Maui ransomware is being spread by state-sponsored hackers from North Korea, as confirmed in a joint advisory released by the FBI, CISA and the Department of the Treasury.

What is notable in this finding is that the file-encrypting malware has been in use since at least May 2021 and has been aimed mainly at Healthcare and Public Health sector organizations.

The FBI stated that the Maui operators focused on encrypting the servers behind electronic health records, diagnostics, imaging and intranet services. The group is also reported to be planning to extend its reach to firms involved in manufacturing and production.

Another interesting point is that Maui is deployed manually: a remote operator runs it on the compromised network and chooses which files to encrypt, after which the group demands a large ransom.

Installing updates for software and operating systems, maintaining and regularly testing offline backups, restricting RDP exposure to cases where it is genuinely required (and then only behind MFA and network-level controls), educating employees about phishing, and keeping a ransomware response checklist on hand will help reduce the risk of such incidents and limit their consequences.

For the past two to three years, federal agencies have advised victims not to pay ransoms, as payment encourages further crime and does not guarantee a working decryption key. The same advisory also explains to the healthcare sector how to handle such an incident and the risks, including sanctions exposure, involved in making a ransomware payment.

NOTE: Maui is a Polynesian demigod, by legend created from two volcanoes, and rarely worshipped because he was regarded as a folk hero rather than a god. Certain myths say Maui could control the sun to lengthen the day and could pull fire from the underworld for human use.

 

The post North Korea spreading Maui Ransomware appeared first on Cybersecurity Insiders.

AstraLocker ransomware is shutting down its operations, as the group behind it has moved into cryptojacking. The operators issued a statement to that effect and added that they would provide a free decryption tool to any remaining victims.

The group had already released an informal statement in February this year about its intention to wind down malware distribution, as law enforcement pressure was making it harder for the crooks to collect ransoms from their victims.

Thus, the group has shifted its revenue focus to cryptojacking.

Cryptojacking is a form of attack in which hackers secretly install crypto-mining malware on victims' devices and then use their computing power (and electricity) to mine cryptocurrency for themselves.

Note: With this announcement, AstraLocker, a spin-off built on the leaked Babuk ransomware source code, joins the list of ransomware operations that have shut down in recent times under the pressure and monitoring of enforcement agencies across the world. Other variants that shut down include FonixLocker, Ziggy, FilesLocker, Shade, AES-NI, Crysis, TeslaCrypt, SynAck, Ragnarok and Avaddon.

 

The post AstraLocker Ransomware shuts down operations and shifts to Cryptojacking appeared first on Cybersecurity Insiders.

In 2019, a Netherlands-based university was hit by a ransomware attack in which the criminals demanded roughly 200,000 euros in bitcoin to decrypt its systems. Facing the loss of valuable staff, student and curriculum data, the institution gave in to the gang's demands.

After a week of deliberation, the IT and senior management staff of Maastricht University, in the south of the Netherlands, paid the ransom, as the attackers had locked roughly 25,000 students and employees out of Windows servers by encrypting research data, library systems and email. The gang then delivered a working decryption key, as promised.

In a separate investigation in 2020, the Dutch police discovered that part of the ransom paid by Maastricht University had flowed to a person based in Ukraine. They arrested him and set out to recover his illicit earnings.

They seized his bank and e-wallet accounts and found them holding various cryptocurrencies, of which a portion belonged to Maastricht University.

After a thorough investigation and follow-up, they returned the recovered funds to the victims.

Because the price of bitcoin has risen sharply since the 2019 payment, the roughly 30 BTC seized (about 200,000 euros at the time) is now worth around 500,000 euros, which is what the Netherlands Police will hand back to the university, more than double what it paid.

Michiel Borgers, the ICT Director of Maastricht University, confirmed the news and added that the surplus over the original ransom will be used to support cash-strapped students.

 

The post Dutch University gets back double the ransomware payment appeared first on Cybersecurity Insiders.

Ransomware-as-a-service gangs are on the prowl for teenagers who can act as distributors for their malware. As law enforcement tightens the noose around black-hat hackers in every way it can, ransomware groups are focusing more on luring teenagers into their distribution chain.

According to a study by security software firm Avast, cybercriminals are openly advertising their malware-building tools and distribution schemes in online communities and on gaming platforms.

