First is news of a new ransomware strain dubbed Cheers that has been seen targeting mainly VMware ESXi servers. Because a single hypervisor hosts many virtual machines, encrypting it knocks out many systems in one go, which is why ESXi has become a favoured target of the gangs behind LockBit, Hive and RansomEXX.

If one host runs a dozen virtual machines serving different applications, targeting that host makes sense for attackers: they can encrypt or exfiltrate data from all of them at once and then threaten to leak or sell the stolen files, which makes a ransom payment more likely.

Cheerscrypt, known simply as Cheers, targets VMware hypervisors and uses double extortion, threatening to publish stolen data as well as withholding the decryption key, to pressure victims into paying the demanded ransom.

The second is a news piece on a US Senate report on ransomware. The Senate Committee on Homeland Security and Governmental Affairs has acknowledged how little the government currently knows about, and can do against, sophisticated cyber threats to US infrastructure.

The report, titled "Use of Cryptocurrency in Ransomware Attacks, Available Data, and National Security Concerns", raises concerns that cryptocurrency payments are making it harder for governments to enforce restrictions and sanctions.

Because companies frequently fail to report cyber attacks such as ransomware, the Biden administration lacks the data it needs to defend federal infrastructure against state-backed threats.

Such attacks are said to have risen by about 30% since the start of Russia's war on Ukraine, which is a worrying trend.

The third is news that one of the wealthiest counties in the United States has been hit by ransomware. Somerset County in New Jersey was targeted by a gang distributing file-encrypting malware, and because the county's entire communications network was down, staff had to set up temporary Gmail addresses for emergency communication.

Preliminary investigation revealed that the attackers gained access to the municipal email server and several other services and took the county's communication systems offline. The ransomware variant that struck the servers has not yet been identified.

As recovery was slow, IT staff set up Gmail addresses for county employees so that residents could still reach them in an emergency.

 

The post Ransomware news headlines trending on Google appeared first on Cybersecurity Insiders.

The great thing about working in the world of cybersecurity is that there's always something new. You may think you've seen it all, and then something comes along that completely surprises you. And that's certainly true of the GoodWill ransomware, which security firm CloudSEK described this week. In fact, the GoodWill ransomware stands out so […]

The post Ransomware demands acts of kindness to get your files back appeared first on The State of Security.

As soon as Russia went to war against Ukraine, much of the world, led by the United States, condemned it as a war on innocents and imposed sanctions on Putin's government to pressure him into stopping it.

But Vladimir Putin pressed on with the invasion and intensified the war in an attempt to take control of Kyiv.

Almost 100 days on, nothing seems to be stopping the Kremlin's invasion of Ukraine.

Reports now indicate that members of Russian hacking gangs are feeling the pinch of sanctions, because they are finding it much harder to cash out the proceeds of their attacks.

Speaking at a virtual conference, Rob Joyce, the National Security Agency's Director of Cybersecurity, said that the sanctions are squeezing Russian hackers and that this has contributed to a decline in ransomware attacks.

However, in retaliation for the sanctions, the Russian government could launch cyber attacks against US critical infrastructure operated by energy, nuclear, financial and telecom firms.

This would follow the pattern of the reported attacks by Moscow-linked hackers in early March this year on SpaceX's Starlink satellite service, run by Elon Musk, which has kept Ukraine connected to the outside world.

Joyce also said that CISA's "Shields Up" campaign, which urges companies to strengthen their defences against cyber attacks, was yielding significant results.

Note– Putin is reported to have ordered his officials to apply countermeasures against the sanctions, such as demanding payment in rubles for fuel and other essentials.

 

The post Russian Ransomware hackers getting frustrated by sanctions appeared first on Cybersecurity Insiders.

SpiceJet, a low-cost airline in India, was reportedly hit by a ransomware attack on Tuesday night, causing flight delays for passengers. The group behind the attack on SpiceJet's servers has not yet been identified, although suspicion has fallen on the Lapsus$ extortion group.

Thousands of passengers waiting to board flights in about 67 Indian cities were left stranded when morning departures were halted until the afternoon.

Some passengers vented their anger at SpiceJet on Twitter, saying their take-off had been held for three to four hours because the aircraft's in-flight systems could not connect to the GPS services needed for departure.

By the afternoon, services had been restored with the help of the company's disaster recovery plan.

Meanwhile, the company, which is headquartered in Haryana, issued a press statement saying it has amicably settled a dispute with Credit Suisse in line with directions issued by the Supreme Court of India.

The airline stated on May 23, 2022 that it had mutually agreed to pay the $5 million in arrears on the timeline set by the Madras High Court, with no further financial liability for the company.

