Cybersecurity has become an important element of business continuity. Regardless of the industry, all organizations operate in increasingly hazardous environments, with significant threats like ransomware impacting millions of businesses every year.

However, while these threats are very real, your business shouldn’t operate in fear. With the right knowledge and tools, you can have more confidence in your organization’s ability to minimize its attack surface or even recover successfully in the event of an attack.

To get to this point, however, there are some fundamental strategies and best practices you should be deploying.

Identify the Warning Signs

One of the most intimidating aspects of ransomware attacks, besides their aggressive nature, is that they can appear to happen in an instant. While the encryption itself may execute almost instantaneously, subtler indicators usually emerge beforehand that signal an organization could be in danger of an attack.

A common sign of a ransomware attempt is unusual spikes in network activity or unexpected system slowdowns. This could be the beginning of an infiltration and can also precede application or file storage performance issues.

If you’re seeing an increase in suspicious emails or flagged spam, it’s possible that your organization may be getting targeted, and it’s important to take added precautions.

Know How to Isolate and Contain

How quickly you respond to potential ransomware incidents can make all the difference in your ability to avoid or recover from them successfully. By acting decisively during an attack, you can prevent serious damage and limit the disruption it causes.

Conduct a Thorough Situation Assessment

After you’ve contained the threat, it’s important to start assessing any damage that’s occurred. Understanding the scope of the attack not only helps you identify which systems may need to be repaired, but it also helps you know whether there are deeper data compliance issues you or your partners should be aware of.

Something that will inform your next steps is knowing exactly what type of ransomware you’ve come across. For example, while most ransomware variants work to quickly encrypt sensitive business data, the primary goal of an attacker can vary considerably. While some attackers may settle for smaller breaches for quicker financial gains, others may be motivated by disrupting operations as much as possible.

Work with Cybersecurity Professionals

Knowing how to adequately prepare your business to avoid ransomware attacks requires a fair amount of experience and knowledge of the right tools to use. In most cases, working with outside security experts is the best way to ensure you’re taking all the necessary steps to protect your business.

External experts are not only valuable in helping to prevent a future attack, but they can also be called in if you need to quickly recover from a successful breach. They’ll be able to help with data recovery, system and network restoration, and with working alongside cybersecurity insurance providers.

Evaluate Your Recovery Options

In the event your business needs to recover from a successful ransomware attack, there are different recovery options you’ll want to decide on. Assuming you’ve kept reliable backups of your critical data, executing manual recovery efforts is definitely an option worth considering sooner rather than later.

Negotiating with attackers or paying a ransom is often a risky option. Paying a ransom doesn’t guarantee that you’ll be able to gain access to your encrypted data again, nor will it ensure you aren’t targeted again. A safer alternative is to explore using professional data recovery services and working with qualified security partners to help you quickly and efficiently recover.

Execute System Restoration

Once you have chosen a recovery process, it’s time to execute it. The first step in most recovery processes is to try to decrypt locked-out files if lower-grade encryption was used. In most cases, however, this will be ineffective against modern ransomware, since most attackers use highly advanced encryption technologies when planning out their attacks.

In addition to using decryption technology, you can work with your partners or outside security teams to restore the most critical systems first using your recent backups. It’s important to ensure that all backups are adequately scanned before implementation to ensure that they are free of any lingering malware or other suspicious files.

Improve Your Security Effectiveness Long-Term

Prevention is the key to avoiding the long-term impact of ransomware. To do this, it’s important to regularly assess the performance of your existing security measures and identify areas that need improvement. Conducting regular assessments of your organization’s cybersecurity posture gives you the blueprint necessary to ensure you’re maximizing the value of your security investments.

However, business risk assessments are beneficial for more than just keeping your business safe. They’re also important for evaluating regulatory compliance when adopting AI tools and for ensuring secure and responsible implementations across all your systems.

Don’t Let a Ransomware Attack Break Your Business

There is no question that ransomware is an intimidating cyber threat that all businesses should be aware of. However, by understanding the risks and taking proactive steps to protect your organization, you’ll be able to confidently navigate new security challenges as they arise.


Author Bio:

Nazy Fouladirad is President and COO of Tevora, a global leading cybersecurity consultancy. She has dedicated her career to creating a more secure business and online environment for organizations across the country and world. She is passionate about serving her community and acts as a board member for a local nonprofit organization.


The post From Crisis to Confidence: Navigating Ransomware Incidents with Expert Guidance appeared first on Cybersecurity Insiders.

