Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Ransomwares. Show all posts
Ransomwares
Cyber Attacks Cybersecurity data security Media Industry News Corporation Ransomware attack Ransomwares

Lee Enterprises Faces Prolonged Ransomware Attack Disrupting Newspaper Operations

 

Lee Enterprises, one of the largest newspaper publishers in the United States, is facing an ongoing ransomware attack that has severely disrupted its operations for over three weeks. The company confirmed the attack in a filing with the U.S. Securities and Exchange Commission (SEC), revealing that hackers illegally accessed its network, encrypted critical applications, and exfiltrated certain files. 

The publishing giant is now conducting a forensic investigation to determine whether sensitive or personal data was stolen. The attack has had widespread consequences across Lee’s business, affecting essential operations such as billing, collections, vendor payments, and the distribution of print newspapers. Many of its 72 publications have experienced significant delays, with some print editions not being published at all. 

The Winston-Salem Journal in North Carolina reported that it was unable to print several editions, while the Albany Democrat-Herald and Corvallis Gazette-Times in Oregon faced similar disruptions, preventing the release of at least two editions. Digital services have also been affected. On February 3, Lee Enterprises notified affected media outlets that one of its data centers, which supports applications and services for both the company and its customers, had gone offline. 

This outage has prevented subscribers from logging into their accounts and accessing key business applications. Several Lee-owned newspaper websites now display maintenance messages, warning readers that subscription services and digital editions may be temporarily unavailable. The full impact of the attack is still being assessed, but Lee has acknowledged that the incident is “reasonably likely” to have a material financial impact. With print and digital disruptions continuing, the company faces potential revenue losses from advertising, subscription cancellations, and operational delays. 

Law enforcement has been notified, though the company has not disclosed details about the perpetrators or whether it is considering paying a ransom. Ransomware attacks typically involve cybercriminals encrypting a company’s data and demanding payment in exchange for its release. If Lee refuses to negotiate, it may take weeks or months to fully restore its systems. 

Cyberattacks targeting media organizations have become increasingly common, as newspapers and digital publications rely on complex networks that can be vulnerable to security breaches. The Freedom of the Press Foundation is currently tracking the scope of the attack and compiling a list of affected newspapers. For now, Lee Enterprises continues its recovery efforts while its newspapers work to restore regular operations. 

Until the attack is fully resolved, readers, advertisers, and employees may continue to face disruptions across print and digital platforms. The incident highlights the growing threat of ransomware attacks on critical infrastructure and the challenges companies face in securing their networks against cyber threats.
Read more »
Ransomwares
Cyber Security cyber threat Data Hackers Data Theft Huntress SMB Report Ransomware threats Ransomwares

Ransomware Tactics Evolve as Hackers Shift Focus to Data Theft

 

Ransomware groups are adapting their strategies to outsmart stronger cybersecurity defenses and increasing law enforcement pressure, according to the Huntress 2025 Cyber Threat Report. The findings reveal that attackers are moving beyond traditional encryption-based ransomware, instead focusing on data theft and extortion to bypass modern protections. 

In 2024, 75% of ransomware cases Huntress investigated involved remote access Trojans (RATs), allowing hackers to infiltrate systems discreetly. Additionally, 17.3% of incidents featured the misuse of legitimate remote management tools such as ConnectWise ScreenConnect, TeamViewer, and LogMeIn. This shift reflects a growing reliance on “living off the land” techniques, where attackers use trusted administrative tools to avoid detection. 

A significant trend noted in the report is that sophisticated tactics once reserved for targeting large enterprises are now common across businesses of all sizes. Huntress observed that cybercriminals are increasingly disabling or tampering with security software to maintain access and avoid detection, effectively closing the gap between attacks on major corporations and smaller organizations.  

Huntress’ analysis of over 3 million endpoints also revealed that nearly 24% of ransomware incidents in 2024 involved infostealer malware, while malicious scripts designed to automate attacks and evade security tools appeared in 22% of cases. Greg Linares, principal threat intelligence analyst at Huntress, states that ransomware groups must constantly evolve to survive in the competitive cybercrime landscape.

“If malware isn’t staying ahead of detection techniques, it becomes obsolete fast,” Linares explained. Another key insight from the report was the speed of modern ransomware campaigns. On average, the time from initial access to the delivery of a ransom demand — known as time-to-ransom (TTR) — was just 17 hours. Some groups, including Play, Akira, and Dharma/Crysis, were even faster, with TTRs averaging around six hours.  

Interestingly, Huntress noted a clear shift in ransomware tactics: rather than encrypting data, many attackers now opt to exfiltrate sensitive information and threaten to leak it unless a ransom is paid. This change is seen as a direct response to stronger ransomware defenses and increased law enforcement efforts, which led to the takedown of major groups like Lockbit. 

However, this shift presents new challenges for companies. While endpoint detection and ransomware protections have improved, the report points out that data loss prevention (DLP) measures remain underdeveloped. Linares noted that DLP solutions are often overlooked, especially in organizations with remote work and bring-your-own-device (BYOD) policies. These environments, he said, often lack the comprehensive monitoring and control needed to prevent data exfiltration. 

To stay ahead of these evolving threats, Huntress recommends that businesses not only strengthen their ransomware defenses but also implement more robust DLP strategies to protect sensitive data. As ransomware gangs continue to adapt, companies must be proactive in addressing both encryption and data theft risks.
Read more »
Shadow AI
AI Deepfakes AI threats Cyber Security cybercriminals Cybersecurity measures IABs Open Source Ransomwares Shadow AI

Emerging Cybersecurity Threats in 2025: Shadow AI, Deepfakes, and Open-Source Risks

 

Cybersecurity continues to be a growing concern as organizations worldwide face an increasing number of sophisticated attacks. In early 2024, businesses encountered an alarming 1,308 cyberattacks per week—a sharp 28% rise from the previous year. This surge highlights the rapid evolution of cyber threats and the pressing need for stronger security strategies. As technology advances, cybercriminals are leveraging artificial intelligence, exploiting open-source vulnerabilities, and using advanced deception techniques to bypass security measures. 

One of the biggest cybersecurity risks in 2025 is ransomware, which remains a persistent and highly disruptive threat. Attackers use this method to encrypt critical data, demanding payment for its release. Many cybercriminals now employ double extortion tactics, where they not only lock an organization’s files but also threaten to leak sensitive information if their demands are not met. These attacks can cripple businesses, leading to financial losses and reputational damage. The growing sophistication of ransomware groups makes it imperative for companies to enhance their defensive measures, implement regular backups, and invest in proactive threat detection systems. 

Another significant concern is the rise of Initial Access Brokers (IABs), cybercriminals who specialize in selling stolen credentials to hackers. By gaining unauthorized access to corporate systems, these brokers enable large-scale cyberattacks, making it easier for threat actors to infiltrate networks. This trend has made stolen login credentials a valuable commodity on the dark web, increasing the risk of data breaches and financial fraud. Organizations must prioritize multi-factor authentication and continuous monitoring to mitigate these risks. 

A new and rapidly growing cybersecurity challenge is the use of unauthorized artificial intelligence tools, often referred to as Shadow AI. Employees frequently adopt AI-driven applications without proper security oversight, leading to potential data leaks and vulnerabilities. In some cases, AI-powered bots have unintentionally exposed sensitive financial information due to default settings that lack robust security measures. 

