leverage encrypted TLS traffic to evade detection.

In Q3 2024, Cato CTRL noted that 60% of CVE exploit attempts were blocked within TLS traffic. Prominent vulnerabilities targeted included Log4j, SolarWinds, and ConnectWise.

The report is based on the analysis of 1.46 trillion network flows across over 2,500 global customers between July and September 2024. It underscores the evolving tactics of ransomware gangs and the growing challenges organizations face in safeguarding their systems.
Read more »
Vulnerabilities and Exploits
CyberCrime Cybersecurity CyberThreat Frag Ransomware Ransomware VBR Veeam RCE Bug Vulnerabilities and Exploits

Veeam RCE Bug Now a Target for Frag Ransomware Operators

 


Recently, a critical VBR (Veeam Backup & Replication) security flaw was exploited by cyber thieves to distribute Frag ransomware along with the Akira and Fog ransomware attacks. Florian Hauser, a security researcher with Code White, has discovered that the vulnerability (tracked as CVE-2024-40711) is a result of the deserialization of untrusted data weakness that unauthenticated threat actors can abuse to gain remote code execution (RCE) on Veeam VBR servers by exploiting. 

Despite releasing a technical analysis of CVE-2024-40711 on September 9, Watchtower Labs delayed the release of a proof-of-concept exploit until September 15 to allow admins to take advantage of the security updates that Veeam released on September 4 for this vulnerability. 

According to Sophos researchers, ransomware operators are leveraging a critical vulnerability in Veeam Backup & Replication called CVE-2024-40711 to create rogue accounts and deploy malware to users in order to execute their attacks. On early September 2024, Veeam released security updates for the Service Provider Console, Veeam Backup & Replication, and Veeam One products to address several vulnerabilities that could undermine the security of their products.

The company fixed 18 issues with high or critical severity for these products. This September's security bulletin contains a critical, remote code execution (RCE) vulnerability tracked as CVE-2024-40711 that affects Veeam Backup & Replication (VBR), which has a CVSS v3.1 score of 9.8 (CVSS score of 10.4). A software product developed by the Veeam software company called Veeam Backup & Replication offers a comprehensive solution for data protection and disaster recovery. With this technology, companies are able to back up, restore, and replicate data across physical, virtual, and cloud environments at the same time. 

There is a vulnerability in the Linux kernel that allows unauthenticated remote code execution (RCE)." as stated in the advisory. The vulnerabilities were discovered by Florian Hauser, a researcher at CODE WHITE Gmbh who specializes in cybersecurity. In addition to Veeam Backup & Replication 12.1.2.172, earlier versions of version 12 are also affected by this flaw.  According to the Sophos X-Ops incident response team, the delay in releasing an exploit did not have much effect on the number of Akira and Fog ransomware attacks that were prevented. 

By exploiting the RCE vulnerability along with stolen credentials from the VPN gateway, the attackers were able to register rogue accounts on unpatched servers and exploit the RCE flaw. There was also a threat activity cluster, which was known as 'STAC 5881,' that was later found to have used exploits from CVE-2024-40711 to download Frag ransomware onto compromised networks, as a result of attacks that exploited CVE-2024-40711. 

According to Sean Gallagher, a principal threat researcher at Sophos X-Ops, the tactics associated with STAC 5881 were used again, this time, however, they led to the deployment of the previously undocumented 'Frag' ransomware which is now being referred to as Black Drop. There is a possibility that the threat actor exploited a vulnerability in the VEEAM component to gain access to the system, created a new account named 'point', and accessed the system from that account. As a result of this incident, a second account has also been created, known as 'point2'. 

Anew report by British cybersecurity company Agger Labs revealed that the Frag ransomware gang has made extensive use of Living Off The Land binaries (LOLBins), a type of software that is already installed on compromised computers and which is commonly known as Living Off The Land software (LOLBins). Defendants have a hard time detecting their activity due to the fact that this is difficult to detect. According to the Frag gang's playbook, the playbook of Akira and Fog operators is somewhat similar, as they often exploit vulnerabilities in unpatched backup and storage software and misconfigurations in the solutions that they deploy. This vulnerability has a high severity and can allow malicious actors to breach backup infrastructure if not patched. Veeam patched another high severity vulnerability in March 2023, CVE-2023-27532. There has been extensive use of this exploit in attacks linked to the financially motivated FIN7 threat group and in Cuba ransomware attacks that targeted companies and institutions critical to the American economy. 

Over 500,000 consumers worldwide rely on Veeam's products, including approximately 74% of all companies from the Global 2,000 list. Veeam reports that its products are used by over 550,000 customers worldwide. Agger Labs, a cybersecurity firm, also noted that tactics, techniques, and practices used by the threat actors behind Frag share many similarities to those used by Akira and Fog threat actors in their tactics, techniques, and practices. 

The main reason why Frag ransomware can remain stealthy is that it uses LOLBins, an approach that has been widely adopted by more traditional actors in the cybercrime sphere. The attackers can now bypass endpoint detection systems by employing familiar, legitimate software already present on most networks to conduct malicious operations. The fact that ransomware crews are adapting their approaches to ransomware shows that they are changing their approach despite not being new to the threat actor space.” 

Agger Labs notes. Despite Frag's use of LOLBins, the function has been used by ransomware strains like Akira and Fog which also use similar techniques to blend in with normal network activity and hide from detection.". As a result of using LOLBins as a means of exploitation for malicious purposes, these operators make it harder for us to detect them timely.”
Read more »
Technology
DDOS Attacks Microsoft phishing Ransomware Technology

600 Million Daily Cyberattacks: Microsoft Warns of Escalating Risks in 2024


Microsoft emphasized in its 2024 annual Digital Defense report that the cyber threat landscape remains both "dangerous and complex," posing significant risks to organizations, users, and devices worldwide.

