Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Ryuk Ransomware. Show all posts
Ryuk Ransomware
Astro Locker Data Breach ICedID Mandiant Threat Intelligence Mount Locker RDP Ryuk Ransomware

Quantum Ransomware was Detected in Several Network Attacks

 

Quantum ransomware, originally spotted in August 2021, has been found carrying out fast attacks which expand quickly, leaving defenders with little time to react. The assault began with the installation of an IcedID payload on a user endpoint, followed by the launch of Quantum ransomware 3 hours and 44 minutes later. It was identified by DFIR Report researchers as one of the fastest ransomware attacks it had ever seen. IcedID and ISO files have recently been utilized in other attacks, as these files are great for getting past email security safeguards.

According to Mandiant's M-Trends 2022 study, the threat actors began encrypting the victim's data only 29 hours after the first breach in a Ryuk ransomware assault in October 2020. The median global dwell period for ransomware is around 5 days. However, once the ransomware has been installed, the data of the victim may be encrypted in minutes. According to a recent analysis from Splunk, ransomware encrypts data in an average of 43 minutes, with the fastest encryption time being less than 6 minutes. 

The IcedID payload was stored within an ISO image which was presumably distributed by email in the examined Quantum ransomware outbreak. The malware was disguised as a "document" file, which was an LNK file designed to run a DLL (IcedID). Several discovery activities were run when the DLL was executed, utilizing various built-in Windows functions, and a scheduled job was constructed to ensure persistence. 

Cobalt Strike was installed into the victim system about two hours after the first breach, allowing the attackers to begin 'hands-on-keyboard' behavior. The fraudsters then began network reconnaissance, which included identifying each host in the environment as well as the active directory structure of the target organization. After releasing the memory of LSASS, the intruders were able to steal Windows domain credentials and spread laterally via the network. 

Cobalt Strike was also used by the attackers to collect credentials and test them for remote WMI detection tasks. The credentials enabled the adversary to log in to a target server through the remote desktop protocol (RDP), from which they attempted to distribute Cobalt Strike Beacon. The malicious actors then used RDP to access other servers in the system, where they prepared to deliver Quantum ransomware per each host. Threat actors eventually used WMI and PsExec to deliver the Quantum ransomware payload and encrypt devices via WMI and PsExec. 

The Quantum Locker ransomware is a rebranded version of the MountLocker malware, which first appeared in September 2020. Since then, the ransomware gang has gone by several names, including AstroLocker, XingLocker, and Quantum Locker, which is now in its current phase. 

While the DFIR report claims since no data exfiltration activity was detected in the assault they investigated, researchers claim the ransom demands for this gang fluctuate based on the victim, with some attacks seeking $150,000 in exchange for a decryptor. Quantum Locker, unlike its prior versions, is not a highly active operation, with only a few attacks per month.
Read more »
Ryuk Ransomware
Black Cat Malware. RaaS Ransomware Ryuk Ransomware

Black Cat Ransomware Linked with Gangs DarkSide/BlackMatter

The Black Cat Ransomware gang, aka ALPHV, confirmed that they were earlier associated with the infamous BlackMatter/DarkSide ransomware campaign. ALPHV/Black Cat is the latest ransomware operation launched last year in November and built in the Rust programming language, which is rare for ransomware attacks. The ransomware can be customized, via different encryption methods and options that allow attacks on a variety of corporate organizations. 

The ransomware group identifies itself as ALPHV, however, MalwareHunterTeam, a cybersecurity firm, calls the ransomware as Black Cat, because a black cat image is shown on the target's Tor payment page. The ransomware campaigns often run as Ransomware as a Service (RaaS,) where the core team develops ransomware attacks and manages servers, and adverts ( affiliates) are hired to compromise corporate networks and organize attack campaigns. In this sort of assignment, the core team earns around 10-30% of ransomware payment, and the affiliate earns the rest. 

The earnings depend on how much ransom is brought by different affiliates in the campaign. The past has experienced many RaaS operations, where top-level hacking groups, when shut down by the government, resurface with a new name. These include- GandCrab to Revil, Maze to Egregor, and DarkSide to BlackMatter. Few believe that Conti resurfaced as Ruk, however, experts believe these two operate separately under the TrickBot group and are not affiliated with each other. 