As AI becomes more integrated into workplaces, businesses must establish clear policies to regulate its use and ensure proper safeguards are in place. Deepfake technology has also emerged as a major cybersecurity threat. Cybercriminals are using AI-generated deepfake videos and audio recordings to impersonate high-ranking officials and deceive employees into transferring funds or sharing confidential data. 

A recent incident involved a Hong Kong-based company losing $25 million after an employee fell victim to a deepfake video call that convincingly mimicked their CFO. This alarming development underscores the need for advanced fraud detection systems and enhanced verification protocols to prevent such scams. Open-source software vulnerabilities are another critical concern. Many businesses and government institutions rely on open-source platforms, but these systems are increasingly being targeted by attackers. Cybercriminals have infiltrated open-source projects, gaining the trust of developers before injecting malicious code. 

A notable case involved a widely used Linux tool where a contributor inserted a backdoor after gradually establishing credibility within the project. If not for a vigilant security expert, the backdoor could have remained undetected, potentially compromising millions of systems. This incident highlights the importance of stricter security audits and increased funding for open-source security initiatives. 

To address these emerging threats, organizations and governments must take proactive measures. Strengthening regulatory frameworks, investing in AI-driven threat detection, and enhancing collaboration between cybersecurity experts and policymakers will be crucial in mitigating risks. The cybersecurity landscape is evolving at an unprecedented pace, and without a proactive approach, businesses and individuals alike will remain vulnerable to increasingly sophisticated attacks.
Read more »
Ransomwares
Cyber Attacks IT Companies IT Service NSE Ransomware attack Ransomwares

Tata Technologies Hit by Ransomware Attack: IT Services Temporarily Suspended

 

Tata Technologies, a multinational engineering firm and subsidiary of Tata Motors, recently experienced a ransomware attack that led to the temporary suspension of certain IT services. The company promptly launched an investigation into the incident and assured stakeholders that its operations remained unaffected. In a statement to Recorded Future News, Tata Technologies confirmed the cyberattack but refrained from sharing specifics, including the identity of the ransomware gang responsible, the divisions impacted, or whether any sensitive data was compromised.

On Friday, Tata Technologies filed an official report with the National Stock Exchange of India (NSE), confirming that only a few IT assets were affected. The company stated that it had taken precautionary measures by temporarily suspending some IT services, which have since been restored. Despite the attack, Tata Technologies emphasized that its client delivery services continued without interruption. As of now, no ransomware group has publicly claimed responsibility for the attack.

Implications of the Attack

Ransomware attacks often involve data exfiltration, raising concerns about the potential exposure of sensitive corporate or customer information. Cybercriminal gangs typically take credit for breaches to pressure organizations into paying ransoms, but in this case, there has been no such acknowledgment. Tata Technologies specializes in providing engineering services to industries such as automotive, aerospace, and industrial manufacturing. Operating in 27 countries, the company plays a critical role in supporting the global automotive sector with advanced digital solutions.

In its latest financial report, Tata Technologies reported a revenue of $156.6 million in the last quarter, underscoring its significant market presence. This incident is not the first time a Tata Group company has faced cybersecurity challenges. In 2022, Tata Power, a major energy subsidiary, reported a cyberattack that affected parts of its IT infrastructure. That breach raised concerns about the cybersecurity preparedness of Tata Group companies, given their extensive global operations and reliance on digital technologies.

Growing Cybersecurity Risks for Multinational Corporations

The attack on Tata Technologies highlights the increasing cybersecurity risks faced by multinational corporations. Ransomware groups continue to target high-value organizations, exploiting vulnerabilities in IT systems to disrupt operations and steal sensitive data. While Tata Technologies has managed to maintain business continuity, the incident serves as a reminder of the importance of robust cybersecurity measures.

Organizations facing ransomware threats typically invest in enhanced security protocols, such as:

  1. Regular System Updates: Ensuring that all software and systems are up-to-date to patch known vulnerabilities.
  2. Multi-Factor Authentication (MFA): Adding an extra layer of security to prevent unauthorized access.
  3. Employee Cybersecurity Training: Educating staff on recognizing phishing attempts and other common attack vectors.

Additionally, cybersecurity experts recommend that companies establish comprehensive incident response plans to mitigate the impact of potential cyberattacks. These plans should include steps for identifying, containing, and recovering from breaches, as well as communication strategies to keep stakeholders informed.

The ransomware attack on Tata Technologies underscores the growing threat of cyberattacks targeting multinational corporations. While the company has managed to restore its IT services and maintain business continuity, the incident highlights the need for proactive cybersecurity measures. As Tata Technologies continues its investigation, further details may emerge regarding the extent of the attack and any measures being taken to prevent future incidents. In an era of escalating cyber threats, organizations must remain vigilant and invest in robust security frameworks to protect their operations and sensitive data.

Read more »
Ransomwares
AI Attack Cyber Attacks cybercrime group Data Leak Hacktivism RaaS Ransom Demand Ransomware attack Ransomwares

FunkSec Ransomware Group: AI-Powered Cyber Threat Targeting Global Organizations

 

A new ransomware group, FunkSec, has emerged as a growing concern within the cybersecurity community after launching a series of attacks in late 2024. Reports indicate that the group has carried out over 80 cyberattacks, signaling a strategic blend of hacktivism and cybercrime. According to recent findings, FunkSec’s activities suggest that its members are relatively new to the cyber threat landscape but have been using artificial intelligence (AI) to amplify their capabilities and expand their reach. 

FunkSec’s ransomware, developed using the Rust programming language, has caught the attention of security analysts due to its complexity and efficiency. Investigations suggest that AI tools may have been used to assist in coding and refining the malware, enabling the attackers to bypass security defenses more effectively. A suspected Algerian-based developer is believed to have inadvertently leaked portions of the ransomware’s code online, providing cybersecurity researchers with valuable insights into its functionality. 

Operating under a ransomware-as-a-service (RaaS) framework, FunkSec offers its malware to affiliates, who then carry out attacks in exchange for a percentage of the ransom collected. Their approach involves double extortion tactics—encrypting critical files while simultaneously threatening to publish stolen information unless the victim meets their financial demands. To facilitate their operations, FunkSec has launched an underground data leak website, where they advertise stolen data and offer additional cybercrime tools, such as distributed denial-of-service (DDoS) attack capabilities, credential theft utilities, and remote access software that allows for covert control of compromised systems. 

The origins of FunkSec date back to October 2024, when an online persona known as “Scorpion” introduced the group in underground forums. Additional figures, including “El_Farado” and “Bjorka,” have been linked to its expansion. Investigators have noted discrepancies in FunkSec’s communications, with some materials appearing professionally written in contrast to their typical informal style. This has led experts to believe that AI-generated content is being used to improve their messaging and phishing tactics, making them appear more credible to potential victims. 

FunkSec’s ransomware is designed to disable security features such as antivirus programs, logging mechanisms, and backup systems before encrypting files with a “.funksec” extension. The group’s ransom demands are relatively modest, often starting at around $10,000, making their attacks more accessible to a wide range of potential victims. Additionally, they have been known to sell stolen data at discounted rates to other threat actors, further extending their influence within the cybercriminal ecosystem. Beyond financial motives, FunkSec has attempted to align itself with hacktivist causes, targeting entities in countries like the United States and India in support of movements such as Free Palestine. 