Over the years, ransomware attacks have followed a predictable pattern, with cybercriminal groups displaying ransom notes on the screens of victimized businesses. These notes typically demand payment within a specified period, often ranging from 10 to 45 days, threatening severe consequences for failure to comply. These consequences could include not only data loss but also the potential embarrassment of having sensitive information leaked to competitors, partners, and customers.

However, a new twist has emerged with the spread of BianLian Ransomware, or rather, with criminals posing as the BianLian group. Business leaders and Chief Technology Officers (CTOs) are now receiving physical letters at their offices. The content of these letters is straightforward yet alarming: it claims that the company’s database has been compromised, and in order to retrieve a decryption key, they must pay a ransom—typically ranging between $250,000 and $360,000 in Bitcoin.

This approach marks a stark departure from the usual tactics used by cybercriminals. Instead of the typical digital ransom notes, these attackers are opting for physical mail, creating an eerie and personal touch to their threat. Naturally, one of the first concerns that arises is the authenticity of these claims—whether the business has genuinely been hacked, whether its data has truly been encrypted by the BianLian ransomware group, or if it’s all part of a more elaborate scam.

MalwareBytes, a well-regarded cybersecurity firm that has been tracking the BianLian group for several years, was the first to confirm these incidents, bringing attention to this new method of attack. Following this, other firms within the cybersecurity space began to share information through various media outlets, heightening awareness of the threat.

Some freelance security experts on platforms like Reddit and GitHub have weighed in on the situation, suggesting that these letters might not be the work of the actual BianLian group. Instead, they argue that these may be the actions of copycat criminals or even intermediaries seeking to scam businesses into paying a ransom without any real data breach or encryption taking place.

Despite the widespread reports of these letters, no business owner or CTO has publicly confirmed that their company was indeed targeted by the BianLian group or that their data was compromised. As of now, it’s unclear whether the claims made in these letters are based on actual cyberattacks or are simply fraudulent tactics aimed at scamming businesses.

Interestingly, the attackers are providing additional details to increase the credibility of their threats. Along with the ransom note, they include a QR code leading to a Bitcoin wallet address and a Tor link to a supposed data leak site, designed to further convince the victim of the authenticity of the breach.

As investigations continue, the true nature of these attacks remains uncertain. Only time will tell whether these letters represent a genuine new tactic in the world of ransomware or if they are simply part of a larger scam designed to prey on businesses’ fears of cyber threats. Stay tuned for further updates as more details emerge.

The post Ransomware gangs are now sending threatening typed letters to victimized businesses appeared first on Cybersecurity Insiders.

A day after rejecting claims that the US government had ceased surveillance operations against Russia and its affiliated threat groups, the Cybersecurity and Infrastructure Security Agency (CISA) issued a clarification regarding statements made by Defense Secretary Pete Hegseth. The clarification came in response to misinterpretations of Hegseth’s remarks, which had suggested a halt in offensive cyber operations targeting the Russian Federation.

CISA strongly refuted these claims, emphasizing that Russia remains a top priority for both online and offline surveillance. The agency stressed that any insinuation that the US had stopped monitoring Russian cyber activities is completely false. Hegseth’s words were misquoted, and CISA made it clear that surveillance operations would continue as part of ongoing efforts to safeguard national security.

In a parallel development, the Pentagon confirmed that it is actively monitoring the Qilin Ransomware Group, a Russian-speaking cybercriminal syndicate. The group has been linked to a series of high-profile cyberattacks, including the recent encryption of hospital databases in London and the disruption of operations at Lee Enterprises, a major US-based newspaper publisher. According to Pentagon reports, the ransomware gang encrypted over 350GB of files and caused significant operational disturbances across multiple newspapers in the US.

The Qilin group’s malicious activities did not stop there. After successfully encrypting and stealing sensitive data, the hackers leaked a portion of the stolen files on the dark web, further highlighting the group’s sophisticated tactics. In response, CISA issued an urgent warning about the threat posed by the Qilin Ransomware Group, noting that their ongoing efforts are focused on protecting the critical infrastructure of the United States from such cyberattacks. The agency emphasized that it is continuously defending against these threats to ensure the safety and stability of national systems.

