Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Ukraine Organization. Show all posts

Europol Dismantles Ukrainian Ransomware Gang

A well-known ransomware organization operating in Ukraine has been successfully taken down by an international team under the direction of Europol, marking a major win against cybercrime. In this operation, the criminal group behind several high-profile attacks was the target of multiple raids.

The joint effort, which included law enforcement agencies from various countries, highlights the growing need for global cooperation in combating cyber threats. The dismantled group had been a prominent player in the world of ransomware, utilizing sophisticated techniques to extort individuals and organizations.

The operation comes at a crucial time, with Ukraine already facing challenges due to ongoing geopolitical tensions. Europol's involvement underscores the commitment of the international community to address cyber threats regardless of the geopolitical landscape.

One of the key events leading to the takedown was a series of coordinated raids across Ukraine. These actions, supported by Europol, aimed at disrupting the ransomware gang's infrastructure and apprehending key individuals involved in the criminal activities. The raids not only targeted the group's operational base but also sought to gather crucial evidence for further investigations.

Europol, in a statement, emphasized the significance of international collaboration in combating cybercrime. "This successful operation demonstrates the power of coordinated efforts in tackling transnational threats. Cybercriminals operate globally, and law enforcement must respond with a united front," stated the Europol representative.

The dismantled ransomware gang was reportedly using the Lockergoga ransomware variant, known for its sophisticated encryption methods and targeted attacks on high-profile victims. The group's activities had raised concerns globally, making its takedown a priority for law enforcement agencies.

In the aftermath of the operation, cybersecurity experts are optimistic about the potential impact on reducing ransomware threats. However, they also stress the importance of continued vigilance and collaboration to stay ahead of evolving cyber threats.

As the international community celebrates this successful operation, it serves as a reminder of the ongoing battle against cybercrime. The events leading to the dismantlement of the Ukrainian-based ransomware gang underscore the necessity for countries to pool their resources and expertise to protect individuals, businesses, and critical infrastructure from the ever-evolving landscape of cyber threats.

Russian Turla Leveraged Other Hackers' USB-Delivered Malware

 

Russian state-sponsored cyber threat actor Turla victimized a Ukrainian organization in a recent attack. The hackers leveraged legacy Andromeda malware that was executed by other hackers via an infected USB drive, Mandiant reports. 

Turla is active since at least 2006, however, the group came into light in 2008 as the group was behind the agent.btz, a venomous piece of malware that spread through US Department of Defense systems, gaining widespread access via infected USB drives plugged in by the Pentagon employee who was unaware of the danger. 

Also, the group has been historically associated with the use of the ComRAT malware. After 15 years, the group again came into the spotlight. However, this time the group is trying a new trick that is hijacking the USB infections of other malicious actors to piggyback on their infections to spy on targets.

Legacy Andromeda malware also known as Wauchos or Gamarue which has been active since at least September 2011, is a modular trojan that is capable of checking whether it is being executed or debugged in a virtual environment by using anti-virtual machine techniques. 

In the Turla-suspected operation tracked as UNC4210, at least three expired Andromeda command and control (C&C) domains were used for victim profiling, Mandiant discovered. 

The attack took place in September 2022, however, the Ukrainian organization was infected with a legacy Andromeda sample in December 2021 via an infected USB drive. A malicious LNK file on the drive was used for malware installations. Also, it downloads other malware from its commanding servers in order to steal information from infected computers. The countries that are most affected by the malware are India (24%), Vietnam (12%), and Iran (7%). 

The study on Turla operations has been conducted by Kaspersky, Symantec, and CrySyS Lab in Budapest and they revealed that the threat actors behind the campaign are highly sophisticated in their methods. More than one malicious file is used by the threat actor to accomplish their end goals. 

First, a backdoor mostly known as “Wipbot” and “Tavdig” (also known as “WorldCupSec” or “TadjMakhal”) is designed to collect important data. Then it delivered its main module, which has the ability to execute a variety of commands and exfiltrate data on the targeted system. 

“As older Andromeda malware continues to spread from compromised USB devices, these re-registered domains pose a risk as new threat actors can take control and deliver new malware to victims. This novel technique of claiming expired domains used by widely distributed, financially motivated malware can enable follow-on compromises at a wide array of entities,” Mandiant reported. 

Furthermore, it says that this is the first suspected Turla attack that has targeted Ukrainian organizations after the Russian invasion.