However, cybersecurity analysts have expressed skepticism over the authenticity of their claims, noting that some of the data they leak appears to have been recycled from previous breaches. While FunkSec may be a relatively new player in the cyber threat landscape, their innovative use of AI and evolving tactics make them a significant threat. Security experts emphasize the importance of proactive measures such as regular system updates, employee training on cybersecurity best practices, and the implementation of robust access controls to mitigate the risks posed by emerging ransomware threats like FunkSec.
Read more »
Ransomwares
Andariel Cyber Attacks FortiOS Play ransomware Play ransomware variant ProxyNotShell ransomware attacks Ransomwares

Play Ransomware Threat Intensifies with State-Sponsored Links and Advanced Tactics

 

Play ransomware continues to be a formidable cybersecurity threat, with over 300 successful attacks reported globally since its first detection in 2022. Named for the “.PLAY” extension it appends to encrypted files, this ransomware has been linked to Andariel, a North Korean state-sponsored hacking group operating under the Reconnaissance General Bureau. 

This connection highlights the increasing involvement of state-backed actors in sophisticated cybercrime campaigns targeting both public and private sector organizations worldwide. Recent analysis by AhnLab sheds light on how Play ransomware gains access to its victims’ networks. The attackers exploit vulnerabilities in widely used software systems or misuse valid user accounts. 

Known flaws in Microsoft Exchange Server’s ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082) and Fortinet’s FortiOS (CVE-2020-12812 and CVE-2018-13379) have been frequently abused by these attackers. After infiltrating a network, they use port scanning techniques to gather information about active systems and services, collect Active Directory data, and identify paths for privilege escalation. These escalated privileges allow the attackers to obtain administrator-level access, steal credentials, and ultimately gain control over the domain environment. 

One of the key challenges in detecting Play ransomware lies in its ability to blend malicious activities with legitimate operations. The attackers often use tools like Process Hacker to disable security products. Many of these tools are not inherently malicious and are commonly used for legitimate purposes, making it difficult for security systems to distinguish between normal and nefarious activities. This ability to evade detection underscores the sophistication of Play ransomware and its operators. 

The impact of a Play ransomware attack goes beyond encryption. Like many modern ransomware variants, Play uses double-extortion tactics, exfiltrating sensitive data before locking systems. This exfiltrated data is then leveraged to pressure victims into paying ransoms by threatening to leak the information on dark web forums. The combination of system disruption and the risk of public data exposure makes Play ransomware particularly damaging to its targets. To mitigate the risks posed by Play ransomware, cybersecurity experts and the Federal Bureau of Investigation (FBI) recommend implementing proactive defenses. 

Organizations should ensure that software, operating systems, and firmware are regularly updated to address vulnerabilities. Phishing-resistant multi-factor authentication (MFA) is crucial to reduce the risk of unauthorized access, while employee training on recognizing phishing attempts remains essential. Additionally, network segmentation can limit the attackers’ ability to move laterally, reducing the overall impact of an attack. 

Play ransomware illustrates the evolving complexity of cyber threats, particularly those linked to state-sponsored groups. Its reliance on exploiting known vulnerabilities, combined with its use of legitimate tools, highlights the critical need for organizations to adopt comprehensive cybersecurity measures. By prioritizing vulnerability management, user education, and proactive defenses, organizations can better protect themselves against the ongoing threat posed by Play ransomware and similar cyber campaigns.
Read more »
Ransomwares
Cyber Security Data Exfiltration Double extortion Encrypted Files Play ransomware PlayCrypt Ransomware attack Ransomwares

Play Ransomware: A Rising Global Cybersecurity Threat

 


Play ransomware, also known as Balloonfly or PlayCrypt, has become a significant cybersecurity threat since its emergence in June 2022. Responsible for over 300 global attacks, this ransomware employs a double extortion model — stealing sensitive data before encrypting files and appending them with the ".PLAY" extension. 

Victims are pressured to pay ransoms to recover their data and prevent its public release, making Play ransomware particularly dangerous for organizations worldwide. 

Recent investigations have revealed possible connections between Play ransomware and the North Korean-linked Andariel group. Research by cybersecurity firm AhnLab suggests that Andariel utilizes malware like Sliver and DTrack for reconnaissance and data theft prior to deploying ransomware attacks. The group's history with advanced ransomware strains such as SHATTEREDGLASS and Maui highlights the increasing sophistication of Play ransomware operations. Exploitation of Security Vulnerabilities Play ransomware exploits vulnerabilities in widely used systems to gain unauthorized access. Notable targets include:
  • ProxyNotShell (CVE-2022-41040, CVE-2022-41082): Flaws in Microsoft Exchange Server exploited for initial network infiltration.
  • FortiOS Vulnerabilities (CVE-2020-12812, CVE-2018-13379): Security gaps in Fortinet products leveraged for unauthorized access.
By exploiting these vulnerabilities and using compromised credentials, attackers can bypass detection and establish control over targeted networks. 
  
Play Ransomware Attack Lifecycle 
 
Play ransomware operators follow a structured, multi-phase attack methodology:
  • Reconnaissance: Tools like NetScan and AdFind are used to map networks and gather critical system information.
  • Privilege Escalation: Attackers employ scripts such as WinPEAS to exploit vulnerabilities and obtain administrative privileges.
  • Credential Theft: Tools like Mimikatz extract sensitive login information, enabling deeper network penetration.
  • Persistence and Lateral Movement: Remote access tools like AnyDesk and proxy utilities like Plink are used to maintain control and spread malware. Additional tools, such as Cobalt Strike and PsExec, facilitate lateral movement across networks.
  • Defense Evasion: Security programs are disabled using tools like Process Hacker to avoid detection.
  • Data Exfiltration: Files are compressed with WinRAR and transferred using WinSCP before encryption begins.
  • File Encryption and Ransom Demand: Files are encrypted and appended with the ".PLAY" extension. Victims receive a ransom note titled "ReadMe.txt", providing negotiation instructions and a Tor link for secure communication.
Mitigation Strategies Against Play Ransomware 
 
Organizations can reduce the risk of Play ransomware attacks by adopting proactive cybersecurity measures, including:
  • Patch Management: Regularly updating and patching known system vulnerabilities.
  • Advanced Security Protocols: Implementing robust endpoint detection and response (EDR) solutions.
  • Access Control: Strengthening authentication methods and restricting privileged access.
  • Employee Awareness: Conducting cybersecurity training to recognize phishing and social engineering attacks.
  • Data Backup: Maintaining secure, offline backups to enable data recovery without paying ransom demands.
Play ransomware exemplifies the growing complexity and impact of modern cyber threats. Its sophisticated attack methods, exploitation of known vulnerabilities, and suspected collaboration with nation-state actors make it a serious global concern. Proactive cybersecurity strategies and heightened vigilance are essential to protect organizations from this evolving threat.
Read more »
spyware and malware
Cyber Attacks cybercriminals data security Data Theft NCC Group Ransomware attack Ransomwares Spyware spyware and malware

Ymir Ransomware: A Rising Threat in the Cybersecurity Landscape

 

The evolving threat landscape continues to present new challenges, with NCC Group’s latest Threat Pulse report uncovering the emergence of Ymir ransomware. This new ransomware strain showcases the growing collaboration among cybercriminals to execute highly sophisticated attacks.

First documented during the summer of 2024, Ymir initiates its attack cycle by deploying RustyStealer, an infostealer designed to extract credentials and serve as a spyware dropper. Ymir then enters its locker phase, executing swiftly to avoid detection. According to an analysis by Kaspersky, based on an attack in Colombia, Ymir’s ransomware locker employs a configurable, victim-tailored approach, focusing on a single-extortion model, where data is encrypted but not stolen.

