A new ransomware gang dubbed Black Basta has reportedly partnered with the QBot malware operation to hack corporate environments. As QBot can steal critical information, such as password credentials, and deliver malware payloads to infected devices, Black Basta might have partnered with it to steal information from its victims.

QBot, aka QakBot, is usually spread by hackers through phishing emails carrying malicious attachments. The malware, which started out as a banking Trojan, is now also used by other ransomware gangs such as Egregor, DoppelPaymer, MegaCortex and ProLock.

The malware's teaming up with the Black Basta ransomware group was discovered by NCC Group, a Manchester-based data assurance firm.

QakBot is also capable of spreading to network shared drives and brute-forcing Active Directory accounts. It can remain concealed in the network by evading many threat detection solutions.

Black Basta ransomware can disable Windows Defender, replaces the desktop wallpaper, and appends a .basta extension to all encrypted files.

Meanwhile, KELA, an Israel-based threat intelligence firm, has discovered a novel extortion tactic used by ransomware gangs. These days they hide the victim's name and instead claim to have stolen sensitive files from a business, describing only its industry, its size and the kind of data stolen.

In other words, they conceal the victim's name in order to preserve the victim's reputation in its industry, among competitors and among customers.

Wonder how much it helps the victim…?


The post Black Basta Ransomware gang partners with QBot malware appeared first on Cybersecurity Insiders.

Healthcare providers are opting to pay a ransom in the event of ransomware attacks, instead of recovering data from backups. The reason is that paying is easy and, from their perspective at least, guarantees the return of 100% of the encrypted data.

According to data released by Sophos, based on a survey by the global market research company Vanson Bourne, up to two-thirds of ransomware victims among healthcare organizations (HCOs) worldwide were inclined to pay their attackers, as the cost of remediation and the losses incurred from operational disruption were double the cost of paying the ransom straightaway.

The findings of The State of Ransomware in Healthcare 2022 report run contrary to what law enforcement agencies such as CISA and the FBI urge. In November 2019, the Federal Bureau of Investigation discouraged victims from paying a ransom, as doing so not only encourages crime but also does not guarantee that a decryption key will be provided in return.

An increase in the volume of cyber attacks on businesses operating in the healthcare sector was also observed between 2020 and 2021.

What is problematic in this whole scenario is that insurance companies hesitate to cover such organizations: the lack of a claims history for attacks in this sector and the uncertainty about future attacks make the risk hard to quantify, which creates difficulties for providers wanting to take a step ahead.

And even when they do cover such organizations, they exclude data breaches from the policy, as the risk involved is out of proportion to the premiums paid.

So, after weighing all the pros and cons, those in healthcare are content to pay a ransom rather than recover the locked-up data through an efficient disaster recovery plan.


The post Healthcare providers prefer paying ransom in ransomware attacks appeared first on Cybersecurity Insiders.

We all know that half of the ransomware gangs operating in the wild are from Russia or are financially backed by the Kremlin. So, after analyzing the current situation in the cyber landscape, the FBI has concluded that the Putin-led government is all set to cyber-attack the United States pretty soon!

It will be a destructive attack focusing primarily on critical infrastructure such as power and water utilities, and it is going to happen soon, the FBI said in a statement released yesterday.

Meanwhile, the law enforcement agency proudly disclosed that it disrupted the 2021 Iranian digital attack on Boston Children’s Hospital that could have led to the death of several children.

Moscow now intends to cut off the supply of arms and finance to Ukraine from the West, and so is planning to target the US and UK in the coming weeks in order to corner the Zelensky-led nation.

As it is becoming extremely difficult to gain a hold on Kyiv after 100 days of battle, the Vladimir Putin-led nation is now planning to corner the nation with nuclear bombs, to win the war at any cost.

Its first plan is to cut off essential supplies to Ukraine, after which the populace will automatically bow to its military troops. That can only be achieved if it blocks the West from interfering on the battlefield in any way.

Second, Russia wants to teach the West a lesson for supporting Ukraine, as without that support it would have conquered the nation within 15 days of its invasion.

To do so, it first plans to take down digital infrastructure and later launch a devastating war from air, land and sea. And to pursue its objectives, the nation will not think twice about launching nuclear attacks.