Qilin Ransomware Strikes International Targets

In a related development, the Qilin Ransomware Group is reported to have expanded its operations internationally. The group has allegedly targeted the Utsunomiya Central Clinic in Japan, a prominent cancer treatment facility. Initial reports indicate that the hackers successfully stole approximately 135GB of data, amounting to around 300,000 files. This stolen data includes a variety of personal information, including birthdates, names, addresses, phone numbers, email contacts, medical histories, diagnostic records, and personal details of medical staff such as nurses and doctors.

However, it is important to note that the breach did not expose highly sensitive data such as financial information, credit card numbers, or citizen identity details. Despite this, the stolen data presents significant risks, particularly in terms of privacy violations and potential for future attacks. Data breaches of this nature often lead to phishing scams, identity theft, and other forms of cybercrime targeting the affected individuals.

Public Awareness and Risk Mitigation Efforts

In light of the breach, affected individuals—whose data has been compromised—will be contacted directly through digital communication channels. Authorities and healthcare organizations are working together to raise awareness about the risks associated with the attack and to provide guidance on how individuals can protect themselves from potential phishing scams and other security threats.

While this latest attack highlights the growing trend of ransomware groups targeting critical sectors globally, experts stress the importance of continued vigilance and enhanced cybersecurity measures to protect both public and private institutions from such malicious activities.

As the situation develops, both CISA and the Pentagon remain committed to defending the United States from cybercriminals, while the international community grapples with the increasingly sophisticated and damaging operations of groups like Qilin.

The post CISA issues warning against Qilin ransomware group appeared first on Cybersecurity Insiders.

The Trump administration has told US cyber command and CISA to stop following or reporting on Russian cyber threats. Yes, Russia! That country everyone used to agree was home to lots of ransomware gangs and hackers. Hmmm... Read more in my article on the Hot for Security blog.

One of the most notorious providers of abuse-friendly “bulletproof” web hosting for cybercriminals has started routing its operations through networks run by the Russian antivirus and security firm Kaspersky Lab, KrebsOnSecurity has learned.

Security experts say the Russia-based service provider Prospero OOO (the triple O is the Russian version of “LLC”) has long been a persistent source of malicious software, botnet controllers, and a torrent of phishing websites. Last year, the French security firm Intrinsec detailed Prospero’s connections to bulletproof services advertised on Russian cybercrime forums under the names Securehost and BEARHOST.

The bulletproof hosting provider BEARHOST. This screenshot has been machine-translated from Russian. Image: Ke-la.com.

Bulletproof hosts are so named when they earn or cultivate a reputation for ignoring legal demands and abuse complaints. And BEARHOST has been cultivating its reputation since at least 2019.

“If you need a server for a botnet, for malware, brute, scan, phishing, fakes and any other tasks, please contact us,” BEARHOST’s ad on one forum advises. “We completely ignore all abuses without exception, including SPAMHAUS and other organizations.”

Intrinsec found Prospero has courted some of Russia’s nastiest cybercrime groups, hosting control servers for multiple ransomware gangs over the past two years. Intrinsec said its analysis showed Prospero frequently hosts malware operations such as SocGholish and GootLoader, which are spread primarily via fake browser updates on hacked websites and often lay the groundwork for more serious cyber intrusions — including ransomware.

A fake browser update page pushing mobile malware. Image: Intrinsec.

BEARHOST prides itself on the ability to evade blocking by Spamhaus, an organization that many Internet service providers around the world rely on to help identify and block sources of malware and spam. Earlier this week, Spamhaus said it noticed that Prospero was suddenly connecting to the Internet by routing through networks operated by Kaspersky Lab in Moscow.

Kaspersky did not respond to repeated requests for comment.

Kaspersky began selling antivirus and security software in the United States in 2005, and the company’s malware researchers have earned accolades from the security community for many important discoveries over the years. But in September 2017, the Department of Homeland Security (DHS) barred U.S. federal agencies from using Kaspersky software, mandating its removal within 90 days.

Cybersecurity reporter Kim Zetter notes that DHS didn’t cite any specific justification for its ban in 2017, but media reports quoting anonymous government officials referenced two incidents. Zetter wrote:

According to one story, an NSA contractor developing offensive hacking tools for the spy agency had Kaspersky software installed on his home computer where he was developing the tools, and the software detected the source code as malicious code and extracted it from his computer, as antivirus software is designed to do. A second story claimed that Israeli spies caught Russian government hackers using Kaspersky software to search customer systems for files containing U.S. secrets.

