Latest episode - listen now!
Category: ransomware
Laspsus$ ransomware group has revealed some details about its latest victim through its official telegram channel and Argentina-based IT and software firm Globant that has a global business presence seems to have become its latest victim.
Lapsus$ claimed that it has stolen about 70GB of Globant’s data, including the company’s software source code, and threatened the company to release more details, if it doesn’t bow down to its ransom demands.
Globant admitted the ransomware attack and acknowledged the source code steal. But the firm is still unsure how much of its data was compromised as its investigation was still underway.
Okta and Sitel are the other organizations that were hit by Lapsus$ group early this month and the former issued a press update that the incident could have affected up to 366 customers of the company.
On seeing the Lapsus$ ransomware group constantly targeting US firms, FBI has placed it on its ‘Most Wanted’ list and has investigated the group’s core members and their whereabouts with the help of other international law enforcement agencies.
Reports are in that the UK’s law enforcement agencies have arrested a 16-year-old teenager living near the Oxford University in connection with the Lapsus$ gang last week. It is believed that the youngster was connected with the Russian-speaking gang for a couple of years and was assisting them in financial transactions that take place between the criminals and the victims, on a respective note.
The post Lapsus$ ransomware group strikes software firm Globant appeared first on Cybersecurity Insiders.
Online photography printing service Shutterfly has disclosed that it has suffered a security breach at the hands of a ransomware gang that exposed the personal information of some employees.
The only backup you will ever regret is the one you didn't make
1.) Notorious Hive Ransomware group has published details of 850,000 patient records belonging to Partnership HealthPlan of California and said that a portion of data will be sold on the dark web, if the healthcare provider doesn’t bow down to its ransom demands.
As an incident response, the Partnership HealthPlan of California says that it has set up a Gmail address for patients to respond and showed that a team of experts have been pressed to probe the incident.
A press update released by the company states that information such as email addresses, social security numbers, physical addresses of over 850,000 PII were stolen by Hive hackers and all measures were being taken to stop them from posting 400 GB data onto the dark web.
2.) Conti Ransomware group has published on the dark web that it has targeted the servers belonging to Shutterfly, an online store that sells and purchases photography related services via web.
The incident reportedly occurred in December 2021 and the threat actors gained access to their network via a Windows Domain Controller.
Online tech news resource Bleeping computer reported Conti gang encrypted over 4k devices and 120 VMware ESXi servers that stored information belonging to Shutterfly.
3.) Third, a ransomware group dubbed SunCrypt that involves in triple extortion tactics of file encryption, a threat to post data online and launching DDoS attack on victims failing to pay a ransom is doing round on internet. And as per the sources, SunCrypt Ransomware gang is back in business and is slowly picking up in 2022. Minerva Labs, a security firm has endorsed the news and added that the threat group is looking to target only large enterprises and is keeping its ransom negotiations anonymous, to stay away from the tracking radar of law enforcement agencies.
4.) Last, but not the least, is the information regarding how fast the ransomware encrypts files. Researchers from Spunk have found that most of the reputed ransomware groups encrypt servers within a matter of 5 minutes and 50 seconds to encrypt 100,000 files. And the quickest among them is LockBit Ransomware that encrypts over 100 GB data within 4 minutes 9 seconds. Other ransomware forms were found encrypting files in the following time frame- Babuk Ransomware- In 6 minutes 34 seconds for a data of 100GB; Avaddon Ransomware- In 13 minutes 14 seconds for a data of 100GB; RYUK at 14 minutes,30 seconds; REvil in 24 minutes 16 seconds and BlackMatter ransomware in a time frame of 45 minutes. DarkSide that has the history of encrypting databases of Colonial Pipeline took 47 minutes to encrypt data on the victim database and Conti Ransomware at a time of 59 minutes 23 seconds to lock down access to 54GB of data files. Maze and PYSA were slow in doing their work as they were found encrypting a 50GB data file in over 109 minutes.
The post Ransomware news headlines trending on Google appeared first on Cybersecurity Insiders.