Unlike many modern ransomware groups, Ymir’s operators lack a dedicated leak site for stolen data, further distinguishing them. Linguistic analysis of the code revealed Lingala language strings, suggesting a possible connection to Central Africa. However, experts remain divided on whether Ymir operates independently or collaborates with other threat actors.

Blurred Lines Between Criminal and State-Sponsored Activities

Matt Hull, NCC Group’s Head of Threat Intelligence, emphasized the challenges of attribution in modern cybercrime, noting that blurred lines between criminal groups and state-sponsored actors often complicate motivations. Geopolitical tensions are a driving factor behind these dynamic threat patterns, as highlighted by the UK’s National Cyber Security Centre (NCSC).

Ransomware Trends and Global Incidents

Recent incidents exemplify this evolving threat landscape:

  • The KillSec hacktivist group transitioned into ransomware operations.
  • Ukraine’s Cyber Anarchy Squad launched destructive attacks targeting Russian organizations.
  • North Korea’s Jumpy Pisces APT collaborated with the Play ransomware gang.
  • The Turk Hack Team attacked Philippine organizations using leaked LockBit 3.0 lockers.

NCC Group’s report indicates a 16% rise in ransomware incidents in November 2024, with 565 attacks recorded. The industrial sector remains the most targeted, followed by consumer discretionary and IT. Geographically, Europe and North America experienced the highest number of incidents. Akira ransomware overtook RansomHub as the most active group during this period.

State-Backed Threats and Infrastructure Risks

State-backed cyber groups continue to escalate their operations:

  • Sandworm, a Russian APT recently reclassified as APT44, has intensified attacks on Ukrainian and European energy infrastructure.
  • As winter deepens, threats to critical national infrastructure (CNI) heighten global concerns.

Ransomware is evolving into a multipurpose tool, used by hacktivists to fund operations or to obfuscate advanced persistent threats (APTs). With its trajectory pointing to continued growth and sophistication in 2025, heightened vigilance and proactive measures will be essential to mitigate these risks.

Read more »
Ransomwares
Cyber Security Cyber Security Vendor macOS MacOS Malware Malware attacks MITRE MITRE ATT&CK Ransomwares

MITRE’s Latest ATT&CK Evaluations Reveal Critical Insights into Cybersecurity Solutions

 

MITRE Corporation has published its findings from the latest round of ATT&CK evaluations, offering important insights into the effectiveness of enterprise cybersecurity solutions. This sixth evaluation assessed 19 vendors against two major ransomware strains, Cl0p and LockBit, as well as North Korean-linked malware targeting macOS systems. The advanced malware simulations used during the evaluation highlighted sophisticated tactics, such as exploiting macOS utilities and covert data exfiltration, emphasizing the dynamic nature of modern cyber threats.

The Findings and Their Significance

According to MITRE’s general manager, William Booth, the evaluation revealed notable disparities in vendors’ abilities to detect and distinguish between malicious activities. Some solutions achieved high detection rates but also suffered from alarmingly high false-positive rates, indicating a need for better precision in threat identification. MITRE’s methodology involved a two-phase approach: first, evaluating baseline detection capabilities and then assessing protection performance after vendors adjusted their configurations to improve detection accuracy. This approach highlights the adaptability of vendors in enhancing their solutions to counter emerging threats.

The Struggles with Post-Compromise Detection

A key takeaway from the evaluation was the struggle vendors faced with post-compromise threat detection. MITRE stressed the importance of detecting and mitigating ransomware activities after the initial breach, as ransomware often mimics legitimate system behaviors. Booth emphasized that relying solely on blocking initial infections is no longer sufficient—solutions must also account for activities occurring later in the attack chain. This represents a critical area where cybersecurity solutions need improvement to effectively neutralize threats at all stages of an attack.

Contrasting Detection Strategies

The evaluation also highlighted differences in detection strategies among vendors. Some vendors utilized machine learning and AI-based methods for threat detection, while others relied on more traditional heuristic approaches. These contrasting methodologies led to varying levels of effectiveness, particularly in the detection of false positives and distinguishing between benign and malicious activities. The use of AI-based methods showed promise, but some vendors struggled with accuracy, underscoring the challenges faced by the industry in keeping up with evolving threats.

MacOS Threats: A New Challenge

For the first time, MITRE included macOS threats in its evaluation. Addressing macOS malware posed unique challenges, as there is limited publicly available Cyber Threat Intelligence (CTI) on such threats. Despite these challenges, MITRE’s inclusion of macOS malware reflects its commitment to addressing the evolving threat landscape, particularly as more organizations adopt Apple devices in their enterprise environments. The move signals MITRE’s proactive approach to ensuring that cybersecurity solutions account for all major operating systems in use today.

Looking Ahead: Vendor Transparency and Improvement

Although MITRE refrains from ranking vendors, its evaluation provides transparency that can guide organizations in making informed decisions about their cybersecurity strategies. The findings underscore the importance of refining cybersecurity technologies to meet the demands of a rapidly evolving cyber environment. Booth highlighted that these evaluations encourage vendors to continuously improve their technologies to better counter the increasing sophistication of cyber threats.

By incorporating ransomware and macOS malware into its evaluations, MITRE continues to shed light on the complexities of modern cyberattacks. The insights gained from this evaluation are invaluable for organizations looking to enhance their defenses against increasingly sophisticated threats. As cyberattacks become more advanced, understanding the varying capabilities of enterprise security solutions is essential for building a robust cybersecurity posture.

Read more »
sensitive data theft
brain cipher Data Breach Data Theft Deloitte Ransomware attack Ransomware group Ransomwares sensitive data theft

Brain Cipher Ransomware Group Claims Deloitte UK Data Breach

 

Brain Cipher, a ransomware group that emerged in June 2024, has claimed responsibility for breaching Deloitte UK, alleging the exfiltration of over 1 terabyte of sensitive data from the global professional services firm. This claim has raised significant concerns about the cybersecurity defenses of one of the “Big Four” accounting firms. 

Brain Cipher’s Rising Notoriety 
 
Brain Cipher first gained attention earlier this year with its attack on Indonesia’s National Data Center, disrupting operations across more than 200 government agencies, including critical services like immigration and passport control. 

Its growing record of targeting high-profile organizations has heightened concerns over the evolving tactics of ransomware operators. 
 
Details of the Alleged Breach 

According to Brain Cipher, the breach at Deloitte UK revealed critical weaknesses in the company’s cybersecurity defenses. The group claims to have accessed and stolen more than:
  • 1 terabyte of compressed data,
  • Confidential corporate information,
  • Client records, and
  • Sensitive financial details.
Brain Cipher has promised to release detailed evidence of the breach, which reportedly includes:
  • Alleged violations of security protocols,
  • Insights into contractual agreements between Deloitte and its clients, and
  • Information about the firm’s monitoring systems and security tools.
In its statement, Brain Cipher mocked Deloitte’s cybersecurity measures, claiming, “We will show excellent (not) monitoring work and tell what tools we used and use there today.” 

