Analysis and Attribution of the Eternity Ransomware: Timeline and Emergence of the Eternity Group
XVigil discovered a financially motivated threat actor group, dubbed Eternity group, actively operating on the internet, selling worms, stealers, DDoS tools, and ransomware builders.
President Rodrigo Chaves says Costa Rica is at war with Conti hackers
The president of Costa Rica says his country is "at war", as cyber-criminals cause major disruption to IT systems of numerous government ministries. Rodrigo Chaves said hackers infiltrated 27 government institutions, including municipalities and state-run utilities.
US links Thanos and Jigsaw ransomware to 55-year-old doctor
The US Department of Justice today said that Moises Luis Zagala Gonzalez (Zagala), a 55-year-old cardiologist with French and Venezuelan citizenship residing in Ciudad Bolivar, Venezuela, created and rented Jigsaw and Thanos ransomware to cybercriminals.
Costa Rica declares national emergency after Conti ransomware attacks
The Costa Rican President Rodrigo Chaves has declared a national emergency following cyber attacks from Conti ransomware group on multiple government bodies. BleepingComputer also observed Conti published most of the 672 GB dump that appears to contain data belonging to the Costa Rican government agencies. The declaration was signed into law by Chaves on Sunday, May 8th, same day as the economist and former Minister of Finance effectively became the country's 49th and current president.
Ukrainian Researcher Leaks Conti Ransomware Gang Data
A Ukrainian cybersecurity researcher has released a huge batch of data that came from the internal systems of the Conti ransomware gang. The researcher released the
TrickBot malware operation shuts down, devs move to BazarBackdoor
The TrickBot malware operation has shut down after its core developers move to the Conti ransomware gang to focus development on the stealthy BazarBackdoor and Anchor malware families.
Overview This week, the Sonicwall Capture Labs threat research team analyzed a ransomware calling itself Lighter Ransomware. Upon execution, it opens up a window with a countdown timer instructing the victim to reach out immediately […]
Change Healthcare ransomware attack disrupting industry nationwide
The reports keep coming in from across the country on how the Change Healthcare ransomware attack that first came to light on Feb. 21 has been impacting the healthcare sector. The case has been called the most severe cyberattack on the healthcare sector in history and has had a great impact since Change Healthcare, owned by UnitedHealth Group, processes 15 billion healthcare transactions annually, affecting 1 in 3 patient records.
Ransomware Recruitment Efforts Following Law Enforcement Disruption
In late 2023 and early 2024, the ransomware ecosystem experienced repeated disruption of its most prolific Ransomware-as-a-Service (RaaS) groups at the hands of international Law Enforcement (LE). Alphv’s dark web data leak site was seized, then unseized, then re-seized in a December 2023 law enforcement operation that seemingly failed to deter the group – until AlphV ultimately claimed to disband via an apparent exit scam, immediately following a high-profile attack against Change Healthcare in March 2024. LockBit experienced a far more dramatic and well-marketed disruption, “Operation Cronos,” in February 2024, leading to the compromise of its infrastructure, internal operational details, and data. While LockBit has ostensibly continued operations, its highly publicized disruption raises the question of whether the group will be able to continue operating and attracting affiliates at the level they once enjoyed.
Interesting Multi-Stage StopCrypt Ransomware Variant Propagating in the Wild
Overview The SonicWall Capture Labs threat research team recently observed an interesting variant of StopCrypt ransomware. The ransomware executes its malicious activities by utilizing multi-stage shellcodes before launching a final payload that contains the file […]
Exclusive: After LockBit’s takedown, its purported leader vows to hack on
This week, the Click Here podcast landed a rare interview with the purported leader of the LockBit ransomware group – he goes by the name LockBitSupp. He’s under pressure because last month an international police operation infiltrated the group and seized not just their platform, but their hacking tools, cryptocurrency accounts and source code ending a four year ransomware rampage.
GhostSec’s joint ransomware operation and evolution of their arsenal
Cisco Talos observed a surge in GhostSec, a hacking group’s malicious activities since this past year. GhostSec has evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware.
LockBit ransomware affiliate gets four years in jail, to pay $860k
Russian-Canadian cybercriminal Mikhail Vasiliev has been sentenced to four years in prison by an Ontario court for his involvement in the LockBit ransomware operation. #Canada #Case #Computer #Court #InfoSec #Legal #LockBit #Prison #Ransomware #Security
Switzerland: Play ransomware leaked 65,000 government documents
The National Cyber Security Centre (NCSC) of Switzerland has released a report on its analysis of a data breach following a ransomware attack on Xplain, disclosing that the incident impacted thousands of sensitive Federal government files.
CISA, FBI, and MS-ISAC Release Advisory on Phobos Ransomware
Today, CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA), #StopRansomware: Phobos Ransomware, to disseminate known tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), which are from incident response investigations tied to Phobos ransomware activity from as recently as February, 2024.
Phobos Ransomware Aggressively Targeting U.S. Critical Infrastructure
U.S. cybersecurity and intelligence agencies have warned of Phobos ransomware attacks targeting government and critical infrastructure entities, outlining the various tactics and techniques the threat actors have adopted to deploy the file-encrypting malware. "Structured as a ransomware-as-a-service (RaaS) model, Phobos ransomware actors have targeted entities including municipal and county governments, emergency services, education, public healthcare, and critical infrastructure to successfully ransom several million in U.S. dollars," the government said.
Blackcat ransomware site reportedly seized but UK agency denies responsibility
website used by hackers responsible for a breach at UnitedHealth Group (UNH.N), opens new tab has been replaced by a notice saying it has been seized by international law enforcement. But at least one of the agencies allegedly responsible said it had nothing to do with the seizure, raising the possibility that the hackers - who also go by the moniker ALPHV - faked their own takedown. A message posted to the website of the Blackcat hacking gang on Tuesday said it had been impounded "as part of a coordinated law enforcement action" by U.S. authorities and other law enforcement agencies. Among the logos of non-American agencies involved were those of Europol and Britain's National Crime Agency.
BlackCat ransomware shuts down in exit scam, blames the "feds"
The BlackCat ransomware gang is pulling an exit scam, trying to shut down and run off with affiliates' money by pretending the FBI seized their site and infrastructure.
BlackCat ransomware turns off servers amid claim they stole $22 million ransom
The ALPHV/BlackCat ransomware gang has shut down its servers amid claims that they scammed the affiliate responsible for the attack on Optum, the operator of the Change Healthcare platform, of $22 million.
Hackers Behind the Change Healthcare Ransomware Attack Just Received a $22 Million Payment
The transaction, visible on Bitcoin's blockchain, suggests the victim of one of the worst ransomware attacks in years may have paid a very large ransom.
This blog post provides a detailed look at the TTPs of a ransomware affiliate operator. In this case, the endpoint had been moved to another infrastructure (as illustrated by various command lines, and confirmed by the partner), so while Huntress SOC analysts reported the activity to the partner, no Huntress customer was impacted by the ransomware deployment.
LockBit ransomware returns, restores servers after police disruption
The LockBit gang is relaunching its ransomware operation on a new infrastructure less than a week after law enforcement hacked their servers, and is threatening to focus more of their attacks on the government sector.
Ransomware Operation LockBit Reestablishes Dark Web Leak Site
Russian-speaking ransomware operation LockBit reestablished a dark web leak site Saturday afternoon, posting a lengthy screed apparently authored by its leader, who