Based on two years of leaked messages, 60,000 in all:
The Conti ransomware gang runs like any number of businesses around the world. It has multiple departments, from HR and administrators to coders and researchers. It has policies on how its hackers should process their code, and shares best practices to keep the group’s members hidden from law enforcement.
After being linked to ransomware attacks that cost companies over US $53 million, an Estonian man has been sentenced to prison for five and a half years.
Read more in my article on the Hot for Security blog.
A ransomware attack launched on American companies was probed deeply and led to the arrest of a man from Estonia. The man was arrested with full evidence and so he was sentenced to a 5-year jail term or for 66 calendar months by the US Department of Justice.
Maksim Berezan is the 37-year-old man found guilty of the ransomware attack launched by Russian criminals on American businesses between April 2019-2020 and reportedly led to a $53 million loss.
Berezan was arrested in November 2020 from Latvia and extradited to the USA in April 2021 for indulging in cybercrime such as wire frauds on banks, assisting ransomware criminals from Russia to buy and sell software tools & services, and stealing money from cryptocurrency exchanges.
The probe was halted for some time because of the COVID-19 pandemic and, in the meantime; the cops investigated the computers operated by the Estonians to find $11 million accumulated from ransom payments.
Some portion of the currency was spent by Maksim to buy two red and black porches, a Ducati Motorbike, and some jewelry, and the same portion was found to be transferred to his Bitcoins wallet.
The Eastern District of Virginia has asked the culprit to pay $36 million as compensation to victims for the incurred losses along with the sentenced jail term.
Note- The news was released by the law enforcement agencies of the United States to enlighten the minds of the cyber crooks that all their digital fraud indulgence will end up for prosecution one day. And the department of justice thanked the Latvian State Police and Estonian Police to help nab the criminal and extradite him to North America.
The post Ransomware attack lands man in jail for 66 months appeared first on Cybersecurity Insiders.
An Estonian man was sentenced today to more than five years in a U.S. prison for his role in at least 13 ransomware attacks that caused losses of approximately $53 million. Prosecutors say the accused also enjoyed a lengthy career of “cashing out” access to hacked bank accounts worldwide.
Maksim Berezan, 37, is an Estonian national who was arrested nearly two years ago in Latvia. U.S. authorities alleged Berezan was a longtime member of DirectConnection, a closely-guarded Russian cybercriminal forum that existed until 2015. Berezan’s indictment (PDF) says he used his status at DirectConnection to secure cashout jobs from other vetted crooks on the exclusive crime forum.
Berezan specialized in cashouts and “drops.” Cashouts refer to using stolen payment card data to make fraudulent purchases or to withdraw money from bank accounts without authorization. A drop is a location or individual able to securely receive and forward funds or goods obtained through cashouts or other types of fraud. Drops typically are used to make it harder for law enforcement to trace fraudulent transactions and to circumvent fraud detection measures used by banks and credit card companies.
Acting on information from U.S. authorities, in November 2020 Latvian police searched Berezan’s residence there and found a red Porsche Carrera 911, a black Porsche Cayenne, a Ducati motorcycle, and an assortment of jewelry. They also seized $200,000 in currency, and $1.7 million in bitcoin.
After Berezan was extradited to the United States in December 2020, investigators searching his electronic devices said they found “significant evidence of his involvement in ransomware activity.”
“The post-extradition investigation determined that Berezan had participated in at least 13 ransomware attacks, 7 of which were against U.S. victims, and that approximately $11 million in ransom payments flowed into cryptocurrency wallets that he controlled,” reads a statement from the U.S. Department of Justice.
Berezan pleaded guilty in April 2021 to conspiracy to commit wire fraud.
The DirectConnection cybercrime forum, circa 2011.
For many years on DirectConnection and other crime forums, Berezan went by the hacker alias “Albanec.” Investigators close to the case told KrebsOnSecurity that Albanec was involved in multiple so-called “unlimited” cashouts, a highly choreographed, global fraud scheme in which crooks hack a bank or payment card processor and used cloned payment cards at cash machines around the world to fraudulently withdraw millions of dollars in just a few hours.