Potential Implications 

If substantiated, the breach could result in:
  • The exposure of sensitive client data,
  • Confidential business information,
  • Financial records, and
  • Severe damage to Deloitte UK’s professional reputation.
Deloitte’s Response 
 
Deloitte UK has not confirmed or denied the breach. However, a company spokesperson issued a statement on December 7, 2024, downplaying the incident: 

"The allegations pertain to a single client’s external system and do not involve Deloitte’s internal network. No Deloitte systems have been impacted." The spokesperson emphasized that the company’s core infrastructure remains secure. 

Ransomware Threats Escalating 
 
Brain Cipher’s ability to target high-profile organizations demonstrates the increasing sophistication of ransomware groups. Their tactics often involve leveraging stolen data to exert pressure on victims, as seen in their apparent invitation for Deloitte representatives to negotiate via corporate email channels. 

Key Takeaways for Organizations 

This incident serves as a critical reminder for organizations to:
  • Implement advanced cybersecurity defenses,
  • Continuously monitor networks,
  • Detect potential breaches early, and
  • Stay ahead of emerging threats.
As the situation unfolds, the cybersecurity community will closely watch Brain Cipher’s next steps, particularly its promised release of evidence. For Deloitte UK and other global organizations, this incident underscores the urgent need for vigilance and robust security measures in an increasingly interconnected digital landscape.
Read more »
Stolen Data
Conti Ransomware Cyber Security data security Mimic Mimic Attacks Ransomware attack Ransomware families Ransomwares Stolen Data

Understanding Mimic Ransomware: Features, Threats, and Noteworthy Exploits

 


Mimic is a ransomware family first discovered in 2022. Like other ransomware, it encrypts files on a victim’s system and demands a cryptocurrency payment for the decryption key. What makes Mimic particularly concerning is its dual approach: it not only encrypts data but also exfiltrates it beforehand. This stolen data can be used as leverage, with attackers threatening to release or sell it if the ransom is not paid. 
 
Mimic is believed to reuse code from Conti, a well-known ransomware whose source code was leaked after the group publicly supported Russia’s invasion of Ukraine. While the exact origins of Mimic remain unclear, its operations appear to primarily target English- and Russian-speaking users.   
 

Exploitation of Legitimate Tools  

 
One of Mimic’s distinctive features is its exploitation of the API from Everything, a legitimate Windows file search tool developed by Voidtools. By leveraging this tool, the ransomware can quickly locate and encrypt files, increasing the efficiency of its attacks.   
 
Importantly, Mimic does not rely on victims having Everything pre-installed. Instead, it typically packages the tool along with additional malicious programs designed to:   
 
  • Disable Windows Defender to reduce system defenses. 
  • Misuse Sysinternals’ Secure Delete tool to erase backups, making file recovery more difficult. 

Indicators of Infection  

 
Victims of Mimic can identify an infection by the “.QUIETPLACE” extension added to encrypted files. Additionally, the ransomware leaves a ransom note demanding $3,000 in cryptocurrency to provide the decryption key.   
 
In many cases, victims feel compelled to pay the ransom, particularly when backups have been deleted or compromised.   
 

The Emergence of Elpaco   

 
A new variant of Mimic, known as Elpaco, has recently been detected. This variant is associated with attacks that involve brute-forcing Remote Desktop Protocol (RDP) credentials. Once access is gained, attackers exploit the *Zerologon* vulnerability (CVE-2020-1472) to escalate privileges and deploy the ransomware.   
 
Reports of Elpaco infections have surfaced in countries such as Russia and South Korea, underscoring the expanding reach and evolving capabilities of this ransomware family.   
 

The Importance of Vigilance 

 
Although tools like Everything and Secure Delete are not inherently harmful, Mimic’s misuse of these legitimate programs highlights the need for continuous vigilance. Cybercriminals are increasingly finding ways to exploit trusted software for malicious purposes. 
 
As Mimic and its variants continue to evolve, implementing robust cybersecurity measures—including regular system updates, strong authentication protocols, and comprehensive backup strategies—remains essential to mitigating the risk of ransomware attacks.
Read more »
supply chain security
Cyber Attacks Ransomware attack Ransomwares Software Providers Supply Chain supply chain attacks supply chain security

Ransomware Attack on Blue Yonder Disrupts Global Supply Chains

 

Blue Yonder, a leading supply chain software provider, recently experienced a ransomware attack that disrupted its private cloud services. The incident, which occurred on November 21, 2024, has affected operations for several high-profile clients, including major grocery chains in the UK and Fortune 500 companies. While the company’s Azure public cloud services remained unaffected, the breach significantly impacted its managed services environment. The attack led to immediate operational challenges for key customers. UK supermarket chains Morrisons and Sainsbury’s were among the most affected. 

Morrisons, which operates nearly 500 stores, reported delays in the flow of goods due to the outage. The retailer activated backup systems but acknowledged that its operations were still disrupted. Sainsbury’s similarly implemented contingency plans to address the situation and minimize the impact on its supply chain. In the United States, Blue Yonder serves prominent grocery retailers such as Kroger and Albertsons, though these companies have not confirmed whether their systems were directly affected. 

Other notable clients, including Procter & Gamble and Anheuser-Busch, also declined to comment on any disruptions they might have faced as a result of the attack. In response to the breach, Blue Yonder has enlisted the help of external cybersecurity firms to investigate the incident and implement stronger defenses. The company has initiated forensic protocols to safeguard its systems and prevent further breaches. While recovery efforts are reportedly making steady progress, Blue Yonder has not provided a timeline for full restoration. The company continues to emphasize its commitment to transparency and security as it works to resolve the issue. 

This attack highlights the growing risks faced by supply chain companies in an era of increasing cyber threats. Disruptions like these can have widespread consequences, affecting both businesses and consumers. A recent survey revealed that 62% of organizations experienced ransomware attacks originating from software supply chain vulnerabilities within the past year. Such findings underscore the critical importance of implementing robust cybersecurity measures to protect against similar incidents. 

As Blue Yonder continues its recovery efforts, the incident serves as a reminder of the potential vulnerabilities in supply chain operations. For affected businesses, the focus remains on mitigating disruptions and ensuring continuity, while industry stakeholders are left grappling with the broader implications of this growing threat.
Read more »
Ransomwares
ALPHV ALPHV Blackcat Ransomware Change Healthcare Cyber Attacks cybersecurity in healthcare Information Security Ransomware attack Ransomwares

Change Healthcare Restores Clearinghouse Services After Nine-Month Recovery From Ransomware Attack

 

Change Healthcare has announced the restoration of its clearinghouse services, marking a significant milestone in its recovery from a debilitating ransomware attack by the ALPHV/Blackcat group in February. 

The attack caused unprecedented disruption to one of the U.S.’s most critical healthcare transaction systems, which processes over 15 billion transactions annually and supports payments and communications for hospitals, healthcare providers, and patients. The breach led to widespread financial and operational issues, with the American Hospital Association (AHA) reporting that 94% of U.S. hospitals relying on Change Healthcare were affected. Many hospitals experienced severe cash flow challenges, with nearly 60% reporting daily revenue losses of $1 million or more. These difficulties persisted for months as Change Healthcare scrambled to restore its services and mitigate the attack’s impact. 

In response to the financial strain on healthcare providers, UnitedHealth-owned Optum launched a Temporary Funding Assistance Program in March. This initiative provided over $6 billion in interest-free loans to healthcare providers to address cash flow shortages. As of October, $3.2 billion of the funds had been repaid, reflecting progress in stabilizing the industry. However, some services, such as Clinical Exchange, MedRX, and the Payer Print Communication System, are still undergoing restoration, leaving providers to navigate ongoing challenges. 

