The Sri Lankan Government has reported a significant data loss incident affecting more than 5,000 email accounts, with mail from May to August 2023 lost. The cause was identified as a ransomware attack. The situation was made worse by the fact that the backup servers were compromised along with the primary mail servers, so restoring the lost mail from backup was not an option.

According to the Information and Communication Technology Agency of Sri Lanka (ICTA), the root cause of the incident was the continued use of Microsoft Exchange 2013, which reached end of support (and stopped receiving security updates) in April 2023. This unsupported software was running on the Lanka Government Network (LGN), a critical network used by key government entities such as the Cabinet Office, the President's office, the Ministry of Education and the Ministry of Health. Given the sensitivity of the data involved, the consequences of the incident could prove serious.

Mahesh Perera, the CEO of ICTA, issued a statement acknowledging that all Gov.lk email accounts were affected by the malware attack, which was first identified on August 26 of this year. He did not explicitly label the incident a consequence of a failed software upgrade, but he did say that an upgrade of the Microsoft Exchange service had been pending since 2021. Those upgrade plans had stalled because of constraints in the government's budget and the broader economic crisis facing the country.

Mr. Perera clarified that the government has no intentions of negotiating with the perpetrators of the attack. In other words, no ransom demands will be entertained.

An unofficial source in Sri Lanka attributed the incident on a Telegram channel to either the LockBit ransomware gang or the Russian-speaking BlackCat (ALPHV) gang, but there has been no official confirmation of who the attackers are.

It’s worth noting that this incident unfolded against the backdrop of Sri Lanka grappling with high inflation and the depreciation of the Sri Lankan Rupee in international markets, further compounding the challenges faced by the country.

The post Ransomware targets over 5000 government email addresses appeared first on Cybersecurity Insiders.

In the United States, a relatively obscure ransomware group has exposed the personal information of employees who held work visas in the country. The intrusion took place earlier this year, when the group targeted the travel technology company Sabre. After Sabre failed to meet the hackers' demands, the group published a portion of the stolen data this week.

Sabre, a major player in the travel booking industry, only became aware of the data breach through media reports. In response to the allegations made by the hackers, the company promptly issued a statement vowing to conduct a thorough investigation into the matter.

Sources at Cybersecurity Insiders have learned that Sabre was the victim of a data exfiltration operation by the Dunghill ransomware group, which claims to have stolen approximately 1.3 terabytes of data. The stolen information reportedly includes ticket sales records, passenger statistics, corporate financial records, and employee personal information: nationalities, dates of birth, passport numbers, visa details, I-9 (employment eligibility) form particulars, and other personnel records.

The revelation that the hackers had accessed the visa details of Sabre’s employees authorized to work in the United States sent shockwaves through the company. The extent of the breach remains uncertain, prompting Sabre to enlist the services of a forensic investigation team to delve deeper into the incident.

At present, little is known about the Dunghill group. Some sources on Telegram have suggested that the group may be tied to the Dark Angels ransomware operation, whose encryptor is reportedly derived from the leaked Babuk ransomware source code.

Furthermore, according to an update from Malwarebytes, the same group targeted the servers of various entities, including the game developer Incredible Technologies, food company Sysco, and automotive manufacturer Gentex. The common thread among these victims was their perceived reluctance to comply with the ransom demands, prompting the Dunghill gang to resort to data leaks as a form of retaliation.

The post Ransomware spreading gang reveals visa details of working employees in America appeared first on Cybersecurity Insiders.

When a server is hit by ransomware, the urgency to regain access to critical data often leads to a difficult decision: whether to pay the attackers. The reliability of ransomware criminals in honouring their side of the "deal" is far from guaranteed.

Are Ransomware Payments Legal?

First and foremost, get the legal picture straight. In the United States, paying a ransom is not illegal as such, but it can be: the Treasury Department's Office of Foreign Assets Control (OFAC) has warned in its advisories (October 2020, updated September 2021) that a payment which reaches a sanctioned person or jurisdiction can violate the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act, and that OFAC may impose civil penalties on a strict-liability basis, meaning the payer need not have known who was on the other end. Other jurisdictions impose their own sanctions and reporting rules, so any decision to pay should go through legal counsel before any cryptocurrency is acquired.

The Alternative: Refusing to Pay

Declining to pay the ransom is a risky but legal choice. If an organization has a robust backup system in place, it can usually recover its data from backups. The effectiveness of this approach hinges on how quickly the restore can be completed, which directly determines the length of the outage; backups that were encrypted or deleted by the attackers, or that were never tested, do not count as a recovery option.

Calculating the Cost of Data Recovery

The cost of recovery after a ransomware infection is a primary concern for CIOs and CTOs. Restoring from backup is typically the cheaper route, but its success depends on the quality of the backups and the speed of the restore tooling. If an organization decides to pay instead, it must account for the full set of expenses: acquiring cryptocurrency, retaining forensic and negotiation specialists, legal review of the payment, and the longer-term consequences of having given in to the attackers' demands.

The FBI’s Perspective

The Federal Bureau of Investigation (FBI) has taken a strong stance against ransomware payments. In a 2019 public service announcement, the FBI warned that paying a ransom does not guarantee a decryption key, and that even when a key is provided, the attacker-supplied decryptor may be slow, buggy or fail to restore some files. Paying also marks the victim as willing to pay, which can attract repeat attacks from the same criminals, especially if the weaknesses that allowed the initial intrusion are not fixed.

When Backup Is Not an Option

Where no viable backups exist, victims should involve law enforcement and follow its guidance before engaging with the attackers. Caution is warranted, because a ransom payment ultimately funds the underground economy of cybercrime.

Conclusion

In summary, dealing with ransomware is a complex and legally fraught endeavor. Organizations facing this threat must carefully weigh the risks and legal implications of making payments against the potential consequences of refusing to comply with hackers’ demands. Collaboration with law enforcement and cybersecurity experts is advisable when navigating this treacherous landscape.

The post Considerations to be made when dealing with Ransomware Payments appeared first on Cybersecurity Insiders.

The United Kingdom's Ministry of Defence has once again found itself in the spotlight after a recent cyberattack, with suspicion pointing towards Russian hackers. There is no conclusive evidence to support that attribution, but there is a growing belief that Russia may be behind the latest data breach.

Social media platforms, such as X and Facebook, are abuzz with reports suggesting that a hacking group funded by the Kremlin has successfully infiltrated sensitive military websites. Among the targeted sites are the HMNB Clyde Nuclear Submarine Base, the Porton Down Chemical Weapon Lab, and the esteemed GCHQ.

The breach reportedly resulted in the theft of sensitive information, including details of high-security prisons, their locations and blueprints. The culprits are allegedly affiliated with the LockBit ransomware group, which has Russian ties but is believed to operate from a European location.

Microsoft Threat Intelligence teams have found that the criminals have shared some of the stolen information on the dark web, including details of certain Metropolitan Police officials and of officers serving in the Police Service of Northern Ireland (PSNI).

Initial investigations suggest that the perpetrators obtained credentials and data belonging to Zaun, a manufacturer of perimeter security fencing that supplies several of the sites named above. Notably, the same criminal group was previously linked to a breach of The Royal Mail Group earlier this year, when it demanded a staggering $40 million in ransom. The specific actions taken by the British mail service remain undisclosed, but reliable sources confirm that LockBit did not receive any payment; instead, a forensic firm assisted the parcel service in recovering from the incident.

The UK's National Cyber Security Centre (NCSC) has issued an official threat notice urging all businesses operating in the country to be alert to cyberattacks originating from Russia and its allies. The threat landscape continues to evolve, and organizations handling sensitive information or critical infrastructure need to maintain vigilance and robust security measures.

The post LockBit hackers steal sensitive documents from Britain Military Defense appeared first on Cybersecurity Insiders.

A century-old municipal body in Montreal, Canada, has fallen victim to the LockBit ransomware, an event that underscores the growing menace of cyber threats. The organization chose not to comply with the hackers' ransom demands, and the gang responded by releasing a teaser of data taken from its servers, with a promise of a more comprehensive data dump in the coming week.

The affected body recovered its encrypted data using its business continuity plan, and the city administration of Montreal, the largest city in the province of Quebec, has shown no inclination to negotiate with the hacking syndicate, taking a firm stance against the criminals.

The compromised data originates from the IT infrastructure of the Commission des services électriques de Montréal (CSEM), the municipal body that manages the city's underground electrical conduit network. CSEM confirmed that the ransomware attack occurred on August 3, 2023. When the organization did not meet the financial demands, the perpetrators published a fraction of the stolen data as proof of their intrusion.

CSEM states that the exfiltrated data poses minimal real-world risk, because the information, which came from its engineering and management divisions, is already publicly available through the organization's website. The leak is therefore deemed to pose only a marginal risk to the victim.

Recent developments have highlighted the nefarious tactics employed by the LockBit gang. The Spanish National Police issued an alert regarding a surge in phishing emails originating from this group, targeting architectural firms specifically.

LockBit affiliates reportedly demand ransoms starting in the millions of dollars, payable in cryptocurrencies such as Bitcoin or Monero. LockBit traces its origins to the "ABCD" ransomware first observed in 2019 (named for the ".abcd" extension it appended), and it has evolved since, with LockBit 3.0 (also called LockBit Black) emerging in mid-2022. That version deviates from its predecessors by appending a single random nine-character extension to every encrypted file, identical across one infection, instead of the conventional ".lockbit" extension, and drops a ransom note named after that extension.
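The file-renaming behaviour described above suggests a simple triage heuristic for a file share suspected of having been hit: look for many files that share one nine-character alphanumeric extension and check for a matching "<extension>.README.txt" ransom note next to them. The following is an added example written for this article, not code from the original post or from any vendor. The threshold, the directory listing and the extension string "mLq9Kt3Xz" are constructed for illustration; the note filename pattern follows what has been reported for LockBit 3.0 but is treated here as a heuristic, not a signature.

```python
import os
import re
from collections import Counter
from pathlib import PurePosixPath

# LockBit 3.0 appends one random nine-character alphanumeric extension to every
# file it encrypts (the same string across one infection) and drops a note named
# "<extension>.README.txt" alongside the encrypted files. These are heuristics,
# not a vendor signature; the threshold is an assumption.
EXT_RE = re.compile(r"^[A-Za-z0-9]{9}$")
NOTE_SUFFIX = ".README.txt"
MIN_FILES_PER_EXT = 5  # assumed: fewer than this is treated as noise

def suspicious_extensions(paths, min_files=MIN_FILES_PER_EXT):
    """Map each nine-character extension to the number of files carrying it,
    keeping only extensions shared by at least min_files files."""
    counts = Counter()
    for p in paths:
        name = PurePosixPath(p).name
        if "." not in name:
            continue
        ext = name.rsplit(".", 1)[1]          # only the last suffix matters
        if EXT_RE.match(ext):
            counts[ext] += 1
    return {ext: n for ext, n in counts.items() if n >= min_files}

def ransom_notes(paths):
    """Return the set of extensions for which an "<ext>.README.txt" note exists."""
    found = set()
    for p in paths:
        name = PurePosixPath(p).name
        if name.endswith(NOTE_SUFFIX):
            ext = name[: -len(NOTE_SUFFIX)]
            if EXT_RE.match(ext):
                found.add(ext)
    return found

def assess(paths):
    """Combine both signals: a shared odd extension is suspicious on its own,
    a matching ransom note makes it a near-certain ransomware event."""
    notes = ransom_notes(paths)
    return [
        {"extension": ext, "encrypted_files": n, "note_present": ext in notes}
        for ext, n in sorted(suspicious_extensions(paths).items())
    ]

def scan_tree(root):
    """Collect file paths under a real directory (not used by the sample below)."""
    return [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]

# Constructed sample listing of a share after an attack; "mLq9Kt3Xz" is invented.
SAMPLE_LISTING = [
    "/srv/share/finance/q3_report.xlsx.mLq9Kt3Xz",
    "/srv/share/finance/budget.docx.mLq9Kt3Xz",
    "/srv/share/finance/mLq9Kt3Xz.README.txt",
    "/srv/share/hr/contracts.pdf.mLq9Kt3Xz",
    "/srv/share/hr/payroll.csv.mLq9Kt3Xz",
    "/srv/share/hr/mLq9Kt3Xz.README.txt",
    "/srv/share/eng/diagram.vsdx.mLq9Kt3Xz",
    "/srv/share/eng/notes.txt",
    "/srv/share/eng/build.tar.gz",
    "/srv/share/eng/config.json",
]

if __name__ == "__main__":
    for finding in assess(SAMPLE_LISTING):
        print(finding)
```

Run against a real share with `assess(scan_tree("/srv/share"))`. Older LockBit versions, and other families, use a fixed extension rather than a random one, so this heuristic is specific to the 3.0 behaviour; the ransom-note check is what separates a genuine hit from an unusual but legitimate file type.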

The post LockBit Ransomware targets a province in Quebec Canada appeared first on Cybersecurity Insiders.

In the ever-evolving landscape of cyber threats, one form of digital menace has gained significant notoriety: ransomware malware. These malicious programs encrypt victims’ data and demand a ransom for its release, wreaking havoc on individuals, businesses, and even government institutions. One intriguing aspect of ransomware is the distinct and often creative names these threats are given. Delving into the process of naming ransomware malware provides insights into the psychology of cybercriminals and their intentions.

The Art of Naming Ransomware

Ransomware developers tend to name their creations with an assortment of motives in mind. Some aim for attention-grabbing names to garner media coverage, while others prefer obscure monikers that fly under the radar, allowing them to carry out attacks unnoticed. The naming process is akin to branding for cybercriminals, with the chosen name serving as a tool to strike fear, assert dominance, or even make political or social statements.

Themes and Inspiration

Ransomware names often draw inspiration from a variety of sources, including pop culture, literature, mythology and technology itself. The notorious "WannaCry" ransomware, for instance, gained global attention in 2017 for the speed with which it spread (it propagated as a worm over the SMB protocol) and its destructive impact, while its name seemed to allude to the reaction victims might have when faced with their encrypted files. Similarly, names like "Locky," "GandCrab," and "Ryuk" give the malware a personality and character, adding an unsettling layer to their destructive nature.

The Psychological Impact

The names of ransomware malware are carefully chosen to instill fear, uncertainty, and a sense of urgency in victims. Cybercriminals leverage psychological tactics to pressure victims into paying the demanded ransom quickly. By giving their malware ominous or evocative names, hackers aim to manipulate the emotional state of those affected, increasing the likelihood of compliance.

Linguistic Considerations

In some cases, ransomware developers consider linguistic factors to ensure their creations have a global impact. They may select names that are easy to remember and pronounce across different languages and cultures, maximizing the reach of their threat campaigns. This linguistic adaptability further underscores the deliberate strategy behind the naming process.

The Role of Cybersecurity Researchers

The cybersecurity community plays a crucial role in identifying and combating ransomware threats. Security experts often assign their own names or labels to ransomware variants to aid in communication and analysis. These names are typically less sensational and more descriptive, focusing on technical attributes or specific characteristics of the malware. This approach allows researchers to efficiently categorize and track ransomware strains.

Conclusion

The naming of ransomware malware is a multifaceted phenomenon that offers a glimpse into the complex world of cybercrime. From attention-seeking to psychological manipulation, the names chosen for these malicious programs reveal the intentions and strategies of cybercriminals. As the battle against ransomware continues, understanding the significance of these names becomes increasingly important for both cybersecurity professionals and the general public alike.

The post Decoding the Naming Conventions of Ransomware Malware appeared first on Cybersecurity Insiders.

The U.S. government today announced a coordinated crackdown against QakBot, a complex malware family used by multiple cybercrime groups to lay the groundwork for ransomware infections. The international law enforcement operation involved seizing control over the botnet’s online infrastructure, and quietly removing the Qakbot malware from tens of thousands of infected Microsoft Windows computer systems.

[Figure: Qakbot/Qbot was once again the top malware loader observed in the wild in the first six months of 2023. Source: Reliaquest.com.]

In an international operation announced today dubbed “Duck Hunt,” the U.S. Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) said they obtained court orders to remove Qakbot from infected devices, and to seize servers used to control the botnet.

“This is the most significant technological and financial operation ever led by the Department of Justice against a botnet,” said Martin Estrada, the U.S. attorney for the Central District of California, at a press conference this morning in Los Angeles.

Estrada said Qakbot has been implicated in 40 different ransomware attacks over the past 18 months, intrusions that collectively cost victims more than $58 million in losses.

Emerging in 2007 as a banking trojan, QakBot (a.k.a. Qbot and Pinkslipbot) has morphed into an advanced malware strain now used by multiple cybercriminal groups to prepare newly compromised networks for ransomware infestations. QakBot is most commonly delivered via email phishing lures disguised as something legitimate and time-sensitive, such as invoices or work orders.

Don Alway, assistant director in charge of the FBI’s Los Angeles field office, said federal investigators gained access to an online panel that allowed cybercrooks to monitor and control the actions of the botnet. From there, investigators obtained court-ordered approval to instruct all infected systems to uninstall Qakbot and to disconnect infected machines from the botnet, Alway said.

The DOJ says their access to the botnet’s control panel revealed that Qakbot had been used to infect more than 700,000 machines in the past year alone, including 200,000 systems in the United States.

Working with law enforcement partners in France, Germany, Latvia, the Netherlands, Romania and the United Kingdom, the DOJ said it was able to seize more than 50 Internet servers tied to the malware network, and nearly $9 million in ill-gotten cryptocurrency from QakBot’s cybercriminal overlords. The DOJ declined to say whether any suspects were questioned or arrested in connection with Qakbot, citing an ongoing investigation.

According to recent figures from the managed security firm Reliaquest, QakBot is by far the most prevalent malware “loader” — malicious software used to secure access to a hacked network and help drop additional malware payloads. Reliaquest says QakBot infections accounted for nearly one-third of all loaders observed in the wild during the first six months of this year.

Researchers at AT&T Alien Labs say the crooks responsible for maintaining the QakBot botnet have rented their creation to various cybercrime groups over the years. More recently, however, QakBot has been closely associated with ransomware attacks from Black Basta, a prolific Russian-language criminal group that was thought to have spun off from the Conti ransomware gang in early 2022.

Today’s operation is not the first time the U.S. government has used court orders to remotely disinfect systems compromised with malware. In May 2023, the DOJ quietly removed the “Snake” malware from computers around the world; Snake is an even older malware family that has been attributed to Russia’s Federal Security Service (FSB).

Documents published by the DOJ in support of today’s takedown state that beginning on Aug. 25, 2023, law enforcement gained access to the Qakbot botnet, redirected botnet traffic to and through servers controlled by law enforcement, and instructed Qakbot-infected computers to download a Qakbot Uninstall file that uninstalled Qakbot malware from the infected computer.

“The Qakbot Uninstall file did not remediate other malware that was already installed on infected computers,” the government explained. “Instead, it was designed to prevent additional Qakbot malware from being installed on the infected computer by untethering the victim computer from the Qakbot botnet.”

The DOJ said it also recovered more than 6.5 million stolen passwords and other credentials, and that it has shared this information with two websites that let users check to see if their credentials were exposed: Have I Been Pwned, and a “Check Your Hack” website erected by the Dutch National Police.

Further reading:

The DOJ’s application for a search warrant tied to the Qakbot uninstall file
The search warrant application connected to QakBot server infrastructure in the United States
The government’s application for a warrant to seize virtual currency from the QakBot operators.

In November of last year, Rackspace, a well-known provider of cloud computing services, was hit by a cyberattack carried out by the Play ransomware group. The attack disrupted its Hosted Exchange email service for several weeks and affected roughly 30,000 customers. In an earnings presentation, the company put the financial impact so far at approximately $10 million spent on remediation.

In a filing with the SEC, Rackspace indicated that the costs of the incident could rise further, primarily because of multiple lawsuits brought by customers of its cloud business seeking compensation for the business losses they incurred as a result of the attack.

Rackspace, headquartered in Texas, is not alone in bearing the financial brunt of such incidents. The costs extend to the investigation, remediation, legal advice, professional services, and the hiring of additional personnel.

Although Rackspace did not give in to the demands of the Play ransomware group, its outlay to recover from the file-encrypting malware has reached nearly $10 million so far.

The FBI advises against paying ransoms, since payment perpetuates criminal activity and does not guarantee a working decryption key. In October 2020 the U.S. Treasury's OFAC added that ransom payments which reach sanctioned actors can expose the payer to civil penalties, so paying is not only discouraged but carries legal risk.

Security experts advise victims of such incidents to take a measured approach to managing their IT environments and to choose actions that are economically sustainable, because an incident of this kind can erode profits and weigh on annual earnings for an extended period.

The post Rackspace spends $10m in ransomware cleanup costs appeared first on Cybersecurity Insiders.