So, the West had better take all necessary measures to strengthen its current cybersecurity posture.


The post Russia to the cyber-attack United States with the help of its Ransomware gangs appeared first on Cybersecurity Insiders.

Foxconn, an electronics manufacturer from Mexico, has released a press statement saying that it was hit by LockBit ransomware in the last week of May and is recovering data through a business continuity plan.

The Tijuana-based company produces LCD TVs, mobile components and set-top boxes, and admitted that one of its facilities was severely hit by the cyber attack.

The LockBit group has given Foxconn until June 11th, 2022 to pay the ransom; otherwise, the criminal group threatens to sell the stolen data on the dark web.

The good news is that this particular ransomware group offers its victims the option of negotiating a lower ransom demand. The bad news is that there is no guarantee the decryption key will be handed over once the ransom is paid.

Sources tell Cybersecurity Insiders that the cyber crooks might hold schematics and technical drawings of future products due to be released shortly.

NOTE 1- LockBit usually demands a ransom in the tens of millions, payable in Bitcoin.

NOTE 2- According to an analysis by Trend Micro, LockBit emerged as ABCD ransomware in September 2019 and then evolved into a prolific ransomware operation that first steals data from victims' databases and then encrypts the entire database. In one instance, the group claimed to have wiped the database of a victim in the United States, but the incident was never reported as the victim did not care about the loss of archival data.

NOTE 3- The facilities in San Jeronimo and Juarez are both known to produce components for computers, mobile phones and LCD televisions that are later assembled and sold under the Cisco Systems, Sony and Motorola brands.


The post LockBit ransomware strikes Foxconn Electronics of Mexico appeared first on Cybersecurity Insiders.

Ransom acts of kindness are top of our mind, as we also explore how bad bots are hogging more and more of the internet's activity, and look at how deepfakes could be a good thing after all. All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Ray [REDACTED].

If you thought machines running the Windows 11 operating system were safe from ransomware, you had better think twice: information is out that those spreading Magniber ransomware are after Windows 11 machines and have targeted around a hundred by now.

According to research conducted by 360 Total Security, Magniber ransomware attacks have increased significantly since May 25th of this year. It is estimated that infections have increased many times over on Windows 11 systems, which were infected through a Windows update downloaded while visiting gaming or X-rated websites… now that's interesting, isn't it?

Currently, those spreading Magniber are demanding 0.09 Bitcoin with a payment deadline of five days; if the victim cannot pay the demanded sum on time, the ransom is doubled.

Second is news of the ransomware attack that targeted servers of the Costa Rican Social Security Fund, the Unified Digital Health System and the Centralized Tax Collection databases.

What is surprising about this attack is that it was launched by the Conti ransomware group, which announced a few days ago that it was shutting down its systems.

With this latest attack, the number of Costa Rican victims has increased to 7: in May this year the file-encrypting malware gang disrupted server operations of the Finance Ministry, the Ministry of Science, Innovation, Technology and Telecommunication, the Labor and Social Security Ministry, the Social Development and Family Allowances Fund, the National Meteorological Institute and the Inter-University Headquarters of Alajuela, and now the Costa Rican Social Security Fund.

Whatever the consequences, the Costa Rican government has refused to pay the $10 million ransom to Conti.

Third is news that the noted clothing brand Hanes experienced a ransomware attack on May 24th, 2022. According to its latest filing with the SEC, Hanes experienced the attack at the end of last month and has notified the information commissioner and law enforcement about the sophisticated cyber attack.

Kirk Saville, spokesperson for HanesBrands, confirmed the news and said that the situation was brought under control in no time. However, he did not say whether the company paid any ransom to recover the encrypted data.


The post Ransomware news trending on Google appeared first on Cybersecurity Insiders.

Costa Rica’s national health service was hacked sometime earlier this morning by a Russian ransomware group known as Hive. The intrusion comes just weeks after Costa Rican President Rodrigo Chaves declared a state of emergency in response to a data ransom attack from a different Russian ransomware gang — Conti. Ransomware experts say there is good reason to believe the same cybercriminals are behind both attacks, and that Hive has been helping Conti rebrand and evade international sanctions targeting extortion payouts to cybercriminals operating in Russia.