The Expanding Threat Landscape

Every day, Microsoft's customers endure more than 600 million cyberattacks, targeting individuals, corporations, and critical infrastructure. The rise in cyber threats is driven by the convergence of cybercriminal and nation-state activities, further accelerated by advancements in technologies such as artificial intelligence.

Monitoring over 78 trillion signals daily, Microsoft tracks activity from nearly 1,500 threat actor groups, including 600 nation-state groups. The report reveals an expanding threat landscape dominated by multifaceted attack types like phishing, ransomware, DDoS attacks, and identity-based intrusions.

Password-Based Attacks and MFA Evasion

Despite the widespread adoption of multifactor authentication (MFA), password-based attacks remain a dominant threat, making up more than 99% of all identity-related cyber incidents. Attackers use methods like password spraying, breach replays, and brute force attacks to exploit weak or reused passwords1. Microsoft blocks an average of 7,000 password attacks per second, but the rise of adversary-in-the-middle (AiTM) phishing attacks, which bypass MFA, is a growing concern.

Blurred Lines Between Nation-State Actors and Cybercriminals

One of the most alarming trends is the blurred lines between nation-state actors and cybercriminals. Nation-state groups are increasingly enlisting cybercriminals to fund operations, carry out espionage, and attack critical infrastructure1. This collusion has led to a surge in cyberattacks, with global cybercrime costs projected to reach $10.5 trillion annually by 2025.

The Role of Microsoft in Cyber Defense

Microsoft's unique vantage point, serving billions of customers globally, allows it to aggregate security data from a broad spectrum of companies, organizations, and consumers. The company has reassigned 34,000 full-time equivalent engineers to security initiatives, focusing on enhancing defenses and developing phishing-resistant MFA. Additionally, Microsoft collaborates with 15,000 partners with specialized security expertise to strengthen the security ecosystem.

Read more »
Trustwave SpiderLabs
Cyber Threats Cybersecurity JPHP language malware Pronsis Loader Ransomware Spyware stealth malware Threat Intelligence Trustwave SpiderLabs

New Malware ‘Pronsis Loader’ Uses Rare JPHP Language to Evade Detection and Deliver High-Risk Payloads

 

Trustwave SpiderLabs recently announced the discovery of a new form of malware named Pronsis Loader. This malware has already started to pose significant challenges for cybersecurity experts due to its unique design and operation. Pronsis Loader leverages JPHP, a lesser-known programming language, and incorporates sophisticated installation tactics, which complicates detection and mitigation efforts by standard security tools.

JPHP, a variation of the popular PHP programming language, is rarely seen in the world of malware development, especially for desktop applications. While PHP is commonly used for web applications, its adaptation into desktop malware through Pronsis Loader offers cybercriminals an advantage by making it harder to detect.

Pronsis Loader’s use of JPHP helps it bypass conventional detection systems, which often rely on identifying common programming languages in malware. This less common language adds an extra layer of “stealth,” allowing the malware to slip past many security tools. In addition, Pronsis Loader uses advanced obfuscation and encryption to hide during initial infection, silently installing itself by imitating legitimate processes. This stealth tactic hinders both automated and manual detection efforts.

Once Pronsis Loader is installed, it can download and execute other types of malware, such as ransomware, spyware, and data-theft tools. This modular approach makes it highly adaptable, allowing cybercriminals to customize payloads based on their target’s specific system or environment. As part of a broader trend in cybercrime, loaders like Pronsis are used in multi-stage attacks to introduce further malicious programs, providing attackers with a flexible foundation for varied threats.

To counter this evolving threat, security teams should consider adopting advanced behavioral monitoring and analysis techniques that identify malware based on its behavior, rather than relying solely on signature detection. Additionally, staying updated on threat intelligence helps to recognize rare languages and methods, such as those employed by Pronsis Loader.

 Shawn Kanady, Global Director at Trustwave SpiderLabs, emphasized the significance of Pronsis Loader’s stealth and adaptability, noting its potential to deliver high-risk payloads like Lumma Stealer and Latrodectus. Kanady concluded that understanding Pronsis Loader’s unique design and infrastructure offers valuable insights for strengthening cybersecurity defenses against future campaigns.







Read more »
Ransomware
Cyber Crime Infostealer Interpol Malware Distribution Operation Synergia phishing Ransomware

Operation Synergia II: A Global Effort to Dismantle Cybercrime Networks

Operation Synergia II: A Global Effort to Dismantle Cybercrime Networks

In an unprecedented move, Operation Synergia II has significantly strengthened global cybersecurity efforts. Led by INTERPOL, this extensive operation focused on dismantling malicious networks and thwarting cyber threats across 95 countries. Spanning from April to August 2024, the initiative marks a monumental step in international cybercrime prevention.

Global Collaboration

Operation Synergia II aimed to tackle a range of cybercrimes, including phishing, malware distribution, and ransomware attacks. Cybercriminals exploit vulnerabilities to steal sensitive information, disrupt services, and extort money. The operation's success lies in its collaborative approach, involving INTERPOL, private cybersecurity firms like Kasperksy, and national law enforcement agencies. This partnership was crucial in sharing intelligence, resources, and expertise, enabling swift and effective actions against cyber threats.

The Scope of the Operation

In Hong Kong, authorities dismantled over 1,000 servers linked to cybercrimes, while investigators in Mongolia confiscated equipment and identified 93 suspects. Macau and Madagascar also played vital roles by deactivating hundreds of servers and seizing electronic devices.

Neal Jetton, Director of Interpol's Cybercrime Directorate, remarked, “The global nature of cybercrime requires a global response… Together, we’ve dismantled malicious infrastructure and protected countless potential victims.”

