The rise of sophisticated cyberattacks and increasingly brazen attackers is a well-established threat. Businesses and organizations need to take action and be aware of the risks cyberattacks and data breaches pose to their daily functions, financial statements, and reputation. A recent ransomware incident involving IxMetro PowerHost, a Chilean data center and hosting provider with operations spanning the USA, South America, and Europe, is a stark reminder of these dangers.

The ransomware deployed by a threat actor group known as “SEXi” was specifically designed to target ESXi environments, a choice reflected in the group’s name, which is an anagram of ESXi. This suggests a deliberate focus on these systems, leveraging specific vulnerabilities or misconfigurations common in such setups. Once inside the network, the ransomware likely utilized scripts or automated processes to locate and encrypt ESXi server data systematically, rendering the virtual machines (VMs) and their associated data inaccessible. This method ensures a high-impact disruption, as each encrypted ESXi server simultaneously affects multiple clients and services.

The Attack History

April 2024 saw the emergence of the SEXi ransomware gang, which launched a strategic attack on PowerHost’s VMware ESXi servers hosting their clients’ virtual private servers (VPS). The ransomware, specifically crafted to exploit vulnerabilities in ESXi systems, spread rapidly across the network. It systematically encrypted data on the servers and backups, crippling the virtual machines (VMs) and rendering crucial data inaccessible.

SEXi’s method was particularly devastating because it targeted hosts that consolidate many virtual environments on a single physical server. This strategy maximized disruption by encrypting a limited number of high-value targets, significantly impacting PowerHost’s clients. The approach demonstrates an evolution in ransomware tactics, where attackers aim to negate the victim’s ability to recover independently and thereby strengthen their leverage.

The attack encrypted terabytes of data, effectively rendering numerous websites and services hosted on these servers inaccessible. The ransomware gang demanded a ransom of two bitcoins per victim, which would have amounted to an astronomical $140 million.

Mitigation and Recovery

As customers began experiencing service outages, PowerHost’s IT team swiftly identified the ransomware infection. Recognizing the severity of the situation, they enlisted the expertise of Proven Data’s cybersecurity specialists. Simultaneously, PowerHost’s CEO, Ricardo Rubem, coordinated with law enforcement agencies across multiple countries to gain insights and formulate a response strategy. The clear consensus from these agencies was to refrain from paying the ransom.

Although both primary data and backups had been encrypted, PowerHost and Proven Data worked tirelessly to restore services. Leveraging advanced decryption techniques and cutting-edge recovery tools, the joint effort resulted in successful data recovery for IxMetro PowerHost. This critical intervention saved the company from the staggering $140 million ransom demand and minimized operational downtime and financial losses.

While the recovery process is still ongoing, PowerHost has offered affected VPS customers the option to set up new VPS systems, enabling some customers to resume online operations.

Results

PowerHost’s collaboration with Proven Data cybersecurity experts and law enforcement agencies was crucial and underscored the importance of collective efforts in combating cyber threats. This collaborative approach was a testament to the strength of the cybersecurity community and its commitment to protecting businesses and organizations.

The incident also underscores the importance of transparent and timely communication with customers, which is vital in maintaining trust and managing the fallout from such attacks.

Lessons Learned

The ransomware attack on PowerHost is a critical lesson for businesses worldwide about the necessity of robust cybersecurity measures. By learning from PowerHost’s experience, other companies can fortify their defenses and better protect themselves against the ever-growing ransomware threat. The incident highlights the strength of the cybersecurity community and its unwavering commitment to safeguarding businesses and their operations.

About Bogdan Glushko

Bogdan Glushko is the Chief Information Officer of Proven Data. Glushko actively leverages his years of experience restoring thousands of critical systems after incidents. Glushko is a trusted voice guiding organizations on resilient data strategies, ransomware response protocols, and mitigating evolving cyber threats. Through proven leadership, he continues delivering cutting-edge data preservation and recovery solutions that fortify business resilience against breaches, outages, and data loss from modern cyber attacks.

The post Proven Data Restores PowerHost’s VMware Backups After SEXi Ransomware Attack appeared first on Cybersecurity Insiders.

In today’s digital landscape, the evolution of cyber threats poses significant challenges for individuals and organizations alike. One pressing concern is the sudden escalation of a seemingly minor cyber threat into a full-fledged ransomware attack. This phenomenon has become increasingly common, raising questions about the speed and unpredictability of cyber threats’ transformations.

Cyber threats encompass a wide range of malicious activities, including phishing, malware infections, and data breaches. While each threat presents its own risks, the emergence of ransomware represents a particularly menacing development. Unlike other cyber threats that may cause data loss or financial harm, ransomware encrypts valuable files or systems, demanding payment for their release. The sudden shift from a standard cyber threat to ransomware can catch victims off guard, amplifying the impact and urgency of the attack.