Berezan joins a growing list of top cybercriminals from DirectConnection who’ve been arrested and convicted of cybercrimes since the forum disappeared years ago. One of Albanec’s business partners on the forum was Sergey “Flycracker” Vovnenko, a Ukrainian man who once ran his own cybercrime forum and who in 2013 executed a plot to have heroin delivered to our home in a bid to get Yours Truly arrested for drug possession. Vovnenko was later arrested, extradited to the United States, pleaded guilty and spent more than three years in prison on botnet-related charges (Vovnenko is now back in Ukraine, trying to fight the Russian invasion with his hacking abilities).
Perhaps the most famous DirectConnection member was its administrator Aleksei Burkov, a Russian hacker thought to be so connected to the Russian cybercriminal scene that he was described as an “asset of extreme importance to Moscow.” Burkov was arrested in Israel in 2015, and the Kremlin arrested an Israeli woman on trumped-up drug charges to force a prisoner swap.
That effort failed. Burkov was extradited to the U.S. in 2019, soon pleaded guilty, and was sentenced to nine years. However, he was recently deported back to Russia prior to serving his full sentence, which has prompted Republican leaders in the House to question why.
Other notable cybercrooks from DirectConnection who’ve been arrested, extradited to the U.S. and sentenced to prison include convicted credit card fraudsters Vladislav “Badb” Horohorin and Sergey “zo0mer” Kozerev, as well as the infamous spammer and botnet master Peter “Severa” Levashov.
At his sentencing today, Berezan was sentenced to 66 months in prison and ordered to pay $36 million in restitution to his victims. A source close to the investigation said Berezan’s sentence likely would have been far more severe had he not entered into a cooperation agreement to share useful information with U.S. authorities.
Ransomware has focused on big-game hunting of large enterprises in the past years, and those events often make the headlines. The risk can be even more serious for small and medium-sized businesses (SMBs), who struggle to both understand the changing nature of the threats and lack the resources to become cyber resilient. Ransomware poses a greater threat to SMBs’ core ability to continue to operate, as recovery can be impossible or expensive beyond their means.
SMBs commonly seek assistance from managed services providers (MSPs) for their foundational IT needs to run their business — MSPs have been the virtual CIOs for SMBs for years. Increasingly, SMBs are also turning to their MSP partners to help them fight the threat of ransomware, implicitly asking them to also take on the role of a virtual CISO, too. These MSPs have working knowledge of ransomware and are uniquely situated to assist SMBs that are ready to go on a cyber resilience journey.
With this expert assistance available, one would think that we would be making more progress on ransomware. However, MSPs are still meeting resistance when working to implement a cyber resilience plan for many SMBs.
In our experience working with MSPs and hearing the challenges they face with SMBs, we have come to the conclusion that much of this resistance they meet is based on under-awareness, biases, or fallacies.
In this two-part blog series, we will present four common mistakes SMBs make when thinking about ransomware risk, allowing you to examine your own beliefs and draw new conclusions. We contend that until SMBs resistance to resilience improvement do the work to unwind critical flaws in thinking, ransomware will continue to be a growing and existential problem they face.
1. Relying on flawed thinking
“I’m concerned about the potential impacts of ransomware, but I do not have anything valuable that an attacker would want, so ransomware is not likely to happen to me.”
Formal fallacies
These arguments are the most common form of resistance toward implementing adequate cyber resilience for SMBs, and they create a rationalization for inaction as well as a false sense of safety. However, they are formal fallacies, relying on common beliefs that are partially informed by cognitive biases.
Formal fallacies can best be classified simply as deductively invalid arguments that typically commit an easily recognizable logical error when properly examined. Either the premises are untrue, or the argument is invalid due to a logical flaw.
Looking at this argument, the conclusion “ransomware will not happen to me” is the logical conclusion of the prior statement, “I have nothing of value to an attacker.” The flaw in this argument is that the attacker does not need the data they steal or hold ransom to be intrinsically valuable to them — they only need it to be valuable to the attack target.
