Feb 08 2024

As-a-Service tools empower criminals with limited tech skills

Category: Cybercrime, Ransomware, Security Tools | disc7 @ 9:45 am

As-a-service attacks continue to dominate the threat landscape, with Malware-as-a-Service (MaaS) and Ransomware-as-a-Service (RaaS) tools making up the majority of malicious tools in use by attackers, according to Darktrace.

Cybercriminals exploit as-a-Service tools

As-a-Service tools can provide attackers with everything from pre-made malware to templates for phishing emails, payment processing systems and even helplines to enable criminals to mount attacks with limited technical knowledge.

The most common as-a-Service tools Darktrace saw in use from July to December 2023 were:

  • Malware loaders (77% of investigated threats), which can deliver and execute other forms of malware and enable attackers to repeatedly target affected networks.
  • Cryptominers (52% of investigated threats), which use an infected device to mine for cryptocurrency.
  • Botnets (39% of investigated threats), which enrol users in wider networks of infected devices that attackers then leverage in larger-scale attacks on other targets.
  • Information-stealing malware (36% of investigated threats), malicious software like spyware or worms, designed to secretly access and collect sensitive data from a victim’s computer or network.
  • Proxy botnets (15% of investigated threats), more sophisticated botnets that use proxies to hide the true source of their activity.

Phishing threats escalate in business communications

Darktrace identified Hive ransomware as one of the major Ransomware-as-a-Service attacks at the beginning of 2023. With the dismantling of Hive by the US government in January 2023, Darktrace observed the rapid growth of a range of threats filling the void, including ScamClub, a malvertising actor notorious for spreading fake virus alerts to notable news sites, and AsyncRAT, responsible for attacking US infrastructure employees in recent months.

As businesses continue to rely on email and collaboration tools for communication, methods such as phishing continue to cause a headache for security teams. Darktrace detected 10.4 million phishing emails across its customer fleet between the 1st September and the 31st December 2023.

But the report also highlights how cybercriminals are embracing more sophisticated tools and tactics designed to evade traditional security parameters. One example is the rise of Microsoft Teams phishing in which attackers contact employees through Teams, posing as a co-worker and tricking them into clicking malicious links.

In one case in September 2023, Darktrace identified a suspected Teams phisher attempting to trick users into clicking a SharePoint link that would download the DarkGate malware and deploy further strains of malware across the network.

Multi-function malware on the rise

Another new trend identified is the growth of malware developed with multiple functions to inflict maximum damage. Often deployed by sophisticated groups like cyber cartels, these Swiss Army knife-style threats combine capabilities.

For example, the recent Black Basta ransomware also spreads the Qbot banking trojan for credential theft. Such multi-tasking malware lets attackers cast a wide net to monetise infections.

“Throughout 2023, we observed significant development and evolution of malware and ransomware threats, as well as changing attacker tactics and techniques resulting from innovation in the tech industry at large, including the rise in generative AI. Against this backdrop, the breadth, scope, and complexity of threats facing organizations has grown significantly,” comments Hanah Darley, Director of Threat Research, Darktrace. “Security teams face an up-hill battle to stay ahead of attackers, and need a security stack that keeps them ahead of novel attacks, not chasing yesterday’s threats.”

Future Crimes: Inside the Digital Underground and the Battle for Our Connected World

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: As-a-Service, darktrace, Malware


Jan 11 2024

INSIDE THE SCAM: HOW RANSOMWARE GANGS FOOL YOU WITH DATA DELETION LIES!

Category: Ransomware | disc7 @ 2:29 pm

Recently, there has been an emergence of a new scam targeting victims of ransomware attacks. This scam involves individuals or groups posing as “security researchers” or “ethical hackers,” offering to delete data stolen by ransomware attackers for a fee. The scam plays on the fears and vulnerabilities of organizations already compromised by ransomware attacks, such as those by the Royal and Akira ransomware gangs.

The modus operandi of these scammers is quite consistent and alarming. They approach organizations that have already been victimized by ransomware and offer a service to hack into the servers of the ransomware groups and delete the stolen data. This proposition typically comes with a significant fee, sometimes in the range of 1-5 Bitcoins (which could amount to about $190,000 to $220,000).

These scammers often use platforms like Tox Chat to communicate with their targets and may go by names like “Ethical Side Group” or use monikers such as “xanonymoux.” They tend to provide “proof” of access to the stolen data, which they claim is still on the attacker’s servers. In some instances, they accurately report the amount of data exfiltrated, giving their claims an air of credibility.

A notable aspect of this scam is that it adds an additional layer of extortion to the victims of ransomware. Not only do these victims have to contend with the initial ransomware attack and the associated costs, but they are also faced with the prospect of paying yet another party to ensure the safety of their data. This situation highlights the complexities and evolving nature of cyber threats, particularly in the context of ransomware.

Security experts and researchers, like those from Arctic Wolf, have observed and reported on these incidents, noting the similarities in the tactics and communication styles used by the scammers in different cases. However, there remains a great deal of uncertainty regarding the actual ability of these scammers to delete the stolen data, and their true intentions.

THE EMERGING SCAM IN RANSOMWARE ATTACKS

1. THE FALSE PROMISE OF DATA DELETION

  • Ransomware gangs have been known not to always delete stolen data even after receiving payment. Victims are often misled into believing that paying the ransom will result in the deletion of their stolen data. However, there have been numerous instances where this has not been the case, leading to further exploitation.

2. FAKE ‘SECURITY RESEARCHER’ SCAMS

  • A new scam involves individuals posing as security researchers, offering services to recover or delete exfiltrated data for a fee. These scammers target ransomware victims, often demanding payment in Bitcoin. This tactic adds another layer of deception and financial loss for the victims.

3. THE HACK-BACK OFFERS

  • Ransomware victims are now being targeted by fake hack-back offers. These offers promise to delete stolen victim data but are essentially scams designed to extort more money from the victims. This trend highlights the evolving nature of cyber threats and the need for greater awareness.

4. THE ILLOGICAL NATURE OF PAYING FOR DATA DELETION

  • Paying to delete stolen data is considered an illogical and ineffective strategy. Once data is stolen, there is no guarantee that the cybercriminals will honor their word. The article argues that paying the ransom often leads to more harm than good.

5. THE ROLE OF RANSOMWARE GROUPS

  • Some ransomware groups are involved in offering services to delete exfiltrated data for a fee. However, these offers are often scams, and there is no assurance that the data will be deleted after payment.

These scams underscore the critical importance of cybersecurity vigilance and the need for robust security measures to protect against ransomware and related cyber threats. They also highlight the challenging decision-making process for organizations that fall victim to ransomware: whether to pay the ransom, how to handle stolen data, and how to respond to subsequent extortion attempts.

The Ransomware Hunting Team: A Band of Misfits’ Improbable Crusade to Save the World from Cybercrime


Tags: ransomware attacks


Oct 04 2023

9 essential ransomware guides and checklists available for free

Category: Cheat Sheet, Ransomware | disc7 @ 2:14 pm

According to Fortinet, ransomware activity has intensified, registering an increase of 13 times compared to the beginning of 2023 in terms of all malware detections. The rise of Ransomware-as-a-Service has primarily driven this surge in ransomware variations.

According to a recent study, 65% of organizations identified ransomware as one of their top three threats to their operational viability. Additionally, ransomware is the most significant threat for 13% of these organizations.

Here’s a collection of free ransomware guides and checklists you can access without registration.

#StopRansomware guide

This guide came from the Joint Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing & Analysis Center (MS-ISAC) and was developed through the Joint Ransomware Task Force. This guide includes two primary resources:

  • Ransomware and Data Extortion Prevention Best Practice
  • Ransomware and Data Extortion Response Checklist

Mitigating malware and ransomware attacks

This guidance from the National Cyber Security Centre UK helps private and public sector organizations deal with malware’s effects (including ransomware). It provides actions to help organizations prevent a malware infection and steps to take if you’re already infected.

Definitive guide to ransomware

As more ransomware attacks and variants rise monthly, IBM Security X-Force believes ransomware will continue to threaten businesses in the coming years. This document provides guidance to organizations before and during a ransomware attack.

Mapping the ransomware landscape

In partnership with the DACG, ANSSI publishes the guide: Ransomware attacks, all concerned – How to prevent them and respond to an incident. The guide is very practical and is aimed particularly at general and IT managers in the private sector and local authorities.

Ransomware response checklist

If your organization is a victim of a ransomware incident, this checklist may assist in identification, containment, remediation, and system(s) recovery. Organizations are recommended to review and familiarize themselves with the steps in the checklist before an incident.

Ransomware survival guide: Recover from an attack

In this ransomware survival guide, the authors share lessons they’ve learned and best practices they’ve developed to help organizations coordinate their response to an attack and make timely, strategic decisions through all phases of the response.

The ultimate guide to ransomware

This guide explains what ransomware is, how it works, and how you can remove it and protect yourself.

Cybersecurity for small business: Ransomware

Learn the basics for protecting your business, and take a quiz about what you learned. The tips were developed in partnership with the National Institute of Standards and Technology, the U.S. Small Business Administration, and the Department of Homeland Security.

Aspects of ransomware covered by the Budapest Convention

The Cybercrime Convention Committee just adopted a guidance note on ransomware. It shows how the provisions of the Convention on Cybercrime and its new Second Additional Protocol can be used to criminalize, investigate and prosecute ransomware-related offences and to engage in international cooperation.


Tags: guides and checklists available for free


Sep 23 2023

Ransomware cyber insurance claims up by 27%

Category: Cyber Insurance, Ransomware | disc7 @ 2:45 pm

Increase in ransomware claims frequency

Coalition found that both claims frequency and severity rose for businesses in early 2023 across all revenue bands. Companies with over $100 million in revenue saw the largest increase (20%) in the number of claims as well as more substantial losses from attacks – with a 72% increase in claims severity from 2H 2022.

“The cyber threat landscape has become more volatile, and, as a result, we’ve seen claims become more severe and more common than ever,” said Chris Hendricks, Head of Coalition Incident Response.

“To help prevent these costly and disruptive incidents, organizations need to take an active role in improving their security defenses and make risk management a top priority,” added Hendricks.

Coalition’s report also saw a resounding increase in ransomware claims frequency in 1H 2023, which grew by 27% from 2H 2022. Claims severity also reached a record high, increasing 61% from the previous half and 117% over last year.

Moreover, cybercriminals increased their demands: the average ransom demand was $1.62 million, a 47% increase over the previous six months and a 74% increase over the past year.

Email security remained critical to claims reduction

The company also recovered an unprecedented $23 million in stolen funds — all of which went directly back to policyholders. Notably, Coalition’s total FTF (funds transfer fraud) recovery amount was nearly three times greater than 2H 2022. The average recovery amount was $612,000 per FTF claim, representing 79% of all FTF losses in instances where recovery was possible.

FTF claims frequency increased by 15% in 1H 2023, and FTF severity increased by 39% to an average loss of more than $297,000. This half, Coalition negotiated ransomware payments down to an average of 44% of the initial amount demanded.

Businesses using Google Workspace for email were markedly more secure than those using Microsoft Office 365 (M365) and on-premises Microsoft Exchange. M365 users were more than twice as likely to experience a claim compared to Google Workspace users. On-premises Microsoft Exchange users were nearly three times more likely to experience a claim than businesses using Google Workspace.

Overall, companies using Google Workspace experienced a 25% risk reduction for FTF or BEC claims and a 10% risk reduction for ransomware claims.

Cyber Insurance – The Cyber Insurance Survival Guide: Expert Strategies for Preparing and Responding To Cyber Insurance Applications


Tags: cyber insurance claims


Aug 25 2023

Cloud Hosting Provider Lost all Customer Data Following Ransomware Attack

Category: Information Security, Ransomware | disc7 @ 10:01 am


There has been a cyber attack on two cloud hosting providers, namely CloudNordic and Azero Cloud, which Certiqa Holding owns. The cyberattack has resulted in complete data loss for all their customers.

The attack reportedly took place on Friday, April 18, 2023, at around 4 AM, when CloudNordic and Azero Cloud were hit by a ransomware attack in which the threat actors shut down all the systems, including customer systems, e-mail systems, customers’ websites, and everything else they gained access to.

Both companies mentioned that they could not and didn’t want to pay the ransom demanded by the threat actors. However, the IT teams of CloudNordic and Azero Cloud are working with external experts to get complete information about the attack and possible recreation.

Unfortunately, the companies could not recover or recreate any customer data, and they have lost every piece of data on their customers, mail servers, web servers, etc.

Current Status

CloudNordic and Azero Cloud were severely affected by this cyber attack. They have lost a large amount of critical customer data but have re-established communications.

This means they have now deployed blank systems, including name servers, web servers, and mail servers. However, none of them contain any previous data.

The company has sorted out a way to restore the DNS administration interface that can enable users to get email and the web working again.

Attack Explanation

As per the report submitted to Cyber Security News, both companies were migrating between data centers and had some systems that were already infected before the migration, which the companies did not know about.

Nevertheless, some servers used to manage all the servers were still wired to the previous network. Threat actors gained access to the administration systems with this network misconfiguration, which paved their way toward the backup systems (both primary and secondary backup).

The attackers encrypted all the systems they had access to, including all the virtual machines. Large amounts of data were reported to have been encrypted by the ransomware, but there seems to be no evidence of data being copied.

Both companies claimed there seemed to be no evidence of a data breach and regretted the inconvenience caused to their customers.

With the rise in cyberattacks and cybercriminals, every organization must implement multiple security measures and monitor every piece of traffic to prevent these kinds of cyberattacks.

Ransomware – Understand Prevent Recover


Tags: ransomware


Jul 12 2023

Staying ahead of the “professionals”: The service-oriented ransomware crime industry

Category: Ransomware | disc7 @ 12:14 pm


Ransomware Protection Playbook


Tags: ransomware, ransomware hunting, ransomware playbook


May 08 2023

1M NextGen Patient Records Compromised in Data Breach

Category: Data Breach, hipaa, Ransomware | disc7 @ 1:44 pm

BlackCat ransomware operators reportedly stole the sensitive data.


https://www.darkreading.com/application-security/1m-nextgen-healthcare-patient-records-stolen-

A database containing the personal information of more than 1 million people was stolen from NextGen Healthcare, Inc., a provider of cloud-based healthcare technology.

NextGen Healthcare provided a disclosure to the Maine Attorney General’s office that said the breach occurred on March 29 and lasted through April 14. The compromise was discovered on April 24, the company reported.

The compromise occurred due to “unauthorized access to database stemming from use of stolen client credentials that appear to have been stolen from other sources or incidents unrelated to NextGen,” the healthcare technology provider said.

Samples of NextGen’s stolen data reportedly popped up on ransomware operator BlackCat’s leak site, but were later removed without explanation.

NextGen’s disclosure indicated the database contained “name or other personal identifier in combination with Social Security Number.”

NextGen had not responded to Dark Reading’s request for comment at the time of this post.

NextGen Breach Follow-on Attacks Likely

The NextGen breach poses a major threat to its victims, according to Tom Kellermann, senior vice president of cyber strategy at Contrast Security.

“This is a massive cybercrime which will result in widespread identity theft,” Kellermann said in a statement provided to Dark Reading. “Healthcare providers have long been preferred targets by cybercriminals who specialize in identity theft due to two reasons: First they have woefully inadequate cybersecurity and second, they store the most sensitive PII.”

In 2021, there were more data breaches of healthcare-related organizations than any other sector, accounting for 24% of all cybersecurity incidents, according to Steve Gwizdala, vice president of healthcare at ForgeRock.

“Vigilance and new ways of enhancing cybersecurity measures will be crucial to healthcare organizations and businesses responsible for protecting the personal information of consumers stored online — across the entire supply chain,” Gwizdala said in a statement.

Research Anthology on Securing Medical Systems and Records


Tags: Patient Records Compromised


Feb 03 2023

MAJORITY OF THE RANSOMWARE GANGS USED THIS PACKER TO BYPASS ANTIVIRUS AND ENCRYPT DEVICES

Category: Malware, Ransomware | DISC @ 11:02 am

Packers are becoming an increasingly important tool for cybercriminals. On hacker forums, a packer is sometimes referred to as a “Crypter” or “FUD.” Its primary function is to make it more difficult for antivirus systems to identify malicious code. With a packer, malicious actors can disseminate their malware more quickly and with fewer consequences. One of the primary qualities of a commercial Packer-as-a-Service is that the payload does not matter: it can be used to pack a variety of different malicious samples, which opens up a lot of opportunities for cybercriminals. Another key quality is that the packer is transformative: because its wrapper is changed frequently, it can avoid detection by security products.

According to Checkpoint, TrickGate is an excellent illustration of a robust and resilient packer-as-a-service. It has been able to go under the radar of cyber security researchers for a number of years and is consistently becoming better in a variety of different ways.

Although a lot of very good research has been done on the packer itself, TrickGate is a master of disguise and has been given a number of different names because of its many different characteristics, including “TrickGate,” “Emotet’s packer,” “new loader,” “Loncom,” and “NSIS-based crypter.”

The researchers first observed TrickGate at the end of 2016, when it was used to spread the Cerber malware. Since then, they have continued to research TrickGate and have found that it is used to propagate many kinds of malicious software, including ransomware, RATs, information stealers, bankers, and miners. They note that a significant number of APT groups and threat actors often use TrickGate to wrap their malicious code in order to evade detection by security solutions. Some of the most well-known and widely distributed malware families have been wrapped by TrickGate, including Cerber, Trickbot, Maze, Emotet, REvil, CoinMiner, Cobalt Strike, DarkVNC, BuerLoader, HawkEye, NetWire, AZORult, Formbook, Remcos, Lokibot, AgentTesla, and many more.

Tags: BYPASS ANTIVIRUS AND ENCRYPT DEVICES


Jan 31 2023

RANSOMWARE investigation OSINT Threathunting

Category: Information Security, OSINT, Ransomware | DISC @ 11:43 am

by Joas A Santos

Ransomware Staff Awareness E-learning Course

The Ransomware Threat Landscape

Tags: OSINT, Threathunting


Jan 11 2023

Microsoft Details Techniques Used by Hackers to Deliver Ransomware to macOS Devices

Category: Hacking, Ransomware | DISC @ 11:02 am

Ransomware is one of the most dominant threats today, and it constantly affects organizations of all sizes. To cast a wider net of potential targets, attackers keep changing their tactics and expanding their tradecraft.

As a result, ransomware attacks affect a wide range of industries, systems, and platforms. To protect today's hybrid devices and working environments, it is vital to understand how ransomware works across these systems and platforms.

In contrast to other platforms, Mac ransomware tends to rely substantially on user assistance such as downloading and running fake applications or trojanized programs to infect computers.

macOS Devices Ransomware

Unveiling the TTPs of Ransomware

During ransomware campaigns, the attackers typically gain access to a target device, execute the malware, encrypt the files belonging to the target, and inform the target of a ransom demand and request for payment.

To accomplish these objectives, malware creators:

  • Abuse legitimate functionalities
  • Devise various techniques to exploit vulnerabilities
  • Evade defenses
  • Force users to infect their devices

Microsoft analyzed the following four Mac ransomware families:-

  • KeRanger
  • FileCoder
  • MacRansom
  • EvilQuest

Technical Analysis 

To be as effective as possible, ransomware has to select which files to encrypt. Based on Microsoft’s observations, ransomware families enumerate files and directories on Mac in several different ways:

  • Using the find binary
  • Using library functions opendir, readdir, and closedir
  • Using the NSFileManager class through Objective-C

The primary goal of malware creators is to prevent or evade the analysis of files by either the human analyst or an automated analysis system.

Among the ransomware families discussed above, either hardware-based checks are employed to ensure that the ransomware is not detected, or special code is made to prevent analysis of the ransomware.

As far as hardware-based checks are concerned, they are the following:-

  • Checking a device’s hardware model
  • Checking the logical and physical processors of a device
  • Checking the MAC OUI of the device
  • Checking the device’s CPU count and memory size

Among the checks related to the code are the following:-

  • Delayed execution
  • PT_DENY_ATTACH (PTRACE)
  • P_TRACED flag
  • Time-based check

It is quite common for malware to use persistence to make sure it continues to run even after the system has been restarted.

The EvilQuest and MacRansom ransomware families, among the Mac ransomware families that have been analyzed, have both utilized persistence techniques.

These malware families use the following persistence techniques to maintain their presence in the system:

  • Creating launch agents or launch daemons
  • Using kernel queues
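
A defender-side check for the launch agent and launch daemon persistence listed above, added here as an example (it is not code from Microsoft's analysis or from this blog): it parses launchd job plists and flags traits that deserve a closer look. The heuristics and the three sample jobs are assumptions constructed for illustration.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Standard per-machine and per-user launchd job directories on macOS.
LAUNCHD_DIRS = ("/Library/LaunchAgents", "/Library/LaunchDaemons",
                "~/Library/LaunchAgents")
# Assumed heuristic: world-writable locations are unusual homes for a job binary.
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def job_program(job):
    """Executable a job starts: Program, else the first ProgramArguments entry."""
    program = job.get("Program")
    if isinstance(program, str):
        return program
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def audit_job(plist_path, plist_bytes):
    """Return a list of findings for one launchd job definition."""
    try:
        job = plistlib.loads(plist_bytes)
    except Exception:  # malformed XML or binary plist
        return ["plist does not parse"]
    if not isinstance(job, dict):
        return ["top-level object is not a dictionary"]

    findings = []
    label = job.get("Label")
    if not isinstance(label, str):
        findings.append("missing Label")
    else:
        # By convention the file is named <Label>.plist.
        if label != PurePosixPath(plist_path).stem:
            findings.append(f"Label {label!r} does not match file name")
        # Heuristic: Apple's own jobs ship under /System/Library.
        if label.startswith("com.apple.") and not plist_path.startswith("/System/Library/"):
            findings.append("com.apple.* label outside /System/Library")

    program = job_program(job)
    if program is None:
        findings.append("no Program or ProgramArguments")
    else:
        parts = PurePosixPath(program).parts
        if any(p.startswith(".") and p != ".." for p in parts):
            findings.append(f"hidden path component in {program}")
        if program.startswith(TEMP_PREFIXES):
            findings.append(f"program in temporary or shared directory: {program}")

    # Auto-start is normal on its own; report it only next to another finding.
    autostart = job.get("RunAtLoad") is True or bool(job.get("KeepAlive"))
    if findings and autostart:
        findings.append("job starts automatically (RunAtLoad/KeepAlive)")
    return findings


def scan(dirs=LAUNCHD_DIRS):
    """Audit every *.plist in the given directories; returns {path: findings}."""
    report = {}
    for directory in dirs:
        for plist in sorted(Path(directory).expanduser().glob("*.plist")):
            try:
                data = plist.read_bytes()
            except OSError:
                continue  # unreadable without elevated rights
            findings = audit_job(str(plist), data)
            if findings:
                report[str(plist)] = findings
    return report


def constructed_samples():
    """Three constructed job definitions (not taken from any real sample)."""
    jobs = {
        "/Library/LaunchAgents/com.example.updater.plist": {
            "Label": "com.example.updater",
            "Program": "/Applications/Example.app/Contents/MacOS/updater",
            "RunAtLoad": True,
        },
        "/Users/alice/Library/LaunchAgents/com.apple.example-constructed.plist": {
            "Label": "com.apple.example-constructed",
            "ProgramArguments": ["/Users/alice/Library/.constructed-dir/helper",
                                 "--quiet"],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
        "/Library/LaunchDaemons/com.example.sync.plist": {
            "Label": "com.example.other",
            "Program": "/private/tmp/sync",
        },
    }
    return {path: plistlib.dumps(job) for path, job in jobs.items()}


if __name__ == "__main__":
    for path, data in constructed_samples().items():
        print(path, audit_job(path, data) or "no findings")
    for path, findings in scan().items():  # empty on a non-macOS host
        print(path, findings)
```

A finding is a prompt for review, not a verdict: legitimate software occasionally trips these heuristics, so confirm the referenced binary's signature and origin before acting.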

There are often similarities in the anti-analysis and persistence techniques of the ransomware families that we have analyzed. There is, however, a difference in the encryption logic between these ransomware families. 

The encryption of files is often done using AES-RSA algorithms, while other techniques are used, such as system utilities, XOR routines, or custom algorithms.

The methods for encrypting data vary from patching the file in place to deleting the original file and creating a new one in its place. To implement in-memory execution, EvilQuest uses the following APIs:

  • NSCreateObjectFileImageFromMemory – used for creating an object file image from the data present in memory
  • NSLinkModule – used to link the object file image
  • NSLookupSymbolInModule – used for looking for a specific symbol
  • NSAddressOfSymbol – used to get the address of the symbol.

Recommendation

Defenders can mitigate the impact of ransomware attacks by taking the following steps:

  • Do not install apps from sources other than the official app store of the software platform.
  • Protect privileged resources by restricting access to them.
  • Use a web browser that supports Microsoft Defender SmartScreen, such as Microsoft Edge.
  • Keep your operating system and applications up-to-date by installing the latest versions of them.
  • On your Mac, make sure you are using Microsoft Defender for Endpoint.


Tags: macOS Devices


Jan 04 2023

Ransomware Risk Management

Category: Ransomware, Risk Assessment | DISC @ 12:15 pm

A Cybersecurity Framework Profile


Tags: ransomware, Ransomware Protection Playbook


Dec 31 2022

Triple Extortion Ransomware: How to Protect Your Organization?

Category: Ransomware | DISC @ 12:06 pm

Ransomware strikes businesses every 11 seconds. The ransomware attack volume is already at record levels, but we’re hearing it’s only getting worse.  

As some victims managed to take precautions and refused to pay the ransom, attackers began to add more layers to their attacks. 

Double extortion ransomware became a common tactic in 2021. But in 2022, the attackers presented an innovation in their attacking technique called triple extortion. 

What is a triple extortion ransomware attack, and how can you protect your business? Read on to find out.

Triple Extortion Ransomware

What is Double extortion ransomware?

It is becoming increasingly common for attackers to use ransomware to extort money from businesses and individuals. This type of cybercrime is called “double extortion.”

Here the criminals encrypt the victim’s data and threaten to release it publicly if a ransom is not paid. 

As soon as the attacker exfiltrates the data they wish to leverage, they launch the encryption attack. Next, the attacker threatens to expose the data, possibly selling personal data about customers. 

In most cases, even organizations that have paid the ransom have found their data to be leaked. 

In September 2022, SunCrypt ransomware used DDoS as an additional attack layer. Attackers threaten to overwhelm the victim’s server with traffic if the ransom is not paid. 

Malicious actors like Avaddon and REvil soon started to follow the same tactic. The addition of DDoS extortion attacks is expected to continue, given the increased use of IoT devices and the surge in bitcoins.

What is Triple Extortion Ransomware Attack?

In triple extortion, attackers demand payment from the company that was initially compromised and those whose information was stolen.

The first case of triple extortion was observed when Vastaamo, a Finland-based psychotherapy clinic, was breached. Even after the clinic paid the ransom, attackers threatened the therapy patients with releasing their session notes.

Another instance of triple extortion occurred last year when the attacker targeted Apple after their first victim, hardware supplier Quanta, refused to pay. 

In this case, criminals proved they could compromise key suppliers if they gained leverage over the initial victim.

Remember, such an assault can cause irreparable damage to the reputation of any company, regardless of the industry.

Leading Causes of Double and Triple Extortions

The main factors that contribute to the increase in double and triple extortions include:

  • The proliferation of ransomware-as-a-service (RaaS) platforms has made it easier for attackers to launch these attacks. 
  • Using cryptocurrency has made it more difficult for law enforcement to trace and track payments. 
  • The emergence of new ransomware strains specifically designed for double and triple extortions. 

Who is vulnerable to Triple extortion ransomware?

Attackers target companies with inadequate cybersecurity solutions and less mature security teams. They also prey on companies that can pay the ransom demands.

The most obvious targets for ransomware operations are companies and organizations that store client or customer data.  

Whenever a corporation owns or controls important data or is connected to one, they risk triple extortion. 

How to prevent triple extortion ransomware attacks?

Many ransomware attacks remain undetected and unreported until they reach the domain controller. A detection-centric approach will only warn businesses of attacks that are already underway. The most effective course of action is prevention. 

Here are effective ways to prepare against triple extortion attacks:

Keep your network secure

Double extortion ransomware uses the same methods to access your network as traditional ransomware. To prevent initial access to a network, train employees on security awareness, establish password policies and implement multi-factor authentication. 

Run vulnerability assessments and patch known vulnerabilities regularly to avoid compromise. 

Back up Data

If an attacker infiltrates your network, an offline backup can protect you from the first part of a ransomware attack: data recovery. 

Furthermore, encrypt your data to prevent a double extortion attack. It ensures that, if stolen, the ransomware group cannot read it.

Cyber Threat Intelligence

Threat Intelligence is a key pillar in the cyber security stack. Gathering information related to cyber threats provides insights into threat actors and methodologies that could impact your business. 

Stay ahead of the latest threat intelligence to detect and analyze threats. Hunt for signs of compromise that lead to a ransomware attack. 

Proper DDoS Protection

The DDoS attack is now on the list of services the RaaS operator offers. You should protect your company’s network and server with a DDoS security solution. It tracks the incoming traffic, identifies the malicious requests, and diverts them away from your network and server. 

With sophisticated techniques, attackers are dispersing their DDoS attacks. Indusface offers DDoS protection solutions, enabling you to customize mitigation thresholds to isolate and block attacks. 

Conclusion

Cybercriminals continue to evolve their attack techniques; you can’t fall behind and expose your assets. 

If you are at risk of a triple extortion attack, paying the ransom is not the way out. Focus on preventing and mitigating attacks as they happen. 

The best solution would be to prevent the attack from happening in the first place. A comprehensive ransomware resilience plan is essential for preparation, prevention, and response.


Tags: Ransomware Protection Playbook


Dec 14 2022

Preventing a ransomware attack with intelligence: Strategies for CISOs

Category: CISO,Ransomware,vCISO DISC @ 10:46 am

Knowledge is power

More good news: We know how ransomware “gangs” work and, for the most part, what they’re after.

Ransomware is opportunistic and the barriers to entry for operators are relatively low, as the tools, infrastructure, and access that enable these attacks have proliferated across various online illicit communities through the ransomware-as-a-service (RaaS) model. Ransomware affiliates can rent the malware and be paid a commission from the victim’s extortion fee.

Initial access brokers—i.e. threat actors who sell ransomware operators and affiliates access into victim networks—are constantly scanning the internet for vulnerable systems. Leaked credentials from breaches and other cyber incidents can lead to brute force or credential stuffing attacks. Employees need to constantly be aware of increasingly sophisticated social engineering schemes. Threat actors can use any of these mechanisms to breach systems, escalate privileges, move laterally, and ideally take actions on objectives, dropping that malware on a victim’s network and encrypting all of their files.

Intelligence along the pre-attack chain

Previously I wrote about the role of detection, isolation, mitigation, and negotiation in the event of a ransomware attack. Having this level of preparedness is essential today.

But one of the most effective ways to stop a ransomware attack is to deny them access in the first place; without access, there is no attack. The adversary only needs one route of access, and yet the defender has to be aware and prevent all entry points into a network. Various types of intelligence can illuminate risk across the pre-attack chain—and help organizations monitor and defend their attack surfaces before they’re targeted by attackers.

Vulnerability intelligence

The best vulnerability intelligence should be robust and actionable. For instance, with vulnerability intelligence that includes exploit availability, attack type, impact, disclosure patterns, and other characteristics, vulnerability management teams can predict the likelihood that a vulnerability could be used in a ransomware attack.

With this information in hand, vulnerability management teams, who are often under-resourced, can prioritize patching and preemptively defend against vulnerabilities that could lead to a ransomware attack.

Threat intelligence

Having a deep and active understanding of the illicit online communities where ransomware groups operate can also help inform methodology, and prevent compromise. Organizations must be able to monitor for, and be alerted to, stolen login credentials before they reach criminal actors. This intelligence can mitigate account takeover and break the chain leading to brute force or credential stuffing attacks.

Technical intelligence

When cyber threat actors successfully infiltrate your network, the subsequent attack is not always immediate; sometimes, they will install tools that can help them further invade and seek access to the most valuable data. Technical intelligence helps security teams detect indicators of compromise, or IOCs, and the presence of Cobalt Strike beacons, which can unknowingly be present in your systems and later help a ransomer carry out an attack.

Prevention through preparedness

In order to help employees and executives understand various ransomware-related risks, organizations should seek to implement tabletop exercises designed by companies with expertise preparing for, and responding to, a ransomware event. These simulated scenarios should cover how to spot (and report) social engineering schemes like phishing attacks, which lure employees to click on links or interact with harmful attachments that could allow ransomware malware to be deployed on company devices.

By spending time building out and rehearsing a response plan prior to an attack scenario, your team will be equipped with informed decision-making during a ransomware-related emergency. But rest assured: It’s best to have the right intelligence at-hand, including the data, expert insights, and tools that can help to prevent an attack in the first place and keep your organization running without interruption.


Responding to a Ransomware Attack: A playbook 

Tags: Strategies for CISOs


Oct 12 2022

Callback Phishing Attack Tactics Evolved – Successful Attack Drops Ransomware

Category: Phishing,Ransomware DISC @ 8:52 am

Trellix released a recent report on the evolution of BazarCall social engineering tactics. Initially BazarCall campaigns appeared in late 2020 and researchers at Trellix noticed a continuous growth in attacks pertaining to this campaign.

Reports say that, at first, it delivered BazaarLoader (backdoor), which was used as an entry point to deliver ransomware. A BazaarLoader infection will lead to the installation of Conti Ransomware in a span of 32 hours.

It was also found to be delivering other malware such as Trickbot, Gozi IFSB, IcedID and more. In this case, “BazarCall has ceaselessly adapted and evolved its social engineering tactics”. These campaigns were found to be most active in the United States and Canada. They were also targeting some Asian countries like India and China.

What is BazarCall?

BazarCall begins with a phishing email but from there deviates to a novel distribution method – using phone call centers to distribute malicious Excel documents that install malware.

In BazarCall’s case, targeted users must dial the number. And when they do, the users are connected with actual humans on the other end of the line, who then provide step-by-step instructions for installing malware into their devices.

Figure 1: Attack Chain

Evolution of Bazarcall Social Engineering Tactics

Tags: Callback Phishing Attack


Oct 04 2022

BlackCat Ransomware Gang Claims to Have Hacked US Department of Defense Contractor

Category: Hacking,Ransomware DISC @ 8:47 am

NJVC has been added to the victim list of the BlackCat (ALPHV) ransomware gang. NJVC provides IT support to the US government’s intelligence and defense organizations.

With annual revenue of over $290 million, the company NJVC has a very impressive record. It is claimed that the BlackCat Ransomware Gang has hacked the Department of Defense of the United States of America.

https://twitter.com/ido_cohen2/status/1575400938445148160

DarkFeed, a deep web intelligence company that operates on the dark web, spotted the message on 28 September. There was a breach declaration provided by BlackCat, which resulted in its immediate suspension, The Register said.

Until 30 September, the Dark Web site that hosted BlackCat’s leak site was accessible. NJVC is no longer listed as a victim of the gang and has been removed from its website.

“We strongly recommend that you contact us to discuss your situation. Otherwise, the confidential data in our possession will be released in stages every 12 hours. There is a lot of material,” ALPHV said, per the screenshot.

Professional Rookies

In late 2021, the first outbreaks of BlackCat ransomware were observed, and the Rust programming language was used in BlackCat. 

Ransomware-as-a-service (RaaS) is one of the business models operated by this organization, just like so many others in the criminal underworld.

A number of prominent ransomware families are known to have been used by threat actors who started deploying BlackCat ransomware.

Those ransomware families are:

  • Conti
  • LockBit
  • REvil

The Darkside and Blackmatter ransomware cartels are linked with the BlackCat cartel. This group may have a well-established network with close ties to the ransomware industry.

BlackCat has been among the most active and prominent ransomware gangs in recent years. It is estimated that in 2022, about 12% of all attacks were perpetrated by this group.

It is estimated that the group’s activity has increased by 117% compared with the previous quarter. Moreover, as part of its strategy, the group is targeting high-profile, critical industries.

Cheerscrypt Linux-based Ransomware Encrypt Both Linux & Windows Systems

Ransomware Protection Playbook

Tags: BlackCat, Department of Defense


Oct 03 2022

RansomEXX gang claims to have hacked Ferrari and leaked online internal documents

Category: Ransomware DISC @ 10:13 am

The Italian luxury sports car manufacturer Ferrari confirmed the availability of internal documents online, but said it has no evidence of cyber attack.

Documents belonging to the Italian luxury sports car manufacturer Ferrari are circulating online; the company confirmed their authenticity, stating it is not aware of cyber attacks.

Ferrari is investigating the leak of the internal documents and announced it will implement all the necessary actions.

While the circumstances suggest the company could have suffered a ransomware attack, the car manufacturer said that it has no evidence of a compromise of its systems or of ransomware; it also added that its business and operations were not impacted.

The news of the alleged cyber attack was first reported by the Italian website Red Hot Cyber, which reported that the ransomware gang RansomEXX claimed on its Tor leak site to have breached the popular car maker.

The ransomware group claimed to have stolen 6.99GB of data, including internal documents, datasheets, repair manuals, etc.

The source of the documents is still unclear. In the past, the ransomware gang Everest breached the systems of Speroni SPA, a company in the supply chain of multiple car makers, including Ferrari, and leaked company documents online.

Tags: Ferrari


Sep 08 2022

DEADBOLT ransomware rears its head again, attacks QNAP devices

Category: Ransomware DISC @ 8:37 am

Yes, ransomware is still a thing.

No, not all ransomware attacks unfold in the way you might expect.

Most contemporary ransomware attacks involve two groups of criminals: a core gang who create the malware and handle the extortion payments, and “members” of a loose-knit clan of “affiliates” who actively break into networks to carry out the attacks.

Once they’re in, the affiliates then wander around the victim’s network, getting the lie of the land for a while, before abruptly and often devastatingly scrambling as many computers as they can, as quickly as they can, typically at the worst possible time of day.

The affiliates typically pocket 70% of the blackmail money for any attacks they conduct, while the core criminals take an iTunes-like 30% of every attack done by every affiliate, without ever needing to break into anyone’s computers themselves.

That’s how most malware attacks happen, anyway.

But regular readers of Naked Security will know that some victims, notably home users and small businesses, end up getting blackmailed via their NAS, or network attached storage, devices.

Plug-and-play network storage

NAS boxes, as they are colloquially known, are miniature, preconfigured servers, usually running Linux, that are typically plugged directly into your router, and then act as simple, fast, file servers for everyone on the network.

No need to buy Windows licences, set up Active Directory, learn how to manage Linux, install Samba, or get to grips with CIFS and other network file system arcana.

NAS boxes are “plug-and-play” network attached storage, and popular precisely because of how easily you can get them running on your LAN.

As you can imagine, however, in today’s cloud-centric era, many NAS users end up opening up their servers to the internet – often by accident, though sometimes on purpose – with potentially dangerous results.

Notably, if a NAS device is reachable from the public internet, and the embedded software, or firmware, on the NAS device contains an exploitable vulnerability, you could be in real trouble.

Crooks could not only run off with your trophy data, without needing to touch any of the laptops or mobile phones on your network, but also modify all the data on your NAS box…

…including directly rewriting all your original files with encrypted equivalents, with the crooks alone knowing the unscrambling key.

Simply put, ransomware attackers with direct access to the NAS box on your LAN could derail almost all your digital life, and then blackmail you directly, just by accessing your NAS device, and touching nothing else on the network.

The infamous DEADBOLT ransomware

That’s exactly how the infamous DEADBOLT ransomware crooks operate.

They don’t bother attacking Windows computers, Mac laptops, mobile phones or tablets; they just go straight for your main repository of data.

(You probably turn off, “sleep”, or lock most of your devices at night, but your NAS box probably quietly runs 24 hours a day, every day, just like your router.)

By targeting vulnerabilities in the products of well-known NAS vendor QNAP, the DEADBOLT gang aims to lock everyone else on your network out of their digital lives, and then to squeeze you for several thousand dollars to “recover” your data.

After an attack, when you next try to download a file from the NAS box, or to configure it via its web interface, you might see something like this:

In a typical DEADBOLT attack, there’s no negotiation via email or IM – the crooks are blunt and direct, as you see above.

In fact, you generally never get to interact with them using words at all.

If you don’t have any other way to recover your scrambled files, such as a backup copy that’s not stored online, and you’re forced to pay up to get your files back, the crooks expect you simply to send them the money in a cryptocoin transaction.

The arrival of your bitcoins in their wallet serves as your “message” to them.

In return, they “pay” you the princely sum of nothing, with this “refund” being the sum total of their communication with you.

The “refund” is a payment worth $0, submitted simply as a way of including a bitcoin transaction comment.

That comment consists of 16 apparently random data bytes, seen encoded as 32 hexadecimal characters in the screenshot below, which constitute the AES decryption key you will use to recover your data:

Source: DEADBOLT ransomware rears its head again, attacks QNAP devices

Tags: Deadbolt ransomware


Aug 25 2022

This company paid a ransom demand. Hackers leaked its data anyway

Category: Information Security,Ransomware DISC @ 8:57 am

It’s always recommended that ransomware victims don’t give in to ransom demands – and this real-life case demonstrates why.


A victim of a ransomware attack paid to restore access to their network – but the cyber criminals didn’t hold up their end of the deal. 

The real-life incident, as detailed by cybersecurity researchers at Barracuda Networks, took place in August 2021, when hackers from BlackMatter ransomware group used a phishing email to compromise the account of a single victim at an undisclosed company.

From that initial entry point, the attackers were able to expand their access to the network by moving laterally around the infrastructure, ultimately leading to the point where they were able to install hacking tools and steal sensitive data. 

Stealing sensitive data has become a common part of ransomware attacks. Criminals leverage it as part of their extortion attempts, threatening to release it if a ransom isn’t received.  

The attackers appear to have had access to the network for at least a few weeks, seemingly going undetected before systems were encrypted and a ransom was demanded, to be paid in Bitcoin. 

Cybersecurity agencies warn that despite networks being encrypted, victims shouldn’t pay ransom demands for a decryption key because this only shows hackers that such attacks are effective.

Despite this, the unidentified organisation chose to pay the ransom after negotiating the payment down from half the original demand. But even though the company gave in to the extortion demands, the BlackMatter group still leaked the data a few weeks later – providing a lesson in why you should never trust cyber criminals. 

Cybersecurity responders from Barracuda helped the victim isolate the infected systems, bring them back online, and restore them from backups.

Following an audit of the network, multi-factor authentication (MFA) was applied to accounts, suggesting that a lack of MFA was what helped the attackers gain and maintain access to accounts in the first place. 

A few months after the incident, BlackMatter announced it was shutting down, with the recommendation that those using the ransomware-as-a-service scheme should switch to LockBit.

According to Barracuda’s report, ransomware attacks are on the rise, with more than double the number of attacks targeting key sectors, including healthcare, education and local government.

Researchers also warn that the number of recorded ransomware attacks against critical infrastructure has quadrupled over the course of the last year. However, the report suggests there are reasons for optimism. 

“The good news is that in our analysis of highly publicized attacks, we saw fewer victims paying the ransom and more businesses standing firm thanks to better defenses, especially in attacks on critical infrastructure,” it said. 

In addition to applying MFA, organisations can take other actions to help secure their network against ransomware and cyberattacks, including setting up network segmentation, disabling macros to prevent attackers exploiting them in phishing emails, and ensuring backups are stored offline. 

It’s also recommended that organisations apply security updates as quickly as possible to stop attackers targeting known vulnerabilities to gain access to accounts and networks. 

https://www.zdnet.com/article/this-company-paid-a-ransom-demand-hackers-leaked-its-data-anyway/

The Ransomware Threat Landscape

Ransomware Protection Playbook

Tags: Ransomware Protection Playbook, Ransomware Threat


Jun 28 2022

Detection, isolation, and negotiation: Improving your ransomware preparedness and response

Category: Ransomware DISC @ 4:04 pm

Improving threat readiness

When your company’s data is leveraged in a cyber extortion attack, a quick determination must be made about the nature and extent of the attack, followed by the execution of plans to respond to and mitigate the attack. Because the longer a ransomware attack remains unaddressed, the more potential damage there could be to your organization’s ability to conduct business as usual.

While an organization’s ultimate goal is the total prevention of an attack, mitigation is a likelier (and perhaps more reasonable) goal, and organizations should prioritize preparedness just as much as prevention. Prevention includes the implementation of best practices and measures that can stop ransomware events from happening while also positioning the organization to sustain as little damage as possible, should an attack occur.

Ransomware readiness can be divided into three major components: preparation, detection and isolation.

Preparation

Your organization’s ability to respond to a ransomware event is directly affected by the tools you have readily available to you in the moment, which makes preparation a key part of successfully navigating an attack. Good preparation works twofold to educate your teams on how to prevent attacks, and to provide guidance on what to do in case you are targeted.

The following are some of the components you may wish to include as you map out your organization’s planning around cyber extortion attacks.

  • Create an Incident Response playbook that contains all relevant information related to responding to a ransomware attack.
  • Regularly hold mandatory training sessions for employees to educate them on how to prevent giving threat actors access to company systems to carry out an attack. The importance of password hygiene, warning signs of email phishing, and best practices for online safety may be among the topics covered.
  • Empower employees to help prevent attacks by providing them with protocols and resources to report suspicious activity and voice their concerns if they feel there is a risk that needs to be addressed.

Detection

Detection refers to the tools, technology, people, and processes in place to notice that an attack is happening or has occurred, and to identify its source within the network. Specific subcomponents of detection include:

  • Having a robust system of platforms configured to monitor your networks and alert you if suspicious activity occurs, such as the appearance of a known ransomware file extension or the rapid renaming of a large volume of files, which can signal that they’re being encrypted.
  • Fueling your threat intelligence program with easily accessible and updated knowledge about specific ransomware actors/groups and tactics, techniques, and procedures (TTPs)—including technical intelligence—to better anticipate potential risk apertures and attacks.
  • Implement multi-factor authentication to reduce the likelihood of ransomers gaining unauthorized access to your systems.
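The two signals named in the first bullet, a watched file extension appearing and a burst of renames, can be checked over file-server audit events. The sketch below is an added example, not part of the original article; the log format, extension watchlist, window and threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Assumed tuning values for this example; set them from your own baseline.
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt"}  # illustrative watchlist
WINDOW = timedelta(seconds=10)   # sliding window per account
RENAME_THRESHOLD = 5             # renames inside WINDOW that count as a burst

# Assumed audit-log line format (constructed, not a real product's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) RENAME user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)

def parse_line(line):
    """Return (timestamp, user, src, dst), or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, m["user"], m["src"], m["dst"]

def detect(lines):
    """Scan time-ordered rename events and return a list of alert tuples."""
    recent = defaultdict(deque)  # user -> rename timestamps still inside WINDOW
    in_burst = set()             # users whose current burst was already reported
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # malformed input is skipped, never fatal
        ts, user, src, dst = event

        # Signal 1: a file gains an extension from the watchlist.
        new_ext = PurePosixPath(dst).suffix.lower()
        if new_ext in SUSPECT_EXTENSIONS and PurePosixPath(src).suffix.lower() != new_ext:
            alerts.append(("suspect_extension", user, ts, dst))

        # Signal 2: many renames by one account inside the sliding window.
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()
        if len(q) >= RENAME_THRESHOLD:
            if user not in in_burst:  # report each burst once, not per event
                in_burst.add(user)
                alerts.append(("rename_burst", user, ts, len(q)))
        else:
            in_burst.discard(user)
    return alerts

# Constructed sample input: one ordinary rename, one malformed line, a slow
# batch of renames (bob) and a fast batch that adds a watched extension.
SAMPLE_LOG = [
    "2022-06-27T09:00:00Z RENAME user=alice src=/share/docs/report.docx dst=/share/docs/report_final.docx",
    "this line is malformed and is skipped",
] + [
    f"2022-06-27T10:0{i}:00Z RENAME user=bob src=/share/img/{i}.png dst=/share/img/old_{i}.png"
    for i in range(5)
] + [
    f"2022-06-28T03:14:0{i}Z RENAME user=svc_sync src=/share/fin/q{i}.xlsx dst=/share/fin/q{i}.xlsx.locked"
    for i in range(1, 7)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Bob's five renames are spread over five minutes and stay under the threshold, which is why the window matters as much as the count.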

Isolation

To limit its spread, isolation should be your organization’s first priority after you realize a ransomware attack is targeting your organization. Designing your systems in a way that separates different networks can be very impactful when every second counts. Specific subcomponents of isolation include:

  • Limiting any individual employee’s access to only the files and data they must have to do their jobs.
  • Shutting down infected systems and completely disconnecting them from your organization’s network as quickly as possible.
  • Disabling means of spreading potentially harmful data among devices, including VPN, NAC, and AD-user.

Responding to a ransomware attack

Once you have successfully caught and halted a ransomware attack’s progression, it is critical to have a response plan already in place to help you save time making decisions and keep emotional reactions in check, which can occur during a potential emergency. It can be difficult to determine the full scope of a ransomware attack, and the more data that the threat actor extorts or encrypts, the longer it may take to understand the nature of the breach.


Ransomware Protection Playbook

Tags: Improving your ransomware, Ransomware Protection


Jun 16 2022

ALPHV/BlackCat ransomware gang starts publishing victims’ data on the clear web

Category: Ransomware DISC @ 9:46 am

ALPHV/BlackCat ransomware group began publishing victims’ data on the clear web to increase the pressure on them and force them to pay the ransom.

The ALPHV/BlackCat ransomware group has adopted a new strategy to force victims into paying the ransom: the gang began publishing victims’ data on the clear web to increase the pressure. Publishing data online will make data indexable by search engines, increasing the potential impact on the victims due to the public availability of the stolen data.

The ALPHV/BlackCat gang has been active since at least December 2021, when malware researchers from Recorded Future and MalwareHunterTeam discovered their operation. ALPHV/BlackCat is the first professional ransomware strain that was written in the Rust programming language.

BlackCat ransomware

BlackCat can target Windows, Linux, and VMware ESXi systems, but at this time the number of victims is limited. The popular malware researcher Michael Gillespie said that the BlackCat ransomware is “very sophisticated.”

Recorded Future experts speculate that the author of the BlackCat ransomware, known as ALPHV, was previously involved with the REvil ransomware operations.

ALPHV has been advertising the BlackCat Ransomware-as-a-Service (RaaS) on the cybercrime forums XSS and Exploit since early December. Like other ransomware groups, the gang also implements a double-extortion model, threatening to leak the stolen data if the victims don’t pay.

In the past, many victims of ransomware attacks were not concerned about the publication of their data on a leak site in the Tor network, believing that dark nets are not easy for the masses to access.

The ransomware gang sets up a website on the clear web for each victim and publishes the stolen data on it.

It’s unclear if ALPHV plans to pursue this approach with every victim, but other recent victims of the crime group include a school district and a U.S. city. Most likely, this is a test run to see if it improves results.

Ransomware Protection Playbook

Tags: BlackCat ransomware

