Ransomware attacks are among the most perilous threats facing individuals and organizations today. They lock or encrypt critical files, rendering them inaccessible until a ransom is paid. Despite paying the ransom, there are situations where the provided decryptor fails to restore your files. If you find yourself in this unfortunate scenario, here’s a comprehensive guide on what steps to take:

1. Verify the Problem
Before taking further action, ensure that the decryptor is indeed malfunctioning. Verify that:
    • You are using the correct decryptor for the ransomware variant that infected your system.
    • The decryption process was followed accurately, according to the instructions provided by the attacker.
    • The files were correctly targeted by the decryptor and were not damaged or corrupted in the process.
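One way to carry out the third check above, as an added example rather than anything from the original article: a script that walks the directory the decryptor was run against and flags files that still look encrypted. The magic-byte table, the entropy threshold and the `.locked`-style suffix list are assumptions chosen for the demo, and the sample files are constructed in a temporary directory.

```python
"""Post-decryption sanity check: flag files that still look encrypted.

Three signals are used: a leftover ransomware-style extension, a header that
does not match the magic bytes expected for the extension, and Shannon
entropy near 8 bits/byte (typical of ciphertext). Runs offline on sample data.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: a small table of well-known magic bytes; extend it for your data.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",  # OOXML documents are zip containers
}
# Types that are legitimately high-entropy because they are compressed.
COMPRESSED = {".png", ".jpg", ".zip", ".docx"}
# Bits per byte above which plain data is suspicious; ciphertext sits near 8.0.
ENTROPY_THRESHOLD = 7.5
# Constructed placeholder suffixes; real variants append their own extensions.
SUSPICIOUS_SUFFIXES = {".locked", ".encrypted", ".enc"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_file(path: Path, sample_size: int = 65536) -> list[str]:
    """Return the reasons this file looks unrestored; an empty list means OK."""
    problems: list[str] = []
    ext = path.suffix.lower()
    if ext in SUSPICIOUS_SUFFIXES:
        problems.append(f"leftover ransomware extension {ext}")
    data = path.read_bytes()[:sample_size]  # the header plus a sample is enough
    if not data:
        return problems + ["zero-length file"]
    expected = MAGIC.get(ext)
    if expected is not None and not data.startswith(expected):
        problems.append(f"header does not match {ext} magic bytes")
    entropy = shannon_entropy(data)
    if ext not in COMPRESSED and entropy > ENTROPY_THRESHOLD:
        problems.append(f"entropy {entropy:.2f} bits/byte looks like ciphertext")
    return problems


def scan(root: Path) -> dict[str, list[str]]:
    """Map each flagged file (path relative to root) to its list of problems."""
    flagged = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        problems = check_file(path)
        if problems:
            flagged[str(path.relative_to(root))] = problems
    return flagged


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: one restored PDF, one garbage PDF, one leftover."""
    (root / "report.pdf").write_bytes(b"%PDF-1.7\n" + b"Quarterly figures. " * 200)
    (root / "budget.pdf").write_bytes(os.urandom(4096))        # decryptor output is noise
    (root / "notes.txt.locked").write_bytes(os.urandom(2048))  # never decrypted at all


def run_demo() -> dict[str, list[str]]:
    """Build the sample tree in a temp dir, scan it and return the flagged files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    for name, reasons in run_demo().items():
        print(f"{name}: {'; '.join(reasons)}")
```

Files that pass all three checks are not proven intact; compare them against a known-good copy or open them with their native application before declaring recovery complete.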

2. Consult Cybersecurity Professionals

If the decryptor fails to work, reach out to cybersecurity experts immediately. These professionals can:
    • Analyze the Decryptor: Verify if the decryptor is compatible with your ransomware strain and investigate why it isn’t functioning as expected.
    • Examine the Encrypted Files: Determine if the encryption method has unique characteristics that might require a different approach.
    • Provide Advanced Solutions: Offer alternative methods or tools that might be effective in decrypting your files.

3. Report the Incident
Report the ransomware attack to relevant authorities:
    • Local Law Enforcement: Inform them of the attack, as they may have additional resources or advice.
    • National Cybersecurity Agencies: Many countries have agencies dedicated to handling cybersecurity incidents and can offer support or guidance.
    • Cybercrime Units: Specialized units often work on ransomware cases and may provide assistance or even investigative support.

4. Assess Your Backup Options
Check if you have backups of the affected files. If so, assess the following:
    • Backup Integrity: Ensure the backups are up-to-date and not infected with ransomware.
    • Restore Procedure: Use the backups to restore your files, ensuring that your system is clean before doing so.

5. Evaluate Decryption Alternatives

If the decryptor provided by the attacker fails, consider these alternatives:
    • Decryption Tools from Security Vendors: Sometimes, cybersecurity companies develop decryption tools for specific ransomware strains. Research or consult with professionals to find out if such tools are available.
    • Online Ransomware Communities: Platforms like No More Ransom (nomoreransom.org) offer decryption tools and advice for various ransomware strains. Check if your ransomware variant is listed.

6. Improve Future Security Measures
Learn from the incident and take steps to enhance your cybersecurity posture:
    • Update and Patch Systems: Regularly update software and systems to protect against vulnerabilities exploited by ransomware.
    • Implement Comprehensive Backup Solutions: Use automated and regular backups stored in multiple, secure locations.
    • Educate Yourself and Your Team: Conduct training sessions on recognizing phishing attempts and other ransomware delivery methods.

7. Consider Legal and Financial Advice

In cases where ransomware attacks have significant impacts:

    • Consult Legal Advisors: Understand your legal obligations and rights regarding data breaches and ransomware payments.
    • Seek Financial Counsel: Assess the financial impact of the attack, including the costs of recovery and potential insurance claims.

8. Stay Informed

Ransomware tactics and decryption tools evolve rapidly. Stay informed about the latest developments in cybersecurity to better prepare for and respond to future threats.

Conclusion

Facing a ransomware attack and finding that a decryptor does not work can be an incredibly stressful situation. By taking these steps—verifying the problem, seeking professional help, reporting the incident, exploring backup and decryption alternatives, and enhancing future security measures—you can navigate the aftermath more effectively and safeguard against future threats. Always remember that prevention and preparedness are key to mitigating the impact of such attacks.

The post What to do if a Ransomware Decryptor Doesn’t Work Even After Paying the Ransom appeared first on Cybersecurity Insiders.

As the new academic year unfolds, educational institutions are facing an increasingly alarming threat: ransomware attacks. According to a recent report by Sophos, the rising prevalence of these cyber-attacks is placing significant strain on the IT infrastructure of universities, colleges, and schools, regardless of their size or scope. The report underscores that institutions are grappling with escalating IT costs as they struggle to manage the repercussions of these attacks, which include implementing preventive measures, recruiting skilled personnel to mitigate risks, and recovering from the aftermath.

The “State of Ransomware in Education 2024” report reveals that over 44% of schools across 14 states have been confronted with ransom demands amounting to $5 million or more. Furthermore, approximately 35% of these institutions were required to pay sums exceeding $5 million to regain access to their encrypted data. Although the report does not specify how many institutions ultimately complied with these demands, it does highlight that the largest ransom paid by an educational entity reached a staggering $6.6 million.

On a slightly positive note, the frequency of ransomware attacks in 2024 appears to be lower compared to the previous year, despite the fact that the current year still has four months remaining. However, the report also highlights a concerning trend: the time required for data recovery has increased. Attackers are not only targeting educational institutions’ networks but are also disrupting their backup systems, which significantly hampers efforts to maintain business continuity.

Sophos security experts attribute the surge in ransomware attacks to the vulnerabilities within educational networks and the susceptibility of staff to phishing schemes. These attacks often exploit compromised credentials, leading to broader network breaches and data theft. The report also warns that advanced, AI-driven ransomware attacks could pose even greater risks if institutions fail to allocate sufficient resources towards cybersecurity measures, including hiring specialized talent and investing in robust hardware and software.

In summary, the rising threat of ransomware in education underscores the urgent need for institutions to bolster their cybersecurity defenses, adopt proactive measures, and invest adequately in technology and expertise to safeguard their data and operations.

The post Ransomware attacks are driving up costs to millions of dollars for schools and educational institutions appeared first on Cybersecurity Insiders.

Ransomware attacks are increasingly affecting organizations worldwide, with no country or sector remaining completely shielded. According to a recent study by Trustwave SpiderLabs, businesses in the United States were particularly targeted by ransomware in 2024, with a notable concentration of attacks on the financial sector, including banks and credit unions.

The frequency of these attacks surged by 64% this year, up from 51% last year. Brazil and Canada followed as the second and third most affected countries, respectively.

The Trustwave SpiderLabs report identifies two prominent Russian cybercrime groups, LockBit and ALPHV (also known as BlackCat), as the primary perpetrators targeting the IT infrastructure of financial institutions. These groups are at the forefront of ransomware attacks, exploiting vulnerabilities in the financial sector.

Double extortion tactics have also become more sophisticated. For example, the BlackCat group targeted Change Healthcare with malware, while another group, RansomHub, threatened to release stolen data from the same healthcare firm if a $22 million ransom was not paid promptly. Subsequent investigations revealed that two groups had collectively hacked into the network of a UnitedHealth subsidiary. Initially, one group achieved financial gain, but when they refused to share the proceeds, the second group directly approached the victim for their cut.

Financial institutions are particularly vulnerable to ransomware due to the vast amount of sensitive data they hold, which can be extremely lucrative for cybercriminals. This has led to several banks and credit unions suffering from extended downtimes and ongoing recovery efforts. For instance, Patelco Credit Union is still grappling with the repercussions of such an attack, struggling to fully mitigate the damage.

The post Ransomware attacks on financial firms in USA increased in 2024 appeared first on Cybersecurity Insiders.

Ransomware attacks typically cause significant disruptions for both public and private sector organizations, often halting operations for days. In a recent incident, however, the Charles Darwin School faced such a severe attack that it had to send students home and declare an extended holiday for the rest of the week.

The cyber attack was detected on Thursday, leading to an immediate decision to close the school for the remainder of the week. Parents were notified that their children would not return to classes until the following week.

Authorities are currently investigating the incident, with initial findings suggesting that a notorious Russian cybercriminal group may be behind the attack. However, conclusive evidence linking the group to the attack is still pending.

The ransomware infection has affected numerous staff devices, causing significant disruption. The IT team is working diligently to clean up and restore data, but the process may take considerable time.

As a precautionary measure, the London-based school has disabled Microsoft 365 on all staff and student devices. Both staff and students have been advised to avoid clicking on any emails from unknown sources to prevent further complications.

In related news, security researchers have recently highlighted a critical vulnerability, CVE-2024-40711, in Veeam Backup and Replication software. This vulnerability poses a risk of data theft and operational downtime. Florian Hauser of Code White and researchers from WatchTowr Labs have confirmed that the flaw is exploitable and could give attackers extensive access to affected systems.

Veeam, a leading provider of data backup and recovery solutions, has released a fix for the vulnerability and is actively informing users about the issue and recommended security measures. The company has also issued updates for Veeam Agent for Linux, Veeam Backup for Nutanix AHV, Veeam Backup for Oracle Linux, Veeam Service Provider Console, and Veeam One to address related issues.

The post Ransomware attack makes school children go home and Veeam Backup Vulnerability appeared first on Cybersecurity Insiders.

Our 4 Essential Strategy Takeaways from the Gartner® 2024 Report – How to Prepare for Ransomware Attacks

As ransomware threats continue to evolve, security and risk management leaders must stay ahead by adopting comprehensive strategies to protect their organizations. The 2024 Gartner report, “How to Prepare for Ransomware Attacks”, provides critical insights into the latest tactics used by bad actors and offers practical solutions on how to fortify defenses.

Below, we highlight our four key strategy takeaways from the report to help your organization prepare for and respond to ransomware attacks.

Adapt to the rise of extortionware

Traditional ransomware tactics are shifting towards extortionware—where attackers steal data and demand payment for its destruction rather than encrypting it. This growing threat emphasizes the need for robust data protection strategies.

According to Gartner: "Extortionware (encryption-free, data theft attack) is a growing tactic being used by bad actors."

This evolution in tactics, which includes the emergence of 21 new ransomware groups in the first half of 2024, as noted in Rapid7’s Ransomware Radar Report, underscores the need for organizations to continuously update their defenses to counter new threats.

Actionable Strategy: Regularly update your threat models and security measures to account for new and emerging ransomware groups. Invest in advanced threat intelligence to stay informed about the latest tactics used by these criminal enterprises.

Strengthen your defenses with advanced detection technologies

This is increasingly important as ransomware attacks are becoming more frequent and sophisticated. Rapid7’s research highlights a 23% increase in ransomware posts on leak sites during the first half of 2024, further emphasizing the growing threat landscape.

We believe Gartner reinforces the importance of detection, stating: "… identity threat detection and response (NDR) tools collect indicators of compromise (IOCs) and events that alert you to anomalous behaviors that could indicate that an attack 'may' be underway."

In addition to these detection tools, Gartner advises that a defense strategy should include Endpoint Protection Platforms (EPPs), EDR, and mobile threat defense (MTD) solutions.

For organizations lacking the necessary in-house expertise or resources, Gartner recommends supplementing EDR with managed services: "If internal teams don’t have the necessary skill set or bandwidth, supplement EDR with managed services (see Market Guide for Managed Detection and Response Services)."

Actionable strategy: Implement and regularly update behavioral-anomaly-based detection technologies. Ensure that your security operations center (SOC) is equipped to respond swiftly to any detected threats.

Rapid7’s Managed Threat Complete, which integrates core MDR functionality with transparency into operations and technology, ensures comprehensive visibility across endpoints, networks, users, and cloud infrastructure. We believe this aligns with the Gartner recommendation to supplement EDR with managed services to enhance your organization’s security posture (see the Gartner Market Guide for Managed Detection and Response Services).

Pay attention to vulnerable targets

While large organizations are often targeted, mid-sized companies are increasingly vulnerable to ransomware attacks. Rapid7’s findings support this, showing that companies with $5 million in annual revenue are being attacked up to five times more often than larger enterprises. These organizations are particularly attractive to attackers due to their valuable data and often less mature security defenses.

Actionable strategy: Mid-sized organizations should prioritize investing in mature cybersecurity defenses, particularly in endpoint protection, identity management, and regular security training for employees.

You can view the Rapid7 Ransomware Radar Report here.

Prepare with a comprehensive ransomware playbook

One of the key insights from the Gartner research is the critical importance of having a well-prepared incident response plan. Given the increasingly sophisticated nature of ransomware groups—many of which now operate like full-fledged businesses with their own marketplaces and support networks—a detailed and rehearsed ransomware playbook is essential for any organization.

Gartner states: "Develop an incident response plan with containment strategies that is augmented with a ransomware playbook."

Actionable strategy: Develop and regularly update a ransomware playbook that includes clear roles, decision-making protocols, and communication plans. Conduct regular tabletop exercises to ensure your team is prepared to act swiftly and effectively.

Conclusion: fortify your defenses against ransomware

Ransomware is an ever-present threat that requires a proactive, multi-layered approach to defense. We feel the 2024 Gartner Report “How to Prepare for Ransomware Attacks” provides essential strategies for preparing, detecting, and responding to these attacks. By implementing these recommendations, we believe your organization can better protect itself against the evolving tactics of cybercriminals.

Download the full Gartner report to explore detailed insights and recommendations for strengthening your ransomware defenses.

Gartner, Inc. How to Prepare for Ransomware Attacks. Paul Furtado. 16 April 2024.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.


According to a threat analysis report from Comparitech, educational institutions in the United States were the most targeted by ransomware attacks in 2023. Schools and colleges faced over 121 malware incidents, a significant increase from the 71 attacks reported in 2022.

The impact of these attacks was notable, with educational institutions experiencing an average of 12.6 working days lost due to ransomware, compared to 8.7 days in the previous year.

In terms of financial repercussions, the cost of recovery from ransomware incidents ranged between $540,000 and $560,000 from 2018 to 2024. The introduction of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in October 2025 is expected to provide more accurate data on these incidents. CIRCIA will require schools and other educational institutions to report cyber incidents within 72 hours, with a reduced timeframe of 48 hours specifically for ransomware attacks.

Comparitech’s research highlights that many educational institutions are either inadequately prepared for such attacks or are struggling with funding shortages, leading to a lack of in-house cybersecurity expertise. This situation could become increasingly problematic if not addressed.

On a positive note, the Federal Communications Commission (FCC) is initiating a Cybersecurity Pilot Program for schools, investing approximately $200 million over the next three years. This program aims to assess and address the cyber risks faced by educational institutions and implement effective risk mitigation measures.

Additionally, the FBI and CISA have issued a joint advisory about an Iranian hacking group known as Pioneer Kitten, Fox Kitten, UNC757, Parasite, and RUBIDIUM. This group is reportedly focused on disrupting and spreading ransomware within the healthcare and educational sectors. They typically infiltrate networks to steal sensitive information and then demand ransom, threatening to release the data if their demands are not met.

In related news, cities and counties are increasingly taking proactive measures to prevent ransomware-related losses. This shift indicates that local governments are beginning to allocate budgets for enhanced cybersecurity, suggesting progress towards achieving greater cybersecurity resilience.

The post Record breaking Ransomware attacks on Schools and Colleges in 2023 appeared first on Cybersecurity Insiders.

A new ransomware, identified as Cicada 3301, is currently making waves on the internet, targeting both Windows and Linux systems. Security researchers from endpoint protection firm Morphisec Inc. have uncovered this malware, suggesting it may be linked to the notorious BlackCat or ALPHV ransomware families.

Cicada3301 is written in Rust and named after the complex Cicada Puzzle, a nod to its intricate nature. This ransomware specifically targets small to medium-sized businesses by exploiting vulnerabilities in SMB (Server Message Block) protocols and demands payment in Monero or Bitcoin for a decryption key.

According to Morphisec researchers, the rebranding and potential connections to Russian-funded ransomware-as-a-service operations might be strategies to evade detection by law enforcement agencies. As international cybercrime units improve their tracking capabilities and even monitor blockchain transactions, hackers are devising new methods to spread ransomware and extract payments from victims.

One common tactic is to launch new ransomware variants under different names while employing the same extortion methods: infiltrating networks, encrypting files, and demanding ransom for their release. This approach not only opens new avenues for criminals but also complicates efforts for law enforcement to track and apprehend them.

This pattern mirrors strategies seen in drug and human trafficking, where criminal organizations frequently introduce new members and methods to evade capture.

In a related development, the US Department of Health announced a reward of up to $10 million in February 2024 for information leading to the capture of the leaders behind the BlackCat ransomware. Meanwhile, in March 2024, the ALPHV gang announced plans to cease operations in response to a ransomware attack on Change Healthcare, raising questions about the group’s motivations and future actions.

The post Cicada linked to ALPHV ransomware says report appeared first on Cybersecurity Insiders.