Key Achievements

The operation led to the seizure of over 22,000 malicious IP addresses and servers. This massive takedown disrupted numerous criminal networks, preventing further attacks and mitigating potential damages. The seized assets included servers used for hosting phishing websites, distributing malware, and coordinating ransomware operations.

Impact Areas

Phishing Schemes: Phishing remains one of the most prevalent and dangerous forms of cybercrime. Cybercriminals use deceptive emails and websites to trick individuals into revealing personal information, such as passwords and credit card details. By targeting and taking down phishing servers, Operation Synergia II significantly reduced the risk of individuals falling victim to these scams.

Malware Distribution: Malware, or malicious software, can cause extensive damage to individuals and organizations. It can steal sensitive information, disrupt operations, and even take control of infected systems. The operation's success in dismantling malware distribution networks has helped curb the spread of harmful software and protect countless users.

Ransomware Attacks: Ransomware is a type of malware that encrypts a victim's files, demanding payment for their release. It has become a major threat to businesses, governments, and individuals worldwide. By targeting the infrastructure used to deploy ransomware, Operation Synergia II has disrupted these extortion schemes and safeguarded potential victims.

Read more »
Windows
Cyber Security JPCERT Logs Ransomware Windows

JPCERT Explains How to Identify Ransomware Attacks from Windows Event Logs

 




Japan Computer Emergency Response Team (JPCERT/CC) has published guidance on early identification of ransomware attacks in the system using Windows Event Logs. Probably by reviewing these logs, firms would identify some signs or clues of an existing ransomware attack and find themselves in a position to forestall this threat from spreading across the network.

JPCERT/CC stresses that the discovery of ransomware as early in the attack as possible is extremely important. Many ransomware variants leave apparent traces in Windows Event Logs, and that particular knowledge might be useful for cybersecurity teams to discover and finally stop attacks before they spread further. It's a strategy especially valuable in identifying the type of attack and tracing how ransomware might have entered the system.


Types of Event Logs to Monitor

The agency recommends checking four main types of Windows Event Logs, namely: Application, Security, System, and Setup logs. These types can carry some very important clues left by ransomware along with how it came into the environment and what systems are under attack.


Identifiable Ransomware Signatures in Event Logs

This JPCERT/CC report includes several specific log entries associated with certain ransomware families, which indicate that this was an active attack.

  • Conti Ransomware: This malware typically generates a broad set of logs associated with the Windows Restart Manager, observable through their event IDs 10000 and 10001. The variants such as Akira, Lockbit3.0, HelloKitty, and Bablock all generate almost identical logs because they share code from Lockbit and Conti.

Others, such as 8base and Elbie, also create similar patterns along with traces related to this malware.

  • Midas: This malware changes network configurations to spread across machines. It creates logs having an event ID of 7040.

  • BadRabbit- BadRabbit mostly creates logs with an event ID of 7045 when it instals the encryption modules, further suggesting an attack in progress.

  • Bisamware  Generates entries at both ends of Windows Installer transactions. The event IDs are 1040 and 1042.

Other older ransomware families, like Shade, GandCrab, and Vice Society, similarly display the same event patterns. They especially generate errors with event IDs 13 and 10016, linked to the failed access attempts to COM applications. The reason behind it is ransomware tries to remove Volume Shadow Copies so the victims won't be able to recover encrypted files.


Event Log Monitoring: Not a Silver Bullet But a Mighty Defence

Monitoring these specific Windows Event Logs can certainly prove extremely useful in identifying ransomware, though JPCERT/CC believes such should only be part of the total security strategy. This would truly be transformational were early detection to be combined with other control measures against spreading the attack.

Surprisingly, this method is much more potent for newer ransomware variants rather than those already in the wild, like WannaCry and Petya, which left very minor traces in Windows logs. As ransomware continues to progress, the patterns they leave behind in logs are becoming very obvious, and log monitoring will be more of a good ear for today's cybersecurity infrastructure.

In 2022, another well-known cybersecurity group also published a SANS ransomware detection guide from Windows Event Logs. Both sources point out how ransomware detection has evolved with time, helping organisations better prepare for such threats.


Read more »
UC Berkeley
AI-driven attacks Artificial Intelligence cyber offense Cybersecurity Deep Fakes exploit detection Jacob Steinhardt Ransomware Technology UC Berkeley

Tech Expert Warns AI Could Surpass Humans in Cyber Attacks by 2030

 

Jacob Steinhardt, an assistant professor at the University of California, Berkeley, shared insights at a recent event in Toronto, Canada, hosted by the Global Risk Institute. During his keynote, Steinhardt, an expert in electrical engineering, computer science, and statistics, discussed the advancing capabilities of artificial intelligence in cybersecurity.

Steinhardt predicts that by the end of this decade, AI could surpass human abilities in executing cyber attacks. He believes that AI systems will eventually develop "superhuman" skills in coding and finding vulnerabilities within software.

Exploits, or weak spots in software and hardware, are commonly exploited by cybercriminals to gain unauthorized access to systems. Once these access points are found, attackers can execute ransomware attacks, locking out users or encrypting sensitive data in exchange for a ransom. 

Traditionally, identifying these exploits requires painstakingly reviewing lines of code — a task that most humans find tedious. Steinhardt points out that AI, unlike humans, does not tire, making it particularly suited to the repetitive process of exploit discovery, which it could perform with remarkable accuracy.

Steinhardt’s talk comes amid rising cybercrime concerns. A 2023 report by EY Canada indicated that 80% of surveyed Canadian businesses experienced at least 25 cybersecurity incidents within the year. While AI holds promise as a defensive tool, Steinhardt warns that it could also be exploited for malicious purposes.

One example he cited is the misuse of AI in creating "deep fakes"— digitally manipulated images, videos, or audio used for deception. These fakes have been used to scam individuals and businesses by impersonating trusted figures, leading to costly fraud incidents, including a recent case involving a British company tricked into sending $25 million to fraudsters.

