Three Iranian nationals were indicted by the Department of Justice (DoJ) and the FBI on Thursday on ransomware charges for attacks on US critical infrastructure. The suspects named in the court documents are Ahmad Khatiba Aghda, Amir Hussain, and Mansoor Ahmadi, who are believed to be living in Iran.

A $10 million reward has been offered to anyone who provides information on the three. The DoJ says the evidence it gathered shows that the trio has connections with the Iranian Revolutionary Guard but is not connected to the Iranian government.

Second is the news related to Hive ransomware: the gang has issued a statement claiming that it has hacked a subsidiary of Bell Canada named Bell Technical Solutions (BTS). The telecom company has yet to reveal details of the hack, but it has confirmed that a group of threat actors took down BTS systems on August 20th of this year and that the company has been struggling with the situation since then.

Bell confirmed that the breached server did not contain any financial information such as debit card or banking details, which somewhat reduces the severity of the incident.

The Office of the Privacy Commissioner and the Royal Canadian Mounted Police are investigating the incident, and Bell is confident that its technical solutions subsidiary will recover in no time.

Third is news about a Russian hacking group named Killnet. According to a press release from Hirokazu Matsuno, the Chief Cabinet Secretary of Japan, a sophisticated state-funded attack launched by the Russian government disrupted several government websites.

State sources say web portals such as eLTAX and the e-Gov portal were badly hit by the attack, and a third party has been brought in to recover the affected digital assets.


The post Ransomware news trending on Google appeared first on Cybersecurity Insiders.

The 2022 SANS Top New Attacks and Threats Report Is In, and It's Required Reading

The latest Top New Attacks and Threat Report from the cybersecurity experts at SANS is here — and the findings around cyberthreats, attacks, and best practices to defend against them are as critical for security teams as they've ever been.

If you're unfamiliar with the SysAdmin, Audit, Network, and Security Institute, or SANS, they're among the leading cybersecurity research organizations in the world, and their annual Top New Attacks and Threat Report is required reading for every security professional operating today.

What's new for 2022

This year's report is a little different from previous years. Rather than focusing on threat statistics from the year before (i.e., 2021 data for the 2022 report), SANS opted to focus on data from the first quarter of 2022, providing a more recent snapshot of the state of play in the threat landscape. The reason for this is probably something you could have guessed: the pandemic.

Typically, the TNAT report (we love coming up with acronyms!) is built out of a highly anticipated presentation from SANS experts at the annual RSA conference. Since the pandemic delayed the start of the RSA event this year, the folks at SANS thought it better to focus on more up-to-the-minute data for their report.

What they found is interesting — if a little concerning.

Smaller breaches, bigger risks?

In the first quarter of 2022, the average breach size was down one-third from the overall breach size in 2021 (even adjusted for seasonal shifts in breach sizes). What's more, there are signs of a trend in breach size decline, as 2021's overall breach size average was 5% lower than that of 2020. SANS believes this is indicative of attackers focusing on smaller targets than in previous years, particularly in the healthcare sector and in state and local government agencies.

A lower average breach size is good news, no doubt, but what it says about the intentions of attackers should have many on edge. Smaller (but potentially more vulnerable) organizations are less likely than larger ones to have the resources to repel attackers, and once compromised they pose a danger to the partner organizations they connect to.

The SANS experts suggest shoring up supplier compliance by following two well-established security frameworks: the Supply Chain Risk Management Reporting Framework provided by the American Institute of Certified Public Accountants (AICPA), and the National Institute of Standards and Technology's (NIST's) updated SP 800-161 Supply Chain Risk Framework.

The SANS report also provided telling and important data around the ways in which attackers enter your environment (phishing was the root of 51% of all breaches), as well as the success rate of multi-factor authentication — 99% — in combating phishing attacks.

The RSA panel discussion (and the subsequent report we're sharing) also looks into specific trends and best practices from some of SANS's experts. In years past, they've looked at key takeaways from the SolarWinds breach, ransomware, and machine learning vulnerabilities. This year, they've turned their attention to multi-factor authentication, stalkerware, and the evolution of "living off the land" attacks as they pertain to cloud infrastructure. Each of these sections is worth reading in its own right and can provide thought-provoking resources as your security team continues to grapple with what comes next in the cloud and attacker spaces.

One space where the SANS experts chose to focus has particular importance to those seeking to mitigate ransomware: attacks on backups. Backups have long been considered your best defense against ransomware attacks because they allow your organization to securely resume use of your data should your environment become compromised (and your data be locked down). However, as backup infrastructure moves into the cloud, SANS experts believe unique attacks against these backups will become more common, because backup solutions are often quite complex and are vulnerable to specific types of threats, such as living-off-the-land attacks.

The annual SANS report is a reliable and instrumental resource for security teams, which is why we are proud to sponsor it (and offer it to the security community). You can dive into the full report here.


A recent study covering January to June of this year found that over 1.2 million ransomware attacks have been launched so far this year. Most of the targets are estimated to have been businesses in the healthcare, finance, education, utilities and technology sectors.

The research, carried out by Barracuda Networks, confirmed that most ransomware attacks never make the news headlines because CFOs, CTOs and CIOs hide them out of fear of losing their jobs.

The other ransomware news trending on Google concerns over 1 million patient records that were stolen and released on the dark web after the victim failed to pay a ransom on time. The victimized healthcare firm is OakBend Medical Centre, which was hit by the Daixin Team; the gang claims to have stolen sensitive details such as social security numbers, patient treatment information, names and dates of birth.

OakBend has contacted Microsoft and the FBI for help in dealing with the situation, and its preliminary inquiries revealed that the criminals might have gained access to 1 million digital records rather than one million patient records, as claimed earlier.

Argentina's capital city, Buenos Aires, has announced that a ransomware attack compromised its internal servers, disrupting its Wi-Fi services entirely. The gang behind the malware has not yet been identified, but reports indicate that the file-encrypting group targeted the servers on Sunday, and the network has been down since.

Fifth is the news related to the law firm Warner Norcross & Judd (WNJ), which reported a ransomware incident yesterday. WNJ suspects that the attack could be the work of a state-funded actor and is currently collecting evidence to bolster its claims.

Surprisingly, the incident affected about 120,000 Primary Health members, exposing their social security numbers, debit card numbers, credit card numbers, dates of birth, names, driving license numbers, contact details, patient account numbers, life insurance details, and health details.

Finally, Practice Resources LLC, which suffered a ransomware attack a few weeks ago, is now in the news for facing a new class action lawsuit alleging that it failed to protect its customers' information from hackers.

In April this year, the company suffered a sophisticated attack that led to a breach of data belonging to 1 million Central New York residents.

Since the healthcare services provider is tasked with looking after the IT needs of over 28 different hospitals and clinics, the leak of medical records is indeed a cause of severe concern.


The post Ransomware news headlines trending on Google appeared first on Cybersecurity Insiders.

According to a study conducted by security firm SentinelOne, ransomware operators are adopting a new encryption technique named 'Intermittent Encryption' when targeting victims. As per the update, now available on the company's blog, the new data-locking technique is being embraced by more buyers and affiliates because they find it innovative and good value for money.

Intermittent encryption simply means encrypting only parts of each file, which is very fast and also helps the malware avoid detection. For instance, if a 1GB file is targeted, the malware encrypts it in parts, quickly and precisely.

Since there are no intense I/O operations, anti-malware solutions cannot detect the activity and so miss the attack at its inception.

SentinelOne researchers state that ransomware gangs such as Black Basta, ALPHV, PLAY, Agenda and Qyick are promoting their RaaS operations by advertising that their malware supports intermittent encryption.

The LockFile ransomware gang was the first to use this technique, and over time threat actors have learned to encrypt over 100,000 files, or 53GB of data, in just 4 minutes.

NOTE 1- Typically, hackers encrypt all the data in a database and lock it away from access until a ransom is paid. With intermittent encryption on the rise, the complexity of such ransomware activity might encourage more victims to pay up for the decryption key.
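A defender-side check for the pattern described above, added here as an example and not part of the original article or of SentinelOne's research: it computes a per-window entropy profile of a file and flags files whose ciphertext-like and plaintext-like windows interleave, which is what partial encryption leaves behind while a fully encrypted or untouched file stays uniform. The window size, thresholds and sample data are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

CHUNK_SIZE = 4096     # assumed window size for the entropy profile
HIGH_ENTROPY = 7.5    # bits/byte typical of ciphertext or compressed data
LOW_ENTROPY = 6.0     # bits/byte typical of text and office documents


def chunk_entropy(data: bytes) -> float:
    """Shannon entropy of one window in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(blob: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each fixed-size window across the file contents."""
    return [chunk_entropy(blob[i:i + chunk_size])
            for i in range(0, len(blob), chunk_size)]


def looks_intermittently_encrypted(blob: bytes) -> bool:
    """True when high-entropy and low-entropy windows alternate.

    A fully encrypted file is uniformly high-entropy and an untouched
    document is uniformly low-entropy; both return False.  Two or more
    high/low transitions are the signature of partial encryption.
    """
    profile = entropy_profile(blob)
    high = [e >= HIGH_ENTROPY for e in profile]
    low = [e <= LOW_ENTROPY for e in profile]
    if not any(high) or not any(low):
        return False
    transitions = sum(1 for a, b in zip(high, high[1:]) if a != b)
    return transitions >= 2


def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Constructed samples (no real files, no real cipher): a text document,
# the same document with every other window replaced by random bytes,
# and a fully random blob.
_TEXT = (b"The quick brown fox jumps over the lazy dog. " * 100)[:CHUNK_SIZE]
SAMPLE_PLAIN = _TEXT * 8
SAMPLE_PARTIAL = b"".join(
    _TEXT if i % 2 == 0 else _pseudo_random(CHUNK_SIZE, bytes([i]))
    for i in range(8))
SAMPLE_FULL = _pseudo_random(CHUNK_SIZE * 8)
```

On real systems this check belongs in a file-integrity or EDR scan that re-examines recently modified documents, since the page's point is that the I/O volume alone is too small to trigger conventional ransomware heuristics.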

NOTE 2- American technology giant Microsoft has released a press update urging all internationally active businesses to stay vigilant about ransomware attacks being conducted by an Iranian hacking group named 'Phosphorus'. The Windows OS giant reiterated that this notorious criminal gang's modus operandi is to exploit vulnerabilities and take hold of systems, mostly through moonlighting.


The post Ransomware hackers adopting Intermittent Encryption appeared first on Cybersecurity Insiders.

A ransomware attack that took place on July 15th of this year disrupted most of the government's IT infrastructure in Albania, including utility websites. In response, on September 7th, 2022 the Albanian government gave all Iranian embassy diplomats and high-profile Iranian citizens 24 hours to vacate the country.

Edi Rama, the Albanian Prime Minister, issued this statement from the capital, Tirana, and added that all diplomatic ties with Iran will remain severed until further notice.

Security analysts suggest that such public statements will be needed more in the near future, as some countries are taking down their adversaries through cyber aggression.

John Hultquist, VP of Mandiant, applauded Albania's decision in the face of a state-funded cyber attack and appreciated the courage with which Mr. Rama dealt with the situation.

Iran has condemned the allegations put forward by the Albanian Prime Minister as totally baseless and false.

Meanwhile, the United States and United Kingdom have strongly condemned the attack and added that they will hold Iran fully accountable for the digital invasion it conducted against a NATO ally.

NOTE- The PM's decision to cut diplomatic ties with Iran was issued after the Albanian National Agency for the Information Society (AKSHI) conducted a detailed analysis of the state that launched the cyber attack. AKSHI claims that it has sufficient evidence to confirm its allegations.


The post Albania asks Iranians to vacate because of a Ransomware Attack appeared first on Cybersecurity Insiders.

A ransomware gang that has been increasingly and disproportionately targeting the education sector is the subject of a joint warning issued by the FBI, CISA, and MS-ISAC. The Vice Society ransomware group has been breaking into schools and colleges, exfiltrating sensitive data, and demanding ransom payments. The threat? If the extortionists aren't paid, you may not […]

The post Warning issued about Vice Society ransomware gang after attacks on schools appeared first on The State of Security.

It is hard to believe, but ransomware is more than three decades old. While many would think that the ransomware mayhem started with the WannaCry attack of 2017, that is simply the most publicized example. Since then, dozens of ransomware strains have been utilized in a variety of cyberattacks. According to a PhishLabs report, by […]

The post How Penetration Testing can help prevent Ransomware Attacks appeared first on The State of Security.