The breach also exposed sensitive information of approximately 100 million individuals, making it one of the most significant healthcare data breaches in history. Victims’ full names, email addresses, banking details, and medical claims records were among the data compromised. Change Healthcare’s parent company, UnitedHealth, confirmed that the attackers gained access through stolen credentials used to log into a Citrix portal that lacked multi-factor authentication (MFA). UnitedHealth CEO Andrew Witty testified before Congress, admitting to authorizing a $22 million ransom payment to the attackers. He described the decision as one of the hardest he had ever made, emphasizing the urgent need to minimize further harm to the healthcare system. 

Cybersecurity experts have criticized Change Healthcare for failing to implement basic security protocols, including MFA and robust network segmentation, prior to the attack. The attack’s aftermath has been costly, with remediation expenses exceeding $2 billion as of the most recent UnitedHealth earnings report. Critics have described the company’s lack of preventive measures as “egregious negligence.” Tom Kellermann, SVP of cyber strategy at Contrast Security, highlighted that the company failed to conduct adequate threat hunting or prepare for potential vulnerabilities, despite its critical role in the healthcare ecosystem. 

Beyond the immediate financial impact, the incident has raised broader concerns about the resilience of U.S. healthcare infrastructure to cyberattacks. Experts warn that the sector must adopt stronger cybersecurity measures, including advanced threat detection and incident response planning, to prevent similar disruptions in the future. The restoration of Change Healthcare’s clearinghouse services represents a major step forward, but it also serves as a reminder of the severe consequences of insufficient cybersecurity measures in an increasingly digital healthcare landscape. 

The attack has underscored the urgent need for organizations to prioritize data security, invest in robust safeguards, and build resilience against evolving cyber threats.
Read more »
Ransomwares
Cyber Attacks Defense Hacker attack Inc ransomware IT Systems IT systems breach Military Data NATO Ransomwares

Hungarian Defence Agency Hacked: Foreign Hackers Breach IT Systems

 

Foreign hackers recently infiltrated the IT systems of Hungary’s Defence Procurement Agency, a government body responsible for managing the country’s military acquisitions. According to Gergely Gulyas, the chief of staff to Hungarian Prime Minister Viktor Orban, no sensitive military data related to Hungary’s national security or its military structure was compromised during the breach. Speaking at a press briefing, Gulyas confirmed that while some plans and procurement data may have been accessed, nothing that could significantly harm Hungary’s security was made public. The attackers, described as a “hostile foreign, non-state hacker group,” have not been officially identified by name. 

However, Hungarian news outlet Magyar Hang reported that a group known as INC Ransomware claimed responsibility for the breach. According to the outlet, the group accessed, encrypted, and reportedly published some files online, along with screenshots to demonstrate their access. The Hungarian government has refrained from confirming these details, citing an ongoing investigation to assess the breach’s scope and potential impact fully. Hungary, a NATO member state sharing a border with Ukraine, has been increasing its military investments since 2017 under a modernization and rearmament initiative. 

This program has seen the purchase of tanks, helicopters, air defense systems, and the establishment of a domestic military manufacturing industry. Among the notable projects is the production of Lynx infantry fighting vehicles by Germany’s Rheinmetall in Zalaegerszeg, a region in western Hungary. The ongoing conflict in Ukraine, which began with Russia’s 2022 invasion, has further driven Hungary to increase its defense spending. The government recently announced plans to allocate at least 2% of its GDP to military expenditures in 2024. Gulyas assured reporters that Hungary’s most critical military data remains secure. 

The Defence Procurement Agency itself does not handle sensitive information related to military operations or structural details, limiting the potential impact of the breach. The investigation aims to clarify whether the compromised files include any material that could pose broader risks to the nation’s defense strategy. The breach raises concerns about the cybersecurity measures protecting Hungary’s defense systems, particularly given the escalating reliance on advanced technology in modern military infrastructure. With ransomware attacks becoming increasingly sophisticated, governments and agencies globally are facing heightened pressure to bolster their cybersecurity defenses. 

Hungary’s response to this incident will likely involve a combination of intensified cybersecurity protocols and ongoing collaboration with NATO allies to mitigate similar threats in the future. As the investigation continues, the government is expected to release further updates about the breach’s scope and any additional preventive measures being implemented.
Read more »
Ransomwares
Akira Ransomware Cyber Security Cyber Threats LockBit Malware Attack malware prevention Malwares RansomHub Ransomwares

2024’s Most Dangerous Malware: A Wake-Up Call for Cybersecurity

 

OpenText, a leader in cybersecurity insights, has released its eagerly awaited “Nastiest Malware of 2024” list, highlighting some of the most destructive and adaptive cyber threats of the year. The list illustrates how ransomware and other malicious software continue to evolve, particularly regarding their impact on critical infrastructure. As cybercriminals refine their tactics, the need to strengthen cybersecurity measures has become increasingly urgent. Organizations around the globe are projected to boost their cybersecurity spending by 14.3% in 2024, raising total investments to over $215 billion, which reflects the magnitude of the challenges posed by these threats. 

LockBit claimed the title of the most dangerous malware of the year. This ransomware-as-a-service (RaaS) entity has demonstrated its ability to evade law enforcement efforts, including those from the FBI. Its ongoing attacks on critical infrastructure showcase its resilience and technical prowess. According to the FBI, LockBit was responsible for 175 reported attacks on essential systems in 2023 alone. The group’s bold ambition to target one million businesses emphasizes its threat level and solidifies its position in the ransomware landscape. 

Akira, a relatively new player, has rapidly gained infamy for its aggressive tactics. This ransomware has been particularly active in industries such as healthcare, manufacturing, and finance, using advanced encryption methods to cause significant disruption. Its retro-inspired branding contrasts sharply with its destructive potential, making it a popular choice among cybercriminal affiliates. 

Meanwhile, RansomHub, which may have connections to the infamous Black Cat (ALPHV) group, has made headlines with its high-profile attacks, including a daring strike on Planned Parenthood that compromised sensitive patient data. 

Other significant threats include Dark Angels, recognized for its precision-targeted attacks on Fortune 50 companies, and Play Ransomware, which takes advantage of vulnerabilities in FortiOS systems and RDP servers. Redline Stealer, while not technically ransomware, this type of threat significantly endangers organizations by focusing on stealing credentials and sensitive information. Each of these threats illustrates how cybercriminals are continually pushing the limits, employing advanced tactics to stay ahead of defenses. 

Muhi Majzoub, OpenText’s EVP and Chief Product Officer, notes that the increase in ransomware targeting critical infrastructure highlights the growing risks to national security and public safety. At the same time, the heightened emphasis on cybersecurity investments is a positive indication that organizations are recognizing these threats. However, the ability of ransomware groups to adapt remains a significant worry, as these criminals continue to leverage new technologies, including artificial intelligence, to create more sophisticated attacks. 