In closing, Steinhardt reflected on AI’s potential risks and rewards, calling himself a "worried optimist." He estimated a 10% chance that AI could lead to human extinction, balanced by a 50% chance it could drive substantial economic growth and "radical prosperity."

The talk wrapped up the Hinton Lectures in Toronto, a two-evening series inaugurated by AI pioneer Geoffrey Hinton, who introduced Steinhardt as the ideal speaker for the event.
Read more »
Tucson Unified
Cyber Security data security education technology K-12 Schools K12 SIX Nantucket Public Schools Ransomware school closures Student Data Tucson Unified

Rising Cybersecurity Threats: Ransomware Attacks Disrupt Tucson and Nantucket Schools

 

The Tucson Unified School District in Arizona and Nantucket Public Schools in Massachusetts, despite stark contrasts in size and location, both experienced ransomware attacks in early 2023. Tucson, serving around 42,000 students, operates within a major city, while Nantucket's district, with fewer than 2,000 students, is situated on a small island. 

On January 30 and 31, both districts were struck by cybercriminals using ransomware—a form of malware that locks access to critical systems until a ransom is paid. These attacks forced Nantucket schools to close and compromised sensitive data in Tucson.

According to K12 SIX, a nonprofit dedicated to cybersecurity in schools, ransomware incidents within K-12 education have surged in recent years, with around 325 attacks reported between April 2016 and November 2022. In the past year alone, nearly 85 additional incidents have targeted school networks. Data reveals that some districts have even faced ransomware multiple times within this period.

Roberto Rodriguez from the U.S. Department of Education estimates that five cybersecurity incidents hit K-12 schools every week, causing legal, financial, and operational disruptions, as well as emotional impacts on school communities. Experts also note that attacks often involve international criminals, raising national security concerns.

Amy McLaughlin of the Consortium for School Networking (CoSN) explains that K-12 schools are vulnerable because of inadequate cybersecurity resources despite holding extensive digital information, including personal and financial data. She emphasizes that these incidents are not just attacks on individual schools but on the fundamental concept of free public education in the United States.

New extortion tactics, such as dual or triple extortion, compound the issue. Here, criminals not only encrypt data but also threaten to release sensitive information publicly. This heightens risks for identity theft and other types of fraud affecting students, staff, and their families.

These escalating cyber threats have underscored the need for stronger cybersecurity protocols within K-12 education. Doug Levin of K12 SIX notes that the lack of preventive measures, like multifactor authentication, has left schools more exposed to cybercriminals, who primarily target schools for financial gain.
Read more »
Security
AI Business Cyber Security India Mallox RansomHub Ransomware Security

India Faces Rising Ransomware Threat Amid Digital Growth

 


India, with rapid digital growth and reliance on technology, is in the hit list of cybercriminals. As one of the world's biggest economies, the country poses a distinct digital threat that cyber-crooks might exploit due to security holes in businesses, institutions, and personal users.

India recently saw a 51 percent surge in ransomware attacks in 2023 according to the Indian Computer Emergency Response Team, or CERT-In. Small and medium-sized businesses have been an especially vulnerable target, with more than 300 small banks being forced to close briefly in July after falling prey to a ransomware attack. For millions of Indians using digital banking for daily purchases and payments, such glitches underscore the need for further improvement in cybersecurity measures. A report from Kaspersky shows that 53% of SMBs operating in India have experienced the incidents of ransomware up till now this year, with more than 559 million cases being reported over just two months, starting from April and May this year.

Cyber Thugs are not only locking computers in businesses but extending attacks to individuals, even if it is personal electronic gadgets, stealing sensitive and highly confidential information. A well-organised group of attacks in the wave includes Mallox, RansomHub, LockBit, Kill Security, and ARCrypter. Such entities take advantage of Indian infrastructure weaknesses and focus on ransomware-as-a-service platforms that support Microsoft SQL databases. Recovery costs for affected organisations usually exceeded ₹11 crore and averaged ₹40 crore per incident in India, according to estimates for 2023. The financial sector, in particular the National Payment Corporation of India (NPCI), has been attacked very dearly, and it is crystal clear that there is an imperative need to strengthen the digital financial framework of India.

Cyber Defence Through AI

Indian organisations are now employing AI to fortify their digital defence. AI-based tools process enormous data in real time and report anomalies much more speedily than any manual system. From financial to healthcare sectors, high-security risks make AI become more integral in cybersecurity strategies in the sector. Lenovo's recent AI-enabled security initiatives exemplify how the technology has become mainstream with 71% of retailers in India adopting or planning to adopt AI-powered security.

As India pushes forward on its digital agenda, the threat of ransomware cannot be taken lightly. It will require intimate collaboration between government and private entities, investment in education in AI and cybersecurity, as well as creating safer environments for digital existence. For this, the government Cyber Commando initiative promises forward movement, but collective endeavours will be crucial to safeguarding India's burgeoning digital economy.


Read more »
Ransomware
AI Cyber Crime Cyberattacks CyberCrime Cybersecurity Cyberthreats EMBARGO ESET MDeployer Ransomware

Embargo Ransomware Uses Custom Rust-Based Tools for Advanced Defense Evasion

 


Researchers at ESET claim that Embargo ransomware is using custom Rust-based tools to overcome cybersecurity defences built by vendors such as Microsoft and IBM. An instance of this new toolkit was observed during a ransomware incident targeting US companies in July 2024 and was composed of a loader and an EDR killer, namely MDeployer and MS4Killer, respectively, and was observed during a ransomware attack targeting US companies. 

