Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label ransomware attacks. Show all posts
ransomware attacks
Cybersecurity Threats Document converter malware Fake file converters malware Online Scams ransomware attacks

FBI Warns Against Fake Online Document Converters Spreading Malware

 

iThe FBI Denver field office has issued a warning about cybercriminals using fake online document converters to steal sensitive data and deploy ransomware on victims' devices. Reports of these scams have been increasing, prompting authorities to urge users to be cautious and report incidents.

"The FBI Denver Field Office is warning that agents are increasingly seeing a scam involving free online document converter tools, and we want to encourage victims to report instances of this scam," the agency stated.

Cybercriminals create fraudulent websites that offer free document conversion, file merging, or media download services. While these sites may function as expected, they secretly inject malware into downloaded files, enabling hackers to gain remote access to infected devices.

"To conduct this scheme, cybercriminals across the globe are using any type of free document converter or downloader tool," the FBI added.

These sites may claim to:
  • Convert .DOC to .PDF or other file formats.
  • Merge multiple .JPG files into a single .PDF.
  • Offer MP3 or MP4 downloads.
Once users upload their files, hackers can extract sensitive information, including:
  • Names and Social Security Numbers
  • Cryptocurrency wallet addresses and passphrases
  • Banking credentials and passwords
  • Email addresses
Scammers also use phishing tactics, such as mimicking legitimate URLs by making slight alterations (e.g., changing one letter or replacing "CO" with "INC") to appear trustworthy.

“Users who in the past would type ‘free online file converter’ into a search engine are vulnerable, as the algorithms used for results now often include paid results, which might be scams,” said Vikki Migoya, Public Affairs Officer for FBI Denver.

Cybersecurity experts have confirmed that these fraudulent websites are linked to malware campaigns. Researcher Will Thomas recently identified fake converter sites, such as docu-flex[.]com, distributing malicious executables like Pdfixers.exe and DocuFlex.exe, both flagged as malware.

Additionally, a Google ad campaign in November was found promoting fake converters that installed Gootloader malware, a malware loader known for:

  1. Stealing banking credentials
  2. Installing trojans and infostealers
  3. Deploying Cobalt Strike beacons for ransomware attacks

"Visiting this WordPress site (surprise!), I found a form for uploading a PDF to convert it to a .DOCX file inside a .zip," explained a cybersecurity researcher.

Instead of receiving a legitimate document, users were given a JavaScript file that delivered Gootloader, which is often used in ransomware attacks by groups like REvil and BlackSuit.

In order to stay safe,
  • Avoid unknown document conversion sites. Stick to well-known, reputable services.
  • Verify file types before opening. If a downloaded file is an .exe or .JS instead of the expected document format, it is likely malware.
  • Check reviews before using any online converter. If a site has no reviews or looks suspicious, steer clear
  • Report suspicious sites to authorities. Victi
  • ms can file reports at IC3.gov.
  • While not all file converters are malicious, thorough research and caution are crucial to staying safe online.
Read more »
Ransomwares
Backdoor Backdoor Attacks Critical Infrastructure Cyber Attacks RansomHub ransomware ransomware attacks Ransomwares

Betruger Backdoor Linked to RansomHub Ransomware Attacks on Critical Infrastructure

 

A newly discovered backdoor malware, dubbed Betruger, has been identified in multiple recent ransomware attacks. Researchers at Symantec believe at least one affiliate of the RansomHub ransomware-as-a-service (RaaS) operation is using this sophisticated tool to facilitate cyber intrusions. 

Unlike many conventional malware strains, Betruger functions as a multi-purpose backdoor designed to prepare networks for ransomware deployment while minimizing the need for additional malicious software. Betruger comes equipped with several advanced features commonly associated with pre-ransomware attack stages. These include keylogging, network scanning, privilege escalation, credential theft, screenshot capture, and the ability to upload files to a command-and-control (C2) server. 

Its design suggests that attackers are looking to streamline their intrusion process, reducing reliance on multiple external tools and instead using a single, custom-built malware to execute various attack functions. This approach is relatively rare, as ransomware operators typically rely on widely available tools such as Mimikatz and Cobalt Strike to conduct their attacks. To avoid detection, cybercriminals are disguising Betruger under the filenames ‘mailer.exe’ and ‘turbomailer.exe,’ making it appear like a legitimate email-related application. 

While other ransomware groups have developed proprietary tools for data exfiltration, such as BlackMatter’s Exmatter and BlackByte’s Exbyte, Betruger appears to have a broader range of capabilities beyond just stealing data. The emergence of Betruger coincides with ongoing attacks by RansomHub, a ransomware operation that has been active since February 2024. Previously known as Cyclops and Knight, RansomHub has gained a reputation for focusing on extortion through data theft rather than encrypting victim files. 

Over the past year, the group has targeted several major organizations, including Halliburton, Christie’s, Frontier Communications, Rite Aid, and Kawasaki’s EU division. It was also responsible for leaking Change Healthcare’s stolen data after the BlackCat/ALPHV group’s $22 million exit scam. More recently, RansomHub claimed responsibility for breaching BayMark Health Services, a leading addiction treatment provider in North America. 

The company operates over 400 treatment centers across the U.S. and Canada, serving approximately 75,000 patients daily. The FBI has linked RansomHub affiliates to more than 200 ransomware attacks affecting various critical infrastructure sectors in the U.S., including government agencies, healthcare institutions, and other essential services. With the deployment of Betruger, the group’s operations appear to be evolving, indicating a continued threat to businesses and organizations worldwide.
Read more »
Ransomwares
CISA & FBI CISA advisory Cyber Attacks Malwares Medusa Attacks Medusa Ransomware RaaS ransomware attacks ransomware-as-a-service (RaaS) Ransomwares

Medusa Ransomware Attacks: CISA, FBI, and MS-ISAC Issue #StopRansomware Advisory

 

The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has issued a #StopRansomware advisory, warning organizations about the increasing threat of Medusa ransomware. 

Medusa, a ransomware-as-a-service (RaaS) variant, was first detected in 2021 and has since targeted over 300 victims across multiple critical infrastructure sectors. Industries such as healthcare, law, education, insurance, technology, and manufacturing have been particularly affected, highlighting the wide reach and severity of the ransomware’s impact. Medusa initially operated as a closed ransomware variant, meaning its developers had full control over its deployment and operations. 

Over time, it transitioned to an affiliate-based model, allowing external cybercriminals to use the ransomware while keeping certain aspects, such as ransom negotiations, under the control of the original developers. This shift has allowed Medusa to expand its reach, increasing its effectiveness as a cyber threat. Medusa demands ransoms ranging from $100,000 to as much as $15 million. 

Like many modern ransomware variants, it employs double extortion tactics—stealing sensitive data before encrypting victim networks. This strategy puts additional pressure on victims, as attackers can threaten to leak or sell stolen data if the ransom is not paid. Cybersecurity researchers from Symantec’s Threat Hunter team recently reported a rise in Medusa-related attacks over the past year. 