Meanwhile few affiliates team up with a single RaaS campaign, it is also common for affiliates to work with multiple hacking groups. "While the BlackCat ransomware operators claim that they were only DarkSide/BlackMatter affiliates who launched their own ransomware operation, some security researchers are not buying it. Emsisoft threat analyst Brett Callow believes BlackMatter replaced their dev team after Emsisoft exploited a weakness allowing victims to recover their files for free and losing the ransomware gang millions of dollars in ransoms," reports Bleeping Computer.

Read more »
Ryuk Ransomware
Belgium Cyber Attacks Liege Ransomware Attack Ryuk Ransomware

Ryuk Ransomware Hits City of LiĆØge

 

Liege, the third biggest city in Belgium, was hit by a ransomware attack resulting in the disruption of the municipality’s IT network and online services. As a precautionary measure, IT staff shut down its network to avoid the malware from spreading. The LiĆØge officials launched an investigation into the attack with the help of international security experts and are currently working to restore the operations. 

The officials also published a non-exhaustive list of services that have been affected. These include the bookings for town halls, birth registration, wedding, burial services, collection of passports, driving licenses, identity cards, and other important documents. Online forms for event permits and paid parking are also down. 

“The City of LiĆØge, surrounded by experts of international competence, analyzes the scale of this attack and its consequences, in particular in terms of duration on the partial unavailability of its IT system. It is doing everything to restore the situation as soon as possible. Services to the public are currently heavily impacted,” reads the status page published by the city.

The city officials only reported the incident as a “computer attack”. However, two Belgian media outlets, a radio station, and a TV station claimed that the attack may have been conducted by a group using Ryuk ransomware. Recently, the National Cybersecurity Agency of France (ANSSI) identified a new variant of Ryuk. It possesses worm-like capabilities and can spend weeks or even months inside a victim’s network, conducting reconnaissance and quietly moving ransomware to important systems, often using standard Windows administration tools.

The attack against the Liege municipality is not a one-time attack. Threat actors often target local city networks because many cannot afford top-of-the-line security nor new IT gear, often running severely outdated servers and workstations with a small IT staff. The list of targeted municipalities includes the City of Tulsa, City of Saint John, Albany, Atlanta, Baltimore, Florence, Knoxville, Lafayette, New Orleans, and more. 

According to the latest report by Ransomware Task Force, in 2020 average ransom payments raised 170 percent year-on-year, and the total sum paid in ransom increased 310 percent. It is estimated that ransomware gangs collected at least $150 million in ransoms, with one victim paying $34 million to restore their systems
Read more »
TrickBot
fake websites Hackers malware Proofpoint Ryuk Ransomware TrickBot

BazaLoader Malware is Being Distributed by Hackers Using a Bogus Streaming Website

 

Proofpoint identified the phishing attempt in early May, which entailed hackers creating a phoney movie-streaming website named BravoMovies and stocking it with phoney movie posters and other materials to make it appear real to unwary visitors. It has nothing to offer for download other than BazaLoader malware, despite its pretty pictures and fun-sounding titles. BazaLoader is a malware loader that is used to spread ransomware and other types of malware, as well as steal sensitive data from infected computers. 

"BazaLoader is a downloader written in C++ that is used to download and execute additional modules. Proofpoint first observed BazaLoader in April 2020. It is currently used by multiple threat actors and frequently serves as a loader for disruptive malware including Ryuk and Conti ransomware. Proofpoint assesses with high confidence there is a strong overlap between the distribution and post-exploitation activity of BazaLoader and threat actors behind The Trick malware, also known as Trickbot," the security firm said. 

The BravoMovies campaign employs a complex infection chain similar to that employed by BazaLoader affiliates, who entice their victims to jump through a series of hurdles in order to activate malware payloads. It starts with an email informing recipients that their credit cards would be debited until they cancel their subscription to the service, which they never agreed to. 

The email includes a phone number for a call center with live people on the other end of the line, ready to send consumers to a website where they may purportedly cancel the phoney movie-streaming subscription. Those who fall for the trick, on the other hand, are directed to download a boobytrapped Excel spreadsheet that will trigger macros that will download BazaLoader. 

