Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Ransowmare. Show all posts
Ransowmare
BlackSuit CDK Global Cyber Attacks Cyberattack Data Theft Kadokawa Ransowmare

Cyberattack by BlackSuit Targets Kadokawa and CDK Global

In early June, Kadokawa's video-sharing platform Niconico experienced a server outage, which has now been claimed by the Russia-linked hacker group BlackSuit. This group, a rebrand of the Royal ransomware operation and linked to the defunct Conti cybercrime syndicate, has issued a threat on the dark web to release 1.5 terabytes of sensitive data, including signed documents, contracts, legal statements, and emails, unless a ransom is paid by July 1, 2024. 

Details of the Attack on Kadokawa: 

Kadokawa first acknowledged the cyberattack in early June, which disrupted multiple websites and services. Despite efforts by Kadokawa's IT department, BlackSuit reportedly managed to steal 1.5 terabytes of sensitive data, including business plans, user data, contracts, and financial records. The hackers exploited vulnerabilities in Kadokawa’s network, gaining access to a control center that allowed them to encrypt the entire network, affecting subsidiaries like Dwango and NicoNico. Kadokawa has assured customers that no credit card information was compromised, as it was not stored on their system. 

The company is prioritizing the restoration of accounting functions and normalizing manufacturing and distribution in its publication business, with expected results by early July. Although the production of new publications remains steady, the shipment of existing publications is currently at one-third of normal levels. Kadokawa is implementing alternative arrangements, including increasing human resources, to mitigate the impact. 

In the Web Services business, all Niconico family services are still suspended, but provisional services like Niconico Video (Re: tmp) and Niconico Live Streaming (Re: tmp) have been provided. Existing services such as Niconico Manga smartphone version and NicoFT have resumed. The Merchandise business has seen limited impact, with shipping functions operating normally. However, the failure of Kadokawa’s account authentication function has prevented users from logging into certain online shops. Temporary pages have been created for affected users, and Kadokawa will keep providing updates regarding this issue. 

Impact on CDK Global: 

BlackSuit is also believed to be behind ongoing outages at CDK Global, a software provider for approximately 15,000 North American car dealerships. Several major U.S. auto dealers, including AutoNation, Group 1 Automotive, Penske Automotive Group, Sonic Automotive, and Lithia Motors, have reported disruptions in their services due to the cyberattack. As a result, many dealerships have had to revert to pen and paper for managing auto repairs, closing new car sales, and conducting other business. 

CDK attempted to restore its systems but was hit with a second cyberattack, causing them to shut down all systems again. The company has yet to acknowledge that the attack is a result of ransomware, but an incident like this could take weeks to recover from. Even after operations return to normal, CDK will have to investigate what data was stolen, how the attack happened, and the impact on its customers. 

Allan Liska, a ransomware analyst at Recorded Future, mentioned that the CDK attack has been attributed to BlackSuit in hacker forums and private chat channels. Malicious cybercriminal gangs are known to boast about their schemes on these platforms. While CDK is not yet listed on BlackSuit's dark web site, indicating ongoing negotiations, Bloomberg reported that the hackers are asking for a ransom in the tens of millions of dollars.
Read more »
Vulnerabilites and Exploits
Citrix Bleed Bug Foreign Ransomware Healthcare Security Ransowmare Vulnerabilites and Exploits

AHA, Federals Urge Healthcare Ogranizations to Minimize Citrix Bleed Vulnerability

Citrix Vulnerability

Healthcare departments under threat

The alert from the Department of Health and Human Services Health Sector Cybersecurity Coordination Center on Nov. 30 and the AHA warning on Friday come amid an outbreak of ransomware attacks alleged to involve Citrix Bleed exploitation that has hit companies in the healthcare and other sectors in recent weeks. This blog will cover the threats and everything related to the Citrix Bleed flaw.

CySecurity News had already reported on a Citrix bleed bug delivering sharp blows earlier in November 2023.

"HC3 strongly recommends companies to make improvements to prevent additional harm against the healthcare and public health sector," alerted the Department of Health and Human Services.

High severity Citrix Bleed Vulnerability

According to John Riggi, AHA's national adviser for cybersecurity and risk, the urgency of HHS's alert "confirms the gravity" of the Citrix Bleed vulnerability and the urgent requirement to install existing Citrix patches and upgrades to secure healthcare IT systems.

Google’s Mandiant report in October “identified zero-day exploitation of this vulnerability in the wild beginning in late August 2023. Successful exploitation could result in the ability to hijack existing authenticated sessions, therefore bypassing multifactor authentication or other strong authentication requirements. 

These sessions may persist after the update to mitigate CVE-2023-4966 has been deployed. Additionally, we have observed session hijacking where session data was stolen prior to the patch deployment and subsequently used by a threat actor, the report further added.

Foreign ransomware groups involved

Riggi said in a statement that this instance further shows the severity by which foreign ransomware groups, mainly Russian-speaking groups, continues targeting hospitals and health organizations. Ransomware threats interrupt and disrupt the delivery of healthcare, jeopardizing patients' lives. We must be attentive and strengthen our cyber security, as hackers will undoubtedly continue to target the field, particularly over the holiday season, he further added.