Kaspersky denied that anyone used its software to search for secret information on customer machines and said that the tools on the NSA worker’s machine were detected in the same way that all antivirus software detects files it deems suspicious and then quarantines or extracts them for analysis. Once Kaspersky discovered that the code its antivirus software detected on the NSA worker’s machine was not a malicious program but source code in development by the U.S. government for its hacking operations, CEO Eugene Kaspersky says he ordered workers to delete the code.

Last year, the U.S. Commerce Department banned the sale of Kaspersky software in the U.S. effective July 20, 2024. U.S. officials argued the ban was needed because Russian law requires domestic companies to cooperate in all official investigations, and thus the Russian government could force Kaspersky to secretly gather intelligence on its behalf.

Phishing data gathered last year by the Interisle Consulting Group ranked hosting networks by their size and concentration of spambot hosts, and found Prospero had a higher spam score than any other provider by far.

AS209030, owned by Kaspersky Lab, is providing connectivity to the bulletproof host Prospero (AS200593). Image: cidr-report.org.

It remains unclear why Kaspersky is providing transit to Prospero. Doug Madory, director of Internet analysis at Kentik, said routing records show the relationship between Prospero and Kaspersky started at the beginning of December 2024.

Madory said Kaspersky’s network appears to be hosting several financial institutions, including Russia’s largest — Alfa-Bank. Kaspersky sells services to help protect customers from distributed denial-of-service (DDoS) attacks, and Madory said it could be that Prospero is simply purchasing that protection from Kaspersky.

But if that is the case, it doesn’t make the situation any better, said Zach Edwards, a senior threat researcher at the security firm Silent Push.

“In some ways, providing DDoS protection to a well-known bulletproof hosting provider may be even worse than just allowing them to connect to the rest of the Internet over your infrastructure,” Edwards said.

Recent reports circulating on social media suggest that FBI Director Kash Patel has been targeted by the infamous LockBit ransomware group. According to sources, the gang warned Patel that he is surrounded by subordinates who seem more focused on manipulating narratives and issuing misleading statements rather than performing their duties effectively.

In a message that resembles a version originally published on Forbes, the LockBit group first extended their congratulations to Patel for becoming the 9th Director of the Federal Bureau of Investigation. However, the tone quickly shifted, and the ransomware gang members launched a scathing criticism of his administration.

The controversy began last year when several members of LockBit, a notorious cybercrime group responsible for spreading ransomware globally, were arrested. This led to the takedown of their IT infrastructure in a coordinated effort named Operation Cronos. However, just 45 days after the crackdown, the gang re-emerged with the announcement of LockBit 2.0, vowing to operate with greater intensity. They made it clear that they would target critical federal infrastructure ahead of the November 2024 elections, which saw Donald Trump elected as the 47th President of the United States.

In October 2024, another group claimed to represent LockBit 3.0 and announced that they were focusing on financial institutions and power grids, continuing their efforts to sow political chaos among the public.

But within weeks, their activities seemed to die down. This was largely attributed to the Pentagon’s ongoing surveillance and efforts to disrupt cybercriminal networks responsible for malware attacks and DDoS operations.

Now, in a surprising turn of events, the Russian intelligence-affiliated LockBit group appears to be using a new tactic: directly reaching out to newly sworn-in FBI Director Kash Patel. This interaction seems to involve offering him a false narrative, possibly as part of an ongoing psychological operation.

While there has been no official confirmation of these developments—since authorities are still investigating—it’s evident that LockBit is actively promoting this narrative on social media platforms such as Telegram and Facebook. Even some journalists from prominent media outlets have reportedly been contacted to help spread the gang’s fabricated story.

In a curious twist, the criminals seem to be playing a dual game. On one hand, they are praising Donald Trump for his efforts to amend immigration policies and resolve the conflict between Ukraine and Moscow. On the other, they appear to be engaging in a mind game with the FBI Director, possibly to distract Patel from an ongoing campaign that remains hidden from law enforcement.

As the situation unfolds, it remains to be seen how much of this controversy surrounding Kash Patel holds any truth. Given the ransomware gang’s long history of launching high-profile attacks, their latest psychological tactics certainly add an element of intrigue and suspense.

The post LockBit ransomware gang sends a warning to FBI Director Kash Patel appeared first on Cybersecurity Insiders.

As ransomware attacks gained popularity, hackers initially focused on encrypting entire databases and demanding ransom in exchange for decryption keys. However, recent trends suggest a shift in their tactics, with cybercriminals now more interested in stealing data rather than encrypting it.