The Costa Rican publication CRprensa.com reports that affected systems at the Costa Rican Social Security Fund (CCSS) were taken offline on the morning of May 31, but that the extent of the breach was still unclear. The CCSS is responsible for Costa Rica’s public health sector, and worker and employer contributions are mandated by law.

The fallout from this latest attack is not yet clear, but it is likely to be disruptive: A hand-written sign posted outside a public health center in Costa Rica today explained that all systems are down until further notice (thanks to @Xyb3rb3nd3r for sharing this photo).

A hand-written notice posted outside a public health clinic today in Costa Rica warned of system outages due to a cyberattack on the nation’s healthcare systems.

A copy of the ransom note left behind by the intruders and subsequently uploaded to Virustotal.com indicates the CCSS intrusion was the work of Hive, which typically demands payment for a digital key needed to unlock files and servers compromised by the group’s ransomware.

A HIVE ransomware chat page for a specific victim (redacted).

On May 8, President Chaves used his first day in office to declare a national state of emergency after the Conti ransomware group threatened to publish gigabytes of sensitive data stolen from Costa Rica’s Ministry of Finance and other government agencies. Conti initially demanded $10 million, and later doubled the amount when Costa Rica refused to pay. On May 20, Conti leaked more than 670 gigabytes of data taken from Costa Rican government servers.

As CyberScoop reported on May 17, Chaves told local media he believed that collaborators within Costa Rica were helping Conti extort the government. Chaves offered no information to support this claim, but the timeline of Conti’s descent on Costa Rica is worth examining.

Most of Conti’s public communications about the Costa Rica attack have very clearly assigned credit for the intrusion to an individual or group calling itself “unc1756.” In March 2022, a new user by the same name registered on the Russian language crime forum Exploit.

A message Conti posted to its dark web blog on May 20.

On the evening of April 18, Costa Rica’s Ministry of Finance disclosed the Conti intrusion via Twitter. Earlier that same day, the user unc1756 posted a help wanted ad on Exploit saying they were looking to buy access to “special networks” in Costa Rica.

“By special networks I mean something like Haciendas,” unc1756 wrote on Exploit. Costa Rica’s Ministry of Finance is known in Spanish as the “Ministerio Hacienda de Costa Rica.” Unc1756 said they would pay $USD 500 or more for such access, and would work only with Russian-speaking people.

THE NAME GAME DISTRACTION

Experts say there are clues to suggest Conti and Hive are working together in their attacks on Costa Rica, and that the intrusions are tied to a rebranding effort by Conti. Shortly after Russia invaded Ukraine at the end of February, Conti declared its full support, aligning itself directly with Russia and against anyone who would stand against the motherland.

Conti’s threatening message this week regarding international interference in Ukraine.

Conti quickly deleted the declaration from its website, but the damage had already been done, and any favor or esteem that Conti had earned among the Ukrainian cybercriminal underground effectively evaporated overnight.

Shortly thereafter, a Ukrainian security expert leaked many months worth of internal chat records between Conti personnel as they plotted and executed attacks against hundreds of victim organizations. Those candid messages exposed what it’s like to work for Conti, how they undermined the security of their targets, as well as how the group’s leaders strategized for the upper hand in ransom negotiations.

But Conti’s declaration of solidarity with the Kremlin also made it increasingly ineffective as an instrument of financial extortion. According to cyber intelligence firm ADVIntel, Conti’s alliance with the Russian state soon left it largely unable to receive ransom payments because victim companies are being advised that paying a Conti ransom demand could mean violating U.S. economic sanctions on Russia.

“Conti as a brand became associated with the Russian state — a state that is currently undergoing extreme sanctions,” ADVIntel wrote in a lengthy analysis (PDF). “In the eyes of the state, each ransom payment going to Conti may have potentially gone to an individual under sanction, turning simple data extortion into a violation of OFAC regulation and sanction policies against Russia.”

Conti is by far the most aggressive and profitable ransomware group in operation today. Image: Chainalysis

ADVIntel says it first learned of Conti’s intrusion into Costa Rican government systems on April 14, and that it has seen internal Conti communications indicating that getting paid in the Costa Rica attack was not the goal.

