Archive for the ‘ransomware’ Category

Ransomware gang is auctioning off victims’ confidential data

June 2nd, 2020

Ransomware operators say they’re auctioning off victims’ confidential data in an attempt to put further pressure on them to pay hefty fees for its safe return.

The Happy Blog, a dark Web site maintained by the criminals behind the ransomware known by the names REvil, Sodin, and Sodinokibi, began the online bidding process earlier on Tuesday. Previously, the group published limited details of selected victim data and threatened to air additional confidential material if the owners didn’t pay. Besides stealing the data, the group also encrypts it so that it’s no longer accessible to the owners.

Combining the threat of publication with the loss of access to the encrypted data is designed to increase the chances of a payout. The new tactic adds still more pressure, possibly because previous practices haven’t yielded the desired results. The ransoms demanded are frequently high, sometimes in the millions of dollars. Affected companies have also been loath to encourage further attacks by rewarding the people behind them. Added to that reluctance are new financial pressures caused by the coronavirus pandemic.

Posted in Biz & IT, crime, hacking, ransomware

LockBit, the new ransomware for hire: a sad and cautionary tale

May 1st, 2020

Ransomware has emerged as one of the top threats facing large organizations over the past few years, with researchers reporting a more than fourfold increase in detections last year. A recent infection by a fairly new strain called LockBit explains why: after it ransacked one company’s poorly secured network in a matter of hours, leaders had no viable choice other than to pay the ransom.

A report published by McAfee documents the effectiveness of this newcomer ransomware. Incident responders with Northwave Intelligent Security Operations aided in the analysis. LockBit is most prevalent in countries including the US, the UK, France, Germany, Ukraine, China, India, and Indonesia.

Attackers started out by researching potential targets with valuable data and the means to make big payouts when faced with the dim prospect of losing access to it. The attackers then tried a list of common words as passwords in hopes of gaining access to one of the accounts. Eventually, they hit the jackpot: an administrative account that had free rein over the entire network. The weak account password, combined with the lack of multi-factor authentication protection, gave the attackers all the system rights they needed.

Posted in Biz & IT, extortion, lockbit, ransomware

7 Ways Hackers and Scammers Are Exploiting Coronavirus Panic

April 9th, 2020
In our previous stories, you might have already read about various campaigns warning how threat actors are capitalizing on the ongoing coronavirus pandemic in an attempt to infect your computers and mobile devices with malware or scam you out of your money. Unfortunately, to some extent, it's working, and that's because the attack surface is changing and expanding rapidly as many

Posted in android ransomware, coronavirus, COVID-19, Cyber Crime, hacking news, Mobile Security, phishing attack, ransomware, spyware

The Internet is drowning in COVID-19-related malware and phishing scams

March 16th, 2020

Emails and websites are promising vital information about keeping safe from the Coronavirus pandemic that’s sweeping the globe and threatening millions. In fact, a flood of them are scams that push malware, ransomware, and disinformation, attempt to steal passwords and personal information, and conduct espionage operations by hackers working for nation-states.

One of the most recent Coronavirus hoaxes to come to light is an Android app available at coronavirusapp[.]site. It claims to provide access to a map offering real-time virus tracking and information, including heatmap visuals and statistics. In fact, a researcher from DomainTools said, the app is laced with ransomware.

“This Android ransomware application, previously unseen in the wild, has been titled ‘CovidLock’ because of the malware’s capabilities and its background story,” DomainTools researcher Tarik Saleh wrote in Friday’s report. “CovidLock uses techniques to deny the victim access to their phone by forcing a change in the password used to unlock the phone. This is also known as a screen-lock attack and has been seen before on Android ransomware.”

Posted in Biz & IT, coronavirus, COVID-19, malware, phishing, Policy, ransomware

A US gas pipeline operator was infected by malware—your questions answered

February 20th, 2020

Tuesday’s news that a ransomware infection shut down a US pipeline operator for two days has generated no shortage of questions, not to mention a near-endless stream of tweets.

Some observers and armchair incident responders consider the event to be extremely serious. That’s because the debilitating malware spread from the unnamed company’s IT network—where email, accounting, and other business is conducted—to the company’s operational technology, or OT, network, which automatically monitors and controls critical operations carried out by physical equipment that can create catastrophic accidents when things go wrong.

Others said the reaction to the incident was overblown. They noted that, per the advisory issued on Tuesday, the threat actor never obtained the ability to control or manipulate operations, that the plant never lost control of its operations, and that facility engineers deliberately shut down operations in a controlled manner. This latter group also cited evidence that the infection of the plant’s industrial control systems, or ICS, network appeared to be unintentional on the part of the attackers.