Note- SpiceJet operates a fleet of 42 Boeing 737s and 22 Bombardier Dash 8 turboprops and runs a low-cost service model based on economy-class seating.

 

The post Ransomware Attack disrupts airlines services of Spice Jet appeared first on Cybersecurity Insiders.

IBM, the American technology company, has launched a cybersecurity initiative to improve ransomware protection in public schools across the United States. The program is funded entirely by IBM, with $5 million to be distributed as grants to K-12 schools throughout the country.

The aim is to improve schools' current security posture against ransomware. IBM is funding the program as part of its corporate social responsibility work on environmental, social and governance (ESG) projects.

Ransomware has become a major threat to educational institutions, and IBM plans to audit the digital defences of participating schools and then produce an incident response playbook for each.

In addition, a team of cybersecurity experts will raise awareness among students and staff about the current threat landscape and will train staff, students and parents in handling communications during a cyber attack.

Note 1– Research by Emsisoft found that more than 1,000 educational institutions, including schools, colleges and universities, were hit by ransomware in 2021.

Note 2– Separate research by Cisco Talos found that 2021 saw about 2,323 cyber attacks on government infrastructure belonging to schools, colleges and offices across the United States.

Note 3- Charles Henderson, head of IBM Security X-Force, urges companies not to pay when they are hit by ransomware gangs, as paying encourages further crime and does not guarantee a working decryption key in return.

 

The post IBM takes initiative to improve Ransomware Protection in Public Schools appeared first on Cybersecurity Insiders.

A Year on from the Ransomware Task Force Report

If you follow cybersecurity, you’ve likely seen one of the many articles written recently on the one-year anniversary of the Colonial Pipeline ransomware attack, which saw fuel delivery suspended for six days, disrupting air and road travel across the southeastern states of the US. The Colonial attack was the biggest cyberattack against US critical infrastructure, making it something of a game-changer in the realm of ransomware, so it is absolutely worth noting the passage of time and investigating what’s changed since.

This blog will do that, but I’ll take a slightly different tack, as I’m also marking the anniversary of the Ransomware Task Force’s (RTF) report, which offered 48 recommendations for policymakers wanting to deter, disrupt, prepare, and respond to ransomware attacks. The report was issued a week prior to the Colonial attack.

Last week, I participated in an excellent event to mark the one-year anniversary of the RTF report. During the session, various ransomware experts discussed how the ransomware landscape has evolved over the past year, how government action has shaped this, and what more needs to be done. The Institute for Security and Technology (IST), which convenes and runs the RTF, has issued a paper capturing the points above. This blog offers my own thoughts on the matter, but it’s not at all exhaustive, and I recommend giving the official paper a read.

High-profile attacks raised the stakes

Looking back over the past year, in many ways, the Colonial attack – along with ransomware attacks on the Irish Health Service Executive (HSE) and JBS, the largest meat processing company in the world, all of which occurred during May 2021 – highlighted the exact concerns outlined in the RTF report. Specifically, the RTF had been convened based on the view that the high level of attacks against healthcare and other critical services through the pandemic made ransomware a matter of national security for those countries that are highly targeted.

In light of this, one of the most fundamental recommendations of the report was that this be acknowledged and met with a senior leadership and cross-governmental response. The Colonial attack resulted in President Biden addressing the issue of ransomware on national television. Subsequently, we have seen a huge cross-governmental focus on ransomware, with measures announced from departments including Homeland Security, Treasury, Justice, and State. We’ve also seen both Congress and the White House working on the issue. And while the US government has been the most vocal in its response, we have seen other governments also focusing on this issue as a priority and working together to amplify the impact of their action.

In June 2021, the Group of Seven (G7) governments of the world’s wealthiest democracies addressed ransomware at its annual summit. The resulting Communique capturing the group’s commitments includes pledges to work together to address the threat. In October 2021, the White House hosted the governments of 30 nations to discuss ransomware. The event launched the Counter Ransomware Initiative (CRI), committing to collaborate together to find solutions to reduce the ransomware threat. The CRI has identified key themes for further exploration and action, with a similar focus on deterring and disrupting attacks and driving adoption of greater cyber resilience.

Status of the RTF recommendations

This is all heartening to see and strongly aligns with the ethos and recommendations of the RTF report. Drilling down into more of the details, there are many further areas of alignment, including the launch of coordinated awareness programs, the introduction of sanctions, scrutiny of cryptocurrency regulations, and a focus on incident reporting regulations. The RTF paper provides a great deal more detail on these areas of alignment and the progress that has been made, as well as the areas that need more focus.

