Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label corporate cyber attacks. Show all posts
trending news
company data theft corporate cyber attacks cyberattacks trending news malware News trending news

BianLian Ransomware Gang Shifts Tactics: A New Era of Cyber Threats

 

A recent advisory from the FBI, CISA, and Australia’s Cyber Security Centre reveals a tactical shift by the ransomware group BianLian, marking a significant evolution in cyber extortion. The update, issued on November 20, 2024, highlights how the group has abandoned traditional encryption-based attacks in favor of exfiltration-only extortion, a trend gaining momentum across the cybercrime landscape. Previously known for their double-extortion model—encrypting victims' data while threatening to release stolen files—BianLian has moved exclusively to encryption-less attacks since early 2023. 

Instead of locking victims out of their systems, the group focuses solely on stealing sensitive data and leveraging it to demand ransoms. This new approach leaves the victims’ systems intact, but their sensitive information becomes the ultimate bargaining chip. “This method allows criminals to exploit multiple avenues for extortion,” the advisory states. “Even when victims pay, stolen data is rarely deleted and often surfaces on the Dark Web.” 

The shift reflects both a response to improved corporate defenses and a focus on operational efficiency. Muhammad Yahya Patel, lead security engineer at Check Point Software, noted that exfiltration-only attacks require fewer resources, making them harder to detect. “This tactic reduces the need for encryption malware, minimizing operational complexity and allowing attackers to stay under the radar,” Patel explained. 

Organizations with robust backup systems can recover from encryption-based attacks, diminishing their effectiveness. Pedro Umbelino, principal research scientist at Bitsight, observed, “Encryption rarely leads to data loss now, but companies still fear the public release of stolen data. Ransomware operators are prioritizing simpler methods to maximize profit.” The trend extends beyond BianLian. Darren Williams, CEO of BlackFog, revealed that 94% of ransomware attacks in 2024 now center on data theft rather than encryption. 

“The value of intellectual property, customer, and personal data has made exfiltration the preferred method for cybercriminals,” Williams noted. 

For organizations, this shift underscores the urgency of adapting cybersecurity defenses. Unlike encryption attacks, data exfiltration is harder to detect and often unnoticed until it’s too late. Investing in advanced monitoring tools, enhancing incident response plans, and fostering a culture of cybersecurity awareness are critical steps in mitigating this emerging threat. The rise of exfiltration-only ransomware is a stark reminder of cybercriminals’ adaptability. Businesses must evolve their defenses to match the growing sophistication of their adversaries.
Read more »
Ransomware attack
8Base 8Base Ransomware corporate cyber attacks Cyber Attacks Dark Web Data Leak data security Ransomware attack

Nidec Corporation Ransomware Attack: Data Leak on Dark Web

 

In a recent disclosure, Nidec Corporation, a global leader in precision motors and automotive components, confirmed a significant data breach from a ransomware attack that occurred earlier this year. Hackers, after failing to extort the company, leaked stolen data on the dark web. This breach did not involve file encryption, but the stolen information has raised concerns for employees, contractors, and associates regarding potential phishing attacks. Nidec operates in over 40 countries and has an annual revenue exceeding $11 billion. 

The affected division, Nidec Precision, is based in Vietnam and specializes in manufacturing optical, electronic, and mechanical equipment for the photography industry. An internal investigation revealed that hackers accessed a server using stolen VPN credentials of a Nidec employee. This server contained sensitive documents, including business letters, purchase orders, invoices, health policies, and contracts. Over 50,000 files were compromised in the breach. The company responded by closing the entry point and implementing additional security measures as advised by cybersecurity experts. 

Employees are undergoing further training to reduce future risks, with Nidec notifying business partners who may have been affected. The attack was initially claimed by the 8BASE ransomware group in June, who alleged they stole personal data and a large volume of confidential information from Nidec’s systems. In July, the Everest ransomware group also published stolen data on the dark web, suggesting a connection to 8BASE and initiating a secondary extortion attempt. While Nidec has confirmed the authenticity of the stolen data, it downplayed the potential for direct financial damage to the company or its contractors. 

However, the company remains vigilant and continues to monitor for any unauthorized use of the information. This attack underlines the vulnerability of even the largest corporations to cybercriminals and the importance of robust security measures. As ransomware groups continue to evolve their tactics, companies like Nidec must ensure they are prepared to mitigate threats and protect their sensitive data. 

The Nidec breach is a stark reminder of the ongoing risks in today’s interconnected business environment. In response to this breach, Nidec has implemented stronger security protocols and is actively educating its workforce on how to mitigate cybersecurity risks moving forward.
Read more »
VMware ESXi encryptor
ALPHV Blackcat Ransomware corporate cyber attacks Cyber Attacks RansomHub ransomware ransomware-as-a-service VMware ESXi encryptor

RansomHub Ransomware Targets VMware ESXi Environments with Specialized Encryptor

 

The RansomHub ransomware operation is now employing a Linux encryptor specifically designed to target VMware ESXi environments during corporate attacks.

Launched in February 2024, RansomHub operates as a ransomware-as-a-service (RaaS) with connections to ALPHV/BlackCat and Knight ransomware. The group has claimed over 45 victims across 18 countries.

Since early May, both Windows and Linux RansomHub encryptors have been confirmed. Recently, Recorded Future reported that the group also possesses an ESXi variant, first observed in April 2024. Unlike the Windows and Linux versions written in Go, the ESXi encryptor is a C++ program, likely evolved from the now-defunct Knight ransomware.

Interestingly, Recorded Future identified a bug in the ESXi variant that defenders can exploit to cause the encryptor to enter an endless loop, thereby evading encryption.

Enterprises widely use virtual machines to manage their servers due to their efficient CPU, memory, and storage resource management. Consequently, many ransomware gangs have developed dedicated VMware ESXi encryptors to target these environments. RansomHub's ESXi encryptor supports various command-line options, including setting execution delays, specifying VMs to exclude from encryption, and targeting specific directory paths. 

The encryptor features ESXi-specific commands such as 'vim-cmd vmsvc/getallvms' and 'vim-cmd vmsvc/snapshot.removeall' for snapshot deletion, and 'esxcli vm process kill' for shutting down VMs. It also disables syslog and other critical services to hinder logging and can delete itself after execution to evade detection and analysis.

The encryption scheme uses ChaCha20 with Curve25519 for key generation and targets ESXi-related files like '.vmdk,' '.vmx,' and '.vmsn' with intermittent encryption for faster performance. Specifically, it encrypts only the first megabyte of files larger than 1MB, repeating encryption blocks every 11MB. A 113-byte footer is added to each encrypted file containing the victim's public key, ChaCha20 nonce, and chunks count. The ransom note is written to '/etc/motd' (Message of the Day) and '/usr/lib/vmware/hostd/docroot/ui/index.html' to make it visible on login screens and web interfaces.

Recorded Future analysts discovered that the ESXi variant uses a file named '/tmp/app.pid' to check for an existing instance. If this file contains a process ID, the ransomware attempts to kill that process and then exits. However, if the file contains '-1,' the ransomware enters an infinite loop, trying to kill a non-existent process, thus neutralizing itself.

This means organizations can create a /tmp/app.pid file containing '-1' to protect against the RansomHub ESXi variant, at least until the RaaS operators fix the bug and release updated versions for their affiliates.
Read more »
Subscribe to: Posts (Atom)