Medusa’s developers use initial access brokers (IABs) to gain entry into victim networks. These brokers operate within cybercriminal forums and marketplaces, selling access to compromised systems for amounts ranging from $100 to $1 million. Medusa affiliates rely on phishing campaigns and vulnerability exploitation to gain initial access, making it crucial for organizations to bolster their email security and patch known vulnerabilities. Once inside a system, Medusa operators use “living-off-the-land” (LotL) techniques, leveraging legitimate system tools to evade detection while conducting reconnaissance, data theft, and lateral movement.

Given Medusa’s evolving tactics, cybersecurity experts stress the importance of proactive defense measures. Organizations should deploy security patches, implement network segmentation, and restrict access to critical services from untrusted sources. Dan Lattimer, area vice president for Semperis in the UK and Ireland, emphasized the need for an “assumed breach” mindset, urging companies to shift from a prevention-focused approach to rapid detection, response, and recovery. 

As ransomware attacks grow more sophisticated, organizations must remain vigilant, continuously updating their cybersecurity strategies to mitigate risks and strengthen their defenses against threats like Medusa.
Read more »
User Security
Cyber Crime Pressure Tactics Ransom Payment ransomware attacks User Security

Turning The Screws: Pressure Techniques Used by Ransomware Outfits

 

Over the past ten years, ransomware attacks have increased in frequency and sophistication. While exploits like social engineering and unpatched software may help with an initial breach, it's the coercive tactics that force victims to make rash and emotionally charged decisions, like paying the ransom. 

Below are three of the most common tactics used by ransomware perpetrators to persuade victims into complying with their extortion demands.

1. Fear and humiliation 

Fear is a potent emotion that threat actors use. When a victim's documents are encrypted, the message is usually clear: pay the ransom or lose your data forever. In addition to the fear of data loss, cybercriminals use the threat of humiliation to demand ransom in order to prevent the disclosure of sensitive information such as company files, financial data, or personal images. 

Cybercriminals sometimes go one step further by threatening legal action, especially in highly regulated sectors like healthcare or finance: Pay the ransom, or we'll denounce you to the authorities. Due to the increased pressure, victims are compelled to take action out of fear about possible legal action. 

2. Deadlines and ultimatums

Most ransomware demands include a tight deadline to intensify the pressure. Attackers usually give victims a deadline, like 48 hours, to comply, frequently along with a clear warning of the repercussions. Some ransomware programs show a countdown meter, which acts as a continual reminder that time is running out, to further exacerbate panic. Attackers may raise the stakes, such as making some of the stolen material publicly available, or double the ransom if the deadline is missed.

3. False hope and fake assurances 

False promises are another tactic used by ransomware operators to trick victims into believing there is a possible solution. However, victims are merely coerced into complying by this hope. Attackers may provide a solution like a trial decryption tool to "prove" their solution works, a discount for speedy payment, or an extension on the payment deadline—tactics intended to strengthen the notion that paying the ransom would result in a complete recovery.

In reality, just 4% of individuals who pay are able to restore all their data. Furthermore, criminals frequently say that if the ransom is paid, the stolen data will be completely destroyed and the victim will be left alone. However, 78% of victims who pay report recurring attacks, proving that these assurances are nothing more than intentional deception. 

Mitigation tips 

The following are some best practices that can help organisations in handling these pressure tactics: 

Preparedness:    Ransomware attacks can happen to anyone. Employers must provide clear instructions and techniques for their employees to follow, as well as teach them how to respond and report in stressful situations while remaining calm and composed. 

Avoiding impulsiveness:  Avoid making decisions primarily based on emotional factors such as anxiousness or desperation. Evaluate all available information and investigate possible solutions and alternatives. 

Not making a payment right away: Don't ever give in to the urge to pay. Speak with law enforcement, cybersecurity experts, and skilled ransomware negotiators, or get advice from cyber insurance companies. Investigate backups and other recovery options. Online decryptors may even be accessible for some ransomware strains.
Read more »
Security Vendors
Cyber Attacks Cyber attacks on Industrial leaders IBM research ransomware attacks Ransomwares resilience Security Vendors

Cyberattacks on Single Points of Failure Are Driving Major Industry Disruptions


Cybercriminals are increasingly targeting single points of failure within companies, causing widespread disruptions across industries. According to cybersecurity firm Resilience, attackers have shifted their focus toward exploiting key vulnerabilities in highly interconnected organizations, triggering a “cascading effect of disruption and chaos downstream.” This strategy allows cybercriminals to maximize the impact of their attacks, affecting not just the initial target but also its partners, clients, and entire industries. 


The financial consequences of these attacks have been severe. According to IBM research, the global average cost of a data breach in 2024 was nearly $4.9 million. However, some breaches were far more expensive. One of the most significant incidents involved a ransomware attack on Change Healthcare, a subsidiary of UnitedHealth that processes billions of medical claims annually. UnitedHealth reported that the attack cost the company $3.1 billion in response efforts, making it one of the most financially damaging cyber incidents in recent history. 

The attack caused major disruptions across the healthcare sector, impacting hospitals, insurance providers, and pharmacies. John Riggi, national cybersecurity advisor for the American Hospital Association, described the incident as “the most significant and consequential cyberattack in the history of U.S. health care.” Another major ransomware attack targeted CDK Global, a software provider for car dealerships across the U.S. The breach resulted in over $1 billion in collective losses for affected dealerships, according to estimates from Anderson Economic Group. 

This attack further demonstrated how cybercriminals can cripple entire industries by targeting critical service providers that businesses rely on for daily operations. Resilience’s analysis indicates that third-party risk has become a dominant driver of cyber insurance claims. In 2024, third-party breaches accounted for 31% of all claims filed by its clients. While the number was slightly higher in 2023 at 37%, none of those incidents resulted in material financial losses. The report also found that ransomware targeting vendors has become a significant concern, contributing to 18% of all incurred claims.  

Ransomware remained the top cause of financial loss in cyber incidents last year, responsible for 62% of claims involving monetary damages. However, Resilience’s research suggests that while ransomware remains a major threat, its frequency may be declining in broader markets. This trend is attributed to cybercriminals shifting their focus from random, large-scale attacks to more strategic operations against high-value targets that offer larger payouts. 

The evolving threat landscape underscores the need for organizations to strengthen cybersecurity measures, particularly in highly interconnected industries. With cyberattacks becoming more sophisticated and financially motivated, businesses must prioritize risk management, enhance third-party security assessments, and invest in cyber resilience to prevent large-scale disruptions.
Read more »
ransomware payments
Cyber Security cybersecurity trends Law enforcement takedowns ransomware attacks ransomware payments

Ransomware Payments Plummet in 2024 Despite Surge in Cyberattacks

 

The past year witnessed a series of devastating ransomware attacks that disrupted critical sectors. Cyber extortion groups targeted Change Healthcare, crippling hundreds of US pharmacies and clinics, exploited security loopholes in Snowflake's customer accounts to infiltrate high-profile targets, and secured a record-breaking $75 million from a single victim.

Despite these high-profile incidents, data reveals an unexpected trend: overall ransomware payments declined in 2024, with the second half of the year experiencing the steepest drop ever recorded. A report by cryptocurrency analytics firm Chainalysis shows that ransomware payments totaled $814 million in 2024, marking a 35% decrease from the record $1.25 billion paid in 2023. The decline became more pronounced between July and December, when hackers collected only $321 million, compared to $492 million in the first half of the year—representing the largest six-month reduction in ransomware payments observed by Chainalysis.