One way in which a cyber threat can abruptly escalate into a ransomware attack is through the exploitation of vulnerabilities within an organization’s cybersecurity defenses. For example, a seemingly innocuous phishing email may initially deliver malware designed to steal credentials or gather sensitive information. However, if this malware goes undetected or is not promptly addressed, threat actors may pivot to deploying ransomware, leveraging the compromised system as a foothold for launching a broader attack.

Similarly, vulnerabilities in software or outdated security protocols can provide opportunities for threat actors to escalate their tactics. What begins as a routine malware infection or system compromise can quickly escalate into a ransomware incident if adequate safeguards are not in place to prevent unauthorized access or data exfiltration.

Moreover, the interconnected nature of modern IT environments can facilitate the rapid spread of ransomware within an organization. A single compromised device or network segment can serve as a vector for infecting other systems, leading to widespread encryption of critical data and systems. This domino effect underscores the importance of early detection and containment measures to mitigate the impact of ransomware attacks.

The evolving tactics and techniques employed by cyber-criminals further complicate efforts to anticipate and counter ransomware threats. Threat actors continuously adapt their strategies to bypass security controls and maximize their chances of success. As such, organizations must adopt a proactive approach to cybersecurity, regularly assessing their risk posture and implementing robust defenses to thwart potential ransomware attacks.

In conclusion, the abrupt escalation of a cyber threat into a ransomware attack underscores the dynamic nature of cybersecurity threats and the importance of vigilance and preparedness. By understanding the factors that contribute to this escalation, organizations can better safeguard their assets and respond effectively to emerging cyber threats. Through ongoing investment in cybersecurity measures and collaboration with industry partners, they can mitigate the risk of falling victim to ransomware and protect against the potentially devastating consequences of a cyber attack.

The post Can a Cyber Threat Abruptly Evolve into a Ransomware Attack appeared first on Cybersecurity Insiders.

A well-known ransomware gang has demanded $10m from the management of a Paris hospital and will release the encrypted data only once the demanded ransom is paid.

The CHSF Hospital Centre in Corbeil-Essonnes, near Paris, is the victim in question, and the attack is said to have taken place on Saturday night last week.

According to the French Government’s Centre for Combating Digital Crime (C3N), the demand was placed in dollars and is to reach the hackers in cryptocurrency.

To cope with the disruption caused by the incident, the 1,000-bed CHSF Hospital immediately triggered its “white plan” emergency procedure on Sunday morning to maintain continuity of its health services.

Worryingly, the ransomware attack has disrupted the hospital’s business software, data storage servers and patient information systems. The good news, however, is that the data is backed up, so the interruption can be considered temporary.

NOTE 1- Over the past few years, the healthcare sector has become a soft target for major ransomware attacks, such as the 2017 WannaCry attack that crippled NHS servers.

NOTE 2- The identity of the ransomware group that targeted CHSF is still being kept under wraps and will be revealed shortly.

NOTE 3- As the UK’s NCSC acts as an information-sharing hub for cyber-attacks, the hospital authorities have shared details of the threat’s impact with it. France’s National Authority for the Security and Defense of Information Systems (ANSSI) is also investigating the incident and suspects the hand of a Russian-funded ransomware group.


The post Ransomware spreading Criminals demanding $10m from Paris Hospital appeared first on Cybersecurity Insiders.

Until now, we have seen businesses shut down permanently because of sophisticated ransomware attacks; here is news of an educational institution that chose to shut down after becoming the victim of a massive ransomware attack.

Lincoln College in the US has posted a farewell notice on its website. Interestingly, the note mentions that the institution survived world wars, the Spanish flu and COVID-19 shutdowns, but could not survive a ransomware attack that swallowed it whole.

Cybersecurity Insiders has learnt that Lincoln College became the victim of a cyber attack in December 2021 that encrypted all of the organization’s data and clouded the picture for enrollments due to take place in fall 2022.

Prima facie, the ransomware took control of all servers related to recruitment, retention and fundraising.

Further investigation confirmed that no student data was compromised in the incident. However, information on students who had applied for admission was fully encrypted and has now been erased, as the victim failed to pay the ransom on time.

The US Department of Education is trying everything to breathe life back into the institution, which was founded in 1865, named after President Abraham Lincoln and devoted to Black students.

After many efforts to overcome the trouble, Lincoln College announced its official shutdown on March 29th this year and made its final commitment on Sunday last week.

Local students will be given the opportunity to enroll in other colleges for the next academic year. However, the fate of international students remains uncertain, as the visas permitting their stay in the United States expire at the end of this month.

Hopefully, the White House will take control of the situation and give clarity on these students’ educational future.