The call-center staff advises their customers to the BravoMovies website, where they should go to the Frequently Asked Questions page and unsubscribe using the "Subscription" page. They'll then be directed to download an Excel spreadsheet. If BazaLoader is enabled, the macros on the Excel sheet will download it. The second-stage payload in this campaign has yet to be discovered, according to Proofpoint experts. 

Proofpoint researchers first noticed the use of BazaLoader in February 2021, when a pre-Day Valentine's malware assault supplied lures to bogus flower and lingerie stores. It's also been spotted in a campaign for subscription pharmaceutical services.
Read more »
Ryuk Ransomware
Blockchain Cyber Crime Maze Ransomware Ransomware group Ryuk Ransomware

Maze/Egregor Ransomware Earned over $75 Million

 

Researchers at Analyst1 have noticed that the Maze/Egregor ransomware cartel has made at least $75 million in ransom payments to date. This figure is the base of their estimations, as the maximum could be conceivably more since not every victim has disclosed paying to the threat actor. While the group is crippled presently, it is the one that began numerous innovations in the ransomware space. 

“We believe this figure to be much more significant, but we can only assess the publicly acknowledged ransom payments. Many victims never publicly report when they pay a ransom,” security firm Analyst1 said in a 58-page report published this week. 

Analyst1's discoveries are in accordance with a similar report from blockchain analysis firm Chainalysis, which listed the Maze group as the third most profitable ransomware operation — behind Ryuk and Doppelpaymer. 

The now-dead ransomware Maze group was a pioneer in its times. Started in mid-2019, the group was closed down for obscure reasons before the end of last year however resurrected as Egregor ransomware. The greater part of the code, working mechanism, and different clues call attention to that Egregor is the new Maze group. The group dealt with a purported RaaS (Ransomware-as-a-Service), permitting other cybercrime actors to lease admittance to their ransomware strain. These clients, likewise called affiliates, would penetrate organizations and send the Maze groups ransomware as an approach to encrypt files and extort payments.

But, while there were a lot of ransomware groups working on similar RaaS plans, the Maze group became famous by making a “leak site” where they'd regularly list organizations they infected, which was a novelty at that point, in December 2019. 

This branding change didn't influence the group's prosperity. Indeed, both Maze and Egregor positioned as the second and third most active RaaS services on the market, representing almost a fourth of all victims recorded on leak sites a year ago. As per Analyst1's report published for the current week, this heightened period of activity additionally converted into money-related benefits, based on transactions the company was able to track on public blockchains. 

However, this achievement additionally drew attention from law enforcement, which started putting hefty assets into researching and finding the group. Right now, the Maze/Egregor group is on a hiatus, having stopped activities after French and Ukrainian authorities captured three of their members in mid-February, including a member from its core team.
Read more »
Spain
Employment Service malware Ranomware Attack Ryuk Ransomware SEPE Spain

Ryuk Ransomware Hits Spain's Employment Agency

 

The Spanish State Employment Service (SEPE) has been targeted by a ransomware attack which has resulted in hundreds of offices being knocked offline. According to Central Independent Trade Union and Civil Servants, the ransomware attack on SEPE has affected the agency’s offices around the country, forcing employees to use pen and paper to take appointments.

SEPE is a Spanish government agency for labor that provides employment opportunities to the public. The ransomware is said to have spread beyond SEPE’s workstations and also targeted the agency’s remote working employees’ devices. 

The SEPE published a note on their website which said, “currently, work is being done with the objective of restoring priority services as soon as possible, among which is the portal of the State Public Employment Service and then gradually other services to the citizens, companies, benefit and employment offices. The application deadlines for benefits are extended by as many days as the applications are out of service. In no case will this situation affect the rights of applicants for benefits.” 

According to Business Insider Spain, the cyberattack is the work of Ryuk ransomware. Ryuk is a ransomware-as-a-service (RaaS) group that’s been active since August 2018 and is known for running a private affiliate program. In this program, affiliates can submit applications and resumes to apply for membership. The threat group has targeted several organizations over the past year, such as Universal Health Services.

Gerardo GutiĆ©rrez, director of SEPE confirmed that the agency’s network systems were encrypted by the Ryuk ransomware operators after the incident. “Confidential data is safe. The payroll generation system is not affected and the payment of unemployment benefits and ERTE will be paid normally,” he further added. 