“The drastic reversal of the trends we were seeing in the first half of the year to the second was quite surprising,” says Jackie Burns Koven, head of cyber threat intelligence at Chainalysis. She attributes this shift to law enforcement takedowns and disruptions, some of which had delayed effects as organizations grappled with major breaches.

Significant law enforcement actions in late 2023 and early 2024 targeted major ransomware groups. Just before Christmas in 2023, the FBI exploited vulnerabilities in BlackCat (AlphV)'s encryption software, distributed decryption keys to victims, and dismantled the group’s dark-web infrastructure. In February 2024, the UK's National Crime Agency (NCA) struck a major blow against Lockbit, seizing its cryptocurrency wallets and exposing its cybercriminal network.

Initially, both groups appeared to recover. AlphV orchestrated a major attack on Change Healthcare, disrupting payments at US pharmacies and extorting $22 million. Lockbit quickly reestablished its operations through a new dark-web platform. However, law enforcement actions had deeper consequences than initially apparent. AlphV executed an “exit scam,” disappearing with the ransom and leaving its hacker affiliates empty-handed. Lockbit’s operations also diminished following the NCA’s crackdown, with distrust growing in cybercriminal circles after authorities identified its alleged leader, Dmitry Khoroshev. In May 2024, the US Treasury imposed sanctions on Khoroshev, complicating ransom payments to the group.

New Ransomware Gangs Struggle to Match Predecessors

While emerging ransomware groups attempted to fill the void left by these takedowns, many lacked the sophistication to target high-value victims. “Their talent is not quite as robust as their predecessors,” notes Burns Koven. As a result, ransom demands shrank, often amounting to tens of thousands rather than millions of dollars.

Although 2024 saw an increase in ransomware attacks—4,634 incidents compared to 4,400 in 2023—lower ransom payouts suggest that newer cybercriminals prioritized volume over impact. “What we're seeing in terms of payments is a reflection of newer threat actors being attracted by the amount of money that they see you can make in ransomware, trying to get into the game and not being very good at it,” says Allan Liska, a threat intelligence analyst at Recorded Future.

Stronger Cyber Defenses and Cryptocurrency Regulations

Beyond law enforcement interventions, the decline in payments is also linked to heightened awareness and improved cybersecurity measures. Governments and institutions have implemented stronger ransomware response strategies, while increased cryptocurrency regulation and crackdowns on illicit financial channels have complicated ransomware payments. Authorities have particularly targeted crypto mixers, tools used by cybercriminals to anonymize transactions.

Despite the downward trend in payments, historical data suggests that ransomware remains cyclical. In 2022, total payments fell to $655 million, down from $1.07 billion in 2021, only to surge again in 2023 to $1.25 billion. Experts caution against interpreting short-term declines as long-term victories. “If the baddies had a couple of brilliant quarters, a dip will follow, same as if the goodies had some good quarters,” says Brett Callow, managing director at FTI Consulting. “That’s why we really need to analyze trends over a longer period.”

Additionally, the true scale of ransomware payments remains difficult to quantify, as cybercriminals often inflate their success and many victims choose not to report attacks due to stigma or regulatory concerns.

Chainalysis researchers emphasize that the decline in ransomware payments should not be mistaken for a lasting solution. “We're still standing in the rubble, right? We can't go tell everyone, everything's great, we solved ransomware—they’re continuing to go after schools, after hospitals and critical infrastructure,” says Burns Koven. However, the data does serve as an important indicator that sustained investment in ransomware defense is yielding results.
Read more »
ransomware payments
Cybercrime Trends cybersecurity news Data Breach law enforcement crackdown Cyber Attacks ransomware attacks ransomware payments

Ransomware Payments Drop 35% in 2024 Amid Increased Resistance and Law Enforcement Crackdowns

 

Ransomware payments saw a significant decline in 2024, dropping 35% year-over-year to $813.55 million from the $1.25 billion recorded in 2023. Additionally, only about 30% of victims engaged in ransom negotiations proceeded with payments.

These insights, reported by blockchain intelligence firm Chainalysis, highlight a downward trend despite 2024 being a record-breaking year for ransomware attacks. A notable incident involved a Fortune 50 company paying $75 million to the Dark Angels ransomware group—the largest known payout of the year. Meanwhile, cybersecurity firm NCC Group recorded 5,263 successful ransomware breaches in 2024, marking the highest-ever attack volume.

Despite the increase in attacks, ransomware actors are facing difficulties in extorting payments. Chainalysis noted a surge in disclosures on data leak sites, indicating that cybercriminals are resorting to increased exposure tactics to pressure victims. However, a growing number of organizations are resisting ransom demands.

This shift is driven by heightened cybersecurity awareness, improved protective measures, and a realization that attackers’ promises to delete stolen data are often unreliable. Legal scrutiny has also played a role, pushing companies to forgo negotiations, instead opting to restore systems from backups while mitigating reputational risks.

Another critical factor behind the payment decline is the impact of law enforcement operations. In 2024, global agencies targeted ransomware groups, with ‘Operation Cronos’ taking down LockBit, one of the most prolific gangs. Additionally, the collapse of ALPHV/BlackCat created instability, leaving smaller groups unable to dominate the space, despite RansomHub’s attempts.

Chainalysis data indicates that even when ransoms were paid, they were often significantly reduced through negotiations. Cybercriminals are also facing increasing difficulties laundering their illicit earnings. Crackdowns on cryptocurrency mixers and non-compliant exchanges have forced ransomware actors to shift to alternative methods, such as cross-chain bridges, to obscure transactions.

Centralized exchanges remained the primary cash-out method in 2024, handling 39% of all ransomware proceeds. However, an increasing number of affiliates are now opting to hold funds in personal wallets, wary of law enforcement tracking and potential arrests.

Despite the surge in ransomware activity, victims are becoming more resistant, and law enforcement is tightening its grip, signaling a potential long-term shift in the cybersecurity landscape.
Read more »
Sophos
Cyberbreaches CyberCrime Fake IT Support malware Micrpsoft Teams ransomware attacks Sophos

Fake IT Support Used by Ransomware Gangs in Microsoft Teams Breaches

 


The Sophos security team has identified two ransomware campaigns that are utilizing Microsoft Teams to steal data from organizations, and the crooks may be allied with Black Basta and FIN7. In the X-Ops Managed Detection and Response (MDR) service, Sophos X-Ops responds to incidents related to two different groups of threat actors. In each case, the attackers gained access to targeted organizations by using the Microsoft Office 365 platform to steal data and deploy ransomware to steal data. 

This pair of separate clusters of activity were investigated by Sophos MDR in November and December 2024 as a result of customer reports, and the threat is tracked as STAC5143 and STAC5777, respectively. The two groups are utilizing Microsoft Office 365 services, including Teams and Outlook, to gain access to victim organizations, according to Sophos, who has observed over 15 incidents in just the past two weeks, the majority of which took place between November and December 2024. 

