Archive for the ‘ransomware’ Category

Spanish companies’ networks shut down as result of ransomware

November 4th, 2019
Image caption: Spanish broadcaster SER was hit by a ransomware attack on the morning of November 4, 2019, as was Spanish tech services firm Everis. (credit: OSCAR DEL POZO / AFP via Getty Images)

A targeted ransomware attack has taken down the networks of at least two companies in Spain today, sending ripples across other companies as they moved to defend themselves. The targets included Everis—a major IT services and consulting subsidiary of Japan-based global communications company NTT—and the radio company Sociedad Española de Radiodifusión (Cadena SER). A technician at one company told Spanish broadcaster ABC, "We are in hysteria mode."

Some other companies—including Spanish airport operator Aena—took down some of their services as a precautionary measure. They did so in part because Everis has staff on site at many Spanish corporations. But the attack may have affected other companies as well, though no others have publicly acknowledged the ransomware.

The ransomware appears to be a variant of the BitPaymer family that is connected to the Dridex group of malware, according to security researcher Vitali Kremez and others who have analyzed the attack.


Posted in BitPaymer, Biz & IT, NTT, ransomware

Targeted Ransomware Attacks Hit Several Spanish Companies

November 4th, 2019
Everis, one of the largest IT consulting companies in Spain, suffered a targeted ransomware attack on Monday, forcing the company to shut down all its computer systems until the issue gets resolved completely. Ransomware is a computer virus that encrypts files on an infected system until a ransom is paid. According to several local media, Everis informed its employees about the devastating

Posted in BitPaymer, Cyber Attack, IEncrypt, Malware attack, ransomware, ransomware attack

The count of managed service providers getting hit with ransomware mounts

October 30th, 2019
Image caption: When MSPs get owned by ransomware, their customers can lose more than just access to an application. (credit: Getty Images)

When more than 20 local governments in Texas were hit by ransomware in a single day this summer, the attack was apparently tracked back to one thing the organizations had in common: a managed service provider. With limited IT resources of their own, local governments have increasingly turned to MSPs to operate significant portions of their networks and applications, as have other organizations and businesses—often placing critical parts of their business operations in the MSPs' hands. And that has made MSPs a very attractive target for ransomware operators.

Threat researchers at the global cloud security provider Armor have been tracking publicly-reported incidents in which MSP and cloud service providers have been hit with ransomware. Thus far, they have documented 13 such incidents this year—with 6 of them reported in the past few months.

The most recent publicly exposed victim is Billtrust, which, as security journalist Brian Krebs reported, was hit by what BleepingComputer reported was BitPaymer ransomware (a report that has not been confirmed). Billtrust is an online invoicing and billing provider based in New Jersey that also provides credit decision services. Billtrust executives sent an email to customers on October 22, informing them of the attack, stating:


Posted in Biz & IT, managed services, ransomware

Johannesburg’s network shut down after second attack in 3 months

October 25th, 2019
Image caption: Johannesburg City Hall (credit: Chris Eason)

Johannesburg, the biggest city in South Africa and the 26th largest city worldwide, has shut down its website, billing and electronic services after being hit by a serious network attack, the second one in three months, municipality officials said.

A group calling itself Shadow Kill Hackers took to Twitter to take credit for the attack, claiming it took Johannesburg's “sensitive finance data offline.” The group is demanding 4 Bitcoins, valued at about $32,000 US, for the safe return of the data.

A Johannesburg spokesman said the city took down the site after it detected a breach and that so far no formal ransom demands had been made. He also played down the extent of the breach.


Posted in Biz & IT, cities, hacking, malware, Policy, ransomware

Attackers exploit an iTunes zeroday to install ransomware

October 10th, 2019
Image caption: The iTunes logo photoshopped onto a pistol target that has been shot multiple times. (credit: Aurich Lawson / Getty Images)

Attackers exploited a zeroday vulnerability in Apple's iTunes and iCloud programs to infect Windows computers with ransomware without triggering antivirus protections, researchers from Morphisec reported on Thursday. Apple patched the vulnerability earlier this week.

The vulnerability resided in the Bonjour component that both iTunes and iCloud for Windows rely on, according to a blog post. The bug is known as an unquoted service path, which, as its name suggests, happens when a developer forgets to surround a file path with quotation marks. When the bug is in a trusted program—such as one digitally signed by a well-known developer like Apple—attackers can exploit the flaw to make the program execute code that AV protection might otherwise flag as suspicious.

Morphisec CTO Michael Gorelik explained it this way:


Posted in apple, Biz & IT, Bonjour, exploits, icloud, iTunes, ransomware, vulnerabilities

FBI warns of major ransomware attacks as criminals go “big-game hunting”

October 7th, 2019
Image caption: Big-time criminals have come to play in the ransomware game, taking down "big game" for big bucks. (credit: Wolfgang Kaehler / Getty Images)

The FBI has issued a public service announcement entitled "High Impact Ransomware Attacks Threaten US Businesses and Organizations." While the announcement doesn't provide any details of specific attacks, the Bureau warns in the announcement:

Ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent. Since early 2018, the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 [the Internet Crime Complaint Center] and FBI case information.

