Ransomware Gangs Actively Recruiting Pen Testers: Insights from Cato Networks' Q3 2024 Report

 

Cybercriminals are increasingly targeting penetration testers to join ransomware affiliate programs such as Apos, Lynx, and Rabbit Hole, according to Cato Networks' Q3 2024 SASE Threat Report, published by its Cyber Threats Research Lab (CTRL).

The report highlights numerous Russian-language job advertisements uncovered through surveillance of discussions on the Russian Anonymous Marketplace (RAMP). Speaking at an event in Stuttgart, Germany, on November 12, Etay Maor, Chief Security Strategist at Cato Networks, explained: "Penetration testing is a term from the security side of things when we try to reach our own systems to see if there are any holes. Now, ransomware gangs are hiring people with the same level of expertise - not to secure systems, but to target systems."

He further noted, "There's a whole economy in the criminal underground just behind this area of ransomware."

The report details how ransomware operators aim to ensure the effectiveness of their attacks by recruiting skilled developers and testers. Maor emphasized the evolution of ransomware-as-a-service (RaaS), stating, "[Ransomware-as-a-service] is constantly evolving. I think they're going into much more details than before, especially in some of their recruitment."

Cato Networks' team discovered instances of ransomware tools being sold, such as locker source code priced at $45,000. Maor remarked: "The bar keeps going down in terms of how much it takes to be a criminal. In the past, cybercriminals may have needed to know how to program. Then in the early 2000s, you could buy viruses. Now you don't need to even buy them because [other cybercriminals] will do this for you."

AI's role in facilitating cybercrime was also noted as a factor lowering barriers to entry. The report flagged examples like a user under the name ‘eloncrypto’ offering a MAKOP ransomware builder, an offshoot of PHOBOS ransomware.

The report warns of the growing threat posed by Shadow AI—where organizations or employees use AI tools without proper governance. Of the AI applications monitored, Bodygram, Craiyon, Otter.ai, Writesonic, and Character.AI were among those flagged for security risks, primarily data privacy concerns.

Cato CTRL also identified critical gaps in Transport Layer Security (TLS) inspection. Only 45% of surveyed organizations utilized TLS inspection, and just 3% inspected all relevant sessions. This lapse allows attackers to leverage encrypted TLS traffic to evade detection.

In Q3 2024, Cato CTRL noted that 60% of CVE exploit attempts were blocked within TLS traffic. Prominent vulnerabilities targeted included Log4j, SolarWinds, and ConnectWise.

The report is based on the analysis of 1.46 trillion network flows across over 2,500 global customers between July and September 2024. It underscores the evolving tactics of ransomware gangs and the growing challenges organizations face in safeguarding their systems.

Vice Society Shifts to Inc Ransomware in Latest Healthcare Cyberattack

 

Ransomware incidents are increasing, with a recent attack targeting American healthcare institutions by a well-known cybercrime group.

Vice Society, tracked by Microsoft as Vanilla Tempest, has been active since July 2022. This Russian-speaking group has utilized various ransomware strains in its double extortion tactics, including BlackCat, Hello Kitty, Quantum Locker, Rhysida, Zeppelin (including a custom version), and its own proprietary ransomware.

In a series of updates on X, the Microsoft Threat Intelligence Center (MSTIC) highlighted the group's latest weapon: Inc ransomware.

"Vanilla Tempest is one of the most active ransomware operators that MSTIC monitors," said Jeremy Dallman, MSTIC's senior director of threat intelligence. "While they have been targeting healthcare for some time, their recent adoption of the Inc ransomware payload marks a significant shift as they increasingly engage with the broader ransomware-as-a-service (RaaS) ecosystem."

Although Vice Society targets multiple industries, including IT and manufacturing, it is primarily known for its campaigns against education and healthcare. This aligns with broader cybersecurity trends. According to Check Point Research, healthcare remains the most frequently targeted sector by ransomware. In fact, healthcare organizations worldwide face an average of 2,018 attacks per week, representing a 32% increase compared to the previous year.

Cindi Carter, Check Point's CISO for the Americas, explains the appeal to cybercriminals. "Healthcare organizations are often plagued by outdated legacy technology and bureaucratic hurdles, making them easy targets. Additionally, the data these organizations collect is highly valuable," she states. "A medical record is one of the most identifiable pieces of digital information about a person, second only to a fingerprint."

In its recent healthcare exploits, Vice Society gained initial access through systems already compromised by the Gootloader backdoor. The group subsequently deployed tools such as the Supper backdoor, AnyDesk’s remote monitoring software, and MEGA’s data synchronization service—both legitimate products. They utilized Remote Desktop Protocol (RDP) for lateral movement and exploited Windows Management Instrumentation (WMI) to drop Inc ransomware within infected networks.

Inc ransomware has been operational since last summer, making headlines for attacking large organizations, including Xerox and Scotland's National Health Service (NHS). Jason Baker, a threat intelligence consultant with GuidePoint Security, notes that the organized nature of Inc ransomware affiliates sets them apart.

"The most distinct aspect of Inc affiliates is their systematic approach during the negotiation process," Baker says, drawing from his own experiences. "They don’t make off-the-cuff remarks or resort to empty threats. Everything is methodical."

Baker likens it to the difference between a well-planned bank robbery and a spontaneous street mugging. "You can tell when someone has put serious thought into their attack and knows exactly what they're doing," he adds.

According to a report from Dark Reading, Inc’s malware recently leaked details about its encryption methods, potentially giving defenders an advantage. However, Baker warns that the reality is far more nuanced, especially in the healthcare sector.

"If an organization realizes it can recover data without needing a decryptor, it reduces their incentive to pay the ransom," he explains. "But the situation becomes more complex in double extortion scenarios, especially when sensitive personally identifiable health information (PHI) or intellectual property is involved. That’s why double extortion remains effective—it adds pressure, even if recovery is possible."

RansomHub Ransomware Targets VMware ESXi Environments with Specialized Encryptor

 

The RansomHub ransomware operation is now employing a Linux encryptor specifically designed to target VMware ESXi environments during corporate attacks.

Launched in February 2024, RansomHub operates as a ransomware-as-a-service (RaaS) with connections to ALPHV/BlackCat and Knight ransomware. The group has claimed over 45 victims across 18 countries.

Since early May, both Windows and Linux RansomHub encryptors have been confirmed. Recently, Recorded Future reported that the group also possesses an ESXi variant, first observed in April 2024. Unlike the Windows and Linux versions written in Go, the ESXi encryptor is a C++ program, likely evolved from the now-defunct Knight ransomware.

Interestingly, Recorded Future identified a bug in the ESXi variant that defenders can exploit to cause the encryptor to enter an endless loop, thereby evading encryption.

Enterprises widely use virtual machines to manage their servers due to their efficient CPU, memory, and storage resource management. Consequently, many ransomware gangs have developed dedicated VMware ESXi encryptors to target these environments. RansomHub's ESXi encryptor supports various command-line options, including setting execution delays, specifying VMs to exclude from encryption, and targeting specific directory paths. 

The encryptor features ESXi-specific commands such as 'vim-cmd vmsvc/getallvms' and 'vim-cmd vmsvc/snapshot.removeall' for snapshot deletion, and 'esxcli vm process kill' for shutting down VMs. It also disables syslog and other critical services to hinder logging and can delete itself after execution to evade detection and analysis.
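As an added example (not from the Recorded Future report or this blog), the shell function below triages a log of executed commands for the ESXi commands listed above. The log layout and sample lines are constructed assumptions; VM enumeration alone is treated as routine, while snapshot removal together with VM process kills raises an alert.

```shell
#!/bin/sh
# Added example: triage a log of executed commands for the ESXi commands the
# article lists. The log format is an assumption, not a documented layout.

# Count lines in file $1 containing fixed string $2 (prints 0 when none).
count_hits() {
    grep -F -c -- "$2" "$1" || true
}

# Print "<verdict> enum=N snap=N kill=N" for log file $1.
#   alert  : snapshot removal AND VM process kill both present
#   review : only one of the two destructive commands present
#   clean  : neither present (VM enumeration alone is routine admin activity)
scan_esxi_log() {
    log="$1"
    [ -r "$log" ] || { echo "unreadable"; return 0; }
    enum=$(count_hits "$log" 'vim-cmd vmsvc/getallvms')
    snap=$(count_hits "$log" 'vim-cmd vmsvc/snapshot.removeall')
    kills=$(count_hits "$log" 'esxcli vm process kill')
    if [ "$snap" -gt 0 ] && [ "$kills" -gt 0 ]; then verdict=alert
    elif [ "$snap" -gt 0 ] || [ "$kills" -gt 0 ]; then verdict=review
    else verdict=clean
    fi
    echo "$verdict enum=$enum snap=$snap kill=$kills"
}

# Constructed sample log (timestamps, IDs and layout are made up).
write_sample_log() {
    cat > "$1" <<'EOF'
2024-06-20T02:14:07Z shell[2101234]: [root]: vim-cmd vmsvc/getallvms
2024-06-20T02:14:09Z shell[2101234]: [root]: vim-cmd vmsvc/snapshot.removeall 12
2024-06-20T02:14:10Z shell[2101234]: [root]: vim-cmd vmsvc/snapshot.removeall 13
2024-06-20T02:14:12Z shell[2101234]: [root]: esxcli vm process kill --type=force --world-id=67890
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
scan_esxi_log "$sample"
rm -f "$sample"
```

Because the article notes that the encryptor disables syslog, run this over a copy of the logs forwarded off the host rather than the host's own files.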

The encryption scheme uses ChaCha20 with Curve25519 for key generation and targets ESXi-related files like '.vmdk,' '.vmx,' and '.vmsn' with intermittent encryption for faster performance. Specifically, it encrypts only the first megabyte of files larger than 1MB, repeating encryption blocks every 11MB. A 113-byte footer is added to each encrypted file containing the victim's public key, ChaCha20 nonce, and chunks count. The ransom note is written to '/etc/motd' (Message of the Day) and '/usr/lib/vmware/hostd/docroot/ui/index.html' to make it visible on login screens and web interfaces.

Recorded Future analysts discovered that the ESXi variant uses a file named '/tmp/app.pid' to check for an existing instance. If this file contains a process ID, the ransomware attempts to kill that process and then exits. However, if the file contains '-1,' the ransomware enters an infinite loop, trying to kill a non-existent process, thus neutralizing itself.

This means organizations can create a /tmp/app.pid file containing '-1' to protect against the RansomHub ESXi variant, at least until the RaaS operators fix the bug and release updated versions for their affiliates.
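The workaround above as a shell function, added here as an example and not taken from the report: it writes the '-1' marker only when the file is absent and never overwrites existing content. The function name, status words and return codes are this example's own.

```shell
#!/bin/sh
# Added example: place the '-1' marker file described in the article.
PID_FILE_DEFAULT=/tmp/app.pid   # path named in the article

# ensure_pid_guard [path]
# Prints one status word and returns:
#   created    (0)  file was absent and now contains -1
#   present    (0)  file already contains -1
#   failed     (1)  file could not be written
#   unexpected (2)  file holds something else; left untouched for review
#   symlink    (3)  path is a symlink; refused so the write cannot be redirected
ensure_pid_guard() {
    f="${1:-$PID_FILE_DEFAULT}"
    if [ -L "$f" ]; then
        echo "symlink"; return 3
    fi
    if [ -e "$f" ]; then
        cur=$(cat "$f" 2>/dev/null || true)
        if [ "$cur" = "-1" ]; then
            echo "present"; return 0
        fi
        echo "unexpected"; return 2
    fi
    if printf '%s\n' '-1' > "$f" 2>/dev/null; then
        echo "created"; return 0
    fi
    echo "failed"; return 1
}

# Only touch the real path when explicitly asked: sh pid_guard.sh apply
if [ "${1:-}" = "apply" ]; then
    ensure_pid_guard
fi
```

On ESXi, /tmp is a RAM disk, so the marker has to be re-applied after each reboot.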

Encina Wastewater Authority Reportedly Targeted by BlackByte Ransomware

Carlsbad, California – Encina Wastewater Authority (EWA) has become the latest target of the notorious BlackByte ransomware group. The group, known for its aggressive tactics, has hinted at a cyberattack on EWA's platform, suggesting the potential sale of sensitive company documents obtained during the intrusion.

Despite BlackByte's claims, EWA's website, http://encinajpa.com, remains operational without immediate signs of intrusion. However, cybersecurity experts speculate that the threat actor may have infiltrated the organization's backend systems or databases rather than launching a visible front-end attack like a distributed denial-of-service (DDoS) assault.

Encina Wastewater Authority serves over 379,000 residents and businesses across North San Diego County, playing a crucial role in wastewater treatment, resource recovery, and environmental protection for public health and regional water sustainability.

The Cyber Express has reached out to Encina Wastewater Authority for clarification on the alleged cyberattack. As of writing, no official statement or response has been issued by the organization, leaving the claims unconfirmed. The BlackByte ransomware group has also shared sample documents as evidence of the attack and is offering to sell or remove them via email.

BlackByte has been a concern for cybersecurity agencies since its emergence in July 2021, targeting critical infrastructure and gaining attention from the Federal Bureau of Investigation (FBI) and the US Secret Service (USS). Despite mitigation efforts, such as the release of a decrypter by Trustwave in October 2021, BlackByte continues to evolve its tactics and persists in targeting organizations worldwide through a ransomware-as-a-service (RaaS) model.

The situation regarding the alleged cyberattack on Encina Wastewater Authority will be closely monitored by The Cyber Express, and updates will be provided as more information becomes available or any official statement from the organization is issued.

RansomHouse Gang Streamlines VMware ESXi Attacks Using Latest MrAgent Tool

 

RansomHouse, a ransomware group known for its double extortion tactics, has developed a new tool named 'MrAgent' to facilitate the widespread deployment of its data encrypter on VMware ESXi hypervisors.

Since its emergence in December 2021, RansomHouse has been targeting large organizations, although it hasn't been as active as some other notorious ransomware groups. Nevertheless, it has been employing sophisticated methods to infiltrate systems and extort victims.

ESXi servers are a prime target for ransomware attacks due to their role in managing virtual computers containing valuable data for businesses. Disrupting these servers can cause significant operational damage, impacting critical applications and services like databases and email servers.

Researchers from Trellix and Northwave have identified a new binary associated with RansomHouse attacks, designed specifically to streamline the process of targeting ESXi systems. This tool, named MrAgent, automates the deployment of ransomware across multiple hypervisors simultaneously, compromising all managed virtual machines.

MrAgent is highly configurable, allowing attackers to customize ransomware deployment settings received from the command and control server. This includes tasks such as setting passwords, scheduling encryption events, and altering system messages to display ransom notices.

By disabling firewalls and terminating non-root SSH sessions, MrAgent aims to minimize detection and intervention by administrators while maximizing the impact of the attack on all reachable virtual machines.

Trellix has identified a Windows version of MrAgent, indicating RansomHouse's efforts to broaden the tool's reach and effectiveness across different platforms.

The automation of these attack steps underscores the attackers' determination to target large networks efficiently. Defenders must remain vigilant and implement robust security measures, including regular updates, access controls, network monitoring, and logging, to mitigate the threat posed by tools like MrAgent.