According to Sophos, the attackers took advantage of a Microsoft Teams configuration that allows users from external domains to initiate chats or meetings with internal users, thereby taking advantage of a default configuration, he warned. As a result of threat actors exploiting Microsoft Teams to pose as tech support personnel, attackers gain initial access to victim organizations by using the platform, and their goal is to steal data and deploy ransomware, according to a report released on Tuesday by Sophos, which examined ongoing threat campaigns related to these two threats. 

A customer who received over 3,000 spam emails in 45 minutes in November of last year first brought STAC5143 to the attention of the Sophos team. Shortly thereafter, a Microsoft Teams call from outside the organization, coming from a bogus "Help Desk Manager" account, reached out to the customer, and he was instructed to allow a remote screen control session through Microsoft Teams to resolve the issue. 

As it turned out, the attacker was exploiting this vulnerability to inject malicious files into the victim's computer as well as infect the computer with malware by opening a command shell and dropping some files on it. The attacker had downloaded a Java archive (JAR) file (MailQueue-Handler.jar), as well as Python scripts (RPivot backdoor). As soon as the attackers have established a command-and-control channel with their target, they utilize the target's credentials to disable multifactor authentication and antivirus protections. 

They then connect to other computers in the network and move laterally to compromise additional computers and systems. Java code performed some reconnaissance work as well, mostly scoping out the user's account name and local network, before extracting and running from the snow.zip archive the payload contained a Python-based backdoor that could be used to remote control the Windows computer remotely. 

Python code included a lambda function to obfuscate the malware, which matched Python malware loaders previously spotted as part of the FIN7 malware campaign.  Two other Python pieces were extracted as part of the malware, including copies of the publicly available reverse SOCKS proxy RPivot, which FIN7 had previously used in its earlier attacks. 

As with the STAC5777 attacks, the malware started with large amounts of spam emails being sent to targeted organizations, followed by team messages claiming to be from the organization's IT department and requesting that they be contacted to stop the spam. CyberScoop spoke to Sean Gallagher, Sophos's principal threat researcher, and the study's lead author. 

Gallagher explained that his team had observed multiple individuals and at least 15 organizations using these tactics, and most of them were blocked before they were able to compromise the device they were attempting to compromise. Using the social engineering technique of posing as a technical support representative is a well-known social engineering method used by malicious hackers to compromise large, multinational companies.

Cybercriminal groups such as Lapsus$ have used this scheme for several years to compromise large, multinational corporations. It is, however, mainly smaller organizations that have been targeted by Office 365 and Teams, and it illustrates how threat groups have increasingly capitalized on the rush by small and mid-sized businesses to adopt cloud computing and digitization, especially after the COVID-19 virus pandemic. 

A significant portion of these small organizations were left vulnerable by the fact that, for the first time, they were using unfamiliar software like Microsoft Office 365, Teams, and Azure. It is a piece of malware, winhttp.dll, that is sideloaded into a legitimate oneDriveStandaloneUpdater.exe process, which is then relaunched by a PowerShell command when Windows starts up. Through the Windows API, the malicious DLL logs the user's keystrokes, gathers credential information from files and the registry, and scans the network for potential pivot points via SMB, RDP, and WinRM. 

Once a C2 connection has been established, the OneDriveStandaloneUpdater.exe process is started and a check is performed to see if there are any Remote Desktop Protocol hosts or Windows Remote Management hosts that can be accessed with stolen credentials. It appears that the attackers then attempted to move laterally to other hosts to continue their attack. 

One instance of this was when the attackers used the backdoor to uninstall local multifactor authentication integration on a compromised device, and Sophos has also found that the attackers have been hoovering up local files whose names contained the word "password". In one instance, STAC5777 was trying to infect the machine with the Black Basta ransomware - even though Sophos assured that its security protections blocked it from infecting the machine. 

According to the researchers, the threat actor has access to Notepad and Word files that have the word "password" in them. Moreover, the attackers also accessed two Remote Desktop Protocol files, likely searching for credentials. To prevent external domains from initiating messages and calls on Microsoft Teams and disabling Quick Assist in critical environments, organizations should consider implementing these tactics in the ransomware space as they become more prevalent.
Read more »
Ransomwares
Andariel Cyber Attacks FortiOS Play ransomware Play ransomware variant ProxyNotShell ransomware attacks Ransomwares

Play Ransomware Threat Intensifies with State-Sponsored Links and Advanced Tactics

 

Play ransomware continues to be a formidable cybersecurity threat, with over 300 successful attacks reported globally since its first detection in 2022. Named for the “.PLAY” extension it appends to encrypted files, this ransomware has been linked to Andariel, a North Korean state-sponsored hacking group operating under the Reconnaissance General Bureau. 

This connection highlights the increasing involvement of state-backed actors in sophisticated cybercrime campaigns targeting both public and private sector organizations worldwide. Recent analysis by AhnLab sheds light on how Play ransomware gains access to its victims’ networks. The attackers exploit vulnerabilities in widely used software systems or misuse valid user accounts. 

Known flaws in Microsoft Exchange Server’s ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082) and Fortinet’s FortiOS (CVE-2020-12812 and CVE-2018-13379) have been frequently abused by these attackers. After infiltrating a network, they use port scanning techniques to gather information about active systems and services, collect Active Directory data, and identify paths for privilege escalation. These escalated privileges allow the attackers to obtain administrator-level access, steal credentials, and ultimately gain control over the domain environment. 

One of the key challenges in detecting Play ransomware lies in its ability to blend malicious activities with legitimate operations. The attackers often use tools like Process Hacker to disable security products. Many of these tools are not inherently malicious and are commonly used for legitimate purposes, making it difficult for security systems to distinguish between normal and nefarious activities. This ability to evade detection underscores the sophistication of Play ransomware and its operators. 

The impact of a Play ransomware attack goes beyond encryption. Like many modern ransomware variants, Play uses double-extortion tactics, exfiltrating sensitive data before locking systems. This exfiltrated data is then leveraged to pressure victims into paying ransoms by threatening to leak the information on dark web forums. The combination of system disruption and the risk of public data exposure makes Play ransomware particularly damaging to its targets. To mitigate the risks posed by Play ransomware, cybersecurity experts and the Federal Bureau of Investigation (FBI) recommend implementing proactive defenses. 

Organizations should ensure that software, operating systems, and firmware are regularly updated to address vulnerabilities. Phishing-resistant multi-factor authentication (MFA) is crucial to reduce the risk of unauthorized access, while employee training on recognizing phishing attempts remains essential. Additionally, network segmentation can limit the attackers’ ability to move laterally, reducing the overall impact of an attack. 

Play ransomware illustrates the evolving complexity of cyber threats, particularly those linked to state-sponsored groups. Its reliance on exploiting known vulnerabilities, combined with its use of legitimate tools, highlights the critical need for organizations to adopt comprehensive cybersecurity measures. By prioritizing vulnerability management, user education, and proactive defenses, organizations can better protect themselves against the ongoing threat posed by Play ransomware and similar cyber campaigns.
Read more »
weekend cybersecurity
Cyber Security healthcare sector security holiday cyber threats Jeff Wichman Semperis ransomware attacks weekend cybersecurity

75% of Ransomware Attacks Target Healthcare on Holidays: Expert Insights

 


Approximately 75% of ransomware attacks on the healthcare sector over the past year occurred during weekends or holidays, highlighting the urgency for organizations to strengthen their staffing and security measures during these high-risk periods. Jeff Wichman, director of incident response at security firm Semperis, emphasized the need for proactive preparation.