This pronouncement will come as no surprise to anyone who's followed the wide-ranging ransomware attacks against cities, counties, state agencies, and school districts over the course of 2019. While some of the most publicized attacks—such as the Baltimore City "RobbinHood" attack in May—have appeared to be opportunistic, many more have been more sophisticated and targeted. And these attacks are but the most visible part of an upsurge in digital crime seen by commercial information security firms thus far in 2019. In fact, sophisticated criminal attacks have nearly fully eclipsed state actors' activity—despite there not being any reduction in state-sponsored attacks.

Data from CrowdStrike has shown a rise in what the firm refers to as "big-game hunting" over the past 18 months. These attacks focus on high-value data or assets within organizations that are especially sensitive to downtime—so the motivation to pay a ransom is consequently very high.


Posted in Advanced Persistent Threats, Biz & IT, ransomware, ryuk, SamSam, Texas Ransomware

Hospitals that are turning away patients reportedly pay ransomware attackers

October 7th, 2019
Image caption: Photograph of the back door of an ambulance. (credit: Andrew Malone / Flickr)

Three Alabama hospitals have paid a ransomware demand to the criminals who waged a crippling malware attack that's forcing the hospitals to turn away all but the most critical patients, the Tuscaloosa News reported.

As reported last Tuesday, ransomware shut down the hospitals' computer systems and prevented staff from following many normal procedures. Officials have been diverting non-critical patients to nearby hospitals and have warned that emergency patients may also be relocated once they are stabilized. An update posted on Saturday said the diversion procedure remained in place. All three hospitals are part of the DCH health system in Alabama.

Over the weekend, the Tuscaloosa News said DCH officials made a payment to the people responsible for the ransomware attack. The report didn't say how much officials paid. Saturday's statement from DCH officials said they have obtained a decryption key but didn't say how they obtained it.


Posted in Biz & IT, health care, hospitals, malware, Policy, ransomware

How insurance companies are fueling a rise in ransomware attacks

August 27th, 2019
Image caption: Lloyd's of London, a glass-walled skyscraper photographed from below. (credit: Mark Towning / Flickr)

On June 24, the mayor and council of Lake City, Fla., gathered in an emergency session to decide how to resolve a ransomware attack that had locked the city's computer files for the preceding fortnight. Following the Pledge of Allegiance, Mayor Stephen Witt led an invocation. "Our heavenly father," Witt said, "we ask for your guidance today, that we do what's best for our city and our community."

Witt and the council members also sought guidance from City Manager Joseph Helfenberger. He recommended that the city allow its cyber insurer, Beazley, an underwriter at Lloyd's of London, to pay the ransom of 42 bitcoin, then worth about $460,000. Lake City, which was covered for ransomware under its cyber-insurance policy, would only be responsible for a $10,000 deductible. In exchange for the ransom, the hacker would provide a key to unlock the files.

"If this process works, it would save the city substantially in both time and money," Helfenberger told them.


Posted in Biz & IT, Pro Publica, ransomware

While one Texas county shook off ransomware, small cities took full punch

August 21st, 2019
Image caption: They did. (credit: Hemera Technologies/Getty Images)

Few details have emerged about the coordinated ransomware attack that struck 22 local governments in Texas last week. But five local governments affected by the attack have been identified.

On August 20, the Texas Department of Information Resources revised its initial report that 23 "entities" had been affected by the ransomware attack, reducing that count by 1. And a Texas DIR spokesperson said in a statement that about a quarter of the local governments affected have been able to at least partially restore normal operations.

That includes Lubbock County, which apparently escaped major disruptions. Lubbock County judge Curtis Parrish told Magic 106.5 Radio that the county's IT department "was right on top of it… they were able to get that virus isolated, contained and dealt with in a very quick manner so it did not affect any other computers or computer systems here in Lubbock County."


Posted in Biz & IT, Policy, ransomware, Texas Ransomware

Ransomware strike takes down 23 Texas local government agencies

August 19th, 2019
Image caption: They did. (credit: Getty Images)

Early on August 16, a total of 23 local government organizations in Texas were hit by a coordinated ransomware attack. The type of ransomware has not been revealed, and Texas officials asserted that no state networks were compromised in the attack.

A spokesman for the Texas Department of Information Resources (TDIR) told Ars that authorities are not ready to reveal the names of the entities affected, nor other details of the attack. State and federal agencies are in the midst of a response, and TDIR did not have information on whether any of the affected governmental organizations had chosen to pay the ransom.

But the TDIR did reveal that the ransomware came from a single source. "At this time, the evidence gathered indicates the attacks came from one single threat actor," a spokesperson said. "Investigations into the origin of this attack are ongoing; however, response and recovery are the priority at this time."


Posted in Baltimore City ransomware, Biz & IT, Florida ransomware, Georgia ransomware, local government ransomware, Policy, ransomware, school district, Texas Ransomware