Their modus operandi for attracting teenagers is simple: lurk on messaging (mainly Telegram), gaming, music and movie streaming platforms and entice the children into joining their distribution gangs.

The lure is equally simple: offer teenage recruits money when they need it, then ask them to distribute ransomware, information stealers and crypto miners.

This achieves two things. First, the gang gains control of the teenager's own device, which can be used for future malicious activity. Second, it gains new members, so that law enforcement attention stays on the established hackers while the budding recruits do the work.

For this reason, Avast researchers urge parents to monitor their children's activities and to be as open about money matters as possible. The firm also asks parents to spend time with their kids, ask what is going on in their lives and whether there is anything they would like to share.

Parents of teenagers are also asked to educate their children about the dangers lurking online and how easily anyone can fall prey to scams.

Rather than simply restricting their actions, it is better to raise children into responsible citizens of the future.

According to a report from the UK's National Crime Agency (NCA), school-going kids as young as nine are taking part in DDoS and ransomware campaigns, and 2019-2020 saw a 107% increase in crimes committed by students.

Was this an effect of the COVID-19 lockdowns?

 

The post Teenagers are being encouraged to spread ransomware appeared first on Cybersecurity Insiders.

Macmillan, the educational and trade publisher, was hit by a cyber attack suspected to be ransomware. The company has yet to confirm the incident, but staff at the publishing giant admitted to a digital disruption in its IT infrastructure.

Highly placed sources say the company is not interested in bowing to the hackers' demands, as it has an effective business continuity plan in place.

However, a slight delay to book shipments is expected, as employee email access has been cut off to contain the incident and limit the risk.

Unconfirmed sources say the attackers obtained personally identifiable information (PII) and, if the company does not pay on time, will sell it on the dark web and try to tarnish the company's reputation online.

BleepingComputer, which first reported the incident, contacted Macmillan, but the company did not respond, as it was busy investigating.

Ransomware gangs typically steal data to pressure the victim into paying the demanded ransom, and if the victim does not pay, they sell the data on the dark web.

Nowadays ransomware groups resort to even more notorious blackmail tactics: they threaten to contact the victim's competitors, customers and partners and damage its standing in the market unless it pays.

 

The post Ransomware attack suspected on Macmillan Publications appeared first on Cybersecurity Insiders.

Walmart, the American retail giant with a worldwide presence, has denied being hit by Yanluowang ransomware, adding that all systems on its network are operating normally and that its information security teams are well prepared to maintain business continuity in such situations.

In a statement, the retailer said the claim was false and baseless and may have originated from unreliable web news sources.

However, according to the Yanluowang gang's own leak-site post, data from over 5,000 Walmart devices was ready to be sold on the dark web, and the gang claims to have encrypted about 50,000 of the chain's devices.

The gang says it released the data after the retailer failed to pay the $55 million demanded on time. Its post adds that the information was extracted from a Windows domain and includes domain user data, security certificates and the output of a Kerberoasting attack.

Kerberoasting is a technique in which an attacker who already holds any valid domain account requests Kerberos service tickets (TGS) for accounts that have a Service Principal Name registered. Part of each ticket is encrypted with a key derived from the service account's password hash, so the attacker can take the tickets offline and try candidate passwords against them without any further contact with the domain controller. If a service account has a weak password, its plaintext is recovered and the account's privileges can be used for lateral movement.

Note 1: In 2020, Walmart made a sincere effort to launch retail operations in Russia, but Russian bureaucracy, licensing issues and piles of paperwork discouraged the visiting executives, and the company withdrew from building a shopping mall chain across Russia. This came to light when most North American companies pulled their operations, services and sales out of the Russian Federation. Walmart clarified that it never supports bloodshed and will never support Putin's aim of subjugating the innocent population of Kyiv.

Note 2: Yanluowang is named after the Chinese deity Yanluo Wang, which has fuelled speculation that it was developed by Chinese hackers.

 

The post Walmart targeted by Yanluowang Ransomware attack is false appeared first on Cybersecurity Insiders.

What is Black Basta? Black Basta is a relatively new family of ransomware, first discovered in April 2022. Although only active for the past couple of months, the Black Basta ransomware is thought to have already hit almost 50 organisations – first exfiltrating data from targeted companies, and then encrypting files on the firm’s computer […]

The post Black Basta ransomware – what you need to know appeared first on The State of Security.