Showing results for tags 'ransomware'.

  1. Microsoft: Windows MSHTML bug now exploited by ransomware gangs

     Microsoft says multiple threat actors, including ransomware affiliates, are targeting the recently patched Windows MSHTML remote code execution security flaw.

     In the wild exploitation of this vulnerability (tracked as CVE-2021-40444) began on August 18 according to the company, more than two weeks before Microsoft published a security advisory with a partial workaround.

     According to telemetry data analyzed by security analysts at the Microsoft 365 Defender Threat Intelligence Team and the Microsoft Threat Intelligence Center (MSTIC), the small number of initial attacks (less than 10) used maliciously crafted Office documents.

     These attacks targeted the CVE-2021-40444 bug "as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders."

     Beacons deployed on the network of at least one victim communicated with malicious infrastructure connected with several cybercrime campaigns, including human-operated ransomware.

     Some of the Cobalt Strike infrastructure used in the August CVE-2021-40444 attacks was also used in the past to deliver BazaLoader and Trickbot payloads — activity overlapping with that associated with the DEV-0193 activity cluster, tracked by Mandiant as UNC1878, aka WIZARD SPIDER / RYUK according to RiskIQ.

     Payloads delivered also overlapped with DEV-0365, an activity cluster associated with infrastructure possibly used as a Cobalt Strike command-and-control (C2) service (CS-C2aaS) for other groups.

     Image: CVE-2021-40444 attack chain (Microsoft)

     Exploited by ransomware gangs after public disclosure

     Microsoft also observed a massive increase in exploitation attempts within 24 hours after the CVE-2021-40444 advisory was published.

     "Since the public disclosure, Microsoft has observed multiple threat actors, including ransomware-as-a-service affiliates, adopting publicly disclosed proof-of-concept code into their toolkits," the researchers added. "Microsoft continues to monitor the situation and work to deconflict testing from actual exploitation."

     MSTIC Threat Intelligence analyst Justin Warner added that other threat groups and actors will likely continue adding CVE-2021-40444 exploits to their arsenal in the coming days and weeks.

     Image: CVE-2021-40444 exploitation (Microsoft)

     Microsoft recommends immediately applying the CVE-2021-40444 security updates released during the September 2021 Patch Tuesday to block incoming attacks.

     CVE-2021-40444 impacts systems running Windows Server 2008 through 2019 and Windows 8.1 or later, and it has a severity level of 8.8 out of the maximum 10.

     The security updates released by Microsoft address the vulnerability for all affected Windows versions and include a Monthly Rollup, a Security Only update, and an Internet Explorer cumulative update.

     BleepingComputer has independently confirmed that known CVE-2021-40444 exploits no longer work after applying the September 2021 security patches.

     To reduce the attack surface, customers who cannot apply the security updates should implement Microsoft's workarounds (disabling ActiveX controls via Group Policy and preview in Windows Explorer).
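A defender-side check for the ActiveX workaround the article mentions, added here as an example (it is not code from the article, BleepingComputer or Microsoft). It audits the Internet Explorer zone policy values that Microsoft's published CVE-2021-40444 workaround sets (values 1001 and 1004 under each of zones 0 to 3, both DWORD 3), and can apply them. The policy path and value names are taken from Microsoft's workaround guidance, which the article references but does not reproduce; the function names and the -Remediate switch are this example's own.

```powershell
# Audit (and optionally apply) the "disable ActiveX controls" workaround that
# Microsoft published for CVE-2021-40444. The policy path and the value names
# 1001 (download signed ActiveX) / 1004 (download unsigned ActiveX) come from
# Microsoft's workaround guidance; value 3 means "disable" for both.
# The -Remediate switch and the function names are this example's own.
[CmdletBinding()]
param(
    [switch]$Remediate
)

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones      = 0..3            # 0 = Local Machine, 1 = Intranet, 2 = Trusted, 3 = Internet
$ValueNames = '1001', '1004'
$Disabled   = 3

function Get-ActiveXZoneState {
    # One record per (zone, value) with the current data and whether it matches the workaround.
    foreach ($zone in $Zones) {
        $key   = Join-Path $PolicyRoot $zone
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        foreach ($name in $ValueNames) {
            $current = if ($props -and $props.PSObject.Properties[$name]) { $props.$name } else { $null }
            [pscustomobject]@{
                Zone      = $zone
                Value     = $name
                Current   = $current
                Compliant = ($current -eq $Disabled)
            }
        }
    }
}

function Set-ActiveXZoneState {
    # Create the zone policy keys if missing and force both values to 3 (disable).
    foreach ($zone in $Zones) {
        $key = Join-Path $PolicyRoot $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $ValueNames) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Disabled -Force | Out-Null
        }
    }
}

$state = Get-ActiveXZoneState
$state | Format-Table -AutoSize

$gaps = @($state | Where-Object { -not $_.Compliant })
if ($gaps.Count -eq 0) {
    Write-Host 'All four zones block ActiveX downloads (workaround in place).'
} elseif ($Remediate) {
    Set-ActiveXZoneState
    Write-Host "Applied the workaround to $($gaps.Count) non-compliant value(s); re-run without -Remediate to verify."
} else {
    Write-Warning "$($gaps.Count) value(s) are not set to 3; run with -Remediate (as Administrator) to apply the workaround."
}
```

The September 2021 update is the actual fix; this script only confirms or applies the interim mitigation on machines that cannot take the patch yet, and it checks the machine-wide policy hive that Microsoft's workaround writes, not per-user settings.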
  2. Free REvil ransomware master decrypter released for past victims

     A free master decryptor for the REvil ransomware operation has been released, allowing all victims encrypted before the gang disappeared to recover their files for free.

     The REvil master decryptor was created by cybersecurity firm Bitdefender in collaboration with a trusted law enforcement partner.

     While Bitdefender could not share details about how they obtained the master decryption key or the law enforcement agency involved, they told BleepingComputer that it works for all REvil victims encrypted before July 13th.

     "As per our blog post, we received the keys from a trusted law enforcement partner, and unfortunately, this is the only information we are at liberty to disclose right now," Bitdefender's Bogdan Botezatu, Director of Threat Research and Reporting, told BleepingComputer. "Once the investigation progresses and will come to an end, further details will be offered upon approval."

     REvil ransomware victims can download the master decryptor from Bitdefender (instructions) and decrypt entire computers at once or specify specific folders to decrypt.

     To test the decryptor, BleepingComputer encrypted a virtual machine with an REvil sample used in an attack earlier this year. After encrypting our files, we could use Bitdefender's decryptor to easily recover our files, as shown below.

     Image: Decrypting REvil encrypted files with decryptor

     Law enforcement likely compromised REvil servers

     The REvil ransomware operation, aka Sodinokibi, is believed to be a rebrand or successor to the now "retired" ransomware group known as GandCrab.

     Since launching in 2019, REvil has conducted numerous attacks against well-known companies, including JBS, Coop, Travelex, and Grupo Fleury.

     Finally, in a massive July 2nd attack using a Kaseya zero-day vulnerability, the ransomware gang encrypted sixty managed service providers and over 1,500 businesses worldwide.

     Image: REvil ransom demand for MSP encrypted on July 2nd

     After facing intense scrutiny by international law enforcement and increased political tensions between Russia and the USA, REvil suddenly shut down its operation on July 13th and disappeared.

     While REvil was shut down, Kaseya mysteriously received a master decryptor for their attack, allowing MSPs and their customers to recover files for free.

     As Bitdefender states that victims who REvil encrypted before July 13th can use this decryptor, it is safe to assume that the ransomware operation's disappearance was tied to this law enforcement investigation. It is also likely that Kaseya obtaining the REvil master decryption key for the attack on their customers is also tied to the same investigation.

     While REvil has returned to attacking victims earlier this month, the release of this master decryptor comes as a massive boon for existing victims who chose not to pay or simply couldn't after the ransomware gang disappeared.
  3. REvil ransomware is back in full attack mode and leaking data

     The REvil ransomware gang has fully returned and is once again attacking new victims and publishing stolen files on a data leak site.

     Since 2019, the REvil ransomware operation, aka Sodinokibi, has been conducting attacks on organizations worldwide where they demand million-dollar ransoms to receive a decryption key and prevent the leaking of stolen files.

     While in operation, the gang has been involved in numerous attacks against well-known companies, including JBS, Coop, Travelex, GSMLaw, Kenneth Cole, Grupo Fleury, and others.

     REvil's disappearance act

     REvil shut down their infrastructure and completely disappeared after their biggest caper yet - a massive attack on July 2nd that encrypted 60 managed service providers and over 1,500 businesses using a zero-day vulnerability in the Kaseya VSA remote management platform.

     REvil then demanded $50 million for a universal decryptor for all Kaseya victims, $5 million for an MSP's decryption, and a $44,999 ransom for individual file encryption extensions at affected businesses.

     Image: REvil ransom demand for an encrypted MSP

     This attack had such wide-ranging consequences worldwide that it brought the full attention of international law enforcement to bear on the group.

     Likely feeling pressure and concerns about being apprehended, the REvil gang suddenly shut down on July 13th, 2021, leaving many victims in a lurch with no way of decrypting their files.

     The last we had heard of REvil was that Kaseya received a universal decryptor that victims could use to decrypt files for free. It is unclear how Kaseya received the decryptor but stated it came from a "trusted third party."

     REvil returns with new attacks

     After their shutdown, researchers and law enforcement believed that REvil would rebrand as a new ransomware operation at some point. However, much to our surprise, the REvil ransomware gang came back to life this week under the same name.

     On September 7th, almost two months after their disappearance, the Tor payment/negotiation and data leak sites suddenly turned back on and became accessible. A day later, it was once again possible to log in to the Tor payment site and negotiate with the ransomware gang.

     All prior victims had their timers reset, and it appeared that their ransom demands were left as they were when the ransomware gang shut down in July.

     However, there was no proof of new attacks until September 9th, when someone uploaded a new REvil ransomware sample compiled on September 4th to VirusTotal.

     Today, we have seen further proof of their renewed attacks as the ransomware gang has published screenshots of stolen data for a new victim on their data leak site.

     If you have first-hand information about REvil's return, you can confidentially contact us on Signal at +16469613731, Wire at @lawrenceabrams-bc, or Jabber at [email protected]

     New REvil representative emerges

     In the past, REvil's public representative was a threat actor known as 'Unknown' or 'UNKN,' who frequently posted at hacking forums to recruit new affiliates or post news about the ransomware operation.

     Image: Forum post by REvil's UNKN

     On September 9th, after the return of the ransomware operation, a new representative simply named 'REvil' had begun posting at hacking forums claiming that the gang briefly shut down after they thought Unknown was arrested and servers were compromised.

     Image: REvil post to Russian-speaking hacking forum. Source: Advanced Intel

     This translation of these posts can be read below:

     "As Unknown (aka 8800) disappeared, we (the coders) backed up and turned off all the servers. Thought that he was arrested. We tried to search, but to no avail. We waited - he did not show up and we restored everything from backups. After UNKWN disappeared, the hoster informed us that the Clearnet servers were compromised and they deleted them at once. We shut down the main server with the keys right afterward. Kaseya decryptor, which was allegedly leaked by the law enforcement, in fact, was leaked by one of our operators during the generation of the decryptor." - REvil

     Based on these claims, Kaseya's universal decryptor was obtained by law enforcement after they gained access to some of REvil's servers. However, BleepingComputer has been told by numerous sources that REvil's disappearance surprised law enforcement as much as everyone else.

     A chat between what is believed to be a security researcher and REvil paints a different story, with an REvil operator claiming they simply took a break.

     Image: Chat between a researcher and REvil about their disappearance

     While we may never know the real reason for the disappearance or how Kaseya obtained the decryption key, what is most important is to know that REvil is back to targeting corporations worldwide.

     With their skilled affiliates and ability to perform sophisticated attacks, all network admins and security professionals must become familiar with their tactics and techniques.
  4. Ransomware gangs target companies using these criteria

     Ransomware gangs increasingly purchase access to a victim's network on dark web marketplaces and from other threat actors. Analyzing their want ads makes it possible to get an inside look at the types of companies ransomware operations are targeting for attacks.

     When conducting a cyberattack, ransomware gangs must first gain access to a corporate network to deploy their ransomware.

     With the massive profits being generated in attacks, instead of finding and breaching targets themselves, ransomware gangs are commonly purchasing initial access to high-value targets through initial access brokers (IABs).

     IABs are other threat actors who breach a network, whether through brute-forcing passwords, exploits, or phishing campaigns, and then sell that access to other cybercriminals.

     After examining ransomware gangs' "want ads," cybersecurity intelligence company KELA has compiled a list of criteria that the larger enterprise-targeting operations look for in a company for their attacks.

     Targeting certain companies

     KELA analyzed 48 forum posts created in July where threat actors are looking to purchase access to a network. The researchers state that 40% of these ads are created by people working with ransomware gangs.

     These want ads list the company requirements that ransomware actors are looking for, such as the country a company is located in, what industry they are in, and how much they are looking to spend.

     For example, in a want ad from the BlackMatter ransomware gang, the threat actors are looking for targets specifically in the USA, Canada, Australia, and Great Britain with revenue of $100 million or more. For this access, they are willing to pay $3,000 to $100,000, as shown in the want ad below.

     Image: BlackMatter network access want ad

     By analyzing the want ads from close to twenty posts created by threat actors related to ransomware gangs, the KELA researchers were able to come up with the following company characteristics that are being targeted:

     Geography: Ransomware gangs prefer victims located in the USA, Canada, Australia, and Europe.

     "The majority of requests mentioned the desired location of victims, with the US being the most popular choice - 47% of the actors mentioned it. Other top locations included Canada (37%), Australia (37%), and European countries (31%). Most of the advertisements included a call for multiple countries," said KELA's report.

     "The reason behind this geographical focus is that actors choose the most wealthy companies which are expected to be located in the biggest and the most developed countries."

     Revenue: KELA states that the average minimum revenue desired by ransomware gangs is $100 million. However, this can be different depending on the geographic location of the victim.

     "For example, one of the actors described the following formula: revenue should be more than 5 million USD for US victims, more than 20 million USD for European victims, and more than 40 million USD for “the third world” countries," explained KELA.

     Blacklist of sectors: While some gangs said they avoided healthcare, they were less picky about other industries of the companies they encrypt. However, after the Colonial Pipeline, Metropolitan Police Department, and JBS attacks, many ransomware gangs began avoiding specific sectors.

     "47% of ransomware attackers refused to buy access to companies from the healthcare and education industries. 37% prohibited compromising the government sector, while 26% claimed they will not purchase access related to non-profit organizations."

     "When actors prohibit healthcare or non-profit industries offers, it is more likely due to the moral code of the actors. When the education sector is off the table, the reason is the same or the fact that education victims simply cannot afford to pay much."

     "Finally, when actors refuse to target government companies, it is a precaution measure and an attempt to avoid unwanted attention from law enforcement."

     Blacklist of countries: Most large ransomware operations specifically avoid attacking companies located in the Commonwealth of Independent States (CIS) as they believe if they don't target those countries, the local authorities will not target them. These blacklisted countries include Russia, Ukraine, Moldova, Belarus, Kyrgyzstan, Kazakhstan, Armenia, Tajikistan, Turkmenistan, and Uzbekistan.

     Unfortunately, even if a company does not meet the above criteria, it does not mean that they are safe. Many ransomware gangs, such as Dharma, STOP, Globe, and others, are less picky, and you can wind up being targeted by a ransomware operation.

     Furthermore, even though these gangs prefer victims with these characteristics, it does not necessarily mean they won't breach a network independently. BleepingComputer has commonly seen ransomware gangs, such as DarkSide, REvil, BlackMatter, and LockBit, target smaller companies and demand much smaller ransoms.
  5. Wanted: Disgruntled Employees to Deploy Ransomware

     Criminal hackers will try almost anything to get inside a profitable enterprise and secure a million-dollar payday from a ransomware infection. Apparently now that includes emailing employees directly and asking them to unleash the malware inside their employer’s network in exchange for a percentage of any ransom amount paid by the victim company.

     Image: Abnormal Security.

     Crane Hassold, director of threat intelligence at Abnormal Security, described what happened after he adopted a fake persona and responded to the proposal in the screenshot above. It offered to pay him 40 percent of a million-dollar ransom demand if he agreed to launch their malware inside his employer’s network.

     This particular scammer was fairly chatty, and over the course of five days it emerged that Hassold’s correspondent was forced to change up his initial approach in planning to deploy the DemonWare ransomware strain, which is freely available on GitHub.

     “According to this actor, he had originally intended to send his targets—all senior-level executives—phishing emails to compromise their accounts, but after that was unsuccessful, he pivoted to this ransomware pretext,” Hassold wrote.

     Abnormal Security documented how it tied the email back to a young man in Nigeria who acknowledged he was trying to save up money to help fund a new social network he is building called Sociogram.

     Image: Abnormal Security.

     Reached via LinkedIn, Sociogram founder Oluwaseun Medayedupin asked to have his startup’s name removed from the story, although he did not respond to questions about whether there were any inaccuracies in Hassold’s report.

     “Please don’t harm Sociogram’s reputation,” Medayedupin pleaded. “I beg you as a promising young man.”

     This attacker’s approach may seem fairly amateur, but it would be a mistake to dismiss the threat from West African cybercriminals dabbling in ransomware.

     While multi-million dollar ransomware payments are hogging the headlines, by far the biggest financial losses tied to cybercrime each year stem from so-called Business Email Compromise (BEC) or CEO Scams, in which crooks mainly based in Africa and Southeast Asia will spoof communications from executives at the target firm in a bid to initiate unauthorized international wire transfers.

     According to the latest figures (PDF) released by the FBI Internet Crime Complaint Center (IC3), the reported losses from BEC scams continue to dwarf other cybercrime loss categories, increasing to $1.86 billion in 2020.

     Image: FBI

     “Knowing the actor is Nigerian really brings the entire story full circle and provides some notable context to the tactics used in the initial email we identified,” Hassold wrote. “For decades, West African scammers, primarily located in Nigeria, have perfected the use of social engineering in cybercrime activity.”

     “While the most common cyber attack we see from Nigerian actors (and most damaging attack globally) is business email compromise (BEC), it makes sense that a Nigerian actor would fall back on using similar social engineering techniques, even when attempting to successfully deploy a more technically sophisticated attack like ransomware,” Hassold concluded.

     DON’T QUIT YOUR DAY JOB

     Cybercriminals trolling for disgruntled employees is hardly a new development. Big companies have long been worried about the very real threat of disgruntled employees creating identities on darknet sites and then offering to trash their employer’s network for a fee (for more on that, see my 2016 story, Rise of the Darknet Stokes Fear of the Insider).

     Indeed, perhaps this enterprising Nigerian scammer is just keeping up with current trends. Several established ransomware affiliate gangs that have recently rebranded under new banners seem to have done away with the affiliate model in favor of just buying illicit access to corporate networks.

     For example, the Lockbit 2.0 ransomware-as-a-service gang actually includes a solicitation for insiders in the desktop wallpaper left behind on systems encrypted with the malware.

     “Would you like to earn millions of dollars? Our company acquires access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company,” LockBit’s unusual ad reads. “You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. Companies pay us the foreclosure for the decryption of files and prevention of data leak.”

     Image: Sophos.

     Likewise, the newly formed BlackMatter ransomware gang kicked off its presence on the cybercrime forums with the unassuming thread, “Buying/monetizing your access to corporate networks.” The rest of the post reads:

     We are looking for access to corporate networks in the following countries:
     – the USA
     – Canada
     – Australia
     – the UK
     All lines of business except for:
     – Healthcare
     – Government entities.
     Requirements:
     – Revenue according to ZoomInfo: over 100 million.
     – Number of hosts: 500 to 15,000.
     – We do not accept networks that anybody else has already tried to work on.
     Two options of cooperation:
     – We buy networks: 3 to 100k.
     – We monetize them (subject to negotiation on a case-by-case basis).
     How we work: You select an option of cooperation. -> You provide access to the network. -> We check it. -> We take it or not (depending on whether it meets the requirements).

     This entry was posted on Thursday 19th of August 2021 12:27 PM
  6. Hackers reportedly threaten to leak data from Gigabyte ransomware attack

     They reportedly claim to have 112GB of AMD, Intel, and other documents

     Gigabyte has been the victim of a cyberattack, which was reportedly the work of a ransomware outfit called RansomEXX. According to The Record, the attack didn’t have an impact on any of the company’s production systems, but it did affect some internal servers. Currently, some parts of Gigabyte’s website, including its support section, are down, giving customers issues when trying to access warranty repair information and updates. The hackers who claim to have carried out the attack are reportedly threatening to release data from the company, including confidential documents from Intel, AMD, and American Megatrends.

     Gigabyte is mainly known for its PC components such as motherboards and graphics cards, but it also has a line of laptops and peripherals like gaming monitors, which are often branded with the Aorus name.

     According to a ransom note and dark web webpage, seen by Bleeping Computer and The Record, RansomEXX threatens to publish 112GB of data it got from Gigabyte and an American Megatrends Git repo. Bleeping Computer reports that the hackers also include screenshots of documents from Intel, AMD, and American Megatrends that are under an NDA. American Megatrends creates firmware for motherboard and computer manufacturers as well as for certain Chromebook manufacturers.

     Image: Various parts of Gigabyte’s website are nonfunctional.

     PC manufacturers aren’t an uncommon target for hackers: earlier this year, Acer was reportedly hit with an attack by the REvil group, which would later go on to target one of Apple’s suppliers. In both cases, hackers threatened to release valuable data if the companies didn’t pay exorbitantly high ransoms of $50 million. The scourge of ransomware has also gone beyond traditional tech companies, affecting hospitals, fuel pipelines, insurance companies, and more.

     In Gigabyte’s case, the sum that the hackers are seeking doesn’t yet appear to be public. Bleeping Computer reports, however, that RansomEXX’s ransom notes direct companies to contact an email address to start negotiations. Gigabyte didn’t respond to a request for comment, but it told The Record that the company has isolated the affected servers, notified law enforcement, and is beginning an investigation. Gigabyte hasn't publicly named RansomEXX as the responsible party.
  7. Computer hardware giant GIGABYTE hit by RansomEXX ransomware

     Taiwanese motherboard maker Gigabyte has been hit by the RansomEXX ransomware gang, who threaten to publish 112GB of stolen data unless a ransom is paid.

     Gigabyte is best known for its motherboards but also manufactures other computer components and hardware, such as graphics cards, data center servers, laptops, and monitors.

     The attack occurred late Tuesday night into Wednesday and forced the company to shut down its systems in Taiwan. The incident also affected multiple websites of the company, including its support site and portions of the Taiwanese website.

     Image: Gigabyte support down due to ransomware attack

     Customers have also reported issues accessing support documents or receiving updated information about RMAs, which is likely due to the ransomware attack.

     According to the Chinese news site United Daily News, Gigabyte confirmed they suffered a cyberattack that affected a small number of servers. After detecting the abnormal activity on their network, they had shut down their IT systems and notified law enforcement.

     If you have first-hand information about this or other unreported cyberattacks, you can confidentially contact us on Signal at +16469613731 or on Wire at @lawrenceabrams-bc.

     Gigabyte suffers RansomEXX ransomware attack

     While Gigabyte has not officially stated what ransomware operation performed the attack, BleepingComputer has learned it was conducted by the RansomEXX gang.

     When the RansomEXX operation encrypts a network, they will create ransom notes on each encrypted device. These ransom notes contain a link to a non-public page meant to only be accessible to the victim to test the decryption of one file and to leave an email address to begin ransom negotiations.

     Today, a source sent BleepingComputer a link to a non-public RansomEXX leak page for Gigabyte Technologies, where the threat actors claim to have stolen 112GB of data during the attack.

     In a ransom note also seen by BleepingComputer, the threat actors state, "Hello, Gigabyte (gigabyte.com)!" and include the same link to the private leak page shared with us by our source.

     Image: Non-public Gigabyte data leak page

     On this non-public leak page, the threat actors claim to have stolen 112 GB of data from an internal Gigabyte network as well as the American Megatrends Git Repository:

     "We have downloaded 112 GB (120,971,743,713 bytes) of your files and we are ready to PUBLISH it. Many of them are under NDA (Intel, AMD, American Megatrends). Leak sources: newautobom.gigabyte.intra, git.ami.com.tw and some others."

     On the private data leak page, the threat actors also shared screenshots of four documents under NDA stolen during the attack.

     While we will not be posting the leaked images, the confidential documents include an American Megatrends debug document, an Intel "Potential Issues" document, an "Ice Lake D SKU stack update schedule," and an AMD revision guide.

     BleepingComputer has attempted to contact Gigabyte about the attack but has not heard back at this time.

     What you need to know about RansomEXX

     The RansomEXX ransomware operation originally started under the name Defray in 2018 but rebranded as RansomEXX in June 2020 when they became more active.

     Like other ransomware operations, RansomEXX will breach a network through Remote Desktop Protocol, exploits, or stolen credentials. Once they gain access to the network, they will harvest more credentials as they slowly gain control of the Windows domain controller.

     During this lateral spread through the network, the ransomware gang will steal data from unencrypted devices used as leverage in ransom extortions.

     RansomEXX does not only target Windows devices but has also created a Linux encryptor to encrypt virtual machines running on VMware ESXi servers.

     Over the past month, the RansomEXX gang has become more active as they have recently attacked Italy's Lazio region and Ecuador's state-run Corporación Nacional de Telecomunicación (CNT).

     Other high-profile attacks by the ransomware gang include Brazil's government networks, the Texas Department of Transportation (TxDOT), Konica Minolta, IPG Photonics, and Tyler Technologies.
  8. It’s nice when ransomware gangs have their bitcoin stolen, malware servers shut down, or are otherwise forced to disband. We hang on to these occasional victories because history tells us that most ransomware moneymaking collectives don’t go away so much as reinvent themselves under a new name, with new rules, targets and weaponry. Indeed, some of the most destructive and costly ransomware groups are now in their third incarnation. A rough timeline of major ransomware operations and their reputed links over time. Reinvention is a basic survival skill in the cybercrime business. Among the oldest tricks in the book is to fake one’s demise or retirement and invent a new identity. A key goal of such subterfuge is to throw investigators off the scent or to temporarily direct their attention elsewhere. Cybercriminal syndicates also perform similar disappearing acts whenever it suits them. These organizational reboots are an opportunity for ransomware program leaders to set new ground rules for their members — such as which types of victims aren’t allowed (e.g., hospitals, governments, critical infrastructure), or how much of a ransom payment an affiliate should expect for bringing the group access to a new victim network. I put together the above graphic to illustrate some of the more notable ransom gang reinventions over the past five years. What it doesn’t show is what we already know about the cybercriminals behind many of these seemingly disparate ransomware groups, some of whom were pioneers in the ransomware space almost a decade ago. We’ll explore that more in the latter half of this story. One of the more intriguing and recent revamps involves DarkSide, the group that extracted a $5 million ransom from Colonial Pipeline earlier this year, only to watch much of it get clawed back in an operation by the U.S. Department of Justice. After acknowledging someone had also seized their Internet servers, DarkSide announced it was folding. 
But a little more than a month later, a new ransomware affiliate program called BlackMatter emerged, and experts quickly determined BlackMatter was using the same unique encryption methods that DarkSide had used in their attacks. DarkSide’s demise roughly coincided with that of REvil, a long-running ransomware group that claims to have extorted more than $100 million from victims. REvil’s last big victim was Kaseya, a Miami-based company whose products help system administrators manage large networks remotely. That attack let REvil deploy ransomware to as many as 1,500 organizations that used Kaseya. REvil demanded a whopping $70 million to release a universal decryptor for all victims of the Kaseya attack. Just days later, President Biden reportedly told Russian President Vladimir Putin that he expects Russia to act when the United States shares information on specific Russians involved in ransomware activity. A REvil ransom note. Whether that conversation prompted actions is unclear. But REvil’s victim shaming blog would disappear from the dark web just four days later. Mark Arena, CEO of cyber threat intelligence firm Intel 471, said it remains unclear whether BlackMatter is the REvil crew operating under a new banner, or if it is simply the reincarnation of DarkSide. But one thing is clear, Arena said: “Likely we will see them again unless they’ve been arrested.” Likely, indeed. REvil is widely considered a reboot of GandCrab, a prolific ransomware gang that boasted of extorting more than $2 billion over 12 months before abruptly closing up shop in June 2019. “We are living proof that you can do evil and get off scot-free,” Gandcrab bragged. And wouldn’t you know it: Researchers have found GandCrab shared key behaviors with Cerber, an early ransomware-as-a-service operation that stopped claiming new victims at roughly the same time that GandCrab came on the scene. GOOD GRIEF The past few months have been a busy time for ransomware groups looking to rebrand. 
BleepingComputer recently reported that the new “Grief” ransomware startup was just the latest paintjob of DoppelPaymer, a ransomware strain that shared most of its code with an earlier iteration from 2016 called BitPaymer. All three of these ransom operations stem from a prolific cybercrime group known variously as TA505, “Indrik Spider” and (perhaps most memorably) Evil Corp. According to security firm CrowdStrike, Indrik Spider was formed in 2014 by former affiliates of the GameOver Zeus criminal network who internally referred to themselves as “The Business Club.” The Business Club was a notorious Eastern European organized cybercrime gang accused of stealing more than $100 million from banks and businesses worldwide. In 2015, the FBI offered a standing $3 million bounty for information leading to the capture of the Business Club’s leader — Evgeniy Mikhailovich Bogachev. By the time the FBI put a price on his head, Bogachev’s Zeus trojan and later variants had been infecting computers for nearly a decade. The alleged ZeuS Trojan author, Evgeniy Mikhaylovich Bogachev. Source: FBI Bogachev was way ahead of his colleagues in pursuing ransomware. His Gameover Zeus Botnet was a peer-to-peer crime machine that infected between 500,000 and a million Microsoft Windows computers. Throughout 2013 and 2014, PCs infected with Gameover were seeded with Cryptolocker, an early, much-copied ransomware strain allegedly authored by Bogachev himself. CrowdStrike notes that shortly after the group’s inception, Indrik Spider developed their own custom malware known as Dridex, which has emerged as a major vector for deploying malware that lays the groundwork for ransomware attacks. “Early versions of Dridex were primitive, but over the years the malware became increasingly professional and sophisticated,” CrowdStrike researchers wrote. 
“In fact, Dridex operations were significant throughout 2015 and 2016, making it one of the most prevalent eCrime malware families.” That CrowdStrike report was from July 2019. In April 2021, security experts at Check Point Software found Dridex was still the most prevalent malware (for the second month running). Mainly distributed via well-crafted phishing emails — such as a recent campaign that spoofed QuickBooks — Dridex often serves as the attacker’s initial foothold in company-wide ransomware attacks, Check Point said. REBRANDING TO AVOID SANCTIONS Another ransomware family tied to Evil Corp. and the Dridex gang is WastedLocker, which is the latest name of a ransomware strain that has rebranded several times since 2019. That was when the Justice Department put a $5 million bounty on the head of Evil Corp., and the Treasury Department’s Office of Foreign Asset Control (OFAC) said it was prepared to impose hefty fines on anyone who paid a ransom to the cybercrime group. Alleged Evil Corp leader Maksim “Aqua” Yakubets. Image: FBI In early June 2021, researchers discovered the Dridex gang was once again trying to morph in an effort to evade U.S. sanctions. The drama began when the Babuk ransomware group announced in May that they were starting a new platform for data leak extortion, which was intended to appeal to ransomware groups that didn’t already have a blog where they can publicly shame victims into paying by gradually releasing stolen data. On June 1, Babuk changed the name of its leaks site to payload[dot]bin, and began leaking victim data. Since then, multiple security experts have spotted what they believe is another version of WastedLocker dressed up as payload.bin-branded ransomware. “Looks like EvilCorp is trying to pass off as Babuk this time,” wrote Fabian Wosar, chief technology officer at security firm Emsisoft. 
“As Babuk releases their PayloadBin leak portal, EvilCorp rebrands WastedLocker once again as PayloadBin in an attempt to trick victims into violating OFAC regulations.” Experts are quick to point out that many cybercriminals involved in ransomware activity are affiliates of more than one distinct ransomware-as-a-service operation. In addition, it is common for a large number of affiliates to migrate to competing ransomware groups when their existing sponsor suddenly gets shut down. All of the above would seem to suggest that the success of any strategy for countering the ransomware epidemic hinges heavily on the ability to disrupt or apprehend a relatively small number of cybercriminals who appear to wear many disguises. Perhaps that’s why the Biden Administration said last month it was offering a $10 million reward for information that leads to the arrest of the gangs behind the extortion schemes, and for new approaches that make it easier to trace and block cryptocurrency payments. Ransomware Gangs and the Name Game Distraction
  9. BlackMatter ransomware gang rises from the ashes of DarkSide, REvil A new ransomware gang named BlackMatter is purchasing access to corporate networks while claiming to include the best features from the notorious and now-defunct REvil and DarkSide operations. Last week, both Recorded Future and security researcher pancak3 shared that a new threat actor named 'BlackMatter' had posted to hacking forums where they want to purchase access to corporate networks. Forum post by BlackMatter to the Exploit forum In the post, the threat actor stated that they want to buy access to networks in the USA, Canada, Australia, and Great Britain, except for networks associated with medical and government entities. They further shared that they were willing to spend $3,000 to $100,000 per network that had the following criteria: Revenue of $100 million or more. The network should contain 500-15,000 devices. It should be a new network that other threat actors have not already targeted. To show that they were serious, the threat actor deposited four bitcoins ($120,000) in the Exploit hacking forum's cryptocurrency wallet. As forums promoting ransomware are now banned on the XSS and Exploit forums, the threat actor did not indicate how they would use the network access. BlackMatter ransomware gang emerges That same day, researchers from Recorded Future revealed that a new Tor data leak site for a 'BlackMatter' ransomware operation appeared on the dark web last week. The name indicates that the BlackMatter threat actor is the public-facing representative for the ransomware operation under the same name. New BlackMatter data leak site In addition to posting information about themselves and their operation, BlackMatter states that they will not target entities in the following industries: Hospitals. Critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities). 
Oil and gas industry (pipelines, oil refineries). Defense industry. Non-profit companies. Government sector. Recorded Future says the gang's ransomware executables come in various formats so that they can encrypt different operating systems and device architectures. "The ransomware is provided for several different operating systems versions and architectures and is deliverable in a variety of formats, including a Windows variant with SafeMode support (EXE / Reflective DLL / PowerShell) and a Linux variant with NAS support: Synology, OpenMediaVault, FreeNAS (TrueNAS)," reported Recorded Future. "According to BlackMatter, the Windows ransomware variant was successfully tested on Windows Server 2003+ x86/x64 and Windows 7+ x64 / x86. The Linux ransomware variant was successfully tested on ESXi 5+, Ubuntu, Debian, and CentOS. Supported file systems for Linux include VMFS, VFFS, NFS, VSAN." At this time, there are no victims listed on the site. However, the ransomware gang states that "all blogs hidden for now. For a very short time," indicating that they are actively attacking victims. BleepingComputer has been able to confirm that there are active attacks underway and that at least one victim paid $4 million to the threat actors this week. BlackMatter Tor negotiation site Source: BleepingComputer Based on the negotiation chat, this is a veteran ransomware operation and most likely a rebrand of one of the larger and now-defunct groups that recently shut down. Rising from the ashes of DarkSide and REvil? Information discovered by security researchers as well as the similarities in web sites and partners may indicate that BlackMatter has recruited or was created by threat actors that were previously with the DarkSide and the REvil ransomware operations. As ransomware gangs commonly rebrand to evade law enforcement, when we first reported on DarkSide in August 2020, some security researchers and law enforcement believed REvil was rebranding as the new DarkSide operation. 
However, both gangs continued operating side-by-side for almost a year until DarkSide attacked Colonial Pipeline. Feeling the full pressure of the US government and law enforcement, DarkSide shut down its operation in May. The shutdown of DarkSide was first reported by REvil's public-facing representative, Unknown, who posted about it on a hacking forum. Forum post by UNKN about DarkSide seizure Two months later, it was REvil's turn to shut down after conducting a massive attack on managed service providers worldwide through a zero-day Kaseya VSA vulnerability. Like DarkSide, REvil was feeling massive pressure from the US government and international law enforcement. It is widely speculated that the Russian government told them to shut down and disappear for a while. After seeing the BlackMatter Tor site, security researchers found that it showed a strong resemblance to the now-defunct DarkSide ransomware's Tor site. Both pages share a similar color theme, similar language, a similar way of referring to themselves, and also included a list of targets they would not attack. Recorded Future also reported that BlackMatter said, "The project has incorporated in itself the best features of DarkSide, REvil, and LockBit." Finally, cybersecurity firm Mandiant has seen indicators suggesting that an actor previously connected to DarkSide is now partnering with BlackMatter. "We have seen some indication that currently suggests that at least one actor connected to some DARKSIDE ransomware operations is aligning themselves with BLACKMATTER," Kimberly Goody, Mandiant Director of Financial Crime Analysis, told BleepingComputer. "This isn’t necessarily surprising as we commonly see ransomware affiliates partnering with multiple providers." While many clues indicate that this may be a rebrand of DarkSide, or possibly created by actors from both groups, we will not know for sure until a sample of the ransomware is analyzed for code similarities. 
As BlackMatter attacks are ongoing, researchers will likely find a sample soon. BlackMatter ransomware gang rises from the ashes of DarkSide, REvil
  10. LockBit ransomware now encrypts Windows domains using group policies A new version of the LockBit 2.0 ransomware has been found that automates the encryption of a Windows domain using Active Directory group policies. The LockBit ransomware operation launched in September 2019 as a ransomware-as-a-service, where threat actors are recruited to breach networks and encrypt devices. In return, the recruited affiliates earn 70-80% of a ransom payment, and the LockBit developers keep the rest. Over the years, the ransomware operation has been very active, with a representative of the gang promoting the activity and providing support on hacking forums. After ransomware topics were banned on hacking forums [1, 2], LockBit began promoting the new LockBit 2.0 ransomware-as-a-service operation on their data leak site. LockBit 2.0 affiliate program features Included with the new version of LockBit are numerous advanced features, with two of them outlined below. Uses group policy update to encrypt network LockBit 2.0 promotes a long list of features with many used by other ransomware operations in the past. However, one promoted feature stuck out where the developers claim to have automated the ransomware distribution throughout a Windows domain without the need for scripts. When threat actors breach a network and finally gain control of the domain controller, they utilize third-party software to deploy scripts that disable antivirus and then execute the ransomware on the machines on the network. In samples of the LockBit 2.0 ransomware discovered by MalwareHunterTeam and analyzed by BleepingComputer and Vitali Kremez, the threat actors have automated this process so that the ransomware distributes itself throughout a domain when executed on a domain controller. When executed, the ransomware will create new group policies on the domain controller that are then pushed out to every device on the network. 
These policies disable Microsoft Defender's real-time protection, alerts, submitting samples to Microsoft, and default actions when detecting malicious files, as shown below.

    [General]
    Version=%s
    displayName=%s
    [Software\Policies\Microsoft\Windows Defender;DisableAntiSpyware]
    [Software\Policies\Microsoft\Windows Defender\Real-Time Protection;DisableRealtimeMonitoring]
    [Software\Policies\Microsoft\Windows Defender\Spynet;SubmitSamplesConsent]
    [Software\Policies\Microsoft\Windows Defender\Threats;Threats_ThreatSeverityDefaultAction]
    [Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
    [Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
    [Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
    [Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
    [Software\Policies\Microsoft\Windows Defender\UX Configuration;Notification_Suppress]

Other group policies are created, including one to create a scheduled task on Windows devices that launches the ransomware executable. The ransomware will then run the following command to push the group policy update to all of the machines in the Windows domain.

    powershell.exe -Command "Get-ADComputer -filter * -Searchbase '%s' | foreach{ Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}"

Kremez told BleepingComputer that during this process, the ransomware will also use Windows Active Directory APIs to perform LDAP queries against the domain controller's ADS to get a list of computers. Using this list, the ransomware executable will be copied to each device's desktop and the scheduled task configured by group policies will launch the ransomware using the UAC bypass below:

    Software\Microsoft\Windows NT\CurrentVersion\ICM\Calibration "DisplayCalibrator"

As the ransomware will be executed using a UAC bypass, the program will run silently in the background without any outward alert on the device being encrypted. 
While MountLocker had previously used Windows Active Directory APIs to perform LDAP queries this is the first time we have seen a ransomware automate the distribution of the malware via group policies. "This is the first ransomware operation to automate this process, and it allows a threat actor to disable Microsoft Defender and execute the ransomware on the entire network with a single command," Kremez told BleepingComputer. "A new version of the LockBit 2.0 ransomware has been found that automates the interaction and subsequent encryption of a Windows domain using Active Directory group policies." "The malware added a novel approach of interacting with active directory propagating ransomware to local domains as well as built-in updating global policy with anti-virus disable making "pentester" operations easier for new malware operators." LockBit 2.0 print bombs network printers LockBit 2.0 also includes a feature previously used by the Egregor Ransomware operation that print bombs the ransom note to all networked printers. When the ransomware has finished encrypting a device, it will repeatedly print the ransom note to any connected network printers to get the victim's attention, as shown below. Print bomb of ransom notes In an Egregor attack against retail giant Cencosud, this feature caused ransom notes to shoot out of receipt printers after they conducted the attack. LockBit ransomware now encrypts Windows domains using group policies
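The three artifacts the LockBit 2.0 write-up describes (Defender-disabling registry policy, a scheduled-task preference, and a forced domain-wide gpupdate launched through a dccw.exe UAC bypass) are all auditable from a domain member. The following PowerShell is an added example written for this page; it is not code from the article, from BleepingComputer, or from LockBit. It assumes the RSAT GroupPolicy module is installed, that PowerShell script block logging (Event ID 4104) is enabled on the host being searched, that scheduled-task preferences expose their command line in `<Command>` elements of the GPO XML report, and that the UAC-bypass value lives under the user hive (HKCU); those assumptions are repeated in the comments.

```powershell
# Added example, not code from the article or from LockBit: audit a domain for the
# GPO technique described above. Needs the RSAT GroupPolicy module and read access to GPOs.
Import-Module GroupPolicy -ErrorAction Stop

# Registry-policy entries the article lists. A $null ValueName means "report every value under the key".
$DefenderPolicies = @(
    @{ Key = 'HKLM\Software\Policies\Microsoft\Windows Defender';                      ValueName = 'DisableAntiSpyware' }
    @{ Key = 'HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection'; ValueName = 'DisableRealtimeMonitoring' }
    @{ Key = 'HKLM\Software\Policies\Microsoft\Windows Defender\Spynet';               ValueName = 'SubmitSamplesConsent' }
    @{ Key = 'HKLM\Software\Policies\Microsoft\Windows Defender\Threats';              ValueName = 'Threats_ThreatSeverityDefaultAction' }
    @{ Key = 'HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction'; ValueName = $null }
    @{ Key = 'HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration';     ValueName = 'Notification_Suppress' }
)

function Find-SuspiciousGpo {
    <# One record per Defender-disabling value or scheduled-task preference found in any GPO,
       with the GPO's creation time: a policy created minutes before encryption began stands out. #>
    [CmdletBinding()]
    param([int]$NewerThanHours = 0)   # 0 = every GPO; otherwise only GPOs created in the last N hours
    foreach ($gpo in Get-GPO -All) {
        if ($NewerThanHours -gt 0 -and $gpo.CreationTime -lt (Get-Date).AddHours(-$NewerThanHours)) { continue }
        foreach ($p in $DefenderPolicies) {
            # Get-GPRegistryValue throws when the key/value is absent, so silence it and keep hits only.
            $gpArgs = @{ Guid = $gpo.Id; Key = $p.Key; ErrorAction = 'SilentlyContinue' }
            if ($p.ValueName) { $gpArgs.ValueName = $p.ValueName }
            foreach ($hit in (Get-GPRegistryValue @gpArgs)) {
                [pscustomobject]@{ Gpo = $gpo.DisplayName; Created = $gpo.CreationTime; Finding = 'DefenderPolicy'
                                   Detail = "$($hit.FullKeyPath)\$($hit.ValueName) = $($hit.Value)" }
            }
        }
        # Group Policy Preferences scheduled tasks show up in the XML report. Assumption: the
        # command line sits in <Command> elements (TaskV2 schema); older task types are named differently.
        $report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        if ($report -match 'ScheduledTasks') {
            $cmds = [regex]::Matches($report, '<Command>([^<]+)</Command>') | ForEach-Object { $_.Groups[1].Value }
            [pscustomobject]@{ Gpo = $gpo.DisplayName; Created = $gpo.CreationTime; Finding = 'ScheduledTaskPreference'
                               Detail = ($cmds -join '; ') }
        }
    }
}

function Find-ForcedGpUpdate {
    <# Searches PowerShell script-block logs (Event ID 4104) on this host for the fan-out command the
       article quotes: Get-ADComputer piped into Invoke-GPUpdate with the random delay forced to 0.
       Assumption: script block logging is enabled; without it nothing is recorded here. #>
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |   # throws "no events" otherwise
        Where-Object { $_.Message -match 'Invoke-GPUpdate' -and $_.Message -match 'RandomDelayInMinutes\s+0\b' } |
        Select-Object TimeCreated, MachineName, Message
}

function Test-DisplayCalibratorHijack {
    <# The dccw.exe UAC bypass plants DisplayCalibrator under the user hive (writable at medium
       integrity) so the auto-elevated calibration tool runs the attacker's binary instead.
       Assumption: on a normal workstation no value exists there at all, so any hit is suspicious. #>
    $key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\ICM\Calibration'
    $v = Get-ItemProperty -Path $key -Name DisplayCalibrator -ErrorAction SilentlyContinue
    $target = $null
    if ($v) { $target = $v.DisplayCalibrator }
    [pscustomobject]@{ Hijacked = [bool]$v; Target = $target }
}

# Usage: run on a domain-joined admin workstation; the 4104 search is most useful on the DC itself.
Find-SuspiciousGpo -NewerThanHours 48 | Format-Table -AutoSize
Find-ForcedGpUpdate -Hours 48 | Format-List
Test-DisplayCalibratorHijack
```

Creation time is the useful pivot here: the GPOs the article describes are created by the ransomware at run time, so filtering to policies younger than the incident window and comparing them against your change records separates them from a legitimate (if unwise) Defender exclusion policy that has been in place for months.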
  10. HelloKitty ransomware is targeting vulnerable SonicWall devices CISA warns of threat actors targeting "a known, previously patched, vulnerability" found in SonicWall Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products with end-of-life firmware. As the US federal agency also adds, the attackers can exploit this security vulnerability as part of a targeted ransomware attack. This alert comes after SonicWall issued an "urgent security notice" and sent emails to warn customers of the "imminent risk of a targeted ransomware attack." Even though the company said the risk of ransomware attacks is imminent, Coveware CEO Bill Siegel confirmed CISA's warning, saying that the campaign is ongoing. CISA urges users and administrators to review the SonicWall security notice and upgrade their devices to the latest firmware or immediately disconnect all end-of-life appliances. HelloKitty ransomware: one of the groups behind these attacks While CISA and SonicWall did not reveal the identity of the threat actors behind these attacks, BleepingComputer was told by a source in the cybersecurity industry that HelloKitty has been exploiting the vulnerability for the past few weeks. Cybersecurity firm CrowdStrike also confirmed to BleepingComputer that the ongoing attacks are attributed to multiple threat actors, including HelloKitty. HelloKitty is a human-operated ransomware operation active since November 2020, mostly known for encrypting the systems of CD Projekt Red and claiming to have stolen Cyberpunk 2077, Witcher 3, Gwent, and other games' source code. Even though the bug abused to compromise unpatched and EOL SMA and SRA products was not disclosed in CISA's warning or SonicWall's notice, CrowdStrike security researcher Heather Smith told BleepingComputer yesterday that the targeted vulnerability is tracked as CVE-2019-7481. 
"This exploitation targets a long-known vulnerability that was patched in newer versions of firmware released in early 2021," SonicWall said in an emailed statement. However, CrowdStrike's Heather Smith and Hanno Heinrichs said in a report published last month that "CrowdStrike Services incident response teams identified eCrime actors leveraging an older SonicWall VPN vulnerability, CVE-2019-7481, that affects Secure Remote Access (SRA) 4600 devices." SonicWall credited the two security researchers with reporting the actively exploited security flaw in a security advisory issued yesterday. According to a Coveware report, Babuk ransomware is also targeting SonicWall VPNs likely vulnerable to CVE-2020-5135 exploits. This vulnerability was patched in October 2020 but it is still "heavily abused by ransomware groups today" per Coveware. Ransomware vs. SonicWall devices A threat group tracked by Mandiant as UNC2447 has also exploited the CVE-2021-20016 zero-day bug in SonicWall SMA 100 Series VPN appliances to deploy a new ransomware strain known as FiveHands (a DeathRansom variant, like HelloKitty). Their attacks hit multiple North American and European targets before SonicWall released patches in late February 2021. The same zero-day was also abused in January in attacks targeting SonicWall's internal systems and later indiscriminately exploited in the wild. Mandiant threat analysts discovered three other zero-day vulnerabilities in SonicWall's on-premises and hosted Email Security (ES) products in March. These three zero-days were also actively exploited by a group Mandiant tracks as UNC2682 to backdoor systems using BEHINDER web shells, allowing them to move laterally through victims' networks and access emails and files. "The adversary leveraged these vulnerabilities, with intimate knowledge of the SonicWall application, to install a backdoor, access files and emails, and move laterally into the victim organization's network," the Mandiant researchers said at the time. 
HelloKitty ransomware is targeting vulnerable SonicWall devices
  12. US govt offers $10 million reward for tips on nation-state hackers The United States government has taken two more active measures to fight and defend against malicious cyber activities affecting the country’s business and critical infrastructure sectors. One initiative is a website with resources from across the federal government designed to help protect businesses and communities from ransomware attacks. The other is offering a reward of up to $10 million for information on operations conducted by actors working for a foreign government. Tackling the ransomware threat Earlier this week, the U.S. Government launched the StopRansomware.gov website specifically to help private and public entities mitigate the ransomware threat. It is meant as a central platform for information about ransomware gathered from all federal government agencies, which includes guidance, the latest alerts, updates, and resources. “StopRansomware.gov includes resources and content from DHS’s Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Secret Service, the Department of Justice’s Federal Bureau of Investigation (FBI), the Department of Commerce’s National Institute of Standards and Technology (NIST), and the Departments of the Treasury and Health and Human Services” - U.S. Department of Homeland Security The ransomware threat has grown to unprecedented levels lately, with attacks on critical infrastructure and businesses whose effects rippled down to ordinary individuals. Cyberattacks like those on giant JBS Foods, the largest meat producer in the world, on Colonial Pipeline - the main fuel supply line for the U.S. East Coast, or the more recent one on Kaseya, which affected up to 1,500 businesses worldwide, highlighted even more the effort necessary to tackle it. Tracking nation-state hackers On Thursday, the U.S. Department of State announced that its Rewards for Justice (RFJ) program now incentivizes reports of foreign malicious activity against U.S. critical infrastructure. 
The reward is up to $10 million and it is intended for details that can help identify and locate any person that acts on behalf of a foreign government in malicious cyber operations. The actions may include extortion as part of a ransomware attack, stealing information from protected systems, “and knowingly causing the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causing damage without authorization to a protected computer.” “Protected computers include not only U.S. government and financial institution computer systems, but also those used in or affecting interstate or foreign commerce or communication” - U.S. Department of State The payment may be enough to encourage hackers involved in attacks affecting critical infrastructure in the U.S. to turn on each other and get a legal, stress-free payout. To receive the information in a secure fashion and to protect the safety of potential sources, the Department of State set up a tips-reporting service on the dark web: http://he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion [access through Tor browser] For this purpose, RFJ is using the SecureDrop platform that is typically used by journalists for secure communication with their sources and to protect their identity by using random codes instead of usernames. Additionally, payments through the RFJ program may also be in cryptocurrency, which can help tipsters maintain their anonymity and receive the reward. The RFJ program started in 1984 and has paid more than $200 million to over 100 individuals offering information that helped in the fight against terrorism (prevent terrorist acts, bring terrorists to justice) and deal with threats against the U.S. national security. US govt offers $10 million reward for tips on nation-state hackers
  13. REvil ransomware gang's web sites mysteriously shut down The infrastructure and websites for the REvil ransomware operation have mysteriously gone offline as of last night. The REvil ransomware operation, aka Sodinokibi, operates through numerous clear web and dark web sites used as ransom negotiation sites, ransomware data leak sites, and backend infrastructure. Starting last night, the websites and infrastructure used by the REvil ransomware operation have mysteriously shut down. REvil Tor site no longer accessible "In simple terms, this error generally means that the onion site is offline or disabled. To know for sure, you'd need to contact the onion site administrator," the Tor Project's Al Smith told BleepingComputer. While it is not unheard of for REvil sites to lose connectivity for some time, for all sites to shut down simultaneously is unusual. Furthermore, the decoder[.]re clear website is no longer resolvable by DNS queries, possibly indicating the DNS records for the domain have been pulled or that backend DNS infrastructure has been shut down. REvil domain no longer resolves to DNS queries Recorded Future's Allan Liska said that the REvil web sites went offline at approximately 1 AM EST this morning. If you have first-hand information about the shutdown, you can confidentially contact us on Signal at +16469613731 or on Wire at @lawrenceabrams-bc. Feeling the heat On July 2nd, the REvil ransomware gang encrypted approximately 60 managed service providers (MSPs) and over 1,500 individual businesses using a zero-day vulnerability in the Kaseya VSA remote management software. As part of these attacks, REvil initially demanded $70 million for a universal decryptor for all victims but quickly dropped the price to $50 million. Since then, the ransomware group has been under increased scrutiny by law enforcement, which did not seem to faze 'Unknown,' the public-facing representative of the ransomware gang. 
As these ransomware gangs commonly operate out of Russia, President Biden has been in talks with President Putin about the attacks and warned that if Russia did not act upon threat actors within their borders, the USA would take action themselves. "I made it very clear to him that the United States expects when a ransomware operation is coming from his soil even though it's not sponsored by the state, we expect them to act if we give them enough information to act on who that is," Biden said after signing an executive order at the White House. At this point, it is not clear if the shutdown of these servers is simply a technical issue, if the gang shut down their operation, or if a law enforcement operation took place. Other ransomware groups, such as DarkSide and Babuk, shut down voluntarily due to the increased pressure by law enforcement. However, when ransomware groups shut down, the operators and affiliates commonly rebrand as a new operation to continue performing ransomware attacks. This was seen in the past when GandCrab shut down and many of its members relaunched as REvil. Babuk also relaunched as Babuk v2.0 after the original group splintered due to differences in how attacks were conducted. BleepingComputer has contacted the FBI with questions about possible law enforcement action but has not heard back at this time. This is a developing story. REvil ransomware gang's web sites mysteriously shut down
  14. Kaseya patches VSA vulnerabilities used in REvil ransomware attack Kaseya has released a security update for the VSA zero-day vulnerabilities used by the REvil ransomware gang to attack MSPs and their customers. Kaseya VSA is a remote management and monitoring solution commonly used by managed service providers to support their customers. MSPs can deploy VSA on-premise using their servers or utilize Kaseya's cloud-based SaaS solution. In April, the Dutch Institute for Vulnerability Disclosure (DIVD) disclosed seven vulnerabilities to Kaseya:

    CVE-2021-30116 - A credentials leak and business logic flaw, to be included in 9.5.7
    CVE-2021-30117 - An SQL injection vulnerability, resolved in May 8th patch.
    CVE-2021-30118 - A Remote Code Execution vulnerability, resolved in April 10th patch. (v9.5.6)
    CVE-2021-30119 - A Cross Site Scripting vulnerability, to be included in 9.5.7
    CVE-2021-30120 - 2FA bypass, to be resolved in v9.5.7
    CVE-2021-30121 - A Local File Inclusion vulnerability, resolved in May 8th patch.
    CVE-2021-30201 - A XML External Entity vulnerability, resolved in May 8th patch.

Kaseya had implemented patches for most of the vulnerabilities on their VSA SaaS service but had not completed the patches for the on-premise version of VSA. Unfortunately, the REvil ransomware gang beat Kaseya to the finish line and utilized these vulnerabilities to launch a massive attack on July 2nd against approximately 60 MSPs using on-premise VSA servers and 1,500 business customers. It is unclear which vulnerabilities were used in the attack, but it is believed to be one or a combination of CVE-2021-30116, CVE-2021-30119, and CVE-2021-30120. Kaseya releases security updates Since the attack, Kaseya has urged on-premise VSA customers to shut down their servers until a patch is ready. Almost ten days after the attacks, Kaseya has released the VSA 9.5.7a update to fix the vulnerabilities used in the REvil ransomware attack. 
With this release, Kaseya has fixed the following vulnerabilities:

    Credentials leak and business logic flaw: CVE-2021-30116
    Cross Site Scripting vulnerability: CVE-2021-30119
    2FA bypass: CVE-2021-30120
    Fixed an issue where secure flag was not being used for User Portal session cookies.
    Fixed an issue where certain API responses would contain a password hash, potentially exposing any weak passwords to brute force attack. The password value is now masked completely.
    Fixed a vulnerability that could allow unauthorized upload of files to the VSA server.

However, Kaseya is urging customers to follow the 'On Premises VSA Startup Readiness Guide' steps before installing the update to prevent further breaches and make sure devices are not already compromised. Below are the basic steps that admins should perform before starting up VSA servers again and connecting them to the Internet:

    Ensure your VSA server is isolated
    Check System for Indicators of Compromise (IOC)
    Patch the Operating Systems of the VSA Servers
    Using URL Rewrite to control access to VSA through IIS
    Install FireEye Agent
    Remove Pending Scripts/Jobs

Of these steps, it is critical that on-premise VSA servers not be publicly accessible from the Internet to prevent compromise while installing the patch. Kaseya also urges customers to utilize their "Compromise Detection Tool," a collection of PowerShell scripts to detect whether a VSA server or endpoints have been compromised. The scripts will check VSA servers for the presence of 'Kaseya\webpages\managedfiles\vsaticketfiles\agent.crt' and 'Kaseya\webpages\managedfiles\vsaticketfiles\agent.exe,' and 'agent.crt' and 'agent.exe' on endpoints. The REvil affiliate used the agent.crt and agent.exe files to deploy the REvil ransomware executable. For additional security, Kaseya is also suggesting on-premise VSA admins restrict access to the web GUI to local IP addresses and those known to be used by security products. 
"For VSA On-Premises installations, we have recommended limiting access to the VSA Web GUI to local IP addresses by blocking port 443 inbound on your internet firewall. Some integrations may require inbound access to your VSA server on port 443. Below is a list of IP addresses you can whitelist in your firewall (allow 443 inbound to FROM ), if you are using these integrations with your VSA On-Premises product." explains Kaseya. After installing the patch, all users will be required to change their password to one using new password requirements. Kaseya patches VSA vulnerabilities used in REvil ransomware attack
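Two of the readiness steps above are mechanical enough to script: checking a server or endpoint for the agent.crt / agent.exe artifacts, and restricting TCP/443 on the VSA host to an allowlist before it goes back online. The PowerShell below is an added example written for this page; it is not Kaseya's Compromise Detection Tool and not code from the article. It assumes the VSA install lives under the system drive at the path the article names (the drive letter is a guess), that an endpoint caller passes the agent's working directory in `-Roots` since the article gives no endpoint path, and it uses 192.0.2.10 (a documentation address) as a stand-in for an integration IP from Kaseya's list.

```powershell
# Added example, not Kaseya's Compromise Detection Tool: IOC sweep plus 443 allowlisting
# for an on-premise VSA server that is about to be patched and reconnected. Run elevated.

function Find-VsaIoc {
    <# Searches the given roots for the dropper artifacts named in the article and returns
       path, size, UTC timestamps and SHA-256 so findings can be matched against other hosts. #>
    [CmdletBinding()]
    param(
        [string[]]$Roots = @(
            # Path from the article; the drive letter is an assumption.
            (Join-Path $env:SystemDrive 'Kaseya\webpages\managedfiles\vsaticketfiles'),
            (Join-Path $env:SystemDrive 'Kaseya')
        ),
        [string[]]$Names = @('agent.crt', 'agent.exe')
    )
    foreach ($root in ($Roots | Where-Object { Test-Path -LiteralPath $_ })) {
        Get-ChildItem -Path $root -Recurse -Force -File -Include $Names -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path     = $_.FullName
                    Bytes    = $_.Length
                    Created  = $_.CreationTimeUtc
                    Modified = $_.LastWriteTimeUtc
                    Sha256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

function Restrict-VsaWebGui {
    <# Allows TCP/443 inbound only from the given addresses (local subnets plus the integration IPs
       Kaseya lists). Windows Firewall evaluates Block rules before Allow rules, so a blanket
       "block 443" rule would also cut off the allowlist; instead rely on the profile's default
       inbound Block and disable any existing broad Allow rules for 443 before adding a scoped one. #>
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$AllowFrom)
    $ruleName = 'Kaseya VSA HTTPS (allowlist only)'
    if ($PSCmdlet.ShouldProcess('Windows Firewall', "restrict TCP/443 inbound to $($AllowFrom -join ', ')")) {
        Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
        Get-NetFirewallPortFilter |
            Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '443' } |
            Get-NetFirewallRule |
            Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.DisplayName -ne $ruleName } |
            Disable-NetFirewallRule
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort 443 `
            -RemoteAddress $AllowFrom -Action Allow -Profile Any | Out-Null
    }
}

# Usage. 192.0.2.10 is a placeholder for an integration address from Kaseya's list.
Find-VsaIoc | Format-Table -AutoSize
Restrict-VsaWebGui -AllowFrom @('10.0.0.0/8', '192.0.2.10') -WhatIf   # drop -WhatIf to apply
```

Treat any hit from the sweep as a reason to stop and image the host rather than to delete the file: the timestamps and hash are what an incident responder will ask for, and a clean sweep is not proof of a clean server, only that the two named artifacts are absent from the roots searched.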
  15. Insurance giant CNA reports data breach after ransomware attack CNA Financial Corporation, a leading US-based insurance company, is notifying customers of a data breach following a Phoenix CryptoLocker ransomware attack that hit its systems in March. CNA is considered the seventh-largest commercial insurance firm in the US based on stats from the Insurance Information Institute. The company provides an extensive array of insurance products, including cyber insurance policies, to individuals and businesses across the US, Canada, Europe, and Asia. Over 75,000 individuals affected "The investigation revealed that the threat actor accessed certain CNA systems at various times from March 5, 2021 to March 21, 2021," CNA said in breach notification letters mailed to affected customers today. "During this time period, the threat actor copied a limited amount of information before deploying the ransomware." The data breach reported by CNA affected 75,349 individuals, according to breach information filed with the office of Maine's Attorney General. After reviewing the files stolen during the attack, CNA discovered that they contained customers' personal information such as names and Social Security numbers. "Having recovered the information, we have now completed our review of that information and have determined it contained some personal information including name, Social Security number and in some instances, information related to health benefits for certain individuals," CNA explained in a separate incident update. "The majority of individuals being notified are current and former employees, contract workers and their dependents." The company added that it found no evidence that the stolen information was "viewed, retained or shared." Additionally, CNA claims there is no reason to suspect that the stolen information was or will be misused in any way. CNA will be offering 24 months of complimentary credit monitoring and fraud protection services through Experian. 
CNA is also providing a toll-free hotline for the individuals to call with any questions regarding the Incident. — CNA Systems fully restored after ransomware attack Sources familiar with the attack told BleepingComputer that the Phoenix CryptoLocker operators encrypted over 15,000 devices after deploying ransomware payloads on CNA's network on March 21. BleepingComputer also learned that the attackers encrypted the computers of remote workers who were logged into the company's VPN during the incident. Based on similarities in the code, Phoenix Locker is believed to be a new ransomware family developed by the Evil Corp hacking group to avoid sanctions after WastedLocker ransomware victims would no longer pay ransoms to avoid legal action or fines. When asked by BleepingComputer about a connection between the sanctioned Evil Corp and the Phoenix group, CNA replied that there was no confirmed nexus. "The threat actor group, Phoenix, responsible for this attack, is not a sanctioned entity and no U.S. government agency has confirmed a relationship between the group that attacked CNA and any sanctioned entity," the company said. "We have notified the FBI of this incident and are actively cooperating with them as they conduct their investigation of the incident." Two months ago, CNA reported that it has restored the systems impacted in the ransomware attack and is operating "in a fully restored state." The insurance provider added that it did not find any evidence while investigating the incident of stolen policyholder info surfacing, being exchanged or being put up for sale on the dark web or hacking forums. Update: Added info provided by CNA spokesperson on additional data exposed in the incident. Insurance giant CNA reports data breach after ransomware attack
  16. Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software

Last week cybercriminals deployed ransomware to 1,500 organizations that provide IT security and technical support to many other companies. The attackers exploited a vulnerability in software from Kaseya, a Miami-based company whose products help system administrators manage large networks remotely. Now it appears Kaseya’s customer service portal was left vulnerable until last week to a data-leaking security flaw that was first identified in the same software six years ago.

On July 3, the REvil ransomware affiliate program began using a zero-day security hole (CVE-2021-30116) to deploy ransomware to hundreds of IT management companies running Kaseya’s remote management software, known as the Kaseya Virtual System Administrator (VSA).

According to this entry for CVE-2021-30116, the security flaw that powers that Kaseya VSA zero-day was assigned a vulnerability number on April 2, 2021, indicating Kaseya had roughly three months to address the bug before it was exploited in the wild.

Also on July 3, security incident response firm Mandiant notified Kaseya that their billing and customer support site, portal.kaseya.net, was vulnerable to CVE-2015-2862, a “directory traversal” vulnerability in Kaseya VSA that allows remote users to read any files on the server using nothing more than a Web browser.

As its name suggests, CVE-2015-2862 was issued in July 2015. Six years later, Kaseya’s customer portal was still exposed to the data-leaking weakness.

The Kaseya customer support and billing portal. Image: Archive.org.

Mandiant notified Kaseya after hearing about it from Alex Holden, founder and chief technology officer of Milwaukee-based cyber intelligence firm Hold Security.

Holden said the 2015 vulnerability was present on Kaseya’s customer portal until Saturday afternoon, allowing him to download the site’s “web.config” file, a server component that often contains sensitive information such as usernames and passwords and the locations of key databases.

“It’s not like they forgot to patch something that Microsoft fixed years ago,” Holden said. “It’s a patch for their own software. And it’s not zero-day. It’s from 2015!”

The official description of CVE-2015-2862 says a would-be attacker would need to be already authenticated to the server for the exploit to work. But Holden said that was not the case with the vulnerability on the Kaseya portal that he reported via Mandiant.

“This is worse because the CVE calls for an authenticated user,” Holden said. “This was not.”

Michael Sanders, executive vice president of account management at Kaseya, confirmed that the customer portal was taken offline in response to a vulnerability report. Sanders said the portal had been retired in 2018 in favor of a more modern customer support and ticketing system, yet somehow the old site was still left available online.

“It was deprecated but left up,” Sanders said.

In a written statement shared with KrebsOnSecurity, Kaseya said that in 2015 CERT reported two vulnerabilities in its VSA product.

“We worked with CERT on responsible disclosure and released patches for VSA versions V7, R8, R9 and R9 along with the public disclosure (CVEs) and notifications to our customers. Portal.kaseya.net was not considered by our team to be part of the VSA shipping product and was not part of the VSA product patch in 2015. It has no access to customer endpoints and has been shut down – and will no longer be enabled or used by Kaseya.”

“At this time, there is no evidence this portal was involved in the VSA product security incident,” the statement continued. “We are continuing to do forensic analysis on the system and investigating what data is actually there.”

The REvil ransomware group said affected organizations could negotiate independently with them for a decryption key, or someone could pay $70 million worth of virtual currency to buy a key that works to decrypt all systems compromised in this attack.

But Sanders said every ransomware expert Kaseya consulted so far has advised against negotiating for one ransom to unlock all victims.

“The problem is that they don’t have our data, they have our customers’ data,” Sanders said. “We’ve been counseled not to do that by every ransomware negotiating company we’ve dealt with. They said with the amount of individual machines hacked and ransomwared, it would be very difficult for all of these systems to be remediated at once.”

In a video posted to YouTube on July 6, Kaseya CEO Fred Voccola said the ransomware attack had “limited impact, with only approximately 50 of the more than 35,000 Kaseya customers being breached.”

“While each and every customer impacted is one too many, the impact of this highly sophisticated attack has proven to be, thankfully, greatly overstated,” Voccola said.

The zero-day vulnerability that led to Kaseya customers (and customers of those customers) getting ransomed was discovered and reported to Kaseya by Wietse Boonstra, a researcher with the Dutch Institute for Vulnerability Disclosure (DIVD).

In a July 4 blog post, DIVD’s Victor Gevers wrote that Kaseya was “very cooperative,” and “asked the right questions.”

“Also, partial patches were shared with us to validate their effectiveness,” Gevers wrote. “During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”

Still, Kaseya has yet to issue an official patch for the flaw Boonstra reported in April. Kaseya told customers on July 7 that it was working “through the night” to push out an update.

Gevers said the Kaseya vulnerability was discovered as part of a larger DIVD effort to look for serious flaws in a wide array of remote network management tools.

“We are focusing on these types of products because we spotted a trend where more and more of the products that are used to keep networks safe and secure are showing structural weaknesses,” he wrote.

Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software
  17. REvil victims are refusing to pay after flawed Kaseya ransomware attack

The REvil ransomware gang's attack on MSPs and their customers last week outwardly should have been successful, yet changes in their typical tactics and procedures have led to few ransom payments.

When ransomware gangs conduct an attack, they usually breach a network and take time stealing data and deleting backups before ultimately encrypting the victim's devices.

When a victim is shown proof of stolen data, backups are deleted, and their devices are encrypted, it creates a much stronger incentive for them to pay the ransom to restore their data and prevent the leak of data.

However, the REvil affiliate responsible for this attack chose to forgo standard tactics and procedures. Instead, they used a zero-day vulnerability in Kaseya's on-premise VSA servers to perform a massive and widespread attack without actually accessing a victim's network.

This tactic led to the most significant ransomware attack in history, with over 1,500 individual businesses encrypted in a single attack.

Yet, while BleepingComputer knows of two companies who paid a ransom to receive a decryptor, overall, this attack is likely not nearly as successful as the REvil gang would have expected.

The reason is simply that backups were not deleted and data was not stolen, thus providing the ransomware gang little leverage over the victims.

A victim paid a $220,000 ransom in Kaseya attack

Cybersecurity researchers familiar with the attacks and the targeted MSPs have told BleepingComputer that victims are lucky they were attacked this way, as the threat actors did not have regular unfettered access to networks and were forced to use automated methods of deleting backups.

For example, Emsisoft CTO Fabian Wosar extracted the configuration for a REvil ransomware sample used in the attack, and it shows that the REvil affiliate made a rudimentary attempt at deleting files in folders containing the string 'backup.'

Snippet of REvil ransomware configuration

However, this method does not appear to have been successful, as an MSP and multiple victims encrypted during the attack told BleepingComputer that none of their backups were affected, and they chose to restore rather than pay a ransom.

Bill Siegel, CEO of ransomware negotiation firm Coveware, told BleepingComputer that this is a similar decision for many other victims of the attack, as not one of their clients has had to pay a ransom.

"In the Kaseya attack, they opted to try and impact EVERY Kaseya client by targeting the software vs direct ingress to an MSP's network. By going for such a broad impact they appear to have sacrificed the step of encrypting / wiping backups at the MSP control level," Siegel told BleepingComputer. "This may end up being a bit of a saving grace, even for MSPs that had poorly segmented backups for their clients."

"While it is certainly impressive that Sodin was able to pull off this exploit, we have not seen the level of disruption that typically follows a single MSP attack where the backups are intentionally wiped or encrypted, and there is no other way to recover data without paying a ransom."

"The disruption is still bad, but encrypted data that is unrecoverable from backups may end up being minimal. This will translate to minimal need to pay ransoms."

"Impacted MSPs are going to be stretched for a while as they restore their clients, but so far none of the clients we have triaged have needed to pay a ransom. I'm sure there are some victims out there that will need to, but this could have been a lot worse."

Those victims who do ultimately pay a ransom will likely only do so because they had poor backups to restore from.

We rarely get to write a positive story about ransomware, and while many companies have had a stressful and disruptive week, it does appear that the majority of victims should be able to get back up and running fairly quickly.

REvil victims are refusing to pay after flawed Kaseya ransomware attack
  18. US warns of action against ransomware gangs if Russia refuses

White House Press Secretary Jen Psaki says that the US will take action against cybercriminal groups from Russia if the Russian government refuses to do so.

Psaki added that the recent REvil ransomware attack on Florida-based IT company Kaseya is not yet attributed to anyone, specifically not to the Russian government.

She also said that high-level US and Russian officials will meet again next week to address the recent attacks that have targeted US organizations this year.

"We have undertaken expert level talks that are continuing. We expect to have another meeting next week focused on ransomware attacks," the White House Press Secretary stated during a briefing on the Biden administration's policy agenda.

"As the President made clear to President Putin when they met, if the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action or reserve the right to take action on our own.

"Now, in this case, the intelligence community has not yet attributed the attack. The cybersecurity community agrees that REvil operates out of Russia with affiliates around the world."

G7 (Group of 7) leaders also asked Russia last month to urgently disrupt ransomware gangs believed to be operating within its borders after the seemingly endless stream of attacks targeting organizations from critical sectors worldwide.

Earlier today, Kaseya said that the supply-chain ransomware attack coordinated by the REvil ransomware group "had limited impact" as it hit fewer than 60 managed service providers (MSPs) using its VSA remote monitoring and management software.

REvil claims to have encrypted more than 1,000,000 systems in this large-scale supply-chain attack and, after initially demanding $70 million, it is now asking for $50 million for a universal decryptor.

In all, the company said the attackers compromised up to 1,500 downstream businesses and "this attack was never a threat nor had any impact to critical infrastructure," even though CISA considers the Information Technology Sector as a critical infrastructure sector.

"The attack had limited impact, with only approximately 50 of the more than 35,000 Kaseya customers being breached," Kaseya said. "Of the approximately 800,000 to 1,000,000 local and small businesses that are managed by Kaseya’s customers, only about 800 to 1,500 have been compromised."

Kaseya's CEO also added that "this highly sophisticated attack has proven to be, thankfully, greatly overstated."

CISA and the FBI have shared guidance for victims of this attack, and the White House National Security Council is urging victims to report incidents and follow the guidance issued by Kaseya.

US warns of action against ransomware gangs if Russia refuses
  19. Coop supermarket closes 500 stores after Kaseya ransomware attack

Source: Nicklas Andersson

Swedish supermarket chain Coop has shut down approximately 500 stores after they were affected by an REvil ransomware attack targeting managed service providers through a supply-chain attack.

Last night, the supermarket chain closed its stores after the REvil ransomware gang targeted managed service providers (MSPs) and their customers in a massive supply-chain attack through Kaseya VSA, a remote patch management and monitoring suite.

Soon after the attack, Coop posted a notice stating all of their stores except for five had been shut down after cash registers no longer functioned due to an "IT attack" on one of their suppliers.

Right now, many of our stores are temporarily closed. The following stores are NOT affected and are open: The online store on coop.se, stores in Värmland, Oskarshamn, Tabergsdalen, Norrbotten and on Gotland. One of our suppliers has been hit by an IT attack and therefore the cash registers do not work. We regret this and do everything to be able to open again soon. - Coop.

Translated notice posted on Coop's website

In a statement to BleepingComputer, Coop said that the attack was not aimed at them but at their supplier Visma Esscom.

Coop first learned of the attack at approximately 7 PM last night when there were problems with the cash registers, causing stores to close. The stores continue to be closed through Saturday as Coop works on restoring operations.

"We got signals from some of our stores last night at about 7 pm that there were problems with the cash registers. Since the customers could not pay, some stores closed early last night. During the night we have worked on the problem, and this morning at 8 am we took the decision to close the stores, with the exception of a few regions that weren’t affected, to be able to solve the problem without interference.

"So, not all of our 800 stores were affected, but a majority of them. They have been closed the whole day today Saturday."

BBC reporter Joe Tidy further confirmed that Coop had to shut down approximately 500 stores due to the ransomware attack.

If you have first-hand information about this attack or information about companies affected by the Kaseya cyberattack, we would love to hear about it. You can confidentially contact us on Signal at +16469613731 or on Wire at @lawrenceabrams-bc.

Encrypted through MSP supply chain attack

Yesterday, REvil ransomware conducted a massive attack through the Kaseya VSA patch and remote management software that encrypted MSPs worldwide and their customers.

Coop is a customer of Swedish MSP Visma, which manages the supermarket chain's point-of-sale system used to power cash registers and self-checkout kiosks.

Visma confirmed they were affected by the Kaseya cyber attack that allowed the REvil ransomware to encrypt their customers' systems.

"Kaseya, which supplies software for remote control and operation of clients and servers in the retail trade, has been subjected to a cyber attack that is currently affecting Visma EssCom and many other companies around the world."

"The attack results in the Kaseya software that Visma EssCom and many other service providers use in their deliveries to retailers can be used to spread a ransomware virus to clients and servers in customers' IT environments."

"The most critical consequence is that stores cannot charge their customers when the cash registers are infected. The attack on Kaseya was discovered on Friday night."

The attack on Coop is just the first in what will be a long list of victims from this attack. Visma alone states they have 1 million customers, many of whom may have been affected by the REvil ransomware attack yesterday.

In a statement to BleepingComputer, Kaseya CEO Fred Voccola stated that they know of 40 customers affected by the attack.

While this is a small number, it is essential to remember that each of these MSPs could potentially work with hundreds of thousands of businesses, making this the most significant ransomware attack ever conducted.

At this time, Kaseya states that REvil used a vulnerability in their on-premise VSA service to conduct the attack and that a patch would be released soon.

Coop supermarket closes 500 stores after Kaseya ransomware attack
  20. US chemical distributor shares info on DarkSide ransomware data theft

World-leading chemical distribution company Brenntag has shared additional info on what data was stolen from its network by DarkSide ransomware operators during an attack from late April 2021 that targeted its North America division.

Brenntag is the second largest in sales for North America, according to the ICIS report on the Top 100 Chemical Distributors worldwide. The chemical distribution company is headquartered in Germany and has more than 17,000 employees worldwide at over 670 sites.

Stolen info includes SSNs, medical info, more

Brenntag confirmed the ransomware attack in an email statement sent to BleepingComputer on May 13, saying that it disconnected all impacted systems from the network after the incident was discovered to contain the threat.

However, as revealed in data breach notification letters sent to affected individuals during late June, the chemical distribution firm became aware of the attack on April 28, two days after the DarkSide operators breached its network.

"Our investigation confirmed that Brenntag systems were accessed without authorization starting on April 26, 2021, and/or that some information was taken from our system," the company said.

The data exfiltrated by the DarkSide attackers includes "social security number, date of birth, driver's license number, and select medical information."

Luckily, as Brenntag further explained, third-party cybersecurity forensic experts hired to investigate the incident found no evidence that the stolen information was misused for fraudulent purposes.

The company also asked the impacted individuals (more than 6700 according to info provided to Maine's Attorney General) to review their account statements and keep an eye on their free credit reports to detect any attempts at identity theft and fraud.

"If you find any transactions you do not recognize, contact the business or institution issuing the statement," Brenntag added.

$4.4 million ransom paid to DarkSide

As BleepingComputer reported in May, the chemical distributor paid a $4.4 million ransom to DarkSide for a decryptor and to prevent the ransomware gang from leaking the stolen data.

The ransom was negotiated down from 133.65 bitcoins (roughly $7.5 million at the time), with Brenntag having sent the $4.4 million to the attackers on May 11, as BleepingComputer was able to confirm.

After the attack, the DarkSide ransomware group claimed to have exfiltrated 150GB of data while they had access to Brenntag's systems. As proof of their claims, the threat actors also created a private data leak page with a description of the types of stolen data and screenshots of some of the files.

Private data leak page sent to Brenntag

The DarkSide affiliate who breached Brenntag's systems claimed to have gotten access to the network using stolen credentials bought from an unknown source.

This aligns with similar tactics employed by other ransomware gangs who regularly purchase stolen credentials (including Remote Desktop credentials) from dark web marketplaces. BleepingComputer reported in April that threat actors used UAS, one of the largest RDP marketplaces, to sell more than 1.3 million stolen credentials since the end of 2018.

The DarkSide ransomware gang has been active since August 2020 with a focus on corporate networks, asking millions of dollars for decryptors and the promise not to release stolen data.

The ransomware group landed in the crosshairs of the US government and law enforcement after hitting Colonial Pipeline, the largest fuel pipeline in the US. Following heightened scrutiny from law enforcement, DarkSide decided to suddenly shut down in May out of fear of being arrested.

DarkSide hit other organizations in the past, including Discount Car and Truck Rentals, Brookfield Residential, and Brazil's Eletrobras and Copel energy companies.

US chemical distributor shares info on DarkSide ransomware data theft
  21. REvil ransomware hits 200 companies in MSP supply-chain attack

A massive REvil ransomware attack affects multiple managed service providers and their clients through a reported Kaseya supply-chain attack.

Starting this afternoon, the REvil ransomware gang targeted approximately six large MSPs, with thousands of customers, through what appears to be a Kaseya VSA supply-chain attack.

Kaseya VSA is a cloud-based MSP platform that allows providers to perform patch management and client monitoring.

Huntress Labs' John Hammond has told BleepingComputer that all of the affected MSPs are using Kaseya VSA and that they have proof that their customers are being encrypted as well.

"We have 3 Huntress partners that are impacted with roughly 200 businesses encrypted," Hammond told BleepingComputer.

Kaseya is warning all VSA customers to immediately shut down their VSA server to prevent the attack's spread while they investigate.

"We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today," reads a warning on Kaseya's site.

"We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us."

"It's critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA."

REvil attack spread through autoupdate

BleepingComputer has been told by both Huntress' John Hammond and Sophos' Mark Loman that the attacks on MSPs appear to be a supply chain attack through Kaseya VSA.

According to Hammond, an agent.crt file is dropped by Kaseya VSA, which is then decoded with the legitimate certutil.exe to extract an agent.exe file. This agent.exe includes an embedded 'MsMpEng.exe' and 'mpsvc.dll,' with the DLL being the REvil encryptor. MsMpEng.exe (the legitimate Windows Defender executable) is used as a LOLBin to launch the DLL, so the device is encrypted through a trusted executable.

The agent.exe extracting and launching embedded resources

Ransomware gang demands a $5 million ransom

A sample of the REvil ransomware used in one of these attacks has been shared with BleepingComputer. However, it is unknown if this is the sample used for every victim or if each MSP received its own ransom demand.

In one of the samples, the ransomware gang is demanding a $5,000,000 ransom for a decryptor.

Ransom demand

While REvil is known to steal data before deploying the ransomware and encrypting devices, it is unknown if the attackers exfiltrated any files.

This is a developing story and will continue to be updated.

REvil ransomware hits 200 companies in MSP supply-chain attack
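The delivery chain described in the article above (certutil.exe decoding agent.crt into agent.exe, which then drops a legitimate MsMpEng.exe beside a malicious mpsvc.dll and side-loads it) leaves two process-level traces a defender can alert on. The following is an added example, not code from BleepingComputer, Huntress, Sophos or Kaseya: a small detector that runs over constructed Sysmon-style process-creation and image-load records. The event layout, the file paths (C:\Temp, the hypothetical VSAAgent.exe parent) and the sample events are all constructed for this example; the two Windows Defender install directories it treats as legitimate are the real default locations.

```python
"""Detect the REvil/Kaseya delivery chain from process telemetry.

Added example, not part of the original article. It flags:
  1. certutil.exe being used with -decode (the agent.crt -> agent.exe step);
  2. MsMpEng.exe starting from outside Windows Defender's install directories;
  3. mpsvc.dll being loaded from outside those directories (DLL side-loading).
All sample events below are constructed; none are captured from a real host.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Real default install locations of Windows Defender; a genuine MsMpEng.exe
# and its mpsvc.dll live under one of these (compared case-insensitively).
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

# Matches " -decode " or " -decodehex " anywhere in a lower-cased command line.
CERTUTIL_DECODE = re.compile(r"\s-decode(hex)?\s")


@dataclass
class ProcessEvent:
    """One process-creation record plus the DLLs it later loaded (Sysmon 1 + 7)."""
    image: str                       # full path of the new process
    command_line: str
    parent_image: str
    loaded_dlls: Tuple[str, ...] = field(default_factory=tuple)


def under_defender_dir(path: str) -> bool:
    """True if `path` sits inside one of the legitimate Defender directories."""
    p = path.lower()
    return any(p.startswith(d + "\\") for d in DEFENDER_DIRS)


def detect(events: List[ProcessEvent]) -> List[str]:
    """Return one alert string per suspicious observation, in event order."""
    alerts: List[str] = []
    for ev in events:
        name = ntpath.basename(ev.image).lower()
        if name == "certutil.exe" and CERTUTIL_DECODE.search(ev.command_line.lower()):
            alerts.append(f"certutil-decode: {ev.command_line}")
        if name == "msmpeng.exe" and not under_defender_dir(ev.image):
            alerts.append(f"msmpeng-outside-defender-dir: {ev.image}")
        for dll in ev.loaded_dlls:
            if ntpath.basename(dll).lower() == "mpsvc.dll" and not under_defender_dir(dll):
                alerts.append(f"mpsvc-sideload: {dll}")
    return alerts


# Constructed sample telemetry (hypothetical paths and parent process).
SAMPLE_EVENTS = [
    # Step 1 of the chain: the dropped .crt is base64-decoded into an .exe.
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -decode C:\Temp\agent.crt C:\Temp\agent.exe",
                 r"C:\Temp\VSAAgent.exe"),
    # Step 2: a copy of MsMpEng.exe runs from a scratch folder and loads the
    # attacker's mpsvc.dll that sits next to it.
    ProcessEvent(r"C:\Temp\MsMpEng.exe", r"MsMpEng.exe", r"C:\Temp\agent.exe",
                 loaded_dlls=(r"C:\Temp\mpsvc.dll",)),
    # Benign: the real Defender engine loading its own mpsvc.dll.
    ProcessEvent(r"C:\Program Files\Windows Defender\MsMpEng.exe", r"MsMpEng.exe",
                 r"C:\Windows\System32\services.exe",
                 loaded_dlls=(r"C:\Program Files\Windows Defender\mpsvc.dll",)),
    # Benign: certutil used for certificate work, not decoding.
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -verify C:\Temp\server.cer",
                 r"C:\Windows\System32\cmd.exe"),
]


def run_sample() -> List[str]:
    """Run the detector over the constructed events (3 alerts expected)."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On a real host the same rules map onto Sysmon Event ID 1 (process creation) for the certutil and MsMpEng checks and Event ID 7 (image load) for the mpsvc.dll check; the two benign events in the sample show why the Defender-directory allow-list is needed, since a bare "MsMpEng.exe loaded mpsvc.dll" rule would fire on every healthy Windows machine.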
  22. US insurance giant AJG reports data breach after ransomware attack

Arthur J. Gallagher (AJG), a US-based global insurance brokerage and risk management firm, is mailing breach notification letters to potentially impacted individuals following a ransomware attack that hit its systems in late September.

"Working with the cybersecurity and forensic specialists to determine what may have happened and what information may have been affected, we determined that an unknown party accessed or acquired data contained within certain segments of our network between June 3, 2020 and September 26, 2020," AJG said.

As one of the largest insurance brokers in the world, AJG has over 33,300 employees and its operations span 49 countries. The company is also ranked 429 on the Fortune 500 list, and it reportedly provides insurance services to customers from more than 150 countries.

Personal, financial, and health information exposed in the attack

While AJG didn't say in the SEC filing announcing the ransomware attack if any customer or employee data was accessed or stolen by the attackers, a subsequent investigation found multiple types of sensitive information stored on systems breached during the incident.

The types of information discovered on compromised systems during the review include: "Social Security number or tax identification number, driver's license, passport or other government identification number, date of birth, username and password, employee identification number, financial account or credit card information, electronic signature, medical treatment, claim, diagnosis, medication or other medical information, health insurance information, medical record or account number, and biometric information."

To further illustrate the types of sensitive data that might've gotten accessed in the incident, AJG says in its privacy policy that it collects the following info from customers:

  • personal details (e.g., name, date of birth);
  • contact details (e.g., phone number, email address, postal address or mobile number);
  • government-issued identification details (e.g., social security and national insurance numbers, passport details);
  • health and medical details (e.g., health certificates);
  • policy details (e.g., policy numbers and types);
  • bank details (e.g., payment details, account numbers, and sort codes);
  • driving license details;
  • online log-in information (e.g., username, password, answers to security questions);
  • information relating to any claims;
  • other information received from applications or required questionnaires (e.g., occupation, current employer);

AJG is now notifying data regulatory authorities and all potentially impacted individuals (7,376 according to information provided to the Office of Maine's Attorney General) as required by law.

The company is also warning affected individuals of identity theft risks and recommends keeping an eye out for unusual activity on their account statements and credit reports.

While Gallagher is not aware of any attempted or actual misuse of the impacted information, Gallagher is providing access to credit monitoring services for twenty-four months through Kroll to individuals whose personal information was affected by this incident, at no cost to these individuals. — AJG

AJG shut down all systems to block the attack

AJG said in an 8-K filing with the U.S. Securities and Exchange Commission (SEC) on September 28, 2020, that only a limited number of its internal systems were affected by the ransomware attack.

"We promptly took all of our global systems offline as a precautionary measure, initiated response protocols, launched an investigation, engaged the services of external cybersecurity and forensics professionals, and implemented our business continuity plans to minimize disruption to our customers," AJG said.

The company didn't reply to any of BleepingComputer's attempts to reach out for more info on how the attackers breached its network. However, Bad Packets' chief research officer Troy Mursch said they had two F5 BIG-IP servers on their network vulnerable to CVE-2020-5902 before the ransomware attack.

At the moment, the ransomware gang behind this attack is still unknown. Still, more than 20 different ransomware operations are known to first steal sensitive files from victims' servers before deploying their payloads.

This stolen data is used as leverage to force compromised organizations into paying ransoms under the threat of gradually leaking the info. In some cases, the ransomware gangs are also increasing the ransom until the entire batch of stolen files is leaked on sites specifically designed for this exact purpose.

US insurance giant AJG reports data breach after ransomware attack
  23. Trickbot cybercrime group linked to new Diavol ransomware

FortiGuard Labs security researchers have linked a new ransomware strain dubbed Diavol to Wizard Spider, the cybercrime group behind the Trickbot botnet.

Diavol and Conti ransomware payloads were deployed on different systems in a ransomware attack blocked by the company's EDR solution in early June 2021.

The two ransomware families' samples are cut from the same cloth, from the use of asynchronous I/O operations for file encryption queuing to using virtually identical command-line parameters for the same functionality (i.e., logging, drives and network shares encryption, network scanning).

However, despite all similarities, the researchers couldn't find a direct link between Diavol ransomware and the Trickbot gang, with some significant differences making high-confidence attribution impossible.

For instance, there are no built-in checks in Diavol ransomware preventing the payloads from running on Russian targets' systems, as Conti does. There's also no evidence of data exfiltration capabilities before encryption, a common tactic used by ransomware gangs for double extortion.

Diavol ransomware Tor site (Fortinet)

Diavol ransomware capabilities

Diavol ransomware's encryption procedure uses user-mode Asynchronous Procedure Calls (APCs) with an asymmetric encryption algorithm. This sets it apart from other ransomware families, as they commonly use symmetric algorithms to significantly speed up the encryption process.

Diavol also lacks any obfuscation, as it doesn't use packing or anti-disassembly tricks, but it still manages to make analysis harder by storing its main routines within bitmap images.

When executing on a compromised machine, the ransomware extracts the code from the images' PE resource section and loads it within a buffer with execution permissions.

The code it extracts amounts to 14 different routines that will execute in the following order:

  • Create an identifier for the victim
  • Initialize configuration
  • Register with the C&C server and update the configuration
  • Stop services and processes
  • Initialize encryption key
  • Find all drives to encrypt
  • Find files to encrypt
  • Prevent recovery by deleting shadow copies
  • Encryption
  • Change the desktop wallpaper

Right before Diavol ransomware is done, it will change each encrypted Windows device's background to a black wallpaper with the following message: "All your files are encrypted! For more information see README-FOR-DECRYPT.txt"

"Currently, the source of the intrusion is unknown," Fortinet says. "The parameters used by the attackers, along with the errors in the hardcoded configuration, hint to the fact that Diavol is a new tool in the arsenal of its operators which they are not yet fully accustomed to."

Additional Diavol ransomware technical info and indicators of compromise (IOCs) can be found at the end of FortiGuard Labs's threat research report.

Diavol ransomware wallpaper (Fortinet)

Ransomware targets set on enterprises

Wizard Spider is a Russia-based, financially motivated cybercrime group that operates the Trickbot botnet, which is used to drop second-stage malware on compromised systems and networks.

Trickbot is particularly dangerous to enterprises since it propagates through corporate networks. If it gets admin access to a domain controller, it will also steal the Active Directory database to collect even more network credentials the group can use to make their job easier.

While Microsoft and several partners announced the takedown of some Trickbot C2s after the US Cyber Command also reportedly tried to cripple the botnet, TrickBot is still active, with the group still releasing new malware builds.

The TrickBot gang's operations entered a higher gear during the summer of 2018 when they started targeting corporate networks using Ryuk ransomware, and again in 2020 after switching to Conti ransomware.

The developers of Trickbot also started deploying the stealthy BazarLoader backdoor in attacks in April 2020, a tool designed to help them compromise and gain full access to corporate networks before deploying the ransomware payloads.

Trickbot cybercrime group linked to new Diavol ransomware
  24. Leaked Babuk Locker ransomware builder used in new attacks

A leaked tool used by the Babuk Locker operation to create custom ransomware executables is now being used by another threat actor in a very active campaign targeting victims worldwide.

Babuk Locker was a ransomware operation that launched at the beginning of 2021 when it began targeting corporate victims and stealing their data in double-extortion attacks.

After performing an attack on Washington DC's Metropolitan Police Department (MPD) and feeling the pressure from law enforcement, the ransomware gang shut down in April and switched to a non-encrypting data extortion model under the name PayLoad Bin.

Babuk Locker builder leaked

Last week, security researcher Kevin Beaumont discovered that someone uploaded the Babuk operation's ransomware builder to VirusTotal.

When BleepingComputer tested the builder, it was simplistic to generate customized ransomware. All a threat actor has to do is modify the enclosed ransom note to include their own contact info, and then run the build executable to create customized ransomware encryptors and decryptors that target Windows, VMware ESXi, Network Attached Storage (NAS) x86, and NAS ARM devices.

Using the builder to create a customized Babuk ransomware
Source: BleepingComputer.com

Babuk builder used to launch new attacks

Soon after the builder was leaked online, a threat actor began using it to launch a very active ransomware campaign.

Starting on Tuesday, a victim reported on Reddit that they were hit by ransomware calling itself 'Babuk Locker.' Security researcher MalwareHunterTeam also told BleepingComputer that ID Ransomware received a sharp spike in Babuk Locker submissions starting on June 29th.

These victims are from all over the world, and the submitted ransom notes all contained the email address of the threat actor.

A sharp spike in Babuk Ransomware submissions to ID Ransomware

Like the original operation, this ransomware attack adds the .babyk extension to encrypted file names and drops a ransom note named How To Restore Your Files.txt.

Files encrypted by Babuk Locker
Source: BleepingComputer

Compared to the original Babuk Ransomware operation that demanded hundreds of thousands, if not millions, of dollars to recover their files, this new threat actor is only asking for .006 bitcoins, or approximately $210, from their victims.

Ransom note from new Babuk ransomware attack
Source: BleepingComputer

Another noticeable change is that the original Babuk Locker operation utilized a dedicated Tor payment site used to negotiate with victims. However, the new attacks are using email to communicate with victims through a [email protected] email address.

It is unclear how the ransomware is being distributed, but we have created a dedicated Babuk Locker support topic that victims can use to share more information about the attack.

If anyone pays the ransom demand for this new ransomware campaign, please let us know as we would like to ask you some private questions.

Leaked Babuk Locker ransomware builder used in new attacks
  25. Lorenz ransomware decryptor recovers victims' files for free

Dutch cybersecurity firm Tesorion has released a free decryptor for the Lorenz ransomware, allowing victims to recover some of their files without paying a ransom.

Lorenz is a human-operated ransomware that began operating in April 2021 and has since listed twelve victims whose data they have stolen and leaked on their ransomware data leak site.

Lorenz ransomware data leak site

Lorenz is not particularly active and has begun to taper off in recent months compared to other operations.

Lorenz ransomware decryptor released

The Lorenz ransomware decryption tool can be downloaded from NoMoreRansom and will allow victims to recover some of their encrypted files.

Unlike other ransomware decryptors that include the actual decryption key, Tesorion's decryptor operates differently and can only decrypt certain file types.

Tesorion researcher Gijs Rijnders told BleepingComputer that only files with well-known file structures could be decrypted, such as Office documents, PDF files, some image types, and movie files.

While the decryptor will not decrypt every file type, it will still allow those who do not pay the ransom to recover important files.

As you can see below, the decryptor can decrypt well-known file types, such as XLS and XLSX files, without a problem. However, it will not decrypt unknown file types or those with uncommon file structures.

Lorenz ransomware decryptor

In addition to providing a decryptor, Tesorion provided insight into the encryption technique used by the Lorenz ransomware.

In a blog post, Rijnders explains that a bug in how they implement their encryption can cause data to become lost, which would prevent a file from being decrypted even if a ransom was paid.

"The result of this bug is that for every file whose size is a multiple of 48 bytes, the last 48 bytes are lost. Even if you managed to obtain a decryptor from the malware authors, these bytes cannot be recovered," explains Rijnders.

Lorenz ransomware decryptor recovers victims' files for free
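An added illustration (not Tesorion's or Lorenz's code) of the bug class Rijnders describes: a block-wise loop that silently drops the final block exactly when the input length is a multiple of the 48-byte block size, so those bytes are gone before any key is involved. The XOR stand-in cipher, the loop shape, and the `trailing_bytes_lost` and `files_at_risk` helpers are constructed for this example; how Lorenz actually implements its encryption is not shown on this page.

```python
BLOCK = 48  # the 48-byte block size named in Rijnders' description


def _xor(chunk: bytes, key: bytes) -> bytes:
    """Toy symmetric transform standing in for the real cipher (XOR is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(chunk))


def buggy_transform(data: bytes, key: bytes) -> bytes:
    """Constructed bug: full blocks are processed only while another block
    strictly follows, and the tail handler runs only for a partial remainder.
    When len(data) % 48 == 0 the final full block is never written out."""
    out, off, n = bytearray(), 0, len(data)
    while off + BLOCK < n:          # strict '<' stops before the last full block
        out += _xor(data[off:off + BLOCK], key)
        off += BLOCK
    if n % BLOCK:                   # only a *partial* tail is handled here
        out += _xor(data[off:], key)
    return bytes(out)


def correct_transform(data: bytes, key: bytes) -> bytes:
    """Same transform with the final block handled unconditionally."""
    return b"".join(_xor(data[off:off + BLOCK], key)
                    for off in range(0, len(data), BLOCK))


def trailing_bytes_lost(size: int, key: bytes = b"k") -> int:
    """Bytes of a `size`-byte file that the buggy loop destroys. Recovery uses
    the correct inverse loop, as a decryptor holding the right key would, so
    whatever is missing here cannot be recovered even with the attacker's key."""
    original = (bytes(range(256)) * (size // 256 + 1))[:size]  # constructed file
    recovered = correct_transform(buggy_transform(original, key), key)
    assert original.startswith(recovered)   # what survives is intact
    return len(original) - len(recovered)


def files_at_risk(sizes: dict) -> list:
    """Triage helper: names of files (pre-encryption sizes, e.g. from a backup
    inventory) that fall on the 48-byte boundary the bug mishandles."""
    return sorted(name for name, size in sizes.items()
                  if size > 0 and trailing_bytes_lost(size) > 0)
```

The same boundary test (lengths of 0, 47, 48, 96, 100 bytes) belongs in the unit tests of any chunked file processor, which is the lesson defenders can take from this bug.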