A Russian man identified by KrebsOnSecurity in January 2022 as a prolific and vocal member of several top ransomware groups was the subject of two indictments unsealed by the Justice Department today. U.S. prosecutors say Mikhail Pavlovich Matveev, a.k.a. “Wazawaka” and “Boriselcin,” worked with three different ransomware gangs that extorted hundreds of millions of dollars from companies, schools, hospitals and government agencies.

An FBI wanted poster for Matveev.

Indictments returned in New Jersey and the District of Columbia allege that Matveev was involved in a conspiracy to distribute ransomware from three different strains or affiliate groups, including Babuk, Hive and LockBit.

The indictments allege that on June 25, 2020, Matveev and his LockBit co-conspirators deployed LockBit ransomware against a law enforcement agency in Passaic County, New Jersey. Prosecutors say that on May 27, 2022, Matveev conspired with Hive to ransom a nonprofit behavioral healthcare organization headquartered in Mercer County, New Jersey. And on April 26, 2021, Matveev and his Babuk gang allegedly deployed ransomware against the Metropolitan Police Department in Washington, D.C.

Meanwhile, the U.S. Treasury Department has sanctioned Matveev, adding him to the list of persons with whom it is illegal for U.S. persons to transact financially. The U.S. State Department is also offering a reward of up to $10 million for information leading to his arrest and/or conviction, although he is unlikely to face either as long as he continues to reside in Russia.

In a January 2021 discussion on a top Russian cybercrime forum, Matveev’s alleged alter ego Wazawaka said he had no plans to leave the protection of “Mother Russia,” and that traveling abroad was not an option for him.

“Mother Russia will help you,” Wazawaka concluded. “Love your country, and you will always get away with everything.”

In January 2022, KrebsOnSecurity published Who is the Network Access Broker ‘Wazawaka,’ which followed clues from Wazawaka’s many pseudonyms and contact details on the Russian-language cybercrime forums back to a 33-year-old Mikhail Matveev from Abaza, RU (the FBI says his date of birth is Aug. 17, 1992).

A month after that story ran, a man who appeared identical to the social media photos for Matveev began posting on Twitter a series of bizarre selfie videos in which he lashed out at security journalists and researchers (including this author), while using the same Twitter account to drop exploit code for a widely-used virtual private networking (VPN) appliance.

“Hello Brian Krebs! You did a really great job actually, really well, fucking great — it’s great that journalism works so well in the US,” Matveev said in one of the videos. “By the way, it is my voice in the background, I just love myself a lot.”

Prosecutors allege Matveev used a dizzying stream of monikers on the cybercrime forums, including “Boriselcin,” a talkative and brash personality who was simultaneously the public persona of Babuk, a ransomware affiliate program that surfaced on New Year’s Eve 2020.

Previous reporting here revealed that Matveev’s alter egos included “Orange,” the founder of the RAMP ransomware forum. RAMP stands for “Ransom Anon Market Place,” and analysts at the security firm Flashpoint say the forum was created “directly in response to several large Dark Web forums banning ransomware collectives on their site following the Colonial Pipeline attack by ransomware group ‘DarkSide.’”

As noted in last year’s investigations into Matveev, his alleged cybercriminal handles all shared a uniquely communitarian view: when organizations being held for ransom decline to cooperate or pay up, any data stolen from the victim should be published on the Russian cybercrime forums for all to plunder, not privately sold to the highest bidder.

In thread after thread on the crime forum XSS, Matveev’s alleged alias “Uhodiransomwar” could be seen posting download links to databases from companies that had refused to negotiate after five days.

Matveev is charged with conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers. If convicted, he faces more than 20 years in prison.

Further reading:

Who is the Network Access Broker “Wazawaka?”

Wazawaka Goes Waka Waka

The New Jersey indictment against Matveev (PDF)

The indictment from the U.S. attorney’s office in Washington, D.C. (PDF)

In what comes as a surprise to criminals operating online, the website that served as the data leak platform for the Hive ransomware gang now appears to be under the control of U.S. law enforcement.

According to the notice displayed on the site, the domain has been seized and its operations shut down in a coordinated operation by the Department of Justice, the FBI, the Secret Service, Europol and law enforcement agencies from several European countries. The notice also references the seizure warrant obtained by the U.S. Attorney’s Office for the Middle District of Florida.

As for Hive itself, the operation is little more than a year old, yet by July 2022 it had climbed to third place among the most active ransomware groups, and it is reportedly affiliated with the now-defunct Conti gang.

Microsoft security researchers attributed to Hive the attack that crippled the healthcare and computer networks of Costa Rica’s Social Security Fund (CCSS); the country’s president had declared a national emergency over ransomware attacks shortly before.

NOTE 1- The UK NCSC has warned that Russia-based Seaborgium and Iran-based TA453 are conducting spear-phishing campaigns against government organizations, defence companies, NGOs, activists and journalists, with the activity reported over the past three months.

NOTE 2- The Conti ransomware gang is now defunct: the criminals who ran it split up in May 2022 and re-formed into smaller groups that distribute ransomware and spyware.


The post Hive Ransomware gang website seized by FBI and Europol appeared first on Cybersecurity Insiders.

The first is a joint advisory from the FBI and CISA on the earnings of the Hive ransomware group: the agencies say the gang extorted more than $100 million from over 1,300 victims in the roughly 15 months since June 2021. The victims include government organizations, communications companies, IT businesses and healthcare providers.

Second is Microsoft’s report on the newly identified Royal ransomware, first detected in August 2022. The Microsoft Security Threat Intelligence team said in its latest post that the criminals behind it used Google Ads in one of their malware-distribution campaigns, and that the victims include a well-known motor racing circuit in the United Kingdom.

Microsoft says it discovered the malvertising campaign in October this year, when the group it tracks as DEV-0569 was seen redirecting users to websites hosting malicious downloads.

Microsoft informed Google of the abuse early this month, and the Alphabet Inc. subsidiary took measures to curtail the malicious ads without affecting its normal ad traffic.

Third is the news that the UK’s COBRA meetings have lately been devoted to ransomware incidents rather than to other emergencies. The Cabinet Office Briefing Rooms (COBR) were previously convened mainly to discuss terrorist attacks; now the focus is on ransomware and how victims should handle it.

Ironically, the COBRA meetings were linked to the Whitehall ransomware ‘Sprint’, which was supposed to conclude by December last year, with its recommendations to be discussed at the G7 at the end of 2021. The government failed to turn the Sprint into an actionable plan, and the project now seems jinxed.


The post Ransomware Attack news headlines trending on Google appeared first on Cybersecurity Insiders.

First is the news that Hive ransomware hit the New York Racing Association (NYRA) on June 30 this year, disrupting IT services including the website. The records accessed by the attackers include health information, health insurance records, Social Security numbers and driver’s license numbers of customers. NYRA says it will not entertain the hackers’ ransom demands and will rebuild the locked-up database using the data continuity plan it already has in place.

Second is the news that the China-linked SparklingGoblin threat group has developed a Linux variant of its SideWalk backdoor, previously seen only on Windows. The group is also tracked as Earth Baku and is connected to the APT41 cyberespionage group.

Third, VMware and Microsoft have both issued warnings about ChromeLoader, a malware family that has grown into a major threat in recent months. Attackers use it to hijack browsers for advertising and affiliate fraud.

Fourth is the news that the Lorenz ransomware gang is exploiting a critical vulnerability in Mitel MiVoice VoIP appliances to infiltrate corporate networks through these internet-exposed phone systems. Arctic Wolf Labs was the first to detect the technique, which it now attributes to Lorenz. Mitel had acknowledged the vulnerability and released patches for it earlier this year.

Fifth is the news about TeamTNT, which was thought to be defunct since November 2021. Researchers at Aqua Security (AquaSec) have found the group back in action, spreading malware that uses the computing power of compromised servers to run a Bitcoin ‘solver’ that attempts to break the SECP256K1 elliptic-curve cryptography behind Bitcoin keys.

Last is the news about the Russia-Ukraine war. Researchers at Recorded Future have discovered that the Russian hacking group Sandworm has strategically planted eavesdropping malware on some Ukrainian telecom providers to gather intelligence.

Sandworm, which the U.S. government links to Russia’s GRU military intelligence, has conducted many cyber-attacks on Ukraine’s critical infrastructure, including the botnet dubbed ‘Cyclops Blink’.

Having failed to take down that infrastructure outright, the group appears to have turned to new malware installed on the networks of telecom firms serving the Ukrainian population. The aim is presumably to eavesdrop on communications and gather information that can be used in the war against Kyiv.


The post Malware related news headlines trending on Google appeared first on Cybersecurity Insiders.

The first news headline trending on Google concerns Costa Rican government websites. Costa Rica’s public health system was recently targeted by Hive ransomware, just days after the earlier attack by the Conti ransomware group.

Going deeper into the details, the website of the Costa Rican Social Security Fund (CCSS) has been taken down after its databases were hit by the Hive ransomware group. Hive is reported to have encrypted around 30 of the agency’s 1,500 servers, and the estimated recovery time is unknown.

The disruption has reportedly hit vaccination and Covid-19 testing services hard.

Previously, Conti demanded $23 million to decrypt the data it had locked; this time Hive is demanding $11 million not to publish the data it stole before encrypting it.

Second is the news concerning the Switzerland-based pharmaceutical company Novartis. A little-known hacking group named Industrial Spy claims to have siphoned critical data from the company’s R&D servers and is demanding $500,000 in Bitcoin to return it; otherwise, it warns, it will sell the data on the dark web to interested parties.

Novartis, however, says the data held by Industrial Spy is not sensitive and has assured that it is taking adequate steps to prevent such incidents in the future.

The third item concerns Microsoft. The software giant says it has blocked cyber attacks on Israeli firms by a hacking group named ‘Polonium’, which it links to Iran’s Ministry of Intelligence and Security.

Reports say Polonium was abusing around 20 OneDrive accounts in its operations against Israeli companies; once Microsoft received complaints, its investigation found that Polonium had links to Tehran and was acting on its instructions.

Interestingly, those working for Polonium are based in Lebanon and have been consistently targeting Israeli businesses on behalf of Iran’s Ministry of Intelligence and Security (MOIS).


The post Cyber Attack news headlines trending on Google appeared first on Cybersecurity Insiders.

Vulnerabilities in Microsoft Exchange Server are letting attackers deploy Hive ransomware along with other backdoors, including Cobalt Strike Beacon, with payloads capable of stealing cryptocurrency from wallets and installing crypto-mining software.

The entry point is the ProxyShell set of security flaws: once the threat actors exploit them, they perform network reconnaissance and download further payloads.

Security analytics firm Varonis uncovered the details of Hive ransomware being deployed via Microsoft Exchange servers while investigating an incident for one of its customers. Its researchers found that the gang planted four web shells in an accessible Exchange directory and then ran PowerShell code to evade detection by threat monitoring tools. Of the four web shells, three were taken from a public Git repository and one was sourced from the wild.

Previously, threat actors behind Conti, BlackByte, Babuk, Cuba and LockFile used the ProxyShell vulnerabilities to steal information from their victims and then lock down their databases with encryption.

Microsoft fixed these vulnerabilities in its April and May 2021 security updates. But according to the new findings from Varonis, the Hive ransomware gang is again exploiting the flaws, tracked as CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207, which carry severity scores ranging from 8.3 (High) to 9.8 (Critical).
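The chain described above (a ProxyShell request to the Exchange front end, then web shells dropped as .aspx files) leaves traces in the IIS W3C logs on the Exchange server. The Python below is an added example for this article, not code from the article, from Varonis or from Microsoft: it parses constructed IIS log lines, flags the autodiscover path-confusion pattern that ProxyShell exploitation uses to reach backend endpoints such as /mapi/nspi and /powershell, flags the X-Rps-CAT token that accompanies PowerShell backend access, and reports requests to .aspx files in directories where web shells are commonly dropped. The log excerpt, the attacker host evil.example, the token value and the allow-list of legitimate .aspx pages are assumptions made for the example, and the request pattern it matches goes beyond what the article itself spells out.

```python
"""Spot ProxyShell exploitation and web-shell hits in Exchange IIS W3C logs.

Added example for this article; not code from the article, Varonis or Microsoft.
The sample log, the attacker host evil.example, the X-Rps-CAT value and the
allow-list of legitimate .aspx pages are constructed assumptions.
"""
from urllib.parse import unquote

# Constructed IIS W3C log excerpt, not a real capture. Fields follow the
# default W3C layout; IIS replaces spaces inside values with '+', so every
# entry is one whitespace-separated token.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-03-29 10:01:12 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 198.51.100.7 Mozilla/5.0 200
2022-03-29 10:01:40 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 198.51.100.7 python-requests/2.25 200
2022-03-29 10:02:03 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dz&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 198.51.100.7 python-requests/2.25 200
2022-03-29 10:05:11 10.0.0.5 GET /aspnet_client/system_web/error_page.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2022-03-29 10:06:00 10.0.0.5 GET /ecp/default.aspx - 443 DOMAIN\\alice 10.0.1.22 Mozilla/5.0 200
"""

# Backend endpoints reached through the autodiscover path confusion.
BACKEND_TARGETS = ("/mapi/nspi", "/powershell", "/ews/", "/ecp/")
# Directories where post-exploitation web shells are commonly dropped.
WEBSHELL_DIRS = ("/aspnet_client/", "/owa/auth/")
# Assumption: legitimate pages under those directories. Build this list from a
# clean reference server in practice; file names alone are not trustworthy.
KNOWN_GOOD_ASPX = {"/owa/auth/logon.aspx", "/owa/auth/logoff.aspx", "/owa/auth/errorfe.aspx"}


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):  # skip malformed entries rather than guess
            continue
        yield dict(zip(fields, parts))


def classify(entry):
    """Return the list of rule names the entry triggers (empty if benign)."""
    stem = entry.get("cs-uri-stem", "").lower()
    raw_query = entry.get("cs-uri-query", "")
    # IIS logs '-' for an empty query; decode twice to catch %253F-style nesting.
    query = "" if raw_query == "-" else unquote(unquote(raw_query)).lower()
    hits = []
    # CVE-2021-34473: the '@host' in the query makes the front end route the
    # request to an arbitrary backend path.
    if (stem.endswith("/autodiscover/autodiscover.json") and "@" in query
            and any(target in query for target in BACKEND_TARGETS)):
        hits.append("proxyshell-path-confusion")
    # X-Rps-CAT carries the serialized access token for the PowerShell backend
    # (CVE-2021-34523). It is normally added by the front end when proxying,
    # so a client supplying it in the URL is abnormal.
    if "x-rps-cat=" in query:
        hits.append("rps-cat-token")
    # Any .aspx in a web-shell drop directory that is not a known page.
    if (stem.endswith(".aspx") and stem.startswith(WEBSHELL_DIRS)
            and stem not in KNOWN_GOOD_ASPX):
        hits.append("unexpected-aspx")
    return hits


def scan_iis_log(text):
    """Return (timestamp, client_ip, rule, uri_stem) for every suspicious entry."""
    findings = []
    for entry in parse_w3c(text):
        for rule in classify(entry):
            findings.append((f"{entry['date']} {entry['time']}", entry["c-ip"],
                             rule, entry["cs-uri-stem"]))
    return findings


if __name__ == "__main__":
    for ts, ip, rule, stem in scan_iis_log(SAMPLE_IIS_LOG):
        print(f"{ts}  {ip:<15} {rule:<26} {stem}")
```

To run this against a real server, pass the contents of the IIS log files for the Default Web Site to scan_iis_log(). Treat a hit as a prompt for investigation (file hash, creation time, child processes of the IIS worker process) rather than proof of compromise, and note that a server patched against ProxyShell still logs the malicious requests; the absence of 200 responses to them, not the absence of the requests, is what indicates the patch held.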

Note- Since the FBI first observed it in June 2021, Hive has become one of the most active ransomware operations by attack frequency. CISA, together with the Federal Bureau of Investigation (FBI), issued a dedicated report last year on Hive’s tactics and indicators of compromise.


The post Hive Ransomware deployed on Microsoft Exchange Servers appeared first on Cybersecurity Insiders.

1.) The notorious Hive ransomware group has published details of 850,000 patient records belonging to Partnership HealthPlan of California and says a portion of the data will be sold on the dark web if the healthcare provider does not bow to its ransom demands.

In its incident response, Partnership HealthPlan of California says it has set up a Gmail address for patients to contact and that a team of experts has been brought in to investigate the incident.

A press update from the company states that information such as email addresses, Social Security numbers and physical addresses of over 850,000 people was stolen by the Hive hackers, and that all measures are being taken to stop them from posting the 400 GB of data on the dark web.

2.) The Conti ransomware group has announced on the dark web that it targeted servers belonging to Shutterfly, an online store for photography-related products and services.

The incident reportedly occurred in December 2021, with the threat actors gaining access to the network via a Windows domain controller.

The online tech news site BleepingComputer reported that the Conti gang encrypted over 4,000 devices and 120 VMware ESXi servers holding Shutterfly’s data.

3.) Third, the SunCrypt ransomware group, which uses the triple-extortion tactics of file encryption, threats to post data online and DDoS attacks against victims who fail to pay, is back in business and slowly picking up pace in 2022. Security firm Minerva Labs confirms this and adds that the group is targeting only large enterprises and keeping its ransom negotiations anonymous to stay off the radar of law enforcement agencies.

4.) Last but not least is information on how fast ransomware encrypts files. Researchers from Splunk found that, across the families they tested, it typically took about 5 minutes 50 seconds to encrypt 100,000 files. The measured times per family were:
LockBit (fastest): 4 minutes 9 seconds for over 100 GB of data
Babuk: 6 minutes 34 seconds for 100 GB
Avaddon: 13 minutes 14 seconds for 100 GB
Ryuk: 14 minutes 30 seconds
REvil: 24 minutes 16 seconds
BlackMatter: about 45 minutes
DarkSide (the group behind the Colonial Pipeline attack): 47 minutes
Conti: 59 minutes 23 seconds for 54 GB of data
Maze and PYSA (slowest): over 109 minutes for 50 GB of data


The post Ransomware news headlines trending on Google appeared first on Cybersecurity Insiders.