Cyber Cops Stopped 500 Ransomware Hacks Since 2021, DHS Says - Bloomberg
Homeland Security Investigations is stopping hacks before they occur.
Event Log Talks a Lot: Identifying Human-operated Ransomware through Windows Event Logs - JPCERT/CC Eyes
The difficult part of the initial response to a human-operated ransomware attack is identifying the attack vector. You may already know from recent security incident trends that the vulnerabilities of VPN devices are likely to be exploited, but it often...
Crucial Texas hospital system turning ambulances away after ransomware attack
One of the largest hospitals in West Texas has been forced to divert ambulances after a ransomware attack shut down many of its systems last Thursday. The University Medical Center Health System in Lubbock confirmed on Friday that IT outages are being caused by a ransomware incident.
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed the threat actor tracked as Storm-0501 launching a multi-staged attack where they compromised hybrid cloud environments and performed lateral movement from on-premises to cloud environment, leading to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment. The said attack targeted multiple sectors in the United States, including government, manufacturing, transportation, and law enforcement. Storm-0501 is a financially motivated cybercriminal group that uses commodity and open-source tools to conduct ransomware operations.
Inside the Dragon: DragonForce Ransomware Group
in light of the escalating frequency and complexity of ransomware attacks, are security leaders confident in their organization’s defenses? According to Group-IB’s Hi-Tech Crime Trends 2023/2024 Report, ransomware will have an increasingly significant impact in 2024 and beyond. Key trends driving this include the expansion of the Ransomware-as-a-Service (RaaS) market, the proliferation of stolen data on Dedicated Leak Sites (DLS), and a rise in affiliate programs.
Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware
In November 2023, we identified a BlackCat ransomware intrusion started by Nitrogen malware hosted on a website impersonating Advanced IP Scanner. Nitrogen was leveraged to deploy Sliver and Cobalt Strike beacons on the beachhead host and perform further malicious actions. The two post-exploitation frameworks were loaded in memory through Python scripts. After obtaining initial access and establishing further command and control connections, the threat actor enumerated the compromised network with the use of PowerSploit, SharpHound, and native Windows utilities. Impacket was employed to move laterally, after harvesting domain credentials. The threat actor deployed an opensource backup tool call Restic on a file server to exfiltrate share data to a remote server. Eight days after initial access the threat actor modified a privileged user password and deployed BlackCat ransomware across the domain using PsExec to execute a batch script. Six rules were added to our Private Ruleset related to this intrusion.
Kryptina RaaS | From Unsellable Cast-Off to Enterprise Ransomware
Kryptina's adoption by Mallox affiliates complicates malware tracking as ransomware operators blend different codebases into new variants. Kryptina evolved from a free tool on public forums to being actively used in enterprise attacks, particularly under the Mallox ransomware family. In May 2024, a Mallox affiliate leaked staging server data, revealing that their Linux ransomware was based on a modified version of Kryptina. The affiliate made superficial changes to source code and documentation, stripping Kryptina branding but retaining core functionality. The adoption of Kryptina by Mallox affiliates exemplifies the commoditization of ransomware tools, complicating malware tracking as affiliates blend different codebases into new variants. * This original research was presented by the author at LABScon 2024 in Scottsdale, Arizona.
Vanir Ransomware Group onion site seized by German law enforcement
Threat actors called Vanir Ransomware Group posted a few listings in July. Tonight, however, their onion site has a seized message: ” THIS HIDDEN SITE HAS BEEN SEIZED by the State Bureau of Investigation Baden-Württemberg as a part of a law enforcement action taken against Vanir Ransomware Group “
Qilin ransomware attack on Synnovis impacted over 900K patients
The personal information of a million individuals was leaked online following a ransomware attack that in June hit NHS hospitals in London.
German radio station forced to broadcast 'emergency tape' following cyberattack
Radio Geretsried, a local station in Bavaria, said it was trying to save music files and restore systems after an apparent ransomware attack.
RansomHub claims Kawasaki cyberattack, threatens to leak stolen data
Kawasaki Motors Europe has announced that it's recovering from a cyberattack that caused service disruptions as the RansomHub ransomware gang threatens to leak stolen data.
Kawasaki’s European HQ recovers from cyber attack
At the start of September, Kawasaki Motors Europe, (KME) was the subject of a cyber-attack which, although not successful, resulted in the company’s servers being temporarily isolated until a strategic recovery plan was initiated later on the same day. KME and its country Branches operate a large number of servers and, as a precaution, it was decided to isolate each one and put a cleansing process in place whereby all data was checked and any suspicious material identified and dealt with.