The findings from this year reveal a harsh truth: while progress in cybersecurity is being made, the rapid pace of innovation in malware development poses an ongoing challenge. As companies enhance their vigilance and dedicate more resources to protect vital systems, the battle against cyber threats is far from finished. The changing nature of these attacks requires ongoing adaptation, collaboration, and investment to protect the essential services that support modern society.
Read more »
Ransomwares
Company Breach Cyber Attacks Cybersecurity awareness Data Theft Financial Data Breach Hackers ransomware attacks Ransomwares

How to Prevent a Ransomware Attack and Secure Your Business

 

In today’s world, the threat of cyberattacks is an ever-present concern for businesses of all sizes. The scenario of receiving a call at 4 a.m. informing you that your company has been hit by a ransomware attack is no longer a mere fiction; it’s a reality that has affected several major companies globally. In one such instance, Norsk Hydro, a leading aluminum and renewable energy company, suffered a devastating ransomware attack in 2019, costing the company an estimated $70 million. This incident highlights the vulnerabilities companies face in the digital age and the immense financial and reputational toll a cyberattack can cause. 

Ransomware attacks typically involve hackers encrypting sensitive company data and demanding a hefty sum in exchange for decryption keys. Norsk Hydro chose not to pay the ransom, opting instead to rebuild their systems from scratch. Although this route avoided funding cybercriminals, it proved costly in both time and resources. The question remains, what can be done to prevent such attacks from occurring in the first place? The key to preventing ransomware and other cyber threats lies in building a robust security infrastructure. First and foremost, organizations should implement strict role-based access controls. By defining specific roles for employees and limiting access to sensitive systems based on their responsibilities, businesses can reduce the attack surface. 

For example, financial analysts should not have access to software development repositories, and developers shouldn’t be able to access the HR systems. This limits the number of users who can inadvertently expose critical systems to threats. When employees change roles or leave the company, it’s essential to adjust their access rights to prevent potential exploitation. Additionally, organizations should periodically ask employees whether they still require access to certain systems. If access hasn’t been used for a prolonged period, it should be removed, reducing the risk of attack. Another critical aspect of cybersecurity is the implementation of a zero-trust model. A zero-trust security approach assumes that no one, whether inside or outside the organization, should be trusted by default. 

Every request, whether it comes from a device on the corporate network or a remote one, must be verified. This means using tools like single sign-on (SSO) to authenticate users, as well as device management systems to assess the security of devices trying to access company resources. By making trust contingent on verification, companies can significantly mitigate the chances of a successful attack. Moreover, adopting a zero-trust strategy requires monitoring and controlling which applications employees can run on their devices. Unauthorized software, such as penetration testing tools like Metasploit, should be restricted to only those employees whose roles require them. 

This practice not only improves security but also ensures that employees are using the tools necessary for their tasks, without unnecessary exposure to cyber risks. Finally, no security strategy is complete without regular fire drills and incident response exercises. Preparing for the worst-case scenario means having well-documented procedures and ensuring that every employee knows their role during a crisis. Panic and confusion can worsen the impact of an attack, so rehearsing responses and creating a calm, effective plan can make all the difference. 

 Preventing cyberattacks requires a combination of technical measures, strategic planning, and a proactive security mindset across the entire organization. Business leaders must prioritize cybersecurity just as they would profitability, growth, and other business metrics. By doing so, they will not only protect their data but also ensure a safer future for their company, employees, and customers. The impact of a well-prepared security system is immeasurable and could be the difference between an incident being a minor inconvenience or a catastrophic event.
Read more »
security leaders
AI Attacks AI cybersecurity CISO Cyber Security Cyberattack threats Ransomwares security leaders

The Cybersecurity Burnout Crisis: Why CISOs Are Considering Quitting

 

Cybersecurity leaders are facing unprecedented stress as they battle evolving threats, AI-driven cyberattacks, and ransomware. A recent BlackFog study reveals that 93% of CISOs considering leaving their roles cite overwhelming job demands and mental health challenges. Burnout is driven by long hours, a reactive security environment, and the increasing complexity of threats. Organizations must prioritize support for their security teams through flexible work options, mental health resources, and strategic planning to mitigate burnout and retain talent. 

The Rising Pressure on Cybersecurity Leaders The role of the Chief Information Security Officer (CISO) has drastically evolved. They now manage increasingly sophisticated cyberthreats, such as AI-driven attacks and ransomware, in an era where data security is paramount. The workload has increased to unsustainable levels, with 98% of CISOs working beyond contracted hours. The average CISO adds 9 hours a week, and some are clocking over 16 hours extra. This overwork is contributing to widespread burnout, with 25% of CISOs actively considering leaving their roles due to overwhelming stress. The high turnover in this field exacerbates existing security vulnerabilities, as experienced leaders exit while threats grow more sophisticated. 

CISOs face ever-evolving cyberthreats, such as AI-powered attacks, which are particularly concerning for 42% of respondents. These threats use advanced machine learning algorithms to bypass traditional security measures, making them hard to detect and neutralize. Additionally, ransomware is still a major concern, with 37% of CISOs citing it as a significant stressor. The combination of ransomware and data exfiltration forces organizations to defend against attacks on multiple fronts. These heightened risks contribute to a work environment where cybersecurity teams are continually reactive, always “putting out fires” rather than focusing on long-term security strategies. This cycle of incident response leads to burnout and further stress. 

Burnout doesn’t just affect productivity; it also impacts the mental health of CISOs and security teams. According to the study, 45% of security leaders admit to using drugs or alcohol to cope with stress, while 69% report withdrawing from social activities. Although some prioritize physical health—86% allocate time for exercise—many CISOs are still struggling to maintain work-life balance. The emotional toll is immense, with security professionals experiencing the pressure to protect their organizations from increasing cyberthreats while facing a lack of sufficient resources and support. 

To combat the burnout crisis and retain top talent, organizations must rethink their approach to cybersecurity management. Offering flexible work hours, remote work options, and additional mental health resources can alleviate some of the pressure. Companies must also prioritize long-term security planning over constant reactive measures, allowing CISOs the bandwidth to implement proactive strategies. By addressing these critical issues, businesses can protect not only their security infrastructure but also the well-being of the leaders safeguarding it.
Read more »
Ransomwares
CISO Cyber Security cybersecurity solutions Healthcare Healthcare Cyberattacks IT Infrastructure Ransomware attack Ransomwares

Preparing Healthcare for Ransomware Attacks: A 12-Step Approach by Dr. Eric Liederman


Dr. Eric Liederman, CEO of CyberSolutionsMD, emphasizes that healthcare organizations must be prepared for ransomware attacks with a structured approach, describing it as akin to a “12-step program.” He highlights that relying solely on protective measures is insufficient since all protections have the potential to fail. Instead, planning and creating a sense of urgency is key to successfully handling a cyberattack. 

According to Liederman, organizations should anticipate losing access to critical systems and have a strategic recovery plan in place. One of the most important components of such a plan is designating roles and responsibilities for the organization’s response. During an attack, the Chief Information Security Officer (CISO) essentially takes on the role of CEO, dictating the course of action for the entire organization. Liederman says the CISO must tell people which systems are still usable and what must be shut down. 

The CEO, in this situation, plays a supporting role, asking what’s possible and what needs to be done to protect operations. A significant misconception Liederman has observed is the assumption that analog systems like phones and fax machines will continue functioning during a ransomware attack. Often, these systems rely on the same infrastructure as other compromised technology. For example, phone systems that seem analog still resolve to an IP address, which means they could be rendered useless along with other internet-based systems. 

Even fax machines, commonly thought of as a fail-safe, may only function as copiers in these scenarios. Liederman strongly advises healthcare institutions to conduct thorough drills that simulate these kinds of disruptions, enabling clinical and IT staff to practice workarounds for potentially critical outages. This level of preparation ensures that teams can still deliver care and operate essential systems even when technological resources are down for days or weeks. 

