For the first time, a hacking group sponsored by the North Korean state has been found spreading ransomware across the networks of companies and organizations operating in South Korea.

According to intelligence gathered by South Korea's National Police Agency, North Korean state-funded hacking groups were caught stealing email and identity credentials from more than 890 foreign-policy experts over the past few weeks.

The attackers used phishing to harvest data from think tanks and academics, posing as the chief of the People Power Party or the head of the Korea National Diplomatic Academy to lure their targets.

Preliminary inquiries revealed that at least 49 people fell for the lures and handed over their email credentials. That access later led to file-encrypting malware being deployed on the networks of more than 13 firms, two of which paid $2,000 in Bitcoin to regain access to their locked systems.

More details about the ransomware group involved will be added once confirmed.

The second item concerns Lake Charles Memorial Health System, a Louisiana-based healthcare provider that fell victim to a Hive ransomware attack. Cybersecurity Insiders has learnt from its sources that the Hive group stole the records of more than 270,000 patients, including full names, home addresses, dates of birth, medical histories, patient ID numbers, health insurance data, payment details and Social Security numbers.

The incident reportedly took place on November 15th of this year, and after the victim declined to pay the ransom, the data was leaked to an online discussion forum in the second week of December 2022.

Bleeping Computer, the online tech news outlet that first reported the incident, has yet to confirm with its experts whether the leaked data really belongs to the Louisiana-based medical firm.

Third is an as-yet unverified report in which a hacker using the pseudonym "Shadow Hacker" claims to have stolen large amounts of data from a database belonging to Indian Railways. The individual, whose real identity has yet to be established, claims to hold the data of 30 million IRCTC users and has put it up for sale on the dark web after the ransom demand was ignored. How the hacker supposedly gained access to the database is unclear.


The post Ransomware related news headlines trending on Google appeared first on Cybersecurity Insiders.

The Black Basta ransomware group has reportedly hit two electric utilities in North America. The attack took place in October this year, after the gang compromised an email account at a government contractor in May 2022.

Law enforcement agencies have taken note of the incident and are currently combing the dark web to see whether the criminals have sold the stolen information.

Chicago-based Sargent & Lundy is the engineering firm that was hit by the malware attack; it has a history of designing and building more than 900 power stations and thousands of miles of power lines across the United States.

Black Basta infiltrating Sargent & Lundy is worrying because the firm also designs and builds nuclear facilities, and any such information falling into the hands of hackers could have serious consequences.

CNN, which first reported the incident, says the impact was contained in time and that, unusually, the criminals never contacted the victim with a ransom demand.

In February this year, Palo Alto Networks became the first security firm to document Black Basta, and since then the group has repeatedly been seen targeting critical infrastructure.

The industrial sector and operators of national infrastructure remain soft targets, as data leaked from such companies is in high demand, including among pro-Russian groups such as Killnet.


The post Black Basta Ransomware hits two electric utilities in America appeared first on Cybersecurity Insiders.

A ransomware attack hit Queensland University of Technology (QUT) in the early hours of today, crippling part of the institution's network for the past five hours. The second-largest university appears to have been hit hard, with printers across the campus spitting out the ransom note.

Margaret Sheil, QUT's Vice-Chancellor, has confirmed the incident and admitted, with some embarrassment, that even her own office printer stopped working in the early hours of Friday.

The Royal ransomware gang appears to be behind the incident, going by the ransom notes the printers produced.

Australia's telecom provider Optus and the insurer Medibank were hit by cyber attacks recently, and now an educational institution is set to join the list.

Royal is a recently emerged file-encrypting malware that has so far mostly attacked public and private entities in the United States. The malware may, however, be available on demand, in which case a ransomware-as-a-service operator could have supplied it to whoever wanted to disrupt networks in Australia.

For the past few weeks, the nation led by Anthony Albanese has been hit by a string of cyber attacks, and at one point AusCERT confirmed the involvement of the Russian Killnet hacking group behind them.

Killnet issued a public statement in November 2022 saying it would disrupt companies operating in nations that support Ukraine in its war with Moscow by supplying money, weapons and essentials to the population and soldiers.


The post Queensland University of Technology hit by Ransomware appeared first on Cybersecurity Insiders.

The Guardian, one of Britain's leading news organisations, was reportedly hit by a cyber attack a few hours ago. Preliminary inquiries suggest it was a ransomware attack, though official confirmation is awaited.

Unnamed people familiar with the matter say the attackers could have reached the news organisation's IT infrastructure through a recently disclosed vulnerability in Microsoft Exchange Server.

For now, the company has asked most of its staff to work from home and to keep doing so until the Christmas break ends on 27th December of this year.

Cybersecurity Insiders has learnt that only part of the media company's technology operations were affected, so news publishing continues as usual.

Recovery, however, is expected to take longer than usual because of the holiday season.

The Guardian has reported extensively on Russia's war in Ukraine from the start and has been supportive of Zelenskyy and the West, so there is a fair chance that Killnet, which some believe is backed by Russia's GRU, could have planted the file-encrypting ransomware in the Guardian Media Group's network.

NOTE– Coincidentally, the incident occurred while Volodymyr Zelenskyy was visiting the United States, his first such trip since the start of the war between Kyiv and Moscow. Putin condemned the visit and reiterated that he will not engage in peace talks with Ukraine now that its leader has visited an adversary nation.

More details about the attack and the ransomware group behind it (if any) will be reported shortly.


The post Guardian ransomware attack caused probably by MS Exchange Server Vulnerability appeared first on Cybersecurity Insiders.

LockBit, the notorious ransomware gang, has hit servers operated by or for the California Department of Finance, disrupting services to some extent. Cal-CSIC (the California Cybersecurity Integration Center) has issued a public statement describing the impact as minor and assuring that no funds were stolen in the incident.

It looks like a retaliatory attack on the US federal government, since LockBit is believed to operate out of Russia, and the gang may have chosen a digital response to corner the Biden administration over the arrest of Mikhail Vasiliev, an alleged LockBit operator accused of helping run the malware's global spread before he was detained.

About 76GB of confidential data was reportedly accessed by the hackers, including court proceedings relating to sexual cases and pay-related documents.

Cerberus Sentinel, an American security firm, says the damage could be worse than expected, since the criminals may have wiped or encrypted data before they were detected.

The California government has launched an investigation and may delay the release of its budget, due on January 10th, 2023, until the inquiry concludes.

The budget website is unreachable at the time of writing.

NOTE- LockBit is a ransomware operation that disrupts its target's essential functions, extorts money until a ransom is paid and, in many cases, also steals data and publishes it on the dark web for profit.


The post LockBit Ransomware strikes California Government appeared first on Cybersecurity Insiders.

Day after day a new ransomware strain emerges on the web, giving the impression that the threat is a never-ending saga evolving with time. Royal ransomware is the latest file-encrypting malware on the prowl and is, for now, concentrating on networks in the American healthcare sector.

The US Department of Health and Human Services issued a warning about it and labelled it a high-severity threat, judging by the victims it has hit and the ransoms it has demanded and collected so far.

On average, Royal demands anywhere from $250,000 to $4 million, depending on the data it has siphoned from the victim.

What makes this malware notable is that the gang is staffed by experienced operators from other groups, such as Ryuk, who appear to work freelance for it.

Beyond double extortion, the gang is also said to threaten to wipe the encrypted data from the servers entirely if the victim fails to pay the ransom in time.

Healthcare data commands the highest prices on the dark web, so the group has every incentive to steal it: it pays off either way.

NOTE– Ransomware is software that encrypts data on a system until a ransom is paid to the attackers in cryptocurrency such as Bitcoin. Over time, those running these operations have grown more sophisticated, introducing malware that can also wipe information from the victim's systems, or steal it and sell it on the dark web at a later stage.


The post Royal Ransomware is after the healthcare sector of the United States appeared first on Cybersecurity Insiders.

Ransomware groups are constantly devising new methods for infecting victims and convincing them to pay up, but a couple of strategies tested recently seem especially devious. The first centers on targeting healthcare organizations that offer consultations over the Internet and sending them booby-trapped medical records for the “patient.” The other involves carefully editing email inboxes of public company executives to make it appear that some were involved in insider trading.

Alex Holden is founder of Hold Security, a Milwaukee-based cybersecurity firm. Holden’s team gained visibility into discussions among members of two different ransom groups: CLOP (a.k.a. “Cl0p” a.k.a. “TA505“), and a newer ransom group known as Venus.

Last month, the U.S. Department of Health and Human Services (HHS) warned that Venus ransomware attacks were targeting a number of U.S. healthcare organizations. First spotted in mid-August 2022, Venus is known for hacking into victims’ publicly-exposed Remote Desktop services to encrypt Windows devices.

Holden said the internal discussions among the Venus group members indicate this gang has no problem gaining access to victim organizations.

“The Venus group has problems getting paid,” Holden said. “They are targeting a lot of U.S. companies, but nobody wants to pay them.”

Which might explain why their latest scheme centers on trying to frame executives at public companies for insider trading charges. Venus indicated it recently had success with a method that involves carefully editing one or more email inbox files at a victim firm — to insert messages discussing plans to trade large volumes of the company’s stock based on non-public information.

“We imitate correspondence of the [CEO] with a certain insider who shares financial reports of his companies through which your victim allegedly trades in the stock market, which naturally is a criminal offense and — according to US federal laws [includes the possibility of up to] 20 years in prison,” one Venus member wrote to an underling.

“You need to create this file and inject into the machine(s) like this so that metadata would say that they were created on his computer,” they continued. “One of my clients did it, I don’t know how. In addition to pst, you need to decompose several files into different places, so that metadata says the files are native from a certain date and time rather than created yesterday on an unknown machine.”

Holden said it’s not easy to plant emails into an inbox, but it can be done with Microsoft Outlook .pst files, which the attackers may also have access to if they’d already compromised a victim network.

“It’s not going to be forensically solid, but that’s not what they care about,” he said. “It still has the potential to be a huge scandal — at least for a while — when a victim is being threatened with the publication or release of these records.”

The Venus ransom group’s extortion note. Image: Tripwire.com
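The point Holden makes about planted messages not being "forensically solid" can be checked mechanically. The following is an added example, not code from the article or from Hold Security: it parses two constructed messages (all hosts, addresses and IDs are made up) and flags the inconsistencies a message fabricated straight into a .pst tends to have, namely no Received: trail, a Date: header that the hop timestamps do not bracket, and a Message-ID not minted by the sender's mail system.

```python
"""Header-consistency checks that expose an email planted into a mailbox after the fact.

Added example (not from the article or Hold Security). A message that really arrived
through mail servers carries Received: headers whose timestamps follow the Date:
header closely, and a Message-ID generated by the sender's mail system. A message
written directly into a PST typically has neither.
"""
import email
from email import policy
from email.utils import parseaddr, parsedate_to_datetime
from datetime import timedelta

# Constructed samples; hosts, addresses and IDs are invented for this example.
GENUINE = """\
Received: from mail.partner.example (mail.partner.example [192.0.2.10])
\tby mx.victim.example (Postfix) with ESMTPS id 4N1
\tfor <ceo@victim.example>; Mon, 14 Nov 2022 09:12:05 -0500
Received: from [10.0.0.5] (unknown [10.0.0.5])
\tby mail.partner.example (Postfix) with ESMTPSA id 7Q2;
\tMon, 14 Nov 2022 09:12:03 -0500
From: analyst@partner.example
To: ceo@victim.example
Date: Mon, 14 Nov 2022 09:12:01 -0500
Message-ID: <20221114141201.7Q2@mail.partner.example>
Subject: Q3 draft figures

Attached as discussed.
"""

PLANTED = """\
From: insider@broker.example
To: ceo@victim.example
Date: Tue, 03 May 2022 08:00:00 -0400
Message-ID: <a1b2c3@WIN-4KJ2>
Subject: earnings numbers ahead of release

Numbers attached, keep this between us.
"""


def _domain(addr: str) -> str:
    """Domain part of an address or message-id, lower-cased ('' if absent)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def audit_message(raw: str, clock_skew: timedelta = timedelta(minutes=10)) -> list:
    """Return a list of inconsistencies; an empty list means the headers hang together."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. A message that never transited a mail server has no Received: trail.
    received = msg.get_all("Received") or []
    if not received:
        findings.append("no Received headers: message never passed through a mail server")

    # 2. Each hop timestamp (the text after the last ';') should follow the Date: header
    #    within clock skew, and not lag it by more than a day.
    hops = []
    for hdr in received:
        stamp = str(hdr).rsplit(";", 1)[-1].strip()
        try:
            hops.append(parsedate_to_datetime(stamp))
        except (TypeError, ValueError):
            findings.append(f"unparseable Received timestamp: {stamp!r}")

    date_hdr = msg.get("Date")
    if date_hdr is None:
        findings.append("missing Date header")
    else:
        sent = parsedate_to_datetime(str(date_hdr))
        for hop in hops:
            if hop < sent - clock_skew:
                findings.append(f"hop at {hop} precedes Date {sent}")
            elif hop - sent > timedelta(days=1):
                findings.append(f"hop at {hop} lags Date {sent} by more than a day")

    # 3. The Message-ID is minted by the sender's mail system, so its domain part
    #    should sit under the From: domain (mail.partner.example under partner.example).
    msgid = str(msg.get("Message-ID", "")).strip("<> ")
    from_domain = _domain(parseaddr(str(msg.get("From", "")))[1])
    id_domain = _domain(msgid)
    if from_domain and not (id_domain == from_domain or id_domain.endswith("." + from_domain)):
        findings.append(
            f"Message-ID domain {id_domain!r} does not belong to sender domain {from_domain!r}"
        )

    return findings


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("planted", PLANTED)):
        print(label, audit_message(raw) or ["no inconsistencies"])
```

Run over a whole exported mailbox, the same checks also surface messages whose Received: chain names a server the organisation never operated, which is the usual tell when an attacker copies headers from a real message and edits only the body.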

Holden said the CLOP ransomware gang has a different problem of late: Not enough victims. The intercepted CLOP communication seen by KrebsOnSecurity shows the group bragged about twice having success infiltrating new victims in the healthcare industry by sending them infected files disguised as ultrasound images or other medical documents for a patient seeking a remote consultation.

The CLOP members said one tried-and-true method of infecting healthcare providers involved gathering healthcare insurance and payment data to use in submitting requests for a remote consultation on a patient who has cirrhosis of the liver.

“Basically, they’re counting on doctors or nurses reviewing the patient’s chart and scans just before the appointment,” Holden said. “They initially discussed going in with cardiovascular issues, but decided cirrhosis or fibrosis of the liver would be more likely to be diagnosable remotely from existing test results and scans.”

While CLOP as a money making collective is a fairly young organization, security experts say CLOP members hail from a group of Threat Actors (TA) known as “TA505,” which MITRE’s ATT&CK database says is a financially motivated cybercrime group that has been active since at least 2014. “This group is known for frequently changing malware and driving global trends in criminal malware distribution,” MITRE assessed.

In April, 2021, KrebsOnSecurity detailed how CLOP helped pioneer another innovation aimed at pushing more victims into paying an extortion demand: Emailing the ransomware victim’s customers and partners directly and warning that their data would be leaked to the dark web unless they can convince the victim firm to pay up.

Security firm Tripwire points out that the HHS advisory on Venus says multiple threat actor groups are likely distributing the Venus ransomware. Tripwire’s tips for all organizations on avoiding ransomware attacks include:

  • Making secure offsite backups.
  • Running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
  • Using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
  • Encrypting sensitive data wherever possible.
  • Continuously educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.

While the above tips are important and useful, one critical area of ransomware preparedness overlooked by too many organizations is the need to develop — and then periodically rehearse — a plan for how everyone in the organization should respond in the event of a ransomware or data ransom incident. Drilling this breach response plan is key because it helps expose weaknesses in those plans that could be exploited by the intruders.

As noted in last year’s story Don’t Wanna Pay Ransom Gangs? Test Your Backups, experts say the biggest reason ransomware targets and/or their insurance providers still pay when they already have reliable backups of their systems and data is that nobody at the victim organization bothered to test in advance how long this data restoration process might take.

“Suddenly the victim notices they have a couple of petabytes of data to restore over the Internet, and they realize that even with their fast connections it’s going to take three months to download all these backup files,” said Fabian Wosar, chief technology officer at Emsisoft. “A lot of IT teams never actually make even a back-of-the-napkin calculation of how long it would take them to restore from a data rate perspective.”
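As an added illustration of the back-of-the-napkin calculation Wosar describes (example code, not from the article or from Emsisoft), the following restores a constructed inventory of backup sets in priority order over a single link and reports which systems would blow through their recovery time objective. The inventory, the link rates, the RTOs and the 70% link-efficiency figure are all assumptions made for the example.

```python
"""Restore-time estimate for a backup inventory over one network link.

Added example, not from the article. The inventory, link rates and RTOs below are
constructed for illustration; real numbers come from the DR plan and a timed
restore test, not from this arithmetic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupSet:
    name: str
    size_bytes: int
    rto_hours: float   # recovery time objective from the DR plan (assumed here)
    priority: int      # lower value restores first


# Constructed inventory for a hypothetical hospital group.
INVENTORY = [
    BackupSet("identity (AD, PKI)", 200 * 10**9, rto_hours=4, priority=1),
    BackupSet("EHR database", 20 * 10**12, rto_hours=24, priority=2),
    BackupSet("imaging archive", 2 * 10**15, rto_hours=30 * 24, priority=3),
]


def restore_schedule(sets, link_bits_per_s, efficiency=0.7):
    """Serial restore in priority order over one link.

    efficiency discounts the nominal line rate for TCP/TLS overhead, rehydration
    and decryption; 0.7 is a rule-of-thumb assumption, not a measurement.
    Returns a list of (name, cumulative_finish_hours, meets_rto).
    """
    usable_bytes_per_s = link_bits_per_s * efficiency / 8
    elapsed_h = 0.0
    rows = []
    for s in sorted(sets, key=lambda b: b.priority):
        elapsed_h += s.size_bytes / usable_bytes_per_s / 3600
        rows.append((s.name, round(elapsed_h, 1), elapsed_h <= s.rto_hours))
    return rows


def missed_rtos(sets, link_bits_per_s, efficiency=0.7):
    """Names of the backup sets that cannot be restored within their RTO."""
    return [name for name, _, ok in restore_schedule(sets, link_bits_per_s, efficiency) if not ok]


if __name__ == "__main__":
    for gbps in (1, 10):
        print(f"--- {gbps} Gbit/s link ---")
        for name, hours, ok in restore_schedule(INVENTORY, gbps * 10**9):
            status = "OK" if ok else "MISSES RTO"
            print(f"{name:<22} done after {hours:>8.1f} h ({hours / 24:6.1f} d)  {status}")
```

On the assumed 1 Gbit/s link the 2 PB archive alone takes roughly nine months, which is the kind of figure Wosar is talking about; on 10 Gbit/s it fits inside the assumed 30-day RTO, and the comparison is the argument for restoring from a local copy or seeding the first restore from shipped media rather than pulling everything over the Internet.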