Rise in attacks during the holiday season?

NetScaler released an advisory on the flaw in October and then again in late November, citing reports of "a rapid spike in attempts" to take advantage of the vulnerability in unfixed NetScaler ADCs.

The AHA cautioned that exploiting the vulnerability allows hackers to evade password constraints and multifactor authentication mechanisms.

According to HHS HC3, the vulnerability has been routinely exploited since August. Citrix issued a patch for the vulnerability in early October, but the firm warned that compromised sessions would remain active after the patch was applied.

HC3 encourages all administrators to upgrade their devices according to NetScaler's instructions and to erase or "kill" any active or permanent connections with particular commands.

Also read: NetScaler's report to know full details about Citrix Bleed Threat.


Read more »
Windows
Data Evil Extractor malware Ransowmare Safety Security Windows

This Evil Extractor Malware Steals Data from Windows Devices

 


Experts have discovered a hazardous new malware strain that is circulating the internet, stealing sensitive data from victims and, in some cases, installing ransomware as well. The malware, dubbed Evil Extractor, was found by Fortinet cybersecurity experts, who published their findings in a blog post, noting that it was produced and disseminated by a business called Kodex and was marketed as a "educational tool." 

“FortiGuard Labs observed this malware in a phishing email campaign on 30 March, which we traced back to the samples included in this blog,” the researchers said. “It usually pretends to be a legitimate file, such as an Adobe PDF or Dropbox file, but once loaded, it begins to leverage PowerShell malicious activities.” 

An environment-analysis tool and an info stealer are among the harmful actions. As a result, the malware would first check to ensure that it is not being planted in a honeypot before capturing as much sensitive data from the endpoint as possible and transferring it to the threat actor's FTP server. It is also capable of encrypting data.

The tool, known as Kodex Ransomware, downloads zzyy.zip from evilextractor[.]com, which contains 7za.exe, an executable that encrypts data using the argument "-p," which means the files are zipped with a password. 

The malware then sends a ransom note asking $1,000 in Bitcoin in exchange for the decryption key, as is customary. "Otherwise, you will be unable to access your files indefinitely," the notification states. According to reports, the malware mostly targets people in the Western world.

"We recently reviewed a version of the malware that was injected into a victim's system and, as part of that analysis, identified that most of its victims are located in Europe and America," Fortinet states.

It's not known if the operators were successful in spreading the ransomware or how many victims they impacted.
Read more »
Ransowmare
Cyber Security Data Leak Ragnar Locker Ransomware Group Ransowmare

Ragnar Locker to Publish Victims Data if They Approach FBI

 

The ransomware gang Ragnar Locker implements a new strategy, which forces victims to pay the ransom and threatens to expose their stolen data if victims approach the FBI. Earlier, Ragnar Locker has struck notable ransomware attacks on various companies to extract millions of dollars in ransom payments. 

Ragnar Locker perpetrators are believed to deploy payloads of the ransomware to the victim's computers manually. They spend time recognizing system resources, business backups, and other critical files before the data encryption phase. 

This week, the organization threatened to release complete information on victims seeking the aid and assistance of the police and investigating authorities amid a ransomware attack in an annunciation on the darknet leak portal of Ragnar Locker. 

The threat is equally applicable to individuals who approach file recovery experts to try to decode files and later on negotiate. In any case, the gang will expose the entire data of the victims on their .onion site. 

The Ransomware administrator says that the process of recovery is only worsened by affected companies who hire "professional negotiators" It is because these negotiators typically collaborate with FBI-associated data retrieval businesses and equivalent organizations. 

“In our practice we has facing with the professional negotiators much more often in last days,” the announcement said in broken-English-ese. “Unfortunately it’s not making the process easier or safer, on the contrary it’s actually makes all even worse.” 

“So from this moment we warn all our clients, if you will hire any recovery company for negotiations or if you will send requests to the Police/FBI/Investigators, we will consider this as a hostile intent and we will initiate the publication of whole compromised Data immediately. Don’t think please that any negotiators will be able to deceive us, we have enough experience and many ways to recognize such a lie. Dear clients if you want to resolve all issues smoothly, don’t ask the Police to do this for you. We will find out and punish with all our efforts,” further reads the announcement. 

Such dealers are either connected to or interact personally with law enforcement officials, the gang claims. In any case, they are in it and do not care about the economic well-being of their customers or their data privacy, stated the organization. 

The previous victims of Ragnar Locker included the Japanese game maker Capcom, ADATA manufacturer of computer chips, and the Dassault Falcon airline company. In Capcom's case, 2,000 devices were supposedly encoded and the attacker demanded $11.000,000 for a decryption key in return. 

Ragnar Locker's latest revelation induces further stress for victims, given that governments across the world have strongly advocated against paying ransoms in the present climate of escalating cyber threats. 

"Government has a strong position against paying ransoms to criminals, including when targeted by ransomware. Paying a ransom in response to ransomware does not guarantee a successful outcome," said the British Home Secretary, Priti Patel in May this year.
Read more »
Subscribe to: Posts (Atom)