Data that is intrinsically valuable is nice to have for an attacker, as they can monetize it outside of the attack by exfiltrating it and selling it (potentially multiple times), but the primary objective is to hold it ransom, because you need it to run your business. Facing this fact, we can see that the conclusion “ransomware will not happen to me” is logically invalid based on the premise “I have nothing of value to an attacker.”
Confirmation bias
The belief “ransomware will not happen to me” can also be a standalone argument. The challenge here is that the premise of the argument is unknown. This means we need data to support probability. With insufficient reporting data to capture accurate rates of ransomware on SMBs, this is problematic and can lead to confirmation bias. If I can't find data on others like me as an SMB, then I may conclude that this confirms I'm not at risk.
Anchoring bias
I may be able to find data in aggregate that states that my SMB’s industries are not as commonly targeted. This piece of data can lead to an anchoring bias, which is the tendency to rely heavily on the first piece of information we are given. While ransomware might not be as common in your industry, that does not mean it does not exist. We need to research further rather than latching onto this data to anchor our belief.
Acknowledge and act
The best way to combat these formal fallacies and biases is for the SMB and their MSP to acknowledge these beliefs and act to challenge them through proper education. Below are some of the most effective exercises we have seen SMBs and MSPs use to better educate themselves on real versus perceived ransomware risk likelihood:
- Threat profiling is an exercise that collects information, from vendor partners and open-source intelligence sources, to inform which threat actors are likely to target the business, using which tactics.
- Data flow diagrams can help you to map out your unique operating environment and see how all your systems connect together to better inform how data moves and resides within your IT environment.
- A risk assessment uses the threat profile information and overlays on the data flow diagram to determine where the business is most susceptible to attacker tactics.
- Corrective action planning is the last exercise, where you prioritize the largest gaps in protection using a threat- and risk-informed approach.
2. Being resigned to victimhood
“Large companies and enterprises get hit with ransomware all the time. As an SMB, I don't stand a chance. I don't have the resources they do. This is hopeless; there’s nothing I can do about it.”
Victim mentality
This past year has seen a number of companies that were supposedly “too large and well-funded to be hacked” reporting ransomware breaches. It feels like there is a constant stream of information re-enforcing the mentality that, even with a multi-million dollar security program, an SMB will not be able to effectively defend against the adverse outcomes from ransomware. This barrage of information can make them feel a loss of control and that the world is against them.
Learned helplessness
These frequent negative outcomes for “prepared” organizations are building a sense of learned helplessness, or powerlessness, within the SMB space. If a well-funded and organized company can't stop ransomware, why should we even try?
This mentality takes a binary view on a ransomware attack, viewing it as an all-or-nothing event. In reality, there are degrees of success of a ransomware attack. The goal of becoming immune to ransomware can spark feelings of learned helplessness, but if you reframe it as minimizing the damage a successful attack will have, this allows you to regain a sense of control in what otherwise may feel like an impossible effort.
Pessimism bias
This echo chamber of successful attacks (and thus presumed unsuccessful mitigations) is driving a pessimism bias. As empathetic beings, we feel the pain of these attacked organizations as though it were our own. We then tie this negative emotion to our expectation of an event (i.e. a ransomware attack), creating the expectation of a negative outcome for our own organization.
Acknowledge and act
Biases and beliefs shape our reality. If an SMB believes they are going to fall victim to ransomware and fails to protect against it, they actually make that exact adverse outcome more likely.
Despite the fear and uncertainty, the most important variable missing from this mental math is environment complexity. The more complex the environment, the more difficult it is to protect. SMBs have an advantage over their large-business counterparts, as the SMB IT environment is usually easier to control with the right in-house tech staff and/or MSP partners. That means SMBs are better situated than large companies to deter and recover from attacks — with the right strategic investments.
Check back with us next week, when we’ll tackle the third and fourth major fallacies that hold SMBs back from securing themselves against ransomware.
Additional reading:
- Graph Analysis of the Conti Ransomware Group Internal Chats
- How Ransomware Is Changing US Federal Policy
- Is the Internet of Things the Next Ransomware Target?
- Ransomware: Is Critical Infrastructure in the Clear?