A vulnerability in Microsoft Exchange Servers is allowing hackers to deploy Hive ransomware and other backdoors, including Cobalt Strike Beacon, with the capability to steal cryptocurrency from wallets and deploy crypto-mining software.

It is all happening because of the ProxyShell security issues, which threat actors exploit to perform network reconnaissance and download payloads.

Security analytics firm Varonis discovered the details of Hive ransomware being deployed on Microsoft Exchange Servers after one of its customers asked it to investigate. Researchers found that the notorious gang of cyber criminals planted four web shells in an accessible Exchange directory and executed PowerShell code to evade detection by threat monitoring solutions. Of the four web shells, three were sourced from a public Git repository and one was sourced from the wild.
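A defender-side check that follows from this finding, given here as an added example (not Varonis's tooling and not code from the original post): it baselines the server-side script files under a web-accessible directory and reports any file that is new or whose content hash has changed, which is how a dropped web shell in an Exchange directory shows up against a known-good state. The directory layout, file contents and baseline below are constructed for the demonstration; in practice the baseline would be taken from the Exchange FrontEnd\HttpProxy virtual directories right after patching (assumed deployment path, not from the article).

```python
"""Baseline-diff check for unexpected server-side script files.

Added example: compares the script files under a web-accessible directory
against a baseline of known-good SHA-256 hashes. Paths and sample files
are constructed for the demo; nothing here is from the original article.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Extensions IIS executes as server-side code; a dropped web shell is
# almost always one of these.
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asax"}


def sha256_of(path: Path) -> str:
    """Stream the file so large pages do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def iter_script_files(root: Path):
    """Yield every script file under root, recursively."""
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in SCRIPT_EXTS:
            yield p


def build_baseline(root: Path) -> dict[str, str]:
    """Record the hash of every script file, keyed by POSIX-style relative path."""
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in iter_script_files(root)}


def find_unexpected(root: Path, baseline: dict[str, str]) -> list[tuple[str, str]]:
    """Return (relative_path, reason) for files absent from or changed since the baseline."""
    findings = []
    for p in iter_script_files(root):
        rel = p.relative_to(root).as_posix()
        if rel not in baseline:
            findings.append((rel, "not in baseline"))
        elif baseline[rel] != sha256_of(p):
            findings.append((rel, "content changed since baseline"))
    return sorted(findings)


def demo() -> list[tuple[str, str]]:
    """Constructed scenario: baseline a clean tree, then simulate one dropped
    page and one altered page, and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        owa = root / "owa" / "auth"          # constructed directory name
        owa.mkdir(parents=True)
        (owa / "logon.aspx").write_text('<%@ Page Language="C#" %> known-good logon page')
        (owa / "errorFE.aspx").write_text('<%@ Page Language="C#" %> known-good error page')
        baseline = build_baseline(root)

        # Simulated post-compromise state (constructed): a new .aspx file
        # appears, a known page is altered, and a non-script file is added.
        (owa / "new_page.aspx").write_text('<%@ Page Language="C#" %> unexpected new file')
        (owa / "errorFE.aspx").write_text('<%@ Page Language="C#" %> altered page')
        (owa / "readme.txt").write_text("non-script file, ignored by the check")
        return find_unexpected(root, baseline)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

Only additions and modifications are reported; a file deleted since the baseline is not, since deletion is not how a web shell is introduced. The baseline must be captured from a state you trust, so it belongs in the patching runbook rather than being taken from a server that may already be compromised.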

Previously, threat actors from Conti, BlackByte, Babuk, Cuba and LockFile used the ProxyShell vulnerability to steal information from their victims and then lock down their databases with encryption.

In May 2021, Microsoft issued fixes for all the newly found vulnerabilities and released patches immediately. But according to the new detection by Varonis, the Hive ransomware gang is again seen exploiting the flaws tracked as CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207, which carry severity scores between 8.3 (High) and 9.8 (Critical).

Note- Since its first detection by the FBI in June 2021, Hive has emerged as the most active ransomware in attack frequency. Thus, CISA, in association with the Federal Bureau of Investigation (FBI), issued a dedicated report last year on the tactics and indicators of compromise of Hive ransomware.


The post Hive Ransomware deployed on Microsoft Exchange Servers appeared first on Cybersecurity Insiders.

A study conducted by cybersecurity firm Mandiant confirms that ransomware actors are increasingly targeting virtualization platforms to extort large ransoms. A report released on this note confirmed that most of the targeted environments are the ones running VMware.

M-Trends 2022 report not only disclosed what threat actors are doing, but has also offered ways to mitigate risks.

The year 2021 witnessed an increase in ransomware attacks on corporate IT environments. And from early 2022, the focus of the cyber criminals has shifted towards core business environments such as virtualization, since any attack on such operations leads to complex IT disasters.

Mandiant researchers claim that most of the threat actors, such as Hive, Conti, BlackCat and DarkSide, are targeting only VMware vSphere and ESXi platforms. And there are some strategies to mitigate the risks.

Another study made on corporate IT environments by Enterprise Strategy Group (ESG) states that over 79% of organizations have experienced a ransomware attack in the past year. And nearly half of them admitted that their business was financially affected by such attacks.

Interestingly, nearly half of the victims have set up cryptocurrency wallets to pay ransoms in the future. And about 30% of them have sought cyber insurance as cover for business loss, in case another digital assault strikes them.

The figure reveals the mindset of most CIOs, CTOs and business heads of technology companies: they are interested only in freeing their data from encryption, instead of proactively investing in threat monitoring and detection tools.

Note– If the victim pays the ransom, there is no guarantee that the cyber criminal group will return the decryption key. Such payments encourage crime, and so the United States FBI is urging victims not to pay any ransom and instead seek the help of law enforcement.


The post Ransomware gangs increasingly targeting virtualization platforms says study  appeared first on Cybersecurity Insiders.

Ireland’s Health Service Executive (HSE) was cyber-attacked by the Conti ransomware group in the middle of last year, and news is now out that 80% of the data stored on the healthcare provider’s servers was encrypted by the gang.

A detailed probe launched by the US Department of Health and Human Services (HHS) says that the digital assault resulted in severe disruption of health services across Ireland and exposed about 750 GB of data related to COVID-19 vaccines. The criminals not only accessed the data but also sent the details to their remote servers operating in the Russian Federation.

A PDF linked to the probe was released to the media this week, and it states that the Conti gang infiltrated the computer networks of HSE in May 2021 by somehow evading the anti-malware solutions and the threat detection solutions.

Slowly and steadily, the gang of notorious cyber criminals encrypted the IT environment of the HSE, reaching 80% encryption within a few days.

Conti ransomware gang provided a free decryption tool to Ireland’s health service department with a warning that they will sell or publish the stolen data if their demand of $20 million for ransom is ignored.

At the time of the incident, Micheál Martin, the Prime Minister of Ireland, dismissed reports that the authorities would pay a ransom. He was adamant about not paying the ransom, because paying not only encourages crime but also does not guarantee a decryption key.

Unconfirmed reports from the security scanning service VirusTotal stated that one or more criminals uploaded classified data to its scanning website containing details such as email addresses, phone numbers, IP addresses and physical addresses that appeared to be stolen from Ireland’s National Health Care Network.

Ireland’s Government, based on the order of the Department of Justice, launched a probe into the incident and asked VirusTotal to submit the data for analysis.

And the result on whether the information truly belonged to HSE is awaited!


The post Conti Ransomware attack on Ireland HSE encrypted 80% of data appeared first on Cybersecurity Insiders.

Conti — one of the most ruthless and successful Russian ransomware groups — publicly declared during the height of the COVID-19 pandemic that it would refrain from targeting healthcare providers. But new information confirms this pledge was always a lie, and that Conti has launched more than 200 attacks against hospitals and other healthcare facilities since first surfacing in 2018 under its earlier name, “Ryuk.”

On April 13, Microsoft said it executed a legal sneak attack against Zloader, a remote access trojan and malware platform that multiple ransomware groups have used to deploy their malware inside victim networks. More specifically, Microsoft obtained a court order that allowed it to seize 65 domain names that were used to maintain the Zloader botnet.

Microsoft’s civil lawsuit against Zloader names seven “John Does,” essentially seeking information to identify cybercriminals who used Zloader to conduct ransomware attacks. As the company’s complaint notes, some of these John Does were associated with lesser ransomware collectives such as Egregor and Nefilim.

But according to Microsoft and an advisory from the U.S. Cybersecurity & Infrastructure Security Agency (CISA), Zloader had a special relationship with Ryuk/Conti, acting as a preferred distribution platform for deploying Ryuk/Conti ransomware.

Several parties backed Microsoft in its legal efforts against Zloader by filing supporting declarations, including Errol Weiss, a former penetration tester for the U.S. National Security Agency (NSA). Weiss now serves as the chief security officer of the Health Information Sharing & Analysis Center (H-ISAC), an industry group that shares information about cyberattacks against healthcare providers.

Weiss said ransomware attacks from Ryuk/Conti have impacted hundreds of healthcare facilities across the United States, including facilities located in 192 cities and 41 states and the District of Columbia.

“The attacks resulted in the temporary or permanent loss of IT systems that support many of the provider delivery functions in modern hospitals resulting in cancelled surgeries and delayed medical care,” Weiss said in a declaration (PDF) with the U.S. District Court for the Northern District of Georgia.

“Hospitals reported revenue losses due to Ryuk infections of nearly $100 million from data I obtained through interviews with hospital staff, public statements, and media articles,” Weiss wrote. “The Ryuk attacks also caused an estimated $500 million in costs to respond to the attacks – costs that include ransomware payments, digital forensic services, security improvements and upgrading impacted systems plus other expenses.”

The figures cited by Weiss appear highly conservative. A single attack by Ryuk/Conti in May 2021 against Ireland’s Health Service Executive, which operates the country’s public health system, resulted in massive disruptions to healthcare in Ireland. In June 2021, the HSE’s director general said the recovery costs for that attack were likely to exceed USD $600 million.

Conti ravaged the healthcare sector throughout 2020, and leaked internal chats from the Conti ransomware group show the gang had access to more than 400 healthcare facilities in the U.S. alone by October 2020.

On Oct. 28, 2020, KrebsOnSecurity broke the news that FBI and DHS officials had seen reliable intelligence indicating the group planned to ransom many of these care facilities simultaneously. Hours after that October 2020 piece ran, I heard from a respected H-ISAC security professional who questioned whether it was worth getting the public so riled up. The story had been updated multiple times throughout the day, and there were at least five healthcare organizations hit with ransomware within the span of 24 hours.

“I guess it would help if I understood what the baseline is, like how many healthcare organizations get hit with ransomware on average in one week?” I asked the source.

“It’s more like one a day,” the source confided.

A report in February 2022 from Sophos found Conti orchestrated a cyberattack against a Canadian healthcare provider in late 2021. Security software firm Emsisoft found that at least 68 healthcare providers suffered ransomware attacks last year.

While Conti is just one of many ransomware groups threatening the healthcare industry, it seems likely that ransomware attacks on the healthcare sector are underreported. Perhaps this is because a large percentage of victims are paying a ransom demand to keep their data (and news of their breach) confidential. A survey published in February by email security provider Proofpoint found almost 60 percent of victims hit by ransomware paid their extortionists.

Or perhaps it’s because many crime groups have shifted focus away from deploying ransomware and toward stealing data and demanding payment not to publish the information. Conti shames victims who refuse to pay a ransom by posting their internal data on their darkweb blog.

Since the beginning of 2022, Conti has claimed responsibility for hacking a cancer testing lab, a medical prescription service online, a biomedical testing facility, a pharmaceutical company, and a spinal surgery center.

The Healthcare Information and Management Systems Society recently released its 2021 HIMSS Healthcare Cybersecurity Survey (PDF), which interviewed 167 healthcare cybersecurity professionals and found 67 percent had experienced a “significant security incident” in the past year.

The survey also found that just six percent or less of respondent’s information technology budgets were devoted to cybersecurity, although roughly 60 percent of respondents said their cybersecurity budgets would increase in 2022. Last year, just 79 percent of respondents said they’d fully implemented antivirus or other anti-malware systems; only 43 percent reported they’d fully implemented intrusion detection and prevention technologies.

The FBI says Conti typically gains access to victim networks through weaponized malicious email links, attachments, or stolen Remote Desktop Protocol (RDP) credentials, and that it weaponizes Microsoft Office documents with embedded Powershell scripts — initially staging Cobalt Strike via the Office documents and then dropping Emotet onto the network — giving them the ability to deploy ransomware. The FBI said Conti has been observed inside victim networks between four days and three weeks on average before deploying Conti ransomware.
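One way to turn the FBI's description of that chain into a detection, shown here as an added example that is not from the article: it reads constructed process-creation events (a simplified JSON-lines shape loosely modeled on the parent/child/command-line fields of Sysmon Event ID 1, not a real log format) and flags an Office application spawning a script interpreter, raising the severity when the command line carries an encoded-command flag. Field names, host names and command lines are assumptions constructed for the demo.

```python
"""Detect Office-spawned script interpreters in process-creation events.

Added example: the event shape below is a constructed JSON-lines format,
not a real Sysmon/EDR export, and the sample events are made up.
"""
from __future__ import annotations

import json
from pathlib import PureWindowsPath

# Office applications that, in the chain described, open the weaponized document.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters a macro or embedded script typically hands off to.
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe"}
# PowerShell's encoded-command switch and its accepted abbreviations.
ENCODED_FLAGS = ("-enc", "-ec", "-encodedcommand")

# Constructed sample events: one benign admin launch, one benign Office
# helper process, and three Office-to-interpreter launches.
SAMPLE_EVENTS = r"""
{"host": "WS01", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -nop -w hidden -enc <base64-placeholder>"}
{"host": "WS02", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -File C:\\scripts\\inventory.ps1"}
{"host": "WS03", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c echo constructed"}
{"host": "WS04", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -EncodedCommand <base64-placeholder>"}
{"host": "WS05", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\splwow64.exe", "command_line": "splwow64.exe 12288"}
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so casing and location do not matter."""
    return PureWindowsPath(path).name.lower()


def classify(event: dict) -> str | None:
    """Return a severity for an Office->interpreter launch, or None if benign."""
    parent = basename(event["parent_image"])
    child = basename(event["image"])
    if parent not in OFFICE_PARENTS or child not in SCRIPT_CHILDREN:
        return None
    tokens = event.get("command_line", "").lower().split()
    # An encoded command from an Office parent is the strongest signal here.
    if any(flag in tokens for flag in ENCODED_FLAGS):
        return "high"
    return "medium"


def detect(jsonl: str) -> list[dict]:
    """Run classify() over JSON-lines events and collect the alerts in order."""
    alerts = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        severity = classify(event)
        if severity is not None:
            alerts.append({
                "host": event["host"],
                "parent": basename(event["parent_image"]),
                "child": basename(event["image"]),
                "severity": severity,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['host']}: {alert['parent']} -> {alert['child']}")
```

The parent-child pairing is the part that generalizes: matching only on `powershell.exe` would drown the analyst in administrator activity (the WS02 event), while matching only on the parent would flag Office's own helper processes (the WS05 event). Tuning then consists of growing the two name sets from your environment's real telemetry.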

Nordex has released a press statement admitting IT disruptions across its production facilities. Investigations have revealed that Conti Ransomware Group, which demands millions as ransom after stealing and encrypting data, caused the attack.

With over 8,500 employees, the company has a business presence across the world and recently bagged a 29.5 MW wind project in Finland.

Morknasskogen Wind Project will use Nordex equipment to produce green energy and the commercial operations are expected to start by September 2023.

The business was targeted by the gang, which launched file-encrypting malware attacks on the company’s production systems at the end of March this year, and this might negatively affect its supply chain to some extent.

The good news is that the company has a solid disaster recovery plan in place, and so it is expected to recover from this incident at the earliest.

Out of an abundance of caution, the wind turbine supplier has blocked remote access to its customer facilities to safeguard their IT infrastructure from the ransomware.

In another major development, reports say that Nordex will develop a wind facility at San Juan de Marcona in southwestern Peru from the middle of this year, as it has secured a 131 MW wind turbine supply contract from Acciona Energia, a Spain-based energy company.

Note 1- Another turbine producer, Vestas, was also hit by a LockBit ransomware attack in November last year.

Note 2- Conti is a Russia-based group of ransomware-spreading criminals that attacks large organizations capable of paying ransoms of millions.


The post Conti Ransomware targets Wind Turbine giant Nordex appeared first on Cybersecurity Insiders.

Amid the growing cost of fuel in India, driven by the ongoing war between Russia and Ukraine, a sophisticated ransomware attack has hit the Indian subcontinent that could throw the entire nation into a serious fuel shortage.

Oil India Limited (OIL), an Assam-based fuel producing and supplying company, has made it official that its IT infrastructure was hit by a sophisticated cyber attack of the ransomware genre. And the hackers are demanding $7,500,000 (Rs 57 crore) to free the database from the malware.

Ransomware is a kind of file-encrypting malware that locks down access to digital files until a ransom, often running into millions, is paid.

Currently, there is no official confirmation of who is behind the attack. However, highly placed sources state that either the Conti or the RYUK ransomware gang could be behind the incident, with roughly 30% suspicion pointing at the Lapsus$ group.

Reports state that the PSU major has incurred huge losses, as all of the IT systems at its headquarters in Duliajan, Dibrugarh District of Assam, were infected.

Unconfirmed sources revealed that the company is not in a mood to entertain the demands of hackers as it has an efficient disaster recovery plan.

The CID’s cyber cell, in coordination with the Assam Police Department, is after the cyber criminals behind the attack. Preliminary inquiries reveal the hack was launched from foreign soil, and the perpetrators will be prosecuted under the existing cyber crime laws of India.

Oil India was formed in 1989, and most of its administrative control lies with the Indian Ministry of Petroleum and Natural Gas. The company is the second largest fuel and natural gas supplier, and the attack might impact the supply chain in the coming weeks, which has triggered price rise concerns among the public.


The post Sophisticated ransomware attack on Oil India Limited triggers fuel supply concerns appeared first on Cybersecurity Insiders.

All these days, the Anonymous group has been releasing updates on the cyber attacks it carried out on the critical infrastructure of the Russian Federation in retaliation for Putin’s invasion of Ukraine, and of Finland in the coming days.

Now, Network Battalion 65, a hackers group related to the Anonymous Group, has released a media update that it infiltrated the network of Roscosmos, the space agency of Russia, and tried to disrupt the operations of some satellites.

Dmitry Rogozin, an ally of the Russian President, condemned the news and added that such fake news stories were being planted by western-run media.

He also confirmed that no satellites went out of control on their radar and were conducting their operations normally.

However, Network Battalion 65 claims that it used Conti ransomware to block the operations of the space agency and steal classified data, which led to the shutdown of several satellite operations connected to imaging and vehicle monitoring systems in Russia.

Highly placed sources from a western media outlet state that all the Russian spy satellites were taken down, and that the attackers are not willing to unlock the systems even if paid millions in ransom, and are not swayed even if the figure reaches double-digit millions.

Australian Cyber Security Centre (ACSC) investigated the incident and concluded that Anonymous might have purchased Conti ransomware from a group offering RaaS services and launched it on the space agency, provided they are paid a large portion in the ransom payment.

NOTE- Roscosmos is a space corporation of the Russian Federation that’s responsible for aerospace research, satellite operations, and cosmonautic programs related to the science and technology of space shuttles.


The post Anonymous used Conti Ransomware to down Russian Satellites appeared first on Cybersecurity Insiders.

France-based Dordogne Groupements Hospitaliers de Territoire (Dordogne GHT) has stopped a RYUK ransomware attack on its servers by using Darktrace’s AI-driven threat monitoring and detection solution.

DarkTrace offers Antigena, an autonomous response technology against cyber threats such as ransomware attacks.

And in 2021, Dordogne GHT, a healthcare service provider from France, chose Darktrace Antigena to protect its entire corporate network of medical devices and computers from cyber risks.

Just two months after deployment, the RYUK ransomware group, a notorious gang of malware-spreading criminals suspected to be funded by Russian intelligence, targeted the healthcare company.

RYUK steals data from its victim’s database and locks down access to it with encryption until a ransom is paid. Interestingly, this gang of cyber crooks is also known to target the backup systems meant to recover information and resources at the time of a disaster.

Darktrace Antigena immediately blocked the RYUK ransomware invasion of Dordogne GHT without any human intervention. It immediately took an intelligent action to enforce normal operations, eventually stopping the attack.

Had the solution been absent, the company would have suffered severe losses, and the attack could even have resulted in patient deaths, as most of the IT systems in the hospitals would have been inactive, leaving doctors and medical practitioners unable to prescribe the right treatment and medicine.

Note- UK-based cybersecurity company Darktrace, which has over 30 offices worldwide, describes itself as the only business that enables IT infrastructure to learn how to defend itself from threats lurking in the cyber landscape. It does so by employing artificial intelligence technology in its threat monitoring and mitigation services.


The post Artificial Intelligence blocks RYUK Ransomware invasion appeared first on Cybersecurity Insiders.