Enquête ESET : le cybergang CosmicBeetle cible des entreprises françaises et devient affilié de RansomHub | UnderNews
ESET découvre que le groupe CosmicBeetle s'associe à d'autres gangs de ransomwares et cible des entreprises en France. Tribune ESET. Les chercheurs d'ESET ont mené l’enquête sur ScRansom, un nouveau ransomware développé par le groupe CosmicBeetle. CosmicBeetle a débuté avec les outils Lockbit qui ont fuité. CosmicBeetle est probablement devenu récement un affilié RansomHub ScRansom
Tracking Ransomware - August 2024 - CYFIRMA
August 2024 witnessed a noticeable increase in ransomware activity, with emerging groups like Lynx and RansomHub showing dramatic...
Arctic Wolf Observes Akira Ransomware Campaign Targeting SonicWall SSLVPN Accounts
In recent threat activity observed by Arctic Wolf, Akira ransomware affiliates carried out ransomware attacks with an initial access vector involving the compromise of SSLVPN user accounts on SonicWall devices.
Cicada 3301 - Ransomware-as-a-Service - Technical Analysis
Discover the latest insights on the emerging ransomware group Cicada3301, first detected in June 2024. Truesec's investigation reveals key findings about this group, named after a famous cryptography game, now targeting multiple victims.
Cybercriminals operating ransomware as a service from overseas continue to be responsible for most high-profile cybercrime attacks against the UK
The deployment of ransomware remains the greatest serious and organised cybercrime threat, the largest cybersecurity threat, and also poses a risk to the UK’s national security. Ransomware attacks can have a significant impact on victims due to financial, data, and service losses, which can lead to business closure, inaccessible public services, and compromised customer data. Threat actors are typically based in overseas jurisdictions where limited cooperation makes it challenging for UK law enforcement to disrupt their activities.
BlackSuit Ransomware
- In December 2023, we observed an intrusion that started with the execution of a Cobalt Strike beacon and ended in the deployment of BlackSuit ransomware. The threat actor leveraged various tools, including Sharphound, Rubeus, SystemBC, Get-DataInfo.ps1, Cobalt Strike, and ADFind, along with built-in system tools. Command and control traffic was proxied through CloudFlare to conceal their Cobalt Strike server. Fifteen days after initial access, BlackSuit ransomware was deployed by copying files over SMB to admin shares and executing them through RDP sessions. Three rules were added to our private ruleset related to this case.
Qilin ransomware caught stealing credentials stored in Google Chrome
Familiar ransomware develops an appetite for passwords to third-party sites
Touché par un ransomware, Schlatter Industries a relancé ses systèmes (update) | ICTjournal
Le réseau informatique de l'entreprise suisse de fabrication de machines Schlatter a été attaqué via un logici
Ransomware attackers introduce new EDR killer to their arsenal
Sophos discovers the threat actors behind RansomHub ransomware using EDRKillShifter in attacks
CVE-2024-23897 Enabled Ransomware Attack on Indian Banks
CVE-2024-23897 is an unauthenticated arbitary file read vulnerability in Jenkins CLI used by RansomEXX to target small Indian banks.
Don’t get Mad, get wise
The “Mad Liberator” ransomware group leverages social-engineering moves to watch out for
Security bugs in ransomware leak sites helped save six companies from paying hefty ransoms
The vulnerabilities allowed one security researcher to peek inside the leak sites without having to log in.
How a cybersecurity researcher befriended, then doxed, the leader of LockBit
Jon DiMaggio used sockpuppet accounts, then his own identity, to infiltrate LockBit and gain the trust of its alleged admin, Dmitry Khoroshev.
Cybersécurité : le Grand Palais et plusieurs musées dont le Louvre victimes d’une attaque par rançongiciel
Les attaquants ont chiffré une partie des données financières et menacent de les diffuser s’ils ne reçoivent pas une rançon. Une enquête a été ouverte.
Ransomware gang targets IT workers with new SharpRhino malware
The Hunters International ransomware group is targeting IT workers with a new C# remote access trojan (RAT) called SharpRhino to breach corporate networks.
New Hunters International RAT identified by Quorum Cyber
During a recent ransomware incident investigated by the Quorum Cyber Incident Response team, novel malware was identified previously unknown.
Surge in Magniber ransomware attacks impact home users worldwide
A massive Magniber ransomware campaign is underway, encrypting home users' devices worldwide and demanding thousand-dollar ransoms to receive a decryptor. Magniber launched in 2017 as a successor to the Cerber ransomware operation when it was spotted being distributed by the Magnitude exploit kit. Since then, the ransomware operation has seen bursts of activity over the years, with the threat actors utilizing various methods to distribute Magniber and encrypt devices. These tactics include using Windows zero-days, fake Windows and browser updates, and trojanized software cracks and key generators.
Black Basta ransomware switches to more evasive custom malware
The Black Basta ransomware gang has shown resilience and an ability to adapt to a constantly shifting space, using new custom tools and tactics to evade detection and spread throughout a network.