Rather, ADVIntel argues, Conti was simply using it as a way to appear publicly that it was still operating as the world’s most lucrative ransomware collective, when in reality the core Conti leadership was busy dismantling the crime group and folding themselves and top affiliates into other ransomware groups that are already on friendly terms with Conti.

“The only goal Conti had wanted to meet with this final attack was to use the platform as a tool of publicity, performing their own death and subsequent rebirth in the most plausible way it could have been conceived,” ADVIntel concluded.

ADVIntel says Conti’s leaders and core affiliates are dispersing to several Conti-loyal crime collectives that use either ransomware lockers or strictly engage in data theft for ransom, including AlphV/BlackCat, AvosLocker, BlackByte, HelloKitty, Hive, and Karakurt.

Still, Hive appears to be perhaps the biggest beneficiary of any attrition from Conti: Twice over the past week, both Conti and Hive have claimed responsibility for hacking the same companies. When the discrepancy was called out on Twitter, Hive updated its website to claim it was not affiliated with Conti.

Conti and Hive’s Costa Rican exploits mark the latest in a string of recent cyberattacks against government targets across Latin America. Around the same time it hacked Costa Rica in April, Conti announced it had hacked Peru’s National Directorate of Intelligence, threatening to publish sensitive stolen data if the government did not pay a ransom.

But Conti and Hive are not alone in targeting Latin American victims of late. According to data gathered from the victim shaming blogs maintained by multiple ransomware groups, over the past 90 days ransom actors have hacked and sought to extort 15 government agencies in Brazil, nine in Argentina, six in Colombia, four in Ecuador and three in Chile.

A recent report (PDF) by the Inter-American Development Bank suggests many Latin American countries lack the technical expertise or cybercrime laws to deal with today’s threats and threat actors.

“This study shows that the Latin American and Caribbean (LAC) region is not sufficiently prepared to handle cyberattacks,” the IADB document explains. “Only 7 of the 32 countries studied have a critical infrastructure protection plan, while 20 have established cybersecurity incident response teams, often called CERTs or CSIRTs. This limits their ability to identify and respond to attacks.”

3 Takeaways From the 2022 Verizon Data Breach Investigations Report

Sometimes, data surprises you. When it does, it can force you to rethink your assumptions and second-guess the way you look at the world. But other times, data can reaffirm your assumptions, giving you hard proof they're the right ones — and providing increased motivation to act decisively based on that outlook.

The 2022 edition of Verizon's Data Breach Investigations Report (DBIR), which looks at data from cybersecurity incidents that occurred in 2021, is a perfect example of this latter scenario. This year's DBIR rings many of the same bells that have been resounding in the ears of security pros worldwide for the past 12 to 18 months — particularly, the threat of ransomware and the increasing relevance of complex supply chain attacks.

Here are our three big takeaways from the 2022 DBIR, and why we think they should have defenders doubling down on the big cybersecurity priorities of the current moment.

1. Ransomware's rise is reaffirmed

In 2021, it was hard to find a cybersecurity headline that didn't somehow pertain to ransomware. It impacted some 80% of businesses last year and threatened some of the institutions most critical to our society, from primary and secondary schools to hospitals.

This year's DBIR confirms that ransomware is the critical threat that security pros and laypeople alike believe it to be. Ransomware-related breaches increased by 13% in 2021, the study found — that's a greater increase than we saw in the past 5 years combined. In fact, nearly 50% of all system intrusion incidents — i.e., those involving a series of steps by which attackers infiltrate a company's network or other systems — involved ransomware last year.

While the threat has massively increased, the top methods of ransomware delivery remain the ones we're all familiar with: desktop sharing software, which accounted for 40% of incidents, and email at 35%, according to Verizon's data. The growing ransomware threat may seem overwhelming, but the most important steps organizations can take to prevent these attacks remain the fundamentals: educating end users on how to spot phishing attempts and maintain security best practices, and equipping infosec teams with the tools needed to detect and respond to suspicious activity.

2. Attackers are eyeing the supply chain

In 2021 and 2022, we've been using the term "supply chain" more than we ever thought we would. COVID-induced disruptions in the flow of commodities and goods caused lumber to skyrocket and automakers to run short on microchips.

But security pros have had a slightly different sense of the term on their minds: the software supply chain. Breaches from Kaseya to SolarWinds — not to mention the Log4j vulnerability — reminded us all that vendors' systems are just as likely a vector of attack as our own.