According to Central Sindical Independiente y de Funcionarios (CSIF), the attack has caused hundreds of thousands of appointments made through the agency throughout Spain to be delayed. The ransomware has also spread beyond SEPE’s workstations and has reached the agency’s remote working staff’s laptops.
Read more »
Ryuk Ransomware
COVID-19 Healthcare malware Ryuk Ransomware

Ryuk Ransomware: What Can We Learn From DCH Cyberattack?

Hackers have profited a lot from the Covid-19 pandemic by targeting health institutions, let us look back and learn from these attacks. For a very long time, cybercriminals have been attacking healthcare institutions, one fine example is the "DCH ransomware" attack. E Hacking News in this article analysis the events of the DCH ransomware incident, and how Alabama healthcare dealt with the attack.  

About the attack
Alabama's DCH health system was hit by a ransomware attack in October 2019. The attack forced DHS to shut down its 3 state units named- Fayette Medical Center, Northport Medical Center, and Tuscaloosa’s DCH Regional Medical Center. Because of the attack, the computer systems in the 3 hospitals stopped working and the hospital staff couldn't access important files and patient records. DCH took applied emergency measures to deal with the crisis, the hospitals took in critical patients, whereas non-critical cases were transferred off to other health institutions, and only admitted after 10 days.  

About DCH Ransomware 
Hackers attacked DCH systems using a strain of Ryuk ransomware, the malware used by Wizard Spider, a Russian hacking group. Ryuk uses malicious social engineering techniques and uses phishing attacks to trick users into opening false links. Once opened, the malware deploys itself with the target device. When Ryuk is successfully deployed, it gets into the system codes and stops the device from functioning. It is followed by encryption and the last step is demanding ransom.  

Aftermaths of the Ransomware Attack 
DCH couldn't continue it's healthcare services for 10 days due to the partial disruption caused by the ransomware. Four patients filed a lawsuit against DCH for violating "information privacy law" and affecting their medical treatment during the ransomware attack. The lawsuit stated, "because of the ransomware attack, plaintiffs and class members had their medical care and treatment, as well as their daily lives, disrupted." "As a consequence of the ransomware locking down the medical records of plaintiffs and class members, plaintiffs and the class members had to forego medical care and treatment or had to seek alternative care and treatment."
Read more »
TrickBot.
malware Ransomware Ryuk Ransomware TrickBot.

A quick look into malwares that installs ransomware : Remove them form your system immediately

 

We recently looked into ways phishing mails are evolving, attackers getting creative by the day. But a new trend has taken up the dark web, and soon phishing campaigns for ransomware and malware will be a thing of the past. With the sources equable of a small government, malware gangs have started collaborating within themselves and have come up with "initial access brokers," what these groups do is provide ransomware and other groups with already infected systems.
Compromised systems through RDP endpoints, backdoored networking devices, and malware-infected computers install ransomware into the network, this makes the ransomware attacker work as swiftly as cutting into the cake. 

 There are currently three types of bookers that serve ransomware : 

Selling compromised RDP endpoints: These bookers carry a brute remote desktop protocol (RDP) into corporate systems, sold as "RDP Shops". Ransom groups often choose systems that are integrated well within the network.

Selling hacked networking devices: Hackers sell pre hacked devices exploiting publically known vulnerabilities or weak spots like firewalls, VPN servers or others. Access to these devices is auctioned off on dark web forums.

Selling computers pre-infected with malware: This is the most popular way ransomware is spread. Hacking gangs spread their malware bots into well-established systems and sell them to the highest bidder who further injects ransomware into the system. 

The best protection against these attacks is to prevent them from happening. The first two infiltrations can be fended off using strong passwords, security measures, and regular updates. The third means (malware) is a bit complicated as it uses human blunder and tricks to invade the device.

Following is a list of malware that if you find in your system, drop everything and fix them out for they are sure to inject ransomware in your network:

  •  Emotet (Emotet-Trickbot-Ryuk) 
  •  Trickbot (Ryuk - Conti)
  •  BazarLoader (Ryuk) 
  • QakBot (MegaCortex-ProLock-Egregor) 
  •  SDBBot (Clop)
  •  Dridex (BitPaymer-DoppelPaymer) 
  • Zloader (Egregor-Ryuk)
  •  Buer Loader (Ryuk)
Read more »
Subscribe to: Posts (Atom)