"In reality, we should be staffing up because if the attackers know for a fact that on weekends we, as citizens, take time off. Organizations should be staffing up into the holiday season. Not down," Wichman stated.

However, many healthcare organizations face significant staffing constraints, making it challenging to ensure adequate coverage on weekends and holidays. "In that case, then it's working with partners," he explained. "If the firm can afford to get a security operation center, a managed service provider that can provide that coverage on weekends and holidays. Perfect. But you've got to make sure that they're staffed completely during the holiday and weekend seasons, as well."

Wichman also stressed the importance of being prepared for worst-case scenarios by conducting regular recovery drills and testing system restoration processes. "That includes practicing recovery drills, bringing back your critical assets in a timely fashion, really understanding how long does it take to bring back operations, and not from a theoretical," he said. Organizations cannot assume they can "just push a button, and the backup will restore the domain controller. There are more steps involved," he warned.

"They really need to get that real-time, objective [process] nailed down," Wichman concluded.

In an interview with Information Security Media Group, Wichman also discussed critical topics such as:

  • The importance of testing and validating backups;
  • Common identity management mistakes that lead to security vulnerabilities;
  • The potential impact of upcoming cybersecurity regulations in the healthcare industry.

With over 20 years of experience in information security, Wichman has handled a wide range of incident response investigations, from minor business email breaches to significant ransomware attacks. As an expert in digital forensics and incident response, his insights highlight the critical steps healthcare organizations must take to fortify their defenses against cyber threats.

Read more »
ransomware attacks
Cyber Security Cyberattacks CyberCrime Hoboken Cyber Incident ransomware attacks

Hoboken Cyber Incident Disrupts City Operations

 



Hoboken's city government has fallen victim to a ransomware attack, forcing the closure of City Hall and the suspension of online municipal services. The attack, which occurred in the early hours of Wednesday, Nov. 27, disrupted several city functions, prompting swift action from local authorities. 
 

Service Disruptions and Response  

 
The Hoboken Police Department and the city's IT department are actively investigating the incident and working to restore services. Key actions taken in response to the attack include:   
 
- Municipal Court canceled for the day. 
- Street sweeping suspended for the remainder of the day, although other parking regulations remain in effect. 
- Waste collection and recreation programs proceeding as scheduled, providing some continuity amidst the disruption.   
 
To ensure continued legal and administrative operations, municipal court and police-related matters have been temporarily transferred to the Secaucus Police Department and municipal courts in Secaucus.   
 

Impact and Ongoing Investigation   

 
Authorities have described the ransomware as malicious software designed to block access to critical systems and demand a ransom for their release. The FBI and the Internet Crime Complaint Center are assisting in identifying the malware, known as Audacy, and determining the extent of the damage.  
 
City officials have advised residents to:   
 
- Stay updated through official communication channels. 
- Remain vigilant against potential phishing scams or fraudulent activities targeting municipal customers.   
 

Cybersecurity Challenges for Municipal Systems   

 
The Hoboken attack underscores the growing vulnerability of municipal systems as cities increasingly adopt digital infrastructure. Experts emphasize the importance of robust cybersecurity measures, including regular system updates and security patches, employee training to recognize cyber threats, and comprehensive incident response plans to mitigate disruptions and safeguard critical data.  
 
As the investigation continues, Hoboken’s administration is focused on restoring services and minimizing the impact on residents. Updates will be provided regularly to keep the public informed and ensure a swift return to normalcy.
Read more »
ransomware attacks
Critical Infrastructure Cyber Attacks CyberCrime Cybersecurity CyberThreat Oilfield Supplier ransomware attacks

Texas Oilfield Supplier Operations Impacted by Ransomware Incident

 


About two months before the Newpark Resources attack, oilfield services giant Halliburton had been afflicted with a cyberattack that it then disclosed in a regulatory filing, which occurred about two months earlier.  Last week, Halliburton, the world's largest energy services provider, announced that about $35 million in expenses were incurred because of the attack. Still, the impact on the company's finances is relatively small, especially considering Halliburton is one of the world's largest energy services providers.  

There was an incident in August when Halliburton, a global provider of services for the energy industry, had to shut down the systems of some of its subsidiaries due to a cyber attack. In most cases, this type of breach involves unauthorized access by third parties; oftentimes, this leads to operations being disrupted, systems being shut down, and incident response plans being activated as a result of the breach. A cyber-response plan was activated at that time and a comprehensive investigation was conducted internally with the assistance of external advisors to assess and remedy any unauthorized activity that the company was aware of at that time.  

Halliburton announced last week that in its third-quarter results it incurred a pretax charge of $116 million as a result of severity costs, impairment of assets held for sale, expenses related to cybersecurity incidents, gains on equity investments, and other items. The company said in the release that it recorded a pretax charge of $116 million in the third quarter of 2024. In a report released on Tuesday, Halliburton's chairman, president, and CEO, Jeff Miller, said that Halliburton "experienced a $0.02 per share impact on its adjusted earnings from storms in the Gulf of Mexico and in the Gulf of Mexico due to the August cybersecurity event." 

While the update is not in any way noteworthy, Andy Watkin-Child, founding partner at Veritas GRC told LinkedIn it shows cyber incidents are moving to the top of the corporate agenda, in a post on the social media platform. The board of directors is more transparent, as required by the Securities and Exchange Commission when it comes to the impact of cyber incidents. Following the attack on Halliburton, the company had to postpone billing and collection activities, as well as put a halt on its share buyback program. 

According to the company, the full impact will not be material for the company's operations in the long run.   The Newpark Resources Group announced this week that access to certain information systems and business applications has been disrupted due to a ransomware attack that has hit their network. According to a filing with the Securities and Exchange Commission (SEC), the incident was discovered on October 29 and a cybersecurity response plan was activated immediately, the Texas-based company that provides drilling fluids systems and composite matting systems for the oilfield sector, said in its statement. 

In his statement, Newpark stated that "the incident has caused disruptions and limitations in access to certain of the company's information systems and business applications that support aspects of the company's operations and corporate functions, including financial and operational reporting systems", and the company is still paying the price. To continue operating uninterruptedly, the company reverted to downtime procedures, allowing it to safely continue manufacturing and field operations during the downtime period.  

Based on the company's current understanding of the facts and circumstances regarding this incident, this incident appears not to have a reasonably likely impact on the company's financial situation or its results of operations, the company said in a statement. Newpark declined to provide information about how the attackers accessed its network, as well as who might have been responsible for the incident, nor did it explain how they gained access. No ransomware group is known to be claiming responsibility for the attack, according to SecurityWeek. 

About two months before the Newpark Resources breach, there was also a cyberattack on oilfield services giant Halliburton that was also announced in a regulatory filing by that company.  The company has just reported that as a result of the attack, Halliburton has incurred approximately $35 million in expenses. However, given that the company is one of the leading energy service companies in the world, the financial impact is relatively small.  