In terms of system recovery, Liederman encourages organizations to plan for bringing devices back online securely. While the need to restore services quickly is essential to maintaining operations, the process must be carefully managed to avoid reinfection by the ransomware or other vulnerabilities. Given his extensive experience, which includes almost two decades at Kaiser Permanente, Liederman advocates for resilient healthcare IT infrastructures that focus on readiness. This proactive approach allows healthcare organizations to mitigate the potential impacts of cyberattacks, ensuring that patient care can continue even in worst-case scenarios.
Read more »
Rhysida ransomware gang
Cyber Security Data Leak data security Lawsuits Ransomware attack Ransomwares Rhysida Rhysida Ransomware Rhysida ransomware gang

Columbus Faces Scrutiny for Handling of Ransomware Attack and Lawsuit Against IT Consultant

 

In July, Columbus, Ohio, experienced a ransomware attack, which initially appeared to be a typical breach. However, the city’s unusual response sparked concern among cybersecurity experts and legal professionals. IT consultant David Leroy Ross, also known as Connor Goodwolf, uncovered a significant breach exposing sensitive data from various city databases, including arrest records, domestic violence cases, and personal information. 

This attack, carried out by the Rhysida Group, affected the city, police, and prosecutor’s office, with some databases going back to 1999. Goodwolf, whose expertise involves monitoring dark web activities, discovered that over three terabytes of data had been stolen. Among the exposed data were personal identifiable information, protected health information, and social security numbers. Goodwolf expressed particular concern over the exposure of sensitive information involving minors and domestic violence victims, emphasizing that they were now victimized a second time. 

Despite the serious implications, the city’s response appeared to downplay the breach. At a press conference in mid-August, Columbus Mayor Andrew Ginther claimed that the stolen data was encrypted or corrupted, making it largely unusable. Goodwolf, however, contradicted this statement, revealing that the data he found was intact and usable. When he attempted to notify city officials, he was met with resistance and a lack of cooperation. As a result, Goodwolf turned to the media, which led the city of Columbus to file a lawsuit and secure a temporary restraining order against him. The lawsuit, intended to prevent the further dissemination of sensitive information, raised concerns in the cybersecurity community. 

Legal experts pointed out that such lawsuits against data security researchers are uncommon and could have broader implications. Raymond Ku, a professor of law, noted that lawsuits against researchers typically arise when the disclosure of a vulnerability puts others at risk. However, cybersecurity professionals, such as Kyle Hanslovan, CEO of Huntress, argued that Goodwolf was acting as a responsible researcher. Hanslovan warned that this approach could set a dangerous precedent, silencing individuals who work to expose breaches. The city defended its actions, stating that it sought to prevent the release of confidential information, including undercover police identities. Although the restraining order expired, Columbus continues its civil lawsuit against Goodwolf, seeking up to $25,000 in damages. 

As Columbus works to recover from the attack, the broader implications of its actions toward Goodwolf remain a point of contention. Experts argue that the case highlights the need for a legal framework that balances the protection of sensitive information with the role of security researchers in revealing vulnerabilities. As Columbus strives to position itself as a tech hub, this legal battle could affect its reputation and relationships within the tech industry.
Read more »
Vulnerability
Cyber Attacks Cyberfrauds Cybersecurity Hacking Linux Encryptor Ransomwares VMware Vulnerability

ESXi Servers are Targeted by Linux-Based Akira Ransomware

 


As part of a ransomware operation called Akira, VMware ESXi virtual machines have been encrypted using a Linux encryption tool. This is to block access to the virtual machines. The attack comes after the company targeted Windows systems for a couple of months. 

To encrypt VMware ESXi virtual machines in double-extortion attacks against companies worldwide, the Akira ransomware operations use a Linux encryptor to encrypt VMware ESXi virtual machines controlled by VMware. 

There has been a recent expansion of the Akira ransomware and it now targets VMware ESXi virtual machines using a Linux encryptor. It is because of this adaptation that Akira can now attack companies across the globe. 

This ransomware virus, Akira, was found in March 2023. As the most recent addition to the ransomware landscape, it is relatively less well-known. 

In the short time that Akira ransomware has been in operation, it has been confirmed that 45 organizations have been affected. Most of the targets are based in the U.S. Organizations affected range from childcare centers to large financial institutions but all have been affected. 

The threat actors are engaged in double extortion attacks against their victims, demanding several million dollars and stealing data from breached networks, encrypting files, and encrypting the data until they reach the point of demanding payouts.

In addition to asset managers, the gang's blog lists several victims of the gang's crimes. Akira will encrypt the files of an organization after an attack has been launched, appending the name of the encrypted files to the file names. The desktop screen will display a ransom note, explaining in a condescending tone that it is the quickest way back to the state where the company functions normally if you pay the ransom. 

The Development Bank of Southern Africa and London Capital Group are completely aware of the damage they have caused. There are many US-based companies on the gang's black web blog. 

This computer virus, known as Akira, uses double extortion techniques to pressure its victims into paying a ransom. This means that Akira copies the data before encrypting it to make sure the information can not be released, as well as selling the description key, and using these techniques to force a company into paying the ransom. 

In some cases, the ransoms amount to more than a million dollars, while in others it is less. It has focused on professional services, education, manufacturing, and research and development so far.

In sectors as diverse as education and finance, the threat of ransomware has disrupted corporate networks and encrypted stolen data from breached networks. These compromised files are marked with the extension .akira, which signifies compromise. 

It is important to note that, after the Akira ransomware has been activated, many different file extensions and names will become encrypted, as well as renamed files with the .akira extension. There will also be a ransom note titled akira_readme.txt left in each folder on the encrypted device. 

It is possible to customize how Akira works on Linux, which includes specifying the percentage of data that will be encrypted on each file, which allows threat actors to better customize their attacks. The propensity of this version of Akira to skip folders and files that are usually associated with Windows seems to indicate that it has been ported from the Windows version of the game.

Despite Akira's increasing scope, the fact that the threat now faces organizations around the world illustrates the urgency of action. Sadly, ransomware groups are increasingly expanding their operations to include Linux platforms as well. Many of them are leveraging readily available tools to do so due to the trend toward expanding their operations. To maximize their profits, they have turned this strategy into a simple and lucrative one. 

Among the most notable ransomware operations, some of which predominantly target VMware ESXi servers with their ransomware encryptors, include Royal, Black Basta, LockBit, BlackMatter, AvosLocker, HelloKitty, RansomEXX, and Hive. These operations use Linux-based encryption methods. 

Spreads Rapidly, is Widely Popular, and is Unsecured 

During a ransomware attack, servers are popular due to their ability to spread ransomware rapidly. Hackers need only one run to launch the ransomware attack, which means the ransomware attack becomes extremely fast for the first time in history. ESXi servers have gained popularity in the enterprise world, as they are among the most widely used hypervisors on the planet. Lastly, the devices do not have any security solutions installed on them, which leads to a lack of security. CrowdStrike published a report previously that focused on the fact that antivirus software simply isn't supported by the manufacturer. 

During the weekend of February 2-6, ESXi servers were targeted by thousands of attacks taking place simultaneously. The attackers were able to exploit an outdated vulnerability that had existed two years ago. As a result, good cyber security for servers is very important because research can take a long time and is not always easy. A problem that had not yet been exploited massively had been discovered by Mandiant in 2022, but the problem was still unknown.
Read more »
Subscribe to: Posts (Atom)