The post Ransomware attack shuts down a US College permanently appeared first on Cybersecurity Insiders.

The government of Costa Rica declared a national emergency on Sunday, May 8th, 2022, after most of its government websites were hit by ransomware, severely disrupting servers and back-end operations.

Rodrigo Chaves, the President of Costa Rica, released an official statement on the matter and added that the hackers were demanding $10 million to hand over the 672GB of stolen data and decrypt the locked files.

The Conti ransomware gang has claimed responsibility for the incident and said it is ready to negotiate a 20% discount with the government.

Worryingly, the Costa Rican Social Security Fund (CCSS), a healthcare agency, was also targeted by the Conti gang in the incident, and about 72GB of its data was leaked onto the dark web a few hours ago.

The second news item concerns the Colonial Pipeline cyber attack, which took place at the same time last year. The US Department of Transportation’s Pipeline and Hazardous Materials Safety Administration (PHMSA) has issued a notice to Colonial Pipeline’s management proposing a penalty of $986,400, i.e. nearly $1 million.

On May 8th, 2021, Colonial Pipeline declared that its servers had been targeted by the DarkSide ransomware gang, disrupting the distribution of gasoline, diesel and jet fuel from Texas to New Jersey. The attack caused fuel shortages across 17 states, and at one point the shortage was declared severe enough that the White House was ready to declare a state of emergency.

A special inquiry team appointed by the government in June 2021 found that Colonial Pipeline had failed to protect its IT infrastructure with appropriate cyber security measures, hence the penalty of nearly $1m. However, the fuel supplier will be given adequate time to file a counter-petition against the penalty.


The post Costa Rica declares ransomware emergency and Colonial Pipeline Cyber Attack fetches $1 Million penalty appeared first on Cybersecurity Insiders.

Amid rising fuel costs in India caused by the ongoing war between Russia and Ukraine, a sophisticated ransomware attack has hit the Indian subcontinent that could push the entire nation into a serious fuel shortage.

Oil India Limited (OIL), an Assam-based fuel producer and supplier, has made it official that its IT infrastructure was hit by a sophisticated ransomware attack. The hackers are demanding $75,00,000, or Rs 57 crore, to free the database from the malware.

Ransomware is a kind of file-encrypting malware that locks access to digital files until a ransom, often running into millions, is paid.

Currently, there is no official confirmation of who is behind the attack. However, highly placed sources state that either the Conti or the RYUK ransomware gang could be responsible, with a 30% suspicion pointing at the Lapsus$ group.

Reports say the PSU major has incurred huge losses, as all of the IT systems at its headquarters in Duliajan, Dibrugarh district, Assam, were infected.

Unconfirmed sources revealed that the company is not inclined to entertain the hackers’ demands, as it has an efficient disaster recovery plan.

The CID’s cyber cell, in coordination with the Assam Police Department, is pursuing the cyber criminals behind the attack. Preliminary inquiries reveal that the attack was launched from foreign soil, and the perpetrators will be prosecuted under India’s existing cyber crime laws.

Oil India was formed in 1989, and most of its administrative control lies with the Indian Ministry of Petroleum and Natural Gas. The company is the second largest fuel and natural gas supplier, and the attack might affect the supply chain in the coming weeks, which has triggered price-rise concerns among the public.


The post Sophisticated ransomware attack on Oil India Limited triggers fuel supply concerns appeared first on Cybersecurity Insiders.

A deep investigation into a ransomware attack on American companies led to the arrest of a man from Estonia. He was arrested with full evidence and sentenced by the US Department of Justice to a 5-year jail term, or 66 calendar months.

Maksim Berezan, 37, was found guilty of taking part in the ransomware attacks launched by Russian criminals on American businesses between April 2019 and 2020, which reportedly caused a $53 million loss.

Berezan was arrested in Latvia in November 2020 and extradited to the USA in April 2021 for cybercrimes including wire fraud against banks, helping Russian ransomware criminals buy and sell software tools and services, and stealing money from cryptocurrency exchanges.

The probe was halted for some time because of the COVID-19 pandemic; in the meantime, investigators examined the computers operated by the Estonians and found $11 million accumulated from ransom payments.

Some of the money was spent by Maksim on two red and black Porsches, a Ducati motorbike and some jewelry, and the same amount was found to have been transferred to his Bitcoin wallet.

The Eastern District of Virginia has ordered the culprit to pay $36 million in compensation to victims for their losses, in addition to the jail term.

Note- US law enforcement agencies released the news to remind cyber crooks that their digital fraud will end in prosecution one day. The Department of Justice thanked the Latvian State Police and the Estonian Police for helping to apprehend the criminal and extradite him to North America.


The post Ransomware attack lands man in jail for 66 months appeared first on Cybersecurity Insiders.