The incident at Newpark Resources highlighted the importance of network segmentation in protecting networks, according to Chris Grove, director of cybersecurity strategy at Nozomi Networks. He says that when networks are under attack, network segmentation can ensure their security.  According to Grove, separating OT from IT is one way to minimize the risk of a security breach and possibly hurt key operations if there is a breach. However, organizations are facing an increasingly pressing challenge: securing the advantages of segmentation while enabling controlled connectivity, which is becoming increasingly difficult to maintain. 

Cybersecurity Dive has been informed by researchers from NCC Group via email that there has been no public leak of data from the Newpark Resources attack and that there has been no claim made regarding the leak.  Neither the company nor the company's shareholders have been able to determine what costs and financial impacts will be associated with this incident, but about the company's financial condition and results of operations, they believe that the attack "is not reasonably likely to have a material impact."

As a manufacturer, seller, and rental company, Newpark Resources is dedicated to serving the petroleum industry and various other sectors related to energy, such as pipelines, renewable energy, petrochemicals, construction, and oilfields. In its Thursday earnings report, the Woodlands, Texas-based company disclosed quarterly revenue exceeding $44 million and projected an annual revenue reaching up to $223 million. This performance underscores the company's strong market presence despite recent challenges, though it remains under pressure following a recent ransomware attack by unidentified cyber actors. 

As of Thursday, no specific hacking group had taken responsibility for the attack. The oil and gas sector recognized as a globally essential industry, has increasingly become a focal point for ransomware attacks. Due to the industry’s high financial stakes and critical role in infrastructure, it is often targeted by cybercriminals who expect ransom payments to restore access to compromised systems. Notably, ransomware incidents have affected major players in the sector. Over the past four years, corporations such as Shell, Halliburton, Colonial Pipeline, Encino Energy, Oiltanking, and Mabanaft have experienced cybersecurity breaches that have disrupted operations and prompted significant financial and reputational impacts.

These incidents have drawn heightened attention from government entities, prompting federal authorities to pursue enhanced cybersecurity measures across critical infrastructure sectors. The rise in ransomware attacks has spurred the government to implement stricter cybersecurity regulations, with mandates designed to bolster defense mechanisms within vulnerable industries.
Read more »
ransomware attacks
Critical Infrastructure Cyber Attacks cybersecurity in healthcare data security Healthcare Data Healthcare Industry ransomware attacks

WHO and Global Leaders Warn Against Rise of Ransomware Attacks Targeting Hospitals

 

On November 8, the World Health Organization (WHO) joined over 50 countries in issuing an urgent warning at the United Nations about the increase in ransomware attacks on healthcare systems worldwide. WHO Director-General Tedros Adhanom Ghebreyesus addressed the UN Security Council, emphasizing the critical risks these cyberattacks pose to public health and safety. He highlighted the growing frequency of attacks on hospitals, which could delay urgent care, disrupt essential services, and lead to life-threatening consequences. Calling for global cooperation, he described ransomware as an international security threat that demands a coordinated response. 

Ransomware is a form of cyberattack where hackers lock or encrypt a victim’s data and demand payment in exchange for releasing it. This form of digital extortion has escalated globally, affecting healthcare providers, institutions, and governments alike. In the healthcare sector, such attacks can be particularly devastating, compromising the safety of patients and healthcare workers. The joint statement, endorsed by nations such as Japan, South Korea, Argentina, France, Germany, and the United Kingdom, outlined the immediate dangers these attacks pose to public health and international security, calling on all governments to take stronger cybersecurity measures. The U.S., represented by Deputy National Security Adviser Anne Neuberger, directly blamed Russia for allowing ransomware groups to operate freely within its borders. 

According to Neuberger, some countries knowingly permit these actors to execute attacks that impact critical infrastructure globally. She called out Moscow for not addressing cybercriminals targeting foreign healthcare systems, implying that Russia’s inaction may indirectly support these malicious groups. Additional accusations were made against North Korea by delegates from France and South Korea, who highlighted the country’s alleged complicity in facilitating ransomware attacks. Russia’s UN representative, Ambassador Vassily Nebenzia, defended against these claims, arguing that the Security Council was not the right forum to address such issues. He asserted that Western nations were wasting valuable council time and resources by focusing on ransomware, suggesting instead that they address other pressing matters, including alleged attacks on hospitals in Gaza.  

WHO and the supporting nations warn that cybercrime, particularly ransomware, requires a global response to strengthen defenses in vulnerable sectors like healthcare. Dr. Ghebreyesus underscored that without collaboration, cybercriminals will continue to exploit critical systems, putting lives at risk. The joint statement also condemned nations that knowingly enable cybercriminals by allowing them to operate within their jurisdictions. This complicity, they argue, not only endangers healthcare systems but also threatens peace and security globally. 

As ransomware attacks continue to rise, healthcare systems worldwide face increasing pressure to strengthen cybersecurity defenses. The WHO’s call to action emphasizes that nations need to take ransomware threats as seriously as traditional security issues, working together to protect both patient safety and public health infrastructure.
Read more »
Ransomwares
Company Breach Cyber Attacks Cybersecurity awareness Data Theft Financial Data Breach Hackers ransomware attacks Ransomwares

How to Prevent a Ransomware Attack and Secure Your Business

 

In today’s world, the threat of cyberattacks is an ever-present concern for businesses of all sizes. The scenario of receiving a call at 4 a.m. informing you that your company has been hit by a ransomware attack is no longer a mere fiction; it’s a reality that has affected several major companies globally. In one such instance, Norsk Hydro, a leading aluminum and renewable energy company, suffered a devastating ransomware attack in 2019, costing the company an estimated $70 million. This incident highlights the vulnerabilities companies face in the digital age and the immense financial and reputational toll a cyberattack can cause. 

Ransomware attacks typically involve hackers encrypting sensitive company data and demanding a hefty sum in exchange for decryption keys. Norsk Hydro chose not to pay the ransom, opting instead to rebuild their systems from scratch. Although this route avoided funding cybercriminals, it proved costly in both time and resources. The question remains, what can be done to prevent such attacks from occurring in the first place? The key to preventing ransomware and other cyber threats lies in building a robust security infrastructure. First and foremost, organizations should implement strict role-based access controls. By defining specific roles for employees and limiting access to sensitive systems based on their responsibilities, businesses can reduce the attack surface. 

For example, financial analysts should not have access to software development repositories, and developers shouldn’t be able to access the HR systems. This limits the number of users who can inadvertently expose critical systems to threats. When employees change roles or leave the company, it’s essential to adjust their access rights to prevent potential exploitation. Additionally, organizations should periodically ask employees whether they still require access to certain systems. If access hasn’t been used for a prolonged period, it should be removed, reducing the risk of attack. Another critical aspect of cybersecurity is the implementation of a zero-trust model. A zero-trust security approach assumes that no one, whether inside or outside the organization, should be trusted by default. 

Every request, whether it comes from a device on the corporate network or a remote one, must be verified. This means using tools like single sign-on (SSO) to authenticate users, as well as device management systems to assess the security of devices trying to access company resources. By making trust contingent on verification, companies can significantly mitigate the chances of a successful attack. Moreover, adopting a zero-trust strategy requires monitoring and controlling which applications employees can run on their devices. Unauthorized software, such as penetration testing tools like Metasploit, should be restricted to only those employees whose roles require them. 

