Posts with label US

Hackers Use Trojanized Minesweeper Clone to Phish Financial Organizations

 

Hackers are exploiting code from a Python clone of Microsoft's classic Minesweeper game to conceal malicious scripts in attacks targeting financial institutions in Europe and the US.

Ukraine's CSIRT-NBU and CERT-UA attribute the attacks to the threat actor 'UAC-0188'. The actor uses the legitimate game code as cover for Python scripts that download and install SuperOps RMM (Remote Monitoring and Management) software. SuperOps RMM is a legitimate product, but once installed it gives whoever controls the tenant direct remote access to the compromised system.

CERT-UA's investigation into the initial discovery has uncovered at least five breaches in financial and insurance sectors across Europe and the United States linked to these same files.

The attack initiates with an email from "support@patient-docs-mail.com," posing as a medical center with the subject "Personal Web Archive of Medical Documents." The email prompts recipients to download a 33MB .SCR file from a Dropbox link. This file includes harmless code from a Python clone of Minesweeper, alongside malicious Python code designed to download additional scripts from a remote source, "anotepad.com."

Incorporating the Minesweeper code in the executable helps disguise the 28MB base64-encoded string that carries the malicious payload, so the file looks benign to security software. A function from the game code named "create_license_ver" has been repurposed to decode and execute that hidden payload, so legitimate-looking components both mask and drive the attack.

The base64 string decodes to a ZIP file containing an MSI installer for SuperOps RMM, which is extracted and executed using a static password. While SuperOps RMM is a legitimate tool, in this scenario, it grants attackers unauthorized access to the victim's computer.
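The structure described above (a large base64 literal hidden among benign game code, plus one function that both decodes it and launches the result) is something a defender can hunt for statically. The script below is an added example for this page, not CERT-UA's tooling or the actor's code: it parses a Python file with the `ast` module, flags oversized string constants that base64-decode to a ZIP, OLE/MSI or PE container, lists ZIP members, and flags functions that combine a base64 decode with an execution primitive. The sample file it scans is constructed inline (a dummy "installer.msi" that consists only of an OLE header, and a hypothetical `create_license_ver` launcher) and the 256-character threshold is an assumption chosen so the example stays small; a real stager carries tens of megabytes.

```python
"""Static hunt for base64-embedded installers in Python source.

Added example (constructed sample, heuristic thresholds are assumptions);
it never executes the scanned file, it only parses it.
"""
import ast
import base64
import binascii
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # MSI files are OLE compound documents
MZ_MAGIC = b"MZ"                                  # PE executables

MIN_LITERAL_LEN = 256   # assumption for this example; tune upward for real triage

DECODE_NAMES = {"b64decode", "b85decode", "a85decode"}
EXEC_NAMES = {"exec", "eval", "run", "Popen", "call", "system", "startfile"}


def classify(blob: bytes) -> str:
    """Classify decoded bytes by leading magic."""
    if blob.startswith(ZIP_MAGIC):
        return "zip"
    if blob.startswith(OLE_MAGIC):
        return "ole/msi"
    if blob.startswith(MZ_MAGIC):
        return "pe"
    return "unknown"


def zip_members(blob: bytes) -> list:
    """List member names of a ZIP without extracting anything."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [info.filename for info in zf.infolist()]
    except zipfile.BadZipFile:
        return []


def find_embedded_payloads(source: str) -> list:
    """Find large string constants that are valid base64 and decode to a container."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Constant) and isinstance(node.value, str)):
            continue
        text = node.value
        if len(text) < MIN_LITERAL_LEN:
            continue
        try:
            blob = base64.b64decode(text, validate=True)
        except (binascii.Error, ValueError):
            continue                      # not base64, ignore
        kind = classify(blob)
        if kind == "unknown":
            continue                      # large but not a recognised container
        findings.append({
            "line": node.lineno,
            "encoded_len": len(text),
            "decoded_len": len(blob),
            "kind": kind,
            "members": zip_members(blob) if kind == "zip" else [],
        })
    return findings


def find_decoder_launchers(source: str) -> list:
    """Name functions that both base64-decode something and call an execution primitive."""
    suspicious = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.FunctionDef):
            continue
        called = set()
        for sub in ast.walk(node):
            if isinstance(sub, ast.Call):
                func = sub.func
                called.add(func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", ""))
        if called & DECODE_NAMES and called & EXEC_NAMES:
            suspicious.append(node.name)
    return suspicious


def build_sample_source() -> str:
    """Constructed sample: benign game helper, a base64 ZIP holding a fake MSI,
    and a hypothetical decoder/launcher named after the one in the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("installer.msi", OLE_MAGIC + b"\x00" * 600)   # header-only dummy
    blob_b64 = base64.b64encode(buf.getvalue()).decode()
    return f'''
import base64, io, subprocess, zipfile

def reveal(board, r, c):            # benign game logic
    return board[r][c]

PAYLOAD = "{blob_b64}"

def create_license_ver():           # hypothetical repurposed launcher (constructed)
    data = base64.b64decode(PAYLOAD)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall("out", pwd=b"static-password")
    subprocess.run(["msiexec", "/i", "out/installer.msi", "/qn"])
'''


if __name__ == "__main__":
    sample = build_sample_source()
    for hit in find_embedded_payloads(sample):
        print(f"line {hit['line']}: {hit['kind']} payload, {hit['decoded_len']} bytes, members={hit['members']}")
    print("decoder/launcher functions:", find_decoder_launchers(sample))
```

Both checks are heuristics: an attacker can split the blob across several literals or build it at runtime, so treat a hit as a triage lead (pull the ZIP members and hashes, check whether the MSI is an RMM installer) rather than a verdict, and pair it with the network indicators CERT-UA lists.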

CERT-UA advises organizations not using SuperOps RMM to treat its presence or related network activity, such as connections to "superops.com" or "superops.ai" domains, as indicators of a compromise.

The agency has also provided additional indicators of compromise (IoCs) associated with this attack at the end of their report.

EU AI Act to Impact US Generative AI Deployments

 



In a move set to reshape the scope of AI deployment, the European Union's AI Act, slated to come into effect in May or June, aims to impose stricter regulations on the development and use of generative AI technology. The Act, which categorises AI use cases based on associated risks, prohibits certain applications like biometric categorization systems and emotion recognition in workplaces due to concerns over manipulation of human behaviour. This legislation will compel companies, regardless of their location, to adopt a more responsible approach to AI development and deployment.

For businesses venturing into generative AI adoption, compliance with the EU AI Act will necessitate a thorough evaluation of use cases through a risk assessment lens. Existing AI deployments will require comprehensive audits to ensure adherence to regulatory standards and mitigate potential penalties. While the Act provides a transition period for compliance, organisations must gear up to meet the stipulated requirements by 2026.

This isn't the first time US companies have faced disruption from overseas tech regulations. Similar to the impact of the GDPR on data privacy practices, the EU AI Act is expected to influence global AI governance standards. By aligning with EU regulations, US tech leaders may find themselves better positioned to comply with emerging regulatory mandates worldwide.

Despite the parallels with GDPR, regulating AI presents unique challenges. The rollout of GDPR witnessed numerous compliance hurdles, indicating the complexity of enforcing such regulations. Additionally, concerns persist regarding the efficacy of fines in deterring non-compliance among large corporations. The EU's proposed fines for AI Act violations range from 7.5 million to 35 million euros, but effective enforcement will require the establishment of robust regulatory mechanisms.

Addressing the AI talent gap is crucial for successful implementation and enforcement of the Act. Both the EU and the US recognize the need for upskilling to cope with the complexities of AI governance. While US efforts have so far centred on executive orders and policy initiatives, the EU's more prescriptive approach is poised to drive AI enforcement forward.

For CIOs preparing for the AI Act's enforcement, understanding the AI tools and use cases within their organisations is imperative. By conducting comprehensive inventories and risk assessments, businesses can identify areas of potential non-compliance and take corrective measures. It's essential to recognize that seemingly low-risk AI applications may still pose significant challenges, particularly regarding data privacy and transparency.

Companies like TransUnion are taking a nuanced approach to AI deployment, tailoring their strategies to specific use cases. While embracing AI's potential benefits, they exercise caution in deploying complex, less explainable technologies, especially in sensitive areas like credit assessment.

As the EU AI Act reshapes the regulatory landscape, CIOs must proactively adapt their AI strategies to ensure compliance and mitigate risks. By prioritising transparency, accountability, and ethical considerations, organisations can navigate the evolving regulatory environment while harnessing the transformative power of AI responsibly.



US Department of Energy Receives Dual Ransom Demands Amidst Expanding MOVEit Hack Fallout

 

The spokesperson for the US Department of Energy (DOE) revealed that the Russia-linked extortion group Cl0p sent ransom requests to both the nuclear waste facility and scientific education facility of the DOE, which were recently targeted in a global hacking campaign. This attack, initially reported on Thursday, affected the DOE contractor Oak Ridge Associated Universities and the Waste Isolation Pilot Plant in New Mexico, which is responsible for disposing of defense-related radioactive nuclear waste.

The breach occurred through a security flaw in the file transfer tool MOVEit Transfer, a widely-used software for sharing sensitive data among organizations worldwide. Progress Software, the company behind MOVEit Transfer, discovered the security flaw last month, resulting in various victims, including US government departments, the UK's telecom regulator, and energy company Shell.

This incident highlights the significant impact of ransomware attacks, even on security-conscious federal agencies. Ransomware gangs often target widely-used tools, and the attack on MOVEit Transfer reveals the challenges faced by federal agencies in defending against such threats. 

The US Cybersecurity and Infrastructure Security Agency (CISA) confirmed that several federal agencies were affected but noted minimal impact on the federal civilian executive branch. Analysts predict that more victims may emerge in the coming weeks.

The ransom requests to the DOE were sent via individual emails to each facility. The spokesperson did not disclose the demanded amount, but mentioned that the two entities did not engage with Cl0p. Currently, there is no indication that the ransom requests have been withdrawn.

In response to the breach, the DOE has notified Congress and is cooperating with law enforcement and the CISA in their investigations. Cl0p did not respond to requests for comment, but in a post on its website, it said, “WE DON’T HAVE ANY GOVERNMENT DATA” and suggested that should the hackers inadvertently have picked up such data in their mass theft “WE STILL DO THE POLITE THING AND DELETE ALL.”

According to Allan Liska, an analyst from Recorded Future, Cl0p's assertion about deleting government data may be an attempt to safeguard themselves from potential retaliation by Washington and other governments.

US Government Confirms Federal Agencies Affected by MOVEit Breach, Hackers Expand List of Victims

 

The U.S. government has acknowledged that several federal agencies have been targeted in cyberattacks that exploit a security vulnerability in a popular file transfer tool.

The Cybersecurity and Infrastructure Security Agency (CISA) confirmed the intrusions in a statement provided to TechCrunch. The attacks were attributed to the Clop ransomware gang, believed to be linked to Russia. The group recently began revealing the names of organizations it claims to have hacked by exploiting the vulnerability in the file transfer tool, called MOVEit Transfer, developed by Progress Software.

The exact number of affected agencies was not disclosed by CISA, though CNN was the first to report on the attacks. The agencies impacted were not named, but the Department of Energy confirmed that two of its entities were breached. 

The Federal News Network identified Oak Ridge Associated Universities and a Waste Isolation Pilot Plant in New Mexico as the affected entities. These breaches exposed the personally identifiable information of potentially tens of thousands of individuals, including Energy employees and contractors.

“Upon learning that records from two DOE entities were compromised in the global cyberattack on the file-sharing software MOVEit Transfer, DOE took immediate steps to prevent further exposure to the vulnerability and notified the Cybersecurity and Infrastructure Security Agency (CISA),” a DoE spokesperson said. “The Department has notified Congress and is working with law enforcement, CISA, and the affected entities to investigate the incident and mitigate impacts from the breach.”

The Federal Procurement Data System indicates that approximately twelve other U.S. agencies have active contracts for MOVEit, including the Department of the Army, the Department of the Air Force, and the Food and Drug Administration.

CISA Director Jen Easterly stated in a press conference that the agency is working urgently with the affected agencies to understand the impact and implement timely remediation. Although it is still uncertain if data has been stolen, Easterly mentioned that the intrusions do not appear to be focused on stealing specific high-value information or gaining persistence in targeted systems.

“In sum, as we understand it, this attack is largely an opportunistic one,” Easterly said. “In addition, we are not aware of Clop actors threatening to extort or release any data stolen from U.S. government agencies.”

In an update on their dark web leak site, Clop declared that government data had been erased, and no government agencies have been listed as victims so far.

However, Clop added more victims to their list, claiming that they have compromised organizations such as the Boston Globe, East Western Bank based in California, Enzo Biochem located in New York, and Nuance, an AI firm owned by Microsoft. When contacted, Enzo declined to comment, and the other companies mentioned have not responded to inquiries.

Just a day earlier, Clop had released the initial list of impacted organizations, which included U.S.-based financial services firms 1st Source and First National Bankers Bank, as well as the U.K. energy company Shell.

As new victims are being discovered, Progress Software has rushed to address another vulnerability affecting MOVEit Transfer. The company warned customers in an advisory that this vulnerability, identified as CVE-2023-35708, could result in unauthorized access to customer environments.

The United States has Released its National Cybersecurity Strategy: Here's What you Need to Know

 


The US government is taking steps to enhance the country's cybersecurity capabilities and improve its overall technology governance strategy. President Joe Biden recently unveiled a new National Cybersecurity Strategy aimed at securing cyberspace and building a resilient digital ecosystem that is easier to defend than to attack. 

"When we pick up our smartphones to keep in touch with loved ones, log on to social media to share our ideas with one another, or connect to the internet to run a business or take care of any of our basic needs, we need to be able to trust that the underlying digital ecosystem is safe, reliable and secure," Biden wrote in the framework's preface.

The strategy is part of a broader effort by the Biden administration to reinforce cyber and technology governance, which includes increasing accountability for tech firms, strengthening privacy protections, and ensuring fair competition online.

Why does the United States require a National Cybersecurity Strategy?

The world is becoming more complex, and cyber threats are becoming more sophisticated, with ransomware attacks causing millions of dollars in economic losses in the United States. According to IBM, the average cost of a ransomware attack in 2022 was more than $4.5 million. The greatest threats we face are interconnected, raising the prospect of a "polycrisis," in which the overall combined impact of these events exceeds their individual impact.

This is also true of technological risks, where attacks on critical information infrastructure, for example, could have disastrous consequences for public infrastructure and health, or where rising geopolitical tensions increase the risk of cyberattacks.

Cybercrime and cyber insecurity were ranked eighth in terms of severity of impact by risk experts polled for the World Economic Forum's Global Risks Report, both in the short term (the next two years) and over the next decade. According to Google data, state-sponsored cyberattacks targeting NATO users increased by 300% in 2022 compared to 2020. With cyberattacks on the rise, experts at the World Economic Forum's Annual Meeting at Davos predicted that 2023 would be a "busy year" for cyberspace with a "gathering cyber storm".

“This is a global threat, and it calls for a global response and enhanced and coordinated action,” Jürgen Stock, Secretary-General of the International Criminal Police Organization (INTERPOL), said at Davos.

According to the Forum's Global Cybersecurity Outlook 2023, 93% of cybersecurity experts and 86% of business leaders believe global instability will have a negative impact on their ability to ensure cybersecurity in the future.

As Biden notes, "Cybersecurity is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national defense.

"We must ensure the internet remains open, free, global, interoperable, reliable, and secure – anchored in universal values that respect human rights and fundamental freedoms."

What are the National Cybersecurity Strategy's five pillars?

Because the COVID-19 pandemic has accelerated the world's digital transformation, we rely on connected devices and digital technology to do more than ever before, putting our lives and livelihoods at greater risk from cyber threats.

The US National Cybersecurity Strategy recognizes the need to rebalance the burden of responsibility for cybersecurity away from small businesses and individuals and onto the public and private organizations best placed to defend cyberspace through "robust collaboration".

It also aims to strengthen cyberspace resilience by balancing the need to address immediate threats with incentivizing investment in the digital ecosystem's secure, long-term future. Each of the five pillars it establishes is divided into strategic objectives, but here's a quick rundown of what they entail:

1. Defend critical infrastructure
2. Disrupt and dismantle threat actors
3. Shape market forces to drive security and resilience
4. Invest in a resilient future
5. Forge international partnerships to pursue shared goals


FBI Admits It Bought US Citizens' Location Data Without a Warrant


According to a Wired report, FBI Director Christopher Wray revealed for the first time at a Senate Intelligence Committee hearing yesterday that the organization has previously acquired the location data of US citizens without obtaining a warrant. 

Although the practice of buying such data has become more frequent and widespread since the US Supreme Court restricted the government's ability to track Americans' phones without a warrant around five years ago, the FBI had never previously acknowledged making purchases of this kind.

The revelation came after Sen. Ron Wyden [D-Ore] asked Wray, "Does the FBI purchase US phone-geolocation information?" The response alarmed privacy experts.

“To my knowledge, we do not currently purchase commercial database information that includes location data derived from Internet advertising[…]I understand that we previously—as in the past—purchased some such information for a specific national security pilot project. But that’s not been active for some time,” said Wray. 

The response, though vague and hedged, gave a clear indication that the FBI has used commercially purchased location data to monitor US individuals without court oversight.

It is not immediately clear whether Wray was referring to a warrant, a court order issued on a showing of probable cause that a crime has been committed, or to another legal instrument. Wray also did not explain why the FBI decided to stop the practice.

The Supreme Court ruled in the landmark Carpenter v. United States decision that when government agencies accessed historical location data without a warrant, they violated the Fourth Amendment's prohibition on unreasonable searches. But the decision has been interpreted narrowly. Privacy groups argue that the judgment left an obvious gap that lets the government simply buy what it cannot legally compel. The Defense Intelligence Agency and US Customs and Border Protection (CBP) are two federal agencies known to have used this loophole.

On being asked during the Senate hearing whether the FBI is planning to adhere to the practice of buying location data again, Wray said “We have no plans to change that, at the current time.” 

According to Sean Vitka, a policy counsel at Demand Progress, a nonprofit focused on national security and privacy reform, the FBI needs to be more forthcoming about the purchase; he called Wray's revelation "horrifying" in its implications. "The public needs to know who gave the go-ahead for this purchase, why, and what other agencies have done or are trying to do the same," says Vitka.

US lawmakers have historically failed to enact a comprehensive privacy law, and the majority of the proposed bills have purposely ignored the government's own acquisition of US citizens' private data. For example, all law enforcement organizations and any business "gathering, processing, or transferring" data on their behalf are excluded from the provisions of the American Data Privacy and Protection Act (ADPPA), which was presented last year. Wyden and other senators have attempted to tackle the problem head-on with a number of proposals. For instance, the Geolocation Privacy and Surveillance Act has been reintroduced multiple times in Congress since 2011, but it has never been put to a vote.  

Protect Your Online Data Now, Rather than Waiting for the Government

 

The old joke goes, "The opposite of pro is con, so the opposite of progress is Congress." Getting laws proposed and passed can be difficult even in a more relaxed political climate, but the present state of the US Congress makes most new legislation, regardless of content, a difficult sell. That is one of the challenges that government advisers from the cybersecurity industry face when urging politicians to suggest and pass federal data privacy laws. Other obstacles include inconsistent data privacy laws in some US states.

It's long past time for the United States to adopt a federal law comparable to the EU's General Data Protection Regulation (GDPR). GDPR is a set of stringent rules that govern how EU residents' data is handled, sold, and stored, and it protects consumers' privacy and security rights by imposing fines on companies that fail to comply.

In a conversation last week about the current state of data privacy protections in the United States, Wade Barisoff of the cybersecurity firm Fortra emphasized the importance of federal data privacy regulations, citing the European Union's GDPR as an effective example.

"GDPR was significant, not only because it was a unifying act that enshrined the rights of people and their digital identities to govern how their data could be handled,” Barisoff said, “but also because it was the first legislation with real teeth.”

Consumers in the United States would benefit from federal data privacy regulations that enforce severe penalties on companies that fail to comply. If you live in the United States, you may not have much control over what companies can do with your data once they have it, so lock down your accounts with multi-factor authentication and evaluate the privacy policies of your apps today.

Analyzing Data Breach Statistics

There is little recourse for victims of identity theft in the United States whose data was stolen because a US company failed to report a breach. In the Identity Theft Resource Center's (ITRC) 2022 Data Breach Report, CEO Eva Velasquez noted a significant disparity between the average number of breach notices issued each business day in the US (seven) and the 356 breach notices issued daily in the EU in 2021.

"Common sense tells us that data breaches are underreported in the United States," Velasquez explained in the report. "The result is individuals are largely unable to protect themselves from the harmful effects of data compromises which are fueling an epidemic—a scamdemic—of identity fraud committed with stolen or compromised information."

Based on the Data Breach Report, since most state governments do not require companies to include factual data surrounding data breach incidents, the majority of US-based companies do not publish this information at all. According to the ITRC, businesses may choose not to include the details surrounding these incidents in order to avoid future lawsuits for failing to protect consumer data. LastPass, the embattled password management company, was singled out in the report for failing to explain the details of a 2022 attack in which cybercriminals gained access to its customers' information.

The Legal Status of Data Privacy in the United States

According to Barisoff, data privacy regulation in the United States has a long history in certain industries. In the United States, for example, the Health Insurance Portability and Accountability Act, or HIPAA, was signed into law nearly 30 years ago. It is still used to develop data privacy policies for healthcare organizations. Barisoff told me that going beyond decades-old industry guidelines is difficult because capitalism is such a powerful drug.

"We've never really climbed this mountain yet because data is worth money," Barisoff said. "Google has built its entire empire just on data and understanding what people are doing and selling that. There's more of a focus on capitalism, and there's a lot of powerful players here in the US that basically made their entire company off of private data."
 
Some state legislators are attempting to rein in tech companies by proposing and passing statewide data privacy legislation. According to Barisoff, these laws are a beginning, but enforcing them may be difficult. "The only consistency will be that each new law is different," he noted.

This effect is already being felt. Texas sued Google last year, claiming that the company's Photos and Assistant apps violated state biometric privacy laws. In 2016, residents of Illinois filed and won a similar lawsuit against Google. According to Barisoff, the patchwork of state-by-state data privacy laws and their enforcement makes it harder for businesses to comply.

"As each state seeks to highlight how much they value their citizens’ rights over the next, we’ll see an element of 'What’s good for California isn’t good enough for Kansas' creep in,” warned Barisoff. 

"This developing complexity will have a significant impact on organizations operating across the country," he concluded.

Where Do the Most Ransomware Attacks Take Place in the United States?

 

Ransomware can be as disruptive to your day as a flood, earthquake, fire, or another natural disaster. It has the potential to devastate businesses, close hospitals, and close schools. And if you're unlucky enough to be affected, it can completely devastate your finances. 

However, as with natural apocalyptic events, there are patterns in misfortune, and it is possible to draw patterns and identify high-risk areas. You can avoid disaster entirely with some forethought. 

What is Ransomware? 

Criminals are after your money, but draining your bank account directly is hard. By encrypting vital files on compromised computers, criminals persuade victims to hand over their money voluntarily. Companies that cannot operate and are losing money every day they are down will frequently pay criminals to decrypt their machines so they can resume trading. Criminals typically gain access to devices through either lax security practices or social engineering.

Engaging in any criminal enterprise is a risky business, and cybercriminals prefer targets that will net them the most money while exposing them to the least risk. It makes more sense to hit fewer large targets rather than many small ones. And it's understandable that they'd rather target businesses that are more likely to pay than to call law enforcement.

Between 2018 and January 2023, there were 2,122 ransomware attacks in the United States, as per Comparitech research. That's a lot, and even more is likely to have gone unreported. Even if this figure is taken at face value, it equates to more than one ransomware attack per day. Each ransom was worth an astounding $2.3 million on average.

Naturally, because businesses have more money than private individuals, schools, or government agencies, they are regarded as the biggest jackpot for hackers. And because they're constantly making money, every pause costs them more. The largest ransom known to have been paid during this time period was a whopping $60 million paid in 2022 by Intrado, a communications company with interests in cloud collaboration, 911 operations, enterprise communications, and digital media, among other things.

In fact, nine of the top ten ransoms were paid by corporations, including Kia Motors, Garmin, and EDP Renewables. The education sector is prominent, with Broward County Public Schools paying the second-largest ransom of $40 million in 2021. The notorious Conti group, which has been linked to hundreds of other attacks, carried out the attack.

Hospitals and other medical care facilities are prime targets for ransomware attacks because when hospital computers go down, patients don't get the care they require, and people die. Ransoms from the healthcare sector tend to be lower, with an average payout of around $700,000, possibly because the criminals have some conscience about people dying as a direct result of their actions.

Government facilities are also frequently targeted, with state and regional bodies particularly vulnerable. Local government agencies have limited IT security resources and frequently run outdated software because of tighter budgets, making them easier targets. However, this also means they generally pay significantly less than businesses, with a median of around half a million dollars.

Where do most attacks take place?

Ransomware attacks occur wherever criminals believe they can make a quick buck, and attacks are concentrated in areas with a high concentration of wealth and businesses with a high turnover.

In the United States, this includes the east coast, with Washington, DC, Maryland, Delaware, and New York; the west coast, with California and Seattle; and major regional hubs like Chicago, Illinois. The majority of these attacks target businesses, but that doesn't mean the rest of the country is safe. Attacks on healthcare and government are far more common in poorer states, again most likely because of smaller IT budgets.

Between 2018 and January 2023, no US state was immune to ransomware attacks, though some were either less appealing or more resilient to criminals. Wyoming had the fewest reported attacks, with one ransomware incident at Carbon Power and Light and two healthcare facility attacks.

Ransomware is frightening, but just as with flood defences or firebreaks, there are steps you can take to avoid becoming a victim. Here are some of the best recommendations:
  • Take regular backups and store them securely
  • Employ a good antivirus
  • Train your staff
  • Keep your systems updated
Ransomware is terrible, but at least you know that if you pay the ransom, your system will be restored to normal working order and you can resume business as usual... right? This isn't always true. What appears to be ransomware is sometimes fake ransomware: your files have been encrypted, but the criminals who have encrypted them will never decrypt them.

US Criminals Responsible for Widespread Credit Card Fraud

 

In a case that sounds like a movie script, US criminals stole more than $1 million using hundreds of credit cards that had been advertised for sale on the dark web. Some of the details of this complex criminal enterprise became public after a federal indictment by the U.S. Department of Justice.

The defendant in United States v. Trevor Osagie admitted to conspiring to steal credit card data between 2015 and 2018. Osagie worked with a group of conspirators to cause losses totaling more than $1.5 million.

At least 4,000 people were affected. Osagie faces up to 30 years in prison and a fine of up to $1 million, according to Bleeping Computer. Sentencing has been set for May 25, 2023. The websites and services found on the dark web are not indexed by the major search engines and can only be reached through specialised tools. The dark web isn't used only for illegal activity, but its encryption and anonymity make it attractive to criminals.

Using the dark web, Osagie was able to recruit and supervise additional conspirators who played different roles in the fraud. Hamilton Eromosele is charged with leading a criminal organisation that used social media to identify "employees" who would use stolen credit cards to make expensive purchases.

Ismael Aidara opened fraudulent bank accounts and credit cards while Malik Ajala supplied the stolen card information. Six additional defendants travelled to the US to take part in any activity that required their physical presence. Everyone named in the indictment entered a guilty plea, which points to the strength of the prosecution's case.

This is how it worked. Members of the network used stolen credit and debit card data bought on the dark web to purchase flights to the United States, rental cars, and lodging. Once in the country, the shopping spree continued with expensive goods and gift cards.

Social media posts advertised travel and large profits to attract the "workers" who travelled and made purchases for other members of the group, handing a portion of the proceeds to the organisation. Police caught up with the criminals after a chaotic three-year spree.

A Recent Ransomware Attack Targeted Multiple Electric Utilities

 


In an October ransomware attack, hackers stole data belonging to multiple electric utilities across the country from a US government contractor. The information was obtained by CNN from a memo that described the hack in detail. 

The incident has been closely monitored as part of the federal government's ongoing effort to determine whether it will have any serious effect on the US energy sector. Private investigators have searched the dark web for the stolen data. In this context, the North American grid regulator, through its cyberthreat sharing centre, sent a memo to senior executives of power companies this month. 

The previously unreported incident offers a glimpse into the complex procedures of what happens behind the scenes when critical US companies are attacked with ransomware. To assess the level of damage caused by this incident, lawyers and federal investigators quickly sprang into action. 

The victim was Sargent & Lundy, a Chicago-based firm that has designed more than 900 power stations and thousands of miles of power systems. The ransomware attack encrypted sensitive data relating to those stations and systems. 

In addition to handling nuclear issues, the company also works with the Departments of Defense, Energy, and other agencies to prevent terrorists from getting their hands on weapons of mass destruction and strengthen nuclear deterrence. 

Several people close to the investigation of the Sargent & Lundy hack told CNN that the incident was contained and properly resolved, and that it does not appear to have had a broader impact on other firms in the power sector. 

The Electricity Information Sharing and Analysis Center tells us that there is no indication that the data stolen from Sargent & Lundy is on the dark web. The data includes "model files" and "transmission data" that the firm uses for utility projects and does not appear to have been accessed by anyone else. 

Nevertheless, security experts have long worried that attackers who breach contractors in the electric and nuclear power industries could dump schematics online, enabling follow-up physical or cyber attacks against those facilities. 

A series of physical attacks and acts of vandalism against electric utilities in multiple states has heightened the sense of urgency. A Duke Energy substation near Moore County, North Carolina, was damaged by gunfire this month, leaving thousands of people in the area without electricity. On Christmas Day, hundreds of thousands of people lost power after a vandal damaged multiple substations in Washington County. 

Brenda Romero, a spokesperson for Sargent & Lundy, said in a statement to CNN that the company has fully recovered from the incident, which had a limited impact on its normal business operations. Romero added that the firm had notified law enforcement about the hack, which was made public on Friday. 

Romero declined to answer further questions about the ransomware attack, including whether the hackers had attempted to extort Sargent & Lundy, citing the ongoing investigation. 

The Biden administration has urged companies to share information about such hacks with one another, because US officials are still trying to get a grip on the ransomware epidemic. Millions of dollars have been lost as a result of this breach of critical infrastructure. 

A strain of ransomware known as Black Basta was used in the attack on Sargent & Lundy, according to two people familiar with the investigation; the strain was first detected early this year. Cybersecurity company Palo Alto Networks has reported scores of Black Basta attacks since April. The hackers steal data and use it as leverage to demand a ransom from their victims. 

Known for its work on critical infrastructure projects across many sectors of the economy, Sargent & Lundy is one of several engineering firms that have served the industry for many years. Its engineering work can be harder for US cybersecurity officials to evaluate for supply chain risk than the output of a company that only makes software, because engineering work requires more scrutiny. 

The federal government requires electric utilities to adhere to a set of cybersecurity standards that protect their systems against intrusions. Experts told CNN that companies that contract with these utilities to deliver services, such as Sargent & Lundy, are generally not held to the same standards; instead, they are subject to whatever security requirements the contract specifies.

Spy Agencies Exploit Computer Networks to Gather Digital Information

 


A recent report contains a new revelation from one of the country's two spy agencies: the agency retrieves information directly from where it is stored or processed on computers. For a long time the GCSB's "exploitation" of computer networks has been surrounded by a high level of secrecy. 

US commentators have described computer network exploitation as a form of cyber warfare, or "theft of data". "With the help of our legislation, we can gain access to information infrastructures, which is more than just interception," said Andrew Hampton, Director-General of the Government Communications Security Bureau. 

"As a result of it, we are also now able to retrieve digital information directly from its storage or processing place." The GCSB calls this "access to information infrastructures", or "accessing the infrastructure of information."

Hampton's speech to the Institute of International Affairs, given in May, was cited as the source of the revelation by the spying watchdog, Inspector-General of Intelligence and Security Brendan Horsley.

In his annual report released on Friday, Horsley said he had used that time to make sure the exploitation operations were thoroughly scrutinised, and that he was able to assure the public that they had not been abused. 

He had been forced to refer to "certain operations" in the past. He said, "although it was subject to oversight, it was not possible to provide any clear public assurance of this." 

During his review of the compliance systems associated with CNE, he found that they were "on the whole, appropriate and effective". 

Even so, he was not permitted to elaborate on "the bureau's use of this potentially significant capability." 

According to the Inspector-General, the SIS is also doing much more "target discovery", which means it has to manage far more data than in the past, at a time when its checks and controls on data have not yet improved to the level they need to reach. 

A review is currently being conducted by Horsley of the target discovery process by the SIS, and one will be conducted by the GCSB soon as well. 

After the attacks on the mosque in the summer of 2019, both agencies have intensified their efforts in this area. 

From a civil liberties and privacy standpoint, one of the potential hazards of target discovery activities is intrusion into the lives of people who have done nothing to merit the attention of a national security agency, the Inspector-General stated in his report. 

He found no significant problem with Section 19 of the security laws, concluding that the law simply requires each agency that monitors or collects data to be able to justify that monitoring or collection on grounds "other than the fact that certain ideas were expressed on a platform". 

A revised policy was adopted late last year by the GCSB regarding the practice of holding on to all of the extra data. This policy specifically states that the GCSB can not hold onto information solely because it may be useful to them in the future. 

On the other hand, a report by the same institution found that the SIS was struggling with its policy implementation. More than 93 percent of its policies and procedures needed to be reviewed before their implementation, and some of them, such as data analytics policies, were non-existent. 

Horsley said that decisions were being made on the basis of draft procedures. 

The SIS and the DOJ have an agreement to deal with the backlog of policies. Although the SIS has already halved the number of its policies, the suitability of any given policy for its intended purpose cannot be guaranteed in the meantime. 

In addition, it had a long way to go in reviewing its data-sharing agreement with the Department of Internal Affairs, which is also well behind schedule. 

Both the SIS and the bureau have sound control mechanisms and effective ways of managing any breaches that may occur. 

The agencies' joint policy on sharing information with foreign partners was changed after it was determined that such sharing could result in human rights abuses. 

As far as Horsley was concerned, the updated policy was "a marked improvement" on the 2017 policy, although he maintained reservations about some of the terms, criteria, and the handling of reports likely to have been obtained by torture, and he wanted more details made public about the revised policy. 

The report shows that he reviewed 63 spying warrants, 49 of which were Type 1 warrants, the most serious kind. A Type 1 warrant authorises what would otherwise be unlawful activity in order to collect information about a New Zealander.

US Healthcare Department Issues Warning Regarding Venus Ransomware

 

Healthcare organizations across the United States have been warned by the Department of Health and Human Services (HHS) regarding Venus ransomware assaults following a recent breach against a healthcare provider. 

Despite the attack, no data leak site for the Venus ransomware actors has been identified, according to a report published by the Health Sector Cybersecurity Coordination Center (HC3). 

"HC3 is aware of at least one healthcare entity in the United States falling victim to Venus ransomware recently. The operators of Venus ransomware are not believed to operate as a ransomware-as-a-service (RaaS) model and no associated data leak site (DLS) exists at this time," said the report. 

Since its emergence in mid-August 2022, the ransomware has spread through the networks of numerous corporate victims around the globe. 

The ransomware terminates 39 processes associated with database servers and Microsoft Office applications. It targets publicly exposed Remote Desktop Services to gain initial access to the victim's endpoints. In addition, it deletes event logs and volume shadow copies, and disables Data Execution Prevention on the compromised endpoints. 

Lucrative Target 

Since the outbreak of Covid-19, the healthcare industry has been a lucrative target for malicious hackers. Hospitals operate multiple computers, printers, and internet-linked smart devices, generating thousands of sensitive files. These devices are sometimes outdated and improperly secured, making them a perfect candidate for an initial entry endpoint.

Moreover, with the Covid-19 pandemic filling up every last space in hospitals, overworked healthcare workers are an easy target to prey on with phishing and social engineering attacks. 

Last month, government officials in the United States warned regarding multiple ransomware attacks targeting healthcare facilities nationwide. Warnings showed that the attackers are employing ransomware variants such as Maui and Zeppelin against healthcare and public health (HPH) institutions. 

And in February, in a data breach report, debt management firm Professional Finance Corporation, Inc (PFC) revealed that 657 healthcare organizations were impacted by a Quantum ransomware attack. 

To mitigate risks, security experts recommended healthcare organizations implement an email security solution, consider adding a banner to emails from external sources, disable hyperlinks in emails, and provide regular security awareness training to the employees.

A Glitch in Ballot Tabulation Machines, an Opportunity for Election Deniers

 

Earlier this week, former American president Donald Trump and his followers seized on technical issues with ballot tabulation machines in the battleground state of Arizona and falsely claimed it was evidence of an election scam by the Democrats. 

The false claims were made after video emerged of voters being turned away from polling stations in Maricopa, Arizona’s largest county, and officials asking them to head to a different voting center. 

The elections officials also flagged printer issues with ballot tabulators in nearly 20% of the county’s polling locations but made clear that voters can cast ballots without concerns. 

"We also have redundancy in place. If you can't put the ballot in the tabulator, then you can simply place it here where you see the number three and this is a secure box where those ballots will be kept for later this evening, where we'll bring them in here to central count to tabulate them," Maricopa official explained. 

There is nothing fishy regarding the voting process. The issues in a handful of places around the US are well within the normal range of glitches to be expected in thousands of jurisdictions with millions of people voting, a senior official at the US Cybersecurity and Infrastructure Security Agency stated.

However, Trump contradicted state officials' statements that the paper ballots would be tabulated later, posting on his social media platform, Truth Social, to tell voters to stay in line. 

The state's Republican candidate for governor, Kari Lake, also seized on the machine glitches, tweeting a "voter alert". 

She has previously echoed Trump's false claims that the 2020 elections were stolen from him. When election results were announced, she nodded toward the issues with the machines. "We had a big day today. And don't let those cheaters and crooks think anything different. Don't let them doubt. Don't let them put doubt in you." 

Arizona was central in the false claims by Trump and his followers that the 2020 presidential election was rigged against him, after his narrow loss to Joe Biden in the state. The state was ground zero for Trump’s attempts to overturn his White House loss and in this year’s midterms, it’s the only state where all four major statewide candidates are election deniers. 

An election official in Arizona said that the malfunctions in ballot tabulation machines were "disappointing" and correctly predicted that election deniers such as Trump would "exploit" the issue.

TikTok has Grown Into a Global Giant, United States has Threatened to Rein it in

 

This summer was a period of economic uncertainty for much of the tech industry, resulting in a drop in bitcoin prices, hundreds of layoffs, and a hiring freeze. It was also the summer that US regulators crossed the aisle to reach an agreement: it was time for stricter rules for the video platform TikTok. 

TikTok has been the focus of rare bipartisan calls for regulation and investigation since Buzzfeed reported in June that employees of TikTok's Chinese parent company ByteDance had access to US consumer data. When the FBI director, Christopher Wray, called Chinese espionage the "greatest long-term threat to our nation's... economic vitality" in July, those inquiries became more pressing.

“If you are an American adult, it is more likely than not that China has stolen your personal data,” Wray said. “We’ve now reached the point where the FBI is opening a new China-related counterintelligence case about every 10 hours.”

The China question

TikTok is a relatively new player in the arena of massive global social media platforms, but it has already piqued the interest of European regulators. New laws in the UK and the EU concerning child safety and general internet safety have compelled the company to become more transparent about how it operates and how content spreads on its platform.

In the United States, efforts to rein in the video platform have only recently gained traction, though there is little doubt that the round of regulatory pressure is warranted. With 1 billion users, the platform, which uses an algorithmic feed to push short-form videos to users, has had its fair share of misinformation, data privacy concerns, and child safety concerns.

The app's connection to China is one of the issues that US lawmakers are most publicly focused on.   TikTok has consistently stated that the data of its US users is stored in Virginia data centers and backed up in Singapore. In June, the company announced that all US user data would be routed through Oracle servers in the United States.

However, recordings of TikTok executives obtained by BuzzFeed News indicate that ByteDance employees based in China accessed US user data multiple times between September 2021 and January 2022. “Everything is seen in China,” one TikTok employee reportedly said in a meeting.

On June 23, a bipartisan group of five senators proposed a new bill that would prohibit companies from sending American users' data to "high risk foreign countries." In July, Senators Mark Warner and Marco Rubio asked the Federal Trade Commission (FTC) to investigate TikTok.

“TikTok, their parent company ByteDance, and other China-based tech companies are required by Chinese law to share their information with the Communist party,” Warner said. “Allowing access to American data, down to biometrics such as face prints and voiceprints, poses a great risk to not only individual privacy but to national security.”

Brendan Carr, the FCC's senior Republican commissioner, said the BuzzFeed News story marked a watershed moment in lawmakers' thinking about TikTok. “What really changed things was it wasn’t people theorizing or government officials saying stuff in talking points that you weren’t really sure if there was any there, there. This was a report that had internal communications and leaked audio of internal meetings … that just blew the doors off of all of [TikTok’s] representations about how it handled data and showed it to be gaslighting.”

Carr, who has advocated for Google and Apple to remove TikTok from their stores, said the revelations made TikTok's national security concerns more real than ever before and brought people from different political parties together.

TikTok claims that US lawmakers' concerns about national security are exaggerated and that the platform does not share user data with the Chinese government. "Neither would we if asked," company spokesperson Maureen Shanahan said.

Shanahan stated that the company has been open about its efforts to limit employees' access to US user data, and the BuzzFeed News report demonstrates that TikTok is "doing what it said it would do."

“In 2021, TikTok engaged consultants to help assess how to limit data access to US user data,” Shanahan said in a statement. “In the 80 leaked meetings, there were 14 statements indicating that engineers in China had access to US data … It is unfortunate that BuzzFeed cherry-picked quotes from meetings about those very efforts and failed to provide adequate context.”

“Like many global companies, TikTok has engineering teams around the world,” Shanahan said. “We employ access controls like encryption and security monitoring to secure user data, and the access approval process is overseen by our US-based security team.”

Bigger than China

Experts contacted by the Guardian did not question China's cybersecurity threat to the US. However, some expressed concern that regulators' focus on TikTok's China connection would divert attention away from other pressing issues, such as TikTok's algorithm and how much user data the company collects, stores, and shares with other US entities.

There is little information available about the amount of user data TikTok collects and shares with entities in the United States. Even Oracle, the company TikTok hired to audit its algorithms and data privacy policies in order to reassure lawmakers that the platform is free of Chinese influence, has been accused of keeping dossiers on 5 million people worldwide. There are currently no federal regulations in place to safeguard such information.

“The China question to me is almost a red herring because there’s so little being done to protect user privacy generally in the US,” said Sara Collins, a senior policy counsel at the non-profit public interest group Public Knowledge. “The thing I would be concerned about is the same stuff that we’re concerned about with Facebook or with Google. It’s their data privacy practices, what they’re doing with that data, how they’re monetizing it, and what adverse effects are there on users.”

A federal privacy bill currently being debated in Congress could begin to address these concerns. According to Collins, whose employer Public Knowledge works on content moderation and regulation issues, the American Data Privacy and Protection Act (ADPPA) would "actually create a privacy framework for all these companies that would affect TikTok and its business model." (TikTok has made donations to Public Knowledge.)
 
In the meantime, states are taking control of the situation. California passed a landmark child-only safety bill that would require platforms like TikTok and Instagram to vet any products geared toward children before releasing them, as well as to implement privacy safeguards for younger users by default.

Marc Faddoul, co-director of Tracking Exposed, an organization that tracks how TikTok's algorithm works, believes that congressional leaders' focus on the platform's China connections misses the mark when it comes to pressing for more information about the app's algorithm.

“To me, what’s missing from regulators’ radars is that the biggest leverage point in disseminating content online is the mechanics of algorithmic promotion and algorithmic demotion because taking down an individual piece of content, especially if it has already been spread, does little to mitigate the potential harm,” Faddoul said. Those opaque mechanisms, he argued, pose “the biggest threat in terms of interference in internal politics or popular opinion”.

There isn't much information available about how the algorithm decides which content to promote to the top of each person's For You Page. However, in many cases, that content has proven to have real-world implications. Domestic extremists, for example, used TikTok to promote violence and call on their followers to bring guns to the US Capitol in the run-up to the January 6 riots, according to a Department of Homeland Security intelligence document. According to the document, the platform is also rife with violent extremist content.

TikTok says it uses “a combination of technology and thousands of safety professionals” to identify and remove videos that violate its policies. AB Obi-Okoye, a spokesman for the company, said TikTok will continue those efforts, factchecking content in over 30 languages.

“Factchecking is just one component of how we moderate content,” Obi-Okoye continued. “We use a combination of publicly available information as well as the information we receive from our factchecking partners to help us assess content.”

It's also critical to understand how TikTok's algorithm works, according to Faddoul. As the Guardian first reported, the company has previously directed its moderators to censor certain posts, including those mentioning Tiananmen Square or Tibetan independence, according to Faddoul. Obi-Okoye stated that those policies were outdated and no longer in use.  “Today, we take a nuanced approach to moderation, including building out a global team with deep industry experience and working with external content and safety advisory councils,” Obi-Okoye said.

Is there too much or too little oversight?

While experts and lawmakers agree that more regulation is needed, there is significant disagreement about how much regulatory scrutiny TikTok has historically received, especially in comparison to players such as Facebook, Twitter, and Google.

Carr, the FCC commissioner, attributes some of the apparent lack of focus on TikTok to a politicization of the debate after Donald Trump signed an executive order in 2020 requiring ByteDance to sell or spin off its US TikTok business. (That order has since been revoked by Joe Biden.)

Because of TikTok's ties to China, he believes the threats it poses are in a different category than those posed by Facebook and Google. And, in comparison to other Chinese-based tech companies like Huawei and ZTE, TikTok has "largely skated and avoided having to account for some very serious national security concerns," according to Carr.

Battling the Russian Disinformation War

 

US-Russian relations have fluctuated over the years. Former US president Donald Trump was lenient towards the Kremlin from 2017 to 2020, a period during which the White House seemed to take a back seat on cybersecurity issues. 

The Joe Biden administration, however, is ready to take on Russia on every possible front. After Russia invaded Ukraine last February, the American-led European Union moved to block RT and Sputnik, two of the Kremlin's main channels for spreading misinformation about the war. 

Blake Dowling, CEO of Florida-based Aegis Business Technologies, blamed Russian-backed hackers for cyberattacks against American infrastructure (Colonial Pipeline), businesses and government (SolarWinds and others), and elections. 

According to Dowling, Russia's Internet Research Agency (IRA) has also played a role in spreading disinformation around the globe.

The IRA is an army of internet trolls based in an old arms factory in St Petersburg, founded by Yevgeny Prigozhin. Its operatives work as regular employees in eight-hour shifts. 

During each shift, employees must meet quotas, typically something like creating a dozen social media accounts and publishing five political and ten non-political posts, while also commenting on and liking hundreds of their colleagues' posts. 

One IRA employee published a blog about a new video game in the U.S. that had a theme of slavery, aiming to stir up anti-U.S. feelings in Russia. In reality, there was no such game, but that is what the job was. 

Apart from social media trolls, a Russian hacktivist group called Killnet is also playing a major role in disrupting services in the United States. They are looking to cause chaos to the enemies of Russia, specifically those entities that side with Ukraine. 

The standard modus operandi of the hacking group is to launch distributed denial of service attacks (DDoS) toward their victims, causing their web presence to break down. Earlier targets include the European song contest Eurovision and this month fourteen airports in the United States. 

To counter this cyber onslaught, the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency recommend a "Shields Up" approach for American citizens. 

Shields Up refers to a heightened defensive posture for protecting data and technical assets. This includes patching networks and hardware against known exploits and vulnerabilities and using strong passwords that are changed regularly.

Authorities Seize Online Marketplace for Stolen Credentials

Portuguese authorities, in coordination with international law enforcement, conducted an investigation and seized a website selling login credentials and PII belonging to more than 5.85 million people. 

United States law enforcement agencies also reported that they had seized four domains associated with the online shop: 'wt1store.cc', 'wt1shop.net', 'wt1store.com', and 'wt1store.net'. 

A federal agency had charged Nicolai Colesnicov, 36, of the Republic of Moldova, with operating wt1shop to facilitate the selling of stolen credentials and PII. 

Following the incident, the U.S. Justice Department (DoJ) stated that the agencies seized approximately 25,000 scanned driver’s licenses/passports, 1.7 million login credentials for various online shops, 108,000 bank accounts, and 21,800 credit cards.

According to the documents, visitors of the illegal marketplace could purchase the stolen data using Bitcoin. Around 2.4 million credentials had been sold on wt1shop, for total proceeds of $4 million. Also, the online market had a forum that could be accessed by the customers. 

The credentials on sale were for online retailers, PayPal accounts, financial institutions, and email accounts. Others provided remote access to computers, servers, and other appliances. Additionally, a visitor buying stolen credentials could also purchase the credit card accounts of the same victim. 

 U.S. Attorney Brit Featherston said that “This case exemplifies the need for all of us, right now, to take steps to protect our online identity, our personal data, and our monetary accounts. Cyber-criminals are lurking behind the glow of computer screens and are harming Americans. These investigations require dedicated professionals who work tirelessly to stop thieves that steal from unknowing innocent people. To those who dedicate their lives to stopping cyber-criminals, we thank you.”

Earlier this year, the Department of Justice along with other international authorities had announced that they had seized Slilpp, the largest site for stolen credentials on the Dark Web. The site had data of 80 million users from 1,400 service providers. 

Also, on March 16, 2022, a federal grand jury indicted Igor Dekhtyarchuk, a Russian citizen, for running a cyber-criminal marketplace that stole and sold thousands of login credentials, authentication tools, and Personally Identifiable Information. 

HHS Warns, Karakurt Ransomware Group Targeting Healthcare Providers

 

The US Department of Health and Human Services Cybersecurity Coordination Center (HC3) recently issued a warning about rising Karakurt activity against the healthcare sector. The department has now issued a further warning about Evil Corp attacks. 

According to the alert, Evil Corp is believed to be obtaining intellectual property from the United States healthcare sector on behalf of the Russian government. Evil Corp's Dridex trojan is capable of compromising the confidentiality and availability of operational systems and data, including financial and health data. 

The threat actor has constantly changed its tactics in order to avoid sanctions imposed by the US government, causing millions of dollars in damage.

Evil Corp has a plethora of tools and techniques at its disposal, which are frequently combined with commodity malware and off-the-grid tactics. Furthermore, HC3 is concerned because nation-state-sponsored threat actors, such as Evil Corp, see data exfiltration as a cost-effective way to steal intellectual property. 

Evil Corp also makes no distinction between large and small organisations, targeting wherever there is an opportunity. According to HC3, Karakurt has compromised at least an assisted living facility, a healthcare provider, a hospital, and a dental clinic. The group has even turned its leak site into a searchable database, making it easier to locate victims.

The healthcare sector has long been a favourite target of cybercriminals, and this has only increased since the pandemic's onslaught. On a regular basis, various threat groups target the sector. As a result, putting in place the necessary security measures is advised.

FBI Issues Warning as BlackCat Ransomware Targets More Than 60 Organizations Worldwide

 

An FBI flash alert released this week suggests that the law enforcement agency has identified at least 60 ransomware attacks worldwide by the BlackCat (ALPHV) group between November 2021 and March 2022. 

The flash alert highlights the tactics, techniques, and procedures (TTPs) employed and indicators of compromise (IOCs) associated with ransomware groups spotted during FBI investigations.

According to the FBI's Cyber Division, BlackCat, also tracked as ALPHV and Noberus, "is the first ransomware group to do so successfully using RUST, considered to be a more secure programming language that offers improved performance and reliable concurrent processing."

BlackCat's ransomware executable is also highly customizable and is loaded with several encryption methods and options that make it easy to adapt attacks to a wide range of industrial organizations. "Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations," the FBI added. 

Security researchers recently revealed an increased interest from BlackCat operators in targeting industrial organizations. BlackCat affiliates often demand ransom payments of millions of dollars, but they have been observed accepting lower payments after negotiations with their victims. 

For initial access, the FBI explains, BlackCat employs compromised user credentials. Next, Active Directory user and administrator accounts are compromised and malicious Group Policy Objects (GPOs) are used to deploy the ransomware, but not before victim data is exfiltrated. 

As part of observed BlackCat assaults, PowerShell scripts, Cobalt Strike Beacon, and authentic Windows tools and Sysinternals utilities have been used. The malicious actors were also seen disabling security features to move unhindered within the victim’s network. 
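The chain the FBI describes (compromised credentials, Active Directory account takeover, ransomware pushed through malicious GPOs, native Windows and Sysinternals tooling, and security features switched off) leaves traces a defender can look for in Windows event logs. The Python below is an added example written for this post, not code from the FBI notice or from any vendor: it runs a few such checks over constructed sample event records. The event IDs are the standard Windows ones (Security 5136/5137 for a directory object modified/created, System 7045 for a service installed, Defender operational 5001 for real-time protection disabled), but treating them as signals for this campaign, the JSON-lines record format, and every hostname, account, GPO name and path are this example's assumptions.

```python
"""Added example: flag GPO changes, PsExec-style service installs and Defender
tampering in constructed Windows event records. Not from the FBI flash alert."""
import json
from typing import Iterable, List, Optional

# Constructed sample: five JSON-lines Windows event records as a log shipper
# might emit them. Hosts, accounts, paths, times and the GPO name are invented.
SAMPLE_LOG = r"""
{"time": "2022-03-01T02:11:04Z", "host": "DC01", "channel": "Security", "event_id": 5136, "data": {"SubjectUserName": "svc_backup", "ObjectClass": "user", "ObjectDN": "CN=jdoe,OU=Staff,DC=corp,DC=example"}}
{"time": "2022-03-01T02:14:37Z", "host": "DC01", "channel": "Security", "event_id": 5136, "data": {"SubjectUserName": "svc_backup", "ObjectClass": "groupPolicyContainer", "ObjectDN": "CN={PLACEHOLDER-GPO-GUID},CN=Policies,CN=System,DC=corp,DC=example"}}
{"time": "2022-03-01T02:20:09Z", "host": "FS02", "channel": "System", "event_id": 7045, "data": {"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}}
{"time": "2022-03-01T02:20:55Z", "host": "FS02", "channel": "System", "event_id": 7045, "data": {"ServiceName": "BackupAgent", "ImagePath": "C:\\Program Files\\Backup\\agent.exe"}}
{"time": "2022-03-01T02:22:41Z", "host": "FS02", "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5001, "data": {}}
"""

# (channel, event_id) pairs this example inspects, with a short description.
WATCH = {
    ("Security", 5136): "Directory object modified",
    ("Security", 5137): "Directory object created",
    ("System", 7045): "Service installed",
    ("Microsoft-Windows-Windows Defender/Operational", 5001): "Defender real-time protection disabled",
}

# Service name Sysinternals PsExec registers on the remote host.
SUSPICIOUS_SERVICES = {"psexesvc"}


def parse_events(log_text: str) -> List[dict]:
    """Parse JSON-lines event records, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def classify(event: dict) -> Optional[str]:
    """Return a finding for one event, or None if it is not interesting here."""
    key = (event.get("channel"), event.get("event_id"))
    if key not in WATCH:
        return None
    data = event.get("data", {})
    if key in (("Security", 5136), ("Security", 5137)):
        # Only GPO containers matter for this check; other directory edits are routine.
        if data.get("ObjectClass", "").lower() != "grouppolicycontainer":
            return None
        return f"GPO change by {data.get('SubjectUserName')}: {data.get('ObjectDN')}"
    if key == ("System", 7045):
        if data.get("ServiceName", "").lower() not in SUSPICIOUS_SERVICES:
            return None
        return f"Remote-execution service installed: {data.get('ServiceName')} ({data.get('ImagePath')})"
    # Defender 5001: real-time protection turned off, always worth review.
    return WATCH[key]


def scan(events: Iterable[dict]) -> List[dict]:
    """Run classify() over a stream of events and collect the findings in order."""
    findings = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            findings.append({"host": ev.get("host"), "time": ev.get("time"), "finding": verdict})
    return findings


if __name__ == "__main__":
    for f in scan(parse_events(SAMPLE_LOG)):
        print(f"{f['time']} {f['host']}: {f['finding']}")
```

On the constructed sample the routine user-object edit and the ordinary service install are ignored, while the GPO modification, the PSEXESVC install and the Defender event are reported. In a real deployment the GPO check would additionally be filtered against approved change windows and the accounts authorised to edit policy, since a GPO edit by an account outside that process is the signal worth an analyst's time.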

As usual, the FBI recommends not paying the ransom, as this would not guarantee the recovery of compromised data, and urges organizations to proactively deploy cybersecurity defenses that can help them prevent ransomware attacks. 

Since the start of the year, the notorious group has taken credit for ransomware attacks on US schools like Florida International University and North Carolina A&T University and has already breached dozens of US critical infrastructure organizations. 

The group was first spotted in November 2021 and became known for aggressively posting details about its victims publicly. Emsisoft threat analyst Brett Callow and others previously said the group is a rebrand of the BlackMatter and DarkSide ransomware groups, something the FBI also highlighted in its notice.