Unlike other viruses, MS4Killer was customized for each victim's environment, excluding only selected security solutions. This makes it particularly dangerous to those who are unaware of its existence. It appears that the tools were created together and that some of the functionality in the tools overlaps. This report has revealed that the ransomware payloads of MDeployer, MS4Killer and Embargo were all made in Rust, which indicates that this language is the programming language that the group favours. 

During the summer of 2024, the first identification of the Embargo gang took place. This company appears to have a good amount of resources, being able to develop custom tools as well as set up its own infrastructure to help communicate with those affected. A double extortion method is used by the group - as well as encrypting the victims' data and extorting data from them, they threaten to publish those data on a leak site, demonstrating their intention to leak their data. 

Moreover, ESET considers Embargo to be a provider of ransomware-as-a-service (RaaS) that provides threats to users. The group is also able to adjust quickly during attacks. “The main purpose of the Embargo toolkit is to secure successful deployment of the ransomware payload by disabling the security solution in the victim’s infrastructure. Embargo puts a lot of effort into that, replicating the same functionality at different stages of the attack,” the researchers wrote. 

“We have also observed the attackers’ ability to adjust their tools on the fly, during an active intrusion, for a particular security solution,” they added. MDeployer is the main malicious loader Embargo attempts to deploy on victims’ machines in the compromised network. Its purpose is to facilitate ransomware execution and file encryption. It executes two payloads, MS4Killer and Embargo ransomware, and decrypts two encrypted files a.cache and b.cache that were dropped by an unknown previous stage. 

When the ransomware finishes encrypting the system, MDeployer terminates the MS4Killer process, deletes the decrypted payloads and a driver file dropped by MS4Killer, and finally reboots the system. Another feature of MDeployer is when it is executed with admin privileges as a DLL file, it attempts to reboot the victim’s system into Safe Mode to disable selected security solutions. As most cybersecurity defenses are not in effect in Safe Mode, it helps threat actors avoid detection. 

MS4Killer is a defense evasion tool that terminates security product processes using a technique known as bring your own vulnerable driver (BYOVD). MS4Killer terminates security products from the kernel by installing and abusing a vulnerable driver that is stored in a global variable. The process identifier of the process to terminate is passed to s4killer as a program argument. 

Embargo has extended the tool’s functionality with features such as running in an endless loop to constantly scan for running processes and hardcoding the list of process names to kill in the binary. After disabling the security tooling, Embargo affiliates can run the ransomware payload without worrying whether their payload gets detected. During attacks, the group can also adjust to the environment quickly, which is another advantage.

Basically, what Embargo toolkit does is that it offers a method of ensuring the successful deployment of the ransomware payload and prevents the security solution from being enabled in the victim's infrastructure on the day of deployment. This is something that Embargo invests a lot of time and effort into, replicating the same functionality at different stages of the attack process," wrote the researchers. They added that the attackers also showed a capability to modify their tools on the fly, during an active intrusion, by adjusting the settings on different security solutions on the fly. 

As part of Embargo's campaign against victims in the compromised network, MDeployer is one of the main malicious loaders that it attempts to deploy on victims' machines. With the use of this tool, ransomware can be executed and files can be encrypted easily. During the execution process, two payloads are executed, MS4Killer and Embargo ransomware, which decrypt two encrypted files a.cache and b.cache that have been left over from an unknown earlier stage onto the system.

After its encryption process, the MDeployer program systematically terminates the MS4Killer process, erases any decrypted payloads, and removes a driver previously introduced by MS4Killer. Upon completing these actions, the MDeployer initiates a system reboot. This process helps ensure that no remnants of the decryption or defence-evasion components persist on the system, potentially aiding threat actors in maintaining operational security. In scenarios where MDeployer is executed as a DLL file with administrative privileges, it has an additional capability: rebooting the compromised system into Safe Mode. 

This mode restricts numerous core functionalities, which is often leveraged by threat actors to minimize the effectiveness of cybersecurity defences and enhance stealth. Since most security tools do not operate in Safe Mode, this functionality enables attackers to evade detection more effectively and hinder any active defences, making detection and response significantly more challenging. The MS4Killer utility functions as a defense-evasion mechanism that specifically targets security product processes for termination. This is achieved using a technique referred to as "bring your own vulnerable driver" (BYOVD), wherein threat actors exploit a known vulnerable driver. 

By installing and leveraging this driver, which is maintained within a global variable, MS4Killer is able to terminate security processes from the kernel level, bypassing higher-level protections. The identifier for the targeted process is supplied as an argument to the MS4Killer program. To further enhance MS4Killer’s effectiveness, Embargo has incorporated additional capabilities, such as enabling the tool to run continuously in a loop. This looping function allows it to monitor for active processes that match a predefined list, which is hardcoded within the binary, and terminate them as they appear. 

By persistently disabling security tools, Embargo affiliates can then deploy ransomware payloads with minimal risk of detection or interference, creating an environment highly conducive to successful exploitation.
Read more »
Ransomware
Encryption malware NHS Obfuscation Technique Qilin RaaS Ransomware

NEW Qilin Ransomware Variant Emerges with Improved Evasion Techniques

 



A much more potent version of the Qilin ransomware has been found, according to cybersecurity experts, showing a new and revamped kind that is ready to attack core systems using advanced encryption along with improved stealth techniques.


A Rebranding with a Twist: Qilin's Evolution

The Qilin ransomware operation, which first appeared in July 2022, has now morphed into a more formidable opponent with a new version dubbed "Qilin.B." Known previously as "Agenda," the malware was rebranded and rewritten in Rust, a programming language harder to detect and often used for high-performance systems. The Qilin group is notorious for demanding multi-million dollar ransoms, focusing on high-stakes sectors such as healthcare, where operational disruptions can be particularly severe.