This practice not only improves security but also ensures that employees are using the tools necessary for their tasks, without unnecessary exposure to cyber risks. Finally, no security strategy is complete without regular fire drills and incident response exercises. Preparing for the worst-case scenario means having well-documented procedures and ensuring that every employee knows their role during a crisis. Panic and confusion can worsen the impact of an attack, so rehearsing responses and creating a calm, effective plan can make all the difference. 

 Preventing cyberattacks requires a combination of technical measures, strategic planning, and a proactive security mindset across the entire organization. Business leaders must prioritize cybersecurity just as they would profitability, growth, and other business metrics. By doing so, they will not only protect their data but also ensure a safer future for their company, employees, and customers. The impact of a well-prepared security system is immeasurable and could be the difference between an incident being a minor inconvenience or a catastrophic event.
Read more »
ransomware attacks
Cyber Attacks CyberCrime Cyberhackers Cybersecurity Cyberthreats Hospitals ransomware attacks

Cyberattack Impacts Georgia Hospital, Colorado Pathology Services

 


The number of hospitals that have been affected by ransomware, business email compromise, and other cyber threats is increasing across all sectors, from small community hospitals such as Memorial Hospital and Manor in Bainbridge, Georgia, to those with a large number of beds.  In his opening keynote address at the HIMSS Healthcare Cybersecurity Forum last week in Washington, D.C., Greg Garcia, executive director of the Health Sector Coordinating Council Cybersecurity Working Group, indicated that there is now an average of two data breaches conducted every day within the American health care system. 

People who work in hospitals and health systems are often targeted by cyber threat actors exploiting the basic vulnerabilities of their systems and taking advantage of the vulnerabilities. To illustrate these types of breaches, Kaiser Permanente, one of the country's largest health systems, said it had sent a notice Sunday to those in Southern California whose personal health data had been compromised as a result of unauthorized access to two email accounts of employees. 

The bad guys can also be skilled at exploiting their victim's vulnerability, with sophisticated social engineering techniques coupled with phishing attacks that focus on bots. As part of a cyber exploit, originally discovered earlier this month, Summit Pathology, an independent pathology service provider based in Colorado, had patient data associated with more than 1.8 million people exfiltrated from its system. 

In a report issued by Kaiser Permanente, it was reported that an unauthorised third party gained access to the email accounts of two employees and was able to view the health information of patients. As the U.S. grows and grows, ransomware, business email compromise, and other cyber threats are causing disruptions to care for millions of people across the nation, including small community hospitals such as Memorial Hospital and Manor in Bainbridge, Georgia, as well as the largest providers. 

A recent study conducted by the Health Sector Coordinating Council Cybersecurity Working Group found that the United States amounted to two data breaches per day on average, Greg Garcia, executive director of the ASHC Cybersecurity Working Group, said in his opening address at the HIMSS Healthcare Cybersecurity Forum, held in Washington, DC, last week. In many cases, cybercriminals target people who work in hospitals and health systems to exploit weaknesses in the system. A health system in Southern California posted a notice informing its members on Friday there was an issue about the security of health information that was discovered on September 3. 

A notice on the company's website advised that two of its employees' email accounts had been accessed by an unauthorized party, according to the notice. "Immediately following the discovery of this incident, Kaiser Permanente terminated the unauthorized access and immediately began investigating to determine the scope of the access." this statement was made by Kaiser Permanente. It was found that some protected health information about some patients were included in the email's contents after we validated them." 

According to the health system, although Social Security numbers and financial information were not involved, protected health information, such as first and last names, dates of birth, medical records numbers, and medical information, had the potential to be accessed and/or viewed by third parties. As part of Kaiser Permanente's maintenance of health system operations, affected individuals were contacted directly by the company, Kaiser Permanente said. There is evidence out there that on October 18, Summit Pathology of Loveland, Colorado, reported to the Department of HHS that there are 1,813,538, whose data had been breached in a hacking incident, in which their data has been compromised. 

 As outlined in the pathology services company's notice on its website, the impacted systems contained data such as names, addresses, medical billing and insurance information, certain medical information such as diagnosis, demographic information such as dates of birth, social security numbers, and financial information. There was an incident that occurred on or around April 18 when Summit announced it had noticed suspicious activity on its computer network and that it had taken the necessary steps to secure it, including contacting third parties to assist in the investigation. 

The affected healthcare entities have reported that they successfully identified files that unauthorized individuals may have accessed or acquired during the ransomware attack. In response to the incident, Summit conducted a thorough review of its internal policies and procedures. Following this review, they implemented additional administrative and technical safeguards to strengthen security and mitigate the risk of future attacks. 

On October 31, the Murphy Law Firm, based in Oklahoma City, stated its involvement in the case. The firm announced that it is pursuing a class action lawsuit and actively investigating claims related to the breach. According to Murphy Law Firm, Summit’s forensic investigation revealed that cybercriminals were able to infiltrate the organization's inadequately secured network, leading to unauthorized access to sensitive data files. The law firm is now seeking to hold Summit accountable for the potential data security lapses that may have enabled the breach.
Read more »
Wayne County Michigan
Cyberattack Data Breach double-extortion encryptor FreeBSD servers Interlock ransomware ransomware attacks Trend Micro Wayne County Michigan

Interlock Ransomware: New Threat Targeting FreeBSD Servers and Critical Infrastructure Worldwide

 

The Interlock ransomware operation, launched in late September 2024, is increasingly targeting organizations around the globe. Distinctly, this new threat employs an encryptor specifically designed to attack FreeBSD servers, a relatively uncommon tactic among ransomware groups.

Interlock has already affected six organizations and publicly leaked stolen data after ransoms went unpaid. One prominent victim, Wayne County in Michigan, experienced a cyberattack early in October, adding to the list of affected entities.

Details about Interlock remain limited, with early reports emerging from cybersecurity responder Simo in October. Simo's analysis noted a new backdoor associated with the ransomware, discovered during an investigation on VirusTotal.

Shortly after, MalwareHunterTeam identified a Linux ELF encryptor related to Interlock. Upon further examination, BleepingComputer confirmed that this executable was built specifically for FreeBSD 10.4, though attempts to execute it in a FreeBSD environment failed.

Although ransomware targeting Linux-based VMware ESXi servers is common, an encryptor for FreeBSD is rare. The now-defunct Hive ransomware, disrupted by the FBI in 2023, was the only other known operation with a FreeBSD encryptor.

Trend Micro researchers shared additional samples of the Interlock FreeBSD ELF encryptor and a Windows variant, noting that FreeBSD is often used in critical infrastructure. This likely makes it a strategic target for Interlock, as attacks on these systems can lead to significant service disruptions.

Trend Micro emphasizes that Interlock’s focus on FreeBSD infrastructure allows attackers to disrupt essential services and demand high ransoms, as these systems are integral to many organizations’ operations.

It is important to note that Interlock ransomware is unrelated to any cryptocurrency token of the same name.

While BleepingComputer encountered issues with running the FreeBSD encryptor, they successfully tested the Windows version, which performed actions like clearing event logs and deleting the main binary using rundll32.exe if self-deletion is enabled.