Unfortunately, Verizon's Data Breach Investigations Report indicates these incidents are not isolated events — the software supply chain is, in fact, a major avenue of exploitation by attackers. In fact, 62% of cyberattacks that follow the system intrusion pattern began with the threat actors exploiting vulnerabilities in a partner's systems, the study found.

Put another way: If you were targeted with a system intrusion attack last year, it was almost twice as likely that it began on a partner's network than on your own.

While supply chain attacks still account for just under 10% of overall cybersecurity incidents, according to the Verizon data, the study authors point out that this vector continues to account for a considerable slice of all incidents each year. That means it's critical for companies to keep an eye on both their own and their vendors' security posture. This could include:

  • Demanding visibility into the components behind software vendors' applications
  • Staying consistent with regular patching updates
  • Acting quickly to remediate and emergency-patch when the next major vulnerability that could affect high numbers of web applications rears its head

3. Mind the app

Between Log4Shell and Spring4Shell, the past 6 months have jolted developers and security pros alike to the realization that their web apps might contain vulnerable code. This proliferation of new avenues of exploitation is particularly concerning given just how commonly attackers target web apps.

Compromising a web application was far and away the top cyberattack vector in 2021, accounting for roughly 70% of security incidents, according to Verizon's latest DBIR. Meanwhile, web servers themselves were the most commonly exploited asset type — they were involved in nearly 60% of documented breaches.

More than 80% of attacks targeting web apps involved the use of stolen credentials, emphasizing the importance of user awareness and strong authentication protocols at the endpoint level. That said, 30% of basic web application attacks did involve some form of exploited vulnerability — a percentage that should be cause for concern.

"While this 30% may not seem like an extremely high number, the targeting of mail servers using exploits has increased dramatically since last year, when it accounted for only 3% of the breaches," the authors of the Verizon DBIR wrote.

That means vulnerability exploits accounted for a 10 times greater proportion of web application attacks in 2021 than they did in 2022, reinforcing the importance of being able to quickly and efficiently test your applications for the most common types of vulnerabilities that hackers take advantage of.

Stay the course

For those who've been tuned into the current cybersecurity landscape, the key themes of the 2022 Verizon DBIR will likely feel familiar — and with so many major breaches and vulnerabilities that claimed the industry's attention in 2021, it would be surprising if there were any major curveballs we missed. But the key takeaways from the DBIR remain as critical as ever: Ransomware is a top-priority threat, software supply chains need greater security controls, and web applications remain a key attack vector.

If your go-forward cybersecurity plan reflects these trends, that means you're on the right track. Now is the time to stick to that plan and ensure you have tools and tactics in place that let you focus on the alerts and vulnerabilities that matter most.

The CLOP ransomware gang has targeted over 21 organizations from March to April this year, and the number might increase as time progresses. According to a survey conducted by NCC Group, CLOP returned in February this year from a hiatus of almost 16 months and is now going only after the industrial sector.

CLOP is seen infecting mostly firms operating in the industrial sector, mainly those partnering with US companies.

In June last year, CLOP gang members announced that they were shutting down their business as earnings from cyber attacks were decreasing drastically, thanks to law enforcement agencies such as CISA, the FBI, the NCSC and Europol. As the noose around those laundering cryptocurrency was tightened by agencies such as INTERPOL, it was getting difficult for the hackers to extract money from targets.

Recently, after the start of the war between Russia and Ukraine, six CLOP gang members were arrested by Ukrainian authorities following searches for them in various parts of Kyiv.

Intel 471 states that CLOP claimed approximately 7 victims in 2019, including Software AG, ExecuPharm, Indiabulls, Maastricht University and Accellion.

Britain has also tightened the noose around gangs spreading file-encrypting malware and is using many techniques to block their earnings.

Eventually, such steps have worked in favor of the Biden-led government, as ransomware gangs such as Conti have announced that they are leaving the business because of a significant drop in earnings.

CLOP remained on hiatus until January this year and probably regained strength after the start of Putin's war on the Zelensky-led nation, as it appears to have resumed its notorious operations in March 2022.


The post CLOP Ransomware targets 21 victims in a single month appeared first on Cybersecurity Insiders.