Qilin's latest incarnation has been a powerful tool in mass-attack campaigns. Just last year, a significant cyber attack was launched against Synnovis, a pathology firm providing services to the United Kingdom's NHS, which resulted in the cancellation of thousands of hospital and family doctor appointments. In return for collaborating on campaigns, Qilin partners are promised a large percentage of ransom payments, up to 85% — an arrangement that is structured to encourage high-paying ransomware attacks with the highest payoffs.


Improved Encryption and Obfuscation

This variant, Qilin.B, has the following methods that make their detection a hard nut to crack by the standard systems of security. According to Halcyon, a research firm specialising in cybersecurity, enhanced encryption, such as AES-256-CTR systems that support AESNI, together with RSA-4096 and OAEP padding have been seen in this particular variant. Such standards ensure that decrypting files from this threat is impossible minus the private key, as the case of preventive actions being the only way forward.

Further, the obfuscation technique is available in Qilin.B with which the developers hide the coding language of malware in order to prevent detection via signature-based detection systems. Such evasion mechanisms make the detection and quick response even more difficult by the cyber security teams in case of infections. As reported by the researchers from Halcyon, who had studied malware upgrades, increasing sophistication can be seen in ransomware tactics, specifically Qilin.B was developed to resist reverse engineering as well as delay incident response.


New Tactics to Dodge System Defences

Qilin.B disables important system services such as backup and removes volume shadow copy to prevent rollback of the infected systems. In addition, it disables restarts and self-cleans up by removing the ransomware after a successful attack to minimise digital artefacts. All these features make it more robust for defence against evolving ransomware groups that will continue to change their approach to remain at least a step ahead of security patches.


Growing Need for Cross-Platform Security

As Qilin ransomware is becoming more agile, security experts say the cybersecurity posture of organisations must be more offensive-minded. Qilin.B is rebuilt in Rust and can be executed properly across different environments-from Linux to VMware's ESXi hypervisor. The required security monitoring needs to recognize stealthy methods identified with Qilin.B, including detection of code compiled in Rust because traditional systems would fail to counter it.


Advanced Configurations and Control

Qilin.B. This is another notable configuration option from the attackers so that one can personalise his attack. Thus, this version comes along with new names for some functions, encrypted strings and other complex code, in order to take more time for defence activities and forensic analysis of an incident. According to researchers of the Halcyon company, the best behaviour-based detecting systems should be implemented and it can easily find out what malware does, without the outdated method of searching for signatures by which malware has successfully dodged, in this case.

With the advancements of Qilin.B in terms of encryption and evasion, the security firm Halcyon recommends that organisations supplement their security infrastructure with cross-platform monitoring and backup solutions which are designed to fight against ransomware attacks' newest variations. A more complete system in detecting and responding to threats will still be an asset as ransomware advances through networks well-protected.

Continuous improvement in ransomware-as-a-service (RaaS) points to the intensifying threat that organisations have to grapple with as they secure sensitive data from increasingly sophisticated adversaries. The Qilin operation exemplifies how ransomware groups continue to adapt themselves to avoid defences, so proactive and adaptive security measures are justified in industries.


Read more »
Vendors
Breaches Clean Energy Cyber Security Energy IT Security Ransomware resilience Risks Supply Chain Vendors

Energy Sector Faces Heightened Supply Chain Risks Amid Growing Dependence on IT and Software Vendors

 

The energy industry is experiencing a sharp increase in supply chain risks, largely driven by its growing reliance on external vendors. According to a recent report, two-thirds of security breaches in this sector now originate from software and IT vendors.

The study, conducted by SecurityScorecard and KPMG, titled "A Quantitative Analysis of Cyber Risks in the U.S. Energy Supply Chain," draws attention to frequent threats, including ransomware attacks targeting traditional IT systems.

Researchers have emphasized that as the transition to cleaner energy picks up pace, and as the grid becomes more interconnected and software-reliant, vulnerabilities in the energy sector are expected to increase.

Ryan Sherstobitoff, senior vice president of threat research and intelligence at SecurityScorecard, stated, “The energy sector's rising dependence on third-party vendors exposes a significant vulnerability—its security is only as robust as its weakest link."

He added that this growing reliance on external vendors introduces considerable risks, urging the industry to strengthen cybersecurity defenses before a breach escalates into a national crisis.

The report highlighted that third-party risks account for nearly half of all breaches in the energy sector—significantly higher than the global average of 29%. Over 90% of organizations that experienced multiple breaches were attacked through third-party vendors.

Additionally, the report found that software and IT vendors were responsible for 67% of third-party breaches, while only a small number were linked to other energy companies. A notable portion of these incidents stemmed from the MOVEit file transfer software vulnerability, which was exploited by the Clop ransomware group last year.

The report also pointed out application security, DNS health, and network security as some of the most significant weaknesses in the sector.

The findings come at a time when the U.S. Department of Energy is convening with energy sector leaders to promote the Supply Chain Cybersecurity Principles, urging companies to focus on reducing risks posed by software and IT vendors, which represent the highest third-party threats.

As part of this effort, energy operators are encouraged to ensure new technology purchases are secure by incorporating initiatives like CISA’s "Secure by Design" and following the Department of Energy’s Supply Chain Cybersecurity Principles. The industry must also bolster security programs to defend against supply chain risks and geopolitical threats, especially from nation-state actors, and analyze ransomware attacks affecting foreign counterparts to improve resilience.

“The energy sector is a complex system undergoing a significant generational shift, heavily reliant on a stable supply chain," said Prasanna Govindankutty, KPMG's principal and cybersecurity leader for the U.S. sector.