A report by the American cybersecurity firm ReliaQuest reveals that more malware-spreading gangs are targeting data exfiltration. This method is faster, often taking just 48 to 90 minutes, and carries a lower risk of being traced by law enforcement. In contrast, when encryption is used, victims may refuse to comply with ransom demands and contact authorities, complicating the criminals’ plans.

Law enforcement typically intervenes by discouraging ransom payments, sometimes offering decryption keys to quickly restore the victim’s database. They also attempt to trace cryptocurrency payments, which can eventually lead to identifying the perpetrators, though this is a rare occurrence.

To avoid these complications, ransomware gangs are increasingly opting to steal data first. This allows them to sell the stolen information for profit or, in some cases, hold it for months before releasing it on the dark web for social engineering attacks.

To mitigate such risks, it’s crucial for organizations to deploy threat monitoring systems that can provide early warnings. Regular backups using a reliable disaster recovery solution are also essential. Additionally, notifying relevant authorities can help share information across industries and facilitate the capture of criminals, ultimately reducing the spread of cybercrime.

While data theft isn’t replacing ransomware entirely, it represents a shift in the criminal focus from disrupting systems to generating profit—minimizing attention from global authorities like the FBI and CISA.

The post Ransomware hackers are more interested in data exfiltration than encryption appeared first on Cybersecurity Insiders.

Orange Group, a telecom services provider based in France, has confirmed that one of its internal systems at its Romanian branch was breached by a cyber attacker identified as “Rey,” an individual reportedly associated with the HellCat ransomware group. The breach has resulted in the exposure of over 380,000 email addresses and other sensitive data.

Upon further investigation, Orange clarified that the attack was limited to a back-office application, ensuring that customer-facing services and data remained unaffected. This is a crucial detail, as it highlights that no customer transactions, services, or other sensitive information were compromised during the attack.

While the data breach has been attributed to a lesser-known hacking group, the exact scale of the leak is still under review. Early reports indicate that the attacker managed to siphon off more than 12,000 files, totaling over 6.5GB of data. Among the compromised files were payment card details, subscription information for contractor Yoxo, partner data, and employee records.

At this stage, there is still uncertainty surrounding whether the attack was carried out by the HellCat ransomware group itself, or if it was the work of Rey, a figure who may be operating independently, separate from the larger cybercrime collective. Some sources in the cybersecurity community are skeptical about the HellCat group’s involvement, particularly after a recent statement surfaced on a Telegram channel. According to the post, if HellCat were behind the attack, it likely would have claimed responsibility, as it did in previous high-profile incidents like those involving Telefonica and Schneider Electric.

Interestingly, this breach follows a similar cyber incident reported by Orange Spain just last week. The company has promised to provide additional details in the near future, further suggesting that the telecom sector may be facing heightened cyber threats.

This incident serves as a stark reminder of the vulnerability of telecom companies, which often hold vast amounts of personal and financial data. As cybercriminals increasingly target data-intensive industries, the telecom sector remains a prime target for malicious actors seeking valuable information.

The post Orange data breach details after HellCat Ransomware Attack appeared first on Cybersecurity Insiders.

A joint report from the FBI and CISA has revealed that the Ghost Ransomware group has been targeting businesses running outdated hardware and software. Since 2021, the gang has victimized multiple organizations in over 70 countries, including China.

According to the report from the Multi-State Information Sharing and Analysis Center (MS-ISAC), the ransomware group frequently alters the file extensions of encrypted files and modifies the content of ransom notes. They also change the email addresses used for ransom communication, making it harder to trace their activities and link them to a particular group.

The group’s tactics evolve constantly. For instance, they may focus on attacking healthcare organizations one month, while targeting businesses in tech, education, and manufacturing sectors the next. Additionally, the Ghost Ransomware continuously rebrands itself, complicating efforts to attribute attacks to a specific malware variant. This shifting strategy also makes it challenging to access free decryption keys available online.

Over a four-year period, Ghost Ransomware has been associated with various other malware names, including Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture.

Businesses are urged to adopt a proactive approach to cybersecurity to defend against such threats, regardless of the malware or group responsible. Key recommendations include regular backups, timely patching of operating systems, upgrading firmware and software, implementing network segmentation, and enforcing multi-factor authentication (MFA) to protect against phishing attacks.

IT leaders such as CISOs, CTOs, and CFOs are encouraged to advocate for sufficient IT budgets to ensure their organizations can defend against emerging threats and vulnerabilities effectively.

The post Ghost Ransomware targeting Obsolete IT Systems appeared first on Cybersecurity Insiders.