
Nidec Corporation Ransomware Attack: Data Leak on Dark Web


In a recent disclosure, Nidec Corporation, a global leader in precision motors and automotive components, confirmed a significant data breach from a ransomware attack that occurred earlier this year. Hackers, after failing to extort the company, leaked stolen data on the dark web. This breach did not involve file encryption, but the stolen information has raised concerns for employees, contractors, and associates regarding potential phishing attacks. Nidec operates in over 40 countries and has an annual revenue exceeding $11 billion. 

The affected division, Nidec Precision, is based in Vietnam and specializes in manufacturing optical, electronic, and mechanical equipment for the photography industry. An internal investigation revealed that hackers accessed a server using stolen VPN credentials of a Nidec employee. This server contained sensitive documents, including business letters, purchase orders, invoices, health policies, and contracts. Over 50,000 files were compromised in the breach. The company responded by closing the entry point and implementing additional security measures as advised by cybersecurity experts. 

Employees are undergoing further training to reduce future risks, and Nidec is notifying business partners who may have been affected. The attack was initially claimed by the 8BASE ransomware group in June, which alleged it had stolen personal data and a large volume of confidential information from Nidec's systems. In July, the Everest ransomware group also published stolen data on the dark web, suggesting a connection to 8BASE and a secondary extortion attempt. While Nidec has confirmed the authenticity of the stolen data, it downplayed the potential for direct financial damage to the company or its contractors.

However, the company remains vigilant and continues to monitor for any unauthorized use of the information. This attack underlines the vulnerability of even the largest corporations to cybercriminals and the importance of robust security measures. As ransomware groups continue to evolve their tactics, companies like Nidec must ensure they are prepared to mitigate threats and protect their sensitive data. 

The Nidec breach is a stark reminder of the ongoing risks in today’s interconnected business environment. In response to this breach, Nidec has implemented stronger security protocols and is actively educating its workforce on how to mitigate cybersecurity risks moving forward.

RansomHub Ransomware Targets VMware ESXi Environments with Specialized Encryptor


The RansomHub ransomware operation is now employing a Linux encryptor specifically designed to target VMware ESXi environments during corporate attacks.

Launched in February 2024, RansomHub operates as a ransomware-as-a-service (RaaS) with connections to ALPHV/BlackCat and Knight ransomware. The group has claimed over 45 victims across 18 countries.

Since early May, both Windows and Linux RansomHub encryptors have been confirmed. Recently, Recorded Future reported that the group also possesses an ESXi variant, first observed in April 2024. Unlike the Windows and Linux versions written in Go, the ESXi encryptor is a C++ program, likely evolved from the now-defunct Knight ransomware.

Interestingly, Recorded Future identified a bug in the ESXi variant that defenders can exploit to cause the encryptor to enter an endless loop, thereby evading encryption.

Enterprises widely use virtual machines to manage their servers due to their efficient CPU, memory, and storage resource management. Consequently, many ransomware gangs have developed dedicated VMware ESXi encryptors to target these environments. RansomHub's ESXi encryptor supports various command-line options, including setting execution delays, specifying VMs to exclude from encryption, and targeting specific directory paths. 

The encryptor features ESXi-specific commands such as 'vim-cmd vmsvc/getallvms' and 'vim-cmd vmsvc/snapshot.removeall' for snapshot deletion, and 'esxcli vm process kill' for shutting down VMs. It also disables syslog and other critical services to hinder logging and can delete itself after execution to evade detection and analysis.
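The three ESXi commands named above are legitimate administration tools, so an alert on any one of them would be noisy; what stands out is the chain (enumerate VMs, strip every snapshot, force-kill the VM processes) issued in quick succession. The following detection sketch is an added example, not code from Recorded Future or the article. It scans shell-history style lines for that chain. The log lines are constructed for the demo and only approximate the format of ESXi's `/var/log/shell.log`; field names and the window size are assumptions.

```python
"""Flag the VM-enumerate / snapshot-delete / VM-kill command chain the article
attributes to RansomHub's ESXi encryptor.  Added example; sample log lines are
constructed and only approximate ESXi's shell.log format."""
import re
from typing import List, Tuple

# Regexes for the three commands named in the article.
INDICATORS = {
    "enumerate_vms":    re.compile(r"vim-cmd\s+vmsvc/getallvms"),
    "delete_snapshots": re.compile(r"vim-cmd\s+vmsvc/snapshot\.removeall"),
    "kill_vm":          re.compile(r"esxcli\s+vm\s+process\s+kill"),
}

# Order in which the encryptor has to issue them to make recovery hard:
# you cannot kill or encrypt a VM's disks cleanly before knowing its id,
# and snapshots are removed before the disks are touched.
CHAIN = ["enumerate_vms", "delete_snapshots", "kill_vm"]


def match_indicators(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, indicator name) for every single hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.append((n, name))
    return hits


def chain_detected(lines: List[str], window: int = 20) -> List[int]:
    """Return the line numbers completing CHAIN in order within `window`
    lines of the first hit, or [] when the full chain never appears.
    A lone getallvms (an admin listing VMs) is deliberately not enough."""
    hits = match_indicators(lines)
    for i, (start, name) in enumerate(hits):
        if name != CHAIN[0]:
            continue
        matched = [start]
        want = 1
        for n, nm in hits[i + 1:]:
            if n - start > window:
                break
            if nm == CHAIN[want]:
                matched.append(n)
                want += 1
                if want == len(CHAIN):
                    return matched
    return []


# Constructed sample lines (format approximates ESXi shell.log, an assumption).
SAMPLE_BENIGN = [
    "2024-05-14T08:01:12Z shell[2001]: [root]: vim-cmd vmsvc/getallvms",
    "2024-05-14T08:01:40Z shell[2001]: [root]: esxcli network ip interface list",
    "2024-05-14T08:02:03Z shell[2001]: [root]: vim-cmd vmsvc/snapshot.get 12",
]
SAMPLE_ATTACK = [
    "2024-05-14T23:14:02Z shell[3107]: [root]: vim-cmd vmsvc/getallvms",
    "2024-05-14T23:14:03Z shell[3107]: [root]: vim-cmd vmsvc/snapshot.removeall 12",
    "2024-05-14T23:14:03Z shell[3107]: [root]: vim-cmd vmsvc/snapshot.removeall 14",
    "2024-05-14T23:14:05Z shell[3107]: [root]: esxcli vm process kill --type=force --world-id=2100871",
    "2024-05-14T23:14:05Z shell[3107]: [root]: esxcli vm process kill --type=force --world-id=2100902",
]

if __name__ == "__main__":
    print("benign :", chain_detected(SAMPLE_BENIGN))   # []
    print("attack :", chain_detected(SAMPLE_ATTACK))   # [1, 2, 4]
```

In practice the same logic runs over lines forwarded to a SIEM rather than over the host's local file, since the article notes the encryptor disables syslog once it starts; an alert on syslog forwarding going silent from an ESXi host is therefore a useful companion rule.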

The encryption scheme uses ChaCha20 with Curve25519 for key generation and targets ESXi-related files like '.vmdk', '.vmx', and '.vmsn' with intermittent encryption for faster performance. Specifically, it encrypts only the first megabyte of files larger than 1MB, repeating the encryption block every 11MB. A 113-byte footer is added to each encrypted file containing the victim's public key, ChaCha20 nonce, and chunk count. The ransom note is written to '/etc/motd' (Message of the Day) and '/usr/lib/vmware/hostd/docroot/ui/index.html' to make it visible on login screens and web interfaces.
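For a responder, the practical consequence of the intermittent scheme is that most of a large VMDK is never touched, which matters when deciding whether carving from the untouched regions is worth the effort. The calculator below is an added example, not the article's or Recorded Future's code: it models the layout the article describes (a 1MB block at the start, repeated every 11MB, plus a 113-byte footer). The assumptions that files of 1MB or less are encrypted whole and that each block starts exactly 11MB after the previous block start are mine, not stated on the page.

```python
"""Model the intermittent-encryption coverage the article describes for the
RansomHub ESXi encryptor.  Added example; block alignment is an assumption."""
from typing import List, Tuple

MB = 1024 * 1024
BLOCK = 1 * MB        # article: one encrypted megabyte per block
STRIDE = 11 * MB      # article: "repeating the encryption block every 11MB"
FOOTER_LEN = 113      # article: 113-byte footer appended to every encrypted file

Range = Tuple[int, int]   # (offset, length) in the ORIGINAL file


def encrypted_ranges(size: int) -> List[Range]:
    """Byte ranges of the original file that get encrypted.
    Assumptions: files of 1MB or less are encrypted in full; every later
    block starts STRIDE bytes after the previous block start."""
    if size <= 0:
        return []
    if size <= BLOCK:
        return [(0, size)]
    ranges = []
    offset = 0
    while offset < size:
        ranges.append((offset, min(BLOCK, size - offset)))
        offset += STRIDE
    return ranges


def plaintext_ranges(size: int) -> List[Range]:
    """Complement of encrypted_ranges: regions left untouched, i.e. what a
    responder could still carve from even without the key."""
    out = []
    cursor = 0
    for off, length in encrypted_ranges(size):
        if off > cursor:
            out.append((cursor, off - cursor))
        cursor = off + length
    if cursor < size:
        out.append((cursor, size - cursor))
    return out


def encrypted_fraction(size: int) -> float:
    """Share of the file's bytes that are actually ciphertext."""
    if size <= 0:
        return 0.0
    return sum(length for _, length in encrypted_ranges(size)) / size


def original_size(encrypted_file_size: int) -> int:
    """Recover the pre-encryption size: the footer carries the per-victim
    public key, nonce and chunk count, never file data."""
    if encrypted_file_size < FOOTER_LEN:
        raise ValueError("too small to carry the 113-byte footer")
    return encrypted_file_size - FOOTER_LEN


if __name__ == "__main__":
    # Constructed example: a 50MB disk image.
    size = 50 * MB
    print("encrypted blocks :", len(encrypted_ranges(size)))    # 5
    print("encrypted share  :", f"{encrypted_fraction(size):.1%}")  # 10.0%
    print("untouched ranges :", [(o // MB, l // MB) for o, l in plaintext_ranges(size)])
```

Note that a low encrypted fraction does not make a VMDK usable: the first megabyte holds the descriptor and partition metadata, so the guest will not boot, but the untouched stretches are exactly where file-level carving of guest data can succeed.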

Recorded Future analysts discovered that the ESXi variant uses a file named '/tmp/app.pid' to check for an existing instance. If this file contains a process ID, the ransomware attempts to kill that process and then exits. However, if the file contains '-1', the ransomware enters an infinite loop, trying to kill a non-existent process, thus neutralizing itself.

This means organizations can create a '/tmp/app.pid' file containing '-1' to protect against the RansomHub ESXi variant, at least until the RaaS operators fix the bug and release updated versions for their affiliates.
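Deploying that guard file fleet-wide is easy to get subtly wrong: overwriting an existing '/tmp/app.pid' that some other daemon legitimately owns would break that daemon, and on ESXi '/tmp' lives in RAM, so the file vanishes at every reboot. The helper below is an added example, not code from the article or Recorded Future. It installs the marker only when the path is absent, reports (rather than clobbers) a file with other content, and offers a verify step suitable for a periodic compliance check. The choice to write '-1' without a trailing newline is an assumption; the article only says the file "contains '-1'".

```python
"""Install and verify the '/tmp/app.pid' = '-1' guard described in the article.
Added example; newline handling and the demo's temp paths are assumptions."""
import os
import tempfile
from pathlib import Path

PID_FILE = Path("/tmp/app.pid")   # path named in the article
GUARD = "-1"                      # value that sends the encryptor into its loop


def install_guard(path: Path = PID_FILE) -> str:
    """Create the guard file if nothing is there.
    Returns 'installed', 'already_guarded', or 'exists_other' (left untouched
    so a real PID file belonging to some other process is never destroyed)."""
    if path.exists():
        if path.read_text().strip() == GUARD:
            return "already_guarded"
        return "exists_other"
    # Assumption: written without a trailing newline; strip() on read keeps
    # verification tolerant of either form.
    path.write_text(GUARD)
    os.chmod(path, 0o444)        # read-only: the encryptor reads, it should not rewrite
    return "installed"


def verify_guard(path: Path = PID_FILE) -> bool:
    """True when the marker is present with the expected content."""
    return path.exists() and path.read_text().strip() == GUARD


def run_demo():
    """Exercise all three outcomes in a scratch directory, never touching /tmp/app.pid."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        guard = Path(d) / "app.pid"
        results.append(install_guard(guard))         # 'installed'
        results.append(install_guard(guard))         # 'already_guarded'
        results.append(verify_guard(guard))          # True
        busy = Path(d) / "busy.pid"
        busy.write_text("4242\n")                    # constructed: someone else's PID file
        results.append(install_guard(busy))          # 'exists_other'
        results.append(busy.read_text() == "4242\n") # True: left untouched
        results.append(verify_guard(busy))           # False
    return results


if __name__ == "__main__":
    print(run_demo())
```

Because '/tmp' on ESXi does not persist across reboots, the install step belongs in the host's boot-time script so the marker is recreated each start, and `verify_guard` is what a configuration-compliance job should call afterwards. Treat the whole thing as a stopgap in line with the article's caveat: it buys time only until the operators ship a fixed build.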