He further explained that with rising geopolitical and technology-based threats, the industry is facing a level of risk exposure that could negatively impact both businesses and citizens. Organizations that can quantify these risks and implement mitigation strategies will be better equipped to navigate the energy transition.
Read more »
Ransomware
Backups computer crime cryptocurrency Cyber Security Cybersecurity Data Recovery encryptor Hacking phishing Ransomware

The Evolution of Computer Crime: From Tinkering to Ransomware Threats

 



In the early days of computing, systems were relatively isolated, primarily reserved for academic and niche applications. Initial security incidents were more about experimentation gone wrong than intentional harm.

Today, the scenario is vastly different. Computers are everywhere—powering our homes, workplaces, and even critical infrastructure. With this increased reliance, new forms of cybercrime have emerged, driven by different motivations.

Computer crimes, which once revolved around simple scams and tech-savvy groups, have evolved. Modern attackers are more professional and devastating, often state-sponsored, like ransomware collectives.

A prime example of this evolution is ransomware. What began as simple criminal schemes has turned into a full-fledged industry, with criminals realizing that encrypting data and demanding payment is a highly lucrative enterprise.

Ransomware attacks follow a predictable pattern. First, the attacker deploys an encryptor on the victim’s system, locking them out. Then, they make their presence known through alarms and ransom demands. Finally, if the ransom is paid, some attackers provide a tool to decrypt the data, though others might threaten public exposure of sensitive data instead.

However, ransomware attackers face two key challenges. The first is infiltrating the target system, often achieved through phishing tactics or exploiting vulnerabilities. Attacks like WannaCry highlight how these methods can devastate unprotected systems.

The second challenge is receiving payment without revealing the attacker’s identity. Cryptocurrencies have helped solve this problem, allowing criminals to receive payments anonymously, making it harder for authorities to trace.

Preventing ransomware isn’t solely about avoiding the initial attack; it’s also about having a recovery strategy. Regular backups and proper employee training on cybersecurity protocols are crucial. Resilient companies use backup strategies to ensure they can restore systems quickly without paying ransoms.

However, backups must be thoroughly tested and isolated from the main system to prevent infection. Many companies fail to adequately test their backups, leading to a difficult recovery process in the event of an attack.

While ransomware isn’t a new concept in technical terms, its economic implications make it a growing threat. Cybercriminals can now act more ruthlessly and target industries that can afford to pay high ransoms. As these attacks become more common, companies must prepare to mitigate the damage and avoid paying ransoms altogether
Read more »
Security Defenses
BlackCat Cyber Community CyberCrime Cybersecurity Cyberthreats EMBARGO ESET MDeployment MS4Killer Ransomware Rust Security Defenses

Security Defenses Crippled by Embargo Ransomware

 


There is a new gang known as Embargo ransomware that specializes in ransomware-as-a-service (RaaS). According to a study by ESET researchers published Wednesday, the Embargo ransomware group is a relatively young and undeveloped ransomware gang. It uses a custom Rust-based toolkit, with one variant utilizing the Windows Safe Mode feature to disable security processes.

ESET researchers say that the Embargo ransomware group is developing custom Rust-based tools to defeat the cybersecurity defenses put in place by companies and governments. There is a new toolkit that was discovered in July 2024 during an attack on US companies by ransomware and is made up of a loader and an EDR killer, MDeployer, and MS4Killer, respectively, which can also be accessed and downloaded online. There are several ways in which MS4Killer can be utilized. 

For instance, it can be compiled according to each victim's environment, targeting only specific security solutions. As it appears that both tools were developed together, there is some overlap in functionality between them. Several of the programs that were developed as part of the group, including MDeployer, MS4Killer, and Embargo's ransomware payload, are written in Rust, thus suggesting that the language is one that the developers use most often. It is claimed that the group has committed ten acts of cybercrime on its dark web leak site, including a non-bank lender from Australia, a police department from South Carolina, and a community hospital from Idaho. 

An interview conducted in June with a self-proclaimed representative of Embargo said that the group specializes in ransomware-as-a-service, with affiliates taking an extortion payment of up to 80%. It is believed that the toolkit discovered by Eset consists of two primary components: MDeployer, which is designed to deploy Embargo's ransomware and other malicious payloads, and MS4Killer, which is built to exploit vulnerable drivers to disable endpoint detection and response systems. 

In both MDeployment and MS4Killer, Rust is used as the programming language. Because of its memory protection features as well as its low-level capabilities, it can be used to create malware that is both effective and resilient. A study conducted by Eset reported that Embargo can target both Windows and Linux systems with Rust. It was in May 2024, one month after the first observation of Embargo in the ESET telemetry in June 2024 that Embargo was publicly observed for the first time. There are several reasons why the group has drawn attention besides the fact that it successfully breached high-profile targets as well as the language it used for its ransomware payload that piqued people's curiosity. 

As part of its development, Embargo chose Rust, which is a cross-platform programming language that provided the potential to develop ransomware that targets both Windows and Linux platforms. The Embargo group follows in the footsteps of BlackCat and Hive as yet another group developing ransomware payloads using Rust programming language. It is clear from Embargo's mode of operation that it is a well-resourced group considering its modus operandi. This system also allows victims to communicate with it via Tox, which results in the communication being managed by the system itself. It is a group that uses double extortion to force victims to pay him and then publishes the stolen information on its leaked website too. 

It is the MDeployer that Embargo uses mainly to install malicious loads on victims' computers within the compromised network to destroy them. An application for this purpose is designed to make it easier to execute ransomware and encrypt files. Two payloads are executed, MS4Killer and Embargo ransomware. Additionally, two encrypted files, a.cache, and b.cache, which were dropped by an unknown stage in the previous step, are decrypted and delivered to the victim. 

If the ransomware finishes encrypting the system, the MDeployer terminates the MS4Killer process, deletes all the decrypted payload files and the driver file dropped by MS4Killer, and finally restarts the computer. Besides the fact that MDeployer can run as a DLL file with administrative privileges, it has also the ability to reboot the victim's system into a Safe Mode if it is executed with administrator access. This is because major cybersecurity defenses aren't switched on in Safe Mode, which allows threat actors to continue operating undetected. The initial intrusion vector is unknown, however, once MDeployer has installed itself on the victim machine, it decrypts MS4Killer from the encrypted file "b.cache" and drops the file "praxisbackup.exe" into the system. 

