In a recent cyberattack, the Philippine Health Insurance Corporation, commonly known as PhilHealth, fell victim to the Medusa ransomware. The attackers are demanding $300,000 (about P17.038 million) in exchange for restoring access to the encrypted database and for a promise to delete the data they stole from the agency's servers.

Acknowledging the severity of the situation, the Department of Information and Communications Technology (DICT) of the Philippines has confirmed the authenticity of the incident. DICT’s IT experts are actively engaged in remediation efforts to mitigate the damage.

The extent of data stolen remains uncertain at this point, as it is unclear whether the perpetrators have extracted a portion of the information to exert additional pressure on PhilHealth staff. Emmanuel Ledesma, the President and CEO of PhilHealth, has reassured the public that the matter is under the vigilant scrutiny of Philippine health officials. Further developments regarding this incident are expected to surface in the near future.

A leak-site post attributed to the Medusa ransomware group states that the breach occurred in August of this year. The payment is being demanded for three things: a decryption key, deletion of the data siphoned off before encryption, and a copy of the stolen data handed back to the victim.

It is worth noting that in double-extortion attacks involving file-encrypting malware, there is no way for a victim to verify that the attackers have deleted the stolen copy on their own infrastructure. The data can still be sold to third parties or leaked later, regardless of what was promised. Consequently, negotiating with the attackers and paying a ransom buys no assurance that the stolen data is gone.

Instead, a more prudent approach is to restore encrypted systems from backups and to engage forensic professionals to establish what was taken and to monitor for misuse of the stolen data.

Moving forward, it is imperative for organizations to adopt proactive measures to thwart ransomware attacks. Prevention remains the most effective strategy, as safeguarding critical data is paramount in the ever-evolving landscape of cyber threats.

It is noteworthy that the Philippine Health Insurance Corporation is a tax-exempt, government-owned corporation attached to the Philippines’ Department of Health. It runs the national health insurance programme, in which contributions from higher earners subsidize coverage for those who cannot afford it, so that all members have access to healthcare.

The post Medusa Ransomware Strikes Philippines’ PhilHealth, Demands $300,000 Ransom appeared first on Cybersecurity Insiders.

Investigation Deepens into MGM Resorts Hack and Caesars Entertainment Ransomware Attack

Recent developments in the ongoing investigation into the MGM Resorts hack and the Caesars Entertainment ransomware attack have shed new light on the culprits behind these cybercrimes. Law enforcement agencies working on the case have revealed that the individuals responsible for these attacks are likely to be between the ages of 17 and 22. This revelation is substantiated by the research findings of Unit 42, the cybersecurity division of Palo Alto Networks.

The sequence of events that led to these cyberattacks began with a deceptively simple phone call. The attackers persuaded senior staff members to divulge their login credentials, thereby gaining unauthorized access to the corporate networks of these major gaming and casino companies. The callers appear to be quite young, possibly as young as 17, and were identified as native English speakers. The technique they used is known as vishing (voice phishing): manipulating people over the phone into handing over or resetting credentials, rather than exploiting a software flaw.

As the Scattered Spider group, also known as UNC3944, breached the systems of two of the world’s largest gaming and casino corporations, concerns are mounting about the evolving sophistication of cyber threats in the future.

RANSOMEDVC Claims to Infiltrate Sony Corporation Computer Network

A ransomware group known as RANSOMEDVC has allegedly infiltrated the computer networks of Sony Corporation with the aim of acquiring valuable intelligence and exfiltrating sensitive information for later sale on the dark web.

Interestingly, RANSOMEDVC has not made any ransom demand to Sony. Instead, the group intends to monetize the intrusion by selling the stolen data on the dark web.

As proof of the intrusion, the group has released an initial batch of stolen data, including PDFs and screenshots. It claims that the Japanese conglomerate’s senior management has shown no interest in negotiating, leaving it, in its own telling, with no option but to profit from selling the compromised information. The stated reasoning is that the stolen data could yield substantially more revenue than any ransom payment.

Russian LockBit Ransomware Targets The Weather Network Servers

In a surprising and unprecedented move, the Russian-speaking ransomware group known as LockBit has issued a threat to release data associated with “The Weather Network” if their ransom demands are not met. This notorious group has a history of targeting corporate and government networks. However, this marks their first reported breach of a server network belonging to a weather reporting organization. Further details on this incident are eagerly awaited as the situation unfolds.

The post Trending Ransomware News headlines on Google appeared first on Cybersecurity Insiders.

When it comes to the world of cybersecurity, the FBI and CISA have a reputation for issuing timely alerts, especially when the threat severity is high. Their latest warning revolves around the notorious Snatch ransomware-as-a-service gang.

In their advisory, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) shed light on Snatch, a ransomware-as-a-service operation that has been active since 2018. Over the years, Snatch has honed in on various sectors, including software, U.S. defense, food, and agriculture.

This criminal syndicate has garnered notoriety by executing high-profile attacks on entities such as South Africa’s Department of Defense, the City of Modesto in California, Saskatchewan Airport in Canada, and London’s Briars Group, among others.

What sets Snatch apart is its double-extortion practice. In addition to encrypting victim data, the group has been observed purchasing data stolen by other ransomware gangs and then extorting those victims afresh. The ultimatum is the same in both cases: pay the ransom or see the sensitive data published on the group’s extortion blog.

One particularly notable aspect of Snatch is its technical approach. The malware reboots infected Windows systems into Safe Mode before encrypting files. Safe Mode starts only a minimal set of drivers and services, so most third-party endpoint protection is not running when the encryption takes place, and the activity is less likely to be detected or blocked in time.
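The following is an added detection example, not code from the advisory or from the Snatch malware itself. The page only says that the ransomware reboots into Safe Mode; the mechanism assumed here (setting the `safeboot` flag with `bcdedit`, registering a service under the `SafeBoot\Minimal` registry key so that it still starts in Safe Mode, then forcing a reboot) is the standard way to do that on Windows and is drawn from public analyses of Snatch rather than from this page. The log lines are constructed, not real telemetry; the field names mirror Sysmon Event ID 1 and Security event 4688. The script correlates events per host and raises severity when a forced reboot follows the staging commands within a short window.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon Event ID 1 / Security 4688
# fields), not real telemetry. FS01 shows the Safe Mode staging sequence;
# WS22 shows benign admin activity that must not alert.
EVENTS = [
    {"ts": "2023-09-20T02:14:03", "host": "FS01", "user": "CORP\\svc_backup",
     "cmd": "bcdedit /set {default} safeboot minimal"},
    {"ts": "2023-09-20T02:14:05", "host": "FS01", "user": "CORP\\svc_backup",
     "cmd": 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\SuperBackupSvc" '
            '/ve /t REG_SZ /d Service /f'},
    {"ts": "2023-09-20T02:14:09", "host": "FS01", "user": "CORP\\svc_backup",
     "cmd": "shutdown /r /f /t 00"},
    {"ts": "2023-09-20T09:30:00", "host": "WS22", "user": "CORP\\helpdesk",
     "cmd": "bcdedit /enum"},
    {"ts": "2023-09-20T17:45:10", "host": "WS22", "user": "CORP\\helpdesk",
     "cmd": "shutdown /r /t 60"},
]

# bcdedit setting the safeboot flag (minimal or network) on any boot entry
SAFEBOOT_FLAG = re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b\s+(?:minimal|network)\b", re.I)
# a service or driver being registered to start in Safe Mode
SAFEBOOT_SERVICE = re.compile(r"\\Control\\SafeBoot\\(?:Minimal|Network)\\", re.I)
# restart request: shutdown /r (with or without /f)
FORCED_REBOOT = re.compile(r"\bshutdown(?:\.exe)?\b.*\s/r\b", re.I)


def detect_safe_mode_staging(events, window=timedelta(minutes=10)):
    """Return one finding per host on which a Safe Mode boot was staged.

    A host is flagged when the safeboot flag is set or a service is added
    under the SafeBoot registry keys. Severity is raised to critical if the
    same host issues a reboot within `window` of the first staging command.
    """
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_host.setdefault(ev["host"], []).append(ev)

    findings = []
    for host, evs in by_host.items():
        staging, techniques = [], set()
        for ev in evs:
            if SAFEBOOT_FLAG.search(ev["cmd"]):
                staging.append(ev)
                techniques.add("safeboot-flag")
            elif SAFEBOOT_SERVICE.search(ev["cmd"]):
                staging.append(ev)
                techniques.add("safeboot-service")
        if not staging:
            continue

        # Look for a reboot after the first staging command, inside the window.
        t0 = datetime.fromisoformat(staging[0]["ts"])
        reboot = None
        for ev in evs:
            delta = datetime.fromisoformat(ev["ts"]) - t0
            if FORCED_REBOOT.search(ev["cmd"]) and timedelta(0) <= delta <= window:
                reboot = ev
                break

        findings.append({
            "host": host,
            "user": staging[0]["user"],
            "techniques": sorted(techniques),
            "severity": "critical" if reboot else "high",
            "evidence": [ev["cmd"] for ev in staging] + ([reboot["cmd"]] if reboot else []),
        })
    return findings


if __name__ == "__main__":
    for f in detect_safe_mode_staging(EVENTS):
        print(f["severity"].upper(), f["host"], f["user"], f["techniques"])
        for line in f["evidence"]:
            print("   ", line)
```

Both staging commands require administrative rights, so the account in the finding is itself evidence of a compromised privileged credential. On a host that alerts before the reboot completes, `bcdedit /deletevalue {default} safeboot` removes the flag, and the service entry under `SafeBoot\Minimal` should be deleted before the machine is allowed to restart.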

Notably, Snatch has recently taken a deviation from its established pattern. It is now showing a keen interest in targeting non-American companies operating within the United States, with a pronounced focus on entities from the Asian continent. This shift underscores the evolving nature of cyber threats in an increasingly interconnected world.

The post FBI and CISA issue Cyber Alert against Snatch Ransomware appeared first on Cybersecurity Insiders.

The victim shaming website operated by the cybercriminals behind 8Base — currently one of the more active ransomware groups — was until earlier today leaking quite a bit of information that the crime group probably did not intend to be made public. The leaked data suggests that at least some of the website’s code was written by a 36-year-old programmer residing in the capital city of Moldova.

The 8Base ransomware group’s victim shaming website on the darknet.

8Base maintains a darknet website that is only reachable via Tor, a freely available global anonymity network. The site lists hundreds of victim organizations and companies — all allegedly hacking victims that refused to pay a ransom to keep their stolen data from being published.

The 8Base darknet site also has a built-in chat feature, presumably so that 8Base victims can communicate and negotiate with their extortionists. This chat feature, which runs on the Laravel web application framework, works fine as long as you are *sending* information to the site (i.e., by making a “POST” request).

However, if one were to try to fetch data from the same chat service (i.e., by making a “GET” request), the website until quite recently generated an extremely verbose error message:

The verbose error message when one tries to pull data from 8Base’s darknet site. Notice the link at the bottom of this image, which is generated when one hovers over the “View commit” message under the “Git” heading.

That error page revealed the true Internet address of the Tor hidden service that houses the 8Base website: 95.216.51[.]74, which according to DomainTools.com is a server in Finland that is tied to the Germany-based hosting giant Hetzner.

But that’s not the interesting part: Scrolling down the lengthy error message, we can see a link to a GitLab repository under a group called Jcube-group: gitlab[.]com/jcube-group/clients/apex/8base-v2. Digging further into this GitLab account, we can find some curious data points available in the JCube Group’s public code repository.

For example, this “status.php” page, which was committed to JCube Group’s Gitlab repository roughly one month ago, includes code that makes several mentions of the term “KYC” (e.g. KYC_UNVERIFIED, KYC_VERIFIED, and KYC_PENDING).

This is curious because a FAQ on the 8Base darknet site includes a section on “special offers for journalists and reporters,” which says the crime group is open to interviews but that journalists will need to prove their identity before any interview can take place. The 8base FAQ refers to this vetting process as “KYC,” which typically stands for “Know Your Customer.”

“We highly respect the work of journalists and consider information to be our priority,” the 8Base FAQ reads. “We have a special program for journalists which includes sharing information a few hours or even days before it is officially published on our news website and Telegram channel: you would need to go through a KYC procedure to apply. Journalists and reporters can contact us via our PR Telegram channel with any questions.”

The 8Base FAQ (left) and the KYC code in Kolev’s Gitlab account (right)

The 8Base darknet site also has a publicly accessible “admin” login page, which features an image of a commercial passenger plane parked at what appears to be an airport. Next to the airplane photo is a message that reads, “Welcome to 8Base. Admin Login to 8Base dashboard.”

The login page on the 8Base ransomware group’s darknet website.

Right-clicking on the 8Base admin page and selecting “View Source” produces the page’s HTML code. That code is virtually identical to a “login.blade.php” page that was authored and committed to JCube Group’s Gitlab repository roughly three weeks ago.

It appears the person responsible for the JCube Group’s code is a 36-year-old developer from Chisinau, Moldova named Andrei Kolev. Mr. Kolev’s LinkedIn page says he’s a full-stack developer at JCube Group, and that he’s currently looking for work. The homepage for Jcubegroup[.]com lists an address and phone number that Moldovan business records confirm is tied to Mr. Kolev.

The posts on the Twitter account for Mr. Kolev (@andrewkolev) are all written in Russian, and reference several now-defunct online businesses, including pluginspro[.]ru.

Reached for comment via LinkedIn, Mr. Kolev said he had no idea why the 8Base darknet site was pulling code from the “clients” directory of his private JCube Group Gitlab repository, or how the 8Base name was even included.

“I [don’t have] a clue, I don’t have that project in my repo,” Kolev explained. “They [aren’t] my clients. Actually we currently have just our own projects.”

Mr. Kolev shared a screenshot of his current projects, but very quickly after that deleted the image he’d shared. However, KrebsOnSecurity captured a copy of it before it was removed:

A screenshot of Mr. Kolev’s current projects that he quickly deleted.

Within minutes of explaining why I was reaching out to Mr. Kolev and walking him through the process of finding this connection, the 8Base website was changed, and the error message that linked to the JCube Group private Gitlab repository no longer appeared. Instead, trying the same “GET” method described above caused the 8Base website to return a “405 Method Not Allowed” error page:

Mr. Kolev claimed he didn’t know anything about the now-removed error page on 8Base’s site that referenced his private Gitlab repo, and said he deleted the screenshot from our LinkedIn chat because it contained private information.

Ransomware groups are known to remotely hire developers for specific projects without disclosing exactly who they are or how the new hire’s code is intended to be used, and it is possible that one of Mr. Kolev’s clients is merely a front for 8Base. But despite 8Base’s statement that they are happy to correspond with journalists, KrebsOnSecurity is still waiting for a reply from the group via their Telegram channel.

The tip about the leaky 8Base website was provided by a reader who asked to remain anonymous. That reader, a legitimate security professional and researcher who goes by the handle @htmalgae on Twitter, said it is likely that whoever developed the 8Base website inadvertently left it in “development mode,” which is what caused the site to be so verbose with its error messages.

“If 8Base was running the app in production mode instead of development mode, this Tor de-anonymization would have never been possible,” the reader said.
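The following added example is not part of the KrebsOnSecurity article and is not code from the 8Base site. It shows how a responder or tester would check whether a Laravel-style application leaks its debug error page on an unsupported method, and what such a leak gives away: the sample page is a constructed imitation of the Ignition debug renderer, which embeds a JSON report in the HTML (including a `git` section with remote and commit hash that produces the “View commit” link mentioned above) and prints a stack trace with absolute server paths. The sample body, hostnames, IP address and repository path are invented for the example. On the application side the fix is `APP_DEBUG=false` in `.env` (Laravel reads it into `config('app.debug')`), which replaces the verbose page with a plain 405 or 500 response like the hardened body below.

```python
import ipaddress
import json
import re

# Strings that indicate a framework debug page rather than a generic error page.
# These are assumptions about common PHP debug renderers (Ignition, Whoops).
DEBUG_MARKERS = ("Ignition", "Whoops", "window.data", "Stack trace:", "APP_DEBUG")

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# scp-style (git@host:group/repo.git) or https remotes ending in .git
GIT_REMOTE = re.compile(r"(?:git@[\w.\-]+:|https?://[\w.\-]+/)[\w.\-/]+\.git")
COMMIT_HASH = re.compile(r"\b[0-9a-f]{40}\b")
# absolute server-side paths as they appear in stack traces (not inside URLs)
ABS_PATH = re.compile(r"(?<![\w/])/(?:var|home|srv|opt|app)/[\w.\-/]+")

# Constructed sample: what a Laravel app with APP_DEBUG=true might return to a
# GET on a POST-only route. Not captured from any real site.
SAMPLE_BODY = """<!doctype html><html><head><title>Ignition Error</title></head>
<body><script>
window.data = {"report": {"message": "MethodNotAllowedHttpException",
 "context": {"git": {"hash": "0123456789abcdef0123456789abcdef01234567",
   "remote": "git@gitlab.example:acme/clients/app-v2.git", "branch": "main"},
  "env": {"laravel_version": "10.2.1", "php_version": "8.2.10"},
  "request": {"url": "http://example.onion/chat/1", "ip": "127.0.0.1"}}},
 "config": {"directorySeparator": "/"}};
</script>
<pre>Stack trace:
#0 /var/www/app-v2/vendor/laravel/framework/src/Illuminate/Routing/Router.php(1234)
SERVER_ADDR=192.0.2.10
</pre></body></html>"""

# What the same route returns once APP_DEBUG=false: nothing to harvest.
HARDENED_BODY = "<!doctype html><html><body><h1>405 Method Not Allowed</h1></body></html>"


def is_debug_page(body: str) -> bool:
    """True if the response looks like a framework debug page."""
    return any(marker in body for marker in DEBUG_MARKERS)


def ignition_payload(body: str):
    """Parse the JSON report Ignition embeds as `window.data = {...};`, if present."""
    key = "window.data = "
    start = body.find(key)
    if start < 0:
        return None
    try:
        obj, _ = json.JSONDecoder().raw_decode(body, start + len(key))
    except ValueError:
        return None
    return obj if isinstance(obj, dict) else None


def extract_leaks(body: str) -> dict:
    """Collect the infrastructure details a debug page gives away."""
    ips, remotes, commits, paths = set(), set(), set(), set()
    framework = None

    payload = ignition_payload(body)
    if payload:  # structured data first: exact remote, commit and framework version
        ctx = payload.get("report", {}).get("context", {})
        git = ctx.get("git") or {}
        if git.get("remote"):
            remotes.add(git["remote"])
        if git.get("hash"):
            commits.add(git["hash"])
        env = ctx.get("env") or {}
        if env.get("laravel_version"):
            framework = "Laravel " + env["laravel_version"]

    # Then a regex sweep of the whole body, which also covers plain-text traces.
    for cand in IPV4.findall(body):
        try:
            ip = ipaddress.ip_address(cand)
        except ValueError:
            continue  # e.g. "999.1.1.1"
        if not ip.is_loopback:  # 127.0.0.1 in a request context is not a leak
            ips.add(cand)
    remotes.update(GIT_REMOTE.findall(body))
    commits.update(COMMIT_HASH.findall(body))
    paths.update(ABS_PATH.findall(body))

    return {"debug_page": is_debug_page(body), "framework": framework,
            "ips": sorted(ips), "git_remotes": sorted(remotes),
            "commits": sorted(commits), "paths": sorted(paths)}


if __name__ == "__main__":
    for name, body in (("debug", SAMPLE_BODY), ("hardened", HARDENED_BODY)):
        print(name, json.dumps(extract_leaks(body), indent=2))
```

In practice the body would come from a GET (and other unexpected methods) against every route the application exposes, since the leak appears only on the code path that throws; a generic 405 with no markers, as in `HARDENED_BODY`, is the expected result for a production deployment.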

A recent blog post from VMware called the 8Base ransomware group “a heavy hitter” that has remained relatively unknown despite the massive spike in activity in Summer of 2023.

“8Base is a Ransomware group that has been active since March 2022 with a significant spike in activity in June of 2023,” VMware researchers wrote. “Describing themselves as ‘simple pen testers,’ their leak site provided victim details through Frequently Asked Questions and Rules sections as well as multiple ways to contact them. ”

According to VMware, what’s particularly interesting about 8Base’s communication style is the use of verbiage that is strikingly familiar to another known cybercriminal group: RansomHouse.

“The group utilizes encryption paired with ‘name-and-shame’ techniques to compel their victims to pay their ransoms,” VMware researchers wrote. “8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries. Despite the high amount of compromises, the information regarding identities, methodology, and underlying motivation behind these incidents still remains a mystery.”

In a recent development, Greater Manchester Police (GMP) officers have fallen victim to a highly sophisticated cyberattack. This attack targeted a technology provider and resulted in the unauthorized exposure of information including ranks, photographs, the precise geolocation where the photos were taken, and the serial numbers of thousands of police officers.

The seriousness of this incident has prompted the involvement of the National Crime Agency, which has initiated an investigation into the matter.

Reports indicate that the hackers managed to access information pertaining to approximately 8,000 officers, but fortunately, no financial data was compromised during this breach.

In another concerning cybersecurity incident, Caesars Entertainment, a prominent casino operator with interests in the hotel industry, found itself in the crosshairs of a file-encrypting malware attack. The Nevada-based company confirmed that it had successfully resolved the issue, but not without a troubling twist.

The attackers, after receiving a substantial ransom payment in cryptocurrency, released the decryption key. Caesars Entertainment acknowledged that its IT personnel, under the guidance of cybersecurity experts, reluctantly complied with the hackers’ demands due to a lack of viable alternatives.

Sources with knowledge of the situation, speaking to Cybersecurity Insiders, revealed that the casino and gaming service provider had no choice but to accede to the cybercriminals’ demands since even their backup data had been compromised.

The incident is believed to be the work of Scattered Spider, also tracked as UNC3944, which in these casino attacks operated as an affiliate of the BlackCat/ALPHV ransomware operation rather than being the same group. Scattered Spider is characterized by its youthful membership and is notorious for SIM swapping and vishing attacks. This event underscores the audacity of modern cyber threats, as the attackers reportedly obtained the access they needed in a phone call lasting about ten minutes.

The post Two Ransomware Attack Stories currently trending on Google appeared first on Cybersecurity Insiders.

In the realm of cybersecurity threats, the terms “Killware” and “Ransomware” often surface in discussions. While both are malicious software designed to disrupt computer systems, they serve distinct purposes and operate in different ways. This article delves into the concepts of killware and ransomware, highlighting their differences and shedding light on the unique threats they pose.

Killware:

Killware, used here in the sense of “wiper” malware, is a type of malicious software created with the intention of causing irreversible damage to a computer system or network. (In DHS usage the term refers more narrowly to attacks intended to cause physical harm to people; this article uses the broader destructive-malware sense.) Unlike ransomware, which encrypts files and extorts a ransom from victims, killware aims to destroy data, rendering it unrecoverable. Here are some key characteristics of killware:

Data Destruction: Killware’s primary objective is to delete or corrupt files and data on infected systems. It doesn’t attempt to extort money from victims but rather aims to inflict maximum harm.

No Ransom Demands: Unlike ransomware, which displays ransom notes demanding payment for decryption keys, killware does not offer a way to recover the compromised data.

High-Level Disruption: Killware often targets critical systems and infrastructure, such as government networks, industrial control systems, or corporate environments. Its impact can be devastating, causing operational disruptions and significant financial losses.

Attribution Challenges: Identifying the perpetrators behind killware attacks can be challenging, as they often remain anonymous and do not communicate with victims.

Motivations: Killware attacks may have various motivations, including espionage, nation-state cyberwarfare, or simply causing chaos and destruction.

Ransomware:

Ransomware, on the other hand, is a form of malware that encrypts a victim’s files, making them inaccessible, and then demands a ransom in exchange for the decryption key. Here are some key characteristics of ransomware:

Data Encryption: Ransomware encrypts a victim’s files, rendering them unreadable. Victims are typically presented with a ransom note instructing them to pay a specified amount in cryptocurrency to receive the decryption key.

Financial Motivation: The primary goal of ransomware attacks is financial gain. Attackers hope that victims will pay the ransom to regain access to their data.

Payment Demands: Ransomware attackers communicate with victims through ransom notes, providing instructions on how to pay the ransom. They often set a deadline, after which the decryption key may be destroyed.

Varied Targets: Ransomware attacks can target individuals, businesses, or organizations of all sizes. Some high-profile attacks have targeted hospitals, municipalities, and even critical infrastructure.

Conclusion:

In summary, while both killware and ransomware are malicious software designed to disrupt computer systems, their objectives and methods differ significantly. Killware aims to destroy data and infrastructure without offering any chance of recovery, while ransomware encrypts data with the intent of extorting money from victims. Understanding the differences between these threats is crucial for organizations and individuals to implement effective cybersecurity measures and respond appropriately to cyberattacks.

The post Killware vs. Ransomware: Key Differences appeared first on Cybersecurity Insiders.