This, I believe, is the key point: A great deal of progress has been made, both in terms of building understanding of the problem and in developing alignment and collaboration among stakeholders, yet there is a great deal more work to be done. The partnerships between multiple governments — and between the public and private sectors — are hugely important for improving our odds against the attackers, but progress will not happen overnight. It will take time to see the real impact of the measures already taken, and there are yet measures to be determined, developed, and implemented.

Uncertain times

We must keep our eye on the ball and stay engaged, which is not easy when there are so many other demands on governments’ and business leaders’ limited time and resources. The Russia/Ukraine conflict has undoubtedly been a very time-consuming area of focus, though expectations that offensive cyber operations would be a key element of the Russian action have perhaps helped increase awareness of the need for cyber resilience. The economic downturn is another huge pressure and will almost certainly reduce critical infrastructure providers’ investments in cybersecurity as the cost of business increases in other areas, resulting in budget cuts. While both of these developments may distract governments and business leaders from ransomware, they may also increase ransomware activity as economic deprivation and job scarcity encourage more people to turn to cybercrime to make a living.

According to law enforcement and other government agencies, as well as the cyber insurance sector, the reports of ransomware incidents are slowing down or declining. Due to a long-standing lack of consistent incident reporting, it’s hard to contextualize this, and while we very much hope it points to a reduction in attacks, we can’t say that that’s the case. Security researchers report that activity on the dark web seems to be continuing at pace with 2021, a record year for ransomware attacks. It’s possible that the shift in view from law enforcement could be due to fears that involving them will result in regulatory repercussions; reports to insurers could be down due to the introduction of more stringent requirements for claims.

The point is that it’s too early to tell, which is why we need to maintain a focus on the issue and seek out data points and anecdotal evidence to help us understand the impact of the government action taken so far, so we can continue to explore and adjust our approach. An ongoing focus, continued collaboration, and more data will help ensure we put as much pressure as possible on ransomware actors and the governments and systems that allow them to flourish. Over time, this is how we will make progress to reduce the ransomware threat.


The Conti ransomware gang is shutting down its operations and is expected to resurface as several rebranded groups. According to an intelligence update from security vendor AdvIntel, the group was forced into this move by internal conflict within its syndicate after it announced its support for Russia's invasion of Ukraine.

In February this year, within days of the start of the Russian war on Ukraine, the notorious organization declared its support for Putin and launched several cyber attacks on Ukrainian critical infrastructure.

This did not go down well with some gang members, who not only objected but leaked internal information about the gang's operations, which reached law enforcement agencies in the UK and US.

After the gang launched a ransomware attack on the government of Costa Rica, the Biden administration announced a $10 million reward for information on the group and urged the Costa Rican government not to pay the ransom.

Close monitoring of the group's online activity followed, making it harder for Conti to receive payments or launch further attacks.

In this way, the Conti ransomware group seems to have dug its own grave and is now paying for its decision to back Russia's invasion of Ukraine.

Note 1- Conti is expected to return split into multiple ransomware groups, this time targeting large organizations capable of paying ransoms in the tens of millions of dollars.

Note 2- AdvIntel announced the shutdown of Conti on Friday, May 20, 2022, and suggested that the gang could bounce back within a couple of months to target large organizations during this year's holiday season.

 

The post Conti Ransomware to shut down and come rebranded into multiple groups appeared first on Cybersecurity Insiders.

A ransomware attack has led to the leak of personal information belonging to students and staff of Chicago Public Schools (CPS). The incident took place in December last year and was disclosed to the public on April 25 this year.

The subsequent investigation revealed that the attackers accessed four years of records, including names, schools, dates of birth, CPS identification numbers and state student identification numbers, along with class schedules and scores of CPS pupils.

For employees, the attackers accessed names, employee IDs and email access credentials in the file-encrypting malware attack.

About 495,398 student records and 57,158 employee records from the 2015-2016 through 2018-2019 school years were exposed in the attack.

All students and staff affected by the attack will be offered a year of credit monitoring and identity theft protection, according to a statement issued by Chicago Public Schools.

The FBI and the Department of Homeland Security were asked to investigate the breach and have found no evidence to date that the stolen data has been misused or sold on the dark web. According to the statement, no Social Security numbers, insurance details, home addresses or health data were exposed in the incident.

Battelle for Kids, a technology vendor that has served CPS for years, is believed to have been the actual victim: the attack hit the firm's servers and exposed data belonging to CPS, the third-largest school district in the United States.

Suspicion currently points at the Conti ransomware gang or the Lapsus$ extortion group.

 

The post Ransomware Attack Leads to a data breach at Chicago Public Schools appeared first on Cybersecurity Insiders.