In every single case observed by ESET, the MDeployer used the same hardcoded RC4 key to decrypt both files from "a.cache" and dropped and executed them as "pay.exe." MDeployer decrypted both files using the same hardcoded RC4 key. It has been reported that MS4Killer allegedly builds upon the S4Killer proof-of-concept tool available on GitHub and drops the vulnerable mini-filter drive problem.sys version 3.0.0.4 as part of what is known as the "Bring Your Own Vulnerable Driver" idea (BYOVD), which is a technique developed to deal with driver vulnerabilities in general. The researchers wrote in their paper that MS4Killer exploits this vulnerability to obtain kernel-level code execution and interacts with security software to carry out its malicious purposes. 

The Embargo's version of MS4Killer differs from the original MS4Killer in that Embargo has hardcoded a list of the processes to be killed into its binary. It has also encrypted the embedded driver blob which is an RC4 hash. Using cloud-based techniques, ESET researchers describe how MS4Killer runs in an endless loop and constantly seeks out processes that need to be terminated.   

MDeployer, a component of the Embargo ransomware attack chain, meticulously logs any errors encountered during its operations in a file named “fail.txt.” Upon completion of the attack — whether by successful ransomware deployment or an error in loader execution halting the attack — the MDeployer initiates a cleanup routine. This process includes terminating the MS4Killer loop and deleting specific files such as praxisbackup.exe, pay.exe, and a vulnerable driver. 

Additionally, it generates a control file named “stop.exe,” which certain MDeployer versions reference to prevent re-execution and, consequently, double encryption. Embargo, developed in Rust, appends each encrypted file with a unique, randomly generated six-character extension combining letters and numbers, such as “.b58eeb.” It also drops a ransom note titled “HOW_TO_RECOVER_FILES.txt” in each affected directory. The group has established its secure infrastructure for covert communication with victims but provides the option to negotiate through Tox chat as well. 

Although still developing, Embargo shows signs of ambition, borrowing techniques from established ransomware-as-a-service (RaaS) groups. These include implementing the "bring your vulnerable driver" (BYOVD) strategy, exploiting Safe Mode, and leveraging the adaptable Rust programming language. ESET's analysis highlights Embargo’s indicators of compromise (IoCs) and its tactics, techniques, and procedures (TTPs), offering guidance to help organizations defend against this emerging threat.
Read more »
Transak
cryptocurrency Data Breach KYC Ransomware Transak

Data Breach Exposes 93,000 Transak Users Due to Employee’s Device Misuse

 





Transak is an operation that enables users to buy cryptocurrencies using the Metamask, Binance, and Trust Wallet platforms. The company has just announced a data breach that exposed the names and identity documents of approximately 93,000 users. According to the company, the data breach happened through the misutilization of work equipment by the employee.


Facts of the Breach

The hack went through a company due to an abuse of work times by one of its employees through the use of his laptop for non-work purposes. In reality, it happened to be a malicious script run unknowingly by the employee. It gave cybercriminals access to one of the firm's third-party Know Your Customer (KYC) authentication services. It means that only 1.14% of users were affected, but even the leaked data contained sensitive personal documents like passports, ID cards, and selfies.

According to the Transak CEO, Sami Start, the leaked information was not about sensitive matters like social security numbers, bank statements, or emails. However, it's quite a serious concern in terms of privacy. The firm is terming this incident "mild to moderate" as no financial information was leaked.

 

Ransomware Group Claims Responsibility

The group behind the ransomware attack has now claimed responsibility for it and is trying to get a ransom out of Transak so that it does not publish any more of its data. It has already published parts of this stolen data online and says it has an even greater dataset, all up of over 300 GB in total, comprising sensitive personal documents, proof of address, financial statements, and so on. They have threatened to leak or sell the remaining data unless their threats are met.

However, despite the threat, Transak has not entered into negotiations with the attackers. Start averred that the company had reached out to affected customers and had also notified law enforcement agencies and relevant data regulators of the attack. He also believes that the ransomware group is inflating its report of data that they have obtained since only a subset of their KYC data was involved.


Cause and Impact

The vulnerability on the system of the KYC vendor is what hackers exploited after obtaining illegal access through the compromised employee's device, making the breach of data possible. This is an incident that brings out more sharply the risks involved when work equipment is misused or even failed to follow cybersecurity protocols. The affected employee was dismissed from the company afterward.

The CEO continued to say that the rest of the other systems were not affected within the system; the hackers had access only to this one KYC service. No other systems had been, nor would have been, compromised. Therefore, no information has leaked. Only a few rumours were spread that some other significant systems have been compromised.


Transak's Response

Transak is working with data regulators to manage the breach and is working on steps that will prevent this from happening again. The company assured its users also that there was no sensitive information stolen including one's password, credit card details, or a social security number. However, the exposure of their personal identification documents still poses risks for those affected users.

The aftermath of this incident has seen the company looking at various ways it can enhance its security measures to avoid such a breach from happening in the future. Even though the damage done is still under calculation, the response of Transak to the ransomware gang explicitly proves that latter has a stance on maintaining integrity despite the challenges posed to it by cyber-hoodlums.


The Transak data breach thus presents as a wake-up call to business by upholding proper cybersecurity in the management of work-related devices. With increased cyber-attacks on the crypto industry, businesses have to raise their mechanisms of protection for user data. Here, the hack demonstrated the possible risks that may be uncovered when security measures get badged by malicious actors.


Read more »
Subscribe to: Posts (Atom)