When encrypting files, Interlock appends the .interlock extension and generates a ransom note titled "!README!.txt" in each affected folder. The note explains the encryption, threats, and includes links to a Tor-based negotiation site where victims can communicate with the attackers. Each victim receives a unique ID and email for registration on this negotiation platform.

During attacks, Interlock breaches networks, steals sensitive data, and then deploys the encryptor to lock down files. The data theft supports a double-extortion scheme, with threats to leak data if ransoms—ranging from hundreds of thousands to millions of dollars—are not paid.
Read more »
ransomware attacks
Columbus Data Breach CyberCrime Cyberhackers Cybersecurity CyberThreat Data Breach ransomware attacks

Columbus Data Breach Affects 500,000 in Recent Cyberattack

 


In July, a ransomware attack on Columbus, Ohio, compromised the personal information of an estimated 500,000 residents, marking one of the largest cyber incidents to affect a city in the United States in recent years. There has been great interest in the attack linked to the Rhysida ransomware group due to the extent of the data stolen as well as the controversy surrounding the city's response. 

The City of Columbus, the state capital of Ohio, has confirmed that hackers stole data from 500,000 residents during a ransomware attack in July, locking them out.  The City of Columbus confirmed in a filing with the state attorney general that a "foreign cyber threat actor" had infiltrated the city's network to access information about residents, including their names, dates of birth, addresses, ID documents, Social Security numbers, and bank accounts.  

With a population of 900,000 people, the city in Ohio has the largest population of any municipality in the state, with around half a million people affected by the flooding, but the exact number of victims has yet to be determined.  In a regulatory filing, the city revealed that it had "thwarted" a ransomware attack on July 18 of this year, which was the effect of disconnecting its network from the internet to thwart the attack. This attack has been claimed by the Rhysida ransomware group, which specializes in crypto-ransomware attacks.

Cybercriminals believed to be connected to Russian threat actors sought a ransom from Columbus in the initial stages of the attack, claiming that 6.5 TB of data was stolen by this group. It is alleged that Rhysida introduced 3.1 TB of data from this database to the dark web leak site after negotiations with the city failed. A significant data breach in the public sector has occurred within the last two years as a result of this exposure. 

 According to Rhysida, the ransomware gang, the attack occurred the same day. They claim they have stolen databases containing 6.5 TB of data, including information about staff credentials, video feeds from the city camera system, and server dumps, along with other sensitive data. There has been no increase in the amount of stolen data that is now being published on the dark web leak portal of the gang because they failed to extort the City. Some 45% of the stolen data includes 260,000 documents (3.1 TB) on this portal. 

There was no need to be concerned about the leak of the data because the data was "encrypted or corrupted" as the mayor of Columbus Andrew Ginther said in his statement to the Columbus media. As a result, David Leroy Ross (aka Connor Goodwolf) of the Security Research Group, a British security research company, refuted the Mayor's claim by sharing some samples of the leaked data with press outlets, which showed that it contained unencrypted personal information belonging to city employees, residents, and visitors. 

As of early August, Columbus had filed a lawsuit against security researcher David Leroy Ross, escalating the situation to a point where it became an extreme situation. In an announcement to the local media, Ross, who goes by the username "Connor Goodwolf", reported that residents' personal information had been uploaded on the dark web. According to the disclosure, Columbus officials had earlier claimed that only unusable, corrupted data had been stolen, which was contrary to the new disclosure.

The first cyber analysts to investigate the stolen data discovered a significant volume of sensitive files among them databases, password logs, cloud management files, employee payroll records, and even footage culled from city traffic cameras in the aftermath of Ross's revelations. In response to this attack, the city said it has committed to improving its cybersecurity protocols in the future to prevent similar attacks from happening again. 

In Columbus, a town of approximately 915,000 people, the Maine Attorney General's Office received a report from the city informing them that the breach may affect approximately 55% of its citizens. Those affected by this tragedy will receive two years of free credit monitoring and identity protection services as a gesture of goodwill from the city. The city of Columbus has been put under increasing public pressure to ensure that data is protected and transparent communications about the extent of the breach are made in light of rising public pressure. As a result of the City's lawsuit, Goodwolf is alleged to have spread stolen data illegally and negligently. 

There was a request for monetary damages with a request for a temporary restraining order and a permanent injunction, and the researcher was ordered to stop further dissemination of the leaked data to prevent future disclosures. It was decided in December 2011 that a temporary restraining order would be issued in Franklin County prohibiting Goodwolf from downloading and disseminating the data they stole from the City.

The City had previously claimed that the leaked data was useless, but as shown in breach notification letter samples filed with the Maine Attorney General's Office, despite its claims, it informed 500,000 people in early October that some of their financial and personal information had been stolen and published on the dark web by those who stole it. There has been a breach of the City information system, according to the breach notification letters, which include your personal information, including your first and last name, date of birth, address, bank account information, driver's license number, Social Security number, and other identifying information that may have been included as a result of the incident. 

Although the City has yet to find evidence of the misuse of its data, it warns those affected by this breach to keep a close eye on their credit reports and financial accounts to ensure no suspicious activity is taking place. It is now also offering 24 months of free 24 months of monitoring of credit and identity, provided by Experian IdentityWorks, as well as identity restoration services provided by Experian.
Read more »
User Security
Cyber Attacks Healthcare Sector ransomware attacks threat report User Security

Microsoft: Healthcare Sector Sees 300% Surge in Ransomware Assaults

 

A Microsoft investigation published earlier this week revealed that ransomware attacks on the healthcare sector are rising and threatening lives. 

The report, which uses both internal corporate data and external data, shows a 300% spike in ransomware attacks on the health sector since 2015, as well as an increase in stroke and cardiac arrest cases at hospitals receiving patients from nearby facilities that have been paralysed by similar assaults.

It all amounts to a worrisome pattern that began during the peak of the COVID-19 pandemic, when certain ransomware gangs pledged not to attack the healthcare industry. 

“That [pledge has] been shoved off the table, unfortunately, and we are seeing a broader targeting of everything that has to do with health care, from hospital systems to clinics to doctors’ offices — really, anything where patient care can be impacted,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, stated. “Threat actors know people’s lives are at stake, and therefore the organization is more likely to pay.” 

According to Microsoft's second-quarter 2024 data, health care is one of the top ten most targeted sectors, with an average payment of $4.4 million reported in a survey of health care organisations. Additionally, Microsoft analysts believe Iranian gangs are mostly targeting healthcare organisations. 

A research published last year discovered that ransomware attacks on hospitals have a spillover effect, with unaffected institutions seeing an increase in patients, resulting in stroke cases soaring by 113% and cardiac arrest cases reaching 81%. Those cardiac arrest instances also had lower survival rates. 

“We know that these types of incidents have impacts on many of the technologies, such as CT scanners or laboratory machines that are used to take care of patients suffering from things like heart attack, stroke or sepsis,” Jeff Tully, co-director and of the University of California San Diego Center for Healthcare Cybersecurity and co-author of that study, noted. “And we know that there are delays in our ability to care for these patients during these types of down times.” 

Tully stated that the centre was working on developing a ransomware response playbook for health care organisations, but DeGrippo emphasised the need of creating resilience to survive an assault when it occurs.
Read more »
Subscribe to: Posts (Atom)