Posted in Biz & IT, Industrial Control Systems, infections, malware, Policy, ransomware

US Govt Warns Critical Industries After Ransomware Hits Gas Pipeline Facility

February 19th, 2020
The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) earlier today issued a warning to all industries operating critical infrastructures about a new ransomware threat that if left unaddressed could have severe consequences. The advisory comes in response to a cyberattack targeting an unnamed natural gas compression facility that employed

Posted in computer virus, critical infrastructure, Cyber Attack, Cyber Crime, cyber war, Malware attack, ransomware, scada ransomware, Spear Phishing

US natural gas operator shuts down for 2 days after being infected by ransomware

February 19th, 2020

A US-based natural gas facility shut down operations for two days after sustaining a ransomware infection that prevented personnel from receiving crucial real-time operational data from control and communication equipment, the Department of Homeland Security said on Tuesday.

Tuesday’s advisory from the DHS’s Cybersecurity and Infrastructure Security Agency, or CISA, didn’t identify the site except to say that it was a natural gas-compression facility. Such sites typically use turbines, motors, and engines to compress natural gas so it can be safely moved through pipelines.

The attack started with a malicious link in a phishing email that allowed attackers to pivot from the facility’s IT network to the facility’s OT network, which is the operational technology hub of servers that control and monitor physical processes of the facility. With that, both the IT and OT networks were infected with what the advisory described as “commodity ransomware.”

Posted in Biz & IT, critical infrastructure, Policy, ransomware

Why you can’t bank on backups to fight ransomware anymore

February 7th, 2020
The Credit Union National Association held a ransomware exercise for member institutions and then got hit itself. While CUNA quickly recovered, the assumption that ransomware attacks don't equal data breaches is changing what "recovery" actually means.

Not every ransomware attack is an unmitigated disaster. But even the most prepared organizations, it seems, can have small-scale disasters in the era of mass scans, spear phishes, and targeted ransomware.

Just a few months after staging a ransomware exercise for its member credit unions, the Credit Union National Association (CUNA) experienced what a spokesperson described as a "business disruption issue"—caused by ransomware, according to a source that spoke with TechCrunch's Zack Whittaker. By late on February 4, the site had been fully restored. Jim Nussle, CUNA's president and CEO, sent a message to members on February 5:

We are pleased to share that as of last night, we have restored access to our site and other online resources. We want to thank you for your patience as we worked around the clock to restore these systems. We apologize for the inconvenience and frustration this may have caused as you had trouble accessing our services.

CUNA spokesperson Vicky Christner told Whittaker that “CUNA does not store Social Security numbers or credit card numbers of our members" and that "there [is] no evidence to suggest that any data in our system—such as names, business addresses and email addresses—have been accessed."

Posted in Biz & IT, Maze ransomware, ransomware, REvil ransomware, ryuk, Sodinokibi

Attack abusing Bitbucket serves potent malware cocktail to more than 500k users

February 5th, 2020

An ongoing attack has so far delivered a cocktail of malicious wares to more than 500,000 users by abusing Bitbucket, the source code management system operated by Atlassian, researchers reported on Wednesday.

The attack, carried out by multiple holders of malicious Bitbucket accounts, distributes an array of malware that carries out a wide range of nefarious actions. Siphoning email credentials and other sensitive data, installing ransomware, stealing cryptocurrency, and surreptitiously freeloading on electricity and computing resources to mine cryptocurrency are all included. Researchers at security firm Cybereason said the ongoing attack has already generated more than 500,000 downloads, an indication that the attack may be infecting a sizable number of users.

"This campaign deploys an arsenal of malware for a multi-pronged assault on businesses," Cybereason researchers Lior Rochberger and Assaf Dahan wrote in a report. "It is able to steal sensitive browser data, cookies, email client data, system information, and two-factor authentication software data, along with cryptocurrency from digital wallets. It is also able to take pictures using the camera, take screenshots, mine Monero, and in certain cases also deploy ransomware."

Posted in Bitbucket, Biz & IT, malware, ransomware

New ransomware doesn’t just encrypt data. It also meddles with critical infrastructure

February 4th, 2020

Over the past five years, ransomware has emerged as a vexing menace that has shut down factories, hospitals, and local municipalities and school districts around the world. In recent months, researchers have caught ransomware doing something that's potentially more sinister: intentionally tampering with industrial control systems that dams, electric grids, and gas refineries rely on to keep equipment running safely.

A ransomware strain discovered last month and dubbed Ekans contains the usual routines for disabling data backups and mass-encrypting files on infected systems. But researchers at security firm Dragos found something else that has the potential to be more disruptive: code that actively seeks out and forcibly stops applications used in industrial control systems. Before starting file-encryption operations, the ransomware kills processes listed by process name in a hard-coded list within the encoded strings of the malware.

In all, Ekans kills 64 processes, including those spawned by human-machine interfaces from Honeywell, the Proficy Historian from General Electric, and licensing servers from GE Fanuc. The same 64 processes, it turns out, are targeted in a version of the MegaCortex ransomware. That version first came to light in August.

Posted in Biz & IT, critical infrastructure, ICS, Industrial Control Systems, malware, Policy, ransomware